Welcome to GearBrain’s Weekly Data Breach Report, a collection of known breaches into company databases where someone you don’t know got access to your personal information. The frequency at which these break-ins happen appears to be growing, so every week we’ll update our report with fresh news on the latest hacks and links on where you can go if there’s action to be taken — whether you’re concerned about your privacy or not.
This week, we’re looking at a mishandling of company data by Bank of America, over eight billion web usage records that were exposed in Thailand, and the sharing of 26 million LiveJournal user account details – including passwords – online for free.
Bank of America Plaza
This week Bank of America announced a data breach may have affected business clients’ information for the Paycheck Protection Program. The breach happened on April 22, as Bank of America uploaded PPP applications onto the US Small Business Administration’s test platform, reports Charlotte Business Journal.
The bank said application information may have been visible to other SBA-authorized lenders and their vendors. The exposed information could include business details like postal addresses and tax identification numbers, plus business owner’s information like their name, address, Social Security number, phone number, email and citizenship status.
Bank of America said: “There is no indication that your information may have been viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time.”
Eight billion Thai internet records exposed
Over 8bn records were exposed
A huge data breach was reported from Thailand this week, involving Advanced Info Services (AIS), the country’s largest cell network. Managed by a third party for AIS, the database contained real-time internet records of millions of customers; the data was accidentally made public in May during a scheduled test.
Security researcher Justin Paine said of the breach: “Over the course of the roughly three weeks the database has been exposed the volume of data has been growing significantly. The database was adding approximately 200 million new rows of data every 24 hours.” As of May 21, 8.3 billion documents were exposed.
Although the data did not contain personal information, Paine said that viewing it could “quickly paint a picture” of what someone may be doing online, and in real-time.
The database contained passwords in plain text
Finally for this week, a database containing over 26 million LiveJournal user accounts – including their passwords stored in plain text – is being shared for free on multiple hacker forums.
Bleeping Computer reports how the database was first stolen back in 2014, containing 33 million user credentials. Since approximately May 8, links to the data dump have been circulating on forums. According to those sharing it, the database contains email addresses, usernames, LiveJournal profile URLs, and passwords. Although originally stored as MD5 hashes, the passwords appear as plain text.
The database has been shared with Have I Been Pwned, the website that helps users discover if their usernames and passwords have been exposed online. If your details appear on that website, it is crucial that you change the passwords of any online services for which you still use the old, compromised password. Any LiveJournal user (past or present) should also change their password immediately, both on that service, and wherever they have used the same password again.
Week of May 18, 2020: Home Chef
Home Chef admitted to a data breach involving 8 million of its customers
Home Chef has admitted to a data breach in which records on eight million of its customers were taken. The data includes names, email information, encrypted passwords, and the last four digits of people’s credit cards, according to PYMNTS.
Home Chef sells customers weekly subscription meal kits. People are sent ingredients — and recipes — and they prepare their own meals at home.
Home Chef is now telling customers they should change their passwords.
EasyJet got hit with a data breach in January, but only told customers in April
Low-cost airline EasyJet has also been hit with a data breach with hackers getting access to credit and debit card details. They first knew about the hack in January, but were only able to tell people in early April, according to the BBC.
The company, which is known for its incredibly low-cost flights in Europe, said they wanted to figure out how bad the hack had been before telling people. But they say that everyone who has been involved will be told by May 26.
GoDaddy admitted to a data breach involving 28,000 customers
GoDaddy, one of the best known web hosting companies, has been hacked, the company has admitted. About 28,000 customers have had their data stolen through the breach which happened on October 29, 2019 — and continued for six months until April 23, 2020, reports CPO Magazine.
GoDaddy says the hacker has been blocked now, and claims that files were not added or changed on people’s accounts. The company has also reset all of the user names and passwords of the people involved. They’re also suggesting customers check their own hosting accounts to make sure they’re okay as well.
Week of May 11, 2020: Magellan Health
US healthcare giant Magellan Health revealed this week it has been the victim of a data breach and a ransomware attack. The Fortune 500 insurance company said that the attackers first launched a phishing email campaign against its staff.
This then gave the attackers access to Magellan’s systems, from which they stole login credentials and passwords of some current staff. Personal data of staff was also stolen, including names, addresses and employee ID numbers. Some Social Security numbers and Taxpayer ID numbers were also taken.
In a letter sent to victims Magellan said: “Once the incident was discovered, Magellan immediately retained a leading cybersecurity forensics firm, Mandiant, to help conduct a thorough investigation of the incident. The investigation revealed that prior to the launch of the ransomware, the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some of your personal information.”
This week it was reported that, earlier in the month, Interserve was hit by a cyber attack which saw the data of 100,000 people stolen. Interserve is one of the UK government’s “strategic suppliers”, and is responsible for maintaining schools and hospitals, as well as transport networks like the London Underground.
Interserve recently helped with the formation of the Nightingale Hospital Birmingham, a field hospital built in a convention center for coronavirus patients.
It was first reported by the Telegraph that the human resources database of the outsourcing firm was broken into on May 9, and information on current and former staff was stolen. The data included names, addresses, bank details, payroll information, next of kin details, HR records, dates of absences and pension information.
Interserve acknowledged the data breach in a statement and said it is working with the UK’s National Cyber Security Centre to remedy the situation.
The trading platform said the breach occurred on April 14
City Index informed users this week of a data breach which saw the theft of their names, dates of birth, gender and bank details. City Index is a London-based financial trading and spread betting service provider.
The company told its users on May 8 that its network “was accessed by an unauthorized third party and client personal data may have been viewed,” reports Infosecurity Magazine. City Index added that, upon discovering the breach, which took place on April 14, it “shut down access to the server connected and launched a full forensic investigation.”
City Index users are urged to reset their passwords, and make sure the same password previously used to access their City Index account isn’t currently being used for anything else.
Week of April 27: Chegg
Educational technology company Chegg has suffered a third data breach in just three years, as it admits hackers stole the personal details of 700 current and former employees. The data included their names and Social Security numbers. For context, the company had around 1,40 employees at the start of 2020, reports TechCrunch.
Paul Martini, CEO of cloud cybersecurity company iboss, told GearBrain: “This attack may be reflective of a larger coming cybersecurity trend that should worry employers and employees alike. Over the last few months, a massive increase in people working from home has left organizations particularly vulnerable to hackers and if this attack was related to a remote employee, we’re going to see a lot of IT people lose sleep..organizations of all sizes face a difficult and dangerous future.”
Nintendo confirmed on April 24 that attackers had accessed 160,000 user accounts since earlier in the month. In reaction, the company temporarily disabled the ability to log into the accounts through a Nintendo Network ID. It said the login IDs and passwords were “obtained illegally by some means other than our service.”
This now tallies with a claim by SpyCloud, a cyber security company, that says the hack was likely the result of credential stuffing. This is where usernames and passwords already stolen through a previous data breach at a different company, are then used again by their owner somewhere else, like for a Nintendo account. Hackers repeatedly and automatically use these credentials to log into accounts, and in this case were successful with 160,000 Nintendo accounts, as their owners had used the same passwords before.
According to SpyCloud, 59 percent of people admit to reusing passwords.
UK license plates
It was revealed this week that the details of millions of journeys made by private individuals across the UK could be freely accessed online. This is because a system used to automatically log vehicle license plates as they pass a roadside camera, known in the UK as ANPR, was storing its data on a server with no password.
The data, and therefore journeys and locations of millions of vehicles, could be accessed by entering the IP address of the server into an internet browser. In total, 8.6 million journeys could be viewed. The data specifically came from the ANPR system of Sheffield, a city in the north of England. Hackers could have used the data to track individual vehicles through the city, putting vulnerable people at risk. The name and location data of cameras could also be changed, which could have led to wrongful convictions.
Sheffield City Council and South Yorkshire Police said in a joint statement: “We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach.”
Week of April 20, 2020: Small Business Administration
The Small Business Administration’s Economic Injury Disaster Loan program may have been hit by a data breach, affecting about 8,000 people who had applied for emergency funds to help offset the impact of the coronavirus pandemic. What data is now vulnerable? CNN reports that it could include Social Security numbers, birth dates, insurance information, names, their email addresses and even where they live and their citizen status.
Applicants were told if they were involved in the breach on April 13 through a letter — and told they would be given a year of free credit monitoring as a result.
A chain of sandwich shops in New Jersey has found a breach of its system that happened over a series of months. Customer payment information that allowed people to place online orders was involved, and the breach took place between July 15, 2019 and February 18, 2020. Not only were numbers potentially seen, but also security codes, expiration dates, names and addresses. PrimoHoagies told customers that only data from online purchases was involved, not those made inside physical stores, reports the Courier Post.
A children’s gaming platform had a breach that released nearly 23 million user names and hashed passwords — information that’s been scrambled from its original form.
Webkinz World is a virtual space children can enter, that connects to a plush toy. Inside are games and adventures kids can play — and they need to have a password and user name to get online. The company has demanded that all passwords be updated on the site before people can re-log on to their accounts.
Week of April 13: Quidd
Quidd, a digital collectibles trading platform, has suffered a data breach resulting in the login credentials of almost four million users appearing on a dark web hacking forum. The data included Quidd usernames, email addresses and passwords, although these were reportedly hashed, according to Teiss. The email addresses belonged to professionals from companies like Microsoft, Experian, Target and the University of Pennsylvania.
Despite being hashed, it is being reported that hackers have already cracked more than a million of the stolen passwords, and another hacker is currently selling 135,000 of the Quidd passwords.
According to experts Risk Based Security, the data was stolen from Quidd by hacker group ProTag, and was uploaded to the forum on March 12, 2020. Adverts were displayed on the dark web about the stolen database as far back as October 2019.
Wappalyzer, a technology company that lets users scan websites to receive a report of information like the type of server it uses, has been the victim of a cyber attack. The disclosure of the hack comes a week after hackers began emailing Wappalyzer’s customers, offering to sell a stolen database for $2,000 in bitcoin.
The database contains Wappalyzer customer email and billing addresses, but the company told ZDNet that it contained information on just 16,000 customers. Wappalyzer says the hack took place on January 20 when an intruder accessed one of its databases, which was left exposed due to a misconfiguration.
As well as reportedly containing user email addresses, the stolen database includes technographic data, which is data collected by Wappalyzer and sold as part of its product offering to customers.
San Francisco International Airport
User data was stolen from two small websites run by SFO
SFO contacted users of two of its websites this week to tell them they had been the victims of a cyber attack. The websites are SFOConnect.com and SFOConstruction.com, and are said to both be relatively low-traffic websites. The attack is believed to have taken place in March, reports ThreatPost.
The airport said this week: “The attackers inserted malicious computer code on these websites to steal some users’ login credentials. Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO.”
It added that it “appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices.”
Week of April 6, 2020: RigUp
A company, focused on the energy sector, helped people find jobs in that market — but is now a victim of a breach that exposed 76,000 files from those clients. Those files reportedly never made it into a public view, luckily, but inside were details dating back to July 2018 including employee resumes, private family photos, W9 forms, insurance policy data, Social Security numbers and more.
Found by vpnMentor, the breach has now been secured. But anyone doing business with RigUp may want to contact the company about what it’s doing next to ensure the data it has in its systems is better locked down.
Hackers are taking advantage of people’s fears and worries around the coronavirus pandemic, sending phishing texts and emails that promise relief funds from the government, or trackers that turn out to be malware. Emails look to be coming from the World Health Organization, or doctors, and everyone from individuals to businesses are being targeted.
The best thing for anyone to do today, given the fact that most people are online even more than usual, and from typically less secure networks than those used at the office, is to stop opening, or sending attachments — and to go directly to government sites through a search engine, rather than through a link they’ve received online.
Hammersmith Medicines Research
Case in point? A medical facility tapped to do some live Coronavirus vaccines has been victimized by ransomware — with their data stolen and held hostage. Volunteers whose last names started with D, G, I or J had their records stolen from Hammersmith Medicines Research, including personal details such as their date of birth, passport information and even in some cases some health records, reports ComputerWeekly. The medical facility has refused to pay the ransom.
Week of March 30, 2020: Marriott
Marriott has had a data breach that is impacting more than five million guests, with details from names to birth dates part of the get. The breach took place between mid-January and February of 2020, and happened after someone used log-in details of two employees at a franchise of the hotel chain, said Marriott.
While financial details weren’t impacted, like credit cards, guests’ loyalty programs, like airline frequent flyer details including those account numbers, were involved along with mailing addresses. Marriott says it will be notifying people who were impacted by the breach. And while they say passwords weren’t involved — definitely change yours.
As great as Zoom has turned out to be, connecting people to friends, family, loved ones and co-workers, it has also ended with some not nice bugs — with people Zoombombing. People have been gaining access to Zoom calls, filling the screens with sounds and even pornographic imagery, that’s not always appreciated.
To add insult, security researchers have found exploits, including one reported by TechCrunch that allows hackers to take over the webcam and microphone of Mac users.
Zoom says it’s actually halting all new features for 90 days while it works to beef up security and privacy. Part of the problem, Zoom notes, is that its user base is up from about 10 million a day before the coronavirus pandemic took hold to about 200 million now.
WhatsApp users are reportedly getting tricked into turning over login credentials to hackers. Those hackers who have broken into social media accounts, like Facebook, are tricking that person’s contacts into handing over their own WhatsApp details — which the hacker can then use, reports Android Authority.
This is kind of a version of phishing, and truthfully it can happen to anyone, regarding any of their accounts. It’s always a good idea to never send your personal details to people over digital methods like email, text or, yes, WhatsApp.
Week of March 23, 2020 – Mystery database exposes 200M Americans
A database owned by an unknown party was discovered this week with 800GB of personal user information exposed to the public. The database, which was discovered by a research team at CyberNews, contained personal information belonging to 200 million Americans.
The data included a broad range of personal information, including:
- Full name and title
- Email addresses
- Phone numbers
- Dates of birth
- Credit ratings
- Home address
- Number of children
- Personal and political interests
It is thought that much of the data has come from the US Census Bureau. CyberNews said of the leak: “It’s difficult to understate the massive effect this data leak can have on hundreds of millions of people in the US. The data exposed by the unidentified party is a virtual gold mine for anyone with a penchant for cybercrime.
“Merely selling these records on darknet marketplaces at the below-average asking price of $1 per record would net the seller about $200 million. If utilized by cybercriminals to its full destructive potential, however, this data leak can result in untold billions in damages for defrauded users.”
Data belonging to current and former employees of General Electric was publicly accessible for 10 days in February. A third party gained access to an email account that contained sensitive information between February 2 and 14, reports ITPro.
The data of current and former workers included:
- Direct deposit forms
- Driver’s licenses
- Birth certificates
- Marriage certificates
- Death certificates
- Medical child support orders
- Tax withholding forms
It is thought that the data also included names, addresses, social security numbers, bank account numbers, and dates of birth. “After learning of the issue, we quickly began working with Canon [Business Process Services] to identify the affected GE employees, former employees and beneficiaries.”
Data Deposit Box
Detailed private information about 270,000 people who have used cloud storage company Data Deposit Box appeared online in late-2019. The data was discovered on December 25 and remained online until January 6.
More than 270,000 files were exposed, according to SecurityMagazine, with some leaked information dating from 2016 to the present day. Data included login credentials (usernames and unencrypted passwords), IP addresses, email addresses and GUIDs (globally unique identifiers for resources).
Some information about files stored on the website by users was also accessible. This included file names, type, size and the date they were last modified.
Week of March 16, 2020: Princess Cruises
As if Princess Cruises doesn’t have enough going on after being shut down from the coronavirus, the cruise line, owned by Carnival Corp, has now admitted that a possible data breach hit its system from April 11 to July 23, 2019. After gaining access to employee email accounts, Princess Cruises said the hacker was able to then see personal details on other crew members, employees and most keenly guests.
Social security numbers, passport numbers, driver’s license information, financial account details and more were potentially visible. The company has posted the details on its web site, and encouraged anyone concerned that they get in touch with the company. And in the meantime, start using a password checker — while you also start changing those passwords. Yes, again.
TrueFire, a site that offers guitar lessons and tutorials online, discovered that it had a breach that spanned about six months — from August 2019 to January 2020. That left the personal data on more than one million users open including credit card numbers, names, addresses and even security codes, among other details.
Nothing on the site gives any indication about the breach which TrueFire said it discovered on January 10, 2020. But it has sent letters to people who were affected, according to Guitar.com which said it heard from one of the users.
TrueFire is telling users to monitor their credit card statements.
Department of Health and Human Services
The U.S. Department of Health and Human Services reported that it had spent Sunday and Monday fighting against a hacking attempt on its system, reported The New York Times. The department claimed, on Monday, that the attack had not worked — but coming at a time when health groups globally are trying to work on fighting the coronavirus, the attempt was badly timed, at the least.
Officials are trying to figure out who was behind the attack, concerned about attempts that could impact information being shared by medical experts to fight the virus spread. But experts have been warning already that cybercriminals have been attempting to take advantage of coronavirus fears to spread malware.
Week of March 9: Eight million eBay and Amazon shopping records exposed
Our lead story this week is of a database, accidentally made public, which contained eight million shopping records from Amazon, eBay, PayPal, Shopify and Stripe.
The data, which could be found using a regular search engine, was mistakenly exposed by an unnamed third-party firm conducting cross-border value-added-tax (VAT) analysis. The majority of the data came from UK and European online shopping, and it included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and the last four digits of credit card numbers.
The unencrypted database was indexed by search engines on February 2, then discovered by cybersecurity firm Comparitech a day later, with Amazon immediately notified. The database was then shut down by its owner on February 8.
Dutch government loses data of 6.9m registered donors
External computer hard drives storing data of 6.9 million registered organ donors from February 1998 to June 2010 were admitted lost this week. Last used in 2016, the pair of drives were placed in a secure vault, but this week the Dutch Minister of Health, Wellness and Sport admitted they had gone missing earlier in 2020, reports ZDNet.
The data includes first and last names, gender, date of birth, address at the time of registration, choice for organ donations, ID numbers and a copy of the person’s signature. Although missing, Dutch officials said there was no evidence yet of the data being used for identity theft or fraud.
Secret-sharing app Whisper exposes 900 million user records
Whisper, once a hugely popular smartphone app where users could anonymously share secrets, left private and sensitive information about hundreds of millions of people in a public database for years.
The database, which had no password and could be accessed by anyone, included users’ nicknames as well as their age, gender, ethnicity, location, and information on what groups they were a part of on the app. Many of Whisper’s chat groups are about sexual relationships and orientation. The report claims 1.3 million users in the database listed their age as 15.
Once describing itself as “the safest place on the internet”, Whisper launched in 2012, is available for iOS and Android, and although not as popular today it had three billion monthly page views by late 2013. Most of its users are aged 18 to 24 and predominantly female.
As well as users’ hometowns, the data included the GPS coordinates of where each user submitted their most recent post.
Week of March 2, 2020: Virgin Media exposes data on almost 1 million people
Details on nearly 1 million people were accessible online for ten months in a Virgin Media database, the company announced Thursday. While passwords and financial details weren’t involved, phone numbers, birthdate, email addresses and home addresses were stored in the database.
How did this happen? Virgin Media said the database had been Virgin Media said it shut down access to the database, but not before finding out some details had been “accessed without permission.” The company said it had already notified the 900,000 people involved, who appear to be getting text messages.
T-Mobile hack accesses details on customers and employees
What T-Mobile is calling “a malicious attack,” compromised details on customers and employees, with a hacker gaining access to details about email accounts, which include customer names, addresses, phone numbers, account numbers, rate plans and billing information. What wasn’t involved? Credit card and Social Security numbers.
T-Mobile did say that they were able to shut down the attack, and while they’re trying to get ahold of customers, they’re encouraging people to reach out if they want to know if their details were involved in the hack. Crucially, T-Mobile is reporting they have no evidence that the data gleaned has been “misused” at this time.
J.Crew hacked in 2019, company says now
Retailer J.Crew may be known for its style hacks, but this time the company was a victim of a different kind of hack, one that left financial information exposed on customers. The attack took place around April 2019, and J.Crew is just now telling customers about the problem. Compromised are the last four digits of credit card numbers, expiration dates, the kind of payment card involved, plus email and physical addresses, as well as passwords.
What should you do? What you should always do — Change. Your. Password.
Week of February 24, 2020: Clearview AI
Controversial facial recognition company Clearview AI contacted clients this week to admit its entire client list had been stolen by an intruder. The company was the subject of an in-depth New York Times report in January which claimed it held over three billion images of members of the public, gathered up by scraping them from publicly-viewable social media accounts on Facebook, Twitter, YouTube, LinkedIn and others – a breach of their terms and conditions.
Clearview said in a statement that data thefts like this are now “a part of life”. As well as the client list, data on how many Clearview each customer had, and how many times they had searched the image database, was also taken.
This week also saw Samsung admit to exposing the personal information of 150 customers on its UK website. The bizarre data leak was blamed on a “technical error”, and the data exposed to the public included names, phone numbers, postal and email addresses, and previous orders made through Samsung’s UK online store.
Thankfully, the company said user credit card information was not exposed. Customers affected will be contacted, Samsung said.
Slickwraps, a company that makes customized vinyl skins for phones and other devices, admitted this week it had fallen victim to a data breach. The admission came after Slickwraps customers reported they had received an email claiming to be from the company, but which was in fact written by a hacker who had gained access to its customer database.
The email appears to have been sent to 377,428 addresses, and the sender claimed they had gained access to Slickwraps’ customer database by reading a now-deleted Medium post written by a seemingly different hacker who explained how they had accessed the database via a vulnerability.
In a blog post, Slickwraps said the data was “mistakenly made public via an exploit” and it included names, plus postal and email addresses. However, it assured customers that their financial data had not been accessed.
Week of February 17, 2020: MGM Resorts data shows up on hacking web site
You can never truly be free of a data breach as some of MGM Resorts’ former guests are now discovering. The chain announced this week that more than 10.6 million guests were caught in a data breach in 2019, and now have much of their personal information on a hacker’s forum — from names to phone numbers, and even including birth dates.
The database is from guests who stayed at the MGM Resorts prior to 2017, and they include some well-known names from Justin Bieber to Twitter’s Jack Dorsey. Those who had originally been caught up in the breach had initially been contacted by MGM Resorts in August 2019.
U.S. Department of Defense (Yes, really)
An agency inside the U.S. Department of Defense (DoD) was affected by a data breach which may have included people’s Social Security numbers. The department, the Defense Information Systems Agency — or DISA — contacted those involved in mid-February about the breach which happened between May and July 2019, reports Reuters, which saw the letter sent by the agency.
DISA’s role, according to its web site, is to manage the way information is shared, managed and transmitted for the DoD, including communications for the president.
ISS World hacked
ISS World, which provides cleaning, catering, management and other support services, has fallen victim to malware, the company is stating on its web site. While customer data doesn’t appear, for now, to be affected, businesses that use its IT services are likely finding those options dark as ISS has “disabled access,” it said.
ISS owns companies across the world including the U.S.-based catering company Guckenheimer and another catering firm, Apunto, based in Chile.
Week of February 10, 2020: Estée Lauder
This week, a huge and completely unprotected customer database owned by US cosmetic firm Estée Lauder was spotted by cybersecurity researchers at Security Discovery.
The database contained more than 440 million data entries, all appearing in plaintext. These entries included email addresses, references, internal documents, IP addresses, storage information and other data that looks to have come from a company-run content management system.
Customer data wasn’t compromised, but the accidental leaking of so much company data is still a major concern. Estée Lauder said in a statement: “On 30 January 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data.”
South African financial service group Nedbank said this week that it is investigating a data breach related to Computer Facilities, a direct marketing company. Computer Facilities sends SMS and email marketing information to customers on behalf of Nedbank and other clients.
Nedbank said in a statement that “a subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients.”
The company is keen to point out that no Nedbank systems or client bank accounts were compromised “in any manner whatsoever”. Forensic experts have been hired to conduct an investigation, Nedbank says.
Nine-year-old’s identity stolen after data breach
Finally, an example of what can happen if your personal information is caught up in a data breach. A recent data breach at Health Share of Oregon led to the identity of a nine-year-old boy being stolen, then used to unlawfully open a US Bank credit card in his name.
The card arrived at the family home soon after the boy’s mother learned of the data breach. Speaking to Katu 2 news, Kristen Matthews said: “This is not OK, especially for a child. This is not OK. I immediately started seeing red because I never signed up for any of this.”
The account was later closed by US Bank, but the incident serves as a demonstration of how stolen or mistakenly leaked personal data can be used. Matthews added: “There are other victims out there, though. There could be other cards being sent out to people.”
Week of February 3, 2020: Don’t click on the Coronavirus phishing attack
Hackers are preying on fears about the Coronavirus, with a new phishing attack designed to look like an email from the World Health Organization. Needless to say, the message is not from the United Nations agency, but instead an attempt to get people to click on a link that takes them to a pop up asking them to type in their email address and password, according to Sophos.
The specific message actually includes a number of grammatical mistakes — something to watch for if you’re getting an email from an official group, such as the World Health Organization. There are also words that are spelled wrong.
While people are concerned about the coronavirus, clicking on a link in an email that you didn’t request is still not the best course of action. Instead, we recommend going to the web sites directly, and not through a link.
Ashley Madison breach effects still felt
A new attack is affecting those whose names, passwords, credit card details and phone numbers were hacked in the Ashley Madison data breach of five years ago. Now some of the 32 million accounts are being targeted personally through an email scam that threatens to expose people if they don’t pay a Bitcoin ransom, according to Threatpost, pointing to a post from Vade Secure, which discovered the scam.
The demand is for about $1,165 in Bitcoin and is hidden in an attachment in the email, which also includes a QR code, something often not caught by email filters. The email demands the payment in six days, or the information about the person will be released.
Vade Secure has detected hundreds of these in the past week, and expects to see more of them in the coming months.
St. Louis Community College breach impacts thousands
A data breach at St. Louis Community College in Missouri has affected more than 5,100 people, exposing details such as birth dates, college ID numbers, names, addresses, phone numbers, email addresses and, for 71 people, their Social Security numbers, according to local news site KSDK.com. The college told people about the hack, which occurred through a phishing attack, and said it had been able to lock down accounts again within about 72 hours.
While the school has said it will get in touch with those affected by the hack, anyone who is a student or has an affiliation with the college should get in touch with them as well.
Week of January 27, 2020: Wawa Inc
Wawa, the US fuel and convenience store, admitted in December 2019 that it had been the victim of a nine-month-long data breach, leading to the theft of customer card data. Now, it is claimed these stolen card records are being sold online.
The Wawa customer records are said to be among a huge batch of 30 million card accounts from over 40 states offered up for sale. They are claimed to be from “a new huge nationwide breach,” reports Krebs on Security.
Data exposed by the breach includes debit and credit card numbers, expiration dates, and cardholder names. PINs and CVV numbers were not exposed, Wawa claimed.
We urge readers who use Wawa to keep an eye on their card statements and report any suspicious transactions to their bank or card issuer.
The United Nations
It was reported this week that The United Nations fell victim to a suspected state-funded cyberattack in July, but did not inform the public or affected employees.
According to confidential documents leaked to The New Humanitarian, the attack could have affected up to 4,000 UN employees. Compromised data included staff records, health insurance and commercial contract data.
It is reported that hackers gained access to the data through a flaw in Microsoft SharePoint and used malware to gather up data from UN servers in three of its European offices. Staff were advised to change their passwords, but were not told why.
In 2019, data breaches increased 17 percent
Finally this week, a year-end report by the Identity Theft Resource Center revealed that the number of US data breaches increased by 17 percent in 2019 to 1,473, compared to 2018.
According to the report, the year saw 164,683,455 sensitive records exposed, which was a 65 percent increase on 2018. What’s particularly interesting here is how the Marriott hotel data breach of 2018 accounted for 383 million of that year’s 471 million stolen records, further demonstrating the marked increase in data theft in 2019.
“The increase in the number of data breaches during 2019, while not surprising, is a serious issue,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed. The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed.”
Week of January 20, 2019: Microsoft exposes 250 million records
Microsoft left 250 million records open on a database, and admitted it in a blog post. The breach was open from December 5, 2019 to December 31, 2019, and contained details about “support case analytics,” said the company, and personal details had been “redacted.”
While Microsoft wouldn’t say how many records were involved, a site called Comparitech, which claims to have uncovered the breach, said there were 250 million records. Inside were conversation details between agents and customers that dated back to 2005, far earlier than the December 5, 2019 date Microsoft admitted to in its statement. Comparitech said it reached out to Microsoft on December 29, 2019.
Microsoft itself referred to the situation as a “misconfiguration,” and said that no “personally identifiable information” was exposed to the outside world. However, IP addresses and locations were available to see.
THSuite cannabis dispensary breach
A point-of-sale system used by cannabis dispensaries suffered a data breach, in some cases leaving buyers’ information, from names to birth dates, exposed, and occasionally the name of the employee who helped them, according to a new report from VPN Mentor.
More than 85,000 files were exposed, which included more than 30,000 records from the following dispensaries: Amedicanna Dispensary, Colorado Grow Company and Bloom Medicinals. But VPN Mentor warned that additional dispensaries could have been involved. The information that was breached differed between the dispensaries. But in some cases the customer’s signature was captured, along with birth dates and Medical ID numbers.
VPN Mentor tracked the breach to an Amazon S3 bucket that had been unsecured. The database was closed on January 14, 2020. But any customer of the three dispensaries should keep an eye on their email for possible phishing exploits.
UPS Store exposes customer financial records and ID
UPS is emailing customers admitting that some customers’ records at about 100 stores were exposed through a phishing hack. The attack involved details in emails that had been sent to UPS for printing and other requests, and in some cases included government-issued ID and even some financial details.
The breach happened between September 29, 2019 and January 13, 2020, when a hacker was able to access the email accounts of UPS stores. The company said it’s using a third-party cybersecurity firm to help investigate the incident. In the meantime, UPS is offering affected customers free credit monitoring and identity theft assistance.
Equifax has agreed to put aside at least $380.5 million as compensation for victims of a 2017 data breach which saw 147 million US consumers compromised.
The company has also laid out plans to spend $1 billion on revamping its information security over the next five years. Consumers who believe they were affected by the breach have a week (from January 15) to file a claim for compensation. How much they receive will depend on how many people file.
The 2017 incident, which saw personal data including Social Security Numbers compromised, was blamed by Equifax on a buggy component of a server, for which a patch was available at the time but not applied.
The money will be used to pay for credit monitoring services for affected consumers, and individuals may be entitled to up to $20,000 in compensation, but only if they can provide proof that the data breach affected them financially.
An app aimed at new parents and designed for cataloguing baby photos and videos left masses of data exposed on an insecure server for all to see. The app, called Peekaboo, was found to have exposed more than 100GB of data, including the email addresses of users, but also photos and videos of babies.
An estimated 800,000 email addresses were exposed by the insecure server, along with location data accurate to about 30 feet, effectively revealing where people had used the app on their smartphone. The insecure server was discovered by Dan Ehrlich of computer security company Twelve Security.
Ehrlich told BankInfoSecurity: “I’ve never seen a server so blatantly open. Everything about the server, the company’s website and the iOS/Android app was both bizarrely done and grossly insecure.”
The app developer has since secured the server and said it would check its systems for any other security issues.
Western Australian bank P&N Bank informed customers this week of a data breach which exposed their personal information. Data unlawfully accessed includes customer names, addresses, email addresses, phone numbers, ages, account numbers, and account balances.
Other personal records like ID and credit card numbers were not accessed, the bank said, adding that it believes the data was targeted on or around December 12, during a server upgrade. A company the bank hired to provide hosting is believed to have been the attackers’ entry point, reported ZDNet.
The bank stresses that, at this point, it appears that no customer accounts or funds were accessed or compromised. It is now working with law enforcement and federal authorities to work out exactly what happened. It isn’t yet known how many customers were affected.
Week of January 6, 2020: City of Las Vegas
Right as the biggest tech show in the world, CES 2020, kicked off, the city that hosted it gave notice that it had, in fact, been the victim of a data breach, reported local channel KTNV. The actual breach happened at 4:30 am local time, and Las Vegas warned that some services may be interrupted as a result. But by Wednesday, the city gave the all clear, and tweeted that it didn’t think any data was actually taken or lost, but it still couldn’t say how the breach happened or who was responsible.
Google pays $7.5 million
Google is paying $7.5 million for data leaks from its former Google+ platform dating back to 2018, reports Law 360. About half a million people who used the platform had some personal details breached, where third-party developers were able to see profile data. But the company didn’t tell anyone for seven months.
Bubba Gump parent company hacked
Landry’s, the parent company of Joe’s Crab Shack, Bubba Gump Shrimp Co. and Morton’s The Steakhouse, is reporting a data breach on machines in its restaurants. Malware on order entry systems, and not the main payment systems, was able in “some instances,” according to Landry’s, to glean payment card details, although not someone’s name. These issues happened as early as January 18, 2019 but stopped by October 17, 2019. Anyone who has eaten at a Landry’s chain should, of course, monitor their credit cards for charges.