SecureFact™

A curated list of Data Security News happening across the world, in a simple yet intuitive form for fast-paced cybersecurity professionals.

WEEK OF DECEMBER 09, 2019

Ransomware attack hits major US data center provider

  • According to details ZDNet received in a tip, the incident took place yesterday and was caused by a version of the REvil (Sodinokibi) ransomware.
  • This is the same ransomware family that hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August.
  • The company owns 45 data centers in Europe, Asia, and the Americas, and has more than 1,000 customers.
  • A CyrusOne spokesperson confirmed the incident and said they are currently working with law enforcement and forensics firms to investigate the attack and help customers restore impacted systems.

*Source

Mega Breaches Are Forcing Us to a Passwordless World. Are We Finally Ready?

  • The cause of breaches has been well-known since the landmark “2017 Verizon Data Breach Investigations Report,” which revealed that 81% of hacking-related breaches leveraged stolen and/or weak passwords.
  • While it’s true the industry has been slow to change, a closer look reveals that much progress has been made in 2019. For example, Microsoft and Google now support passwordless standard FIDO2, and Apple made it clear it intends to support FIDO2 for its Safari browser. In another important move, Apple says iOS 13.3 (likely available early in 2020) will support popular FIDO-compliant authentication devices like the YubiKey.
  • Matthew Ulery, chief product officer at SecureAuth, says organizations will change based on a combination of four important factors: an important industry peer (i.e., a bank or insurance company) gets breached and they don’t want to be the next victim; a new CEO or top executive comes into the organization and dictates that the company will move toward passwordless authentication; an organization realizes it finally has to do something to stop the ability of synthetic IDs to steal passwords; and, finally, customers push for change.

*Source

Serious flaw in Airtel mobile app exposed data of over 325 million Indian users

  • Airtel’s mobile app had a serious security flaw that likely exposed the data of its nearly 325 million customers. This would include personal information such as names, emails, birthdays, addresses, and even the IMEI numbers of their mobile devices. Airtel has acknowledged the issue in its mobile app and issued a fix for it as well.
  • The bug was in the Application Program Interface (API) of Airtel’s mobile app, according to independent security researcher Ehraz Ahmed, who told the BBC that it took him about 15 minutes to find the flaw. Ahmed has also posted a video, which shows a script being used to fetch the information from the Airtel mobile app’s API.

*Source

Union Cabinet approves Personal Data Protection Bill, to be introduced in this session

  • On Dec 4th, the Union Cabinet cleared the Personal Data Protection Bill (PDPB) for introduction in the current session of Parliament.
  • India’s draft bill, titled the Personal Data Protection Bill, 2018, has been approved by the Union Cabinet and introduced in the Parliament. The draft bill is India’s first step towards a privacy framework for the governance of personal data. Broad guidelines on the collection, storage, and processing of personal data, consent of individuals, penalties and compensation, code of conduct, and an enforcement model are likely to be a part of the law.

*Source

Despite potential fines, GDPR compliance rate remains low

  • Talend released the results of its first GDPR research benchmark, which reveals that despite potential fines, the compliance rate remains low.

  • Talend released the results of its first GDPR research benchmark, which was aimed to assess the ability of organizations to achieve right to access and portability compliance with the European regulation.

    The findings are as follows. Of the companies surveyed:

    • 58% were not able to meet data access and portability requests within the GDPR-specified one-month time limit
    • 7% do not have any electronic means to make the requests
    • On average, companies provided the data in 16 days

*Source

Data from 21M Mixcloud Users Compromised in Breach

  • Music streaming service Mixcloud has disclosed a security incident in which unauthorized users gained access to some of its systems; the breach compromised the data of 21m users.

  • Mixcloud confirmed the security incident wherein unauthorized users gained access to some of its systems. While Mixcloud did not disclose the breach’s scale, the alleged attacker who provided a portion of the data to TechCrunch said there were 20 million records stolen. However, 21 million records were listed for sale, and the data sample indicated there might have been up to 22 million records stolen. Data contained includes usernames, email addresses, and salted passwords.

*Source

WEEK OF DECEMBER 03, 2019

Password data for ~2.2 million users of currency and gaming sites dumped online

  • A security researcher confirms that the password data of almost 2.2 million users of the GateHub and EpicBot services has been posted online.
  • Security researcher Troy Hunt, who’s behind the Have I Been Pwned breach notification service, confirms that the password data and other personal information of close to 2.2 million users have been dumped online. One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that’s among the hardest to crack.

*Source

PayMyTab data leak exposes personal information belonging to mobile diners

  • Cybersecurity researchers from vpnMentor disclosed a data leak in which personal information belonging to PayMyTab customers was exposed due to an open AWS database.
  • Cybersecurity researchers from vpnMentor disclosed a data leak in which PII and partial financial details were made available online. The team found an unsecured Amazon Web Services (AWS) S3 bucket, in which PayMyTab failed to follow Amazon’s security protocols. While no exact figures on the amount of data leaked or the number of customers have been released, vpnMentor says that the leak has left “10,000s of people vulnerable to online fraud and attacks.”

*Source

Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws

  • Two critical security vulnerabilities discovered in Oracle’s E-Business Suite (EBS) could allow potential attackers to take full control over a company’s entire enterprise resource planning (ERP) solution.
  • According to Onapsis Research Labs, more than 21,000 enterprises use Oracle EBS for financial management, CRM, SCM, HCM, logistics, procurement and more. Two critical security vulnerabilities were discovered in Oracle’s EBS which could allow potential attackers to take full control over a company’s entire ERP solution. If successfully exploited in an attack, these flaws enable threat actors to avoid detection while printing bank checks and making electronic fund transfers.

*Source

Why Multifactor Authentication Is Now a Hacker Target

  • The FBI recognized how the increased implementation of multifactor authentication (MFA) has led to a proportionate increase in cybercriminals trying to bypass MFA.
  • In a recent Private Industry Notification (PIN), the FBI recognized how recent cyberattack campaigns are focusing directly on circumventing multifactor authentication (MFA). The FBI outlined four tactics – SIM swaps, insecure web design, phishing, and channel-jacking – that hackers have been developing to bypass MFA. To social engineer such an attack, an adversary tries to take advantage of a person’s naturally trusting tendencies, where many people end up processing the hacker’s request.

*Source

Android phones hacked; ‘hundreds of millions’ cameras, GPS, microphones affected

  • Google and Samsung disclosed several security vulnerabilities in their phones: hundreds of millions of cameras, GPS receivers, and microphones affected.

  • According to Forbes, the Checkmarx security research team found several security vulnerabilities in Google and Samsung phones. Checkmarx uncovered several exploits, including the ability to remotely control the smartphone camera applications, take pictures, record videos, and use the video recording to eavesdrop on a user’s phone conversations. Hackers could also use exploits to gather a user’s GPS location data remotely.

*Source

Authorities Arrest Alleged Member of Group That Hacked Jack Dorsey

*Source

WEEK OF NOVEMBER 25, 2019

Data Breaches Will Cost Healthcare $4B in 2019, Threats Outpace Tech

  • According to Black Book Research, threat actors are outpacing security technology and processes; these data breaches will cost the healthcare sector $4B by the end of 2019.
  • Black Book surveyed 2,876 security professionals from 733 provider organizations to identify gaps, vulnerabilities, and deficiencies keeping the healthcare sector from improving its cybersecurity posture.
  • Data breaches cost hospital organizations an estimated $423 per breached patient record.
  • About 96 percent agreed that threat actors are outpacing their healthcare organizations’ ability to fend off cyberattacks, keeping them at a serious disadvantage.

*Source

Why Cyber-Risk Is a C-Suite Issue

  • NTT Security’s 2019 Risk:Value research claims that cyber risk is a C-suite issue, as organizations realize the scale of cyber-risk but lack the counter-actions needed to build resilience.
  • In a global study of more than 2,200 organizations across 22 different countries, NTT Security’s 2019 Risk:Value research found that cyberattacks (43%), data loss or theft (37%), and attacks on critical infrastructure (35%), aimed particularly at telecoms and energy networks, concern respondents the most. The survey respondents judged that these threats would present a greater risk to their organization over the next 12 months than trade barriers and other critical global issues such as the environment, terrorism, and government failures.

*Source

Americans Fed Up with Lack of Data Privacy

  • 8 out of 10 US adults are worried that their data is collected and used in concerning ways that they cannot control and don’t fully understand, a new Pew Research survey shows.
  • A Pew Research Center study shows that a majority of Americans say they have very little or no control over how companies use their data but are very concerned about how companies are using it. The report, based on a nationally representative panel of randomly selected US adults, shows that 62% of Americans feel they cannot prevent companies from collecting data on their activities, while 63% feel the same about government data collection. The study also found that a vast majority conclude that the risks of data collection outweigh the benefits.

*Source

Macy’s suffers online Magecart card-skimming attack, data breach

  • Macy’s has announced a data breach caused by Magecart card-skimming code being implanted in the firm’s online payment portal.

  • Macy’s found that card-skimming script had been injected in their website. The unauthorized code was highly specific and only allowed the third-party to capture information submitted by customers. Magecart attacks are usually made possible through a vulnerability in a website or its backend CMS. Once unauthorized access is gained, threat actors inject JavaScript code into a webpage dealing with financial information and wait for unsuspecting consumers to submit their payment card details.

*Source

Avoid juice jacking! L.A. warns travelers against public USB charging stations

  • Travelers who need to charge their smartphones while on the go might want to avoid public USB charging stations, due to the security risk known as “juice jacking,” authorities in California have warned.

  • While juice jacking may not be the weapon of choice for hackers, as there are many other ways to infiltrate the smartphones of targets, it remains a potential threat. Travelers should stick to the safe side and only consider public USB charging stations a last resort.

*Source

Thousands of Disney+ Accounts Have Been Hacked, And They’re Already For Sale on the Dark Web

  • Disney’s new game-changing streaming-video service hasn’t even been available for a week, but already its users have been hacked and thousands of Disney+ accounts are on sale on the Dark Web, according to a new report.

  • Looking ahead, therefore, there’s a strong likelihood that Disney+ accounts will continue to be traded on the Dark Web alongside the multitude of account information and illegal content already for sale in that shadowy part of the Internet. Like it or not, this is only just the beginning.

*Source

WEEK OF NOVEMBER 20, 2019

Joker’s Stash Puts $130M Price Tag on Credit Card Database

  • Skimmed at ATMs and shops, the details of about 1.3 million debit and credit cards have been put up for sale on a darknet marketplace called Joker’s Stash.
  • Group-IB, a Singapore-based firm that specializes in the detection and prevention of cyberattacks, said that of the 1.3 million cards, 98% are believed to be from India. Researchers say that details are being sold at $100 each, which puts the value of the card database at over $130 million. The fraudsters selling the data claim that they have both track-1 and track-2 data, which can be used for online transactions or for cloning cards.

*Source

Ransomware hits Spanish companies sparking WannaCry panic

  • Two major Spanish companies, IT consultancy firm Everis and leading radio network Cadena SER, have been hit by ransomware on the same day, sparking memories of the WannaCry outbreak.
  • Everis and Cadena SER have told employees to shut down computers and have disconnected their networks from the internet. Everis was impacted the most, as the company has more than 24,500 employees across 18 countries. According to screenshots posted on social media by supposed Everis employees, the ransomware that hit the IT firm is a version of the BitPaymer ransomware that also hit French TV station M6 and German automation tools maker Pilz.

*Source

Chinese Hackers Just Gave Us All A Reason To Stop Sending SMS Messages

  • If you haven’t shifted to an encrypted platform, now is the time to do so. China’s state-sponsored hackers have demonstrated just how insecure open SMS technology built into telcos has become.
  • FireEye’s threat research and analysis blog has reported that APT41, one of China’s state-sponsored hacking groups, has been infecting Short Message Service Centre (SMSC) servers within cellular carriers with a malware tool dubbed MESSAGETAP. In this campaign, telcos were front and center. FireEye documented multiple weaknesses of SMS messaging, where attackers who compromise the network itself can monitor mass volumes of messages for keywords.

*Source

California DMV data breach exposes thousands of drivers’ Social Security information

  • The California Department of Motor Vehicles (DMV) suffered a data breach in which the Social Security information of 3,200 people was exposed.

  • Federal agencies, including the US Department of Homeland Security, had improper access to the Social Security information of thousands of drivers due to the California DMV breach. Notices of the data breach went out to those whose Social Security information — including whether or not a license holder had a Social Security number — was accessed during the last four years by seven agencies, including the Internal Revenue Service, the Small Business Administration, and district attorneys in San Diego and Santa Clara counties.

*Source

Siri, Google Assistant and Amazon Alexa can be hijacked with a $14 laser pointer to open garage doors, start cars, and shop online

  • Researchers found a way to hijack Google Assistant, Apple’s Siri, and Amazon’s Alexa with a $14 laser pointer, getting them to perform tasks such as starting cars and opening garage doors.

  • A team of researchers from Tokyo’s University of Electro-Communications and the University of Michigan tested popular voice assistant models from major tech firms, such as Google Assistant, Apple’s Siri and Amazon’s Alexa. They demonstrated how they were able to “speak” to smart speakers and smartphones by running voice assistants using cheap lasers, even getting them to perform tasks such as opening a garage door. Since smart speakers don’t require extra authentication, they were found to be particularly vulnerable to this kind of attack.

*Source

Twitter & Trend Micro Fall Victim to Malicious Insiders

  • Twitter and Trend Micro are the latest on a long and growing list of organizations to fall victim to malicious insiders.

  • The US Department of Justice announced indictments against two former Twitter employees for allegedly accessing private information tied to Twitter accounts belonging to several individuals of interest to the government in Saudi Arabia. They are alleged to have provided the information — which included email addresses, phone numbers, IP addresses, and dates of birth — to officials working on behalf of the Saudi government and the Saudi royal family.

*Source

WEEK OF NOVEMBER 04, 2019

Adobe left 7.5 million Creative Cloud user records exposed online

  • The basic customer details of nearly 7.5 million Adobe Creative Cloud users were exposed on the internet inside an Elasticsearch database that was left connected online without a password.
  • The exposed details primarily included information about customer accounts, but not passwords or financial information.
  • This leak is nowhere as severe as the infamous 2013 Adobe breach, where hackers obtained full records, including encrypted payment details, for nearly 38 million Adobe users. At the time, the Adobe breach was one of the biggest hacks ever.

*Source

Italian Financial Service UniCredit Discloses Data Breach Affecting 3 Million Customers

  • The Italian bank and financial service provider UniCredit has recently confessed to a data breach. The incident happened around four years ago and exposed 3 million records.
  • According to its press release, the company identified a data file, impacted during the incident, containing around 3 million records. However, the extent of the incident remained limited to Italian customers only.
  • The company also fell victim to a third-party data breach earlier this year. Specifically, the ransomware attack on the German IT firm CITYCOMP also affected UniCredit along with other CITYCOMP clients.

*Source

Indian nuclear power plant’s network was hacked, officials confirm

  • The Nuclear Power Corporation of India Limited (NPCIL) has acknowledged today that malware attributed by others to North Korean state actors had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP). The admission comes a day after the company issued a denial that any attack would affect the plant’s control systems.
  • The malware in question, named Dtrack by Russian malware protection company Kaspersky, has been used in widespread attacks against financial and research centers, based on Kaspersky data collected from over 180 samples of the malware. Dtrack shares elements of code from other malware attributed to the Lazarus threat group, which, according to US Justice Department indictments, is a North Korean state-sponsored hacking operation. Another version of the malware, ATMDtrack, has been used to steal data from ATM networks in India.

*Source

Data Breach Hits 22 Million Web.com, Register.com, Network Solutions Accounts

  • The companies said they became aware of the breach on October 16, but the intrusion apparently took place in late August 2019. The hackers accessed a “limited number” of computer systems that gave them access to account information for current and former customers.

  • Network Solutions, Web.com and Register.com have started notifying impacted customers via email and their websites, and they have also reported the incident to federal authorities. A cybersecurity firm has been called in to help determine the scope of the hacker attack.

  • Web.com informed customers in August 2015 that hackers had managed to steal personal information and credit cards associated with approximately 93,000 accounts after breaching a server.

*Source

More than 28 million Canadians impacted by a data breach in past 12 months: privacy watchdog

  • One year after Canadian businesses became subject to mandatory data breach reporting, the country’s federal privacy watchdog says reports of breaches have dramatically increased, with their figures suggesting more than 28 million Canadians have been affected by a data breach in the past year.

  • The OPC also saw a “significant rise” in breaches that affect a small number of people — often only one person and “sometimes through a targeted, personalized attack.”

*Source

WEEK OF OCTOBER 29, 2019

Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m

  • Seven-year-old class-action lawsuit nears its end; Zappos data breach settlement: users get only a meagre 10% discount while their lawyers are set to receive $1.6M.
  • More than 24 million customers’ personal data was compromised in the 2012 Zappos data breach; while they receive a 10% store discount as compensation, their lawyers received $1.6 million. The settlement marks yet another case where data breach victims walk away with almost nothing following devastating data breaches, as in the Yahoo and Equifax settlements.

*Source

Indiana hospital system notifying patients after data breach

  • Methodist Hospitals, Indiana, is warning more than 68,000 patients that their personal information, including Social Security numbers and health records, may have been exposed during a data breach.
  • In addition to Social Security numbers and patient health records, the hackers may have accessed names, addresses, dates of birth, driver’s license and credit card information. The hospital system is advising people who may have been affected by the data breach to monitor their credit reports and medical billing data for any suspicious activity.

*Source

Equifax used ‘admin’ as username and password for sensitive data: lawsuit

  • Equifax used the word “admin” as both password and username for a portal that contained sensitive information, according to a class-action lawsuit filed in Georgia.
  • The ongoing lawsuit, filed after the breach, went viral on Twitter Friday. The lawsuit also notes that Equifax admitted using unencrypted servers to store sensitive personal information and had it as a public facing website. When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, “it left the keys to unlock the encryption on the same public facing servers, making it easy to remove the encryption from the data.”

*Source

CenturyLink Customer Data Exposed

  • Customer information was left open on a CenturyLink MongoDB server for 10 months, leaving some 2.8 million records exposed on the Internet.

  • Researchers from Comparitech and security researcher Bob Diachenko found the misconfigured MongoDB database on Sept 15. Customer names, addresses, email addresses, and phone numbers were exposed. “The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised”, CenturyLink said in a statement to Comparitech.

*Source

U.S. Government, Military Personnel Data Leaked By Autoclerk

  • A leaky database owned by reservations management system Autoclerk has exposed the personal data and travel information for thousands of users – including U.S. government and military personnel.

  • The reservation management system Autoclerk had a faulty Elasticsearch database which exposed online over 100,000 booking reservations for travelers. The database was hosted on Amazon Web Services in the USA and contained over 179GB of data. The exposed information included unencrypted login credentials, full names, dates of birth, home addresses, phone numbers, dates and costs of travel, and masked credit-card details.

*Source

10% of Small Businesses Breached Shut Down in 2019

  • As a result of cybercrime, 10% of small businesses hit in 2019 were forced to shut down, 69% were forced offline for a limited time, 37% experienced financial loss, and 25% filed for bankruptcy.

  • To compile the report, commissioned by the National Cyber Security Alliance and conducted by Zogby Analytics, analysts polled 1,006 small business decision-makers on cybersecurity topics. They learnt that (i) 88% consider themselves a “somewhat likely” target for attacks, including 46% who believe they are a “very likely” target, and (ii) nearly 30% have experienced an official security breach within the past year.

*Source

WEEK OF OCTOBER 21, 2019

Hackers breach Volusion and start collecting card details from thousands of sites

  • Hackers have breached Volusion, a provider of cloud-hosted online stores, and are collecting personal card details from thousands of sites.
  • The hackers are delivering malicious code that records and steals the payment card details entered by users in online forms. More than 6,500 stores have been compromised, but the number could be around 20,000. Similar attacks followed over the summer, and in most, hackers targeted misconfigured Amazon Web Services accounts. The Volusion incident that’s currently underway is the first one traced back to Google Cloud.

*Source

Chinese Hackers Use New Cryptojacking Tactics to Evade Detection

  • Chinese cybercrime group Rocke, known for operating multiple large-scale malicious crypto-mining campaigns, is using new crypto-jacking tactics to evade detection.
  • The financially motivated threat group, Rocke, was first spotted in April 2018 by Cisco Talos researchers while exploiting unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers, and dropping crypto-mining malware from attacker-controlled Gitee and GitLab repositories. The hackers have now switched to new Tactics, Techniques, and Procedures (TTPs), including new C2 infrastructure and updated malware to evade detection.

*Source

Malware That Spits Cash Out of ATMs Has Spread Across the World

  • Malware called “Cutlet Maker”, designed to make ATMs eject all of the cash inside them, was first noticed in Germany and has now spread across the world.
  • A joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered details about a spate of so-called “jackpotting” attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros. Jackpotting is a technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, no stolen credit card required. Hackers typically install the malware onto an ATM by physically opening a panel on the machine to reveal a USB port.

*Source

Student tracking, secret scores: How college admissions offices rank prospects before they apply

  • The University of Wisconsin-Stout installed tracking software on its school website which reveals personal data such as web-browsing habits and financial history to “learn” more about prospective students.

  • Colleges are collecting more data about prospective students than ever before. The Post shows that at least 44 public and private universities in the United States work with outside consulting companies to collect and analyze data on prospective students, by tracking their Web activity or formulating predictive scores to measure each student’s likelihood of enrolling. The practices may raise a hidden barrier to a college education for underprivileged students.

*Source

Sextortion botnet spreads 30,000 emails an hour

  • A “sextortion” botnet is making use of a network of more than 450k hijacked computers to send aggressive emails, researchers have warned.

  • The emails threaten to release compromising photographs of the recipient unless $800 (£628) is paid in Bitcoin. And they contain personal information – such as the recipient’s password – probably gathered from existing data breaches, to specifically target more than 27 million potential victims at a rate of 30,000 per hour. While analysis suggests a small fraction of targets have fallen for the ploy, one expert said such botnets still offered a great “return on investment” for cyber-criminals.

*Source

Sweden’s first GDPR fine sets the regulatory tone

  • Secondary school fined £16,000 for breaching General Data Protection Regulation, signaling the attitude of Sweden’s Data Protection Authority.

  • Secondary school Anderstorpsskolan in Skellefteå, used face recognition technology in a time-limited test to identify students attending classes. The school carried out the test for a few weeks, tracking 22 students. The regulator found the school’s board to have violated GDPR law. The DPA ruled that biometrics is sensitive personal data, and it was not enough that the students’ parents had given their consent for the exercise.

*Source

WEEK OF OCTOBER 14, 2019

Alabama hospitals forced to close after ransomware attack

  • Three hospitals in Alabama were forced to close due to a ransomware attack; this comes several days after a similar attack took place in seven hospitals in Victoria, Australia.
  • Nonprofit firm, DCH Health System, said in a statement “a criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment”. The form of ransomware used and whether the attacks in Alabama and Victoria are linked is unknown.

*Source

20M Russians’ Personal Tax Records Exposed in Data Leak

  • A database holding more than 20 million Russian tax records was found unprotected, leaving personal tax data accessible to anyone with a web browser, researchers reported this week.
  • The AWS Elasticsearch cluster contained data on Russian citizens spanning from 2009 to 2016. No password or any authentication was needed to access the cluster, leaving personal tax data accessible to anyone with a web browser. Researchers cannot confirm whether the data was taken.

*Source

64% of IT decision-makers have reported a breach in their ERP systems in the past 24 months

  • ERP system breaches have been reported by 64% of the 191 IT decision-makers surveyed, whose organizations rely either on SAP or Oracle E-Business Suite.
  • Applications like SAP or Oracle E-Business Suite can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence, and project delays.

*Source

Yahoo could owe you $358 or more as a part of its data breach settlement

  • If you had a Yahoo account any time between 2012 and 2016, you could get a compensation of $358 or more for your losses as part of Yahoo’s data breach settlement.

  • Over several years, hackers were able to gain access to over 3 billion Yahoo accounts, email addresses, calendars, contacts, birth dates, passwords and answers to security questions in at least three separate attacks. If you had an account any time between 2012 and 2016 and are a resident of the US or Israel, you are part of the settlement class and can file a claim for part of the $117,500,000 settlement fund.

*Source

Tu Ora Data Breach Exposed Medical and Personal Data of 1 Million People

  • The latest in the recent string of breaches: New Zealand-based primary health organization (PHO) Tu Ora has suffered a breach that exposed the medical and personal data of 1 million people.

  • The organization suffered a cyber attack on its website in August 2019. While investigating that incident, it found earlier attacks dating from 2016 to early March 2019. Because Tu Ora holds a database of people dating back to 2002, it disclosed that the incidents may have affected anyone enrolled with it. While it is not certain whether those attacks impacted people’s data, it disclosed the incidents to keep people informed.

*Source

Twitter Took Phone Numbers for Security and Used Them for Advertising

  • Twitter announced that it may have inadvertently used phone numbers collected for security purposes for advertising.

  • Twitter says it cannot say with certainty how many people were impacted by this use of personal phone numbers for advertising purposes. Facebook did something similar with phone numbers provided by users for two-factor authentication, as the company confirmed last year. This could make people think twice about using a phone number to secure their accounts at all.

*Source

WEEK OF OCTOBER 09, 2019

Smishing is the latest Social Security scam going around

  • Smishing (SMS + phishing) is the latest Social Security scam, in which attackers try to fool people into disclosing their private information or downloading malicious code to their mobile phones.
  • Smishing attacks involve the same sort of trickery as phone scams, including the same false claims that the message is from the IRS, Social Security Administration, a long-lost friend, or a bank.
  • Texting has replaced the phone call as the most popular consumer communication channel. So while we ignore phone calls, we are conditioned to respond to text messages — and phishers are using this to their advantage.

*Source

Senate Passes Bill Aimed At Combating Ransomware Attacks

  • As the number of sophisticated ransomware attacks increases, the US Senate has approved new legislation aimed at helping government agencies and private sector companies combat such attacks in the future.
  • In August, Texas officials were left scrambling after up to 22 Texas entities were hit by a coordinated ransomware attack. Other cities have also been hit, including New Bedford, Mass., two Florida cities and several Atlanta city systems. The proposed law authorizes the Department of Homeland Security (DHS) to invest in and develop “incident response teams” to fight these attacks.

*Source

ANU incident report on massive data breach is a must-read

  • Australian National University has released a detailed report on the massive data breach it suffered in 2018, in which the hackers gained access to almost 19 years’ worth of data.
  • ANU has set a new standard for transparent data breach reporting. The report is an example to everyone else on how to deal with cyberattacks – honest, technical, detailed, and full of good advice for protecting data. Attacks will keep happening. This is the way to understand them and learn to improve our defenses.

*Source

Hiding a Data Breach Can Derail an Acquisition

  • Research by the world’s largest non-profit association of certified cybersecurity professionals, (ISC)2, states that companies can drive down their value by hiding or mishandling a data breach.

  • Of the 250 M&A experts who were questioned, 49% have seen deals derailed after due diligence brought an undisclosed breach to light; 86% said that if a company had publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned; and 77% had recommended a particular company be acquired over another because of the strength of its cybersecurity program.

*Source

218M Words with Friends Players Compromised in Data Breach

  • A Pakistani hacker, going by the online alias Gnosticplayers, has claimed to have hacked the popular mobile social game company Zynga Inc and gained unauthorized access to a massive database of more than 218 million users.

  • An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement. As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to notify players as the investigation proceeds further.

*Source

Zendesk Alerts Users Of Data Breach That Occurred in 2016

  • The customer support ticketing platform Zendesk has confessed to a security incident affecting thousands of customers. The company revealed that it suffered a data breach back in 2016 that impacted 10,000 users.
  • As stated by the firm: “On September 24, we identified approximately 10,000 Zendesk Support and Chat accounts, including expired trial accounts and accounts that are no longer active, whose account information was accessed without authorization prior to November of 2016.”

*Source