SecureFact™

Your curated list of Data Security News happening across the world, in a simple yet intuitive form for fast-paced cybersecurity professionals.

WEEK OF MAY 26, 2020

Fake Microsoft Teams Emails Phish for Credentials

  • Employees belonging to organizations in industries such as energy, retail, and hospitality have been recipients, Abnormal Security says.
  • According to researchers from Abnormal Security, the emails are very convincing-looking, with links that lead to landing pages that are identical to what a user would expect from a legitimate Teams page.
  • These new email attack campaigns are the latest evidence of the surge in threat actor activity seeking to exploit workplace disruptions caused by the COVID-19 pandemic.

*Source

Trump Declares National Emergency As Foreign Hackers Threaten U.S. Power Grid

  • He signed an executive order banning, “acquisition, importation, transfer, or installation,” of bulk-power system electricity equipment from companies under foreign adversary control.
  • The executive order also confirmed that a task force had been established, with members including the Secretary of Defense, Secretary of Homeland Security, and the Director of National Intelligence, to work to protect against national security threats to energy infrastructure.
  • What this order did not do is go as far as naming any specific foreign adversaries, nor the companies they may control.

*Source

GoDaddy notifies users of breached hosting accounts

  • The security incident that took place on October 19, 2019, was discovered on April 23, 2020, after the company’s security team discovered an altered SSH file.
  • GoDaddy is the world’s largest domain registrar and a web hosting company that provides services to roughly 19 million customers around the world.
  • The company says that it has not yet found any evidence of the attackers adding or modifying any files on the impacted accounts’ hosting. Additionally, the company assured the affected users that only their hosting accounts were affected as part of the incident, while their main GoDaddy account was not accessible to the attackers.

*Source

Home affairs data breach may have exposed personal details of 700,000 migrants

  • Privacy experts say the breach in the SkillsSelect platform, which affects data going back to 2014, was ‘very serious’.
  • At a time when the federal government is asking Australians to trust the security of data collected by its Covid-Safe contact tracing app, privacy experts are appalled by the breach, which they say is just the latest in a long line of cybersecurity blunders.
  • With just two clicks, users of the app can view a range of fields including the applicants’ “ADUserID”, a unique identifier composed of partial name information and numbers.

*Source

Fuzzy anonymity rules could stymie EU’s big data sharing ideas

  • The EU wants to see more non-personal data shared between businesses, but that could prove easier said than done.
  • On 19 February, the European Commission presented a three-part package to boost Europe’s digital economy, including a European strategy for data.
  • One of the suggestions to encourage data sharing across the bloc is to give public subsidies to a so-called “European cloud,” prompting cries of “protectionism” from outside the EU.

*Source

A real estate agent has been defrauded of $120k in ‘sim hijacking’ scam

  • That real estate agent told Stuff he began experiencing network issues with his phone while in a remote part of the province, a week before Christmas.
  • The fraud involved impersonating victims and applying for new sim cards through their telco, before accessing bank accounts and withdrawing huge sums of cash in the weeks before Christmas last year.
  • His victims included a woman in Mangawhai Heads who lost more than $200,000, a retired man in Remuera who lost $180,000 and an Otago-based real estate agent who lost $120,000.

*Source 

WEEK OF MAY 18, 2020

Europe’s privacy law hasn’t shown its teeth, frustrating privacy advocates

  • Nearly two years in, there has been little enforcement of the General Data Protection Regulation, once seen as ushering in a new era.
  • The inaction is creating tension within European governments, as some leaders call for speedier enforcement and broader changes. Privacy groups and smaller tech companies complain that companies like Facebook and Google are avoiding tough oversight.
  • At the same time, the public’s experience with the G.D.P.R. has been a frustrating number of pop-up consent windows to click through when visiting a website.

*Source

Hackers exploit SQL injection zero-day issue in Sophos firewall

  • Sophos releases an emergency patch to address an SQL injection flaw in its XG Firewall.
  • Attackers could exploit the issue to steal sensitive data including usernames and hashed passwords for the firewall device admin, and user accounts used for remote access. Sophos pointed out that passwords associated with external authentication systems such as AD or LDAP are unaffected.
  • The security firm also recommends that companies disable the firewall’s administration interfaces on the internet-facing ports if they don’t need the feature.

*Source

An ADT employee had access to more than 200 customers’ home security systems

  • The worker was fired after an internal investigation revealed he had intermittent access to equipment, including cameras, for seven years.
  • According to a company spokesman, the Dallas-area technician added his personal email address to customers accounts during service visits. That gave him varying levels of access to their systems, including the video streams of security cameras.
  • The abuse was discovered in March after a DeSoto resident reported an unauthorized email address was associated with an account in the company’s app. ADT began an internal investigation and found the employee’s personal email address in 220 accounts.

*Source

‘Dramatic’ increase in cyberattacks says WHO, after passwords leaked online

  • Five times as many attacks against the World Health Organisation as hackers look to exploit the coronavirus outbreak.
  • The health organisation said around 450 active WHO email addresses and passwords had recently been leaked online, along with thousands belonging to others working on the coronavirus response.

*Source

Personal data Of 267 million Facebook users up for sale online for INR 42k

  • The data might have been gathered via web scraping or leakage in a third-party API.
  • Threat intelligence platform Cyble, which recently exposed the sale of over 500K Zoom accounts, was the first to report about the Facebook breach.
  • In a blog, Cyble revealed that personal data including email addresses, names, Facebook IDs, dates of birth and phone numbers were available in the database. Cyble claimed that its researchers had verified the data by purchasing it only for reviewing purposes.

*Source

Hackers may be attacking iPhones by sending emails that can infect phones without you even opening the email

  • The vulnerability specifically affects those who use Apple’s Mail app.
  • According to ZecOps researchers, the security vulnerability is particularly sophisticated because it doesn’t require users to click on anything in order for their devices to be infected.
  • The attackers send emails that install malicious software once Apple’s email reader begins downloading the message — the user doesn’t even need to open the message at all.

*Source 

WEEK OF MAY 11, 2020

Hacker leaks 23 million usernames and passwords from Webkinz children’s game

  • The game has been one of the most successful online children’s games of the past decade next to Disney’s Club Penguin.
  • However, today, an anonymous hacker has posted a part of the game’s database on a well-known hacking forum.
  • The hacker allegedly gained access to the game’s database using an SQL injection vulnerability present in one of the website’s web forms. Hackers were also successful in obtaining hashed versions of parents’ email addresses; however, this data has not been leaked.

*Source

Popular alternative app store Aptoide suffers major data breach

  • People who registered on Aptoide or used it between July 21 2016 and January 28 2018 are affected by the hack.
  • Aptoide posted an update regarding the breach on its blog, saying it was working with data center partners to figure out what happened. Furthermore, they claimed that most users probably aren’t affected as an account isn’t required to use the service.
  • Aptoide has confirmed that it’s temporarily disabled registrations, logins, reviews, and comments until it feels user information is safe. Nevertheless, this is a big blow to the app store, coming almost a year after it lashed out at Google Play Protect for labeling it a harmful app.

*Source

Two Illinois schoolchildren are suing Google for reportedly collecting biometric data

  • The claims allege that the tech giant is illicitly making use of the biometric data, including face scans, of millions of school students through its classroom software tools.
  • The lawsuit seeks damages of $1,000 for each member of the class for Google’s “negligently” committed violation of Illinois’ Biometric Information Privacy Act (BIPA), as well as a further $5,000 for each “intentionally or recklessly” committed violation.

*Source

New York State Confirms Breach of Government Network

  • The January incident led state officials to hire an external forensics firm and change thousands of employee passwords.
  • On Jan. 28, 2020, New York’s Office of Information Technology Services (ITS) discovered an intrusion into state government networks. Attackers had built tunnels into multiple servers used to transmit encrypted information.
  • Officials say New York hired security firm CrowdStrike in mid-February “to assess the scope of the situation.” ITS hired a third party when, a few weeks into its internal investigation, it discovered a previously unknown backdoor. New York is working with the FBI to learn the hackers’ identities.

*Source

The SBA just told thousands of businesses applying for disaster loans that their personal information was mistakenly leaked

  • The leak affects businesses that submitted economic-relief applications through the SBA’s website.

*Source

Cognizant’s ransomware attack is making peers like TCS and Infosys nervous — and they are beefing up security

  • According to Infosys’ chief operating officer, the ransomware attack had nothing to do with working from home.
  • Tata Consultancy Services (TCS) has shifted from the concept of offshore development centres (ODCs) to secure borderless workspaces (SBWS).
  • It is also looking into solutions that can help its employees work from home without compromising on security. However, that was already in the works even before news of the Cognizant ransomware broke.

*Source 

WEEK OF MAY 04, 2020

The data of more than 600,000 Email.it users is currently being sold on the dark web

  • The Email.it hack came to light on Sunday, when the hackers went on Twitter to promote a website on the dark web where they were selling the company’s data.
  • The hackers — going by the name of NN (No Name) Hacking Group — claim the actual intrusion took place more than two years ago, in January 2018.
  • The hackers claim the databases contain plaintext passwords, security questions, email content, and email attachments for more than 600,000 users who signed up and used the service between 2007 and 2020.

*Source

Interpol warns of cyberattacks on hospitals

  • Cybercriminals targeting critical healthcare institutions with ransomware amid pandemic.
  • In an alert sent to 194 nations, including India, Interpol said organisations at the forefront of the global response to the COVID-19 outbreak had also become targets of ransomware attacks, which were “designed to lock them out of their critical systems in an attempt to extort payments”.
  • “Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid,” Interpol said in a note.

*Source

Third Party Data Breach of GE Vendor Exposes Highly Sensitive Employee Information

  • The Fortune 500 electronics conglomerate has disclosed that the third party data breach occurred between February 3 and 14 of this year. The company did not become aware of the breach until February 28.
  • The third party data breach has reportedly exposed reams of personal information including direct deposit forms and tax forms containing social security numbers, scans of birth certificates and passports, applications for benefits, court orders and photos of driver’s licenses.
  • It would not be surprising to see lawsuits eventually emerge over negligent handling of all of this sensitive personal data.

*Source

RigUp exposes more than 70,000 private files belonging to its US energy sector clients

  • It appears the database was a ‘file dump’ used by RigUp to store various kinds of files belonging to its clients, contractors, job seekers, and candidates for employment.
  • Had it been discovered by malicious hackers, or leaked to the general public, warn the researchers, the impact on RigUp, its clients, and 1,000s of energy workers across the USA could have been devastating.
  • The vpnMentor team commends RigUp for responding positively to their disclosure, “especially at a time when it must be experiencing considerable disruption, due to the coronavirus pandemic,” write the researchers.

*Source

Scuf Gaming Exposed Over One Million Clients and Their Payment Data

  • The accessed information includes names, email addresses, redacted payment data, and more.
  • The security incident has resulted in the exposure of sensitive data belonging to customers of the company and its staff, and even of internal API keys.

*Source

Microsoft Confirms ‘Really, Really High’ Hacking Risk For Millions Of Users: Here’s What You Do Now

  • If you have an organization of 10,000 users, 50 of them are going to be compromised this month.
  • The truly shocking issue here is that only 11% of enterprise users make use of multi-factor authentication or MFA tools. That means a staggering 89% of accounts remain open to fairly simple attacks.
  • 80% of those compromised enterprise accounts, which if you do the quick math is almost 1 million hacked accounts in January alone, were hit by either “password spray” or “replay” attacks.

*Source 

WEEK OF APRIL 27, 2020

Tech Giant GE Discloses Data Breach After Service Provider Hack

  • GE says in a notice of data breach filed with the Office of the California Attorney General that Canon Business Process Services (Canon), a GE service provider, had one of their employees’ email accounts breached by an unauthorized party in February.
  • GE also states that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as “beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”
  • GE has also set up a support hotline at 1-800-432-3450 that affected individuals can call between 9 AM and 5 PM Eastern time, Monday through Friday.

*Source

Virgin Media Could Pay £4.5B for Leak Affecting 900,000 Customers

  • A misconfigured database holding personal data was left available online between April 2019 and February 2020.
  • Between April 2019 and late February 2020, a misconfigured database exposed customer information including full names, email addresses, birthdates, and contact phone numbers.
  • For some users, it exposed requests to block or unlock pornographic or explicit content. If accessed, the data could give cybercriminals means to launch phishing attacks or blackmail customers.

*Source

Personal details for the entire country of Georgia published online

  • A file containing personal information for 4,934,863 Georgians has been published on a hacker forum over the weekend.
  • Personal information such as full names, home addresses, dates of birth, ID numbers, and mobile phone numbers were shared online in a 1.04 GB MDB (Microsoft Access database) file.
  • The leaked data was spotted by Under the Breach, a data breach monitoring and prevention service, and shared with ZDNet over the weekend. The database contained 4,934,863 records including details for millions of deceased citizens.

*Source

Marriott announces possible data breach

  • Marriott notified up to 5.2 million guests of a possible data breach via email.
  • The hotel group says that it identified that “an unexpected amount of guest information” may have been accessed using the login credentials of two employees from mid-January to the end of February.
  • Marriott disabled the login credentials upon discovery of the activity and says it is carrying out an investigation into the matter. The company has also “implemented heightened monitoring and notified relevant authorities”.

*Source

42 million Iranian “Telegram” user IDs and phone numbers leaked online

  • The data was posted by a group called “Hunting system” (translated from Farsi) on an Elasticsearch cluster that required no password nor any other authentication to access. It was removed after Diachenko reported the incident to the hosting provider on March 25.
  • Telegram says the data came from an unofficial “fork” of Telegram, a version of the app unaffiliated with the company. Telegram is an open-source app, allowing third parties to make their own versions of it. Because the official Telegram app is frequently blocked in Iran, many users flock to unofficial versions.

*Source

If You Work From Home, the FBI Has a Warning for You

  • Millions of Americans have started working from home in the last few weeks, and as they do, scammers and hackers have seized the opportunity.
  • While it’s impossible to eliminate every risk, the good news is that there are a few things you can do to protect yourself and your information from hackers and other bad actors.
  • Secure Your Zoom Meetings
  • Don’t Click on Unfamiliar Links
  • Don’t Give Up Login Info
  • Don’t Download Attachments
  • Put a Password on Your Wi-Fi
  • Use a VPN

*Source 

WEEK OF APRIL 20, 2020

A UK-based Security Company Seemed To Have Inadvertently Exposed Its ‘Leaks Database’ with 5B+ Records

  • On March 16th I found an unprotected and thus publicly available Elasticsearch instance which appeared to be managed by a UK-based security company, according to the SSL certificate and reverse DNS records.
  • Even though most of the data seems to be collected from previously known sources, such a large and structured collection of data would pose a clear risk to people whose data was exposed. An identity thief or phishing actor couldn’t ask for a better payload.
  • Fraudsters might target affected people with scams and phishing campaigns, using their personal information to craft targeted messages.

*Source

Major data breach exposes database of 200 million US users

  • 800GB of personal user information was left unsecured online.
  • Based on its analysis of the database, CyberNews believes that much of the data it contained may have originated from the US Census Bureau.
  • The records stored in the unsecured database contained the full names and titles of the exposed individuals, email addresses, phone numbers, dates of birth, credit ratings, home addresses, demographics including numbers of children and their genders, detailed mortgage and tax records and other personally identifiable information.

*Source

Norwegian Cruise Line Suffers Data Breach

  • Information from a database belonging to Norwegian Cruise Line was discovered on the dark web by an intelligence team at DynaRisk on March 13.
  • Data exposed in the incident included clear text passwords and email addresses used to log in to the Norwegian Cruise Line travel agent portal by agents working for companies including Virgin Holidays and TUI.
  • DynaRisk said data relating to 29,969 travel agents was breached from the portal on the agents.ncl.eu website on March 12. Norwegian is the third cruise line this month to hit the cybersecurity headlines. Princess Cruises and Holland America Line both reported being hacked on March 2.

*Source

Slickwraps slapped with a class-action lawsuit after the recent data breach

  • The suit alleges that Slickwraps “was well aware that it had lax data security measures”.
  • The suit, Almeida et al. v. Slickwraps Inc., was filed on March 12th in California’s Eastern District Court. It alleges that Slickwraps “was well aware that it had lax data security measures and did absolutely nothing to prevent the very kind of cyber security incident that occurred.”
  • The filing also mentions that Slickwraps does not have a privacy policy of any kind, which isn’t entirely true — the privacy policy is “Coming Soon.”

*Source

Hacker selling data of 538 million Chinese social network Weibo users

  • Data for 538 million Weibo users, including 172 million phone numbers, has been put up for sale on the dark web.
  • In ads posted on the dark web and other places, a hacker claims to have breached Weibo in mid-2019 and obtained a dump of the company’s user database.
  • The database allegedly contains the details for 538 million Weibo users. Personal details include the likes of real names, site usernames, gender, location, and — for 172 million users — phone numbers.

*Source

Zoom’s iOS app is sending your data to Facebook because privacy is a myth

  • The app is nonconsensually sending data to Facebook — even if you don’t have a Facebook account.
  • What’s more shocking is that the company’s privacy policy makes no mention of it. Plus, the app doesn’t make it clear anywhere that it’s sending your data to the social network.
  • Every time you open the app, it sends your data to Facebook including your device’s model, network provider, time zone, city, and a unique device identifier that advertisers can use to send you targeted ads.

*Source 

WEEK OF APRIL 13, 2020

4 steps you should take to secure your Gmail account right away

  • You wouldn’t like someone snooping around your Gmail account, would you? I can’t blame you. Lock it down right now.
  • It’s time to step up your password game. Use unique, randomly generated passwords, for every online account you have. Keeping track of all those passwords is easy when you use a password manager.
  • With two-step verification, sometimes called two-factor authentication, hackers would need your password and a randomly generated six-digit passcode or physical access to your phone before they could gain access to your account.
  • It’s possible that a hacker (or an ex) is accessing your account without your knowledge. If you suspect any unkosher activity, sign out of all other Gmail web sessions and immediately change your password.
  • Since the time that you first set up your Gmail account, you may have changed your phone number, or ditched an old email account. So it’s a good idea to double-check your backup contact methods. 

*Source

Anonymous secret sharing app Whisper left sensitive profile data exposed for years

  • The database was not password protected and anyone could search and download it.
  • The app, while far from as popular as it was in the few years after its release in 2012, is still used by more than 30 million people a month, some of whom are under the age of 18 and share confessions about teenage sexual encounters and information related to sexual orientation.
  • The database did not include real names, as Whisper was designed to protect users’ identities and allow them to share secrets anonymously. But the records left unprotected online included information like age, location, ethnicity, residence, in-app nickname, and membership in any of the app’s groups.

*Source

Thousands of Malaysian credit card details leaked in massive breach

  • According to experts, the breach is made up of a collective loss of data over the past 6 months, as opposed to a single event.
  • The cybersecurity experts said that 37,145 credit cards have been hit in Malaysia—although credit card holders in the Philippines are the most affected, with 172,828 cards breached. The details are being dumped online, and even more card details are still being compromised.
  • This isn’t the first time we’re hearing of a massive data breach—only recently, passengers’ personal information was exposed when subsidiaries of Lion Air were affected.

*Source

Microsoft has taken down the world’s largest Necurs botnet that infected nine million computers globally

  • The botnet is known for distributing several kinds of malware, particularly the Locky ransomware, and is believed to be operated from Russia.
  • The world’s largest botnet was taken down as a coordinated operation between Microsoft and partners across 35 countries.
  • The Necurs botnet was first detected in 2012. It primarily acts as a dropper for other malware; between 2016 and 2019 it emerged as the largest botnet, responsible for 90% of the malware spread by email worldwide.

*Source

Sweden fines Google $8 million for right-to-be-forgotten violations and demands it keep websites in the dark

  • The crux of the Swedish DPA’s complaint is that Google did not “properly remove” two search result listings after it was instructed to do so back in 2017.
  • Sweden’s Data Protection Authority (DPA) has slapped Google with a 75 million kronor ($8 million) fine for “failure to comply” with Europe’s General Data Protection Regulation (GDPR) after the internet giant reportedly failed to adequately remove search result links under right-to-be-forgotten requests.
  • Europe’s right-to-be-forgotten regulation, which dates back to 2014, was designed to help people delist specific web pages that contain potentially “damaging” information.

*Source

Millions of online shoppers have data exposed

  • Database with millions of sales records was left unprotected online by a third-party app.
  • According to Comparitech, the documents in the database contained sales records including customer names, email addresses, addresses, purchases, the last four digits of credit card numbers and other personal information.
  • Of the exposed data, roughly half of it was in the form of sales records from Amazon UK and Ebay. Shopify, PayPal and Stripe records made up a smaller portion of the data along with several other smaller marketplaces and payment systems.

*Source 

WEEK OF APRIL 06, 2020

A major new Intel processor flaw could defeat encryption and DRM protections

  • Security firm Positive Technologies discovered the flaw, and is warning that it could break apart a chain of trust for important technology like silicon-based encryption, hardware authentication, and modern DRM protections.
  • The root of the flaw is Intel’s Converged Security Management Engine (CSME), the part of Intel’s chips that’s responsible for securing all firmware that runs on Intel-powered machines.

*Source

Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale

  • Affected users should also be on the lookout for mobile SMS phishing (smishing) scams that pretend to be Koodo and utilize information obtained from this breach.
  • According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.
  • This information can be used by scammers to port Koodo Mobile numbers to attackers’ devices to receive 2-factor authentication codes, which could allow attackers to gain access to email and bank accounts.

*Source

Polish school hit with GDPR fine for using fingerprints to verify students’ lunch payments

  • This highlights the fact that GDPR isn’t only about imposing gargantuan fines, as it has in other high-profile cases.
  • A school in Poland has been fined €4,600 ($5,200) for breaching Europe’s General Data Protection Regulation (GDPR) after it was found to be processing students’ fingerprint data to verify whether they had paid for school lunch.
  • While parental consent was obtained for the biometric ID program, Poland’s Personal Data Protection Office (UODO) found that the system was “not essential for achieving the goal of identifying a child’s entitlement to receive lunch.”

*Source

Walgreens Mobile App Leaks Prescription Data

  • A security error in the Walgreens mobile app may have leaked customers’ full names, prescriptions and shipping addresses.
  • “As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers,” according to a Walgreens data security incident customer notification.
  • That potentially exposed data includes first and last names of customers, their prescription numbers and drug names, store numbers that customers picked up prescriptions from, and shipping addresses.

*Source

Ransomware attack on sheep farmers shows there’s no room for woolly thinking in cyber security

  • Wool sales were severely disrupted last week by a ransomware attack on IT company Talman Software, which processes more than 75% of sales in Australia and New Zealand.
  • A ransomware attack on such an important sector of Australia’s economy shows how vital it is for authorities to defend markets against cyber threats.
  • Wool sales were halted for several days and hastily rescheduled, with an estimated 70,000 bales held in limbo. The industry’s turnover in a typical week is up to A$80 million, but prices may now drop as the postponed sales cause a glut in the market.

*Source

WEEK OF MARCH 30, 2020

Louisiana’s governor declared a state of emergency after a cybersecurity attack on government servers

  • The attack prompted an outage of “many state websites and emails” on Monday “due to the state taking extreme emergency protective measures, including shutting down server traffic, to neutralize the attack.”
  • Louisiana is no stranger to declarations of emergency, but it had never had one for a cybersecurity emergency until recently.
  • A series of attacks on school districts around the state led Governor John Bel Edwards to issue the declaration that brings new resources and statewide coordination to what had been a collection of local cybersecurity events.

*Source

Cathay Pacific hit with £500,000 fine for customer data breach

  • The Information Commissioner’s Office (ICO) said that, between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures, which led to customers’ personal details being exposed. Of those customers, 111,578 were from the UK, with around 9.4 million more worldwide.
  • The Cathay Pacific data breach occurred before GDPR came into force in May 2018, which introduced significantly higher financial penalties for security breaches.

*Source

Boots stops Advantage Card payments after cyber attack on 150,000 customers’ accounts

  • The suspension comes after the company’s IT security team spotted “unusual” activity on a number of Boots Advantage Card accounts with the aim of accessing and spending the points.
  • The chain told the PA news agency the issue affected less than 1% of the company’s 14.4 million active Advantage Card users – around 150,000 people. But Boots insisted no credit card information had been accessed.

*Source

Virgin Media data breach affects 900,000 people

  • The database, which was for marketing purposes, contained phone numbers, home and email addresses. The breach was not due to a hack or a criminal attack, but because the database had been “incorrectly configured” by a member of staff not following the correct procedures.
  • The company said almost all of those affected were Virgin customers with television or fixed-line telephone accounts, although the database also included some Virgin Mobile customers as well as potential customers referred by friends as part of a promotion.

*Source

Zynga Faces Lawsuit Over Massive Words with Friends Breach

  • The Zynga complaint was filed on behalf of a minor and his parent, in the U.S. District Court for California. It seeks class status and at least $5 million in damages.
  • It accuses the game developer of negligence and a failure to safeguard victims’ personally identifiable information (PII), thanks to “substandard password security.” The complaint adds that the incident could lead to “further irreparable harm to the plaintiffs’ personal, financial, reputational and future well-being.”

*Source

 

The breaches at J.Crew, T-Mobile, and two units of cruise-line operator Carnival Corp. show that millions of customers can feel the effect of even the simplest exploit.

  • The separate incidents show how data theft knows no market-based limits.
  • J.Crew said that customers’ email addresses and passwords were obtained by an unauthorized third party and that significant additional personal information could have been accessed in the April 2019 incident.
  • T-Mobile disclosed a breach affecting an unknown number of customers.
  • Holland America Line and Princess Cruises, two units of Carnival Corp, disclosed a breach from May 2019 in which personal information including mail accounts, names, Social Security numbers, and credit card information was illegally accessed.

*Source 

WEEK OF MARCH 23, 2020

Survey by Security.org found that one in four Americans won’t do business with data-breached companies

  • In 2018, roughly five billion people had their information and sensitive data exposed due to hacks.
  • The findings showed that almost one in four Americans stop doing business with companies who have been hacked, and more than two in three people trust a company less after a data breach.
  • Breaches normally expose email addresses (49.5%) or full names (47.8%), but 13.8% of breaches expose credit card information and 11.8% of breaches expose debit card information.

*Source

Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach

  • In a brief statement, the company confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft of data.”
  • Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data. The DoppelPaymer ransomware has been active since the middle of last year, and its victims have included the Chilean government and Pemex, Mexico’s state-owned petroleum company.

*Source

A shocking 623 million records breached in February 2020 alone

  • At first glance, February appears to be a big improvement cyber security-wise compared to the start of the year. The 632,595,960 breached records account for about a third of January’s total, and the figure is considerably lower than those for this time last year.
  • Unfortunately, the number of breached records doesn’t tell the full story, as there were a whopping 105 incidents – making February 2020 the second leakiest month we’ve ever recorded.

*Source

Home Office Admits to 100 GDPR Breaches in EU Scheme in just five months

  • The Home Office claimed it is getting better at data protection. The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
  • Between March 30 and August 31, 2019, the government department admitted a catalog of errors including misplaced passports, documents sent to the wrong recipient’s address and unauthorized disclosure, according to the Independent Chief Inspectorate of Borders and Immigration (ICIBI).

*Source

A researcher at Security Discovery found that user data of those who connected to free Wi-Fi hotspots at several train stations in the UK had been stored in a non-password protected database

  • The database contained 146 million records which included email addresses, age ranges, the reason for travel, device data, and other logs.
  • C3UK, which operates the database, restricted public access to the database on Friday, February 14th, the same day that it was reported. As more and more free Wi-Fi hotspots begin to pop up around towns and cities, both providers and consumers will have to start thinking about how to better protect data.

*Source

 

According to a study conducted by the Ponemon Institute, 68% of respondents say their organization has put more resources toward security technologies to detect and respond quickly to a data breach.

  • Since 2017, the share of respondents who say their organization is very confident or confident in its ability to deal with spear phishing attacks has declined from 31% to 23%.
  • More organizations are also taking additional steps to prepare beyond their data breach response plan. These steps include:
  • Regularly reviewing physical security and access to confidential information (73%, up 3%)
  • Conducting background checks on new full-time employees and vendors (69%, up 4%)
  • Integrating data breach response into business continuity plans (56%, up 4%)
  • Subscribing to a dark web monitoring service (26%, up 7%)

*Source 

WEEK OF MARCH 16, 2020

Ransomware installs Gigabyte driver to kill antivirus products

  • RobbinHood ransomware deploys a novel technique to make sure it can encrypt files without being interrupted.
  • Gigabyte’s fault lies in the unprofessional manner in which it dealt with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.
  • Other ransomware gangs are expected to incorporate this trick into their arsenals as well, leading to more attacks using this technique.

*Source

Powerful Cyber Attack Takes Down 25% Of Iranian Internet

  • The NetBlocks internet observatory, which maps internet freedom in real-time, confirmed that there was extensive Iranian telecommunications network disruption, resulting in national internet connectivity dropping to 75%.
  • With both fixed-line and mobile network providers impacted, it was seven hours before normal internet connectivity was resumed. This is just the latest in a long line of alleged cyber-attacks against Iranian infrastructure.
  • Earlier last year, the U.S. had launched an “offensive cyber strike on Iran to disable the computer systems used to control rocket and missile launches.”

*Source

India’s Data Protection Bill Threatens Global Cybersecurity

  • The proposed ban on re-identification discourages researchers from investigating security weaknesses—and encourages criminals to exploit them.
  • The most alarming feature of the bill is how it would criminalize illegitimate re-identification of user data. Because of this, software vendors might be tempted to initiate legal action against security and privacy researchers, hampering research altogether.
  • Faced with a risk of fines or even prison, who would dare act in good faith, with the public interest in mind?

*Source

App Used by Netanyahu’s Likud Leaks Israel’s Entire Voter Registry

  • Names, identification numbers and addresses of over 6 million voters were leaked through the unsecured Elector app.
  • The security lapse allowed anyone to obtain the leaked information in its entirety without using sophisticated tools. Right-clicking on the Elector app’s home page and choosing “view source” revealed the original code of the internet page. The code revealed all the usernames and passwords of system admins, allowing one to log in and download the registry.

*Source

Several email apps were found to scrape the contents of people’s inboxes and sell that data

  • Email apps scraping people’s inboxes for profit include Edison, Cleanfox and Slice. The apps are primarily interested in tracking “transaction data,” gleaning information from receipts and shipping emails that show people’s consumer behavior.
  • A spokesperson for Rakuten, the company that owns Slice, told Business Insider that the company tells its users that it is collecting their data for market research and that the company values “the protection of consumer privacy.”

*Source 

Facebook employees reportedly feel guilty that the company didn’t fix a known security risk fast enough

  • Concerns about the risk posed by “access tokens” – digital keys that allow access to users’ accounts – were raised as early as December 2017. According to the report, Facebook employees said concerns about the tokens were largely ignored, and that the hack “could have been prevented.”
  • Hackers were able to generate tokens for other users, gaining access to their accounts, through Facebook’s “View As” feature, leading to 50 million accounts’ access tokens being compromised.

*Source 

WEEK OF MARCH 9, 2020

GDPR enforcement is on fire

  • While fines are not always particularly high, in terms of volume, data protection authorities (DPAs) are rapidly increasing their GDPR enforcement activities. Some interesting trends are:
  • DPAs have levied 190 fines and penalties to date.
  • Failures of data governance — not security — trigger the most fines and penalties.
  • Breaches get the enforcement ball rolling but are just a starting point.
  • Compromised data from a single customer can be expensive.
  • Failure to respect individuals’ rights will lead to the next wave of fines and penalties.
  • Third-party risk management is the next big thing in the privacy arena.

*Source

Toll stops services after security breach

  • Toll has not said how many customers are affected. The company delivers 95 million items around the globe every year, including United States travel documents to Australians.
  • “As a precautionary measure, in response to a cyber security incident on Friday, Toll deliberately shut down a number of systems across multiple sites and business units,” a spokesperson said.
  • “Toll is making progress with our recovery activities to restore our systems and Toll customer-facing applications,” the spokesperson said.

*Source

Twitter Data Breach: Govt Accounts Tried To Access User Phone Numbers

  • A large network of fake accounts was being used to exploit its API and match usernames to phone numbers.
  • “While we identified accounts located in a wide range of countries engaging in these behaviours, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” Twitter said.
  • The company said it is also possible that some of these IP addresses may have ties to state-sponsored actors.

*Source

Pabbly Email Marketing Exposes 51.2 Million Records Online

  • One more data leak in recent times, caused by a publicly accessible cloud database left without password protection.
  • The records appear to go back to 2014 and contained customer names, email addresses, subject lines, email messaging and more internal records like host path and SMTP data. It should be noted that Pabbly also offers email scrubbing, where users upload their own lists and Pabbly removes invalid and duplicate email addresses and provides users with a “clean list”.

*Source

Health Share of Oregon discloses data breach, theft of member PII

  • A burglary and a laptop stolen from GridWorks IC, a vendor hired by Health Share of Oregon, have led to the exposure of Medicaid member data.
  • Information contained on the laptop included names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. This data can now be considered as potentially compromised but the CCO says that no personal medical histories were involved in the data breach.
  • Due to the nature of the theft, Health Share of Oregon is not able to confirm what happened to the laptop and information contained therein, including whether or not the records have been utilized or sold.

*Source

 

Major Data Breach Exposes Card Details of Half a Million Indians

  • Cybersecurity company Group-IB on Friday revealed that a database of over 460,000 payment card records was posted on one of the most popular darknet card shops on 5 February.
  • The worrying bit about the report is that over 98 percent of records detected belonged to some of the biggest Indian banks. The report also mentions that the market value of this database on the dark web is estimated at more than $4.2 million. This is the second major incident to have been reported in less than six months involving data of Indian debit or credit card users.

*Source