SecureFact™

Your curated list of Data Security News happening across the world, in a simple yet intuitive form for fast-paced cybersecurity professionals.

WEEK OF SEPTEMBER 29, 2020

US Staffing Firm Hit by Ransomware Again

  • One of the largest IT staffing companies in America has been hit by a second ransomware attack in nine months.

  • At the start of September, Artech Information Systems disclosed a data breach caused by a ransomware attack perpetrated between January 5 and 8, 2020.

  • Attackers deployed the ransomware three days after gaining unauthorized access to some of the company’s systems. The incident was picked up by the company following reports of suspicious activity on the user account of an Artech employee.

*Source 

Medical group announces data breach of patient information at Montana hospitals

  • SCL Health Medical Group announced on Sept. 10 a data breach of patient information that occurred earlier this year, including personal information of patients at three Montana hospitals.
  • The information that may have been accessed includes patient names, dates of birth, addresses, phone numbers, email addresses, admission dates, hospital locations, service locations and treatment providers.

  • A forensic investigation conducted by the company determined that encrypted information stored in Blackbaud, such as social security numbers, financial accounts and credit card information, was not accessed. The incident did not involve any access to medical systems or electronic health records.

*Source

The Real Cost of a Data Breach for Your Brand

  • The aftermath can hurt in more ways than just a bank balance.
  • Customer trust is the cornerstone of any brand’s success, and a failure of data security impacts this all-important area immediately. Studies show that private data such as credit card and social security numbers are top targets and that 48 percent of consumers have cut ties with brands that have had a security breach.

  • A data breach can drive a promising day straight into the gutter and leave your business in pain for much longer. A data breach blows the doors off any sense of security for your customer base and is blood in the water to competitors. The best way to attend to both issues is to ensure your internal systems are prepared to meet the moment.

*Source

Minnesota Suffers Second-Largest Data Breach

  • Hundreds of thousands of Minnesotans are receiving letters warning them that their data may have been exposed in the second-largest healthcare data breach in state history.

  • Attackers gained access to copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud computing systems. Individuals impacted by the breach have been warned to monitor their medical bills for any instances of fraud.

  • To date, over 3 million people in the United States have been impacted by the attack on Blackbaud, which has also impacted a number of universities, charities, and organizations in the United Kingdom. 

*Source

SFU ransomware attack exposed data from 250,000 accounts, documents show

  • Officials didn’t disclose the number in March, when personal data of students, faculty and alumni were compromised.
  • The information included student and employee identification numbers, full names, birthdays, course enrolments and encrypted passwords. Accounts were also linked to staff and retirees.
  • The loophole arose when a developer replaced a software tool on an SFU computer and assumed the new version behaved the same way. The previous version had allowed local network access only, but the new software was open globally to the internet.

*Source

Shopify announces data breach affecting fewer than 200 merchants

  • The e-commerce giant (SHOP) (SHOP.TO) says the data breach was a result of “two rogue members” on a support team who allegedly “engaged in a scheme to obtain customer transactional records of certain merchants.”
  • Shopify added this was not a result of technical issues or vulnerabilities and that “the vast majority of merchants using Shopify are not affected.”
  • It did note that data of customers related to those merchants could have been exposed, including contact information like email and names, addresses, order details, and products and services purchased.

*Source 

WEEK OF SEPTEMBER 21, 2020

Magecart Attack Impacts More Than 10K Online Shoppers

  • Close to 2,000 e-commerce sites were infected over the weekend with a payment-card skimmer, possibly the result of a zero-day exploit.

  • According to Sansec Threat Intelligence, online stores running Magento versions 1 and 2 are being targeted in a classic Magecart attack pattern, where e-commerce sites are hacked, either via a common vulnerability or stolen credentials.

  • Researchers recently reported that they have seen an uptick in the number of e-commerce sites that are being attacked by Magecart and related groups, dovetailing with new tactics.

*Source 

Staples discloses data breach exposing customer order data

  • The office retail giant sent out a data breach notification letter to the impacted customers; the incident took place around September 2.
  • According to the notification, no sensitive data was exposed and an unauthorized party only accessed a limited amount of order data for customers of Staples.com.

  • Staples revealed that the exposed order data includes customers’ names, addresses, email addresses, phone numbers, last four credit card digits, product cost, delivery details and products ordered. The data accessed by the hackers did not include account credentials or full payment card data.

*Source

Hackers working for China have successfully compromised US government systems, according to a federal cybersecurity agency

  • Hackers linked to the Chinese government have successfully infiltrated US government systems across “many sectors,” according to the Cybersecurity and Infrastructure Security Agency and the FBI.
  • The report suggests that, after vulnerabilities are discovered and publicized by US defenders, hackers are often able to exploit the vulnerabilities before government agencies patch them.

  • CISA did not specify which agencies were compromised or how many records were potentially stolen, but says that hackers were frequently successful using “low-complexity” methods.

*Source

Blackbaud hack: US healthcare organizations confirm data breach impacted 190,000 patients

  • So far, the Blackbaud incident has affected hundreds of organizations from healthcare providers to universities and other charities.

  • Children’s Minnesota, one of the largest children’s healthcare organizations in the US, recently announced that the personal data of more than 160,000 patients may have been compromised in the incident.

  • Joseph Carson, chief security officer at Thycotic, added: “It is essential to perform a data impact and risk assessment on any software a company decides to use such as what data is being collected, what security controls it has, data integrity and availability such as a strong data backup and resiliency.”

*Source

Ransomware warning: Hackers are launching fresh attacks against universities

  • Cybersecurity agency warns about a spike in ransomware attacks targeting universities and colleges.
  • With colleges and universities gearing up to start the new academic year and welcome new students – while already facing challenges because of the ongoing coronavirus pandemic – they’ve been urged to make sure their cybersecurity infrastructure is ready to defend the additional challenge of a ransomware attack.
  • The warning from the UK’s National Cyber Security Centre (NCSC) – the cyber arm of GCHQ – comes following a recent spike in hackers targeting universities with ransomware attacks during August. In some instances, hackers have not only demanded a significant bitcoin ransom from victims of attacks, but they’ve also threatened to leak stolen personal data of students if they’re not paid.

*Source

Brazil’s LGPD now in effect — what does this mean for enforcement?

  • The LGPD, strongly inspired by the EU General Data Protection Regulation, establishes various obligations and principles regarding the treatment of people’s personal data.
  • Simply and objectively speaking, the entry into force of the LGPD now generates the immediate need for companies to adjust their practices to the law because its rules are valid without delay.
  • With the postponement of the penalties until 2021, companies need to be aware that the law can already be applied by the courts or other competent authorities, making it a valuable instrument to protect personal data.

*Source 

WEEK OF SEPTEMBER 14, 2020

Service NSW reveals 738GB of customer data was stolen during email breach

  • Attack accessed 47 staff email accounts and affected 186,000 customers.

  • Service NSW said it would now progressively notify affected customers by sending personalised letters via registered post containing information about the data that was stolen and how they could access support, including access to an individual case manager to help with possibly replacing some documents.

  • Service NSW said that in light of the incident it has added additional security measures to protect against future attacks, such as partnering with IDCare, which will provide the agency with additional “cyber support”.

*Source 

China Launches Initiative to Set Global Data-Security Rules

  • The move, unveiled Tuesday, is meant to counter the U.S. Clean Network effort.
  • China’s initiative has eight key points including not using technology to impair other countries’ critical infrastructure or steal data, and making sure service providers don’t install backdoors in their products and illegally obtain user data.
  • It is unclear if any country has signed up to China’s initiative and how it will be implemented and policed. But the world’s second-largest economy has been looking to increase its role in setting standards around the world.

*Source

Cyberattackers Go Global To Steal Company Cash

  • With cyberattacks skyrocketing amid the pandemic, new data is rolling out to paint a picture of just how damaging the ramped-up thievery has become.
  • $80,000 is now the average amount phishers demand from their business email compromise targets, according to new research from the Anti-Phishing Working Group (APWG) in its second-quarter 2020 Phishing Activity Trends Report.

  • Yet, as researchers pointed out, the amount of funds sought varies significantly from one attack to another, with one particular BEC-attack group seeking an average of $1.27 million per targeted attack. The average sought in a BEC scam is up from $54,000 in the first quarter of the year.

*Source

How can the C-suite support CISOs in improving cybersecurity?

  • The shift to widespread remote work has made a compelling case for the need to bring security within the remit of other departments.

  • While CISOs continue to spearhead the development of the organization’s security program and define the security mission and culture, other C-suite executives can vocally support these programs to ensure their integrity throughout the whole process, from vision and development to implementation and ongoing enforcement.

  • One likely companion for this type of cross-department alignment is the Chief Operating Officer (COO). This means a good COO today needs to encourage a business culture that supports security efforts thoroughly, while also ensuring security is prioritized at a tactical level.

*Source

Gaming hardware manufacturer Razer suffered a data leak

  • An unsecured database managed by the company containing gamers’ info was exposed online.
  • A discovery by security researcher Bob Diachenko found that the unsecured database exposed the information of approximately 100,000 individuals who purchased items from Razer’s online store.
  • The unsecured database was discovered on August 19; it contained customers’ info, including name, email address, phone number, order numbers, order details, and billing and shipping addresses.

*Source

Inova Suffers Third-Party Data Breach

  • The breach occurred as part of a ransomware attack against service provider Blackbaud.
  • According to Blackbaud, data was exfiltrated between February 7, 2020, and May 20, 2020. The exfiltration was part of a ransomware attack that did not succeed in encrypting significant data at Blackbaud.
  • Ultimately, though, the company says that it paid a ransom in order to have the exfiltrated data destroyed, which it says was done.

*Source 

WEEK OF AUGUST 31, 2020

Marriott International faces class action suit over mass data breach

  • Technology consultant leads legal action after hackers stole personal details of 300m guests.
  • Martin Bryant, a technology consultant, is leading the legal action on behalf of people living in England or Wales who made a reservation to stay at one of Marriott International’s Starwood properties before 10 September 2018.
  • The UK’s data watchdog, the Information Commissioner’s Office (ICO), revealed in July 2019 its intention to fine Marriott International almost £100m as a result of the data breach. The ICO proposed a £99.2m fine for Marriott, after finding that about 7 million of the customers whose records were hacked were UK residents.

*Source 

Russian National Arrested for Conspiracy to Hack Nevada Company

  • The defendant allegedly planned to pay an employee $1 million to infect the company network with malware.
  • The complaint alleges that between July 14, 2020, and Aug. 22, 2020, Kriuchkov conspired with associates to recruit an employee to infect the company’s network with malware.
  • While the report does not specify the target company, it does note this malware would have given the attackers access to the company’s system. Following the infection, they would steal data from the network and threaten to publish it unless the organization paid their demanded ransom.

*Source

Higher Education CISOs Share COVID-19 Response Stories

  • Security leaders from Stanford, Ohio State, and the University of Chicago share challenges and response tactics from the COVID-19 pandemic.
  • Among the core threats CISOs are most concerned about are dramatic increases in phishing and vulnerability of user devices given the lack of visibility and control mechanisms.

  • Looking ahead, CISOs are concerned about what may happen if employees stay remote for the long haul. While there are things students can do to stay safe in the meantime – applying OS updates, not reusing passwords, patching apps – permanent remote work will bring challenges.

*Source

iPhone flaw lets hackers steal your personal data — don’t do this in Safari

  • Safari exploit can trick you into sharing personal data with malicious websites on iPhones and Macs.

  • An unpatched flaw in the Apple Safari browser lets hackers steal your browsing history, bookmarks, downloads or any other file that Safari can access, a Polish security researcher claims. The problem seems to exist on both Macs and iPhones.

  • To avoid falling victim to this sort of thing, don’t use Web Share in Safari for the time being. If you want to share a link with friends, fall back on the tried ‘n’ true method of selecting the link in the browser address bar, copying it, opening up an email or messaging app and pasting it into the body of the text.

*Source

Paytm Mall suffers massive data breach as hackers gain ‘unrestricted access’ into database: Report

  • The breach potentially affects all accounts and related information at Paytm Mall. Paytm is yet to make an official statement on the breach.
  • Global cyber intelligence agency Cyble stated that the John Wick hacker group gained unrestricted access to Paytm Mall’s entire production database through a backdoor, which potentially affects all accounts and related information at Paytm Mall.

*Source

It’s never the data breach — it’s always the cover-up

  • The felony charges levied against the former Uber CSO paint him as actively masterminding and executing a plan to cover up a major data breach. This serves as a reminder that CSOs and CISOs must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact.
  • In November 2016, Uber learned of a data breach. Hackers threatened to expose the stolen data. Uber paid a ransom to the hackers under its bug bounty program and made the hackers sign NDAs to avoid the breach becoming public knowledge.

*Source 

WEEK OF AUGUST 24, 2020

Jack Daniel’s-Maker Suffers REvil Ransomware Breach

  • The Jack Daniel’s-maker has released few details about the incident but claimed it successfully prevented attackers from encrypting its files.
  • Attackers told Bloomberg that 1TB of corporate data is now in their hands and it will most likely be leaked online in batches to turn up the pressure on the Louisville, Kentucky-headquartered firm.
  • The group apparently responsible for this attack is Sodinokibi (REvil), which, like Maze and other gangs, maintains a dedicated leak site to post stolen data on. As per previous attacks, it has already shared screenshots of file names as proof of its claims, some dating back over 10 years.

*Source 

Firms Still Struggle to Prioritize Security Vulnerabilities

  • Security debt continues to pile up, with 42% of organizations attributing remediation backlogs to a breach, a new study shows.
  • Every six months the average firm fails to patch 28% of the vulnerabilities in their hardware and software, leading to a backlog of more than 57,000 unfixed security issues, a new study found.
  • The underlying problem is that once vulnerabilities have been identified by automated systems, the prioritization and patching process is mostly manual, which slows an organization’s response.

*Source

Free photos, graphics site Freepik discloses data breach impacting 8.3m users

  • Freepik is one of the most popular websites on the internet, currently ranked #97 on the Alexa Top 100 sites list.
  • According to the company’s official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data. Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.

  • The company says it notified authorities as soon as it learned of the incident, and began investigating the breach, and what the hacker had accessed.

*Source

Experian South Africa discloses data breach impacting 24 million customers

  • Experian said the attacker was identified and its data deleted from the fraudster’s devices.

  • While Experian did not disclose the number of impacted users, a report from the South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses.

  • Experian said it reported the incident to local authorities, who were able to track down the individual behind the incident. Since then, Experian said it obtained a court order, “which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”

*Source

Stolen Data: The Gift That Keeps on Giving

  • Users regularly reuse logins and passwords, and data thieves are leveraging that reality to breach multiple accounts.
  • When mega-leaks occur, many other ecosystems become endangered due to the tendency of users to reuse the same credentials on other sites. Not only well-known brands but even small to midsize organizations with an online presence should consider the issue of password reuse stemming from previous mega-leaks as a primary threat vector.

*Source

IBM Db2 Flaw Gives Attackers Read/Write Access to Shared Memory

  • Researchers discover a lack of explicit memory protections around the shared memory used by the Db2 trace facility.
  • CVE-2020-4414 exists because developers neglected to add explicit memory protections around the shared memory used by the Db2 trace facility. This allows any local user to have read and write access to that memory area.
  • All Db2 instances of the current version (11.5) on Windows are affected. IBM has released a patch to address this vulnerability and other security issues. It’s difficult to tell whether the vulnerability has been exploited.

*Source 

WEEK OF AUGUST 17, 2020

Canon suffers ransomware attack, Maze claims responsibility

  • Reports based on an internal memo suggest an external security firm has been hired to investigate.
  • As reported by Bleeping Computer, a six-day outage beginning July 30 on the image.canon website, a service for uploading and storing photos through Canon’s mobile applications, led to suspicions that a cyberattack may have taken place.
  • It is believed that Maze is to blame, after the threat group said they had stolen 10TB in data after launching a successful ransomware attack against the tech giant. Maze, however, denied responsibility for the image.canon issues, and so the timing of the outage and the ransomware infection may simply be coincidental. 

*Source 

Major tech corporations face multi-billion-euro cases for alleged GDPR breaches

  • The damages could exceed €10 billion if the legal proceedings are successful, the NGO said.
  • The Privacy Collective, a non-profit foundation that pursues claims for violations of privacy rights, is suing Oracle and Salesforce in an action representing millions of individuals objecting to the use of their personal data.
  • “Everyone who has ever used the internet is at risk from this technology,” said Dr Rebecca Rumbul, class representative and claimant in England & Wales.

*Source

Google ‘Spying’ On People’s App Use, Lawsuit Claims

  • The lawsuit centers on “Android Lockbox,” a program that “allows Google employees to spy on how Android Smartphone users interact with non-Google apps.”
  • Android Lockbox came to public attention two weeks ago, when The Information reported that Google drew on data about people’s use of outside apps, like TikTok, for competitive purposes.
  • Google says in an online support page the company uses that data “to improve products and services, like Google apps and Android devices.” This lawsuit marks at least the fourth separate privacy case brought against the company in the last several months.

*Source

Doki Backdoor Infiltrates Docker Servers in the Cloud

  • The malware is a new payload that uses Dogecoin wallets for its C2, and spreads via the Ngrok botnet.

  • A fresh Linux backdoor called Doki is infesting Docker servers in the cloud, researchers warn, employing a brand-new technique: Using a blockchain wallet for generating command-and-control (C2) domain names.

  • To avoid infection, Docker admins should check for any exposed ports, verify there are no foreign or unknown containers among the existing containers, and monitor for excessive use of resources.

*Source

List of data breaches and cyber attacks in July 2020 – 77 million records breached

  • This includes the Twitter hack on 130 people, including Bill Gates, Barack Obama and Elon Musk, as well as the less flashy but equally concerning attack on dozens of universities and charities across the UK, US and Canada.
  • You can view the complete list by clicking on the source link.

*Source

Business Email Compromise Attacks Involving MFA Bypass Increase

  • Adversaries are using legacy email clients to access and take over accounts protected with strong authentication, Abnormal Security says.
  • Researchers from Abnormal Security this week reported observing a recent increase in attacks where threat actors used legacy apps with old email protocols, such as IMAP, SMTP, and POP, to access and take over business email accounts protected with MFA.
  • MFA, or MFA with Single Sign On (SSO), is a great way to provide a secure access policy to a network. But organizations need to be aware that legacy protocols do not all support modern authentication methods.

*Source 

WEEK OF AUGUST 10, 2020

Intel investigating breach after 20GB of internal documents leak online

  • Leak confirmed to be authentic. Many files are marked “confidential” or “restricted secret.”
  • The data was published by Till Kottmann, a Swiss software engineer, who said he received the files from an anonymous hacker who claimed to have breached Intel earlier this year. The Swiss engineer said today’s leak represents the first part of a multi-part series of Intel-related leaks.
  • None of the leaked files contain sensitive data about Intel customers or employees, based on ZDNet’s review. However, the question remains to what else the alleged hacker had access to before stealing and releasing Intel’s confidential files.

*Source

Online Exam Tool Suffers Data Breach

  • According to a spokesperson, the data exposed relates to ProctorU users who registered on or before 2014.
  • A database of 440,000 ProctorU user records was published by hacker group ShinyHunters over the past week along with hundreds of millions of other user records.
  • ProctorU user data exposed includes usernames, unencrypted passwords, legal names, and full residential addresses.

*Source

Capital One fined $80 million for 2019 hack of 100 million credit card applications

  • The Capital One hack was one of the largest data breaches ever to hit a financial services firm.
  • The OCC said in a statement that the Capital One fine was “based on the bank’s failure to establish effective risk assessment processes” before it moved a major portion of its computer data to a cloud storage system, “and the bank’s failure to correct the deficiencies in a timely manner.”
  • When it announced the breach last year, Capital One emphasized that no credit card numbers or log-in credentials were compromised.

*Source

Trump Signs Executive Order That Will Effectively Ban Use Of TikTok In the U.S.

  • A move that steps up pressure on the Chinese-owned app to sell its U.S. assets to an American company.

  • Since the Trump administration began turning up the heat on TikTok, software giant Microsoft has confirmed it is among a handful of companies in early talks to acquire the short-form video service.

  • Officials at Microsoft say it is examining a TikTok acquisition that would potentially buy TikTok’s American, Canadian, Australian and New Zealand services, but officials close to the deal say the final offer may include operations in even more countries.

*Source

Macy’s sued over use of Clearview facial-recognition software

  • It was targeted in one of the first lawsuits against users of the controversial facial-recognition software made by startup Clearview AI.
  • Clearview’s software allows users to try to match a face against a database of images it scrapes from the internet, including sites like YouTube and Facebook.
  • Though it is marketed primarily as a tool for law enforcement, the New York Times and Buzzfeed News reported earlier in the year that it had also been used by several major retailers, with Macy’s conducting more than 6,000 searches.

*Source

Nine in ten Americans view data privacy as a human right, according to new report

  • Americans are becoming increasingly concerned with, and distrustful of, how companies use, manage and protect their personal data.
  • KPMG surveyed 1,000 Americans in May 2020. The survey reveals that nine out of ten respondents think that companies should be held responsible for corporate data breaches (91%), take corporate data responsibility seriously (91%), and take the lead in establishing corporate data responsibility (91%).
  • Nine out of ten (91%) respondents agree that the right to delete personal data and the right to know how their data is being used should be extended to all US citizens – similar to the GDPR regulations for European citizens.

*Source 

WEEK OF AUGUST 03, 2020

The Data Privacy Loophole Federal Agencies Are Still Missing

  • Knowledge-based authentication is leaving federal contact centers vulnerable to an increasingly sophisticated hacker community.
  • One of the most immediate risks to customer data privacy on the federal level lies in an over-reliance on knowledge-based authentication across a number of government agencies.
  • Regardless of which road a federal agency takes in 2020 when it comes to data privacy, it’s become clear in the fed tech community that KBA is a relic, one that leaves contact centers vulnerable to an increasingly sophisticated hacker community.

*Source

GEDmatch confirms data breach after users’ DNA profile data made available to police

  • In a statement on Wednesday, the company told users by email that it was hit by two security breaches on July 19 and July 20.
  • The site, which lets users upload their DNA profile data to trace their family tree and ancestors, rose to overnight fame in 2018 after law enforcement used the site to match the DNA from a serial murder suspect against the site’s million-plus DNA profiles in the site’s database without first telling the company.
  • GEDmatch issued a privacy warning to its users and put in new controls to allow users to opt-in for their DNA to be included in police searches.

*Source

Slack credentials abundant on cybercrime markets, but little interest from hackers

  • Security researchers find more than 17,000 Slack credentials for roughly 12,000 Slack workspaces being sold online.
  • Reporters claim the hacker found a username and password for an internal Twitter admin tool pinned to one of the Slack channel’s chat rooms, which the hacker later used to wreak havoc on Twitter by defacing high-profile accounts with a cryptocurrency scam.
  • Slack credentials might not be as useful as G Suite or Microsoft 365 accounts, but hackers usually work by mimicking successful hacks, and the Twitter hack showed that Slack workspaces might be a good place to lurk in search of sensitive data.

*Source

Hackers wipe out more than 1000 databases, leaving only the word “Meow”

  • The attack hit a database containing details of UFO VPN. UFO VPN, and other products from seemingly the same company, had recently been in the news for exposing user information.

  • The attack seems to have come from a bot, according to Forbes, as the attack script overwrites database indexes with random numerical strings and the word ‘Meow’. It is unclear who the source of the attacks is.

  • It appears that the attackers are running searches for servers which expose information by not being password protected, much as security companies do when conducting research and producing reports.

*Source

Clever hackers are making ATMs spit out all their money

  • Jackpotting involves attaching rogue devices called “black boxes” to open up programming interfaces inside the ATM’s software and issue commands, forcing it to, proverbially, make it rain.
  • Previous jackpotting approaches involved the use of black boxes that were even able to change the maximum amount a given ATM was authorized to spit out.
  • There is a silver lining to the latest hack, as Ars Technica points out. The thieves’ new approach doesn’t seem to target the retrieval of personal banking information, as has been the case with previous schemes.

*Source

Blackbaud Hack: Universities lose data to ransomware attack

  • At least 10 universities in the UK, US and Canada have had data stolen about students and/or alumni after hackers attacked a cloud computing provider.
  • Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software, has been criticised for not disclosing this externally until July and for having paid the hackers an undisclosed ransom.
  • The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.

*Source 

WEEK OF JULY 28, 2020

The European Union’s highest court declared that the EU-U.S. Privacy Shield for international data transfers arrangement is invalid.

  • The Court of Justice of the European Union, however, did uphold the validity of standard contractual clauses.
  • The court said that the ombudsperson mechanism in the U.S. — a role created by the Privacy Shield arrangement — “does not provide data subjects with any cause of action before a body which offers guarantees” at the level of EU law.

  • Beyond the massive implications for data transfers to the U.S., the decision will place a greater burden on businesses exporting data to other countries via SCCs. It will also require more work from EU supervisory authorities, many of which are already faced with limited resources.

*Source

Walmart Sued Under CCPA After Data Breach

  • The retail giant is the subject of a new complaint alleging that customers now face “significant injuries and damage” after an unspecified incident.
  • Customer names, addresses, financial and other information were among the haul for attackers, according to the suit filed in the US District Court for the Northern District of California.
  • Although it’s unknown at present how many customers were affected by the incident, the filing claims that the number of class members is “at least in the thousands.”

*Source

340 GDPR fines for a total of €158,135,806 issued since May 2018

  • Every one of the 28 EU nations, plus the United Kingdom, has issued at least one GDPR fine.
  • Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose its own penalties on organizations that break the law.

  • The second-highest number of fines comes from Hungary. The National Authority for Data Protection and Freedom of Information has issued 32 fines to date, the largest being €288,000 issued to an ISP for improper and non-secure storage of customers’ personal data.

*Source

Orange, Europe’s Fourth-Largest Mobile Operator, Confirms Ransomware Attack

  • Orange Business Services provides support for business and local governments through the digital transformation journey.

  • Orange was added to the Nefilim dark web site that details “corporate leaks” on July 15. Samples of data that the Nefilim group says were exfiltrated from Orange customers were included in a 339MB archive.

  • Nefilim is a relatively new ransomware operator, discovered earlier this year, which follows the recent trend for stealing data that can be used to leverage ransom payment.

*Source

More than 20 million VPN users warned of massive data breach

  • It’s estimated around one billion online records have been exposed in a massive data breach.
  • In a report provided to 9News, the researchers say the server was “completely open and accessible, exposing private user data for everyone to see”. It’s claimed affected apps include UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN.
  • Lead researcher Noam Rotem said his team found entries within the exposed database that contained personal details about users, such as email addresses, home addresses, clear text passwords, IP addresses and other identifying information.

*Source

Test and Trace program skipped GDPR privacy assessment

  • England’s Test and Trace program launched nationally at the end of May, and there is still no sign of the data privacy assessment required by GDPR.
  • In a privacy notice published at the start of the program, health authorities also said that the information gathered could be used for alternative purposes, such as research into COVID-19, and that patients had “limited” rights to ask for data to be deleted.
  • An ICO spokesperson said that the organization has been working with the government as “a critical friend” in this case, providing guidance and advice for some elements of the scheme, while maintaining that there is not always a requirement for a DPIA to be shared with the regulator.

*Source 

WEEK OF JULY 20, 2020

Health insurance firm Religare has been hit by hackers

  • Cybersecurity firm Cyble has claimed that over 5 million records of Religare users have been leaked and posted on the Dark Web.
  • Cyble claims that the exposed data includes: customer name, address, mobile number, email ID, date of birth (DOB); customer ID, policy number, start date, end date, agent assigned; policy name, sum insured, renewal amount; and employees’/agents’ full names, mobile numbers, DOB, usernames, password hashes, individual authorisation keys, official email IDs, email signatures containing office addresses and personal mobile numbers, last login and logout, and the internal IP address through which they connected to the portal.

*Source

The MGM Resorts 2019 data breach is much larger than initially reported

  • According to the ad on the dark web, the hacker is selling the details of 142,479,937 MGM hotel guests for a price just over $2,900.
  • The security breach came to light in February 2020 after a batch of 10.6 million MGM hotel guests’ data was offered as a free download on a hacking forum. At the time, MGM admitted to suffering a security breach, but the company didn’t disclose the full breadth of the intrusion.
  • The hacker claims to have obtained the hotel’s data after they breached DataViper, a data leak monitoring service operated by Night Lion Security.

*Source

LiveAuctioneers reports data breach after user records sold online

  • On July 10th, 2020, a data breach broker began selling a database that allegedly contains 3.4 million user records stolen from the LiveAuctioneers site.
  • BleepingComputer was told by the data broker that the database is being sold for $2,500. This data allegedly contains users’ email addresses, usernames, MD5 hashed passwords, names, phone numbers, addresses, IP addresses, and social media profiles.

  • In addition to this data, the seller stated that 3 million of the accounts had their passwords decrypted, and that these were included in the sale. This type of data is a treasure trove for threat actors, as it can be used in targeted phishing attacks and credential stuffing attacks at other sites.

*Source

Twitter reveals that its own employee tools contributed to unprecedented hack

  • Twitter says hackers compromised high-profile accounts thanks to access to internal tools.

  • In a series of tweets posted under its support channel, Twitter said that its internal systems were compromised by the hackers, confirming theories that the attack could not have been conducted without access to the company’s own tools and employee privileges.

  • It seems as if Twitter is acknowledging here that numerous people appear to have been involved in the hacks, not just one individual, and also that numerous employees were compromised, too.

*Source

Vulns in Open Source EHR Put Patient Health Data at Risk

  • A researcher at Bishop Fox has found five high-risk flaws in health IT software from LibreHealth.
  • The vulnerabilities give unauthenticated attackers multiple ways to compromise the application’s underlying server and gain access to sensitive patient health information and health records.
  • Since the beginning of the pandemic earlier this year, security vendors have noted a general increase in attacker interest not just in electronic health systems but in a variety of other services which have seen a recent surge in use.

*Source

Critical flaw allows hackers to breach SAP systems with ease

  • SAP NetWeaver Application Server Java vulnerability can be exploited without authentication and lead to complete system takeover.
  • Researchers from security firm Onapsis who found and reported the vulnerability estimate that 40,000 SAP customers worldwide might be affected.
  • Over 2,500 vulnerable SAP systems are directly exposed to the internet and are at higher risk of being hacked, but attackers who gain access to local networks can compromise other deployments.

*Source 

WEEK OF JULY 14, 2020

India panel proposes new regulator for non-personal data: draft report

  • “There is a need to create a regulator or authority for data business, which provides centralized regulation for all non-personal data exchanges,” the government-appointed panel said in the report.
  • A company collecting data beyond a yet unspecified threshold should register as a “data business” in India, the report said, with government bodies also subject to the need to disclose what information they collect and store, and how they use it.

  • The panel consulted companies such as Amazon, Microsoft and Uber, as well as some international experts, in drawing up the report, it said.

*Source

Companies start reporting ransomware attacks as data breaches

  • Corporate victims are finally starting to realize that ransomware attacks are data breaches and have begun to notify employees and clients about stolen data.
  • A tactic used by almost all enterprise-targeting ransomware is to steal unencrypted files before encrypting a breached network. The threat actors then use these stolen files as leverage by threatening to leak or sell the data if a ransom is not paid.
  • Unfortunately, many companies choose to sweep ransomware attacks under the rug and do not adequately disclose that personal data was stolen, even to employees who were affected.

*Source

Billions of passwords now available on underground forums, say security researchers

  • Cybersecurity researchers at Digital Shadows spent 18 months analysing how hackers gain access to and use stolen account details and have detailed how account takeover has never been easier or cheaper for cyber criminals.
  • Usernames and passwords for everything from network administrator accounts and bank details to streaming services and anti-virus software are up for grabs on the dark web – and many are being distributed for free.
  • Many breached accounts are shared multiple times – suggesting that despite being hacked, the user remains unaware of what has happened. But despite that duplication, researchers say there’s still over five billion ‘unique’ accounts up for sale on the cyber-criminal underground, providing buyers access to hacked online services.

*Source

Delivery startup Dunzo suffers data breach, numbers, emails leaked

  • No payment information, such as credit or debit card details, has been compromised, says CTO Mukund Jha.

  • Dunzo also hasn’t revealed when the hack actually occurred or how long the database was left exposed. It’s unclear whether the attackers got access to its entire database or how many users were exposed.

  • The company also sent emails to its users informing them about the data breach, stating that it has secured its databases, rotated access tokens and changed all passwords. The email doesn’t tell users to change their passwords, but that’s likely because Dunzo uses phone numbers and one time passwords for logins.

*Source

60% of Insider Threats Involve Employees Planning to Leave

  • Researchers show that most “flight-risk” employees planning to leave an organization tend to start stealing data two to eight weeks before they go.
  • More than 80% of employees planning to leave an organization bring its data with them. These “flight-risk” individuals were involved in roughly 60% of insider threats analyzed in a new study.
  • As more companies trust their employees to do the right thing while using cloud applications, it gets tougher to figure out when someone has gone rogue.

*Source

Morgan Stanley Tells Customers of Potential Data Compromise

  • Morgan Stanley is offering some current and former wealth management customers a two-year free subscription to a credit report monitoring service to compensate for the potential compromise of personal data.
  • In a memo sent Thursday afternoon to the firm’s 15,400 brokers, field management head Vince Lumia said the issue stems from two data centers closed in 2016. Some servers and other hardware were sold to recyclers by a vendor Morgan Stanley had hired to scrub the devices, and some client data was left extant on them, he explained.
  • Morgan Stanley is considering appropriate legal action against the firm hired to scrub the data, the person said, declining to name the vendor.

*Source 

WEEK OF JULY 06, 2020

AMT healthcare data breach impacts nearly 50,000 patients

  • Client information was exposed after an attack on the senior care company’s email network.
  • Potentially compromised data includes patient names, Social Security numbers, medical record numbers, diagnosis information, health insurance policy, medical history information, HIPAA account information, and driver’s license/state identification numbers.
  • Potentially affected patients are being offered free credit monitoring services, and AMT said it has employed extra security safeguards to protect information on its web infrastructure.

*Source

Russian Criminal Group Finds New Target: Americans Working at Home

  • American officials worry election infrastructure could be next.
  • Sophisticated new attacks by the hacking group — which the Treasury Department claims has at times worked for Russian intelligence — were identified in recent days by Symantec Corporation.
  • While ransomware has long been a concern for American officials, after devastating attacks on the cities of Atlanta and Baltimore and towns across Texas and Florida, it has taken on new dimensions in an election year.

*Source

350,000 Social Media Influencers and Users at Risk Following Data Breach

  • The leak was discovered by Risk Based Security’s data breach research team on June 6 when a known threat actor revealed they had compromised Preen.
  • The information includes influencers’ social media links, email addresses, names, phone numbers and home addresses. It was noted that those affected appear to be associated with cosmetic or lifestyle-related content.
  • Those exposed are also susceptible to spam and substantial harassment via their leaked contact information, as well as spear-phishing and identity theft scams if enough personally identifiable information is gathered.

*Source

V Shred data leak exposes PII, sensitive photos of fitness customers and trainers

  • V Shred defended the public status of its open bucket and only partially solved the problem.

  • The bucket, discovered on May 14, originally contained 1.3 million files, totaling 606GB of data. Among the files were three .CSV files of particular note; one that appeared to be a lead generation list, another a client email list, and a trainer list.

  • Combined, the files contained names, home addresses, email addresses, dates of birth, some Social Security numbers, social media accounts details, usernames and passwords, age ranges, genders, and citizenship status, among other data points.

*Source

University of California SF Pays Ransom After Medical Servers Hit

  • As one of at least three universities hit in June, the school paid $1.14 million to cybercriminals following an attack on “several IT systems” in the UCSF School of Medicine.
  • The crypto-ransomware attacks, which have been attributed to the NetWalker group, also reportedly hit Michigan State University and Columbia College of Chicago.
  • BBC News managed to get a fly-on-the-wall view of the negotiation between UCSF and the NetWalker criminal group — a negotiation that started at $3 million. After some back and forth, the two parties negotiated to 116.4 Bitcoins, or $1.14 million, which the school paid.

*Source

500,000 BMW, Mercedes and Hyundai owners hit by massive data breach

  • As per the report, the hackers claim that they got hold of the database via a call centre that works with a range of car manufacturers.
  • The database is believed to consist of 500,000 customer records dated from 2016 to 2018. These not only include the details of Brits who own BMW cars, but also owners of Mercedes, Honda, Hyundai and SEAT vehicles.
  • Last month, the hackers sold 16 databases that contained the information of contractors working for the U.S. government and weapons being created by the Russian armed forces.

*Source 

WEEK OF JULY 02, 2020

Major security breach at Service NSW after staff member opened phishing email

  • The malicious attack, discovered on April 22 of this year, illegally accessed the emails of 47 staff members.
  • Forensic specialists hired by Service NSW are working to identify any personal information that may have been accessed in this attack. The breach impacts customers who have gone into a Service NSW branch, or contacted the service over the phone.
  • Service NSW CEO Damon Rees said internal cyber security teams “stopped the attack and worked to limit the impact on our customers and services.” “We are now working as quickly as possible to confirm the scope of this attack on the personal information of our customers,” Mr Rees said.

*Source

EasyJet admits data of nine million hacked

  • It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”.
  • EasyJet added that it had gone public now in order to warn the nine million customers whose email addresses had been stolen to be wary of phishing attacks. It said that it would notify everyone affected by 26 May.
  • It did not provide details about the nature of the attack or the motives, but said its investigation suggested hackers were targeting “company intellectual property” rather than information that could be used in identity theft.

*Source

Verizon Data Breach Report

  • Denial of Service (DoS), ransomware, and financially-motivated data breaches were the winners in this year’s Verizon DBIR.
  • This year, DoS attacks increased in number (13,000 incidents) and were also seen as a bigger part of cybercriminals’ toolboxes (DoS attacks made up 40 percent of security incidents reported), beating out crimeware and web applications.
  • Cyber espionage attacks meanwhile have seen a downward spiral, dropping from making up 13.5 percent of breaches in 2018 to a mere 3.2 percent of data breaches in 2019.

*Source

Japan suspects missile data leak in Mitsubishi cyberattack

  • Chief Cabinet Secretary Yoshihide Suga told reporters that the Defense Ministry is investigating “the possible impact of the information leak on national security.”
  • The ministry suspects the information might have been stolen from documents sent from several defense equipment makers as part of a bidding process for the project. Mitsubishi Electric did not win the bid, Japanese media reports said.
  • Mitsubishi said in a statement Wednesday that it had reported to the Defense Ministry in February a possible leak of sensitive information related to a cyberattack earlier this year. Mitsubishi has acknowledged that its personal data on some 8,000 people also might have been leaked.

*Source

Hackers leak personal data of 29 million Indians on the dark web for free

  • Folders in the name of some of the leading job websites in India also appeared on the screenshot posted by Cyble.
  • The security incident has resulted in the exposure of sensitive data belonging to customers of the company and its staff, and even of internal API keys.
  • Wool sales were halted for several days and hastily rescheduled, with an estimated 70,000 bales held in limbo. The industry’s turnover in a typical week is up to A$80 million, but prices may now drop as the postponed sales cause a glut in the market.

*Source

Bank of America reveals data breach in PPP application process

  • Charlotte-based BofA said application information may have been visible to other SBA-authorized lenders and their vendors.
  • Compromised information could include business details, such as an address or tax identification number, or a business owner’s information, such as name, address, Social Security number, phone number, email and citizenship status.
  • The bank said the data breach did not affect the applications’ submission to the SBA. It asked the SBA to remove the visible information that same day, according to the filing.

*Source