
Week of May 11, 2020: Magellan Health


Welcome to GearBrain's weekly data breach report, a collection of known breaches of company databases in which an unknown person gained access to your personal information. The frequency of these intrusions seems to be increasing, so we update our report every week with the latest news on the latest hacks and links to where you can go to take the necessary action, whether you are concerned about your privacy or not.

This week we look at data breaches at Magellan Health; Interserve, a strategic supplier to hospitals and schools; and London trading platform City Index.


US healthcare giant Magellan Health revealed this week that it had fallen victim to a data breach and a ransomware attack. The Fortune 500 insurance company explained how the attackers first launched a phishing email campaign against its staff.

The attackers then gained access to Magellan's systems, from which they stole the login IDs and passwords of some current employees. Personal information about staff, including names, addresses and personal identification numbers, was also stolen. Some Social Security numbers and taxpayer ID numbers were also taken.

In a letter to victims, Magellan said: "When the incident was discovered, Magellan immediately retained Mandiant, a leading cybersecurity forensics firm, to help conduct a thorough investigation of the incident. Your information."

Interserve

It was reported this week that earlier this month Interserve was hit by a cyberattack in which the data of 100,000 people was stolen. Interserve is one of the UK government's "strategic suppliers" and is responsible for maintaining schools and hospitals as well as transport networks such as the London Underground.

Interserve recently helped build the Nightingale Hospital in Birmingham, a field hospital for coronavirus patients set up in a conference center.

The Telegraph first reported that the outsourcing company's human resources database was hacked on May 9 and that information on current and former staff was stolen. The information included names, addresses, bank details, payroll details, next-of-kin information, personnel records, absence records and pension information.

Interserve acknowledged the data breach in a statement and said it was working with the UK National Security Center to remedy the situation.

City Index

The trading marketplace reported that the breach occurred on April 14

City Index informed users this week of a data breach in which their names, dates of birth, gender and bank details were stolen. City Index is a London-based financial services provider.

On May 8, the company told its users that "unauthorized access to the network occurred via a third party and your personal information may need to be monitored," Infosecurity Magazine reported. City Index added that after discovering the breach, which occurred on April 14, it "blocked access to the connected server and launched a full forensic investigation."

City Index users are advised to reset their passwords and to make sure that the password previously used for their City Index account is not currently in use anywhere else.

April 27: Chegg

Chegg is an education technology company

Education technology company Chegg has suffered its third data breach in just three years, admitting that hackers stole the personal information of 700 current and former employees. The information included their names and Social Security numbers. For context, the company had about 1,40 employees at the start of 2020, TechCrunch reports.

Paul Martini, CEO of cloud services company iboss, told GearBrain: "This attack could reflect a broader future cybersecurity trend that should concern employers and employees. In recent months, the sharp growth in the number of people working from home has, we are seeing that many people in information technology are losing sleep … there is a serious and dangerous future in organizations of all sizes."

Nintendo

160,000 Nintendo accounts were compromised

On April 24, Nintendo confirmed that attackers had accessed 160,000 user accounts earlier in the month. In response, the company temporarily removed the ability to log in to an account via a Nintendo Network ID. It said the login IDs and passwords "were obtained illegally by some means other than our service."

This now matches the claim by cybersecurity firm SpyCloud that the hack was likely to be credential stuffing. This is where an account owner reuses a username and password that have already been stolen in an earlier data breach at another company on a different service, such as a Nintendo account. Hackers repeatedly and automatically try these credentials to log in, and in this case they succeeded with 160,000 Nintendo accounts because their owners had used the same passwords before.

According to SpyCloud, 59% of people admit to reusing passwords.

UK license plates

Anyone could view millions of journeys

It was revealed this week that details of millions of journeys made by individuals in the UK were freely available online. This was because the system used to automatically record vehicle license plates as they pass a roadside camera, known in the UK as ANPR, stored its data on a server with no password.

The information, and therefore the journeys and locations of millions of vehicles, could be obtained by entering the server's IP address into a web browser. In total, 8.6 million journeys could be viewed. The data came specifically from the ANPR system in Sheffield in northern England. Hackers could have used the information to track individual vehicles across the city, putting vulnerable people at risk. The names and location information of the cameras could also be changed, which could have led to abuse.

In a joint statement, Sheffield City Council and South Yorkshire Police said: "We take joint responsibility for tackling this data protection breach. It is not acceptable that an incident occurred. However, it is important to be very clear that in the best possible way. or has suffered detrimental effects as a result of this breach."

Week of April 20, 2020: Small Business Administration

The Small Business Administration's economic injury loan program may have suffered a data breach affecting some 8,000 people who had applied for emergency aid to offset the effects of the coronavirus pandemic. What information is now exposed? CNN reports that it could include Social Security numbers, dates of birth, insurance information, names, email addresses and even place of residence and citizenship.

Applicants were informed of their involvement in the breach by a letter dated April 13, and were told they would be given one year of free credit monitoring.

PrimoHoagies

A New Jersey sandwich shop chain discovered a breach of its systems that lasted several months. Payment information for customers who placed orders online was included, and the breach ran from July 15, 2019 to February 18, 2020. Not only card numbers could be seen, but also security codes, expiration dates, names and addresses. PrimoHoagies told customers that only online purchases were affected, not information provided in physical stores, the Courier Post reported.

Webkinz World

A breach at the children's gaming platform exposed nearly 23 million usernames and hashed passwords, meaning data scrambled from its original form.

Webkinz World is a virtual space for children that is paired with a plush toy. Inside, there are games and adventures that children can play, and they need a password and username to get in. The company has required all passwords to be updated on the site before users can log back in to their accounts.

April 13: Quidd

Digital collectibles marketplace Quidd suffered a data breach that saw nearly four million user logins appear on a dark web hacking forum. The information included Quidd usernames, email addresses and passwords, although these were hashed, according to Teiss. The email addresses belonged to professionals at organizations such as Microsoft, Experian, Target and the University of Pennsylvania.

Despite the hashing, hackers have reportedly cracked more than one million of the stolen passwords, and another hacker is currently selling 135,000 Quidd passwords.

According to experts at Risk Based Security, the hacking group ProTag stole Quidd's data and uploaded it to the forum on March 12, 2020. Data from the stolen database had appeared on the dark web as early as October 2019.

Wappalyzer

Wappalyzer, a technology company that lets users scan websites for a report on the type of server they use, has been the victim of a cyberattack. The hack came to light a week after the hackers began emailing Wappalyzer customers, offering to sell them the stolen database for $2,000 in bitcoin.

The database contains the email and billing addresses of Wappalyzer customers, but the company told ZDNet that it holds information on only 16,000 customers. Wappalyzer says the hack took place on January 20, when an intruder accessed its database, which had been left exposed by a misconfiguration.

Besides users' email addresses, the stolen database also contains technical information, which is data collected by Wappalyzer and sold to customers as part of its product offering.

San Francisco International Airport

User data was stolen from two small websites run by SFO

SFO contacted users of two of its websites this week to tell them they had been the victims of a cyberattack. The sites are SFOConnect.com and SFOConstruction.com, and both are said to be low-traffic websites. The attack is believed to have taken place in March, according to a ThreatPost report.

The airport said this week: "The attackers added malicious computer code to these websites to steal some users' login credentials. Users affected by this attack include users accessing these websites from outside the airport network through Internet Explorer on a Windows personal device or a device not managed by SFO."

It added that "it appears the attackers may have been able to use the usernames and passwords of affected users that are used to log in to those personal devices."

Week of April 6, 2020: RigUp

The energy-focused company has helped people find jobs in that market, but is now the victim of a breach that exposed 76,000 files belonging to its customers. Fortunately, those files were never made public, but they contained information dating from July 2018, including employee résumés, private family photos, W9 forms, insurance information, Social Security information and more.

The breach, found by vpnMentor, is now secured. But any company considering doing business with RigUp may want to ask what it will do next to make sure the information on its systems is better locked down.

COVID-19 scams

Hackers are taking advantage of people's fears and concerns about the coronavirus pandemic, sending phishing texts and emails that promise government relief funds, or trackers that turn out to be malware. The emails appear to come from the World Health Organization or from doctors, and target everyone from individuals to businesses.

The best thing anyone can do today, given that most people are online even more than usual and are using networks that are generally less secure than those in offices, is to stop opening attachments, and to go directly to government sites via a search engine rather than through a link they received.

Hammersmith Medicines Research

An example? A medical facility that was authorized to work on live coronavirus vaccines fell victim to ransomware, with its data stolen and held hostage. The stolen data related to volunteers whose surnames begin with the letters D, G, I or J and was held by Hammersmith Medicines Research; it included personal information as well as dates of birth, passport details and, in some cases, even health information, according to a ComputerWeekly report. The facility refused to pay a ransom.

Week of March 30, 2020: Marriott

Marriott has suffered a data breach affecting more than five million guests. Details ranging from names to birthdays were part of the haul. The breach took place between mid-January and February 2020, after someone used the login credentials of two employees at one of the hotel chain's franchise properties, Marriott said.

Although financial details, such as credit cards, were not affected, customer loyalty program details, such as airline loyalty information including account numbers, were included along with mailing addresses. Marriott says it will notify those affected by the breach. And even though it says no passwords were included, definitely change yours.

Zoom

As great as Zoom has proven to be at connecting people with friends, family, loved ones and colleagues, it has also led to some uncomfortable incidents: people being Zoom-bombed. People have gained access to Zoom calls and filled screens with noise and even pornographic images. It is not always appreciated.

Security researchers have discovered vulnerabilities, one of which was reported by TechCrunch and allows hackers to take over the webcams and microphones of Mac users.

Zoom says it is freezing all new features for 90 days while it improves security and privacy. Zoom notes that the problem is due in part to its growth in users, which went from about 10 million a day before the coronavirus pandemic to about 200 million.

WhatsApp

WhatsApp users have reportedly been tricked into handing their login details over to hackers. Hackers who have taken over social media accounts such as Facebook trick that person's contacts into giving up their own WhatsApp details, which the hacker can then use, Android Authority reports.

This is a form of phishing and, truth be told, it can happen to anyone on any of their accounts. It is always a good idea never to send your personal information to people by digital means such as email, text or, yes, WhatsApp.

Week of March 23, 2020: Mystery database exposes 200 million Americans

This week a database belonging to an unknown party was found. 800 GB of personal user information was exposed to the public. The database, found by the CyberNews research team, contained the personal information of 200 million Americans.

The information contained a wide range of personal details, including:

  • Full name and title
  • Email addresses
  • Phone numbers
  • Date of birth
  • Credit ratings
  • Home address
  • Gender
  • Number of children
  • Personal and political interests

Much of the data is believed to have been obtained from the U.S. Census Bureau. CyberNews said of the leak: "It is difficult to underestimate the enormous impact of this leak. The data of hundreds of millions of people in the United States exposed by an unidentified party is a virtual gold mine for anyone who wants to fight cybercrime.

"Selling these records on darknet marketplaces at a below-average price of $1/record would net the seller about $200 million. However, if cybercriminals exploit it to its full potential, this information leak could lead to untold billions of fraudulent users."

General Electric

Data on current and former General Electric employees was publicly accessible for ten days in February. A third party was able to access an email account containing sensitive information from 14 to 14 February, ITPro reports.

The data on current and former employees included:

  • Direct deposit forms
  • Driver's licenses
  • Passports
  • Birth certificates
  • Marriage certificates
  • Death certificates
  • Child support orders
  • Tax withholding forms

The information is also believed to have included names, addresses, Social Security numbers, bank account numbers and dates of birth. "After learning of it, we quickly began working with Canon [Business Process Services] to identify the affected GE employees, former employees and beneficiaries."

Data Deposit Box

Detailed private information about the roughly 270000 people who used cloud storage company Data Deposit Box appeared online in late 2019. The data was found on December 25 and remained online until January 6.

More than 270000 files were exposed, according to Security Magazine, and some of the information dated from 2016 to the present. The information included login details (usernames and unencrypted passwords), IP addresses, email addresses and GUIDs (globally unique identifiers for resources).

Some information about the files that users stored on the site was also available. This included file names, type, size and the date they were last modified.

Week of March 16, 2020: Princess Cruises

As if the cruise line owned by Carnival Corp. did not have enough to deal with after Princess Cruises was shut down by the coronavirus, it has now identified a possible security breach affecting its systems from April 11 to July 23, 2019. Princess Cruises said the hacker got into email accounts and then saw the personal records of crew members, employees and guests.

Social Security numbers, passport numbers, driver's license details, account information and more may have been visible. The company published the details on its website and encouraged all affected parties to contact it. In the meantime, start using a password checker, while also changing those passwords. Yes, again.

TrueFire

TrueFire, a website that offers online guitar lessons and guides, found that it had suffered a breach lasting about six months, from August 2019 to January 2020. As a result, the personal information of more than one million users was exposed, including credit card numbers, names, addresses and even security codes, among other details.

Nothing on the site gives any indication of the breach, which TrueFire said it found on January 10, 2020. But it has sent letters to those affected, according to Guitar.com, which heard from one of the users.

TrueFire is urging users to keep an eye on their credit card information.

Department of Health and Human Services

The US Department of Health and Human Services said it spent Sunday and Monday defending its systems against a hacking attempt, the New York Times reported. The department said on Monday that the attack had not worked, but at a time when health organizations around the world are trying to fight the coronavirus, the attempt was inopportune at the very least.

Authorities are trying to find out who was behind the attack, worried about attempts that could affect the information shared by medical experts to fight the spread of the virus. But experts have already warned that cybercriminals have tried to exploit coronavirus fears to spread malware.

Week of March 9: Eight million eBay and Amazon shopping records exposed

This week's top story is a database that was accidentally exposed and contains eight million purchase records from Amazon, eBay, PayPal, Shopify and Stripe.

The information, which could be found with an ordinary search engine, was exposed by an unnamed third-party company that carried out cross-border value-added tax analysis. Most of the information came from online stores in the UK and Europe and included names, delivery addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and the last four digits of credit card numbers.

Search engines indexed the unencrypted database on February 2. Cybersecurity firm Comparitech then found it a day later and immediately notified Amazon. The owner then shut down the database on February 8.

Dutch government loses data on 6.9 million registered donors

External computer hard drives storing the data of 6.9 million organ donors registered between February 1998 and June 2010 were reported missing this week. Last used in 2016, the pair of drives had been placed in a vault, but the Dutch Minister of Health, Welfare and Sport admitted this week that they had gone missing earlier in 2020, ZDNet reports.

The information includes first and last name, gender, date of birth, address at the time of registration, organ donation choices, ID numbers and a copy of the person's signature. Although the drives are missing, Dutch authorities said the data has not so far been used for identity theft or fraud.

Secret-sharing app Whisper exposes 900 million user records

Whisper, once a hugely popular smartphone app where users can share secrets anonymously, left private and sensitive information about hundreds of millions of people in a public database for years.

The database, which had no password and was accessible to anyone, included users' nicknames as well as age, gender, ethnicity, location and information about the groups they belonged to in the app. Many of Whisper's discussion groups concern sex and orientation. According to the report, 1.3 million users in the database said they were 15 years old.

Whisper, which described itself as "the safest place on the internet," launched in 2012 and is available for iOS and Android. Although it is not as popular today, it had three billion page views a month at the end of 2013. Most of its users are aged between 18 and 24 and are mostly women.

In addition to users' home locations, the data also included the GPS coordinates of where each user sent their last message.

Week beginning March 2, 2020: Virgin Media exposes data on nearly one million people

Information on nearly one million people was available online for ten months in a Virgin Media database, the company announced on Thursday. Although passwords and financial information were not included, phone numbers, dates of birth, email addresses and home addresses were stored in the database.

How did it happen? Virgin Media said it had blocked access to the database, but that before it did so there had been "access without permission" to some details. According to the company, it has already notified the 900,000 people involved, who were reportedly receiving text messages.

T-Mobile hacker accesses customer and employee information

What T-Mobile calls a "malicious attack" has put customer and employee data at risk. The hacker gained access to email account information that includes customer names, addresses, phone numbers, account numbers, rate plans and billing information. What was not involved? Credit card and Social Security numbers.

T-Mobile said it had managed to shut down the attack and, while trying to fully reassure customers, it is encouraging people to get in touch if they want to know whether their information was compromised. It is important to note that T-Mobile says it has no evidence that the collected information has been "misused" so far.

J.Crew hacked in 2019, company now says

Retailer J.Crew may be known for its style, but this time the company was the victim of a different kind of hack, one that exposed customers' financial information. The attack took place around April 2019, and J.Crew is only now telling customers about the problem. The last four digits of credit card numbers, expiration dates, the type of payment card involved, as well as email and physical addresses and passwords are at risk.

What should you do? What you should always do: Change. Your. Password.

Week of February 24, 2020: Clearview AI

Controversial facial recognition company Clearview AI contacted customers this week to admit that an intruder had stolen its entire customer list. The company was the subject of a detailed New York Times report in January, which said it had amassed more than three billion images of members of the public by scraping them from publicly visible social media accounts on Facebook, Twitter, YouTube, LinkedIn and others, in violation of their terms of service.

Clearview said in a statement that this kind of data theft is now "a part of life." In addition to the customer list, information was also taken on the number of Clearview accounts each customer had and the number of times they had searched the image database.


Samsung

This week Samsung also admitted to leaking the personal information of 150 customers on its UK website. The odd data leak was blamed on a "technical error," and the information exposed to the public included names, phone numbers, postal and email addresses, and previous orders placed through Samsung's UK online store.

Fortunately, according to the company, users' credit card information was not disclosed. Affected customers will be contacted, Samsung said.

Slickwraps

Slickwraps, a company that makes custom vinyl skins for phones and other devices, admitted this week that it had suffered a data breach. The admission came after Slickwraps customers reported receiving an email that claimed to be from the company but was actually written by a hacker who had accessed its customer database.

The email appears to have been sent to 377428, and the sender claimed to have accessed the Slickwraps customer database after reading a now-deleted Medium post, written by an apparently different hacker, explaining how they had accessed the database through a vulnerability.

Slickwraps said in a blog post that the information had been "improperly disclosed through an exploit" and that it included names, postal addresses and email addresses. However, it reassured customers that their financial information had not been accessed.

Week of February 17, 2020: MGM Resorts data appears on hacking site

You can never be completely unhackable, as some former MGM Resorts guests are now finding out. The chain announced this week that more than 10.6 million guests had been hacked in 2019, and much of their personal information is now on a hacker forum, from names to phone numbers and even dates of birth.

The database covers customers who stayed at MGM Resorts before 2017 and includes well-known names, from Justin Bieber to Twitter's Jack Dorsey. MGM Resorts originally contacted those caught up in the breach in August 2019.

US Department of Defense (yes, really)

An agency of the US Department of Defense (DoD) has been the victim of a security breach, which included Social Security numbers. The agency, the Defense Information Systems Agency, or DISA, contacted those involved in mid-February about the breach, which occurred between May and July 2019, according to Reuters, which saw the letter sent by the agency.

According to its website, DISA's role is to manage how information is shared, managed and transmitted for the DoD, including communications for the president.

ISS World hacked

ISS World, which provides cleaning, catering, management and other support services, has been hit by malware, the company reports on its website. Although customer data does not appear to be affected for now, companies using its IT services are likely to find those options unavailable, as ISS has « blocked access », it said.

ISS owns companies around the world, including US catering company Guckenheimer and another food-service company, Apunto, which is based in Chile.

Week of February 10, 2020: Estée Lauder

This week, security researchers at Security Discovery found a huge and completely unprotected customer database owned by US cosmetics company Estée Lauder.

The database contained more than 440 million records, all of them in plain text. These records included email addresses, references, internal documents, IP addresses, storage information and other data that appears to come from a content management system run by the company.

Customer data was not compromised, but the accidental leak of so much company data is still a major concern. Estée Lauder said in a statement: « On January 30, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. »

Nedbank

South African financial services group Nedbank said this week that it is investigating a security incident involving direct marketing company Computer Facilities. Computer Facilities sends SMS and email marketing messages to customers on behalf of Nedbank and other clients.

Nedbank said in a statement that « a subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients ».

The company stresses that no Nedbank systems or client bank accounts were compromised « in any way ». Forensic experts have been hired to carry out an investigation, Nedbank says.

Nine-year-old’s identity stolen after data breach

Finally, an example of what can happen if your personal information is caught up in a data breach. A recent data breach at Health Share of Oregon led to a nine-year-old boy’s identity being stolen, after which a US Bank credit card account was fraudulently opened in his name.

The card arrived at the family home shortly after the boy’s mother was informed of the breach. Speaking to KATU 2 News, Kristen Matthews said: « This is not OK, especially for kids. This is not OK. I immediately started seeing red, because I never signed up for any of this. »

US Bank later closed the account, but the case shows how stolen or mistakenly leaked personal data can be used. Matthews added: « There are other victims out there, though. There might be other cards being sent to people. »

Week of February 3, 2020: Don’t click on the coronavirus phishing attack

Hackers are exploiting fear of the coronavirus. A new phishing attack is designed to look like an email sent by the World Health Organization. Needless to say, the message does not come from the United Nations agency, but is instead an attempt to get people to click on a link that takes them to a pop-up asking them to enter their email address and password, according to Sophos.

The specific message actually includes a number of grammatical mistakes — something to watch for if you’re getting an email from an official group, such as the World Health Organization. There are also words that are spelled wrong.

While people are concerned about the coronavirus, clicking on a link through an email — that you didn’t request — is still not the best course of action. Instead, we recommend going to different web sites directly, and not through a link.

Ashley Madison breach effects still felt

A new attack is affecting those whose names, passwords, credit card details and phone numbers were hacked in the Ashley Madison data breach of five years ago. Now some of the 32 million accounts are being targeted — personally — through an email scam that threatens to expose people if they don’t pay a Bitcoin ransom, according to Threatpost, pointing to a post from Vade Secure, which discovered the scam.

The demand is for about $1,165 in Bitcoin. It is hidden in an attachment in the email, and also includes a QR code, which is often not caught by email filters. The email demands the payment in six days, or the information about the person will be released.

Vade Secure has detected hundreds of these in the past week, and expects to see more of them in the coming months.

St. Louis Community College breach impacts thousands

A data breach at St. Louis Community College in Missouri has affected more than 5,100 people, including details such as birth dates, college ID numbers, names, addresses, phone numbers, email addresses and, for 71 people, their Social Security numbers, according to local news site KSDK.com. The college told people about the hack, which occurred through a phishing attack, and said that it had been able to lock down accounts again within about 72 hours.

While the school has said it will get in touch with those affected by the hack, anyone who is a student or has an affiliation with the college, should get in touch with them as well.

Week of January 27, 2020: Wawa Inc

Wawa, the US fuel and convenience store, admitted in December 2019 that it had been the victim of a nine-month-long data breach, leading to the theft of customer card data. Now, it is claimed these stolen card records are being sold online.

The Wawa customer records are said to be among a huge batch of 30 million card accounts from over 40 states offered up for sale. They are claimed to be from « a new huge nationwide breach, » reports Krebs on Security.

Data exposed by the breach includes debit and credit card numbers, expiration dates, and cardholder names. PINs and CVV numbers were not exposed, Wawa claimed.

We urge readers who use Wawa to keep an eye on their card statements and report any suspicious transactions to their bank or card issuer.

The United Nations

It was reported this week that The United Nations fell victim to a suspected state-funded cyberattack in July, but did not inform the public or affected employees.

According to confidential documents leaked to The New Humanitarian, the attack could have affected up to 4,000 UN employees. Compromised data included staff records, health insurance and commercial contract data.

It is reported that hackers gained access to the data through a flaw in Microsoft SharePoint and used malware to gather up data from UN servers in three of its European offices. Staff were advised to change their passwords, but were not told why.

In 2019, data breaches increased 17 percent

Finally this week, a year-end report by the Identity Theft Resource Center revealed that the number of US data breaches increased by 17 percent in 2019 to 1,473, compared to 2018.

According to the report, the year saw 164,683,455 sensitive records exposed, which was a 65 percent increase on 2018. What’s particularly interesting here is how the Marriott hotel data breach of 2018 accounted for 383 million of that year’s 471 million stolen records, further demonstrating the marked increase in data theft in 2019.

« The increase in the number of data breaches during 2019, while not surprising, is a serious issue, » said Eva Velasquez, president and CEO of the Identity Theft Resource Center. « It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed. The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed. »

Week of January 20, 2019: Microsoft exposes 250 million records

Microsoft left 250 million records open on a data — and admitted it in a blog post. The breach was open from December 5, 2019 to December 31, 2019, and contained details about « support case analytics, » said the company, and personal details had been « redacted. »

While Microsoft wouldn’t say how many records were involved, a site called Comparitech, which claims to have uncovered the breach, said there were 250 million records. Inside were conversation details between agents and customers that dated back to 2005 — far earlier than the December 5, 2019 Microsoft admitted to in its statement. And they reached out to Microsoft on December 29, 2019, they said.

Microsoft itself referred to the situation as a « misconfiguration, » and said that no « personally identifiable information » was exposed to the outside world. However, IP addresses and locations were available to see.

THSuite cannabis dispensary breach

A point-of-sale system used by cannabis dispensaries suffered a data breach — with some leaving buyers’ information, from names to birth dates, exposed, and occasionally the name of the employee who helped them, according to a new report from VPN Mentor.

More than 85,000 files were exposed, which included more than 30,000 records from the following dispensaries: Amedicanna Dispensary, Colorado Grow Company and Bloom Medicinals. But VPN Mentor warned that additional dispensaries could have been involved. The information that was breached differed between the dispensaries. But in some cases the customer’s signature was captured, along with birth dates and Medical ID numbers.

VPN Mentor tracked the breach to an Amazon S3 bucket that had been left unsecured. The database was closed on January 14, 2020. But any customer of the three dispensaries should keep an eye on their email for possible phishing exploits.

UPS Store exposes customer financial records and ID

UPS is emailing customers admitting that some customers’ records at about 100 stores were exposed through a phishing hack. The attack involved details in emails that had been sent to UPS for printing and other requests, and in some cases included government-issued ID and even some financial details.

The breach happened between September 29, 2019 and January 13, 2020, when a hacker was able to access the email accounts of UPS stores. The company said it’s using a third-party cybersecurity firm to help investigate the incident. And in the meantime, UPS is offering affected customers free credit monitoring and identity theft assistance.

Equifax

Equifax has agreed to put aside at least $380.5 million as compensation for victims of a 2017 data breach which saw 147 million US consumers compromised.

The company has also laid out plans to spend $1 billion on revamping its information security over the next five years. Consumers who believe they were affected by the breach have a week (from January 15) to file a claim for compensation. How much they receive will depend on how many people file.

The 2017 incident, which saw personal data including Social Security Numbers compromised, was blamed by Equifax on a buggy component of a server, for which a patch was available at the time but not applied.

The money will be used to pay for credit monitoring services for affected consumers, and individuals may be entitled to up to $20,000 in compensation, but only if they can provide proof that the data breach affected them financially.

Peekaboo

An app aimed at new parents and designed for cataloguing baby photos and videos left masses of data exposed on an insecure server for all to see. The app, called Peekaboo, was found to have exposed more than 100GB of data, including the email addresses of users, but also photos and videos of babies.

An estimated 800,000 email addresses were exposed by the insecure server, along with location data accurate to about 30 feet, effectively revealing where people had used the app on their smartphone. The insecure server was discovered by Dan Ehrlich of computer security company Twelve Security.

Ehrlich told BankInfoSecurity: « I’ve never seen a server so blatantly open. Everything about the server, the company’s website and the iOS/Android app was both bizarrely done and grossly insecure. »

The app developer has since secured the server and said it would check its systems for any other security issues.

P&N Bank

Western Australian bank P&N Bank informed customers this week of a data breach which exposed their personal information. Data unlawfully accessed include customer names, addresses, email addresses, phone numbers, ages, account numbers, and account balances.

Other personal records like ID and credit card numbers were not accessed, the bank said, adding that it believes the data was targeted on or around December 12, during a server upgrade. A company the bank hired to provide hosting is believed to have been the attackers’ entry point, reported ZDNet.

The bank stresses that, at this point, it appears that no customer accounts or funds were accessed or compromised. It is now working with law enforcement and federal authorities to work out exactly what happened. It isn’t yet known how many customers were affected.

Week of January 6, 2020: City of Las Vegas

Right as the biggest tech show in the world kicked off, CES 2020, the city that hosted it gave notice that it, in fact, had been victim of a data breach, reported local channel KTNV. The actual breach happened at 4:30 am local time, and Las Vegas warned that some services may be interrupted as a result. But by Wednesday, the city gave the all clear, and tweeted that it didn’t think any data was actually taken or lost, but still couldn’t point at how the breach happened, and who was responsible.

Google pays $7.5 million

Google is paying $7.5 million for data leaks from its former Google+ platform dating back to 2018, reports Law 360. About half a million people who used the platform had some personal details breached, where third-party developers were able to see profile data. But the company didn’t tell anyone for seven months.

Bubba Gump parent company hacked

Landry’s, the parent company of Joe’s Crab Shack, Bubba Gump Shrimp Co. and Morton’s The Steakhouse, is reporting a data breach on machines in its restaurants. Malware on order entry systems, and not the main payments systems, was able in « some instances, » according to Landry’s, to glean payment card details, although not someone’s name. These issues happened as early as January 18, 2019 but stopped by October 17, 2019. Anyone who has eaten at a Landry’s chain should, of course, monitor their credit cards for charges.

December 30, 2019: Wyze database was unencrypted

Wyze, makers of security cameras, sensors and light bulbs, left data from millions of customers exposed and open on its servers including names, email addresses and also nicknames of their security cameras. These details were unencrypted and anyone who knew the location of the database could have gathered the information. Wyze customers should be mindful of potential phishing attacks — and while passwords don’t appear to be involved, should change their Wi-Fi security codes just in case.

City of Aurora payments

The City of Aurora in Colorado has warned its water customers that anyone who used the Click2Gov payment system may have had their data breached, from their names and billing address to also the kind of card they used, down to the number and the expiration date. Any customers who used the online system between August 30th and October 14th, 2019 — whether it was once, or through a recurring payment — may be affected. The city is looking to launch a different payment system, and also set up a website for people who want more information.

Sinai Health Systems

Thousands of patient records from Sinai Health Systems — which includes Chicago’s Mount Sinai Hospital — may have been breached, according to the Chicago Tribune. Two employees’ email accounts were hacked, and through these, names, addresses, birth dates, Social Security numbers and health details could have been seen. People who may be affected got letters from the system.

Week of December 23, 2019: Wawa: A little data breach with your coffee

Wawa, the convenience store chain known across the East Coast in the U.S., found malware in the system it used to collect credit card and other payment information. The malware syphoned off credit card numbers, names and other details from machines inside the store, and also those at the gasoline pumps. ATM machines, though, were not involved, said the company.

Every one of the 850 Wawa locations was impacted, and the breach likely ran from at least March 4, 2019 until December 12, when Wawa was able to stop the attack. The company says it’s reaching out to anyone impacted by the malware and is offering free services, such as help with identity theft, to people involved. It has also asked the FBI to get involved.

Facebook: Names, phone numbers and user details breached

The latest data breach for Facebook involves 267 million of Facebook’s user IDs, phone numbers and people’s names visible in a database for anyone to see. This pot of information was found by a security researcher, Bob Diachenko, at Comparitech, who believes it was collected through an illegal scraping of the site.

Data scraping is one way people can collect information from a website, typically used to get a lot of information, which can then be ported to another site or another file. This is usually done with a program, or a bot.

In the case of Facebook’s data, it was ported to a hacker forum, says Comparitech, which people could download. User names and phone numbers can then be used to run phishing attacks on people.

Ring: Log-in details of more than 3,500 users online

The log-in details from 3,672 Ring users — emails, passwords, the names of the cameras and their time zones — have appeared online. The company, though, is maintaining, via Buzzfeed News, that the information did not come from a breach, just days after the story broke of someone breaking into the Ring camera in someone’s home and speaking to an 8-year-old child.

Ring says that the details are actually those collected from other online databases, and then tried on its own systems. The company encourages people to use two-factor authentication to further protect their devices.

Week of December 16th: NexusMods: A hacker wasn’t playing games

Gaming site NexusMods is alerting users to a data breach from November 8, 2019 that allowed a hacker to see records of some players. The site, which requires gamers to register before downloading games like Skyrim and Fallout, wants people to know that while it was able to shut down the access point, details including email addresses, password hashes and salts may have been seen. It posted the new information on December 19, 2019.

Password salts are bits of random data that are added to a password before it is hashed, while password hashing changes the password into another string of information. The company is asking users to keep their eyes open for phishing, and also to switch over to a new user platform it has launched — and yes, of course, change your passwords.
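To show what salts and hashes do in practice, the following Python code is an added example, not NexusMods’ own implementation. It stores passwords with a per-user random salt and PBKDF2, and contrasts that with an unsalted fast hash, where two accounts sharing a password are visible to anyone reading a leaked table. The sample accounts, iteration count and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed parameters for this example; choose values that fit your own policy.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed sample accounts: alice and carol happen to share a password.
SAMPLE_USERS = {
    "alice": "Skyrim-2019!",
    "bob": "dragonborn42",
    "carol": "Skyrim-2019!",
}


def hash_password(password, salt=None):
    """Return (salt, key); a fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify_password(password, salt, stored_key):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def unsalted_table(users):
    """Weak storage, shown for contrast: one fast hash and no salt."""
    return {
        name: hashlib.sha256(pw.encode("utf-8")).digest()
        for name, pw in users.items()
    }


def salted_table(users):
    """Recommended storage: per-user random salt plus a slow key-derivation function."""
    return {name: hash_password(pw) for name, pw in users.items()}


def accounts_sharing_a_hash(hashes):
    """Group usernames whose stored hash is identical, as a reader of a leaked table could."""
    groups = defaultdict(list)
    for name, digest in hashes.items():
        groups[digest].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    weak = unsalted_table(SAMPLE_USERS)
    strong = {name: key for name, (salt, key) in salted_table(SAMPLE_USERS).items()}
    print("unsalted, shared hashes:", accounts_sharing_a_hash(weak))
    print("salted, shared hashes:  ", accounts_sharing_a_hash(strong))
```

Salting does not make a weak password strong; it removes the shortcut of matching one precomputed hash against every account at once, which is why changing passwords after a breach is still advised.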

LifeLabs paid the ransom

LifeLabs, a Canadian medical lab, paid a hacker to get access back to its own data on more than 15 million customers. The details that were taken included names, home addresses, health card numbers, birth dates, user names and passwords and, for 85,000 people who live in Ontario, medical test results.

LifeLabs would not say what amount it paid to gain access to the data, but it did tweet out that a « law enforcement investigation is underway, » the Toronto-based company wrote. It is also making one year of free identity theft and monitoring services available to customers.

Zynga: Who wasn’t hacked?

Although Words With Friends maker Zynga admitted months ago to the hack of its database (which we highlighted as one of our 12 all-time worst data breaches for 2019), the actual number of accounts that had been breached wasn’t known. It is now.

According to Have I Been Pwned, the Zynga breach affected 172,869,660 unique accounts and included email addresses, user names and also passwords, plus some Facebook IDs and phone numbers if they had been shared with Zynga. Have I Been Pwned calls this the 10th largest breach it’s ever seen. While it’s nice to be tops in something, this may not be how Zynga wants to be ranked.

Week of December 9, 2019: Half a million payment cards for sale

This week, researchers discovered a dark web marketplace offering 460,000 payment card records up for sale. Split into two databases, the records were claimed to be 85-90 percent valid, meaning they could be used to buy goods where the card doesn’t need to be physically present, such as online.

The records predominantly came from Turkish banks, and were priced at $550,000. According to Bleeping Computer, the data was likely stolen during a cyber attack, rather than physically taken from the cards using a hacked payment terminal. Phishing could also be a way to obtain this data.

There isn’t much you can do to prevent an online store from having its customer card data stolen. But what you can do is keep a close eye on your banking records, and immediately report any suspicious transactions to your bank. In most cases, your money can be returned, and the bank will issue a new card with fresh credentials.

City of Hamilton, Canada

Residents of Hamilton, Ontario were warned this week about a « potential privacy breach » in which billing data for water utility accounts may have been accessed by a third party.

Water-related services – including meter readings, plus billing and payment data, names, addresses and tax assessment roll numbers – may have been exposed. The city said customers should maintain a « normal level of vigilance », and that the Information and Privacy Commissioner (IPC) has been contacted.

Customers are asked to monitor their accounts closely for any unusual transactions.

750,000 birth certificates exposed online

Finally this week, a UK security firm discovered a massive database of 750,000 US birth certificates which were sitting on an unsecured server. Hosted by Amazon Web Services (AWS), the server had no password and could be accessed by anyone who knew its location, reports InfoSecurity.

The company that owns the data hasn’t been named because it has yet to respond to attempts by security researchers to contact it. The company provides a service where US citizens can request copies of birth and death certificates from state governments.

The exposed data includes applicant names, along with their date of birth, street address and email address, phone number, and other data like previous addresses and names of family members. This data – especially that of children – can be highly valuable, as it gives hackers the ability to open bank accounts and other services in their name.

Week of December 2, 2019: Nebraska Medicine

Nebraska Medicine, a network of hospitals across the state including in Omaha, has been breached by one of its own workers, the company disclosed. The breach is extensive and includes medical records, with personal details that may have been accessed including Social Security numbers, birth dates and even lab results from medical tests. The worker, who was fired, according to Threatpost, had access for more than a year, from July 11, 2018 to October 1, 2019.

Maine school district victim of ransomware

A Maine school district has the U.S. Secret Service helping it after the federal agency alerted the district that ransomware had been installed on one of its servers. The Maine School Administrative District #6 told employees that their information may have been breached after they returned following the Thanksgiving holiday. While student data was reportedly not involved, said the Portland Press Herald, details about people who worked for the district that could have been breached include bank account and routing information, income data and Social Security numbers.

HackerOne pays $20,000 bounty after slip-up

HackerOne has had to pay a $20,000 bounty to one of its own members after someone accidentally leaked a way to get into the system from inside the company. Two hours of unfettered access through the security analyst’s account ended, as HackerOne disclosed, after the cookie — which had given the community person an in to the system — was revoked. The human error element, as opposed to a brute force or phishing attack, is to blame here.

Week of November 25: Hundreds affected by Facebook and Twitter data breach

Facebook and Twitter both admitted this week that hundreds of their users had inadvertently given third-party apps access to their personal information. The affected users had used their Twitter and Facebook accounts to log into a certain few Android applications.

These apps were then granted access to more information than they should have. This included people’s usernames, email addresses, recent tweets and Facebook posts.

Twitter said: « We will be directly notifying people who use Twitter for Android, who may have been impacted by this issue. There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately ».

Virtual Care Provider Inc

Milwaukee-based Virtual Care Provider Inc, which provides technology services to more than 100 nursing homes across the US, revealed this week it had been the victim of a cyber attack. The incident saw hackers demand $14M before they will give the company back access to its own hacked servers, the AP reports.

The company informed its clients via a letter on November 18, a day after the attack was discovered. The company said about 20 percent of its servers were affected and that 100 servers need to be rebuilt. The ransom has not been paid, meaning the affected nursing homes can’t access patient records, use the internet, pay employees or order medications.

Palo Alto Networks

Updated Dec. 10, 2019: U.S. cybersecurity company Palo Alto Networks found data on several employees had been exposed by a third-party vendor, including their birth dates. A spokesperson for Palo Alto Networks told GearBrain: « On February 2nd, 2019, we were made aware that information related to seven current and former employees was inadvertently posted by a third-party vendor on an external development community website. We took immediate action to remove the data from public access and terminate the vendor relationship. We also promptly reported the incident to the appropriate authorities and to the impacted individuals. We take the protection of our employees’ information very seriously and have taken steps to prevent similar incidents from occurring in the future. »

Week of November 18th: Disney+

Just hours after Disney launched its highly-anticipated Disney+ streaming service this week, customers began complaining en masse about being locked out of their accounts.

Although many said their accounts had been hacked and blamed a lack of security on Disney’s part, the likely answer is that the users fell victim to what’s known as credential stuffing. This is where they use an email address (or username) and password combination which they’ve used elsewhere, and with a service which itself has indeed been hacked.

These pairs of usernames and passwords are sold online to hackers who use automated software to try them with other websites and services, like Disney+. When one works, it is sold for a few dollars.

The answer here is simple – always use a different password for every website and service you log into online, and if an account is compromised (perhaps through no fault of your own), then make sure not to use that stolen password again.
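On the service side, credential stuffing leaves a recognisable pattern in login records: one source trying many different accounts, with nearly all attempts failing. The following Python code is an added example of that detection, not taken from Disney or any other company named here. The log format, thresholds, addresses and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real service):
# timestamp, source IP (documentation ranges), username, outcome.
SAMPLE_LOG = """
2019-11-12T09:00:01Z 203.0.113.7 anna@example.com FAIL
2019-11-12T09:00:03Z 203.0.113.7 ben@example.com FAIL
2019-11-12T09:00:05Z 203.0.113.7 carl@example.com FAIL
2019-11-12T09:00:08Z 203.0.113.7 dana@example.com OK
2019-11-12T09:00:10Z 203.0.113.7 eve@example.com FAIL
2019-11-12T09:00:13Z 203.0.113.7 finn@example.com FAIL
2019-11-12T09:00:15Z 203.0.113.7 gus@example.com FAIL
2019-11-12T09:00:18Z 203.0.113.7 hana@example.com FAIL
2019-11-12T09:01:00Z 198.51.100.20 bob@example.com FAIL
2019-11-12T09:01:20Z 198.51.100.20 bob@example.com FAIL
2019-11-12T09:01:45Z 198.51.100.20 bob@example.com FAIL
2019-11-12T09:02:30Z 198.51.100.20 bob@example.com OK
2019-11-12T09:00:30Z 192.0.2.50 ivy@example.com OK
2019-11-12T09:01:10Z 192.0.2.50 jack@example.com OK
2019-11-12T09:01:40Z 192.0.2.50 kim@example.com FAIL
2019-11-12T09:01:55Z 192.0.2.50 kim@example.com OK
2019-11-12T09:02:10Z 192.0.2.50 leo@example.com OK
2019-11-12T09:03:00Z 192.0.2.50 mia@example.com OK
2019-11-12T09:03:30Z 192.0.2.50 noor@example.com OK
"""


def parse_log(text):
    """Turn each log line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user.lower(), outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts, mostly unsuccessfully,
    inside one sliding time window. Thresholds are assumed example values."""
    by_ip = defaultdict(list)
    for when, ip, user, ok in sorted(events):
        by_ip[ip].append((when, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {user for _, user, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            if len(users) < min_users or failures / len(in_window) < min_fail_ratio:
                continue
            best = findings.get(ip)
            if best is None or len(users) > best["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "failures": failures,
                    # Accounts that logged in from a flagged source at any time:
                    # candidates for a forced password reset.
                    "successful_logins": sorted(
                        {user for _, user, ok in attempts if ok}
                    ),
                }
    return findings


if __name__ == "__main__":
    for ip, detail in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, detail)
```

The one user who repeatedly mistypes a password and the shared office address with many successful logins are both left alone, because the rule needs many accounts and a high failure rate together.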

Fairfax County Police Department

The personal information of over 500 employees of the Virginia police department may have been breached, officials revealed to the Washington Post this week. The data breach occurred at a neighboring police department, Purcellville.

Data exposed include names, dates of birth and Social Security numbers. Fairfax County Police Chief Edwin Roessler Jr. said the data was on a missing memory stick that contained the email inbox of the Purcellville police chief.

Roessler said it wasn’t clear why data on his staff was stored on a USB stick held at another police department.

Macy’s

Department store Macy’s confirmed this week it had been the victim of a hacking attempt during a weeklong window in October.

The attack began on October 7 and saw hackers inject lines of code into the checkout page which scooped up customers’ billing information and sent it to a malicious third-party website.

Data stolen from customers who made purchases on macys.com that week include:
  • First name
  • Last name
  • Address
  • City
  • State
  • Zip
  • Phone number
  • Email address
  • Payment card number
  • Payment card security code
  • Payment card expiry date

Macy’s has contacted law enforcement and hired « a leading class forensics firm » to help with their investigation. All relevant credit card companies have also been contacted, as have all affected customers, who have been offered free consumer protection.

Week of November 11: ZoneAlarm

This week, it was reported that the names, email addresses, hashed passwords and birth dates of up to 4,500 users of ZoneAlarm, a security firm, were compromised.

Owned by Check Point, ZoneAlarm offers cybersecurity solutions to protect users against malware, ransomware, phishing attacks and identity theft to over 100 million PC users globally. First reported by TheHackerNews, the data breach was confirmed by ZoneAlarm, but instead of speaking publicly about the incident, the company chose to quietly email affected users last weekend.

The email told users to change their forum account passwords, as hackers had gained unauthorized access to their personal data, including names and email addresses. Thankfully, stolen passwords were hashed, meaning they cannot be read as plain text and used by the hackers. Additionally, the incident only affects around 4,500 users, so is relatively small compared to other data breaches we have seen this year.

Solara Medical Supplies

Solara Medical Supplies is a California-based company and the largest US independent supplier of continuous glucose monitors and insulin pumps for those suffering from diabetes. The company this week gave notice of a data breach where a hacker gained access to employee Office 365 accounts.

The unauthorized access took place between April 2 and June 10 this year, and was the result of an email phishing campaign. Although it isn’t known exactly what data was seen, and if any was stolen, what could have potentially been seen by the hacker is vast.

Solara said in a press release: « The personal information present in the accounts at the time of the incident varied by individual but may have included first and last names and one or more of the following data elements: name, address, date of birth, Social Security number, Employee Identification Number, medical information, health insurance information, financial information, credit / debit card information, driver’s license / state ID, passport information, password / PIN or account login information, billing / claims information, and Medicare ID / Medicaid ID. »

Solara has not said how many people could be affected by the data breach, but has since reset employee Office 365 passwords and informed law enforcement. Customers wishing to learn more are urged to call 1-877-460-0157 (toll free) or email compliance@solaramedicalsupplies.com.

Starling Physicians

Finally this week, and in more medical news, Starling Physicians gave notice of a security incident, which resulted in the « potential access to some of our patient’s personal and medical information. »

As with Solara, Starling admits it was the victim of a phishing attack that resulted in « an unauthorized third party potentially having access to the contents of some of our employees’ email accounts. »

Data potentially exposed by the incident includes patient names, addresses, dates of birth, passport numbers, Social Security numbers, medical information and health insurance or billing information. Those whose Social Security numbers were exposed have received an offer of free credit monitoring and identity theft protection, the company said.

Anyone concerned by the incident can call Starling on 1-888-800-3306.

Week of November 4th: California Department of Motor Vehicles

Thousands of Social Security numbers were visible to federal agencies, through a data breach by the California Department of Motor Vehicles. So reported the Los Angeles Times this week, which said that the DMV did reach out to those who were affected. But agencies that may have gotten access to this information included the U.S. Department of Homeland Security and the Internal Revenue Service. This wasn’t a one-time breach either. Access to numbers of 3,200 people took place over the last four years. The DMV has reportedly closed off this access, but some records included those of people who had applied without proof of legal status, as they’re permitted to do in California by law.

Brooklyn Hospital Center

A ransomware attack has hit the Brooklyn Hospital Center, making some patient records visible — and making others disappear permanently. While the center said, in a notice on its web site, that none of the data was exposed, they could not recover some records, and have reached out to those patients. The attack goes back to July when the hospital found out it had been hit with malware on its system. By September, they realized that the attack had also deleted some patient data. Anyone who believes they’ve been impacted by the situation is invited to reach out to the hospital themselves.

Veritas Genetics

Finally this week, Veritas Genetics, which conducts DNA testing, admitted that an unauthorized user gained access to its system. The company promises that genetic information, including DNA test results and health records, wasn’t breached, but they wouldn’t tell Bloomberg exactly what data was seen. While data breaches that include addresses and financial details can be a serious problem, medical data presents its own unique concerns. People can change their passwords. Their DNA is immutable. Veritas says just a small number of customers are involved in the breach. Anyone who has ever used Veritas, and has concerns, should certainly reach out to them.

Week of October 28: Adobe Creative Cloud

This week, digital design company and software maker Adobe discovered a vulnerability which may have exposed the email addresses of up to 7.5 million users.

Adobe says it fixed the problem as soon as it was made aware of it, which was in mid-October by a company called Comparitech. Adobe made its customers aware with a short notice on its website on October 25.

« The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information, » said Adobe. « This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. »

Web.com

Users of Network Solutions and register.com – both owned by domain registrar web.com – were contacted this week and asked to reset their passwords after the discovery of a data breach which took place in August 2019.

Hackers gained access to contact details of current and former customers of web.com, including their names, postal addresses, phone numbers, and email addresses. The names and addresses of current and former customers of Network Solutions and register.com, both subsidiaries of web.com, were also compromised. However, no credit card information was taken, the company said in a statement, as that data was encrypted.

Although the breach is believed to date back to August, the company only discovered it on October 16, and then took immediate action. The company’s statement did not say how many of its customers were affected by the breach, but CISO Mag reports the figure could be as high as 22 million across the three companies.

UniCredit

Italy’s top bank, UniCredit, admitted its third data breach in three years this week. The latest incident involved the personal records of three million Italian customers, reported Reuters.

Although only discovered and acknowledged this week, the breach occurred back in 2015 and saw the exposing of a file containing the email addresses and phone numbers of three million people. This latest breach is the third to be suffered by UniCredit since 2016, despite the lender spending €2.4 billion over the past three years upgrading its IT system and cyber security.

The bank stressed that no data was lost which could result in customer accounts being accessed, and said it was in the process of contacting the victims. The police have also been contacted, the bank said, and an investigation is now underway to determine if any crimes have been committed.

Week of October 21: Best Western affected

A data breach uncovered by vpnMentor found the reservation management system Autoclerk may have leaked details about hotel guests at some of the biggest chains in the world. Autoclerk, which is owned by Best Western Hotels and Resorts Group, holds data on reservations, down to when someone may have checked in to their stay and their home address. And one of the biggest customers of Autoclerk? The U.S. government, including the Department of Homeland Security.

The database in question, which held 179 GB of data, has now been closed, reports vpnNetwork. But hundreds of thousands of reservations were held inside.

Zappos makes up with sad discount

The data breach that impacted Zappos in 2012 has now been settled, and the company is awarding 10 percent discount coupons to those impacted. Sure, lawyers netted nearly $1.6 million, but who is to say what a 10 percent coupon could be worth?

The coupon is the same discount that students, teachers and military people can earn on the site as well. The rest of us? Zappos famously says it doesn’t push out coupons. So perhaps this is a case of being happy with what you get — your data sold across the data web, for a few dollars off the latest fashion sneakers.

More healthcare breaches

A phishing attack impacted Kalispell Regional Healthcare in Montana, when employees were fooled into giving up their login credentials. Hackers may have used these details to access patient information from as early as May 24, 2019. The healthcare group has notified anyone who might have been impacted. For now, anyone who may have sought medical care from the group may want to reach out — and of course check their accounts for any activity that looks incorrect.

Week of October 14: Indiana hospital system falls victim to phishing scam

Methodist Hospitals of Indiana said this week that the personal information – including Social Security numbers and health records – of over 68,000 patients may have been exposed during a data breach. The hospital group, which has campuses in Gary and Merrillville, said it was alerted to questionable activity on an employee’s work email account in June, then in August it discovered that two workers had fallen victim to an email phishing scam.

The scam caused an unauthorized person to gain access to the employees’ email accounts, which may then have given them access to thousands of patient records. In a letter sent to patients, Methodist Hospitals said the data may have included names, addresses, license or state identification number, password number, financial account number, electronic signature, username and password, date of birth, medical record number, CSN number, HAR number, Medicare or Medicaid number, and medical treatment/diagnosis information. In other words, pretty much everything – and the company didn’t say if the passwords were encrypted or stored in plain text.

Although all this data may have been accessed, the hospital group cannot yet say for sure if it was. An investigation is ongoing.

North Florida Obstetrician-Gynecologist

North Florida OB-GYN has contacted more than half a million current and former patients, warning that their data may have been accessed by an unauthorized person. The clinic, which provides specialist medical care for women, told all current and former patients that their personal and medical data records may have been exposed during the breach, but it couldn’t say at this stage if any data was actually taken.

In a statement, the clinic said it discovered in July 2019 that a « cyber incident » had begun on or before April 29 and resulted in « improper access to certain portions of its networked computer systems ». It was also said a computer virus had encrypted certain files on the clinic’s computer network.

Compromised data may have included patients’ names, demographic info, dates of birth, Social Security numbers, driver’s license or ID card number, employment information, health insurance information and health data like treatment, diagnosis, related information and medical images. No financial information was exposed. All that said, the clinic cannot yet say for sure if any of the data was viewed or stolen, or if it was merely exposed and could potentially have been taken.

Infosecurity Magazine reports that all 528,188 past and current patients were contacted by the clinic.

BriansClub

In an ironic twist this week, one of the largest underground websites for buying stolen credit card data was itself hacked. Called BriansClub, the website uses the name and likeness of prominent cybersecurity expert Brian Krebs.

Krebs himself reported the incident, revealing that the hack involved « more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone. »

The incident gives an insight into how the website operated, earning an estimated $126 million in bitcoin-funded sales between 2015 and 2019. While many of the stolen credit card records likely no longer work, due to the owners having them cancelled, Krebs estimates that more than 14 million of the 26 million records could still be valid. These so-called ‘dumps’ are made up of ones and zeroes, and when encoded onto a magnetic strip can be used like the credit card they have been stolen from.

As ever, readers are reminded to keep a close eye on their credit card statements and immediately report any suspicious activity to their bank or card issuer.

Week of October 7, 2019: TransUnion’s Canada breach

Data on 37,000 people in Canada — and held by TransUnion — were reportedly breached this year. The hack happened sometime this summer, in June and July 2019, through a business customer, Canadian Western Bank, and one of its accounts. Specifically, the breach included credit checks for people who did not know that data on them was being pulled. Customers affected are being notified about the breach.

Beeline brouhaha

Beeline, a Russian ISP, is now admitting to the hack of the data from millions of customers. The breach reportedly happened years ago — but the data from 8.7 million customers, who never knew about the hack, is now appearing online. Those who signed up for the service in Russia, and before November 2016, are affected, according to ZDNet. While Beeline also covers customers in other countries, including Australia, these people were not affected.

Toms’ hacker was very polite

Toms shoes just got hit with what may be the nicest hack in recent history. Over the weekend, subscribers had emails sent to their inboxes with the message to turn off their screens and step outside, according to Motherboard Vice. The hacker even gave himself the nice normal name, Nathan.

Toms doesn’t believe any payment details were accessed. Still, the company is asking customers not to click on anything else that came from the email, nor respond in any way — even to return the kind message.

Week of September 30: Words With Friends spills 218 million user accounts

Hugely popular mobile game Words With Friends, the Scrabble-like title by Zynga, was subject to a huge data breach this week. Speaking to The Hacker News, well-known Pakistan-based hacker Gnosticplayers claimed they had stolen the user details of all 218 million mobile players of Words With Friends. That’s every single person who has played the game on a smartphone.

Zynga had actually announced it was the victim of a data breach earlier in the month, but didn’t reveal the scale of the attack. It instead said: « Certain player account information may have been illegally accessed by outside hackers. »

What actually happened, according to the hacker themselves, is that the names, email addresses, login IDs, hashed passwords and Zynga IDs were stolen. For some players, the stolen data also included their password reset token, phone number and Facebook ID.

If you have ever played the Words With Friends mobile app, we recommend you change your passwords and keep a close eye on your Facebook account.

Zendesk

Zendesk, a customer support ticketing platform, revealed this week that it was the victim of a security breach which took place back in November 2016. The company revealed on its website that a hacker had accessed the personal information of around 10,000 users with Zendesk Support and Chat accounts.

Despite the breach taking place almost three years ago, the company admitted it had only discovered it on September 24, 2019. And even then, it admitted it was alerted to the issue « by a third-party ». Stolen data included email addresses, names and phone numbers, all related to accounts created with Zendesk up to November 2016. The company says passwords were hashed and salted, so should be safe. « We have found no evidence that these passwords were used to access any Zendesk services in connection with this incident, » the company added.

Zendesk says it is engaging with « a team of outside forensic experts to validate the claims of the third party and to determine the exact data and information that was exposed. » It recommends that customers change their passwords.

Chegg

Chegg, an education technology company, mistakenly exposed the usernames, passwords and addresses of thousands of George Washington University community members. Chegg offers students at the university homework help and textbook rentals.

The breach was reported by The GW Hatchet, which said Chegg had suffered a data breach in April 2018 which exposed the usernames and passwords of 5,000 members of the GW community, and 40 million Chegg users globally. GW students were notified of the breach on September 24, and it was recommended they change their passwords used for GW’s online services.

Chegg said on its website: « Our understanding is that the data that may have been obtained could include names, email addresses, shipping addresses, Chegg usernames, and hashed Chegg passwords. Our current understanding is that no financial information such as credit card numbers, bank account information, or social security numbers was obtained. »

Loretta Early, chief information officer at the university, said: « Due to the nature and potential impact of cybersecurity incidents, collaboration and attention is elevated to the highest level to provide the best and most expedient response to our customers. »

The cost of data breaches is rising – Kaspersky

Not a data breach itself, but a new report from cybersecurity firm Kaspersky revealed this week that the cost of enterprise data breaches is on the rise. The cost per incident has risen, Kaspersky says, from $1.23m last year to $1.41m today.

As a result, the report says, enterprise organizations are investing more in cybersecurity, with the average IT security budget up massively from $8.9m in 2018 to $18.9m now. Kaspersky is keen to point out that companies with a Security Operation Center (SOC) in place tend to suffer less financially when they fall victim to a data breach. The company says the average financial impact of a breach without an SOC is $1.4m, compared to $675,000 with an SOC in place.

Week of September 23: Iowa’s parking payment breach

As if paying a parking ticket isn’t bad enough, now about 1,500 people in Ames, Iowa who paid that fine online may have had their data breached if they used a vendor, Click2Gov, according to the Des Moines Register. Anyone who paid between July 30 and Sept 12 could have had their credit and debit card numbers, full name, address and email addresses breached because of a server on the city’s side that connected to Click2Gov.

The city isn’t the only victim of the hack, with eight cities in total hit and data getting syphoned and sent to the dark web, according to Wired. In the case of Ames, the city replaced its server. Now customers should keep a very close eye out for fraudulent charges possibly appearing on their payment cards — and also be mindful of phishing emails that could start appearing in their inbox.

WordPress plugin problem

An old plugin used to help WordPress users manage reviews on their sites is getting unwanted attention from hackers. The plugin, Rich Reviews, is being infected by hackers to send visitors to other sites and even bring up popup ads, according to Wordfence. The company that created the plugin, Nuanced Media, has actually discontinued maintaining it — and you can’t download it anymore. (It wasn’t super popular to begin with, only getting about 100,000 downloads in total.) What should you do if you’re using this plugin? Delete it. Now.

Malicious Military hack

An attack directed at U.S. veterans included a fake web site with directions on how to install an app to help former military personnel find jobs. The web site, hiremilitaryheroes.com, was actually still online as of Sept. 25, and had been created either at the end of July or early August 2019, said CNET. But GearBrain has found the site is now down as of midday Sept. 26.

Downloading the malware — which was cloaked as an app — would access details of someone’s computer from the hardware they were using to their software, even their admin name. What’s the lesson here? Installing software from the web is almost never a good move unless it’s truly coming through a company or someone you know well. That circle of trust? Keep it very (very) small.

Week of September 16, 2019: Almost all of Ecuador

It’s been a fairly quiet week of US-based data breaches, but the same can’t be said on a more global scale. Topping the charts this week is the country of Ecuador, where just about every single person has had their data exposed online. vpnMentor discovered a leaking database on an unprotected server in Miami, Florida, containing the personal details of over 20 million people – four million more than the population of Ecuador itself. The server appears to be owned by Ecuadorian consulting company Novaestrat, with the majority of people affected appearing to be from Ecuador.

The data appears to have come from the country’s government registries, an automotive association called Aeade, and Biess, a national bank in Ecuador. Around 18GB of data was exposed, including:

  • Full names
  • Gender
  • Date of birth
  • Place of birth
  • Home address
  • Email address
  • Home, work and cell phone numbers
  • Marital status
  • Date of marriage, where applicable
  • Date of death, where applicable
  • Level of education

Basically, the database contains everything you need to know about almost everyone in Ecuador, including names of relatives, personal financial information, employment details (with salary), and there was even an entry for Julian Assange, the Wikileaks founder who was granted political asylum by Ecuador in 2012. The manager of Novaestrat has reportedly been detained.

Malindo Air

Millions of passenger details were exposed by a data breach confirmed by Malindo Air, an airline operating 40 routes from two airports in Kuala Lumpur, the capital of Malaysia. Malindo Air is a subsidiary of Indonesian low-cost airline Lion Air.

The exposed information included passport details, home addresses and phone numbers of customers who have flown with Malindo Air. The information was leaked onto data exchange forums in September, reports South China Morning Post.

Malindo Air says it will hire an independent cybersecurity firm to do a full forensic analysis and determine what happened. In a statement, the airline said: « Some personal data concerning our passengers hosted on a cloud-based environment may have been compromised. »

Hospital patient records

Finally, this week saw letters sent to thousands of hospital patients in the UK to tell them hospital records were accessed multiple times by unauthorized staff, prompting a criminal investigation. Letters were sent out by the Wrightington, Wigan and Leigh NHS Foundation Trust to 2,172 victims of the data breach, reported Wigan Today.

The letters explained that personal information was viewed on multiple occasions by an employee who had no legitimate reason to access the data, and was not allowed to do so. The UK’s Information Commissioner’s Office is investigating the incident. Data wrongly accessed could include clinical documentation like blood results, care pathways, medication, secretary letters and patient discharge letters.

Victims were additionally told: « Unfortunately during this investigation poor computer etiquette was also identified and therefore we are unable to validate the specific individual concerned. The employee who has inappropriately accessed your record is a member of our staff who has legitimate access to our electronic health record system; for example a medical professional or clinical administrator. »

Week of September 9, 2019: Cobalt Dickens

Nope, not the name of Charles’ brother — but instead it’s a group of hackers who are luring users through 20 different domains to steal their information. Researchers think they’re going to an online library, log in, and get their details taken. We’re talking about phishing, and the group is hardly new to this behavior, having caught the eye of the U.S. Department of Justice in 2018 — and getting in trouble for it.

The phish starts with an email that looks like it’s coming from their school, and telling them to re-up their library account. What to do? As usual — try very hard not to click on links in emails, even if you think you know where it’s coming from.

SimJacker

An exploit is taking advantage of a weakness in SIM cards, tracking phone owners, where they are, and also able to hijack calls. The way this works is people get an SMS message. How many have been affected? That doesn’t appear to be clear — but the exploit has been around for two years.

One report believes this attack is actually coming from a private company, and could get into mobile phones in regions as wide ranging as Europe, the Middle East, West Africa and the Americas.

More Equifax steps

Those who have already signed up to get their Equifax settlement — for $125 — are finding there are more steps they need to take. Reports show people who have registered are now receiving emails that they have to show they’ve had credit monitoring — and promise to have monitoring going for at least another six months in order to get the $125.

While, in some cases, people can get free credit monitoring if they’ve been the victim of a hack, or identity theft, these services can charge a monthly fee of anywhere from about $10 to $30. After six months, you’ll have easily eaten through your $125.

Facebook (again)

This week, Facebook confirmed that the phone numbers of over 200 million users had been exposed on a database which was unencrypted and could have been accessed by anyone. The database, which is not believed to have been created by Facebook, paired phone numbers up with the User IDs of Facebook users, unique numbers assigned to each user.

It would have been relatively easy for someone viewing the database to discover someone’s phone number. Some entries in the database also included the user’s name, gender and the country they lived in, along with their user ID and phone number.

The exposed data comes more than a year after Facebook switched off a feature in April 2018, whereby users could be found by searching the social network with their phone number. Also this week, Facebook launched a dating website for US users, called Facebook Dating…

DK-Lok

Also this week, it was discovered that industrial supplier DK-Lok had left private emails and communications exposed for all to see. Cybersecurity company vpnMentor revealed the existence of the database on Thursday, belonging to the South Korean company and containing emails between staff, clients, and some personal email too.

« Many of the emails were marked private & confidential, revealing highly sensitive information about DK-Lok operations, products, and client relations, » vpnMentor said. The firm added it had made several attempts to contact DK-Lok about the leaking server, but received no reply – vpnMentor even pointed out how they could see their own emails on the server, proving their communications were getting through, but not being responded to.

vpnMentor said: « The most absurd part is that we not only know that they received an email from one journalist we work with, alerting them to the leak…but we know they trashed it. »

Sensitive information exposed publicly included product prices and quotes, project bids, travel arrangements, private conversations, and discussions on suppliers, clients, projects and internal operations.

Yahoo breach claim forms available now – how to get yours

Yahoo announced this week that claim forms are now available for users looking to seek compensation from multiple data breaches which affected over three billion people between 2012 and 2016. There is a $117.5m pot of compensation cash, but the amount each claimant receives will depend on how many apply.

Readers believing they were affected by the data breaches must file a claim online or by mail by July 20, 2020, and they can find more information at www.YahooDataBreachSettlement.com.

Tesla Model S

The keyless system of a Tesla Model S has been hacked again, this time by researchers eager to show how vulnerable the key fob is — even with a patch that Tesla put in place.

Researchers from Belgium University found a bug, a workaround, in the encryption again, wrote Wired, which reported the news. Tesla had built a new set of key fobs, from Pektron, after the same researchers showed they were able to hack the car in 2018.

This vulnerability, however, can reportedly be fixed with a software update — meaning Tesla owners just need to wait to get their key fobs secure again.

Imperva

Imperva, a cybersecurity company that protects other firms’ information, was itself the victim of a hack, they disclosed this week. The breach impacted customers who had accounts with Imperva through September 15, 2017, and included email addresses, hashed and salted passwords and for some, API keys and customer-provided SSL certificates.

Imperva only learned of this on August 20, 2019 — which means for nearly two years, that information was available. Of course any Imperva customer should contact the company, and also reset API keys among other steps, along with setting up two-factor authentication.

Capital One update

Paige A. Thompson, also known as « erratic, » will be arraigned in Seattle on wire fraud, and computer fraud and abuse, as per a United States Department of Justice (DOJ) statement. The former software engineer is still in custody for hacking into Capital One’s database, as well as « more than 30 other entities, » said the DOJ.

Thompson is being charged with not only hacking into the database, but also cryptojacking, which is using someone else’s computer power to mine cryptocurrency, without their knowledge.

Week of August 19, 2019: MoviePass

MoviePass, the movie ticket subscription service, confirmed this week it had become the victim of a data breach. The company said the breach may have left customer information – including user billing details – exposed online.

It was reported that tens of thousands of customers had had their data exposed by the breach, and a day after the initial report MoviePass issued a statement. The company said: « We are working diligently to investigate the scope of this incident and its potential impact on our subscribers. »

The data was exposed by a leaking database first discovered by cybersecurity firm SpiderSilk. The server contained over 160 million records and was growing at the time of the discovery, but only a small amount of the data was sensitive user information. This data included the numbers of MasterCard-based debit cards issued by MoviePass to its users. Other data exposed included billing information, names and postal addresses.

Arizona State University

Arizona State University told 4,000 students this week that their email addresses were « accidentally revealed » in late July, reports AZ Central. The inadvertent exposure of the email addresses has been described as a breach of federal health privacy law.

The email addresses weren’t exposed via an unencrypted server which could be tricky to find. Instead, and somewhat worse, the university sent bulk emails to students about health insurance renewals, but failed to mask the identity of recipients, and some of the email addresses revealed show student names.

The university said it was able to delete over 2,500 of the messages, and more than 1,130 of them went unread by recipients.

Described as an « unintended action », the university said the incident was a breach of the Health Insurance Portability and Accountability Act.

Massachusetts General Hospital

It was announced by Massachusetts General Hospital on Thursday this week it has notified 9,900 people of a privacy breach. During the breach, the hospital believes a third party may have accessed data, including demographic and genetic information for study participants.

The third party is said to have accessed databases « related to two computer applications used by researchers in the Department of Neurology for specific Neurology research studies, » the hospital said. The third party had unauthorized access to the databases between June 10 and June 16, 2019.

According to the hospital, accessed data may have included participants’ first and last names, plus certain demographic information like marital status, sex, race and ethnicity, along with their date of birth, dates of study visits and tests, medical record number, type of study and research study identification number, diagnosis and medical history, biomarkers and genetic information, types of assessments and results, « and other research information. »

The hospital says it has hired a third-party forensic investigator and is in the process of notifying affected individuals. More information can be found on the hospital’s website.

Week of August 12, 2019: Choice Hotels

Hundreds of thousands of records from Choice Hotels were stolen by hackers, from names and addresses to email details and phone numbers. The records had been stored in a database that belonged to an outside party — not the hotel chain. Nevertheless, guests’ information was not only hacked, but is now up for ransom for about $4,000 or 0.4 bitcoin, according to Comparitech, which worked with a security expert to find the original breach.

Anyone who stayed at the hotel chain should certainly change any passwords they have, but they should also be aware that with their phone numbers and email addresses now floating about they could be getting a bump in spam as well.

Suprema Biostar 2

Fingerprint and facial recognition data and passwords of users were discovered unsecured by researchers on the site of Suprema’s Biostar 2 security platform. The large cache of data — 27.8 million records — may or may not have been hacked. But the fact that the database was publicly accessible is alarming since the platform is used to grant access to buildings in the U.S., Japan, UAE, India and the U.K. — including the UK Metropolitan police, reports The Guardian.

Fingerprints of more than one million people are just some of the biometric data in the cache — data which cannot be changed like a password. Researchers report that actual images of people’s fingerprints were stored.

Hy-Vee

Supermarket chain Hy-Vee said that some credit card customers that used its fuel stations, drive-thru coffee shops and restaurants have been victims of a data breach. These include some Market Grilles, Market Grille Express and Wahlburgers locations that were inside the stores.

The chain does not know how many people were involved, but says it will notify customers. People who frequent the chain should check their credit card statements for anything that looks amiss.

Week of August 5, 2019: Monzo

Almost half a million Monzo customers were told this week to change their PIN, after the British challenger bank admitted it had been storing the numbers in an insecure database accessible by its workers.

It was announced that the PINs of 480,000 customers were in a file which could have been accessed by its employees for months. Monzo said in a blog post on Monday: « As soon as we discovered the bug, we immediately made changes to make sure the information wasn’t accessible to anyone in Monzo…We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. »

The incident affected less than a fifth of Monzo’s UK customers, and it appears that no harm was done. However, it comes at an unfortunate time for Monzo, as the rapidly-growing bank prepares to open shop in the US, just as Apple launches its Card, which offers similar smartphone app-based features.

Air New Zealand

National carrier Air New Zealand warned over 100,000 of its Airpoints members this week that some of their data may have been compromised as part of a cyber attack. The customers were contacted by email on August 9.

In all, approximately 112,000 members of the airline’s Airpoints membership programme were affected.

Air New Zealand said in a statement addressed to the affected members: « We’re sorry to advise that some of your personal information may have been affected by a recent phishing incident relating to two Air New Zealand staff accounts…While your Airpoints account was not accessed, some information relating to your membership profile may have been visible in our internal documents should these documents have been accessed. »

The airline said the amount of personal data exposed will vary from one member to another, but said it could include their Airpoints number, name and email address. It said passwords and credit card details were not affected.

Twitter

Twitter disclosed more bugs this week relating to how it uses the personal data of its users to target advertisements at them. The social network admitted it may have shared user data with ad partners, even when users had opted out of this.

Twitter said in a blog post: « We recently found issues where your settings choices may not have worked as intended. » The company admitted that, if a user clicked or viewed an advert for a mobile app then interacted with the app since May 2018, it « may have shared certain data » with advertising partners, « even if you didn’t give us permission to do so. »

The data shared could include « country code, if you engaged with the ad and when, information about the ad, etc », Twitter said. It also admitted it may have shown users adverts based on inferences it made about the device they use, even if they did not give it permission to do so. The issues were fixed on August 5, 2019, Twitter says, but because the incident began in May 2018 the company could find itself having to pay a hefty GDPR fine.

Week of July 29, 2019: Capital One

This week saw Capital One admit to a « data security incident » which occurred in March 2019, and said it may have impacted about 100 million people in the US, and six million in Canada.

Unusually at this stage of such an incident, the alleged hacker is known and already in custody. The stolen data included names, addresses, birth dates, credit ratings and more. The hacker is said to have worked alone and broken into Capital One’s systems through a « configuration vulnerability » which was discovered by the company on July 17.

Credit card numbers and customer login details were not accessed, Capital One says. However it did say that the Social Security numbers of 140,000 US customers and one million in Canada were stolen.

Sephora

It was claimed this week that 3.7 million customer records stolen from cosmetics company Sephora were discovered for sale on the dark web.

Singapore-based cybersecurity company Group-IB says it discovered two databases containing the customer records, and said they are « likely to be related » to Sephora. The leak dates back to February this year and was announced by Group-IB on August 1.

One of the databases listed for sale is said to contain 500,000 records including user names and hashed passwords from Sephora’s Indonesia and Thailand websites. The second database, called « Sephora 2019/03 – Shopping – [3.2 million] », contains 3.2 million customer records stolen in March this year.

Sephora said details had indeed been leaked, and they affected online customers in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong, Australia and New Zealand, reported Channel News Asia.

FTC warns Equifax compensation fund could run dry

Following the opening of a website allowing victims of the 2017 Equifax data breach to claim $125 in compensation, the Federal Trade Commission has warned there isn’t enough money to go around.

The 147 million victims can opt for Equifax’s own free credit monitoring service, or choose to take the $125, which is intended to pay for a credit monitoring service from elsewhere. But the FTC claims « millions of people » have visited the website to claim their $125, and as a result the commission says the $31 million settlement fund isn’t enough.

The FTC has warned that victims will get « nowhere near $125 », and added in a blog post: « If you haven’t submitted your claim yet, think about opting for the free credit monitoring instead. Frankly, the free credit monitoring is worth a lot more – the market value would be hundreds of dollars a year. »

Pearson

Pearson, a British education company, said this week that it has notified customers about a data breach which saw unauthorized access to about 13,000 school and university accounts.

Most of these accounts are held in the US, and the exposed data included first and last names, plus birth dates and email addresses in some cases.

The company said: « While we have no evidence that this information has been misused, we have notified the affected customers as a precaution. »

Week of July 22, 2019: Lancaster University

Lancaster University, based in the U.K., has been hit with a data breach in which the school was hacked through two methods. One involves undergraduate applications for both 2019 and 2020, where names, addresses, telephone numbers and email addresses were breached. As a result, some applicants were sent fake invoices, which the school is warning people to watch for.

A second attack also hit existing student records, with some of them — « a very small number, » said the school — accessed, along with ID details. The school is contacting those students specifically if they’ve been involved.

Facebook

Facebook’s Cambridge Analytica scandal is going to cost them a $5 billion fine, according to the Federal Trade Commission. (Were you affected? Here’s how to find out.)

The social media giant is also getting handed other requirements — like creating an independent privacy committee — but the fine, announced earlier this year, is seen by some as not hefty enough considering the impact on consumers.

Equifax

Equifax has finally reached a settlement for the 2017 data breach that affected more than 147 million people — and it will be close to $700 million. While dwarfing the Facebook fine which is in the billions of dollars, $300 million of this settlement is meant to go back to people who were impacted by the breach.

Who has been impacted? Well, that’s something consumers can actually discover on their own, by going to a specific web site, where they can also file a claim.

While there is a possibility of a flat cash payout for some — around $125 — Equifax is also agreeing to give people upwards of 10 years of free credit monitoring — which will not be through them but through Experian.

Higher payouts will be based on how impacted someone was by the breach. For example, if they had to spend time trying to clear up identity fraud issues, they can get $25 an hour back for up to 20 hours, plus out-of-pocket losses and up to 25 percent of the products they paid for before the breach — adding up to $20,000. That’s not going to be the norm for most. But it’s worth checking out to see if you’re eligible at all.

Week of July 15: Sprint

Sprint customers with Samsung devices should change their password immediately, as Sprint found that hackers got into accounts through the Samsung web site, reported ZDNet.

Sprint has sent a letter to those involved, but basically phone numbers, device, the device ID, billing details like account numbers, upgrade eligibility, account holder’s names and billing address were involved. Sprint said it has « re-secured » the accounts as of June 25, 2019. But you know what we’re going to say: Change. Your. Password.

Slack

Slack was hit with a data breach in 2015 — and is just now changing the passwords of those users who may have been affected. Basically, about 1 percent of Slack accounts are involved, said the company, with Slack resetting the passwords on its end. Who is getting this forced change? Anyone who created an account before March 2015, anyone who did not change their own password since that time, and accounts that do not log on with a single sign-on.

If your account is getting a forced reset, you’ll get instructions from Slack with details. You can also go to its help center.

Clinical Pathology Laboratories

So the American Medical Collection Agency (AMCA) hack has hit another company, this time Clinical Pathology Laboratories (CPL). Its patients may have had their names, addresses, phone numbers, birthdates, credit card or banking details and other information hacked.

CPL believes that about 2.2 million patients are involved — but only about 34,500 have had their credit card and banking information breached.

Week of July 8: British Airways hit with record fines

British Airways got served what’s being called a « record fine » for the hack in 2018 that made off with about 500,000 customers’ data. The fine, for about $229 million (£183 pounds), is coming from the Information Commissioner’s Office in the United Kingdom for the data breach that happened around June 2018.

Names, email addresses and credit card data — from numbers to CVV codes — were involved. The new fines are part of the General Data Protection Regulation, also known as GDPR, that went into effect in 2018.

Los Angeles hospitals exposed from contractor breach

A contractor for Nemadji Research Corporation got hit with a phishing hack, and may have exposed data of thousands of patients at Los Angeles hospitals. Data included names, medical records numbers, birthdates and other medical ID details.

About 14,600 patients and their data are involved, as the contractor, which determines patient eligibility for reimbursement, works with the Los Angeles County Department of Health Services. Hospitals that fall under their purview include County-USC Medical Center in Boyle Heights and the Olive View-UCLA Medical Center in Sylmar, according to the Los Angeles Times.

K12.com left children’s data unprotected for a week

A web site that serves up educational software left a database open and unprotected that includes nearly 7 million records with student data as specific as birthdate, names, age, school name and gender. All the information was left visible to public searches, according to Comparitech which discovered the breach.

The unsecured data had been visible since June 23 and was closed off only on July 1. It was specific to students using the A+nyWhere Learning System. Parents who believe their child was using these materials should look out for phishing attempts at any email address connected to this program, which is used by more than 1,100 school districts.

Week of July 1: Orvibo smart home data leak affects millions

Albeit a relatively quiet one for data breaches, this week saw Orvibo, a smart home systems and platform company, leave a database containing over two billion user records publicly exposed. The server, which did not have a password and could be accessed by anyone who knew its online location, contained the usernames, email addresses, passwords and precise locations of many of the company’s two million users.

Worse still, the exposed data included account reset codes, so a hacker could easily have reset the account of a target, then logged them out and taken control. This would have given them access to sensitive smart home devices, like security cameras and alarm systems. vpnMentor made the leak public on July 1, having not heard from Orvibo for two weeks after raising the alarm; the server was eventually secured on July 2.

Marriott hotel fined for data breach

The Marriott hotels group was this week fined almost $270,000 after a five-year security breach was discovered. The fine comes from Turkey’s data protection authority, and is the punishment for an incident which saw cyber attackers seize data from nearly 500 million customers of Marriott’s Starwood group hotels. The breach took place between 2014 and 2018, and the data stolen included customer birth dates, passport numbers, email addresses and credit card information.

The fine came as a result of discovering that, of the 383 million customer records exposed, 1.24 million were of Marriott customers living in Turkey.

Given the breach lasted four years, it was deemed that Marriott had not carried out any necessary inspections to detect such unauthorized access to private customer data.

Week of June 24: Dominion National finds old breach

A well-known dental and vision insurance firm, Dominion National, reported a data breach from nine years ago that exposed data from about 95,000 people in Delaware — or about 10 percent of the state’s population. Information that may have been seen includes names, birth dates, Social Security numbers, bank accounts, routing numbers as well as other taxpayer identification information.

The Insurance Commissioner of the State of Delaware believes the hack may have happened around the date of August 25, 2010 — and is offering two free years of credit monitoring and fraud services.

Hackers hit Florida again

The Village of Key Biscayne in Florida announced they were victims of a data breach — the third city in several weeks in the state, reports the Associated Press. Last week, Riviera Beach, Fl. paid $600,000 to hackers, while Lake City, Fl. ponied up $460,000 on Tuesday to hackers too. The fees were paid as ransom after hackers got into the cities’ systems and security networks.

Bitrue hacked for more than $4 million

Finally, hackers made off with more than $4 million from a cryptocurrency exchange called Bitrue on June 27, which informed people through its Twitter account. While not ideal, Bitrue is insured, and so anyone affected will not lose their funds. The theft was of two different crypto coins: XRP and ADA.

Week of June 17: AMCA files for bankruptcy protection after data breach

The American Medical Collection Agency (AMCA) filed for bankruptcy protection this week, in the wake of a large-scale data breach. As we reported earlier in June, blood testing companies Quest and LabCorp became victims of the AMCA breach, with millions of customers potentially having their personal data exposed. Other clients of AMCA include BioReference Laboratories, Carecentrix, and Sunrise Laboratories. They all used AMCA’s services to bill their customers.

The security failure has affected over 20 million Americans, according to ZDnet, after hackers stole customer names, Social Security numbers, addresses, birth dates, and payment card information. The data was later discovered being offered for sale on the dark web.

AMCA quickly became the target of multiple class-action lawsuits, blaming the data breach on a lack of adequate security measures being in place. The company then filed for bankruptcy protection in New York on June 17. AMCA had to pay out almost $4 million to inform seven million people by mail that their data may have been compromised. To cover this expense, plus $400,000 in cybersecurity forensic bills, AMCA took out a loan from its CEO and founder, Russell Fuchs.

Department for Human Services data breach impacts 645,000 people

Oregon’s Department of Human Services this week admitted a data breach in January affected more than 645,000 Oregonians, almost double the original estimate. The compromised data included first and last names, postal addresses, Social Security numbers, case numbers and personal health information. Some of the protected health data is due special protection under federal health privacy laws, reports OregonLive.

The DHS said it will provide 12 months of identity theft monitoring and recovery services to anyone whose information was accessed during the breach; these services will be provided by specialist identity theft company MyIDCare.

Transgender children’s charity apologizes after private email database appears online

Mermaids, a UK-based transgender support charity and lobby group, apologized this week after a report by The Sunday Times revealed that over 1,000 pages of confidential emails were freely accessible online. The data, which included the contents of emails from the parents of transgender children, also revealed email addresses, names and telephone numbers of those who had contacted the charity.

In a statement published to its website, Mermaids said it was grateful that the newspaper had discovered the data leak, and it immediately took action to remove the sensitive material from public view.

The charity said: « The scope of the breach was that internal Mermaids emails from 2016 and 2017 in a private user group were available on the internet, if certain precise search-terms were used. Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found. »

Those affected by the data breach have been contacted by Mermaids, and the charity has reported itself to the Charity Commission. An independent third party will be hired by Mermaids to report to the charity about its findings related to the breach.

Week of June 10: Evite: We’d like to invite you to a data breach

Evite, the online invitation site, is having to reach out to customers after a hacker tried to sell information from the site. The company says the data is from 2013 and earlier — not recent details. Still, Evite’s been around since 1998: that’s plenty for a hacker to syphon away.

What was taken? The usual: Names, emails, passwords, user names, phone numbers, snail mail addresses and also birthdates. Evite purportedly sent an email out to users warning them of the breach. As expected, the company is asking people to change their passwords if they use the same one on other sites and to look at accounts and see if there’s anything suspicious.

The breach was actually found in April thanks to ZDNet, which reported that the hacker in question had told the site it had been selling data from a number of companies including online fashion site Moda Operandi.

Besides changing your password, another option is to use an online tool like Password Checkup, launched through Google Chrome, which is designed to tell you if your password has appeared on a compromised list.

U.S. Customs and Border Protection: License plate and photo please

Images of faces and license plates taken at a specific point at the U.S. border have been breached through a cyberattack, the U.S. Customs and Border Protection (CBP) admitted this week. Currently, the department thinks just 100,000 people have been affected, which would include images taken of people in their cars as they crossed into the U.S.

CBP won’t say where this border point was — or between which countries — although they did say that passports and other travel papers weren’t affected. Faces, though, are a concern as facial recognition software is growing in use, a biometric marker used to identify people in a number of ways, including some security devices, smartphones and even at the upcoming Tokyo 2020 Olympic Summer Games.

A subcontractor for CBP is being blamed by the agency for moving the data to its own company network. The data was collected during a month and a half, and only in certain car lanes at the land border.

Radiohead: Someone Creep-ed on the band’s archived songs

This data breach didn’t steal information from a lot of people — but it sure impacted millions. Hackers got 18 hours of old recordings from English band Radiohead, threatening to release them if the band didn’t pony up $150,000.

The band turned the tables, posting the archived discs on its Bandcamp site, and letting people download and buy « the whole lot, » as they said for just £18, with the money going to Extinction Rebellion, an international group known for its nonviolent protests and work in the conservation and environmental areas.

Fans are, as expected, supportive and thrilled. There are 18 discs, and it’s 1.8 GB. So clear out some old photos, and enjoy or as the band said « until we all get bored and moved on. »

Week of June 3rd: Quest blood testing warns of 12 million-customer data breach

One of the largest blood testing companies in the US, Quest Diagnostics, admitted this week that up to 12 million customers may have had their medical and financial data compromised.

Revealed in an 8-K filing with the Securities and Exchange Commission, Quest said that, at some point between August 1, 2018 and March 30, 2019, a billing collection vendor’s data had been breached by an unauthorized person. Data which could have been stolen includes credit card numbers, bank account information, medical information, and other personal data such as Social Security numbers.

Quest reassured its patients that laboratory test results were not provided to AMCA, the compromised vendor.

The blood testing firm said in the SEC filing: « Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information. »

LabCorp

Just a day after Quest announced it may have been the victim of a data breach, rival LabCorp made a similar announcement. As with Quest, LabCorp laid the blame on its third-party billing collections vendor, American Medical Collection Agency, which notified the blood collection firm of hackers gaining access to its systems.

LabCorp said 7.7 million of its customers had their data stored on the hacked AMCA system. The data included full names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of service, health care provider information, and the amount owed by customers to LabCorp.

As with Quest, the company said it did not provide AMCA with information about tests and lab results, and AMCA said it did not store Social Security numbers. Of the millions of datasets on file, LabCorp believes the credit card or bank account information of about 200,000 customers may have been accessed, and it is notifying those people. The company will offer identity protection and credit-monitoring services for two years.

Australian National University

The Australian National University (ANU) announced this week it had been the victim of a data breach in which a « significant amount of student and staff information » was stolen. The breach took place in late 2018 and the university estimates the data of some 200,000 people was unlawfully accessed.

In a statement, vice-chancellor Brian Schmidt said: « We believe there was unauthorized access to significant amounts of personal staff, student and visitor data extending back 19 years ». The data included names, addresses, dates of birth, phone numbers, email addresses, emergency contact details, tax file numbers, payroll information, bank account details, passport details and even the academic records of students. Not affected, the university said, was academic research work.

A day later, it was reported by the Sydney Morning Herald that China may have been behind the attack, according to senior intelligence officials. It was reported how the intelligence community fears the data will be used to target promising young students in the hope they can be used as informants as they move through careers in government and even intelligence agency careers.

Pyramid Hotel Group

The week began with news that researchers from VPNMentor had discovered an unprotected database which contained security audit logs for hotels run by the Pyramid Hotel Group. This includes chains like Marriott’s Aloft Hotels in Florida, and Tarrytown House Estate in New York. Pyramid also operates hotels owned by Sheraton and Westin, although it isn’t known if these were affected.

The exposed data stretched back to April 19th and was mostly made up of server logins, internet addresses and firewalls, but also included the full names of hotel staff, along with details about hotel security policies.

It’s unclear if the information on the exposed server was viewed by anyone, but it would have served as the perfect tutorial to break into hotel databases and access sensitive customer information.

Week of May 27th: Checkers Drive In

Checkers, one of the biggest chains of restaurants in the U.S., found out customers may have had their credit card details swiped when they ordered up a burger and fries at that or one of its Rally’s locations. The breach affected people who used a magnetic stripe card at locations across 20 states, grabbing their card number, expiration date, name and the verification code.

Dates are random and span months, going back to December 2015 in some cases. (Rally’s on MLK Blvd in Los Angeles — we’re looking at you.) The company is asking people to review their credit card statements, and order a credit report. In the meantime, you can see if your card may have been involved — and if you’re a Checkers regular, given how many locations got hit by the malware, the potential that you were is high.

Flipboard

Flipboard, the news app, has been hit by a data breach that involved user names, personal names, passwords and email addresses. The hack didn’t affect every user, said the company which has been emailing some people. But those who were on the site between June 2, 2018 and March 23, 2019 as well as April 21 – 22, 2019 may have had their details scraped.

Those who connect Flipboard accounts to other third-party sites — social media, for example — may have had those security tokens accessed as well. Here’s what Flipboard is doing: it’s gone ahead and changed everyone’s passwords for them. So if you log out, or log in from a new device, you’re going to have to reset your password. You should also do that on any third-party service you use that’s been linked to Flipboard. The company said it’s also replaced — or even deleted — some of these tokens. You might want to consider not linking them together going forward.

Canva

Graphic designers take note: Canva, the tool which makes designing as simple as dragging and dropping, is a victim of a data breach affecting more than 130 million customers. Usernames, passwords and email addresses are involved — although Canva said the passwords were encrypted and unreadable.

Of course by now you know the drill: If you’re a regular user of Canva, you need to change your password. User designs, as well as credit card details, don’t appear to be part of the hack. But checking your credit card statements is never a bad idea and backing up your work on another source wouldn’t hurt either.

Week of May 20th – 49 million Instagram users have contact details exposed

This week, it emerged that the location and contact details — including phone numbers and email addresses — of 49 million Instagram users were exposed online. The data belonged to so-called influencers, who have a large following on Instagram and earn a living from the Facebook-owned image sharing site.

The database was traced to Chtrbox, a Mumbai-based marketing company which had stored the information on an Amazon server but failed to protect it with a password.

Chtrbox says the database was only exposed publicly for 72 hours, and has since been taken offline. It appears the contact details were gathered by ‘scraping’ them from the affected users’ Instagram accounts, a practice which violates the social media site’s policies.

Instagram says it is speaking with Chtrbox to understand how the data was obtained. The marketing company says it had not purchased any data that had been obtained by « unethical means. »

Georgia Tech offers ID theft protection and credit monitoring to data breach victims

In the wake of a data breach which saw a database containing the personal details of 1.3 million people unlawfully accessed, Georgia Tech has offered credit monitoring and identification theft protection to everyone affected.

Georgia Tech disclosed in April that someone illegally accessed a database that may have included the names, addresses, birth dates and Social Security numbers of almost 1.3 million people, including past and present students, staff, and other people associated with the university.

Jim Fortner, Georgia Tech’s interim executive vice president for administration and finance, said: « We regret that this incident occurred and apologize for any inconvenience. »

Offering such services is standard procedure for when a database like this has been accessed, even if the target company or institution is unsure if any data was actually stolen.

Seattle blood bank announces loss of patient data

Bloodworks, a Seattle-based blood bank, announced this week that the private details of patients may have fallen into the wrong hands. But instead of being the victim of a cyberattack, or carelessly leaving sensitive data on an unencrypted server, Bloodworks says a document has gone missing from an employee’s desk.

A statement admitted: « The document contained certain patient information, including name, date of birth, and medical diagnosis. » Bloodworks describes the incident as a « data privacy event » on its website.

Thankfully, it said that no Social Security numbers or financial account information was held in the lost document. Bloodworks said it is now in the process of informing patients whose details appeared in the document, providing them with information on how to place a credit freeze against their name, or add a fraud alert to their credit file.

A phone line has been set up for anyone who thinks they may have been affected by this incident. The toll-free number is 1-800-363-3903 and is open Monday through Friday, between 8:00am and 5:00pm PST.

Shubert Organization admits February data breach, credit card details stolen

The Shubert Organization, owner of 17 Broadway theaters, admitted this week that it was the victim of a data breach which began on February 8 and lasted for three days.

Contacting affected customers by letter this week, Shubert said data potentially taken during the breach included customer names, email addresses, credit card numbers and card expiry dates. Affected customers are being offered 24 months of free credit monitoring through TransUnion Interactive to help protect them from further personal damage.

Shubert told its customers it became aware of « unusual activity related to an employee’s email account » on February 11 this year, and a subsequent investigation revealed « unauthorized access to some employees’ email accounts » during the previous three days.

The company told customers: « While the investigation was unable to confirm the scope of the information that was accessed within the affected email accounts, Shubert is notifying you in an abundance of caution because we have confirmed that your information was present in the affected email accounts. »

Week of May 13th — Uniqlo’s online site has been breached

Uniqlo, the Japanese clothing store known for its T-shirts and well-priced basics, is involved in a data breach that hit its parent company, Fast Retailing. The breach involves more than 461,000 customers who shopped on the Uniqlo online site between April 23 and May 10. Hackers gained access to personal data, with Fast Retailing stating on its web site that names, addresses, gender, date of birth and other contact information — including credit card expiration dates — « may have been browsed. »

Customers should change their passwords if they’ve shopped with the firm — and Fast Retailing itself suggests that people should not use the same password from other sites, nor one that people can easily guess.

West Hartford Schools has a test registration problem

A company that registers students for tests, such as those for advanced placement courses, may have been breached, according to a story in the Hartford Courant. Parents received a note from the West Hartford school district telling them that names, grade level, emails, date of birth and other personal details about their children may have been breached by the company. Social Security numbers and credit card details were not involved.

If you use WhatsApp, you need to read this now

While data may not have been exposed from the security breach impacting messaging platform WhatsApp, that doesn’t mean the danger isn’t present. Hence the call from the company — to every one of its 1.5 billion users — to update the app to ensure they have a patch for spyware called Pegasus.

The malware, while not thought to have affected the general user base of WhatsApp, attacks mobile devices like smartphones. How easy is it for the spyware to get onto a device? An attacker makes a WhatsApp call to someone — and even if the person doesn’t pick up, the malware can harvest emails and messages, get into their camera and microphone, and much more.

The attacker can also erase traces of the call, wiping logs clean so that the victim never knows the malware has infected their device, or been used against them. Use WhatsApp? Update the app, people.

Week of May 6th – Data breaches are a ticking time bomb

Before we delve into this week’s data breaches, we would like to draw your attention to a report published by Verizon. The report, built with data from over 41,000 security incidents and 2,013 data breaches provided by 74 public and private data sources spanning 86 countries, found that 69 percent of breaches are perpetrated by outsiders.

It was also revealed that 39 percent were the work of organized criminal groups, and in 23 percent of cases, data breaches involved actors identified as nation-state or state-affiliated. 53 percent of breaches featured hacking, 33 percent exploited social media, 28 percent involved malware, 21 percent were blamed on errors, and four percent were the result of physical actions.

The vast majority of victims — 43 percent – were small businesses, followed by public sector entities (16 percent), healthcare organizations (15 percent), and financial entities (10 percent).

Commenting on the report, Bryan Sartin, Verizon’s head of global security services, described data breaches to the BBC as a « time bomb », adding: « Compromises happen in minutes and then extend out to hours, days, weeks and sometimes months. Yet we are still looking at months for them to be discovered…When it comes to account takeover, senior executives are getting hit hard right now. Humans are the weakest link in the chain especially when they are on their mobile devices. »

Freedom Mobile user data gets a little too much freedom

Freedom Mobile, Canada’s fourth-largest cell network, has become victim to a data breach which saw a server leaking five million logs containing customer data. According to security researchers Noam Rotem and Ran Locar, the server wasn’t protected with a password, so anyone could access it.

Speaking to TechCrunch, the pair said it took Freedom Mobile a week to secure the leaking database after first being informed about it. Unencrypted data presented by the security researchers showed customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types and their Freedom Mobile account numbers. Answers to credit check questions asked by Equifax were also included, along with whether an applicant was accepted or rejected, and the reason why.

A spokesperson for the cell network said around 15,000 of its 1.5 million customers were affected by the leaky server. Specifically, customers who opened or made changes to their accounts between March 25 and April 15 at 17 Freedom Mobile retail locations had their data set free, along with any customer who made changes or opened an account on April 16, regardless of retail location.

Indiana is suing Equifax over massive 2017 cyberattack

Indiana is suing Equifax over the 2017 data breach which affected over 140 million people, of which almost four million were from the US state. The lawsuit accuses Equifax, a major credit bureau, of failing to protect the personal information of the Indiana residents who were exposed by the breach.

Attorney general Curtis Hill said: « Hoosiers trust us to work hard every day to ensure their safety and security. This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business. »

Data stolen during the breach, which spanned from May 13 to July 30, 2017, included names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers.

Week of April 29th — Unknown database is unprotected with 80 million accounts

Here, we have a security breach that is no one’s fault — well, no one anyone can pin it on. The breach is online, in the form of a database, and was discovered by VPNMentor — with 80 million households affected, the security firm said. There are names, addresses, birth dates and even whether these people own a home or not — oh, and the address of those homes as well. Everyone on there is over 40 (yes, that means if you’re a Millennial you’re safe.) VPNMentor can’t even find out who owns the database, which means it can’t be locked down. Fun.

Inmediata Health Group

If this is your health provider, your name, address, gender, date of birth and your medical claim information may have been compromised in a recent data security breach of Inmediata Health Corp. The health care provider is reaching out to patients — quite exhaustively as it turns out, reports Health IT Security, with people reporting they’re getting letters, but for other people as well as themselves. Confusing.

Eddie Bauer

After a hack in March 2017 of the clothing company Eddie Bauer, Veridian Credit Union filed a class-action lawsuit for its own customers. That suit ended in a settlement of a whopping $9.8 million. Don’t start shopping for cars yet — or even a new Eddie Bauer jacket. Each customer, represented by the suit, is walking away with (wait for it) — $2. That’s a large cup of java from your local deli, or a banana (and not the cappuccino) from Starbucks.

Week of April 22 – Bodybuilding.com urges password reset

Bodybuilding.com, the internet’s largest online store and forum for fitness and bodybuilding, admitted this week it was the victim of a security breach sometime in February 2019. The website, which has over seven million registered users on its forums, and receives over 30 million visitors per month, said it isn’t sure if customer data has been stolen.

The site reassured users that full credit card numbers are not stored – only the last four digits, if a user has requested this be saved – but cannot be certain that other personal information wasn’t stolen. But information that might have been accessed unlawfully includes user names, email addresses, billing and shipping addresses, phone numbers, order history, any communications with the website, birthdates, and any information added by users to their BodySpace profile.

Bodybuilding.com says it has found a remedy for the incident, and has coordinated with law enforcement authorities. Users are urged to change their password immediately, otherwise Bodybuilding.com will reset them on June 12. The cause of the breach appears to have been a phishing email sent to the site in July 2018.

EmCare

EmCare, a provider of physician practice management services, this week announced it was addressing a « data security incident » that involved the personal information of some patients, employees and contractors. The hackers gained access to employee email accounts that contained the personal information of as many as 60,000 individuals, half of whom are patients.

The breach was discovered back on February 19, and EmCare has now admitted the unlawfully accessed data may include names and dates of birth, plus clinical information for some patients. In some instances, the company said, social security and driver’s license numbers were affected. EmCare says it has arranged for identity protection and credit monitoring service for patients and employees affected by the breach.

Facebook (yet again)

Canadian regulators said this week that Facebook has broken the country’s privacy laws, and they will be taking the social network to court. Canadian officials say Facebook « committed serious contraventions of Canadian privacy laws » when the personal data belonging to over 87 million Facebook users worldwide was leaked as part of the Cambridge Analytica scandal in 2018. The data included that belonging to 622,000 Canadians.

A report by the Privacy Commissioner of Canada and the Information and Privacy Commissioner from British Columbia concluded Facebook has not done enough to prevent the mishandling of user data collected through a Facebook app called This is Your Digital Life. Commissioners said Facebook used « superficial and ineffective safeguards and consent mechanisms. »

Later in the week, the New York attorney general’s office announced it has opened an investigation into Facebook. This comes after a discovery earlier in April that Facebook had the email contacts belonging to over 1.5 million people without their consent.

Attorney General Letitia James said: « It is time Facebook is held accountable for how it handles consumers’ personal information. Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data. »

Week of April 15 — The FBI gets hacked

Hackers hit the servers belonging to a group connected to the FBI — and not only walked away with names, jobs, email addresses and, in some situations, physical addresses, but also published them online. More than 23,000 people were affected in total, hundreds of them law enforcement people, after the hackers broke into the online database of three local chapters of the FBI National Academy Associates.

Microsoft

If you use Microsoft Outlook, this may not sit well. Hackers gained access to Outlook, allowing them to read users’ emails for months. In this case, the data breach came after hackers stole the login details from a Microsoft customer service agent. Microsoft has cut off the hackers — but between January 1 and March 28, about 6 percent of customer accounts were basically open to them. Next steps? You know what we’re going to tell you: Change your password.

Wipro

IT firm Wipro is not a name that most of us would know, as companies outsource their IT needs to this firm. But KrebsOnSecurity reported this week that Wipro’s own systems were used to attack clients, based on phishing attacks on Wipro’s own people. (Hint: Do not click on emails from people you don’t know.)

Week of Monday, April 8: Don’t panic, but a hotel has probably mishandled your passport

This week, cybersecurity research firm Symantec revealed how the websites of over 1,500 hotels in more than 50 countries accidentally leak private customer information. The problem is to do with how the websites send customers an email, with a link which takes them directly to their booking details – no need for a username, password, or even an account with the site.

That would normally be fine, but the webpage contains adverts, which means advertisers and other companies could have direct access to customer details, including their name, postal address, email address, and passport number.

The report comes soon after Marriott International disclosed in November how it had exposed 500 million guest records, in one of the largest-ever data breaches. However, Symantec said Marriott was not included in its study of hotel websites.

Candid Wueest, principal threat researcher at Symantec, said: « I found that two in three, or 67 percent, of these [1,500+ hotel websites] are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them did have a privacy policy, but none of them mentioned this behavior explicitly. »

AeroGarden

The maker of the indoor gardening system AeroGarden sought to nip bad news in the bud this week, contacting customers about a data breach which it discovered in early March. Customers were told how their credit card information had been lifted from AeroGrow’s website by a piece of malware which was active between October 29, 2018 and March 4.

Planted in AeroGarden’s payment processing page, the malware potentially scooped up payment card numbers, expiry dates, security codes and other customer data. The company was at pains to say customers’ security PINs and social security numbers were not stolen.

In a bid to turn over a new leaf, AeroGarden says it has informed law enforcement and will give victims a year of free identity protection services from Experian.

Yahoo

Yahoo — now owned by Verizon — is this week trying to settle the breach of three billion of its user accounts with a $117.5 million payout. This comes after a judge rejected the company’s first offer of just $50 million.

The breach, which took place between 2013 and 2016, affected all three billion Yahoo user accounts worldwide, making it the largest data breach in history. The compensation package is made up of $55 million for compensating victims who took Yahoo to court via a class action lawsuit, plus $24 million for credit monitoring.

Information which may have been stolen during the breach, which wasn’t disclosed by Yahoo until 2017, may have included users’ names, email addresses, phone numbers, and dates of birth, as well as a trove of encrypted and unencrypted passwords.

British Home Office

Meanwhile, the UK Home Office apologized this week to hundreds of European Union nationals seeking settled status in the UK, after it accidentally shared their email addresses — by forgetting to use the ‘blind CC’ option.

Blamed on an « administrative error, » the data gaffe revealed 240 personal email addresses to all 240 people the email was sent to; it is likely that this was a breach of the UK’s Data Protection Act, and the Home Office may be forced to apologize in Parliament.

Week of April 1, 2019: Planet Hollywood, Facebook hit (yeah, again)

It hardly seems news anymore when we hear about Facebook getting breached. But here we are — a year after the Cambridge Analytica scandal — finding that the profile information of more than 540 million of its users apparently landed publicly — yes, publicly — on Amazon cloud servers, according to cybersecurity company UpGuard. Two different developers, Cultura Colectiva and the makers of the « At the Pool » app, apparently hadn’t followed the rules on how to store the data they had from Facebook on users who played with their apps. This one wasn’t great (of course no breach is great) as it included passwords, names, comments and even what people liked. Again, it’s likely time to change your Facebook password.

Georgia Tech

Georgia Institute of Technology, commonly known as Georgia Tech, also managed to lose possession of the data of around 1.3 million students and faculty at the leafy university. The breach wasn’t anywhere as big as Facebook’s, but the details exposed were problematic: not just names, but addresses, birth dates and social security numbers. Basically, this is everything you need to open a credit line or create a new identity. The school, actually known for its cybersecurity program, found out in late March and says it has locked everything down.

UPDATE: On April 10, the university said it has hired two firms to review the lapse in cyber security. Virginia-based Mandiant will investigate how the breach took place and the method hackers used to gain access. Meanwhile, Atlanta-based Ankura will analyze the data which was taken.

Toyota

Toyota discovered that up to 3.1 million pieces of information may have been nabbed by hackers who broke into its network. These details were tied to eight different subsidiaries – including the Corolla line and also its luxury line, Lexus. Credit card details weren’t part of this hack, but that’s often the least concern as those companies can’t force consumers to be responsible for charges made in situations like these. Toyota isn’t completely sure that the information was leaked and the company says it’s monitoring the situation. As you should too.

Planet Hollywood, Buca di Beppo and…..

Finally, if you ate at a Planet Hollywood, Buca di Beppo, Chicken Guy, Mixology, Tequila Taqueria or the Earl of Sandwich, part of Earl Enterprises, between May 23, 2018 and March 18, 2019, you may want to take a gander at your credit and debit card statements. Software installed on the point of sale machines may have grabbed your credit card number, expiration date and even your name. Brian Krebs, always on it, reported that two million credit and debit card numbers from customers who ate at Earl Enterprises were floating around for sale. The breach apparently may have hit three locations in Disney Springs — Planet Hollywood, Earl of Sandwich and Chicken Guy — and all of the Buca di Beppo spots. Get online, check your bank and credit card statements, and perhaps think of cooking in tonight at home.



Stellar Lumens aims to use the blockchain to make very fast international payments with low fees. The network can process thousands of transactions per second with a confirmation time of 3 to 5 seconds. As you may know, Bitcoin can take 10 to 15 minutes to validate a transaction, can process only a few transactions per second and, in turn, has very high transaction fees. If this sounds a lot like Ripple, you are right! Stellar Lumens was founded on the Ripple protocol and tries to do similar things. Stellar Lumens is mainly intended for everyday payments (micropayments), sending money abroad and mobile payments. It focuses on the developing world and, more specifically, on the large industry of migrant workers who send money back to poor countries. The Stellar Lumens team is led by Jed McCaleb, who has worked successfully at numerous startups in the past, such as eDonkey, Overnet, Ripple and the infamous Mt Gox.