08 Jan Cybercrime Diary, Vol. 4, No. 4: Who’s Hacked? Latest Data Breaches And Cyberattacks
Facebook Fined, Eddie Bauer Settles, Zynga Robbed
Sausalito, Calif. – Jan. 8, 2020
During the last three months of 2019, the fallout from the Cambridge Analytica fiasco continued to plague Facebook, with Brazil fining the social network $1.6 million over the affair.
Other companies settled lawsuits for past data transgressions. Eddie Bauer settled a data breach lawsuit against it for $2.8 million, while Chipotle Mexican Grill settled a case for $1.6 million and Banner Health in Phoenix, Ariz. put to rest litigation against it for $6 million.
Some other well-known brands that appeared on the breach radar included Twitter, Uber, Adobe, and Zynga, which had 170 million names and passwords stolen from its systems. That’s just some of the data breach and cybercrime news in our diary below.
December
Dec. 31. Sinai Health System in Chicago reports an unauthorized party accessed email accounts of two employees. Act places at risk personal information of 12,578 people at the provider.
Dec. 30. Water department of Aurora, Colo., advises citizens that vulnerability in third-party payment system has placed at risk their payment information. People at risk include those making online payments or setting up a recurring payment account through Click2Gov from about Aug. 30 to Oct. 14. The FBI is now investigating data breaches at over 30 cities in the United States that use the Click2Gov platform.
Dec. 30. Brazil fines Facebook and its local unit 6.6 million-real ($1.6 million) for their role in the Cambridge Analytica data leak. In 2018, it was revealed that CA harvested the personal data of millions of Facebook users without their consent and used it for political advertising purposes.
Dec. 29. Moss Adams, a major U.S. accounting and wealth management firm based in Seattle, reveals an employee’s email account was compromised, exposing sensitive information to an unauthorized party. Who and how many people affected by the breach is undisclosed.
Dec. 26. Twelve Security, of San Antonio, Texas, reports data breach at Wyze Labs, a Seattle-based online camera retailer, has exposed sensitive information for about 2.4 million of its customers. Information was in two production databases accessible to anyone with access to the Internet.
Dec. 24. Ibrahim Balic, a security researcher, reveals exploit of Twitter mobile app that allows him to compromise 17 million phone numbers of the social network’s users. Twitter has confirmed a bug in its system that could be exploited by a bad actor to see nonpublic information or compromise accounts. It says it’s working on squashing the bug.
Dec. 24. Citrix, of Fort Lauderdale, Fla., reveals bug in its Application Delivery Controller that could affect at least 80,000 organizations. Bug could be exploited by attacker to perform arbitrary execution of code even without proper authentication. Patch for the flaw is unavailable, but a stop-gap mitigation was released to protect users until a new firmware version can be released.
Dec. 20. Security researchers at vpnMentor discover unprotected online database containing 1.3TB of information belonging to LightinTheBox, a retailer based in China with most of its customers in North America and Europe. The researchers say the 1.5 billion records in the database included personal user data.
Dec. 19. Zynga, a San Francisco maker of digital games, reveals a data breach in September resulted in the theft of more than 170 million user names and passwords. Database of information in the breach has been posted at Have I Been Pwned data breach monitoring website.
Dec. 19. Wawa, a convenience store and gas station chain with 850 U.S. outlets, notifies customers a malware infection of its payment processing servers has placed at risk all payment card transactions from March 4 through December 11. Company says it is not aware of any unauthorized use of any payment card data because of the breach.
Dec. 17. LifeLabs, a medical testing company in Vancouver, British Columbia, Canada, reveals cybercriminals may have accessed personal information of more than 15 million customers. It adds that it also paid an undisclosed amount in ransom money to retrieve data stolen by the thieves.
Dec. 16. Colorado U.S. District Judge Christine Arguello approves settlement in Chipotle Mexican Grill 2017 data breach that involved 2,220 U.S. restaurants. Agreement, which could amount to as much as $1.6 million, will pay customers affected by the breach up to $250 each, the class representatives $10,000, and attorneys $1.2 million.
Dec. 16. Cheyenne Regional Medical Center in Wyoming notifies 17,549 patients their personal information is at risk due to the compromise of a number of employee email accounts. Provider says there is no evidence that any of the patient data has been misused.
Dec. 14. Security researcher Bob Diachenko discovers unprotected Facebook database online containing phone numbers, names, and user IDs of 267 million Facebook users. Information could be accessed by anyone on the Internet for two weeks before it was secured. Data has been offered for sale on at least one hacker forum.
Dec. 13. Pennsylvania Attorney General Josh Shapiro announces settlement with Orbitz and Expedia over 2018 data breach that exposed payment card information of 20,755 Keystone staters. Under the settlement, the companies will pay the state $110,000, including an $80,000 civil penalty.
Dec. 13. Facebook confirms theft of several hard drives from an employee’s motor vehicle has put at risk sensitive payroll information on some 29,000 U.S. employees. It says it believes theft was “smash and grab” and not a deliberate attempt to steal employee information.
Dec. 10. Mouvement Desjardins, Canada’s largest financial services cooperative, reveals some 1.8 million credit card holders who are not members of the institution may have had personal information compromised in data breach that occurred in June.
Dec. 9. Banner Health, based in Phoenix, Ariz., agrees to pay $6 million to settle lawsuit stemming from 2016 data breach affecting some three million people. The breach originated in the provider’s payment processing system, but intruders were able to expand the attack and obtain patient records.
Dec. 9. Fidus Information Security discovers unprotected AWS online storage bucket containing 752,000 applications for copies of U.S. birth certificates. Barcelona-based Onlinevitalus owns the bucket, which could be accessed by anyone with an Internet connection.
Dec. 9. NSW Ambulance Service agrees to pay 108 ambulance workers 275,000 Australian dollars (US$190,689) to settle class action lawsuit. Employees had their workers’ compensation records illegally accessed and sold to at least one law firm.
Dec. 8. Learnaholic, an education services provider, is fined 60,000 Singapore dollars (US$44,460) for data breach exposing personal data of 47,802 students, parents, and staff at a number of Singapore schools. Data thieves stole names, NRIC numbers, contact numbers, and e-mail addresses, as well as medical information for some 372 students.
Dec. 7. Security researcher Ehraz Ahmed discovers API flaw in mobile app of Indian telecommunications Airtel which places at risk personal information of 325 million users. He explains that the bug, which has been fixed, could allow hackers to access subscriber information by using their phone number.
Dec. 6. Microsoft releases research finding that 44 million of its Azure AD and Microsoft Services Accounts reuse passwords. It also found that 99.9 percent of identity attacks can be thwarted with two-factor authentication.
Dec. 5. Theft of laptop computer from employee’s car places at risk personal information of 114,400 patients of Truman Medical Centers, of Kansas City, Mo. Provider says there is no evidence that any of data on the computer was accessed, viewed, or misused.
Dec. 4. Security researcher Bob Diachenko discovers unprotected online database with more than 2.7 billion email addresses. More than a billion of the addresses contained plain-text passwords. It’s believed the email trove is connected to the “Big Asian Leak” reported by HackRead in 2017.
Dec. 4. Online retailer Sweaty Betty reveals checkout process at its e-commerce website was compromised from November 19 to 27. It says payment card information used for transactions made at the site during that period is at risk.
Dec. 4. Security researchers at vpnMentor announce discovery of an unprotected server exposing 352GB of data belonging to British American Tobacco to the public Internet for over two months. The data includes personal identifying information for an undisclosed number of the company’s customers.
Dec. 2. Fidus Information Security discovers unprotected online cloud storage bucket containing 236,400 shipping labels belonging to mattress and bedding company Tuft & Needle. Without password protection, anyone with an Internet connection could access the sensitive information. It’s not known how long the data was vulnerable before the researchers found it.
Dec. 2. Roosters Teeth, an entertainment company in Austin, Texas, reveals its online store was infected with malicious code designed to steal customers’ sensitive information. Number of affected users was undisclosed.
Dec. 2. New Zealand Police Deputy Commissioner Mike Clement confirms data breach exposing personal information of 37,000 gun owners, including firearm and bank account data. Clement says breach occurred after a third-party developer updated the software for maintaining the gun-owners database.
Dec. 1. Researchers at vpnMentor discover online database without password protection belonging to TrueDialog, a provider of SMS messaging solutions based in Austin, Texas. They found the database, which could be accessed by anyone with an Internet connection, contained 605GB of data, including nearly a billion entries with highly sensitive information.
November
Nov. 29. Adobe informs 250,000 Magneto Marketplace customers that it discovered a vulnerability in the e-commerce site’s system allowing an unauthorized party to access account information. Data compromised includes names, email addresses, MageID, billing and shipping addresses, and phone numbers, plus limited commercial information such as “percentages for payments to developers.” It adds that no payment data or passwords are at risk.
Nov. 29. Washington state Attorney General Bob Ferguson releases annual data breach report. During the reporting period — July 2018 to July 2019 — 390,000 citizens of the state were affected by data breaches. That compares to 3.4 million in 2018, which included 3.2 million affected by the Equifax breach. AG also reports the number of data breaches in the state rose 20 percent during the period.
Nov. 29. TechCrunch reports data for more than 20 million accounts has been stolen from Mixcloud, an audio streaming service based in the United Kingdom. It says data is on sale for $4,000 on the dark web. Mixcloud says it’s “actively investigating the incident.”
Nov. 27. U.S. Department of Health and Human services fines Sentara Hospitals, based in Norfolk, Va., $2.175 million for improperly reporting a data breach to the agency. A billing mix-up at the provider resulted in the personal identifying information of 577 patients being exposed, while Sentara reported only eight patients affected by the incident.
Nov. 27. ITSEC, a cybersecurity company, finds for sale on the underground market a database containing millions of students records and Indonesian Family Card data. ITSEC says that it can’t determine from where the data was stolen.
Nov. 26. Precisesecurity.com, a computer security website, reports that the top 10 fines imposed under the European General Data Protection Regulation in 2019 amounted to 402.6 million euros (US$450.8 million). It adds that top three fines accounted for 90 percent of that total.
Nov. 23. Uber reveals data breach that places at risk license numbers of some 600,000 drivers and personal information of 57 million users. It adds that during the breach, which occurred in 2016, no trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded.
Nov. 23. OnePlus, a Chinese phone maker, reveals customer ordering information accessed by an unauthorized party. Number of affected customers undisclosed.
Nov. 19. Troy Hunt, operator of the Have I Been Pwned data breach notification website, reveals Gatehub, a cryptocurrency wallet service, and EpicBot, a gaming bot provider, had password and other personal information stolen for some 2.2 million users.
Nov. 18. Macy’s announces that malicious script infection at its website has allowed attackers to steal shoppers’ payment card information. It says the attack lasted from October 7 to 15, and only a small number of customers were affected by the incident.
Nov. 16. Wizards of the Coast, makers of Magic: The Gathering, confirms information for 452,634 players is at risk after a backup of a database file was stored in cloud storage bucket without password protection. It says that it doesn’t believe the data has been used maliciously, but it is requiring affected players to reset their passwords.
Nov. 16. ZDNet reports that hours after the launch of the Disney+ streaming video service, hackers began selling user account information on hacker forums. It says the forums are being flooded with Disney+ accounts, with some ads offering access to thousands of account credentials.
Nov. 12. The Office of the Privacy Commissioner of Canada releases annual data breach report for the year ending October 31. It finds that 28 million Canadians were affected by 680 data breaches during the period.
Nov.7. U.S. Department of Health and Human Services fines Texas Health and Human Services Commission $1.6 million for data breach that exposed online the personal health information of 6,617 people. The breach happened after an internal application was transferred from a private server to a public one, which contained a software bug that allowed the information to be accessed without credentials.
Nov. 6. Facebook reveals that more than 100 developers have improperly accessed data belonging to members of the service’s Groups feature. It says developers accessed names and pictures of Group members without their permission, a requirement imposed by Facebook after its Cambridge Analytica fiasco.
Nov. 6. Veritas Genetics, a DNA testing firm in Danvers, Mass., confirms some customer information was accessed by an unauthorized party through a customer-facing online portal. It says information did not include genetic data, DNA-test results, or health records.
Nov. 5. University of Rochester Medical Center in New York agrees to pay U.S. Department of Health and Human Services $3 million to settle potential violations of the federal Health Insurance Portability and Accountability Act. An investigation by the department of the provider revealed that it failed to conduct an enterprise-wide risk analysis, implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, utilize device and media controls, and employ a mechanism to encrypt and decrypt electronic protected health information when it was reasonable and appropriate to do so.
Nov. 5. California Department of Motor Vehicles notifies 3,200 people their Social Security information was improperly accessed by seven federal agencies, including the Department of Homeland Security. It says the issue was discovered August 2 and has been resolved.
Nov. 4. Singapore’s Personal Data Protection Commission fines Telco Singtel 25,000 Singapore dollars (US$18,503) and Ninja Logistics 90,000 Singapore dollars (US$66,613) for data breaches. A bug in Singtel’s mobile app placed at risk the personal information of 330,000 users. Ninja Logistics, which operates a goods delivery service called Ninja Van, exposed data of 1.26 million people on a public-facing website.
October
Oct. 30. Brandon Charles Glover and Vasile Mereacre plead guilty in San Jose, Calif. federal court to stealing data stored on Amazon Web Services from October 2016 to January 2017 and demanding payment from the owners of the data to destroy it. Among the pair’s victims was Uber, which paid the duo $100,000 to trash sensitive data on 57 million passengers and drivers of the service.
Oct. 28. Security researcher Jeremiah Fowler reveals his discovery of two unprotected databases belonging to Electronic Settlements Limited, the parent of a number of payment settlement companies, including PayPad and CashEnvoy. One database, found in February, exposed to public access more than eight million files containing names, account, and wallet transaction information. The other, identified in October, contains 2.59 million records of transaction data with payment card numbers in plain text.
Oct. 28. UniCredit, an Italian bank and financial services firm, announces data breach exposing some three million records containing names, telephone numbers, email addresses, and cities where clients are registered. It says compromised data was in a file created in 2015, and an internal investigation into the incident is underway.
Oct. 27. CenturyLink, a global technology company, reports a customer database containing 2.3 million records was found exposed on the Internet. It says the database was affiliated with a third-party notification platform and was exposed for 10 months. It adds that the data was primarily contact information and that no financial or other sensitive information was compromised.
Oct. 25. Federal District Court Judge James L. Robart in Seattle approves settlement requiring outdoor clothing retailer Eddie Bauer to pay up to $2.8 million in case stemming from 2016 attack on the chain’s payment processing system. The attack resulted in payment card data being stolen from customers and then used to make fraudulent purchases. Settlement includes payouts of $2 million in attorneys’ fees and a $5 million investment in cybersecurity enhancements.
Oct. 25. People’s Health Center in St. Louis reveals that a ransomware attack on its systems has put at risk personal information of 152,000 people. Although the attack was foiled, the provider says it has no way to determine if the data was viewed or accessed by the intruder.
Oct. 25. QSR, of Chattanooga, Tenn., announces its payment processing system was compromised, placing at risk all payment card transactions made at about a third of its 320 Krystal restaurants from July to September.
Oct. 21. Researchers at vpnMentor discover unprotected online database exposing 179GB of data belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts. Researchers say hundreds of thousands of booking reservations — including those of U.S. military personnel and officials — were available for viewing by anyone with an Internet connection.
Oct. 19. Security researcher Bob Diachenko discovers unprotected online database exposing 7.5 million records of Adobe customers. The records did not contain any passwords or payment information, but did include data about accounts, such as email addresses, Adobe product used, subscription status, Adobe employee status, member IDs, and payment status. It’s not known how long the database was exposed before Adobe secured it.
Oct. 16. Sky News reports security researcher Gareth Llewellyn has discovered two unprotected online databases exposing the resumes of more than 200,000 job seekers. Authentic Jobs, a U.S. employment site used by companies such as the New York Times and multinational professional services firm EY, exposed 221,130 records, while Sonic Jobs, a retail and restaurant jobs outfit, exposed 29,202 resumes. The records were exposed in cloud storage buckets that could be accessed by anyone with an Internet connection.
Oct. 15. North Florida OB-GYN notifies 528,188 patients their personal data is at risk after the provider discovered an unauthorized party accessed its systems and planted ransomware on some of them. It adds that there is no evidence that any unauthorized party viewed, retrieved, or copied any medical or personal information.
Oct. 10. U.S. Customs and Border Protection allows Perceptics, the Tennessee company at the center of a massive data breach involving surveillance data gathered at U.S. checkpoints at the Canadian and Mexican borders, to work on federal contracts. The company was suspended in July for evidence of conduct indicating a lack of business honesty or integrity. As a condition of obtaining government work, the company had to agree to a number of security reforms.
Oct. 10. Moderator of Hookers.nl announces theft of data containing personal details of 250,000 users of the Dutch prostitution website. He explains that a hacker exploited a vulnerability in vBulletin, the software used to power the site. The data includes email addresses, user names, IP addresses, and scrambled password data.
Oct. 5. Tu Ora Compass Health in New Zealand announces the medical data of nearly a million people is at risk due to a series of cyberattacks on its website. However, the healthcare firm says it’s unable to determine if any medical information was accessed during the attacks.
Oct. 3. Turkey fines Facebook $201,865 for a data breach that affected the personal information of 280,959 Turks. An additional fine of $79,000 was imposed on the social network for failing to provide notice of the breach.
Oct. 2. Bob Diachenko and security researchers at Comparitech discover unprotected online database containing the tax records of 20 million Russian citizens. Information that could be accessed by anyone with an Internet connection included names, addresses, residency status, passport numbers, phone numbers, tax IDs, employer names and telephone numbers, and tax values.
Oct. 2. The Ontario Science Centre notifies 174,000 members, donors, and others their names and email addresses are at risk after a data breach at Campaigner, which does email blasts for the provincially-owned tourist attraction. It notes that after an internal investigation, Campaigner discovered that a former employee’s credentials were used to download the Centre’s data without authorization between July 23 and August 7.
Oct. 1. Comodo, a cybersecurity company, alerts 245,000 users of its forums that their personal information is at risk due to a data breach. It says an attacker exploited a vulnerability in the vBulletin software used by its forums and gained unauthorized access to the forums database.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.