Cybersecurity Ventures Cybercrime Diary. PHOTO: Cybercrime Magazine.

Cybercrime Diary, Vol. 4, No. 2: Who’s Hacked? Latest Data Breaches And Cyberattacks

Amazon, Microsoft, Facebook and AMC top breach news

John P. Mello, Jr.

Sausalito, Calif. – Jul. 15, 2019

A security breach at Amazon that resulted in money being siphoned from sellers, an attack on Microsoft’s email services, more privacy woes for Facebook, and the online exposure of a subscriber database belonging to AMC Networks highlighted data breach news during the April to June period.

In addition, the former CIO of Equifax was jailed for dumping stock prior to public knowledge of a massive data breach at the company, a congressional aide was sent to prison for “doxxing” Republicans in an attempt to scuttle a Supreme Court nomination, and the hacker behind the TalkTalk data breach was sentenced to four years in the Big House for his misdeeds.

That’s just some of the data breach news in our diary below.

June

Jun. 28. UpGuard, a data breach research company, reveals three Amazon S3 buckets left exposed to the Internet placed at risk more than 750GB of sensitive data. The buckets were related to Attunity, whose clients include 2,000 enterprises and half the companies on the Fortune 100.

Jun. 27. Federal court sentences Jun Ying, former CIO of Equifax, to four months in prison for dumping stock prior to public announcement of a data breach compromising personal data of 148 million Americans. Yung has already paid the government $117,000, which is the amount he made from the illegal transaction, and faces another $55,000 in fines and a year of probation.

Jun. 27. Krebs on Security reports PCM, a $2.2 billion cloud service provider based in El Segundo, Calif., has been the target of a digital intrusion that’s exposed some of its clients’ email and file sharing systems. Security blogger Krebs says the intruders appear to be primarily interested in stealing information that could be used for gift card fraud.

Jun. 26. Delaware Department of Insurance discloses personal data of 95,000 people in the state was compromised by a data breach at Dominion National, a large vision and dental insurer, over a nine-year period.

Jun. 24. NASA’s Office of the Inspector General reports 10-month data breach at the space agency resulted in theft of data related to the Mars program, including details on the Curiosity rover. The IG notes that hackers used a Rasberry Pi computer connected without authorization to one of the agency’s networks to open the breach.

Jun. 22. Singapore’s Personal Data Protection Commission fines the AIA Group, Asia’s largest insurance group, $10,000 for sending letters intended for 245 people to just two people. Letters included full names and policy numbers of the intended recipients, as well as premium amounts and due dates.

Jun. 21. Gizmodo reports more than a terabyte of data stolen from Perceptics, a vendor for U.S. Customs and Border Protection, is being downloaded from torrent sites on the Internet. Data includes PowerPoint presentations, manuals, marketing materials, budgets, equipment lists, schematics, passwords, and other documents detailing Perceptics’ work for CBP and other government agencies for nearly a decade, as well as tens of thousands of surveillance photographs taken of travelers and their vehicles at the U.S. border.

Jun. 20. Comparitech, a UK-based research company, reports damages from data breaches in the United States since 2008 amount to $1.6 trillion. It notes there were nearly 9,700 breaches during that period exposing 10.7 billion records with an average loss of $148 per record.

Jun. 20. Desjardins, Canada’s largest credit union, announces a former employee removed from its systems without authorization data on 2.9 million members. It notes some personal identifying information was removed but no e-banking passwords, security questions, account PINs, or credit and debit card numbers.

Jun. 19. U.S. Federal Court sentences former congressional aide Jackson Cosko to four years in prison for stealing the contents of a senator’s computer and posting to the Internet the private information of Republican legislators, including home addresses and cell phones, in an attempt to influence the confirmation of Brett Kavanaugh to the U.S. Supreme Court.

Jun. 19. American Medical Collection Agency, a New York medical bill and debt collector, announces it is filing for bankruptcy due a data breach that lasted from August 2018 to March 2019 and resulted in theft of sensitive data of at least 20 million Americans.

Jun. 18. Oregon Department of Human Services announces it will be notifying some 645,000 people their personal information is at risk from a data breach that occurred in January. The breach was the result of phishing scam that compromised the email accounts of nine employees.

Jun. 18. EatStreet, which services more than 15,000 restaurants in over 1,100 cities, announces sensitive information of an undisclosed number of partners and customers is at risk after it was accessed by system intruders during a data breach, which lasted from May 3 to May 17.

Jun. 14. U.S. Health and Human Services Department’s Office for Civil Rights reports nearly two million people had healthcare data exposed by data breaches in May.

Jun. 13. Union Labor Life Insurance of Silver Spring, Md., begins notifying 87,400 patients their personal data is at risk after an employee’s login credentials were compromised during a phishing attack.

Jun. 12. Daniel Kelley, 22, was sentenced by a British court to fours years in prison after pleading guilty to 11 charges of hacking 20,000 customer accounts and blackmailing executives at TalkTalk, a UK telecom company.

June 11. Evite, a social planning and e-invitations service, and one of the biggest sites on the Internet, confirms data breach first reported in April, when a hacker claimed to be selling information on 10 million Evite users.

Jun. 10. HaveIBeenPwned reveals data breach at Emuparadise, a retro gaming website, that has compromised personal information of 1.1 million forum members.

Jun. 6. GateHub, a cryptocurrency wallet company, acknowledges a security breach has allowed online thieves to steal 23.2 million Ripple coins from 80 to 90 users. Coins value is estimated at $9.5 million.

Jun. 6. New York Attorney General Letitia James announces Bombas, a sock maker, will pay $65,000 in fines for waiting three years to inform 39,561 online customers their personal information had been compromised in a data breach.

Jun. 6. vpnMentor discovers an unsecured database belonging to Ricoh’s Theta360 photo sharing website has exposed online some 11 million public and private photos. It notes that although most personal information remained secure, some of that information could be found in the unsecured database attached to the compromised  photos.

Jun. 4. ForgeRock, a digital identity management company in San Francisco, releases consumer data breach report that finds 2.8 billion U.S. consumer records were exposed in 2018, costing organizations $654 billion. The report also found U.S. financial services organizations suffered $6.2 billion in damages in the first quarter of 2019, compared to only $8 million during the same period in 2018.

Jun. 4. Primera Blue Cross, of Mountlake Terrace, Wash., announces it has reached a proposed $74 million settlement of a lawsuit stemming from 2014 to 2015 data breach that compromised the data of 11 million patients.

May

May 31. Landmark White, of New South Wales, Australia, a property valuation company, reveals some confidential documents have been posted to an online document sharing website. It adds it believes an insider left the documents online. A data breach in February cost the company AU$5 million to $6 million and led to major banks suspending the use of the company’s services.

May 30. vpnMentor discovers unsecured server online containing security audit logs of a number of hotels, including those operated by Marriott. The server is connected to the Pyramid Hotel Group, a hospitality and resort management company. Security logs are used to identify weaknesses in an organization’s networks and computers.

May 29. Checkers and Rally’s, one of the biggest drive-thru restaurant chains in the United States, reveals its payment processing system was compromised by malware which collects key information from payment cards. It notes 102 locations, or 15 percent of its restaurants, were affected.

May 29. A federal judge in California approves $350,000 settlement of lawsuit related to 2016 data breach at Essex Property Trust, of San Mateo, Calif., in which cyber criminals accessed names, Social Security numbers and 2015 payroll data for some 2,500 current and former employees.

May 29. Medical Informatics Engineering, of Fort Wayne, Ind., agrees to settle lawsuit brought against it by 16 states for $900,000. Litigation arose from 2015 data breach that resulted in theft of 3.9 million electronic personal health records.

May 28. Flipboard, a Palo Alto, Calif. maker of a news application, reveals an unauthorized user accessed its internal systems which contained user account information and credentials. It notes the intruder had access to the systems from June 2018 to April 2019. The number of users affected by the breach was undisclosed.

May 24. ZDNet reports the hacker known as GnosticPlayers has downloaded data for some 139 million users of Canva, an Australian startup that runs a graphic design service, from an unsecured online database.

May 23. Perceptics, of Farragut, Tenn., which makes license plate readers used by the U.S. government, confirms theft of data from its systems by an intruder. The data, posted to the dark web by the hacker known as Boris Bullet-Dodger, reportedly includes a variety of databases, company documents, and financial information.

May 23. Motherboard reports that multiple employees of Snap have abused internal tools for accessing user data to spy on users of the company’s Snapchat application. A Snap spokesperson told the online publication that unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.

May 23.  Medical Informatics Engineering, of Fort Wayne, Ind., pays U.S. Office of Civil Rights of Department of Health and Human Services $100,000 and takes corrective actions to settle potential violations of the federal Health Insurance Portability and Accountability Act (HIPAA).

May 23. TechCrunch reports an unsecured online database containing 49 million records of Instagram influencers, celebrities, and brand accounts was discovered by security researcher Anurag Sen. It notes the database belongs to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts.

May 21.  Inmediata Health Group, of Puerto Rico, reports to U.S. Health and Human Services Department’s Office for Civil Rights that a misconfigured server exposed online the information of 1.56 million people. It explains that the error allowed search engines to index web pages used for office operations.

May 19. Security blogger Brian Krebs reports the website of First American Financial Corp., a fortune 500 real estate title insurance company, has leaked hundreds of millions of documents related to mortgage deals dating back to 2003 due to an unprotected server accessible to anyone with a web browser.

May 16. The Associated Press reports 10 people have been charged by U.S. and European authorities in connection with a malware campaign that infected tens of thousands of computers and caused more than $100 million in financial losses. The malicious software enabled cybercriminals from Eastern Europe to take remote control of infected computers and siphon funds from victims’ bank accounts, targeted companies, and institutions in the United States.

May 16. European Data Protection Board reports that since the General Data Protection Regulation took effect in May 2018, European privacy authorities have received nearly 65,000 data breach notifications and imposed $65 million in fines.

May 15. Ivan Begtin, co-founder of Informational Culture, a Russian NGO, discovers 23 Russian government sites are exposing online the personal and passport information of 2.25 million citizens, government employees, and high-ranking politicians. He adds the data is unprotected and available for anyone to download.

May 15. Boost Mobile advises its users to reset their passwords and PINs after it detects unauthorized online account activity.

May 14. Fast Retailing, a company behind multiple Japanese brands, announces data breach at its online stores has placed at risk the accounts of 461,091 customers. It explains the breach was caused by a “credential stuffing,” where credentials from other data breaches are used to compromise a website.

May 13. WhatsApp reveals it has fixed a flaw in its software that allowed malicious actors to install spyware on mobile phones. It explains that once installed, the spyware let a caller listen through a phone’s speaker whether their call was answered or not.

May 13. Equifax estimates the cost of recovering from 2017 data breach that compromised the personal information of 148 million customers to be $1.4 billion.

May 12. Multiple security researchers reveal that the servers of at least seven online service providers have been infected with malicious code that logs all form field information from a website, including data on checkout and payment pages, and sends it to a server in Panama. Services found infected with scripts are Alpaca Forms, Picreel, AppLixir, RYVIU, OmniKick, eGain, and AdMaxim.

May 10. Turkish Personal Data Authority fines Facebook $271,000 for bug in an API that allowed third-party apps to access user photos without their permission. It says some 300,000 Turkish users were affected by the flaw.

May 10. Washington Governor Jay Inslee signs into law a bill amending the state’s data breach statute. The amendments expand the definition of “personal information” and decrease from 45 to 30 days the window for reporting a data breach.

May 9. U.S. Justice Department unseals indictments of Fujie Wang, 32, of Shenzhen, China, and “John Doe.” Pair are charged with conspiring to commit fraud, wire fraud, and intentional damage to a protected computer in connection with the 2014 data breach of Anthem, a health insurance provider, and three other American businesses, which were unnamed. The Anthem breach compromised sensitive data for 80 million current and former customers and employees.

May 8. Online mega-retailer Amazon reveals that online thieves siphoned money from some 100 seller accounts between May and October of 2018. Amazon says it’s still investigating the incident, but believes the accounts were compromised by phishing techniques and social engineering.

May 8. Binance, the world’s largest cryptocurrency exchange by volume, announces data breach in which 7,000 bitcoins worth an estimated $40.7 million was stolen. It adds thieves also snatched a large number of API keys, 2FA codes, and other data.

May 7. Freedom Mobile, based in Calgary, Alberta, Canada, confirms data breach in March affected 15,000 customers. It denies initial reports by security researchers at vpnMentor that incident impacted 1.5 million customers.

May 7. Touchstone Medical Imaging, based in Franklin, Ky. agrees to pay $3 million to U.S. Health and Human Services Department’s Office for Civil Rights to settle potential violations of federal law related to data breach that exposed health information of 300,000 patients.

May 7. City of Baltimore announces its computer systems have been targeted in a ransomware attack.  It says emergency services—911 and 311—are still running but most of the city’s servers have been shut down. A hacker known as RobinHood is demanding 13 bitcoins, or about $76,280, to bring the city’s systems back online. The attack is the second on the city in just over a year.

May 6. Wyzant, an online marketplace for connecting students and parents with tutors, announces a data breach has exposed some of its customers’ personal information. The number of customers affected by the breach is undisclosed. The company has more than two million registered users and 76,000 active tutors.

May 3. Trend Micro reveals a credit card skimming campaign aimed at more than 200 campus stores in North America. It explains that the malicious skimming script is injected into payment pages where it gathers credit card and personal information entered on the page. The skimmed information is then sent to a remote server.

May 3. Security researcher Bob Diachenko, of Security Discovery, reports he’s discovered an unprotected online database belonging to AMC networks exposing 1.62 million records containing subscriber information for two of AMC’s premium streaming offerings Sundance Now and Shudder.

May 3. U.S. Justice Department charges three unnamed German nationals with being the administrators of the Wall Street Market, one of the world’s largest dark web marketplaces for selling a wide variety of contraband, including an array of illegal narcotics, counterfeit goods,  and malicious computer hacking software. Before being shut down by German police, the market had more than 1.15 million customer accounts.

May 1. Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit organization aimed at securing exposed or leaking data, finds unprotected online database exposing more 13.7 million user records belonging to Ladders, an online recruitment site specializing in high-end jobs.

April

Apr. 30. Citrix, a $3 billion software company, reports to California Attorney General that intruders had intermittent access to its internal network for six months, from October 2018 to March 2019. It adds files were removed from its systems which may have included information about current and former employees and, in some cases, beneficiaries and dependents.

Apr. 30. Citycomp, a German provider of internet infrastructure for dozens of the world’s largest companies, including Oracle, Airbus, Toshiba, and Volkswagen, alerts some customers sensitive data about them has been stolen and posted online. It explains that the thieves posted the information online after the company refused to meet their blackmail demands.

Apr. 30. Eddie Bauer and Veridian Credit Union announce $9.8 million settlement of claims arising from 2016 data breach at the outdoor retailer that compromised the accounts of more than one million customers of the financial institution.

Apr. 29. Motherboard reports intruders exploited a data breach at Microsoft to rob some of its email users of their cryptocurrency. Microsoft originally claimed only email metadata and customer information, such as subject lines and the names of other email addresses users communicated with, was compromised.  

Apr. 26. Docker reveals that a data breach at Docker Hub, the official repository for Docker container images, has put at risk the data for 190,000 users, or five percent of DH user base.

Apr. 26. UK Information Commissioner’s Office fines London Borough of Newham €145,000 for accidentally exposing through an email list the personal information of 203 people on a “gangs list” compiled by police.

Apr. 24. i-Dressup, a fashion website, agrees to pay $35,000 to settle FTC action stemming from data breach at site that compromised information on 2.1 million users, including 245,000 under the age of 13.

Apr. 23. FBI’s Internet Crime Complaint Center reports $2.7 billion was lost to cybercrime in 2018.

Apr. 20. Emcare, a provider of physician practice management services based in Dallas, reveals an intruder gained access to a number of employee email accounts, putting at risk personal information of as many as 60,000 people, including 31,000 patients.

Apr. 19. Security researcher Justin Paine reveals he found an unprotected online database containing 4.91 million records of patients seeking treatment in several addiction rehabilitation centers, including Steps to Recovery in Pennsylvania and Ohio Addiction Recovery.

Apr. 19. Washington State University settles lawsuit for $5.26 million stemming from 2017 theft of safe containing hard drive that contained sensitive information collected by the university’s Social and Economic Sciences Research Center of nearly 1.2 million people.

Apr. 18. Facebook revises number of passwords of Instagram users stored on its servers in plain text from “tens of thousands” to millions. Plain text data can be read by anyone with access to the servers, including Facebook employees.

Apr. 17. Business Insider reports Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts. It adds Facebook claims the harvesting was “unintentional” and due to an oversight when changing its verification features.

Apr. 17. Wipro, India’s third largest IT outsourcing company, states it’s monitoring its information systems in the wake of reports it has been compromised for a period spanning many months. It notes some abnormal activity has been observed on “a few” employee accounts.

Apr. 13. TechCrunch reports a hacker group penetrated several FBI-affiliated websites and posted information from those sites online. Information includes personal information on thousands of federal agents and law enforcement officers.

Apr. 12. UK Information Commissioner’s Office fines Bounty, a pregnancy club, £400,000 for illegally sharing the personal data of 14 million people. The office says Bounty collected information from new parents and shared it with 39 organizations without the parents’ knowledge.

Apr. 12. Yahoo settles lawsuit resulting from data breach that compromised sensitive information of 200 million users for $117.5 million.

Apr. 9. Kaspersky Lab reveals a new cybercrime marketplace where digital fingerprints for more than 60,000 people are being offered for sale. Called Genesis, the online bazaar’s main product is full digital profiles and its primary clientele are cyber bandits engaged in online fraud, identity theft, and money mule operations.

Apr. 9. A survey by Texas Lawbook finds that four out of five corporate law firms operating in the Lone Star state have experienced a cyber incident or data breach in the last two years.

Apr. 8. UK Digital Culture, Media, and Sport Department releases annual data breach survey that finds data breaches and cyberattacks have decreased among the 1,500 businesses participating in the survey to 43 percent in 2018 from 46 percent in 2017.

Apr. 6.  Dr. William Scalf, 64, and Dr. John Bizon, 66, shutter Brookside ENT & Hearing Services in Battle Creek, Mich. after a ransomware attack scrambled the practice’s medical, billing, and appointment records. Rather than pay the $6,500 ransom demanded by the hacker behind the attack, the physicians decided to retire earlier than they originally planned.

Apr. 5. Navicent Health, a healthcare provider in Macon, Ga., concludes that, after six months of study, a cyberattack on its email system exposed the protected health information of 278,000 people. It says it discovered the attack in July 2018, but it took until January 2019 to determine if there was any sensitive data in the email accounts that were hacked.

Apr. 4. Sonal Patel, 44, pleads guilty in federal court to conspiring with a former acting inspector general of the U.S. Homeland Security Department to steal a database managing more than 150,000 internal investigations and containing personal data of nearly 250,000 DHS employees. The acting IG intended to leverage the database to create a commercial version of it that he could sell back to the government.

Apr. 3. Security researchers at UpGuard find online two unprotected datasets of Facebook information. One dataset, 146GB in size,  belongs to Cultura Colectiva, a Mexican media company, and contains comments, likes, reactions, account names, FB IDs and more. The other dataset contains data collected by a now-defunct app, “At the Pool,” and includes names, passwords, email addresses, Facebook IDs, and other details.

Apr. 2. Georgia Tech states a data breach at the school has placed at risk personal information of 1.3 million current and former students, faculty, and staff members. It explains that a central database at the institution was accessed by an unknown outside entity.

Apr. 1. Bob Diachenko, a security researcher with Security Discovery, reveals an unprotected online database managed by an Indian government health care agency exposed online 12.5 million medical records for pregnant women for at least three weeks. The records go back to 2014 and detailed medical information on the women and their unborn children.

Apr. 1. CNN reports a group of hackers in the Philippines compromised a military database and exposed online sensitive information about 20,000 members of the military.

Cybercrime Diary Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.