15 Oct Cybercrime Diary, Vol. 4, No. 3: Who’s Hacked? Latest Data Breaches And Cyberattacks
Zynga and MoviePass leak data, Equifax, British Airways and Marriott pay for past breaches
Sausalito, Calif. – Oct. 1, 2019
High profile data breaches during the July to September quarter of 2019 included unprotected servers exposing online two billion logs containing a potpourri of data of Chinese smart home management company Orvibo, 419 million records belonging to Facebook, and personal information of 218 million Zinga users. Meanwhile, Equifax settled data breach actions against it for $700 million, and fines for data breaches were slapped on British Airways for £183 million and Marriott $123 million. That’s just some of the data breach news in our diary below.
September
Sep. 29. Gnosticplayers, a high profile hacker, tells Hacker News data breach at game company Zynga has exposed personal information of 218 million users. He says data breach affects all Android and iOS game players who installed and signed up for the “Words With Friends” game on and before September 2.
Sep. 26. Food delivery service DoorDash reveals a data breach has exposed personal information of 4.6 million customers who joined the service before April 5, 2018.
Sep. 23. Metro Mobility in Minneapolis, a shared-ride shuttle service for public transit passengers with disability or health issues, alerts 15,200 customers that information about them maintained by the service was exposed to an unauthorized intruder after an employee’s email account was compromised.
Sep. 23. Malindo Air, a Malaysian airline, announces that two former employees of GoQuo, an Indian ecommerce service provider, stole the personal data of some 30 million customers of Malindo and Lion Air.
Sep. 21. English Premier League football club Liverpool pays £1 million to settle complaint by rival Manchester City that the Reds hacked into City’s computer scouting system.
Sep. 21. Dubai-based Cheers Exhibition reports loss of $53,000 from email spoofing scheme that diverted funds into a foreign bank account. CEO Binu Manaf says he didn’t realize account had been compromised until a client asked if he had sent out emails seeking payments into an overseas account instead of a local bank in Dubai.
Sep. 18. Malindo Airlines and Thai Lion Air confirm data breach that compromised passport details of 30 million passengers. Confirmation comes after reports that the information, which includes data from Batik Air, was being offered for sale on the dark web.
Sep. 16. The Federal Emergency Management Agency reports it overshared personal information with a contractor for about 2.5 million people who applied for transitional shelter assistance between 2008 and 2018. It says the data has been removed from the contractor’s computers and that there is no reason to believe it was accessed by any unauthorized parties.
Sep. 16. Researchers at vpnMentor reveal discovery of an unsecured server containing personal information on more than 20 million people, most of them from Ecuador. Data includes names, phone numbers, and birth dates of nearly everyone in the country, which has a population of 17 million.
Sep. 13. New Zealand pet supply store Animate shuts down website after discovering it was compromised and personal information of customers may have been accessed by an intruder.
Sep. 12. U.S. Commodities and Exchange Commission orders Phillip Capital, a futures commission merchant, to pay $1.5 million in sanctions for allowing cybercriminals to breach the company’s email systems, access customer information, and successfully withdraw $1 million in customer funds. The order also finds that the firm failed to disclose the breach to its customers in a timely manner and failed to supervise its employees with respect to cybersecurity.
Sep. 11. Security researcher Jeremiah Fowler reveals discovery of unsecured online database containing 198 million records belonging to dealerleads.com. Information exposed on the Internet included a compilation of potential car buyers wanting more information, loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more. He says Dealer Leads secured the information and removed public access to it after he informed them of the problem.
Sep. 11. U.S. Department of Health and Human Services Office for Civil Rights reports 44 healthcare data breaches affecting 710,279 people occurred in August. That’s the lowest number of affected individuals since January, when 577,511 people were affected in breaches.
Sep. 10. Premiere Family Medicine of Utah notifies 320,000 patients their protected healthcare information is at risk after a ransomware attack on the provider’s information systems. It adds that it has no reason to believe that any information was accessed or stolen.
Sep. 9. A Reddit user reveals an API flaw in Get, an application designed to manage university clubs and societies, that puts at risk the personal details of some 50,000 Australian students. The flaw allows anyone to find personal data about other users with a simple search. Get says it has corrected the problem.
Sep. 6. Apple accuses Google of inflating threat to iOS users from an exploit discovered by Google’s Project Zero team on August 30. Apple notes the attack that exploited the flaw was narrowly focused — not expansive, as Google contended — and limited to fewer than a dozen websites with content focused on the Uighur Muslim community in China. It adds the poisoned websites were active for two months, not two years, as Google noted.
Sep. 5. Online employment website Monster confirms resume and CV information for job applicants from 2014 to 2017 was exposed on a server of a former recruitment customer. Although it’s not known how many files were exposed, TechCrunch notes “thousands” of resumes were found in a single file dated May 2017, and while the data is no longer accessible from the server, hundreds of resumes and documents can still be found in the cached results of search engines.
Sep. 4. Sanyam Jain, a security researcher and member of the GDI Foundation, reveals discovery of unprotected server containing 419 million Facebook account records. According to TechCrunch, the records include 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam. It adds that each record contains a user’s Facebook ID, which can be used to find the user’s name, and a phone associated with the account. Jain says he found several profiles of celebrities with their phone numbers. TechCrunch notes the data was pulled offline after it informed the server’s host of the situation.
Sep. 3. Popular comics site XKCD is taken offline after data thieves steal user names, email and IP addresses, and hashed passwords of some 560,000 users. Information was discovered by researcher Adam Davies, who informed Troy Hunt, who operates the breach notification site Have I Been Pwned.
Sep. 3. Providence Health Plan in Oregon notifies 122,000 members that their personal information was exposed by a data breach at Dominion National in Virginia, which administers dental benefits for Providence. Dominion says the breach may have started nine years ago.
Sep. 2. Researchers with vpnMentor announce discovery of an unprotected server owned by Aliznet. They say the server contains data about international cosmetics and beauty brand Yves Rocher, which is one of Aliznet’s clients. Researchers say they could view the personal data for 2.5 million Canadian customers of Yves Rocher. They also were able to view records of more than six million customer orders which could be used to identify the individuals who placed the orders.
Sep. 2. AIG, an insurance company based in New York City, reports that the largest source of claims under its cybersecurity insurance policies is business email compromise (23 percent), followed by ransomware (18 percent), data breaches by outsiders (14 percent), and data breaches by insiders (14 percent). It adds claims nearly doubled from 2017 to 2018, and that claims in 2018 were more than all claims in 2016 and 2017 combined.
August
Aug. 30. ThaiCERT reveals that it has discovered personal information of some 41 million gamblers in an unprotected online database. The exposed information includes names, phone numbers, birthdays, ID card numbers, and bank account numbers.
Aug. 30. The Verdict discovers an unprotected AWS server containing 530,000 files of Teletext Holidays, a British travel company. It says files were exposed for three years and included 212,000 audio files of customer calls to the company’s call center in India. It adds that files were taken offline when Teletext was informed of the situation.
Aug. 30. Foxit Software, which makes a PDF reader, announces sensitive information of an undisclosed number of users was stolen from the company in a data breach. All passwords of affected users were reset.
Aug. 30. Russell Stover Chocolates in Kansas City, Mo., announces the point-of-sale systems of its retail stores were infected with malware allowing customer payment card information to be compromised from February 9 to August 7.
Aug. 28. HIPAA Journal reports that the number of people affected by a data breach at the American Medical Collection Agency is nearing 25 million. It says 23 healthcare organizations in the country have been affected by the breach.
Aug. 27. Presbyterian Healthcare Services in Albuquerque, N.M. reports 183,000 of its patients and health plan members were affected by a data breach it announced on August 2. It adds that number may increase as the provider’s investigation into the incident continues.
Aug. 27. Imperva, a provider of activity monitoring, real-time protection, and risk management solutions, announces security incident with its Cloud Web Application Firewall that has exposed sensitive information of some customers with Cloud WAF accounts through Sept. 15, 2017. It says it’s alerting all affected customers about what the company is doing to protect their accounts and advising them on what to do to protect themselves.
Aug. 25. Hostinger, a web hosting company in Lithuania, announces sensitive information for about 14 million users is at risk after an intruder gained access to its systems through an API server. It says financial information was not affected, although usernames, emails, first names, and IP addresses may have been compromised.
Aug. 23. Mastercard reveals sensitive data about an undisclosed number of customers has been stolen from its German Priceless Specials program. It says it became aware of the breach after the information appeared on the Internet. Data includes customers’ names, payment card numbers, email addresses, home addresses, phone numbers, gender, and dates of birth. The company is offering free credit monitoring and identity theft services to those affected by the incident.
Aug. 22. Security blogger Brian Krebs reports payment card information for 5.3 million cardholders in 35 states is being offered for sale at an online underground store. He says information was scraped from compromised point-of-sale systems at gas pumps, coffee shops, and restaurants operated by Iowa-based Hy-Vee, which operates more than 245 supermarkets in the Midwest.
Aug. 20. TechCrunch reports SpiderSilk, a Dubai-based cybersecurity firm, has discovered an unprotected server containing 161 million records belonging to MoviePass, a movie ticket subscription service. It says records include credit card numbers of tens of thousands of the service’s subscribers.
Aug. 19. Researchers at vpnMentor reveal that data breach at adult website Luscious exposed personal data of 1.2 million users. Information exposed included user names, country of residence, gender, and user activity logs. The site corrected the situation after it was notified of the problem.
Aug. 16. Risk Based Security releases 2019 mid-year data breach report finding 3,813 publicly reported incidents during the first six months of the year, an increase of 54 percent over the same period in 2018, exposing 4.1 billion records, a 52 percent jump over the previous year.
Aug. 7. State Farm, a banking an insurance company based in Bloomington, Ill., announces that the personal information of an undisclosed number of customers is at risk after its information systems were compromised in a “credential stuffing” attack. As a precaution, the company reset the passwords to all affected accounts.
Aug. 7. Revenu Quebec, the province’s tax collection agency, announces arrest of a 39-year-old woman and 46-year-old man in connection with a data breach at the agency affecting 23,000 current and former employees at the agency. It adds that information removed from the agency by the pair was not used for malicious purposes or sold to anyone.
Aug. 5. U.S. District Judge Michael Simon approves $74 million settlement of lawsuit stemming from a data breach at Primera Blue Cross, a health care insurer based in Seattle, which affected more than 10.6 million patient records.
Aug. 5. Marriott International discloses it’s taking a $126 million charge for its latest quarter due to a security breach of its Starwood reservations database that exposed the records of 383 million guests, including passport and credit card information since 2014.
Aug. 5. Have I Been Pwned, a data breach notification site, reveals CafePress, a custom merchandise retailer, suffered a data breach and theft of 23.2 million records containing a variety of information, including email addresses, names, physical addresses, phone numbers, and hashed passwords. CafePress did not acknowledge the breach until September 24, although it reset its users’ passwords in August.
Aug. 3. TechCrunch, citing an unnamed researcher, says a data breach in May at StockX, a fashion and sneaker platform, resulted in the theft of 6.8 million records, which were subsequently sold on the dark web. StockX reset all user passwords August 1 for “system updates.”
Aug. 3. The organizers of E3 2019, a video game show held in Los Angeles in June, apologizes for exposing at its website a spreadsheet containing contact information for 2,000 journalists, content creators, analysts, and others who received credentials to attend the event. The document was taken down within hours of its accidental posting, but not before it was downloaded and distributed by some people.
Aug. 1. Motherboard reports an unprotected cloud storage bucket belonging to the Bank of Cardiff in San Diego has exposed online more than one million audio recordings of bank employees, including calls with potential customers.
July
Jul. 31. Pearson, a British maker of education software, warns that it has suffered a data breach affecting 13,000 school and university accounts, chiefly in the U.S., and thousands of students.
Jul. 28. Capital One announces data breach putting at risk personal information of more than 100 million people, and that Page A. Thompson, 33, a former software engineer, was arrested in connection to the incident.
Jul. 28. Los Angeles Police Department reports theft of data affecting 2,500 officers, trainees, and recruits, and 17,500 police officer applicants. Stolen data included the officers’ names, dates of birth, parts of their Social Security numbers, and the email addresses and passwords used when applying for their jobs.
Jul. 25. Gov. Andrew Cuomo signs into law legislation expanding New York’s data breach statute. Under the law, breaches now include unauthorized access to or acquisition of data, and private information has been expanded to include biometric data. It also requires any business that owns or licenses private information of New York residents to take reasonable safeguards to protect that data.
Jul. 25. Park DuValle Community Health Center, which runs medical clinics for low-income and uninsured patients in Louisville, Ky., reveals it has paid hackers nearly $70,000 to descramble its data targeted in a ransomware attack. It says data has been inaccessible since June 7.
Jul. 24. City Power in Johannesburg, South Africa, reveals a ransomware attack has taken its IT systems offline. It says the attack is preventing customers from notifying the company of electrical faults and suppliers from filing invoices electronically.
Jul. 23. iNSTNQ, a Gig Harbor, Wash. provider of QuickBooks accounting software and services, begins to turn on customers’ virtual desktops after the service was crippled by a MegaCortex ransomware attack on July 16.
Jul. 22. Equifax agrees to pay up to $700 million to settle actions against it by the Federal Trade Commission and others over 2017 data breach that exposed the private data of nearly 150 million people. The settlement is believed to be the largest ever in a data breach case.
Jul. 19. Bayamón Medical Center and Puerto Rico Women and Children’s Hospital, both part of the same organization and based in Bayamon, Puerto Rico, reveal ransomware attack on their information systems impacted 522,000 people. They say some patient information was inaccessible to the facilities for a short period of time, but there is no evidence that any data was extracted from the network or misused.
Jul. 17. Bulgarian authorities arrest 39-year-old man they say was behind data breach resulting in theft of tax data for as many as five million people in a country with a population of seven million.
Jul. 16. Dutch Supervisory Authority fines Haga Hospital in the Hague €460,000 under the GDPR for data breach involving dozens of staffers browsing the medical records of TV star Samantha (Barbie) de Jong.
Jul. 16. Sprint alerts an undisclosed number of customers that their personal information is at risk after an intruder accessed the “add a line” website of Samsung.com. It says the information accessed did not pose “a substantial risk of fraud or identity theft.”
Jul. 14. Have I Been Pwned, a data breach notification website, posts online data stolen from Evite, a social planning website, in August 2013. Data includes 101 million unique email addresses, as well as names, phone numbers, physical addresses, dates of birth, genders, and passwords stored in plain text. When originally reporting the breach, Evite said only 10 million accounts were compromised.
Jul. 13. Hacking group 0v1ru$ breaches information systems of SyTech, a contractor for Russia’s national intelligence service, the FSB, and steals 7.5TB of data, as well as defacing the company’s site. Data included information on projects to collect data on social media users, to remove anonymity from Tor traffic, to penetrate P2P networks like those used for torrents, and to create a closed internet for storing highly sensitive information.
Jul. 11. Premera Blue Cross of Seattle agrees to pay $10 million to 30 states to settle action arising from data breach that exposed confidential information of 10 million people nationwide.
Jul. 10. Canada’s Office of the Privacy Commissioner announces it’s opening an investigation of data breach at Desjardins Group, a financial services company, in which an employee with “ill intention” leaked sensitive information for about 2.7 million individual members and 173,000 business members.
Jul. 9. UK Information Commissioner’s Office announces intent to fine Marriott hotel chain $123 million for compromise of its Starwood reservation database and theft of sensitive information for 383 million guests.
Jul. 9. Bloomberg reports that DNA-testing service Vitagene in San Francisco exposed more than 3,000 user files on unprotected AWS servers for years. It notes that the company shut down external access to the servers after being notified of the problem. The files contained genealogy reports that included gene-based health information, such as the likelihood of developing certain medical conditions.
Jul. 9. County officials reveal medical information of 14,591 patients at Los Angeles County’s hospitals and clinics is at risk from a data breach at Nemadji Research Corp., a contractor with the county’s Department of Health Services. They explain that one of the contractor’s employees fell for a phishing attack that allowed outside access to the medical data.
Jul. 8. UK Information Commissioner’s Office announces intent to fine British Airways £183 million for data breach that resulted in theft of personal information of 500,000 of the airline’s customers.
Jul. 4. Researcher xxdesmus discovers unprotected online database belonging to Honda Motor Company exposing 40GB of employee information, as well as machine hostnames, MAC addresses, internal intellectual property, operating system versions, patch management data, and the status of Honda’s endpoint security software. He says information was accessible to the public since July 1. After being alerted by the researcher, Honda secured the database on July 6.
Jul. 2. Choice Hotels shuts down unprotected online database containing 5.6 million records after being notified of the problem by Comparitech and researcher Bob Diachenko. Most of the records were dummy test data, but 700,000 records contained genuine information on guests, such as names, email addresses, and phone numbers. Researchers also discover a ransom note saying the records had been copied and demanded 0.4 bitcoin (about $4,000) for their return.
Jul. 2. Researchers at vpnMentor reveal an unprotected online database belonging to Chinese smart home management platform company Orvibo has exposed two billion logs containing a potpourri of data, including passwords and reset codes.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.