18 Jul Cybercrime Diary, Vol. 3, No. 2: Who’s Hacked? Latest Data Breaches And Cyberattacks
Twitter, Uber, Honda, Jaguar, T-Mobile, Chili’s, Adidas, Under Armour, and Ticketmaster tangled in breaches at year’s halfway mark
Sausalito, Calif. – Jul. 2, 2018
In Q2, The New Scientist reports data from millions of Facebook users who used the myPersonality quiz app was exposed online for four years where anyone could look at it. It says the data was highly sensitive, revealing personal details of the users, such as the results of psychological tests.
Here’s more significant data breach events during the second quarter of 2018:
June
Jun. 29. ZDNet reports a database containing personal data of thousands of US law enforcement officials who sought out or underwent active shooter response training in the ALERTT program at Texas State University has been exposed for an undetermined amount of time on a web server with no password protection.
Jun. 29. Klook, a travel booking service, announces that some of its customers’ information may have been accessed without authorization due to malicious JavaScript code associated with a third-party web-based analytics tool used by the company at its website. Customers who performed transactions at Klook’s website between Dec. 11, 2017 and June 13, 2018 —about eight percent of its users — may be affected by the incident. Klook does about a million bookings a month.
Jun. 28. Sudhakar Reddy Bonthu, 44, former Equifax software development manager, is charged with insider trading in connection with the massive data breach at the company that affected the records of 143 million people.
Jun. 28. Adidas alerts customers who made purchases at its US website that their contact information is at risk after the discovery of a possible data breach at the site. The company estimates “a few million consumers” may be affected by the incident.
Jun. 27. Wired Magazine reports Exactis, a data broker in Florida, left exposed on the Internet for an undetermined amount of time a database containing 340 million individual records, including hundreds of millions containing personal information about adult Americans, as well as millions of businesses.
Jun. 27. Ticketmaster warns its UK customers that they are at risk of fraud or identity theft if they bought tickets online from the service between February and June 23 because of a data breach at its website. Other affected sites include TicketWeb and Get Me In. Company says number of customers affected by the breach is fewer than 40,000.
Jun. 27. Typeform, an online forms and services company, discovers a third-party gained unauthorized access to its server and downloaded a backup file containing largely email addresses. Password and payment information wasn’t compromised.
Jun. 25. TaskRabbit, an online handy person for hire website owned by Ikea, announcers data breach in April affected 3.75 million users.
Jun. 25. ZDNet reports Comcast has shut down an API at its Xfinity website because it could be manipulated into returning information about a customer without their knowledge or permission.
Jun. 22. PDQ, a fast food chain with restaurants in 11 states, warns customers who did business with the company between May 19, 2017 and April 20, 2018 that their personal information is at risk after an unauthorized intruder gained access to its computer-related systems through a technology vendor’s remote connection tool.
Jun. 21. Police authorities in Europe make more than 95 arrests of alleged criminals who set up fake web shops to steal credit card information. Authorities say the criminal enterprise was responsible for more than 20,000 fraudulent transactions worth more than €8 million.
Jun. 20. SecurityWeek reports Flighttrader24, a popular flight tracking service based in Sweden, has been notifying users of accounts registered with the service before March 16, 2016 that their email addresses and hashed passwords may have been compromised by a data breach of one of the company’s servers. It says only a “small subset” of its 40 million monthly users are affected by the incident.
Jun. 18. The US Office of Health and Human Services fines the University of Texas MD Anderson Cancer Center $4.3 million for violating the Health Insurance Portability and Accountability Act by losing more than 33,000 patient health records in 2012 and 2013 through the theft of a laptop computer and USB portable drive.
Jun. 16. Brussels Times reports Orange, a telecommunications company, has revealed that a data leak has exposed the personal information of some 15,000 customers in Belgium.
Jun. 16. Liberty, a financial services group in South Africa, notifies its clients that an external party gained unauthorized access to the company’s IT infrastructure, claims to have taken data from it, and is requesting compensation for the stolen data.
Jun. 15. Chicago Public Schools apologizes for accidentally exposing personal information of more than 3,700 students and families. The school system’s Office of Access and Enrollment inadvertently attached a link to a spreadsheet containing the private data in an electronic mailing sent to prospective applicants for the city’s selective-enrollment schools.
Jun. 14. FastBooking, a Paris-based provider of hotel booking software, suffers data theft of personal information, including payment card data, for guests of hundreds of hospitality properties. The company works with 4,000 partner hotels in 100 countries.
Jun. 14. Documents released by the Canadian government reveal confidential information of more than 80,000 Canadians held by the country’s revenue agency may have been accessed without authorization over the last 21 months.
Jun. 14. Med Associates, a medical claims processor for providers in the Albany, N.Y. area, releases statement notifying public of a data breach that occurred when an unauthorized party accessed one of its workstations and used it to gain access to protected data. Incident may have exposed personal health information of more than 270,000 people.
Jun. 13. UK retailer Dixons Carphone reveals card processing systems at two of its outlets have been accessed by unauthorized intruders putting at risk 105,000 payment cards and 1.2 million records containing personal details of customers.
Jun. 13. HealthData Management reports HealthEquity in Utah, a custodian of more than 3.4 million health savings accounts, acknowledges a data breach that allowed an unauthorized party to access 23,000 accounts. The breach occurred when a single employee email account was compromised.
Jun. 13. AcFun, a popular Chinese video and animation sharing platform, reveals data breach that potentially puts at risk the information of tens of millions of users.
Jun. 12. UK’s Information Commissioner’s Office fines Yahoo £250,000 for 2014 data breach that resulted in the theft of account information for 500,000 British citizens.
Jun. 12. France’s Commission Nationale de l’Informatique et des Libertés fines Optical Center €250,000 for failing to adequately protect the data of 334,000 of its customers.
Jun. 12. San Francisco Chronicle reports a data breach that affected 55,947 patients at Dignity Health, a major health system headquartered in the Bay City, is being investigated by federal health officials.
Jun. 11. City of Wellington, Fla. warns 61,000 citizens their payment card information is at risk due to an apparent compromise of the municipality’s Click2Gov payment system.
Jun. 8. UK Information Commissioner’s Office fines the British and Foreign Bible Society £100,000 for failing to adequately protect its IT network, which resulted in unauthorized access to the personal data of 417,000 of its supporters. Some payment card and bank account details were also accessed.
Jun. 8. Terros Health in Arizona notifies 1,600 people their personal information is at risk after a data breach enabled an unauthorized third party to access their data.
Jun. 8. Martha Smith Lightfoot is suspended for 12 months by the state of New York for violating HIPAA rules by taking a list of 3,000 patients from her old employer, the University of Rochester Medical Center, to her new employer, Greater Rochester Neurology.
Jun. 7. The Irish Data Protection Commission finds Yahoo broke European Union law by failing to protect its users data. Failure resulted in a massive data breach in which 500 million accounts were compromised, 39 million of them belonging to Europeans. The commission told Yahoo that it must take specific and mandatory actions to bring its data processing into compliance with EU law but did not issue any penalties against the company.
Jun. 7. Malaysian broadcaster Astro says a data breach of it systems exposed personal information of its IPTV customers. Data for as many as 60,000 of those customers has been reported for sale on the Internet.
Jun. 6. PageUp, a human resources services provider with two million active users in 190 countries, reveals a malware infection of it systems may have compromised some of its clients’ data.
Jun. 4. MyHeritage, a popular genealogical ancestry site, announces a data breach has compromised the email addresses and hashed passwords of more than 92 million users.
Jun. 1. Commonwealth Bank of Australia reports that in 2016 and 2017 it sent 651 emails containing data related to 10,000 customers to a company with a domain name similar to the bank’s.
May
May 31. Ticketfly, an online ticket selling service, shuts down its website due to a “cyber incident.” The company says no payment card information was compromised, but some customer data was accessed by unauthorized intruders, which affected some 27 million accounts.
May 30. Kromtech Security Center experts discover Agilisium, a cloud data storage contractor for the Universal Music Group, exposed UMG’s internal FTP credentials, AWS configuration details, along with SQL passwords on two unprotected instances of Apache Airflow server.
May 30. Kromtech Security Center experts discover two public unsecured Amazon AWS S3 buckets, both belonging to Honda Car India and both containing unprotected databases of information on more than 50,000 users of Honda’s Connect App.
May 29. Richies Supa IGA in Australia warns more than 6,000 customers their personal information may have been accessed by an unauthorized third party on May 11 and 12. The malicious actor planted malware on Richies website, which redirected customers to a rogue site.
May 29. Karim Baratov, 23, sentenced to five years in federal prison for using data stolen from Yahoo to gain access to private emails. He also agreed to pay restitution to his victims and a fine of up to $2.25 million.
May 28. Bank of Montreal and CIBC, two of Canada’s largest banks, announce a data breach of their systems put at risk the personal and financial information of up to as many as 90,000 customers.
May 26. Amazon confirms one of its Echo devices recorded a family’s conversation and sent it to a random person on the family’s contact list, who is an employee of a family member.
May 25. Coca-Cola says it’s issuing data breach notices to about 8,000 people whose personal information is at risk after it was found on a portable hard drive stolen by a former employee.
May 25. Aultman Health Foundation states personal health and identification information of 42,600 patients tied to AultWorks Occupational Medicine, Aultman Hospital, and some Aultman physician offices may have been stolen from email accounts of those healthcare providers.
May 24. Huffington Post UK reports sensitive documents of about 647 staff at Jaguar Land Rover’s West Midlands factory have been leaked in an apparent data breach. It says one of the leaked files contains hundreds of names of employees who will be laid off.
May 24. ZDNet reports an unprotected API at the website of T-Mobile allowed anyone to access the personal account details of any customer with just their cell phone number.
May 24. Kaspersky Lab releases survey showing the average cost of a data breach for an enterprise is $1.23 million, an increase of 24 percent from 2017. For SMBs, the average is $120,000, an increase of 36 percent from 2017.
May 24. University of Vermont advises all users of its network to change their passwords after it discovered an unauthorized intrusion into its systems.
May 23. Troy Hunt and iAfrikan Digital founder Tefo Mohapi report that a database from a traffic fine platform has exposed close to one million personal records to the Internet. The records were discovered on a web server that belongs to a company that handles electronic traffic fine payments in South Africa and appears to be a backup saved to a directory that was accessible to the public.
May 22. LifeBridge Health in Baltimore notifies Attorney General of Maryland that a data breach caused by a malware infection on a server could put at risk medical information for more than 500,000 patients.
May 21. ZDNet reports a bug in Comcast’s website used to activate its customers’ routers can be exploited to reveal the router’s location, as well as the name and password for the device’s home network.
May 21. The University of Greenwich in the UK is fined £120,000 by the Office of the Information Commissioner for uploading the personal data of 19,500 students to an insecure website.
May 20. ZDNet reports TeenSafe, a mobile application that allows parents to monitor their kids’ phone activity, has left its servers, which are hosted on Amazon’s cloud, unprotected and accessible by anyone without a password.
May 19. University of Buffalo confirms it’s investigating the theft of login information for 2,690 school accounts at a malicious website.
May 18. Tidal, a music streaming service, announces it’s investigating a potential data breach after a Norwegian newspaper published a story about the service based on internal documents it says were obtained from Tidal. The story, which Tidal denies, says the service manipulated play numbers to increase royalty payments to some artists, including Beyonce and Kanye West.
May 17. Krebs on Security reports LocationSmart, a real-time aggregator of mobile phone location data, has been exposing that data on the Internet through a buggy component at its website. Krebs says the data can be used to reveal the location of any AT&T, Sprint, T-Mobile, or Verizon phone in the United States to an accuracy of within a few hundred yards.
May 17. Lincare, a respiratory care services provider, agrees to pay $875,000 to settle a lawsuit by employees whose personal information was exposed in a phishing scam at the company.
May 17. Corporation Service Company, a provider of business, legal, and brand services, notifies the Attorney General of California that a data breach at the company resulted in the theft of personally identifiable information for 5,678 residents of that state.
May 16. The 407 Express Toll Route, which operates an all-electronic, open-access toll highway in Canada, begins notifying 60,000 customers that some of their personal information is at risk after it was removed from the agency’s offices during the last 12 months. Agency says it’s investigating the incident as an “inside job.”
May 15. Rail Europe notifies the Attorney General of California that hackers had unauthorized access to the company’s e-commerce website from November 29 to February 16. It says sensitive information, including payment card data, of people who use the site to book train tickets in Europe may have been compromised.
May 14. The New Scientist reports data from millions of Facebook users who used the myPersonality quiz app was exposed online for four years where anyone could look at it. It says the data was highly sensitive, revealing personal details of the users, such as the results of psychological tests.
May 14. Brinker International announces that the payment card system at its Chili’s restaurant chain was compromise between March and April 2018, placing at risk payment card information of customers who did business with Chili’s during that time frame.
May 14. Cambridge Dental Consulting Group announces sensitive information for some 3,750 patients at its Boston Dental Group locations in Las Vegas, as well as its Diamond Lake Dental location in California, is at risk after it was inadvertently posted to the CDCG’s public website.
May 14. Family Planning New South Wales in Australia notifies 8,000 clients their personal information is at risk after hackers exploited a vulnerability in the organization’s Drupal website content management system.
May 10. Nuance, a speech recognition software maker, reports to the SEC that 45,000 patient records were compromised in a data breach of one of its medical transcription platforms.
May 10. The City of Goodyear in Arizona announces payment card information is at risk of anyone who paid for municipal services with such a card in the past 11 months. During that time, it explains, malware planted on the payment system operated by a third-party vendor was skimming payment card information.
May 7. U.S. Internet Crime Complaint Center reports Americans lost more than $1.4 billion due to computer crime in 2017.
May 7. Halifax Regional Police announce they will not be filing criminal charges against a 19- year-old man arrested in April for downloading files without authorization from Nova Scotia’s Freedom of Information portal. Authorities say there are no grounds for charging the teenager with unauthorized use of a computer.
May 4. Protenus reports that nearly 1.13 million patient records were breached during the first three months of 2018.
May 3. Meituan-Dianping, a Chinese food-delivery and e-commerce company backed by Tencent Holdings, announces its investigating reports that information on tens of thousands of its food delivery customers is being sold on the Dark Web.
May 3. Twitter recommends its 336 million users reset their passwords after it discovers passwords were being stored as plaintext in an internal log.
May 2. Australia’s largest bank, Commonwealth Bank, confirms the financial records of almost 20 million customer accounts are at risk after a subcontractor lost two magnetic tape drives containing the information in 2016.
May 2. Aadhaar‘s seeding portal to the Employees Provident Fund Organization shut down after India’s Intelligence Bureau raises concerns about possible data theft by hackers. Possible data leaked includes Aadhaar numbers, demographic information, and employment details of millions of formal sector employees.
April
Apr. 30. Access Group Education Lending notifies 16,500 borrowers that their personal information is at risk after Nelnet, a student loan processing services vendor, sent their data to an unauthorized party.
Apr. 26. Equifax in its first quarter financial report notes the massive data breach that compromised the accounts of 147.9 million customers last year has cost the company more than $242 million in related expenses.
Apr. 25. Kromtech Security reports Bezop, a cryptocurrency outfit, left a MongoDB database unsecured, exposing on the Internet the names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs for over 25,000 investors in the company.
Apr. 26. Vector, an electricity network provider in New Zealand, announces that personal information of 35,000 users of its Outage app may have been compromised due to an API vulnerability in the software.
Apr. 24. The US Securities and Exchange Commission announces Altaba, formerly Yahoo, has agreed to pay $35 million to settle charges it misled investors about a massive data breach that resulted in the theft of information on hundreds of millions of user accounts by Russian hackers.
Apr. 23. Careem, a popular ride-hailing service in the Middle East, discloses that cybercriminals have stolen the personal data of more than 14 million customers. The company says it found no evidence that password or credit card numbers were compromised, but it believes thieves have obtained customer name, email address, phone number, and trip information.
Apr. 23. Krebs on Security reports that MEDantex, a Kansas based company that provides medical transcription services for hospitals, clinics, and private physicians, has taken down its customer web portal after being informed the site was exposing sensitive patient medical records on the Internet.
Apr. 20. SunTrust Banks announces an employee working with a criminal actor stole contact lists containing name, address, phone number, and account balance data on as many as 1.5 million customers.
Apr. 20. UnityPoint Health in Madison, Wis., announces that the Social Security numbers and financial information of some 16,000 people is at risk from a phishing attack that compromised its email system between November 1 and February. 7.
Apr. 18. UpGuard Security researcher Chris Vickery reveals misconfigured online repository of a data search service called LocalBlox exposed on the Internet 48 million personal records scraped from social networks, such as Facebook, LinkedIn, Twitter, and real estate site Zillow.
Apr. 17. The UK’s Information Commissioner’s Office fines Royal Borough of Kensington & Chelsea £120,000 for unlawfully identifying nearly 1,000 people in a Freedom of Information response about the number of empty properties in the borough.
Apr. 17. Municipal Media, maker of the Recycle Coach and My Waste apps, notifies some 55,000 users that their email addresses may have been compromised when a subscriber database was accessed by unauthorized parties.
Apr. 16. TaskRabbit, a handy-man service owned by Ikea, shuts down its website after discovering an unauthorized user gained access to its systems and placed at risk some personally identifiable information.
Apr. 13. Inogen, an oxygen supply device maker, notifies 30,000 existing and former customers their personal information is at risk after it was improperly accessed in a data breach that occurred between January 2 and March 14.
Apr. 14. Texas Health Resources in Arlington, Texas, notifies some 4,000 people their medical records, driver’s licenses, and Social Security numbers are at risk after email accounts at the organization were accessed by an unauthorized third party in October.
Apr. 13. Healthcare Informatics reports that Middletown Medical in New York state exposed the protected health information of 63,551 patients when it misconfigured the security settings on one of its radiology interfaces and enabled unauthorized users to access the data.
Apr. 13. Polk County Health Services in Iowa reveals it accidentally disseminated personal and protected healthcare information of 1,071 people who received services at the county’s Crisis Observation Center from June 2014 to Jan. 11, 2018.
Apr. 12. US Federal Trade Commission reveals that Uber failed to disclose 2016 data breach that exposed the names, phone numbers, and email addresses of more than 20 million people who used its service.
Apr. 12. Gemalto reports that 2.6 billion records were stolen, lost, or exposed worldwide in 2017, an 88 percent increase from 2016.
Apr. 12. Australia’s Office of the Information Commissioner reports that some 34,000 citizens have been affected in 63 data breaches since data breach reporting became mandatory in February.
Apr. 11. The government of Nova Scotia, Canada, announces that a data breach at its Freedom of Information and Protection of Privacy website resulted in the inappropriate access to 7,000 documents, of which some 250 contained highly sensitive personal information.
Apr. 9. Integrated Rehab Consultants of Chicago announces that personal information of an unspecified number of patients is at risk after it was inadvertently uploaded to the Internet by one of the organization’s vendors in December 2016.
Apr. 6. Chesapeake Regional Healthcare Sleep Center in Virginia notifies 2,100 patients that their personal healthcare information is at risk because two unencrypted portable hard drives went missing from the center on Feb. 6.
Apr. 6. The California Department of Developmental Services discloses that vandals who ransacked state offices in Sacramento in February briefly had access to the personal health records of 582,000 people and personal information of 15,000 employees, contractors, job applicants, and parents of minors enrolled in the department’s programs.
Apr. 6. Best Buy says payment card information of a number of its customers was affected by a data breach at chat services provider [24]7.ai between September 27 and October 12.
Apr. 5. Delta Airlines announces a data breach at a contractor who provides online chat services to the airline has placed at risk payment card data of “several hundred thousand customers.” The data breach took place at a company called [24]7.ai.
Apr. 5. Shutterfly, a web-based printing company, reports to the Office of the Attorney General for California that on March 20 an employee’s credentials were used without authorization to access the company’s test environment placing at risk personal information of some current and former employees.
Apr. 4. Under Armour, a sports apparel merchant, reveals that a data breach at its food and nutrition website, MyFitnessPal, has placed at risk personal information of about 150 million users.
Apr. 4. Facebook revises number of users affected by Cambridge Analytica mishandling of information taken from the social network to 87 million from 50 million.
Apr. 3. Usinger’s, a sausage maker in Milwaukee, reveals a security incident at the hosting provider for its e-commerce website resulted in the theft of data on customers who made purchases at the site between September and March.
Apr. 3. Florida Virtual Schools alerts students their personal data is at risk after it was accessed by an unauthorized party from May 2016 to February 2018.
Apr. 2. Panera Bread says it’s resolved a security flaw at its website that affected information on fewer than 10,000 customers. Krebs on Security reported earlier that a flaw at the site resulted in millions of customer records being exposed on the Internet.
Apr. 2. Hudson’s Bay Company confirms data breach involving payment card data at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor. Gemini Advisory, a cybersecurity firm, says hackers claiming to have five million payment card numbers from the retailers and have been selling them on the Dark Web since May 2017.
Apr. 2. Virtua Medical Group of New Jersey agrees to pay $417,816 to settle case against it by Attorney General Gurbir Grewal and the state’s Division of Consumer Affairs for data breach exposing medical files of more 1,600 patients.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
The Cybercrime Diary is sponsored by Digital Defense, Inc.
Founded in 1999, Digital Defense is a trusted provider of security risk assessment solutions, protecting billions of dollars in assets for clients around the globe.
Serving clients across numerous industries from small businesses to very large enterprises, Digital Defense’s innovative and leading edge information security technology helps organizations safeguard sensitive data and eases the burdens associated with information security. Frontline Vulnerability Manager™, the original Vulnerability Management as a Service (VMaaS) platform, delivers consistently accurate vulnerability scanning and penetration testing, while SecurED®, the company’s security awareness training promotes employees’ security-minded behavior.
