
Cybercrime Diary, Vol. 3, No. 3: Who’s Hacked? Latest Data Breaches And Cyberattacks

The cyber intrusions, perpetrators, victims, damages, fines, and settlements we follow… and you should too

John P. Mello, Jr.

Northport, N.Y. – Oct. 2, 2018

Facebook once again dominated cybersecurity media headlines during the August-September period, but a careful read through our latest cybercrime diary reveals that organizations of all types and sizes globally are under continual cyberattack.

September

Sep. 30. Wall Street Journal reports European watchdogs could fine Facebook as much as $1.63 billion for data breach at the social network that exposed personal information of 50 million users.

Sep. 28. Facebook reveals an attack on its computer network has exposed the personal information of nearly 50 million users. The breach is the largest in the company’s 14-year history.

Sep. 26. Uber agrees to pay $148 million to settle probe by state attorneys general across the US into a 2016 data breach, where a hacker managed to gain access to information belonging to 57 million riders and drivers, including names and driver’s license numbers for 600,000 drivers.

Sep. 26. Port of San Diego announces serious cybersecurity incident, believed to be ransomware attack. It says its employees are still able to work but with limited access to their computers and that the public will be inconvenienced.

Sep. 26. Chegg, an education technology company based in Santa Clara, Calif., announces it will be resetting passwords of its 40 million users after discovering data breach that occurred in April. It says intruder gained access to user data such as names, email addresses, shipping addresses, Chegg.com usernames, and encrypted Chegg.com passwords.

Sep. 21. Ruslan Bondars, 37, a Latvian hacker, is sentenced to 14 years in US prison for violating the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage. Bondars ran a malware scanning site called Scan4You, which was used to develop malware, such as Citadel.

Sep. 21. Chinese police arrest 21 suspects in connection with theft of customer information from Alibaba Group Holding’s logistics affiliate Cainiao Network, which provides logistics support to Alibaba’s Taobao e-commerce platform. More than 10 million pieces of client data were stolen, including user names, phone numbers, and parcel tracking numbers.

Sep. 20. UK Information Commissioner’s Office imposes £500,000 fine on Equifax for failing to protect data of 15 million Britons during a data breach at the credit agency last year.

Sep. 20. UMass Memorial Medical Group and UMass Memorial Medical Center agree to pay $230,000 to resolve claims by Massachusetts Attorney General Maura Healey that two separate data breaches exposed the personal and health information of more than 15,000 Massachusetts residents.

Sep. 19. Philippines-based media network ABS-CBN closes two online stores after discovering malware that intercepted data during customer checkouts and sent it to a server registered in Irkutsk, Russia.

Sep. 18. Huazhu Hotels Group announces a hacker is being detained who is suspected of trying to sell on the dark web almost 500 million data items stolen from the chain, which includes Hanting, CitiGO, Crystal Orange and Ibis. The hacker allegedly offered to sell details of customer bank accounts and identity cards for eight bitcoins ($50,700).

Sep. 17. Krebs on Security reports Government Payment Service, which accepts payments for about 2,300 government agencies in 35 states, has leaked more than 14 million records, some dating back six years. Data leaked includes names, addresses, phone numbers and the last four digits of the payer’s credit card.

Sep. 17. Altaba, formerly known as Yahoo, announces litigation expenses related to its massive data breaches in 2014 amount to $47 million.

Sep. 14. Hackers crack Japanese cryptocurrency exchange operated by Tech Bureau Corp. and steal $60 million in digital currency.

Sep. 12. Peter Yuryevich Levashov, 38, pleads guilty in US District Court in Hartford, Conn. to crimes connected to his operation of the Kelihos botnet, which he used to harvest login credentials, distribute bulk spam emails, and install ransomware and other malicious software.

Sep. 11. RiskIQ reports the hacker group Magecart was responsible for the theft of data of some 380,000 customers from the website of British Airways, as well as its mobile app, from August 21 to September 5. The same group performed a similar attack on Ticketmaster UK in June.

Sep. 11. HuffPost India reports a software patch is being sold online for around $35 that disables critical security features of the Aadhaar identity database and allows anyone to create unauthorized numbers for the system, which contains biometric and personal information on more than one billion Indians. Aadhaar numbers are used for everything from using a mobile phone to accessing bank accounts, so creating bogus ones could be a gold mine for criminals.

Sep. 7. Andrei Tyurin, a Russian national who allegedly participated in a global hacking campaign that targeted major financial institutions, brokerage firms, news agencies, and other companies, is extradited to the United States from the former Soviet state of Georgia. His alleged exploits include the largest theft of U.S. customer data from a single financial institution in history, which affected more than 80 million victims.

Sep. 7. U.S. District Court Judge Lucy Koh approves $80 million settlement in investor lawsuit brought against Yahoo for failing to disclose four data breaches that affected three billion user accounts and depressed the company’s stock price once they became public.

Sep. 7. U.S. State Department announces data breach of its unclassified email system has exposed the personal identifying information of less than one percent of its employees’ inboxes.

Sep. 5. British Airways announces data breach of its bookings system resulting in the compromise of 380,000 card payments. Data stolen over a two-week period included names, street and email addresses, credit card numbers, expiration dates, and security codes.

August

Aug. 30. Motherboard reports Family Orbit, a parental control app, exposed online pictures of hundreds of monitored children, protected only by a password that almost anyone could find. A hacker who brought the situation to Motherboard’s attention says the company left 3,836 containers exposed on Rackspace with 281 gigabytes of pictures and videos.

Aug. 29. Air Canada announces data breach of its mobile app may affect about 20,000 users. It says attackers may have accessed basic profile data, including names, email addresses and phone numbers, as well as passport numbers and expiration dates, passport country of issuance, NEXUS numbers for trusted travelers, gender, dates of birth, nationality, and country of residence.

Aug. 29. Huazhu Hotels Group in China announces it’s investigating the possible leak of millions of customer records following a posting on the dark web selling 140GB of data allegedly belonging to the hospitality chain.

Aug. 29. The Arc of Erie County, a Buffalo-based nonprofit that provides services to people with developmental disabilities and their families, pays $200,000 penalty to state of New York for exposing its clients’ sensitive personal information on the Internet for years.

Aug. 28. UK’s Information Commissioner’s Office reports the number of complaints it has received since the adoption of the EU’s General Data Protection Regulation in May has more than doubled. The office received 6,281 complaints from May 25 to July 3. During the same period in 2017, it received 2,415.

Aug. 27. Security researcher Bob Diachenko reports he has discovered an unprotected MongoDB database belonging to ABBYY, an optical character recognition software developer. The 142GB database included more than 200,000 documents, such as contracts, NDAs, memos, and letters.

Aug. 23. TechCrunch reports a file with 14.8 million records on Texas voters was found on a server exposed online without a password by the hacker known as Flash Gordon. It says it’s unclear who owns the server, but the file was likely compiled by Data Trust, a Republican-focused data analytics firm created by the GOP to provide campaigns with voter data.

Aug. 23. T-Mobile reveals theft of personal data of two million customers. It says data nicked by hackers included names, email addresses, account numbers, and other billing information. It adds no payment card numbers or Social Security numbers were compromised.

Aug. 23. Motherboard reports misconfigured Amazon cloud storage bucket managed by SpyFone, a maker of mobile spyware, has exposed data of at least 2,208 customers on the public internet, including more than 11,000 unique email addresses.

Aug. 21. Facebook bans myPersonality app from social network after discovering it misused information for about four million users of the social network. It says app’s owners shared the data with researchers and companies with only limited protections in place.

Aug. 21. Information Media Group reports the total victim count for healthcare data breaches in 2018 to be 6.1 million. It says hacker attacks accounted for 4.3 million victims, or about 70 percent of the total.

Aug. 20. Darden Restaurants, based in Orlando, Fla., announces malware infection of the point-of-sale systems at its Cheddar’s Scratch Kitchen eateries has compromised payment card information of as many as 567,000 customers in 23 states who visited the outlets in the chain between Nov. 3, 2017 and Jan. 2, 2018.

Aug. 20. Security researcher Bob Diachenko reveals Sitter, a babysitting app, exposed online the details of 93,000 users through an unprotected MongoDB database.

Aug. 20. UK law firm Reynolds Porter Chamberlain reports decline in prosecutions under the country’s Computer Misuse Act, which allows law enforcement to charge individuals with unauthorized access to PC systems and causing damage to machines. It notes there were 47 prosecutions under the act in 2017, down from 57 in 2016 and 61 in 2015.

Aug. 17. A 16-year-old boy from Melbourne, Australia pleads guilty to breaking into Apple’s corporate network and downloading 90GB of data over a one-year period. Law enforcement authorities tracked the lad down after he bragged about his exploits on WhatsApp.

Aug. 17. GOMO, a large Chinese developer of mobile apps, confirms it left a port open for its Amazon cloud storage and exposed online information on more than 50 million users. The misstep was discovered by the security researcher known as Flash Gordon on May 17 and fixed by GOMO on May 30.

Aug. 16. U.S. District Court Judge Lucy Koh approves $115 million settlement of lawsuit connected to 2015 data breach at Anthem, which affected more than 78 million people. The settlement is one of the largest in a consumer data breach case.

Aug. 15. Cosmos Bank of India reveals thieves robbed the institution of $13.4 million over the weekend in a coordinated ATM and SWIFT money transfer scheme. On Saturday, over a seven-hour period, 15,000 fraudulent ATM transactions were performed in 28 countries. Then on Monday, a $1.93 million SWIFT transfer was made from Cosmos to a bank in Hong Kong. One Indian newspaper attributes the heist to the Lazarus Group, a North Korean hacker group linked to past cyber heists.

Aug. 15. Risk Based Security reports that for the first six months of 2018, there have been 2,308 reported data breaches, which have exposed 2.6 billion records. That’s a year-over-year drop from 2,439 breaches and six billion records for the same period in 2017.

Aug. 15. Police in northwest China arrest three men on suspicion of stealing $86.7 million in cryptocurrency from computers in that country.

Aug. 9. Olayinka Olaniyi, 34, a citizen of Nigeria, is convicted in federal court in Atlanta for conspiracy to commit wire fraud, computer fraud, and aggravated identity theft. Olaniyi and his partner Damilola Solomon Ibiwoye, 29, who has already pleaded guilty to similar charges, launched phishing scams against universities in the United States. They used the information from the scams to intercept payroll deposits and file false tax returns to obtain refunds, which netted the pair $6 million.

Aug. 3. Salesforce.com alerts users of its marketing cloud that a code change at the site created a bug that caused information of some customers’ accounts to be written to the accounts of other customers. It says it has found no evidence of malicious behavior associated with the issue.

Aug. 3. TCM Bank, which helps small and community banks issue credit cards, begins notifying some 10,000 consumers that a website misconfiguration error has exposed their personal information online. Data exposed includes names, addresses, dates of birth, and Social Security numbers of people applying for credit cards between early March 2017 and mid-July 2018.

Aug. 3. Unixiz agrees to shut down i-Dressup, a website targeted at teens, to settle charges that it violated the Children’s Online Privacy Protection Act and the New Jersey Consumer Fraud Act. The charges stem from a data breach at the website that compromised 2.2 million unencrypted usernames and passwords. Unixiz also agreed to pay civil penalty of $98,618.

Aug. 3. France’s National Commission for Computing and Freedom fines the video platform Dailymotion €50,000 for failing to secure its customers’ personal data. The action stems from a 2016 data breach in which 82.5 million email addresses and 183 million passwords were stolen. The platform says no users have reported any damages since the breach.

Aug. 1. Social forum site Reddit announces intruders were able to access the email addresses of some current accounts and a backup database from 2007 that contained salted and hashed passwords. It adds the intruders gained access to the compromised data through employee accounts in the company’s cloud and source code hosting providers, not the main website. It also notes that the two-factor authentication protecting the accounts failed because the intruders were able to intercept the SMS messages containing the 2FA codes used to authenticate account users.

July

Jul. 31. Dixons Carphone revises number of customers affected by data breach it announced in June to 10 million from original estimate of 1.2 million. The company is writing to customers to apologize for the data breach, but does not plan to pay compensation because it says no one suffered any financial loss.

Jul. 31. White Room Solutions confirms a vulnerability on one of its servers gave white-hat hacker Taylor Ralston access to “several thousand” records belonging to a number of UK fashion sites, including AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle Attire (ellebelleattire.com), and Traffic People (trafficpeople.co.uk). Security researcher Troy Hunt, who has seen the exposed data, estimates close to a million unique email addresses and records were at risk of theft.

Jul. 30. UnityPoint Health, an Iowa-based regional health network, begins notifying 1.4 million patients their personal information is at risk after phishing scam compromised the provider’s email system.

Jul. 30. Yale University begins notifying an undisclosed number of people after it discovers it was the target of a data breach between April 2008 and January 2009. The school discovered the breach when it was testing its servers for vulnerabilities in June.

Jul. 27. U.S. District Judge Dolly M. Gee sentences Mikhail Konstantinov Malykhin, 36, aka LAX and Ebay, to serve 70 months in federal prison and to pay $4.1 million in restitution for his role in a payment card fraud scheme that included posing as a healthcare benefits administrator and issuing unauthorized payment cards that were used for fraud.

Jul. 26. Healthcare IT News reports ransomware attack at Blue Springs Family Care in Missouri has placed 44,979 patient records at risk. In addition to the ransomware, a variety of malware was installed on the healthcare provider’s system that gave the intruders full access to all patient data.

Jul. 25. China Ocean Shipping Company (COSCO), one of the largest shipping companies in the world, takes its US computer network offline after it was infected with ransomware.

Jul. 24. Krebs on Security reports The National Bank of Blacksburg, Va. was robbed twice in the last eight months by cyber robbers, who stole more than $2.4 million from the institution.

Jul. 23. Sudhakar Reddy Bonthu, 44, a former manager at Equifax, pleads guilty to charge of insider trading based on his purchases of options ahead of Equifax’s public announcement of its data breach that compromised personal information of more than 145 million Americans.

Jul. 20. New York Times reports tens of thousands of sensitive corporate documents, including many from nearly all of the largest auto manufacturers, were exposed to the public internet for an unknown amount of time. The unprotected cache, discovered by security researcher Chris Vickery, included detailed blueprints and factory schematics; client materials such as contracts, invoices and work plans; and dozens of nondisclosure agreements describing the sensitivity of the exposed information.

Jul. 19. Group-IB, a Russian cybersecurity firm, reveals a criminal group known as MoneyTaker robbed about $1 million from PIR Bank in Moscow by breaking into its computer network through an outdated router.

Jul. 18. Security researcher Bob Diachenko reveals misconfigured Amazon cloud storage bucket managed by Robocent, a political auto-dialing concern based in Virginia, has exposed to the public internet 2,594 files, including audio files with pre-recorded political messages for robocalls and a “massive” amount of US voter data.

Jul. 18. UK’s Information Commissioner’s Office fines The Independent Inquiry into Child Sexual Abuse £200,000 for exposing the email addresses of 90 people, some of them possible abuse victims, by putting the addresses on the “To” line of a mass email rather than on the “BCC” line.

Jul. 16. California Gov. Jerry Brown signs into law a bill requiring anyone using state voting data to report any security breaches affecting that data.

Jul. 16. Spanish telecommunications company Telefónica patches security hole that allowed anyone to access the billing information of millions of the company’s customers. Customers logging into the system could make a small alteration in the URL they used to access their invoices and gain access to another customer’s data. Despite the exposure, Telefónica says no signs of fraudulent access have been detected.

Jul. 16. Algonquin College of Applied Arts and Technology in Ottawa, Canada, announces 111,499 people were affected by a computer security breach earlier this year. It notes only birthdays and home addresses of the victims were exposed to the intruders. It adds another 106,931 people, including students, alumni, plus current and former employees, had information stored on the server that was attacked, but that data was assessed as having a low risk of misuse.

Jul. 16. GameStop agrees to settlement of lawsuit stemming from data breach that compromised customer payment card information. Under the proposed settlement, the company will pay up to $235 for each person who purchased items from August 2016 to February 2017 and was impacted by the breach. Class members with extraordinary expenses can request up to $10,000. The electronics retailer also agreed to pay $557,500 in attorney’s fees and $3,750 to each of the class representatives.

Jul. 15. LabCorp, one of the largest blood testing labs in the United States and a Fortune 500 company, shuts down its computer network across the country after discovering hackers trying to access the medical records of millions of people. Company’s initial assessment is that there was no unauthorized access to or misuse of data.

Jul. 12. IBM releases study finding the average cost of data breach for an organization to be $3.86 million, a 6.4 percent increase over its findings in 2017. It also finds that the average time it takes to discover a data breach is 197 days and once found, it takes an average of 69 days to contain.

Jul. 11. UK’s Information Commissioner’s Office fines Facebook £500,000 for its role in allowing Cambridge Analytica to harvest the data of 87 million users for political purposes. The fine is less than 10 minutes’ worth of revenue for the $590 billion company.

Jul. 10. Chinese law enforcement task force arrests 20 suspects involved in cryptomining scheme that netted the crew more than $2 million over two-year period. During that time, the gang compromised 389 million computers in China.

Jul. 9. German hosting company DomainFactory, which is owned by GoDaddy, shuts down online forums after postings appear claiming the company’s computers have been compromised. The company advises users to change their passwords.

Jul. 6. B&B Hospitality Group announces its point-of-sale systems in its restaurants were infected with payment card data scraping malware between March 1, 2017 and May 8, 2018. It advises customers who did business with any B&B eateries during that period to monitor their payment card statements for unauthorized purchases.

Jul. 5. CBC/Radio Canada updates number of people affected by data breach in May to 23,675 from 20,008. Breach occurred when thieves broke into one of the company’s offices and stole computer equipment containing confidential information.

Jul. 5. Russian internet company Yandex announces links to private Google Doc documents have been appearing in search results of its public search engine. Yandex says it is unclear whether the files were meant to be publicly viewable by their authors and how many there are.

Jul. 4. Have I Been Pwned, a data breach database website, tweets Yatra, an Indian travel bookings site, was breached in 2013 and five million records were stolen by cyber thieves. The breach has remained unreported by Yatra until now.

Jul. 4. Children’s Mercy Hospital in Kansas City, Mo. announces data for 60,000 people may have been compromised by phishing scam that gave intruders unauthorized access to several employee email accounts at the end of 2017 and the beginning of 2018.

Jul. 3. State Treasurer Denise Nappier announces hackers cracked 21 Connecticut Higher Education Trust accounts and withdrew $1.4 million. The trust is a 529 college savings plan with more than $3.6 billion in assets under management and approximately 150,000 accounts.

Jul. 3. Fortnum & Mason, a UK upmarket department store, reports 23,000 of its shoppers may be affected by a data breach at Typeform, a third-party online provider of survey and voting services.

Jul. 3. Golden Heart Administrative Professionals, which provides billing services for Alaska health care providers and other businesses, reveals ransomware attack on its systems has put at risk personal information of 500 clients.

Jul. 4. Timehop, an online nostalgia site, announces a data breach has compromised personal identifying information of some 21 million of its users.

Jul. 2. Macy’s Inc. notifies New Hampshire Attorney General that from about April 26 to June 12 an attacker used valid user credentials to log into some online profiles. It adds that the intruder was able to access customers’ names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Total number of customers affected by the breach wasn’t disclosed, but 753 people were affected in the Granite State.

Jul. 2. ZDNet reports U.S. Department of Homeland Security has issued subpoena to Twitter to obtain identity data on a user with the handle Flash Gordon, who regularly tweets about data leaks. Gordon recently found a cache of data from ALERRT, a Texas State University-based organization that trains police and civilians against active shooters.

Jul. 2. NHS England reveals a flaw in an app developed by SystmOne has exposed medical information of 150,000 patients to healthcare researchers and planners.

Jul. 2. Whitbread, a multinational company based in the UK, notifies an undisclosed number of Australian job applicants for positions at its Costa Coffee and Premier Inn properties that their personal information was stolen from its human resources systems, which are run by PageUp.


John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

The Cybercrime Diary is sponsored by Digital Defense, Inc.

Founded in 1999, Digital Defense is a trusted provider of security risk assessment solutions, protecting billions of dollars in assets for clients around the globe.

Serving clients across numerous industries from small businesses to very large enterprises, Digital Defense’s innovative and leading edge information security technology helps organizations safeguard sensitive data and eases the burdens associated with information security. Frontline Vulnerability Manager™, the original Vulnerability Management as a Service (VMaaS) platform, delivers consistently accurate vulnerability scanning and penetration testing, while SecurED®, the company’s security awareness training promotes employees’ security-minded behavior.