05 Apr Cybercrime Diary, Vol. 2, No. 3: Who’s Hacked? Latest Data Breaches And Cyberattacks
Massive data breaches dominate the news in third quarter of 2017
Menlo Park, Calif. – Oct. 3, 2017
Massive data breaches at credit reporting agency Equifax and subscription television service HBO dominated data breach news during this year’s third quarter.
Sensitive information for more than 140 million Americans was compromised by the Equifax data breach, which set off a cascade of resignations, lawsuits and investigations.
CEO of the company, Richard Smith, resigned, as did Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. Nearly a dozen lawsuits were filed in the federal and state courts, as well as in a Canadian court where consumers are seeking $450 billion in damages.
Meanwhile, the Federal Trade Commission announced it is probing the breach. In addition, 40 states have banded together to investigate the incident. Equifax, too, is looking into the breach, as well as $1.8 million in stock sales made by senior executives just weeks before the event was made public.
At HBO, hackers calling themselves Mr. Smith pilfered 1.5 terabytes of data from HBO and dribbled it on the Internet during August. They started with unaired episodes of Ballers and Room 104, as well as written material for an episode of Game of Thrones. They then moved on to dropping four unaired episodes of GoT and prior to that show’s season finale, released a detailed outline of that installment. Some arrests were made in connection with the data theft in India. Police there collared three employees and one former employee of Prime Focus Technology which stores and processes GoT for the Indian streaming website Hotstar.
Past massive data breaches also made headlines during the period. An arrest was made in connection with the June 2015 data breach at the U.S. Office of Personnel management in which sensitive data for more than 21 million people was stolen. Yu Pingan, a Chinese national, was arrested in Los Angeles and later charged with having a hand in the malware that was used for the breach. Meanwhile, the OPM got off the hook for any legal ramifications from the incident when a federal district court judge in D.C. dismissed two lawsuits filed against the agency over the breach.
An arrest was also made in connection to the huge data breach at Yahoo which affected more than a billion user accounts. Karim Baratov, 22, pleaded not guilty in a San Francisco federal court to charges he participated in the Yahoo hack. Yahoo wasn’t as lucky as the OPM in avoiding litigation, though. A federal district court in California ruled that a class action lawsuit could proceed against the company.
According to the Identity Theft Resource Center, there were 791 data breaches during the first six months of the year, a 29 percent jump over the same period in 2016. Breaches continued to climb in the second half of the year. Many of those breaches involved household names.
For example, Dow Jones & Company, Time Warner, Viacom, Verizon and World Wrestling Entertainment all put customer data at risk by misconfirguring cloud servers. Wells Fargo placed information about its wealthiest customers at risk when it accidently sent the data to opposing attorneys in a lawsuit involving the bank. Customer credit card information at Whole Foods and Sonic was compromised by point-of-sale attacks. Instagram’s security, too, was compromised due to a software bug. Meanwhile, Hard Rock Hotels & Casinos discovered payment card information over an eight month period was compromised by a breach ast a third-party reservation system.
Some significant penalties and settlements were also announced during the period. SAManage USA paid a $264,000 fine for exposing the data of Vermont Health Connect users, and TalkTalk, a U.K. IT services provider, paid a £100,000 fine for a breach affecting 21,000 customers. Meanwhile, Ruby Corp. settled a lawsuit against Ashley Madison for $11.2 million, Nationwide Insurance paid $5.5 million to put to rest a case arising from a 2012 data breach that exposed the personal information of 1.27 million customers and healthcare insurer Anthem received preliminary approval of a $115 million settlement of litigation arising from 2015 breach that allowed intruders to access personal identifying information of 80 million people.
CYBERCRIME DIARY
September
Sep. 29. Equifax tells U.S. House of Representatives it is investigating sale of stock by senior executives weeks before a massive data breach at the company was made public. Executives made $1.8 million off the stock sale. Sensitive information on some 143 million Americans was compromised in the breach.
Sep. 29. Crystal Bray and Samuel Cook file putative class action lawsuit against GameStop over six-month data breach that compromised payment cards of its customers. Plaintiffs allege the company’s cavalier approach to data security led to the breach.
Sep. 29. Vermont Attorney General T. J. Donovan announces SAManage USA, which provides support services for Vermont Health Connect, will pay a $264,000 fine for a data breach affecting 660 VHC users.
Sep. 28. Whole Foods, a grocery chain recently acquired by Amazon, reveals a data breach compromised credit card information at taprooms and restaurants at some of its stores. It adds that Payment cards used at its grocery stores were not affected by the breach.
Sep. 28. Chicago files lawsuit in state court against Equifax in connection with data breach at company. City alleges Equifax violated the city’s consumer fraud ordinance and state laws regarding information privacy, consumer fraud and deceptive practices.
Sep. 27. San Francisco files lawsuit in California state court seeking tens of millions of dollars in civil penalties against Equifax in connection with data breach at company.
Sep. 26. Krebs on Security reports data breach at Sonic Drive-In may have compromised some five million payment card accounts. Sonic is a fast-food chain with 3,600 locations in 45 states.
Sep. 26. Richard Smith resigns as CEO of Equifax. During Smith’s tenure at the company, it experienced a data breach in which sensitive information on 143 million Americans was compromised.
Sep. 22. Law firms Robbins Geller and Hagens Berman announce they’ve filed proposed class-action lawsuit on behalf of people in 43 states in federal district court in Atlanta against Equifax in connection with data breach at company,
Sep. 21. Webroot reports an average of 1.4 million phishing sites are created every month. Phishing is a prime method for creating data breaches.
Sep. 21. Kromtech discovers data repository of vehicle device and monitoring company SVR exposed on the Internet due to a configuration error in an Amazon Web Services S3 bucket. Data included information on SVR’s customers and re-seller network, as well as on tracking devices on vehicles.
Sep. 19. U.S. District Court in Washington, D.C. dismisses two lawsuits filed against the Office of Personnel Management over June 2015 data breach in which sensitive data on more than 21 million people was stolen.
Sep. 19. Upguard, a cybersecurity firm, reports about a gigabyte of credentials and configuration files belonging to entertainment giant Viacom were exposed on the Internet via an unsecured server.
Sep. 15. Equifax announces resignations of Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. Resignations follow data breach that affected 143 million U.S. customers.
Sep. 15. U.S. Rep. Jim Himes, D-Conn., files bill to protect consumers affected by data breach at a credit reporting agency. Measure allows consumers to ask for a security freeze on their information free of charge following a breach.
Sep. 14. Scott Meyers, Judey Meyers and Karl Gordon Eikost file a proposed class-action lawsuit in a Chicago federal court against Equifax in connection with data breach at company.
Sep. 12. Jennifer Mertlich and others file proposed class-action lawsuit in a Seattle federal court against Equifax in connection with data breach at company.
Sep. 14. Federal Trade Commission announces investigation of data breach at Equifax.
Sep. 13. Reuters reports nearly 40 states have joined an investigation into data breach at Equifax.
Sep. 12. Canadian consumers seek $450 billion in class-action lawsuit filed in Toronto against Equifax in connection with data breach at company.
Sep. 11. Five citizens of Utah file proposed class-action lawsuit in Salt Lake City federal court against Equifax. Citizens are seeking $5 billion in damages.
Sep. 9. Brian F. Spector of Florida and James McGonnigal of Maryland file proposed class-action lawsuit in an Atlanta federal court against Equifax..
Sep. 8. ZDNet reports Alexander Filinov and Konstantin Teplyakov, two members of the Humpty Dumpty hacker gang have been sentenced by a Moscow court to three years in a penal colony for compromising computers, smartphones and tablets of Russian citizens and stealing data from them. It adds that accounts of high ranking Kremlin officials were also hacked by the group, including the Twitter account of Prime Minister Dmitry Medvedev.
Sep. 7. Credit reporting agency Equifax reveals data breach of its systems placing at risk sensitive information of 143 million American consumers.
Sep. 7. Roman Seleznev, 33, pleas guilty in federal courts in Nevada and Georgia to his role in a cyber theft ring that allegedly stole $50 million using credit card numbers stolen from online sources. Seleznev is the son of Valery Seleznev, a member of Russia’s lower house of parliament who has been critical of U.S. policies.
Sep. 5. Times of London reports data breaches at British universities have doubled in the last two years to 1,152. It notes cyber gangs behind the attacks seek information that they can sell to nation-states.
Sep. 4. Hacker News reports massive data breach at Taringa, known as the Reddit of Latin America. Breach compromised login details of 28 million users. HN says LeakBase, a breach notification service, has obtained a copy of the stolen data.
Sep. 4. Upguard, a security research firm, reports third-party contractor for private military contractor TigerSwan accidentally exposed on the Internet resume files of 9,402 people. Data includes job histories of U.S. military veterans, mercenaries and Iraqi and Afghan nationals who worked in their countries with U.S. forces and government institutions.
Sep. 1. Kromtech reports four million records containing personal information of Time Warner customers were stored without a password on an Amazon server. More than 600 GB of data was exposed, which included usernames, email addresses, MAC addresses, device serial numbers and financial transaction information.
Sep. 1. Crown Records Management releases survey finding that in the U.K. pharmaceutical industry 23 percent of IT decision makers chose not to report a data breach to management or appropriate authorities; 23 percent know someone who hasn’t reported a breach; and 15 percent don’t know to whom to report a breach.
Sep. 1. U.K. Information Commissioner’s Office fines Nottinghamshire County Council £70,000 for exposing to the public Internet personal data of elderly and disabled people in an online directory.
Sep. 1. AXA insurance notifies 5,400 customers some of their personal data is at risk after a data breach at its online health portal. It says email addresses, birth dates and mobile numbers were exposed in the breach.
August
Aug. 31. U.S. District court Judge Lucy Koh rules class action lawsuit may proceed against Yahoo over three data breaches from 2013 to 2015 which affected more than a billion user accounts.
Aug. 30. CeX, a technology and video game retailer, says personal details of up to two million customers may have been compromised in a “sophisticated breach.”
Aug. 30. Instagram, a Facebook company, announces hackers exploited a software bug in its software that allowed them to access the accounts of an unspecified number of “high profile” users. The company says email addresses and phone numbers may have been obtained by the data thieves but not the passwords for the accounts.
Aug. 30. U.S. Food and Drug administration issues recall of 465,000 St. Jude pacemakers so their firmware can be patched to prevent unauthorized tampering with the devices.
Aug. 30. Mid-Michigan Physicians Imaging Center notifies more than 106,000 patients that their personal health information is at risk due to a data breach at a third-party service provider, McLaren Medical Group.
Aug. 30. Silver Cross Hospital in Lenox, Ill. reveals data breach at third-party service provider has exposed health information for up to 9,000 patients.
Aug. 30. U.S. Appeals Court in St. Louis upholds most of lower court ruling dismissing lawsuit stemming from two 2014 data breaches at SuperValu, a supermarket wholesaler and retailer based in Minnesota. However, the court reinstated the case of one of the plaintiffs who demonstrated his credit card was misused because of the data breach.
Aug. 29. Security researcher with the handle Benkow discovers server in the Netherlands containing information on 711 million email accounts for the Onliner spambot. Onliner is used to deliver banking malware and is responsible for more than 100,000 infections around the world, according to Benkow.
Aug. 28. Legal Action Center files lawsuit against Aetna accusing the insurer of breaching the privacy rights of 12,000 customers in 23 states by allowing the words “filling prescriptions for HIV” to be seen in window envelopes sent to the clients. Lawsuit seeks unspecified damages, a change in Aetna’s mailing practices and legal fees and costs.
Aug. 28. Major League Lacrosse sends email to its players informing them a link on the player registration web page directed browsers to a spreadsheet containing social security numbers, email addresses, phone numbers and mailing addresses of everyone in the league’s player pool.
Aug. 26. Hackers known as Mr. Smith, who claim to have stolen 1.5 terabytes of data from HBO, post on Reddit a detailed outline of the much anticipated season finale of the HBO series Game of Thrones.
Aug. 25. U.S. District Court Judge Lucy Koh gives preliminary approval of $115 million settlement of litigation against healthcare insurer Anthem over massive data breach in 2015 when intruders accessed personal identifying information and other data on some 80 million people.
Aug. 25. Taiwan’s Financial Supervisory Commission says no data breach was involved in incidents of credit card fraud involving Apple Pay. Fraudulent purchases were made through the service after user bank accounts were compromised through social engineering attacks.
Aug. 25. ERPScan reports vulnerabilities in point of sale systems developed by SAP and Oracle that allow an adversary to not only compromise credit card data but gain control of the POS server and perform tasks such as changing prices or remotely starting or stopping terminals.
Aug. 24. Yu Pingan, a Chinese national, is accused by U.S. Justice Department of being linked to malware used in massive data theft at U.S. Office of Personnel Management. Pingan was arrested Aug. 21 at Los Angeles International Airport.
Aug. 24. Legal Action Center and AIDS Law Project of Pennsylvania says health insurer Aetna exposed the HIV status of patients in several states in the clear window of the envelopes of mail communications sent to the patients.
Aug. 24. Beaumont, Texas suspends online water bill payment system after it received complaints from taxpayers of unauthorized charges to their iTunes accounts. City says it is investigating potential data breach.
Aug. 23. Karim Baratov, 22, pleads not guilty in San Francisco federal court to charges he participated in the massive hack of Yahoo.
Aug. 21. OneLogin releases survey of 500 IT decision makers finding one in five enterprises say failure to deprovision employees from corporate applications contributed to a data breach in their organizations.
Aug. 21. OurMine hacks Sony PlayStation social media accounts. It also posts to Twitter screenshots of the PlayStation Network’s databases, suggesting they have been compromised.
Aug. 18. The Sun reports a person with alleged connections to the hacktivist group Anonymous has stolen data on 1.2 million patients of the U.K.’s national health system.
Aug. 18. U.S. Department of Labor shuts down portal for employers to report employee injuries and illnesses after it was informed by Department of Homeland Security that data at the site may be compromised.
Aug. 17. San Antonio Institute for Women’s Health warns patients their personal information is at risk after it discovered a keylogger residing on its systems from June 5 to July 6.
Aug. 17. Security researcher Chris Vickery reports misconfigured Amazon Web Services server exposed to the public Internet information on 1.8 million Chicago voters.
Aug. 17. Hacker group calling itself OurMine compromises HBO’s Twitter and Facebook accounts and advises company to tighten up its security.
Aug. 17. Delaware Gov. John Carney signs into law bill requiring free credit monitoring services to citizens of state whose personal information is compromised in a data breach.
Aug. 17. AP Moller Maersk reports $264 million loss due to disruptions in service caused by the NotPetya virus in June.
Aug. 15. Indian Police arrest three employees and one former employee of Prime Focus Technology in connection with leaking an unaired episode of the HBO series Game of Thrones. Prime Focus stores and processes the series for the Indian streaming website Hotstar.
Aug. 11. U.K.’s Information Commissioner’s Office fines IT services company TalkTalk £100,000 in connection with a third-party data breach that allowed unlawful access to the personal data of up to 21,000 customers.
Aug. 9. Nationwide Mutual Insurance agrees to pay states $5.5 million to settle case stemming from 2012 data breach which exposed the personal information of 1.27 million consumers.
Aug. 9. U.S. Department of Justice charges two Iranian nationals — Arash Amiri Abedian, 31, and Danial Jeloudar, 27 — of hacking into online merchants and stealing credit card and personal information of customers.
Aug. 9. Kromtech reports misconfigured Amazon Web Services bucket leaves vulnerable personal identifying information of an estimated 48,000 customers of Indian credit services company Creditseva.
Aug. 8. Colorado Judicial Department reveals inadvertant exposure of files containing more than 600,000 jurors in the state for almost a year. Agency states it doesn’t beleive data was downloaded in bulk, stolen or used illegally.
Aug. 7. Hackers drop second wave of sensitive HBO data on the Internet. Drop includes four episodes of the current Game of Thrones season, the script of an unaired fifth episode and countless internal documents.
Aug. 5. UCLA notifies more than 30,000 current and former students their personal data was on a server accessed by an unauthorized party. University adds it does not believe any sensitive information was obtained by the intruder.
Aug. 4. Protenus reports there were 233 healthcare data breaches during the first half of 2017 affecting 1.2 million patient records.
Aug. 2. FBI arrests Marcus Hutchins, 23, for his role in creating and distributing the Kronos banking Trojan. Hutchins has been credited with stalling the spread of WannaCry malware which crippled the U.K.’s national health care system in May.
Aug. 1. Kaspersky Lab reports DDoS attacks were launched against resources in 84 countries during 2Q 2017, an increase of 14 nations from previous quarter, although almost half the attacks (47.42 percent) were directed at China.
Aug. 1. Cyber insurance underwriter Beazley reports 32 percent of 1,330 client incidents during the first six months of 2017 were caused by hacking and malware attacks. Another 30 percent of the breaches were caused by employee or third-party provider error.
Aug. 1. Mandiant, which is owned by FireEye, confirms the social media accounts and personal laptop of one of its employees were compromised and business documents related to two Israeli customers stolen.
Aug. 1. Federal appeals court rules customers of CareFirst can sue the health insurer over a 2014 data breach of its systems. Appeals court reversed decision of lower court which dismissed the lawsuit.
July
Jul. 31. Entertainment weekly reports hackers stole 1.5 terabytes of data from HBO. Some of data posted to the Internet includes upcoming episodes of Ballers and Room 104, as well as written material from the fourth episode of Game of Thrones.
Jul. 30. France fines Hertz £40,000 after car rental company exposed personal identifying information of 35,357 customers to the public Internet due to a misconfigured server.
Jul. 28. Anthem reports personal identifying information of more than 18,500 members is at risk after an employee emailed the data to a personal account. The healthcare provider notes the employee was engaged in activities related to identity theft..
Jul. 27. Virgin America notifies employees their personal information is at risk after an unauthorized party gained access to login information and passwords used to access the company’s computer network. It notes 3,120 employees and contractors had their login credentials compromised and 110 employees had personal identifying information stolen.
Jul. 26. U.S. grand jury indicts Alexander Vinnik for laundering more than $4 billion in bitcoin, including funds from Mt. Gox, a failed bitcoin exchange.
Jul. 26. UniCredit, Italy’s biggest bank, reports two data breaches at one of its third-party providers resulted in unauthorized access to personal loan accounts of 400,000 customers. Breaches occurred in September and October 2016 and June and July 2017.
Jul. 26. HackRead reports China has arrested 11 hackers suspected of developing Fireball, a malware program which infected 250 million computers worldwide, 20 percent of them in large corporations.
Jul. 26. Gait House hotel in Louisville, Ky. reveals its payment processing system was infected with malware putting at risk payment card transactions performed between Dec. 21, 2016 and April 11.
Jul. 24. Swedish Prime Minister Stefan Lofven calls data breach at country’s Transport Agency “incredibly serious.” Inadequate safeguards at a government contractor exposed all information in the agency’s database to the contractor’s Eastern European subsidiaries. Data included details about bridges, roads, ports, the subway system in Stockholm and other infrastructure. It also may have included the identities of undercover agents working for the Swedish police and armed forces.
Jul. 24. Thales releases 2017 data threat report which finds 43 percent of retailers have suffered an IT breach in the past year.
Jul. 24. RedLock reports hundreds of organizations have misconfigured their Google Groups service exposing personal identifying information of group members to the public Internet.
Jul. 24. Federal court in St. Louis approves Ruby Corp. agreement to pay $11.2 million to settle class action lawsuit stemming from data breach at Ashley Madison adultery website.
Jul. 22. Bloomberg reports Wells Fargo in under investigation by the federal Financial Industry Regulatory Authority for accidentally submitting to an attorney sensitive information for tens of thousands of accounts belonging to high-wealth individuals doing brokerage business with the bank.
Jul. 21. New York Times reports 1.4 gigabytes of data affecting at least 50,000 Wells Fargo customers, including some of the banks wealthiest clients, was inadvertently sent to lawyers of a former employee suing the institution for defamation. Newspaper notes the disclosure is a data breach that potentially violates numerous state and federal consumer privacy laws.
Jul. 21. Darkface, a security firm, reports hackers pilfered 10 GB of data from a North American casino by compromising a fish tank connected to the Internet.
Jul. 21. Federal district court in Colorado dismisses proposed class action lawsuit by credit unions stemming from data breach at Noodles & Co. A data breach at Noodles in September 2016 placed at risk the payment cards of hundreds of thousands of customers who ate at the restaurant chain’s 322 locations in the nation.
Jul. 21. Atlantis Paradise Island resort in the Bahamas reports point-of-sale system for its food, beverage and retail locations was compromised by malware putting at risk all payment card transactions made from Nov. 1, 2016 to April 3, 2017.
Jul. 21. Nuance, a speech recognition company, issues financial statement warning Wall Street analysts that its fiscal 2017 third quarter and possibly the fourth quarter would be negatively impacted by the NotPetya global ransomware attack.
Jul. 20. Ricoh Australia warns banks, government agencies. universities and large businesses that a number of documents about its multifunction devices, some containing sensitive data, have been posted to the Internet and indexed by Google’s search engine.
Jul. 19. Arlington Research releases survey of 500 IT workers commissioned by OneLogin finding that 32 percent of companies take more than a week to remove former workers from their systems. Survey also found that 20 percent of organizations have experienced a data breach caused by an ex-employee.
Jul. 18. Identity Theft Resource Center and CyberScout reports 791 data breaches for the first six months of 2017, a 29 percent jump over 2016.
Jul. 18. Women’s Health Care Group PA in Philadelphia reveals that one of its servers and a workstation were subjected to a ransomware attack affecting 300,000 people. Group was able to continue normal operations by restoring affected data from backups.
Jul. 17. UpGuard reports sensitive and personal information of from two to four million Dow Jones & Company customers was exposed to more than a million users of Amazon Web Services through a cloud-based repository configured for semi-public access. Also exposed were the details of 1.6 million entries in a suite of databases used largely by financial institutions for compliance with money laundering regulations.
Jul. 17. B&B Theatres, the seventh largest theater chain in the United States, says it’s investigating a breach of its credit card system. The announcement came after blogger Brian Krebs reported the company has been leaking customer credit card data from its systems for two years.
Jul. 17. FBI issues warning to consumers to consider cybersecurity before introducing smart, interactive, Internet-connected toys into their homes or trusted environments. Such toys can collect personal information that puts the privacy of children at risk.
Jul. 17. U.S. Virgin Islands police department announces it will stop collecting Social Security information from people filing incident reports. Decision made after police officer stole personal identifying information of four people as part of an alleged identity theft scam.
Jul. 15. U.K. Information Commissioner’s Office fines Boomerang Video £60,000 for 2014 data breach that resulted in the theft of information on 26,331 customers.
Jul. 14. Ruby Corp. agrees to pay $11.2 million to settle class action lawsuit stemming from data breach at Ashley Madison adultery website.
Jul. 14. Kevin Kunlay Williams, 56, pleads guilty in federal court in St. Louis to mail fraud, aggravated identity theft, re-entry of a removed alien and making a false statement relating to citizenship. Williams admits in court that he filed more than 2,000 fraudulent tax returns seeking $12.2 million in refunds.
Jul. 13. The international healthcare group Bupta reveals personal identifying information for 547,000 customers was compromised when an employee copied and removed the data from the company’s systems. It notes no financial or medical data was stolen.
Jul. 12. UpGuard reports a third-party vendor has exposed on the Internet personal identifying information of as many 14 million Verizon customers by misconfiguring a cloud server.It adds that data from a French telco, Orange S.A., was also exposed on the server owned and operated by Nice systems, an Israeli company that’s known to work closely with phone cracking firms Hacking Team and Cellebrite.
Jul. 12. Wilshire Law Firm files proposed class action lawsuit against Sabre Corp. over eight-month data breach that compromised payment card information of customers who made reservations at a number of hotels. Among the affected hotels were Trump Hotels, the Four Seasons, Hard Rock International, Montage Beverly Hills and Loews Hotels.
Jul. 12. Indian law enforcement authorities arrest Imran Chippa, 35, a former engineering student from Rajasthan, for allegedly stealing and posting to the Internet personal data of more than 100 million customers of Reliance Jio, an Indian telecom company.
Jul. 12. University of Iowa Health Care warns 5,300 patients some of their health care information is at risk after it was posted for two years to an unsecure application developer’s website. It notes that the information did not include clinical information like diagnoses, social security numbers or financial information like credit card numbers.
Jul. 12. KnowBe4, a security training provider, releases quarterly analysis of top phishing subject lines. Top lines for the second quarter of 2017 included Security Alert, Revised Vacation & Sick Time Policy and UPS Label Delivery 1ZBE312TNY00015011.
Jul. 10. Kaspersky Lab and B2B International reports that employees in 40 percent of businesses worldwide hide IT security incidents to avoid punishment.
Jul. 7. Krebs on Security reports the seventh largest theater chain in the United States, B&B Theaters, is investigating a two-year breach of its credit card systems. The chain operates 414 screens in 50 locations in nine states.
July 7. Avanti Markets, a self-service payment kiosk operator, notifies users of its machines that some 1900 of them were infected with malware designed to steal payment card and other information. Infection occurred from July 4 to August 4. According to the company, the kiosks are used by 1.6 million customers in 46 states.
Jul. 6. Hard Rock Hotels & Casinos announces that due to a security incident at a third-party reservation system, payment card information is at risk of customers who performed transactions at 11 of the chain’s locations from Aug. 10, 2016 to March 9, 2017.
Jul. 6. The Register reports South Korean law enforcement authorities are investigating a data breach at digital money exchange Bithumb. It noted personal identifying information for 32,000 users — about three percent of the user base — was stolen. Bithumb handled $1.7 billion in bitcoin transactions in 2016.
Jul. 6. Logicforce releases survey of more than 200 law firms finding two-thirds of them (66 percent) reported a data breach in 2016. It also notes that an average of 10,000 intrusions occur daily at law firms.
Jul. 6. UC Davis Health in California notifies some 15,000 patients their personal information is at risk after an employee was duped by a phishing scam.
Jul. 5. MacKeeper reports Kromtech discovered two open and publically accessible Amazon S3 buckets with personal identifying information of more than three million fans of World Wrestling Entertainment.
Jul. 5. Federal court judge in Illinois dismisses putative class action lawsuit against digital toymaker VTech. Litigation stems from data breach in which data on 11 million adults and children was compromised.
Jul. 5. Airway Oxygen, a health care provider in Wyoming, Mich. reports ransomware attack affecting 500,000 people. It says there is no indication that any protected health information was accessed or acquired during the attack.
Jul. 4. FBI alerts Wooster-Ashland Regional Council of Governments in Ohio of a data breach of its computer systems involving more than 200,000 records containing confidential information of the region’s residents.
Jul. 3. Motherboard reports AA, a U.K. auto insurance company, exposed on the Internet sensitive information of more than 100,000 customers due to a misconfigured server and did not tell them about it.
Jul. 3. The Guardian reports that Medicare patient details of any Australian is being sold on the Dark Net for $30 per individual. It noted the data seller says requests for information can be fulfilled by exploiting a vulnerability in the government’s systems.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
The Cybercrime Diary is sponsored by Digital Defense, Inc.
Founded in 1999, Digital Defense is a trusted provider of security risk assessment solutions, protecting billions of dollars in assets for clients around the globe.
Serving clients across numerous industries from small businesses to very large enterprises, Digital Defense’s innovative and leading edge information security technology helps organizations safeguard sensitive data and eases the burdens associated with information security. Frontline Vulnerability Manager™, the original Vulnerability Management as a Service (VMaaS) platform, delivers consistently accurate vulnerability scanning and penetration testing, while SecurED®, the company’s security awareness training promotes employees’ security-minded behavior.