06 Apr Cybercrime Diary, Vol. 5, No. 1: Who’s Hacked? Latest Data Breaches And Cyberattacks
MGM and Marriott leak data while Google, Equifax and Facebook pay fines and settlements
Sausalito, Calif. – Apr. 1, 2020
In cybercrime news last quarter, data on 10.6 million guests who stayed at MGM hotels was posted on the dark Web, while another hotel chain, Marriott, revealed an unauthorized party may have accessed personal information for 5.2 million of its lodgers. Meanwhile, Google settled a data-sharing lawsuit for $7.5 million and Equifax finalized the settlement in its data breach case for $1.38 billion.
In addition, regulators in the U.S. and U.K. had a busy quarter fining Facebook $550 million, Dixon Carphones $613,500, and Cathay Airlines $542,882. And in the country of Georgia, the personal data of pretty near everyone was compromised in a single data breach, while data on every voter in Israel was exposed by a misconfigured app.
Mar. 31. Marriott International reveals an unauthorized party may have accessed personal information of some 5.2 million guests at its hotel properties. It says intruders used credentials of two employees to access the data.
Mar. 28. Under the Breach, a data breach monitoring and prevention service, discovers in an online forum a database containing personal information of more than 4.9 million citizens, both living and dead, of the country of Georgia. Information in the Microsoft Access database included full names, home addresses, dates of birth, ID numbers, and mobile phone numbers
Mar. 27. TechCrunch reports a database containing information for about 217,000 social influencers was stolen by hackers in October 2019 from Social Bluebook, a social media platform that connects influencers with advertisers. TechCrunch says it’s not known yet how the database was stolen or who was behind the theft.
Mar. 24. General Electric warns an undisclosed number of current and former workers that an unauthorized party accessed their personal information, which was contained in an email account at Canon Business Process Services, a third-party vendor that works for GE. Data accessed by the intruder included direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, and tax withholding forms.
Mar. 23. Dark Reading reports personal information of 538 million users of Weibo, a Chinese version of Twitter, has been posted for sale for $250 on the dark web. It notes data includes usernames, gender, location, and, in some cases, phone numbers, but does not include passwords or payment information.
Mar. 20. University of Utah Health reveals data breach and malware attack may have exposed data for some of its patients to unauthorized parties. Data included names, dates of birth, medical record numbers, and “limited clinical information.”
Mar. 20. Finastra, a provider of financial software and services to more than 9,000 customers from 130 countries across the globe, including 90 of the world’s top 100 banks, takes several servers offline after reporting ransomware attack. The company did not release details of the attack, but Bad Packets, a cybersecurity firm, says it previously detected some unpatched VPN servers used by Finastra.
Mar. 20. Security researchers at CyberNews reveal discovery of an unprotected online database owned by an unidentified party containing 200 million detailed records of U.S. users. Information included names and titles, email addresses, phone numbers, dates of birth, credit ratings, mortgage and tax records, as well as user profiles that included their personal interests, investments, and political, charitable, and religious donations. CyberNews says the data was subsequently wiped from the Internet, although the database shell remains exposed online.
Mar. 19. Security researcher Bob Diachenko reports discovery of an unprotected online database belonging to an unnamed UK-based security company and containing five billion records related to reported and unreported data breaches occurring from 2012 to 2019. He says the company did not respond to the notice he sent them of the problem, but the database was taken offline within an hour of the notice being sent to the owners.
Mar. 19. Rogers Communications, a Canadian ISP, begins alerting an undisclosed number of users that their personal information is at risk after a vendor database was compromised. Rogers says no credit card, banking, or password information was exposed during the incident.
Mar. 17. Researchers at vpnMentor discover an unprotected online database containing 425GB of sensitive documents belonging to financial companies. They say the data appears to be connected to MCA Wizard, a defunct smartphone app for allowing merchants to obtain short-term loans based on future credit card sales. The data was found in an Amazon Web Services storage bucket without any encryption or access requirements.
Mar. 14. Researchers at vpnMentor report the discovery of an unprotected online database belonging to the Brisk browser exposing 2.9 million records. Brisk is mainly used by web developers to test applications and websites before they’re launched. Users include NASA, Microsoft, Apple, eBay, and UNICEF. Researchers also found the browser collects data from its users and bypasses all security measures they may have in place.
Mar. 13. DynaRisk researchers discover a database of information on travel agents believed to be stolen from a Norwegian Cruise Lines partner portal. They say the database contains 29,969 records, 24,602 of them unique. NCL says no guest data was compromised in the breach.
Mar. 12. Open Exchange Rates, provider of an API service for finding exchange rates for more than 200 currencies, announces an unauthorized party accessed the personal information and hashed passwords for an undisclosed number of customers from February 9 to March 2. Among OER’s customers are Etsy, Shopify, Coinbase, and Kickstarter.
Mar. 11. Champaign-Urbana Public Health District announces its website has been disabled by ransomware. Although employees can’t access the website, they continue to work with email, environmental health records, and patient electronic records which were moved to the cloud six months ago.
Mar. 11. Melbourne Polytechnic in Australia reveals a data theft that occurred between September and December 2018 has exposed personal information of some 90,000 students, staffers, and suppliers. A person has been charged with the crime and a trial on the case is expected later this year.
Mar. 10. Washington Post reports an unprotected online database belonging to Whisper, a personal secrets sharing app, exposed the location, age, and intimate confessions of hundreds of millions of users. The situation was brought to the Post’s attention by Twelve Security, whose two principals, Matthew Porter and Dan Ehrlich, say they were able to access 900 million records collected from 2012 to the present.
Mar. 6. Virgin Media apologizes for exposing personal and private data of 900,000 customers for 10 months on an unprotected online database. It says the database did not contain any financial information or passwords and was accessed only once by an unknown user during the period it was exposed.
Mar. 5. Russian media outlet Izvestia reports theft of personal information of 266,000 users of the Trident Crypto Fund. According to cybersecurity company DeviceLock, some of the data has been posted online on file-sharing sites since February 20.
Mar. 4. Comcast confirms it accidentally published online last fall the contact information of its Xfinity customers who pay to have their phone numbers unlisted or unpublished. The company says the error affects two percent of its 9.9 million voice customers.
Mar. 4. Information Commissioner’s Office of the UK fines airline Cathay Pacific 500,000 euros ($542,882) for a 2018 data breach that exposed personal information of 9.4 million customers worldwide.
Mar. 3. Clothing retailer J. Crew reveals to California Attorney General that the online accounts of some 10,000 customers were accessed in a credential stuffing attack by an unauthorized party in April 2019. Information in online accounts includes card types, last four digits of card payment numbers, expiration dates, and billing addresses.
Mar. 2. Carnival Corporation, the world’s largest cruise ship operator, informs California Attorney General that the personal information of an undisclosed number of guests was accessed by an unauthorized party who compromised some employee email accounts containing the data. It adds that there is no evidence the customers’ information was misused after the incident.
Mar. 2. Tesco, a supermarket chain in the United Kingdom, issues new cards to 600,000 of its Clubcard holders after discovering their user names and passwords in a database stolen from other platforms. Company says its systems have not been breached and the move is a precautionary one.
Mar. 1. Visser Precision, a precision parts maker for space and defense contractors located in Denver, confirms it has experienced a “cybersecurity incident,” which TechCrunch reports was a ransomware attack. TC says its seen a website containing a list of files stolen from Visser in folders tagged with customers’ names, including Tesla, Space X, Boeing, and Lockheed Martin.
Feb. 28. Walgreens, the second largest pharmacy chain in the United States, announces a data leak in the database for its smartphone messaging app has exposed personal messages stored there to other customers. It says that some health-related information was exposed for a small percentage of its customers between January 9 and January 15. The company did not disclose how many customers were affected, but there could be as many as 10 million users of the app.
Feb. 27. Total Quality Logistics, of Cincinnati, alerts its carriers that an unauthorized party penetrated its IT systems and may have gained access to its customers’ business information. TQL works with a network of 85,000 carriers that move 1.8 million loads of freight annually.
Feb. 27. Desjardins Group, of Quebec, Canada, discloses cost of 2019 data breach that exposed data of 4.2 million customers is now estimated at $76.3 million (CA$108 million), up from original estimate of $49.5 million (CA$70 million).
Feb. 26. Clearview AI, a facial recognition software maker, confirms data breach resulting in theft of its list of customers, number of searches they made, and number of accounts they set up. The company, whose customers are primarily law enforcement agencies, says its database of three billion photos was not compromised.
Feb. 25. The U.K.’s Financial Conduct Authority reveals that it accidentally posted online the confidential information of some British citizens, including those who filed complaints against the agency in 2018 and 2019. It explains the mistake was made when responding to a Freedom of Information Request.
Feb. 24. U.S. Defense Information Systems Agency, which handles IT and telecommunications support for the White House and military, warns some 200,000 people their personal data is at risk after a data breach at the agency. It adds that there is no evidence that any of the potentially compromised data has been misused.
Feb. 21. Slickwraps, a maker of vinyl skins for computers, phones, and tablets, apologizes for data breach resulting in theft of sensitive information of more than 857,000 users. The breach occurred when an intruder exploited a vulnerability in the company’s IT system after it was made public on Twitter. Slickwraps says stolen data includes names, user emails, and addresses, but no passwords or personal financial data.
Feb. 21. Government of Quebec province in Canada confirms personal information of nearly 360,000 teachers may have been stolen by an unauthorized party. It says data was pinched after user code and password were compromised.
Feb. 20. Protenus and DataBreaches.net report 41 million patient records were exposed in data breaches in the healthcare industry in 2019, nearly triple the number — 15 million — exposed in 2018.
Feb. 19. ZDNet reports sensitive information of more than 10.6 million guests who stayed at MGM Resort hotels has been published to a hacking forum. It says the data includes personal and contact information for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.
Feb. 17. Researchers at vpnMentor discover unprotected online database in Amazon Web Services storage bucket belonging to PhotoSquared. Exposed data included more than 10,000 records from November 2016 to January 2020, including customers’ photos, order records, receipts, and shipping labels.
Feb. 17. Report to Canadian House of Commons finds the country’s federal departments mishandled personal information of 144,000 Canadians in 7,992 data breaches over the past two years. According to the Canadian Broadcasting Corporation, no explanation was included in the 800-page report for the errors, which ranged in seriousness from minor misdeeds to exposure of sensitive personal information.
Feb. 13. Nedbank, one of the largest financial institutions in South Africa, announces that a data breach at one of its vendors, marketing firm Computer Facilities, exposed personal data of 1.7 million customers. Bank says no login credentials, PINs, or passwords were compromised in the incident.
Feb. 13. Rutter’s, a gasoline and convenience store chain in Pennsylvania and West Virginia, reveals payment card information of customers who did business at some 70 of its stores between Aug. 30, 2018 and May 29, 2019 is at risk due to a malware infection of its point-of-sale systems at those locations.
Feb. 11. Jeremiah Fowler, a researcher at Security Discovery, discovers unprotected online database belonging to cosmetics giant Estee Lauder exposed online more than 440.3 million records, including email addresses and system logs, which could be used by hackers to craft future attacks on the company’s IT systems.
Feb. 10. U.S. Justice Department charges four members of Chinese military with cyberattack on credit services company Equifax that compromised the personal data of 147 million Americans. DOJ says the four men — Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei — are part of the notorious hacker group known as APT10, which has been accused of breaking into dozens of business and government systems, including those of HPE, IBM and NASA’s Jet Propulsion Laboratory.
Feb. 8. Group-IB, a cybersecurity company based in Singapore, discovers a database containing more than 460,000 payment card records from Indian banks on Joker’s Stash, a dark web site where stolen information is bought and sold. According to Group-IB, the database contains card numbers, expiration dates, CVV/CVC codes, full names of cardholders, email IDs, phone numbers, and addresses. It estimates the value of the database to be $4.2 million.
Feb. 6. Petition filed with Elections Committee in Israel accuses Likud Party of exposing online the private information of all the voters in the country, some 6.45 million people. Petitioners say Likud stored the information in Elector, an app used to crunch voter numbers, which had a bug that gave administrative access to the data to anyone. According to Seventh Eye, an investigative website that first reported the story, Elector’s code is sloppily written and allows anyone with a browser to get high-level access to information on the app’s website.
Feb. 6. Indiana University discloses that the entire university community was unintentionally given access to a tool designed to allow the school’s staff to see student grade point averages, exposing the records of at least 100,000 current and former students who graduated in 2015 or later.
Feb. 5. Health Share of Oregon, the state’s largest Medicaid coordinated care organization, begins notifying 654,362 people that their personal information is at risk due to the theft of a laptop from one of its vendors, GridWorks IC.
Jan. 30. TechCrunch reports Social Captain, a service for boosting Instagram followers, has exposed thousands of Instagram passwords at its website. It says passwords are visible by looking at the source code on any Social Captain profile page.
Jan. 30. TechCrunch reports personal data of more than 1.2 million passengers of SpiceJet, one of India’s largest privately-owned airlines, is at risk after a self-described ethical hacker accessed an unencrypted backup file on one of the airline’s systems by brute-forcing an easily guessable password. Information at risk includes passenger name, phone number, email address, and date of birth.
Jan. 29. The New Humanitarian, a non-profit news agency, makes public for the first time a report revealing dozens of UN servers in Europe were compromised in July 2019. It says some 400GB of data was downloaded by the intruders, putting at risk the personal information of 4,000 UN staffers.
Jan. 29. Facebook agrees to pay $550 million to settle a lawsuit over its use of facial-recognition technology in Illinois. The lawsuit claims the company violated the state’s biometric privacy law by harvesting facial data for making tag suggestions in photos of millions of users in the state without their permission and without telling them how long the data would be kept.
Jan. 28. Security blogger Brian Krebs reports the first batch of credit card numbers believed to be stolen from Wawa, a fuel and convenience store chain with 850 locations in the United States, has been posted for sale on Joker’s Stash, a Dark Web bazaar for stolen information. He says the seller is offering card data from “a new huge nationwide breach” that includes more than 30 million card accounts issued by thousands of financial institutions across more than 40 states. He adds that the card data initially offered for sale map squarely with purchases made at Wawa.
Jan. 23. Coveware, maker of a ransomware incident response platform, releases its fourth-quarter ransomware marketplace report that finds the average ransomware payment increased 104 percent over the previous quarter, to $84,116 from $41,198. Report also finds that 98 percent of companies that paid a ransom received a working tool to decrypt their data, and 97 percent of the companies successfully decrypted their data.
Jan. 23. Global law firm DLB Piper reports that since the EU adopted the General Protection Data Regulation in May 2018, 160,000 data breach notifications have been reported across the 28 EU states, and regulators have imposed $126 million (114 million euros) in fines under the measure.
Jan. 22. ZDNet reports some 250 million records in a customer support database owned by Microsoft were exposed online without proper protections during most of December last year. Microsoft says the accidental exposure was caused by some misconfigured Azure security rules it deployed on Dec. 5. Information exposed included email addresses, IP addresses, and support case details.
Jan. 21. UPS sends letters to an undisclosed number of users affected by a phishing scam that compromised the email accounts of some 100 of its stores. Information compromised by the campaign included customer names and government-issued identifications and financials. The company says it hasn’t seen any evidence that the compromised information has been misused.
Jan. 20. Mitsubishi Electric, one of Japan’s biggest defense and infrastructure contractors, confirms data breach that occurred in June, resulting in theft of 200MB of sensitive documents. The company says the intruders did not steal any data on its business partners and defense contracts.
Jan. 19. Sunday Times of London reports a vendor with access to an educational database shared information on some 28 million schoolchildren aged 14 and older with two UK betting companies. It notes companies used the data to boost the number of young people gambling online. The database was taken offline after its abuse was made public and an investigation launched into possible violations of the United Kingdom’s privacy laws.
Jan. 16. U.S. Justice Department and FBI shut down weleakinfo.com, a website that allowed users to search data illegally obtained from more than 10,000 data breaches. The site charged subscription fees for searches of its library of 12 billion records, which includes data such as names, email addresses, usernames, phone numbers, and passwords for online accounts.
Jan. 14. Twelve Security, a computer security consulting firm, reveals it found an unprotected online server belonging to Bithouse exposed 100GB of data, which includes email addresses, geographic location data, detailed device data, and links to photos and videos. The company is the developer of Peekaboo Moments, an app that allows parents to share milestones in their children’s development, and has had more than a million downloads from GooglePlay.
Jan. 14. Federal judge in Atlanta gives final approval to $1.38 billion settlement of litigation stemming from the 2017 Equifax data breach resulting in the theft of personal information of 148 million Americans, 15 million Britains, and 20,000 Canadians.
Jan. 10. PIH Health in Whittier, Calif. begins notifying 199,548 patients that their protected health information is at risk after the email accounts of a number of employees were compromised. PIH says there is no evidence that patient information in the accounts has been misused.
Jan. 9. U.S. Department of Justice announces Babatunde Olusegun Taiwo has been sentenced to 48 months in federal prison for his role in a tax fraud scheme that netted Taiwo and his co-conspirators $889,712. Taiwo’s crew used information from a data breach at a payroll company to file more than 2,000 fraudulent tax returns claiming more than $12 million in refunds.
Jan. 9. Amazon acknowledges in response to written congressional queries that it fired four Ring employees over the last four years for improperly accessing video data from smart doorbells. The queries by five Democratic senators were prompted by reports of Wi-Fi flaws in Ring devices.
Jan. 9. U.K. Information Commissioner’s Office fines Dixon Carphones $613,500 (500 pounds) in case arising from point-of-sale attack that resulted in theft of payment card details of 5.6 million people and personal information of 14 million more. The office says Dixon’s poor security arrangements and inadequate measures to protect data led to the breach of its systems.
Jan. 8. Motherboard reports 700,000 files containing sensitive data about college athletes were exposed online in an unprotected Amazon Web Services storage bucket belonging to Front Rush, a services provider for more than 30,000 coaches and 9,500 teams. Information exposed included SAT scores, personal addresses, dates of birth, physical evaluations, post-injury reports, player performance reviews, and athletic financial aid agreements.
Jan. 8. Sentara Healthcare agrees to pay $2.175 million to settle dispute with U.S. Department of Health and Human Services arising from mailing error that resulted in personal data of 577 patients being sent to wrong addresses. The agreement also requires the provider to undergo two years of monitoring, review its privacy policies and procedures, and submit regular reports to HHS on its compliance. The company admits no wrongdoing as part of the settlement.
Jan. 7. Google agrees to pay $7.5 million to settle lawsuit arising from its sharing with third-party developers non-public information of Google+ users. Users affected by the case may receive from $5 to $12, while their attorneys could receive as much as $1.87 million.
Jan. 6. U.S. Federal Trade Commission finalizes settlement with InfoTrax Systems over case arising over the theft of personal information of more than a million customers. According to the FTC, the company, a provider of back-end operations systems and distributor of software for the direct sales industry, experienced more than 20 intrusions from May 5, 2014 and March 7, 2016. As part of the settlement, InfoTrax is prohibited from collecting, selling, sharing, or storing any consumer personal information until it addresses the security issues raised by the FTC. It also must have third-party security audits conducted on its systems every two years to ensure its security is adequate to protect the data on its servers.
Jan. 3. Researchers at vpnMentor discover unprotected online Amazon Web Services storage bucket belonging to PussyCash, an operator of an adult-oriented affiliate network. More than 875,000 files in the bucket were exposed. Data included contracts with detailed personal information for more than 4,000 models.
Jan. 3. Google blocks integration of Xiaomi cameras with some of its hardware and services after one camera owner says the device allowed him to see into other people’s homes. Xiaomi says the bug affected some 1,000 users before it was squashed.
Jan. 2 Landry’s, a multi-brand dining and hospitality business, announces that 63 of its 600 restaurants had order-entry systems infected with malware that harvested payment card information at the locations. Data is at risk of customers who used their payment cards at the eateries between March 13 to October 17, 2019.
Jan. 2 Active Network, which operates a platform used by school systems for administrative and management purposes, announces personal information of users who used its webstore between October 1 and November 13, 2019 is at risk. During that period, an apparent Magecart malware attack was collecting payment card information, including name, payment card number, payment card expiration date, and payment card security code, as well as store username and password.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.