
Cybercrime Diary, Vol. 5, No. 3: Who’s Hacked? Latest Data Breaches And Cyberattacks

Unprotected servers continue to leak data, while high-profile hackers are arrested and sentenced

John P. Mello, Jr.

Sausalito, Calif. – Oct. 1, 2020

Unsecured servers and databases continued to expose the personal information of millions of users during the third quarter of 2020.

Also during the period, law enforcement continued cracking down on hackers. Russian national Yevgeny Nikulin, the infamous “LinkedIn Hacker,” was sentenced to 88 months in prison for his nefarious activities. Five Chinese hackers, who are still on the lam, were charged for their cyberattacks on more than 100 organizations. The former CSO of Uber was also charged for his role in covering up a data breach at his company, and 30 felony charges were filed against a Florida teen who was behind the hacking of some high-profile Twitter accounts in order to advance a bitcoin scam.

The quarter also saw some hefty fines and settlements, including ones involving Premera Blue Cross and Capital One. Meanwhile, the first death attributed to a ransomware attack was reported in Germany.

September

Sep. 30. Healthcare services provider Anthem agrees to pay $39.5 million in a settlement arising from a 2014 data breach that compromised personal health information of 79 million people. Settlement is with a group of states investigating the breach. Previously, Anthem paid $16 million for violating HIPAA rules and $115 million to settle a class-action lawsuit from the breach.

Sep. 30. SafetyDetectives, a security research firm, finds an unprotected server belonging to Edureka, an electronic education provider in India, exposes 45 million records online. The server was secured after the researchers reported the matter to India CERT.

Sep. 29. Yevgeny Nikulin, a Russian citizen, is sentenced in U.S. federal court in San Francisco to 88 months in prison for a series of hacks of U.S. social media companies that compromised tens of millions of user accounts.

Sep. 28. Wall Street Journal reports a data thief has posted online documents stolen from the Clark County School District in Las Vegas. Documents include Social Security numbers, student grades, and other private information. It’s believed the data was posted to a hacker forum where it could be easily viewed because the district, which has about 320,000 students, refused to pay a ransom to destroy the data.

Sep. 28. NBC News reports the computer systems at Universal Health Services, which has more than 400 locations, primarily in the United States, have begun to fail in what appears to be a ransomware attack. It says the medical cyberattack could be one of the largest in U.S. history.

Sep. 25. Premera Blue Cross, the largest health plan provider in the Pacific Northwest and Alaska, agrees to pay $6.85 million to the Office for Civil Rights at the U.S. Department of Health and Human Services. It also agrees to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act, violations that contributed to a data breach affecting more than 10.4 million people. According to HHS, the settlement represents the second-largest payment to resolve a HIPAA investigation in OCR history.

Sep. 23. Comparitech researchers reveal an unsecured online database belonging to Town Sports, which operates a chain of gyms, fitness clubs, and spas mainly in the Northeast United States, exposed to the internet the records of 600,000 members and employees. Comparitech says the database was exposed for at least 11 months before it was secured.

Sep. 23. CHSPSC, of Franklin, Tenn., a management company that serves hospitals, agrees to pay the U.S. Health and Human Services Department a $2.3 million fine resulting from a 2014 data breach that exposed the information of more than six million people.

Sep. 22. Shopify, an online commerce platform, reveals two rogue members of its support team compromised the data of less than 200 merchants doing business on the shopping site. It says affected stores may have had customer data exposed, including basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Credit card and other financial information was not affected by the incident, it adds.

Sep. 21. Tyler Technologies, of Plano, Texas, a major provider of software services for governments and schools, informs customers an intruder invaded its phone and technology systems, disrupting its internal systems. It says it has no reason to believe that any client data, client servers, or hosted systems were affected by the attack. According to the company, it has 26,000 installations with local, state, and federal government entities in all 50 states, Canada, the Caribbean, Australia and other international locations.

Sep. 21. Athens Orthopedic, a healthcare provider based in Athens, Ga., agrees to pay $1.5 million to U.S. Health and Human Services Department’s Office for Civil Rights to settle potential HIPAA violations arising from a 2016 data breach affecting more than 200,000 people. In June of that year, Athens discovered an intruder, using a vendor’s credentials, accessed the provider’s electronic records system and exfiltrated patient data.

Sep. 17. German authorities announce a woman has died from a ransomware attack on a hospital in Dusseldorf. They say that the woman, who needed immediate treatment, had to be taken to a facility in another city because the Dusseldorf hospital’s systems were crippled by the ransomware. The delay in treatment cost the woman her life.

Sep. 16. Blackbaud, a service provider for charitable organizations, in a report to the U.S. Securities and Exchange Commission, reveals bank account information and users’ passwords are among the details stolen by hackers in a security breach that occurred earlier this year. The company previously said payment details were not affected by the attack, which has affected hundreds of universities, healthcare providers, and other organizations around the globe.

Sep. 16. Singapore’s Personal Data Protection Commission fines Grab, maker of a transportation, logistics, and financial services app, SG$10,000 ($7,325) for a series of data breaches compromising customer data. The breaches occurred after modifications made to its mobile app exposed the information of 21,541 GrabHitch drivers and passengers to the risk of unauthorized access.

Sep. 16. U.S. Justice Department charges five Chinese citizens with cyberattacks on more than 100 companies and institutions in the United States and abroad, including social media and video game companies, as well as universities and telecommunications providers. According to the Associated Press, the quintet remain fugitives, but two Malaysian businessmen connected to the sorties on the billion-dollar video game industry have been arrested in Malaysia and are facing extradition proceedings.

Sep. 15. The parent of Dunkin’ Donuts agrees to pay $650,000 in fines and costs to settle a lawsuit stemming from a data breach from 2015 to 2018. Under the settlement, Dunkin’ Brands Group agreed to notify customers affected by the attacks, reset their passwords, and provide refunds for unauthorized use of the chain’s value cards. Dunkin’ neither admitted nor denied wrongdoing as part of the agreement.

Sep. 14. The Guardian reports that a leaked database from Zhenhua Data, a Chinese company with reported links to Beijing’s military and intelligence agencies, contains personal details of 2.3 million people around the world. It says most of the data is based on public sources, such as social media profiles, and includes data on politicians, the royal family, celebrities, and military figures. A spokesperson for Zhenhua tells The Guardian that the database is research and just connects individuals to the social media that they use.

Sep. 14. Staples, a “big box” office supply company, reveals in a letter to some of its customers that their order data was accessed by an unauthorized third party. The letter says no sensitive data was exposed and only a limited amount of order data for customers of Staples.com was accessed.

Sep. 14. U.S. Department of Veterans Affairs announces that the personal information of some 46,000 veterans has been exposed in a data breach at the agency. It explains threat actors compromised an application used to send payments to medical providers and diverted the payments into their pockets.

Sep. 13. vpnMentor reports that a flaw in marketing software made by Mailfire has exposed users of more than 70 adult dating and e-commerce sites around the world. It says the software was compromised through an unsecured Elasticsearch server, exposing the users to the risk of identity theft, blackmail, and fraud.

Sep. 11. Bleeping Computer reports a ransomware gang has leaked online 337MB of what they say is stolen data from Artech Information Systems, one of the largest staffing firms in the United States. It says Artech acknowledged a ransomware attack on its systems in a letter sent to affected users. It adds that an investigation of the incident by Artech revealed that data compromised by the attack may have included Social Security numbers, medical information, health insurance information, financial information, payment card information, driver’s license/state identification numbers, government-issued identification numbers, passport numbers, visa numbers, electronic/digital signatures, and username and password information.

Sep. 10. Antonio Romanucci, an attorney for the family of George Floyd, whose death by police in Minneapolis set off a wave of global protests for social justice, states the family has been informed by the Hennepin County Medical Center that Floyd’s confidential data was compromised on multiple occasions by employees who are no longer with the organization. He adds that the letter doesn’t say what information was accessed or if the employees had been fired or resigned.

Sep. 10. Security researcher Bob Diachenko reports he’s found online an unprotected server belonging to Razer, a global gaming manufacturing, e-sports, and financial services company. He estimates the misconfigured hardware has placed at risk the order and shipping details of some 100,000 customers.

Sep. 7. vpnMentor reports a group of free VPN providers has put at risk the personally identifiable information of an estimated 20 million users by failing to secure a shared server connected to the internet. Data exposed includes email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and other technical details.

Sep. 7. Sydney, Australia-based Service NSW, which provides one-stop services for government customers, releases the results of its investigation of a data breach that occurred in April. It says 47 staff accounts were compromised and used to steal 3.8 million documents, including 500,000 that contained personal information on 186,000 customers.

Sep. 4. Comparitech reveals an unsecured online database belonging to Telemate, which provides telephone services to inmates in U.S. prisons, has exposed tens of millions of call logs, private messages, and personal information about inmates and their contacts to the internet. It says the server was secured within hours of being alerted to the situation by Comparitech.

Sep. 3. Warner Music Group, in a breach notification letter, reveals some of its stores were targeted by Magecart thieves earlier this year. Magecart attacks plant malicious code on websites, code that gathers data users put into payment forms. Warner says any user entering personal information after putting an item in a shopping cart at an infected website may have had that data grabbed by an unauthorized party.

August

Aug. 21. Freepik Company, a free photo and graphics website, reveals data breach affecting 8.3 million users. It explains an intruder used a SQL injection vulnerability to access the usernames and passwords of the users.

Aug. 20. U.S. Justice Department charges Joseph Sullivan, 52, former chief security officer at Uber, for allegedly paying hackers $100,000 to hide a 2016 data breach at the company that affected 57 million users and drivers. The DOJ complaint also alleges Sullivan deceived the new management of the company about the incident after it hired a new CEO in 2017.

Aug. 19. South African branch of consumer credit reporting agency Experian discloses data breach. It says it gave personal details of South African customers to a fraudster posing as a client. Although the company did not say how many customers were affected by the breach, South African Banking Risk Centre, an anti-fraud and banking non-profit, claims the breach affected 24 million South Africans and 793,749 local businesses.

Aug. 19. Comparitech reports discovery of an unsecured online database exposing nearly 235 million social media profiles. It attributes ownership of the data to a company called Social Data, which took down the servers hosting the data shortly after being informed of their exposure.

Aug. 17. Risk Based Security reports there were 2,037 publicly reported breaches during the first six months of 2020, a 52 percent decrease compared to the first six months of 2019 and 19 percent below the same time period for 2018. It adds that over 27 billion records were exposed between January 1 and June 30, 2020, exceeding the total number of records exposed in 2019 by more than 12 billion records.

Aug. 17. Researchers at CI Security report healthcare data breaches declined 10.4 percent in the first half of 2020 compared to the same period in 2019. They add that the number of breached records during the period declined 83 percent.

Aug. 15. The Canada Revenue Agency announces it has shut down two of its websites after they were hit with cyberattacks. It adds at least 5,500 accounts were affected during the incidents and that exposed information includes email addresses and direct deposit information.

Aug. 14. Brown-Forman, maker of Jack Daniels and Finlandia vodka, confirms a cyberattack on its systems may have affected its data, including employee data. Bloomberg reports the incident may involve REvil ransomware, and the intruders may have exfiltrated 1TB of data.

Aug. 12. Santa Barbara County District Attorney Joyce E. Dudley announces 275-count felony complaint against six people in case involving identity theft and insurance fraud. Complaint includes six counts of unlawful transfer of identifying information for identity theft and 263 counts of unemployment insurance benefit fraud.

Aug. 12. Researchers at Cybernews report discovery of unsecured Amazon data bucket exposing 350 million unique email addresses to the internet. It says that the owner of the bucket could not be identified. It adds that Amazon closed the bucket June 10.

Aug. 10. Thousands of records allegedly from Utah gun and hunting sites are posted on an online cybercrime forum. The data, which was offered to anyone for free, includes 195,000 user records for the Utah Gun Exchange, 45,000 records from its video site, 15,000 records from a hunting site, and 24,000 records from a website specializing in recreational drug and medicinal tree leaves. According to Bleeping Computer, all the data was hosted on the same AWS server and appears to have been stolen around July 16.

Aug. 10. vpnMentor reports discovery of unsecured Amazon data bucket with more than 5.5 million files. It says it believes the data belongs to InMotionNow, a project management software company. It adds data includes marketing materials of cybersecurity company ISC2, insurance company Brotherhood Insurance, Kent State and Purdue universities, and the Potawatomi Hotel and Casino in Milwaukee.

Aug. 6. U.S. Office of the Comptroller of the Currency fines Capital One $80 million for data breach that resulted in the unauthorized access to the data of 100 million current and potential customers. The agency says the company did not have enough risk management controls in place before the incident took place.

Aug. 3. Sky News reports Garmin, a maker of navigation and fitness devices, paid a multi-million dollar ransom to a ransomware gang that disrupted the company’s computer systems. It says the ransom was paid to the hackers through a third party, Areta IR, which specializes in ransomware negotiations.

July

Jul. 31. Hillsborough State Attorney Andrew Warren announces the filing of 30 felony charges against a 17-year-old resident of Tampa, Fla. for a high-profile hack of Twitter. The teen allegedly compromised the accounts of a number of companies and individuals, including Apple, Elon Musk, Joe Biden, and Barack Obama, and posted a promotion for a bitcoin scam. The scam allegedly made more than $100,000 for the youth.

Jul. 28. Lifespan, Rhode Island’s largest healthcare network, agrees to pay $1 million to settle a 2017 data breach case with the U.S. Health and Human Services Department’s Office for Civil Rights. The breach occurred when a laptop was stolen from an employee’s car, placing at risk the personal information of more than 20,000 patients.

Jul. 28. Drizly, an online alcohol delivery startup, informs its customers their personal information is at risk after a hacker obtained their data during a data breach. It’s estimated that as many as 2.5 million accounts are affected by the incident.

Jul. 28. Bleeping Computer reports that a group of data thieves known as ShinyHunters has posted to an online hacker forum databases from 18 companies, exposing more than 386 million user records. It says the databases are being offered as free downloads and while nine of them have been disclosed in the past, nine others appear to be fresh. They include Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird, and Vakinha.

Jul. 28. SafetyDetectives reports an unsecured web server at cosmetics maker Avon, which serves some 200 million consumers annually, exposed a database containing 7GB of data and more than 19 million document records. Information exposed on the internet includes more than 40,000 security tokens, internal logs, account settings, and technical server information, as well as personally identifiable information.

Jul. 25. Dave, an overdraft and cash advance service, confirms data breach resulting in the theft of a database containing 7.5 million user records. It says database was stolen when a data breach occurred at one of its former third-party service providers. It says stolen information included user names, emails, birth dates, physical addresses, and phone numbers. It adds theft did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers.

Jul. 24. Walgreens, the second-largest pharmacy chain in the United States, alerts more than 72,000 customers that their protected health information is at risk after a series of break-ins at about 180 stores across the country. It says that during the break-ins, intruders stole items containing health-related information.

Jul. 23. InstaCart, a grocery and home essentials delivery service, denies a data breach is the source of customer information being sold online on hacker forums. It says it believes the information was stolen from its platform using a “credential stuffing” attack. According to BuzzFeed News, sellers on two dark web stores are hawking information from 278,531 InstaCart accounts.

Jul. 21. U.S. District Court Judge Lucy Koh approves $117.5 million settlement in Yahoo data breach case, but reduces attorney fees to $23 million from $30 million. The breach, the largest in the history of the internet, occurred in 2014 and affected some 500 million users.

Jul. 14. ZDNet reports the size of the 2019 data breach at MGM Resorts may have been substantially larger than originally reported. It notes data from the breach has been posted for sale on the dark web for $2,900. It includes details on more than 142 million hotel guests, up from the original estimate of 10.6 million.

Jul. 8. vpnMentor reports that an unsecured online database belonging to Clubillion, a popular casino gambling app, has exposed to the internet the daily activities of millions of players around the world, as well as private user information. It says the exposure makes players vulnerable to fraud and other kinds of online attacks.

Jul. 7. Freddie Mac, which holds about $2 trillion in mortgage loans, alerts borrowers in letter that one of its vendors, Opus Capital Markets Consultants, experienced a ransomware attack earlier in the year. It says that while there is no evidence that any borrower data, which was encrypted, was affected by the attack, the agency is offering borrowers a two-year subscription, for free, to Experian IdentityWorks, a credit monitoring and identity theft protection service.

Jul. 2. Researchers at WizCase report discovery of unsecured data at five dating sites. It says the number of exposed records is in the millions and contains sensitive information, such as names, billing addresses, email addresses, phone numbers, and private messages.

Jul. 1. Researchers at Comparitech report that since 2005, K-12 school districts and colleges and universities in the United States have experienced more than 1,300 data breaches, affecting more than 24.5 million records. It adds that California schools and universities have had the most records affected during the research period, and that public institutions are affected by breaches at a higher rate than private schools.

Jul. 1. Canadian privacy commissioners in Ontario and British Columbia release report finding that LifeLabs failed to protect the personal health information of the 15 million patients impacted by its 2019 systems breach, due to its failure to implement reasonable security safeguards and policies. The incident was the second-largest healthcare data breach of 2019.


John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.