Welcome to GearBrain's Weekly Data Breach Report, a collection of known breaches into company databases where someone you don't know got access to your personal information. The frequency at which these break-ins happen appears to be growing, so every week we'll update our report with fresh news on the latest hacks and links on where you can go if there's action to be taken — whether you're concerned about your privacy or not. This week we're looking at a data breach at clothing maker Guess, another at a dermatology company that may have affected 2.4 million people, and a new $10 million award from the White House to thwart ransomware.
Guess has admitted to a data breach
Clothing maker Guess has said that it was breached, with hackers making off with driver's license numbers, passport details, Social Security numbers and more, according to Bleeping Computer. The breach happened between Feb 2, 2021 and Feb 23, 2021. Some affected people have been sent letters about the breach, which the company reportedly started mailing out on June 9.
A healthcare company based in Wisconsin has reported a data breach
A Wisconsin-based healthcare company, Forefront Dermatology, has stated that its network had a breach that may have allowed access to personal details including patient names, dates of birth and even their medical treatment information, according to PortSwigger. An estimated 2.4 million people may have been affected.
$10 million ransomware awards
The White House has created a $10 million award for information about ransomware
The White House is going to start offering rewards to those who can supply information about cyber crimes, including ransomware, that are being leveled against U.S. companies and infrastructure, according to the Associated Press. The reward will be upwards of $10 million, and it's part of a new push by the Biden administration to help thwart attacks before they even begin. This includes a new web site, stopransomware.gov, a guide educating people about ransomware, how they can better protect themselves against this kind of attack, and how to get help if they are affected.
Week of July 5, 2021: Kaseya
The hackers are demanding a $70M ransom
This week saw a ransomware attack on a Florida-based information technology firm, which saw the seizure of masses of data and the demand of a $70M ransom payment.
Claimed to be one of the largest ransomware attacks of all time, the event affected hundreds of businesses worldwide, from supermarkets in Sweden to schools in New Zealand, reports the Guardian. Generally speaking, Kaseya's services were used by companies too small to have their own IT departments, and it was systems used to protect customers from malicious software that were attacked. It is estimated that between 800 and 1,500 small businesses were affected by the incident, which saw their data accessed by ransomware hackers.
Northwestern Memorial HealthCare
The attack affected Northwestern Memorial HealthCare
Next up, we have an incident that took place at Northwestern Memorial HealthCare (NMHC). A data breach at Elekta, a third-party provider used by NMHC, has potentially exposed patient information, including patient names, dates of birth, Social Security numbers, health insurance information and medical record numbers.
The Chicago-based healthcare provider said: "On May 17, 2021, Elekta informed us that an unauthorized individual gained access to its systems between April 2, 2021 and April 20, 2021 and, during that time, acquired a copy of the database that stores some oncology patient information."
Financial account and payment card information was not involved, NMHC said, adding that the incident "did not involve access to NMHC's systems, network, or electronic health records."
The attack affected the server of a third-party vendor used by Morgan Stanley
Finally this week, investment banking firm Morgan Stanley reported a data breach after attackers stole customer information during an attack on the Accellion FTA server of a third-party vendor. Morgan Stanley was notified by Guidehouse, a provider of account maintenance services, in May 2021 that its Accellion FTA server had been compromised.
Morgan Stanley said in a letter: "There was no data security breach of any Morgan Stanley applications. The incident involves files which were in Guidehouse's possession, including encrypted files from Morgan Stanley."
It is good news that the data is encrypted, but the stolen trove still contains stock plan participants' names, addresses, dates of birth, Social Security numbers and corporate company names.
Week of June 28, 2021: LinkedIn
Data from LinkedIn is reportedly up for sale on a hacker site
Data from 92 percent of LinkedIn users is reportedly for sale, according to Privacy Sharks, a VPN review site, which found 700 million records from LinkedIn on a hacker forum.
The data includes details from email addresses to gender, names and phone numbers. But LinkedIn told the news site that the details did not come from a data breach and did not include private details from LinkedIn members.
Mercedes-Benz reported that some customer data was left exposed on a cloud platform
Carmaker Mercedes-Benz found that data on some customers and potential buyers was left open on a cloud platform, the company stated. In some cases the data included self-reported credit scores, credit card information, birth dates, Social Security numbers and some driver's license numbers. But the exposure affected fewer than 1,000 people, and the information was what they had entered on dealer and Mercedes-Benz websites between January 1, 2014 and June 19, 2017.
Herff Jones found "suspicious activity" around payment card details
Yearbook supplier Herff Jones is getting in touch with customers about a breach that may have affected their payment card details. The company found what it called "suspicious activity" in May, and began an investigation that found "theft of certain customers' payment information."
Anyone who believes they've been affected can reach out to the company through its web site, and Herff Jones is also offering free credit monitoring.
Week of June 21, 2021: Office 365 malware phish
Microsoft is warning people that a group is tricking Office 365 users into downloading a malicious Excel file that then gives the attackers a back door into someone's Windows device, reports ZDNet. The initial contact comes via an email telling people that they have already downloaded a free version of software and that unless they call they will be forced to start paying. This prompts people to place a call to the number in the email.
The malware itself is said to be used to push out ransomware, and Microsoft's own security team is now tracking the malware as well.
Illinois Department of Transportation warns of phish
The Illinois Department of Transportation is also warning people not to respond to emails claiming to be from the agency and asking for personal information, reports local news site 23WIFR. People are reporting texts and emails purporting to be from the DOT; the agency is telling people to delete the messages and, crucially, not to click on any link in them.
The agency has told people that they would never reach out through these avenues asking for personal information such as Social Security numbers or even banking account details.
Rhode Island Department of Labor and Training
Over in Rhode Island, the state's Department of Labor and Training is also warning people about email phishes, reports local news channel 10WJAR. The emails ask people to verify their professional license — not something the agency says it would ask people to do in this manner either.
Their advice? Delete the email without clicking on any links.
Week of June 14, 2021: Wegmans
Wegmans, a chain of grocery stores, has had a data breach that the company says may have left customer data available for people to find, including home and email addresses, phone numbers, Shoppers Club numbers, birthdates and more.
The details also included passwords to shoppers' accounts on Wegmans' web site, but the company said these were hashed and salted and therefore the characters were not visible.
Wegmans was alerted to the breach by a third-party security researcher and it confirmed the issue on its own on April 19, 2021. They're suggesting people change the passwords on their Wegmans' accounts.
More than one billion records of searches made on CVS Pharmacy's web site were left visible online this spring, according to ABC News, which credits a cybersecurity researcher, Jeremiah Fowler, with finding the issue.
The records are specific to terms people were searching for on CVS Pharmacy's web site, and Fowler found the exposure in March and notified the company. The details include information people were looking for on Covid-19 vaccines, and Fowler said in some instances people typed their email address into the search box, which was then visible in the records.
CVS admitted to ABC News that the search information was connected to them. They added the breach stemmed from a third-party vendor which had been hosting the information, and that CVS has now shut down that database.
Online shopping site Alibaba was hit with a data leak that grabbed about 1.1 billion details from users, according to The Wall Street Journal. The data included user names and mobile phone numbers and was grabbed through a crawler, a program that automatically reads through data, according to news accounts.
The crawler reportedly came from an affiliate marketing outlet, and was taken from Alibaba's shopping outlet Taobao over a period of several months, while Alibaba itself was not made aware of the details until July 2020.
Week of June 7, 2021: Beef supplier JBS
JBS, a supplier of beef to customers worldwide, paid out nearly $11 million in bitcoin to hackers after a ransomware attack shut down its plants in the U.S. and Australia.
Ransomware attacks are a way for hackers to hold a company's data hostage, demanding payment before it's released. A recent ransomware attack on Colonial Pipeline caused a shutdown along the East Coast before the company paid out $4.4 million. Much of that money was recovered by the Justice Department.
Arnoff Moving & Storage
An East Coast-based moving company, Arnoff Moving & Storage, has reportedly been hacked, with its data held for ransom. The details the hackers claim to have in their possession include customer payments, as well as a subcontractor's W-9, which includes tax identification.
NYC Law Department
The New York City Law Department was hacked, freezing employees' access to their accounts. The department includes lawyers who serve the city on issues ranging from real estate leases to acting as legal counsel for city officials.
Both the FBI and the New York Police Department are involved in trying to investigate what happened — and where to go from there. The shutdown, which was first detected Saturday night, had been continuing into the week.
Week of May 31: Klarna
Klarna users reported this week how they were being mistakenly logged out, then greeted with the accounts of others when logging back in. A buy-now-pay-later company, and Europe's largest private fintech company, Klarna is reportedly close to securing a deal that would value the firm at $40bn.
The information greeting customers included randomized postal addresses and past purchases, as well as partial bank card details, of other users. One user tweeted four screenshots to demonstrate how they were shown a different user each time they logged in. Klarna issued a statement on June 2 to say the issue was not the result of an external attack, and said a maximum of 9,500 customers were affected, having previously pegged that figure at 90,000.
A claimed 1.47TB of data, including personal details belonging to 5.9 million people, has emerged online, freely accessible without encryption or a password. The data, which includes email addresses, IP addresses, Facebook data and more, belongs to customers of AMT Games, a mobile and browser game developer based in China.
Discovered by security researchers from WizCase, the data numbers in the millions and was accessible to anyone who had the link to its location online, WizCase said, adding that the link has since been secured but without a response from AMT Games. Titles produced by the company include Battle For The Galaxy and Heroes of War.
WizCase said the database "leaked approximately 5.9 million player profiles, two million transactions and 587,000 feedback messages. Feedback message data contained account ID, feedback rating given and users' email addresses."
Scripps, a healthcare provider in California, informed more than 147,000 people this week that their personal data may have been exposed in a recent cyberattack. The company took parts of its network offline after a ransomware attack was discovered in early May, leading to four weeks of disruption to patient appointments.
Data that may have been exposed by the attack include health information, social security numbers, driver's license numbers and financial information, Infosecurity Magazine reported.
Scripps told patients this week: "Importantly, this incident did not result in unauthorized access to Scripps' electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network...For the less than 2.5 percent of individuals whose social security number and/or driver's license number were involved, we will be providing complimentary credit monitoring and identity protection support activities."
Week of May 24, 2021: Bose
Bose, maker of audio speakers, was hit by what the company refers to as a "sophisticated cyber-incident," that pushed ransomware into its U.S. systems, according to Bleeping Computer, which posted a letter from Bose to the Consumer Protection Bureau. Bose reported in the letter that it first became aware of the concern in March 2021, and then worked with "cyber experts," to figure out if data from its systems had been exposed.
The investigation found that data from six former employees in New Hampshire was "accessed," the company wrote, but consumer data is not mentioned.
New cybersecurity regulations
Following the ransomware attack that brought down the Colonial Pipeline for days, impacting gas supplies across some of the East Coast, the Department of Homeland Security is now going to set up new rules that pipeline companies have to follow regarding cyber concerns, reports The Washington Post.
That means there will be new requirements, going beyond the current guidelines, that these companies will have to follow regarding cyber concerns. They will also have to take new actions if they're attacked, including notifying both the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency.
Apple macOS update
A new Apple update, macOS 11.4, did more than just push out ways to purchase Apple Podcasts to computers, it also addressed some important security concerns, ZDNet reports.
The update includes a patch for a vulnerability in macOS that allowed malware to work around privacy settings. The bug allowed screenshots of someone's desktop to be taken without permission, wrote ZDNet, citing a post from security firm Jamf.
This only underscores why everyone needs to be updating their operating systems — whether on a computer, smartphone or other smart device — regularly, and automatically.
Week of May 17, 2021: Eufy Security
This week saw a major privacy blunder at Eufy Security, a maker of smart home devices, including indoor and outdoor security cameras. The incident, blamed by Eufy on a bug caused during a server update, saw over 700 customers able to view the live security camera feeds of other Eufy users. The incident lasted for approximately one hour and 40 minutes, and during that time users reported how they could view strangers' security cameras, and even record footage to their own smartphones using the Eufy Security app.
Users in the United States, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were all affected. Eufy has apologized for the incident, saying: "We realize that as a security company we didn't do good enough. We are sorry we felt [sic] short here and are working on new security protocols and measures to make sure that this never happens again."
Health Service Executive, Ireland
This week also saw the head of the Republic of Ireland's health service describe the "catastrophic" impact of a "stomach-churning" hack of its IT systems. Paul Reid, chief executive of the Health Service Executive, described the ransomware attack as a "callous act," which led to healthcare workers resorting to pen and paper while IT systems were recovered. A similar attack struck the Irish Department of Health a week earlier.
In scenes that echoed the WannaCry ransomware attack on the UK's National Health Service in 2017, many outpatient services were cancelled. Irish Prime Minister (Taoiseach) Micheál Martin told the BBC: "It's a shocking attack on a health service, but fundamentally on the patients and the Irish public."
The Financial Times reported how health records were being shared online – a claim Irish Communications Minister Eamon Ryan described as "very credible".
Verizon 2021 Data Breach Investigations Report
Lastly this week, Verizon published its annual Data Breach Investigations Report. Covering the last 12 months, the report analyzed 29,207 cybersecurity incidents, of which 5,258 were data breaches – a third more than the previous year. According to the report, and a summary of it by Solutions Review, phishing attacks increased by 11 percent since the previous year, while ransomware attacks rose by six percent.
Furthermore, a huge 85 percent of breaches involved a human element, raising questions over the public's ability to spot a cybersecurity incident, and highlighting a lack of training and education on how cyberattacks take place. Four in five incidents were spotted by an outside party and not by the victim.
Week of May 10: Colonial Pipeline
Anyone living along the southeast corridor of the United States has likely seen or felt the impact of a reported ransomware attack that hit Colonial Pipeline. The company first reported the attack late last week, in early May, and as a result shut down its pipeline, which moves more than 100 million gallons of fuel across parts of the U.S., wrote CBS News. The company was able to restart the pipeline this week, on Wednesday, but has warned people that getting gasoline supplies to stations back up to speed could take many more days.
Pennsylvania Covid-19 contact tracing
A breach of Covid-19 contact tracing details may have exposed private data of about 72,000 people, according to a statement from the Pennsylvania attorney general, reported by the Associated Press. The information was stored with a contact tracing vendor, Insight Global, which has reportedly admitted that people working for it shared information, including the names of people who may have been exposed to Covid-19 as well as their symptoms, among possibly other details, via Google accounts that were not authorized. Pennsylvania's Attorney General Josh Shapiro has stated his office is investigating.
Egress, a software company that focuses on data breaches, has issued a security report stating that it believes 85 percent of organizations that use Microsoft 365 have had an email data breach in the last 12 months. The report, Outbound Email: Microsoft 365's Security Blind Spot, noted that 15 percent of organizations that use Microsoft 365 had more than 500 data breaches in the last year, as compared to just 4 percent of companies that had not used it.
The report was compiled from interviews with 500 IT leaders and 3,000 remote workers in the US and the UK in financial services, healthcare and legal.
Week of May 3, 2021: Peloton
It was revealed this week that, in January, security researcher Jan Masters, from Pen Test Partners, reported to Peloton that the up-market exercise bike maker had a data problem. Masters had discovered that it was possible for anyone to view the personal details of any Peloton user, even if they had their account set to private and had no friends on the exercise platform. Due to an API fault, it was possible to view any Peloton user's age, gender, city, weight and workout statistics.
Mistakes happen, but the bigger issue here was how Peloton did not respond to Masters and did not fix the problem within the industry-standard 90 days Masters gave the company before making his findings public. Peloton has since fixed the issue and apologised for its slow response. "We took action, and addressed the issues based on his initial submissions," Peloton said. "But we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported."
You can read more about this incident in a blog post on the Pen Test Partners website.
Amazon fake reviews scam
This is an interesting data breach, as the exposure of this data also shed light on an Amazon review scam. The exposed 7GB database contained over 13 million records related to how an Amazon scam review system works. In a bid to gain 5-star reviews for products, sellers contact Amazon users, tell them which products to buy, then refund them the cost through PayPal once a positive, 5-star review has been posted to Amazon. The seller gets a 5-star review for their products, and the customer gets fully refunded for the items they buy.
The database potentially implicates more than 200,000 people in the scam, according to Safety Detectives, which discovered the database on an ElasticSearch server with no password or encryption. Exposed data includes the email addresses and phone numbers of vendors, as well as PayPal account details, email addresses and usernames of reviewers. Over 230,000 Gmail email addresses were also exposed by the unprotected server.
Finally this week, Britain's National Health Service website was found to expose details on whether a citizen has had their Covid-19 vaccine or not. Discovered by the Guardian, the fault was found in an NHS website used to book vaccinations. A person's vaccination status was exposed by the website to anyone who either knew the person's NHS number or basic information about them. In theory, an employer could find out whether someone had had their vaccine while knowing only basic identity information about the person.
"This is a seriously shocking failure to protect patients' medical confidentiality at a time when it could not be more important," said Silkie Carlo, the director of privacy group Big Brother Watch. "This online system has left the population's Covid vaccine statuses exposed to absolutely anyone to pry into. Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll."
Week of April 26, 2021: DigitalOcean
DigitalOcean, a cloud-based firm for developers, is warning customers about a data breach that exposed information connected to their billing details. The company says the flaw that allowed the hacker to get inside has been fixed, but over two weeks the attacker was able to see people's names and addresses associated with their bills, as well as the last four digits of any card used to pay their accounts, reports TechCrunch.
DigitalOcean is a service that developers tap to create and write programs and have them stored in the company's cloud as they work. And while passwords were not involved in the breach, nor the actual DigitalOcean account, 1 percent of billing profiles were involved and also included card expiration dates and the name of the bank that a payment card was connected to.
University of California
A data breach of University of California students' personal details is now showing up on the dark web, according to some students, including at least one alumna, themselves. Some of this information includes Social Security numbers, email and home addresses and also phone numbers, reports The Daily Californian.
The University of California was caught up in the Accellion cyberattack, which precipitated the loss of information of its own community. The UC system is offering a free year of credit monitoring, but some of those affected have raised concerns that this is not sufficient.
JPMorgan Chase Bank
A new phishing attack is making the rounds going after customers of JPMorgan Chase Bank. These phishing attempts are building off details found on social media — which appear to be posted by customers — and gleaning those pieces of information to better tune their attacks, reports Infosecurity Magazine.
One of the attacks claims to be a credit card statement, telling customers that their details can now be read. The link takes them to a fake web site that looks like it's coming from Chase and asks them to type in their user name and password. But the name of the bank is spelled slightly wrong, with a space between the JP and the Morgan, and the letter "P" not capitalized.
People should take some time to make sure they're taking steps to try and protect themselves from phishing attacks.
Week of April 19, 2021: Apple
Apple was this week targeted by a $50 million ransomware attack, after a trove of engineering and manufacturing schematics of its products was stolen from manufacturing partner Quanta. The Taiwanese company manufactures MacBooks and other products for Apple, and the stolen data related to current and future devices, The Record reported.
The leak was reportedly carried out by Russian hacking group REvil, which is also known as Sodinokibi. The stolen images were published online on April 20 to coincide with Apple's Spring Loaded product launch event, after Quanta refused to pay the $50m ransom demand. The hackers now hope that Apple will pay up before more images are set to be leaked on May 1.
Douglas Elliman Property Management
Thousands of New York residents learned this month that they may have had their personal information compromised. The data breach stems from Douglas Elliman Property Management, whose three managing directors emailed hundreds of co-operative and condominium boards at the start of the week, advising them about an IT network breach, reports The Real Deal.
Elliman is one of the largest residential property management firms in New York City, representing 390 properties and over 45,000 units as of 2018.
The email said the firm had detected "suspicious activity" on its IT system on April 7 and had contacted law enforcement. An unauthorized party gained access to the network, including files containing the personal data of owners and employees. This data may have included names, dates of birth, mailing addresses, Social Security numbers, driver's license numbers, passport numbers and financial information.
Finally, this week saw the reporting of a data breach at the Geico insurance company that left customers' driver's license numbers exposed online for more than a month. The incident was detailed in a data breach notice filed with the attorney general of California, and first reported by TechCrunch.
"We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver's license number through the online sales system on our website," the notice said.
It went on: "We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Geico does not say how many customers may have been affected by the data breach, but says the error has now been fixed.
Week of April 12, 2021: ParkMobile
It's difficult when the app designed to save drivers one of their biggest headaches creates another. But that's exactly what happened to those who use a very popular app, ParkMobile, which millions of people throughout North America use to digitally pay for their parking spot on the street. The app's customer data has been breached and is for sale on a crime forum, according to KrebsOnSecurity.
To create an account, drivers have to input the typical — personal — details including phone numbers, email address and in some cases mailing addresses. And because this app helps ensure a driver's specific car has paid for its parking, license plate numbers have been breached as well. ParkMobile apparently knew about the issue at least by March 26, because they put out a security report. But they did not tell people to go in and change their password. Which we're telling you to do. Now.
The NBA's Houston Rockets have been hit with a ransomware attack that holds business details about the basketball team hostage, said Bloomberg, which confirmed the news. The team said it prevented some ransomware attempts from being installed on its system, but not all. And the hackers have publicly stated they have some details including contracts, financial information and non-disclosure agreements, and will publish them if they don't get paid. How successful is this particular hacking group? They reportedly got one victim to pay $85,000.
W2 phishing lures
People are getting phishing emails claiming to be a file regarding a Home Loan, with a link that purports to have their 2020 Tax Returns and a W2 attached. That's the lure. But when people click on the link, they're presented with a form which asks them to put their email details — including password — to get into the file. That, clearly, doesn't open the file as it doesn't exist. Instead, people have just given hackers access to their email account.
Key here is not to click on links in emails almost ever. Even if an email appears to come from a trusted source, these can be spoofed — or faked — and a better course of action is to call the person and confirm that they've actually sent the email you've received.
Week of April 5, 2021: Facebook
This week began with the discovery of the personal details of 533 million Facebook users in a hacking forum. The freely-available data include phone numbers, names and dates of birth from users across 106 countries, with 32 million US citizens implicated. The data came from a vulnerability that was patched by Facebook in August 2019. Facebook has confirmed the legitimacy of the data but says it will not be informing users that have had their details exposed by the breach.
Instead, users can check if they have been caught up in the breach by entering their phone number into the Have I Been Pwned website, an online tool that cross-references data against data breaches.
Travel website Booking.com has been fined €475,000 (approximately $560,000) for breaching GDPR law by failing to report a data breach within 72 hours. The company suffered a data breach in 2018 and discovered on January 13, 2019 that details belonging to 4,100 users had been stolen. But instead of reporting the data breach to the regulator within three days, Booking.com waited until February 7 to disclose the incident.
Due to the breach in Europe's data protection laws, Netherlands-based Booking.com was issued with the fine. The Dutch Data Protection Authority said: "This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this on time."
Michigan State University
Michigan State University (MSU) this week said it has been implicated in a data breach stemming from a cyber-attack on Ohio law firm Bricker & Eckler LLP. The firm was hit by a ransomware attack in January 2021, with an unauthorised party accessing internal systems over the second half of the month. Exposed data may have included names, addresses, some medical- and education-related information, driver's licence numbers and, in some cases, Social Security numbers.
The Lansing State Journal then reported that the breach exposed Title IX case information belonging to just under 350 people at MSU. Bricker said in a statement: "A limited number of individuals, some of whom are no longer affiliated with MSU, may have been impacted. Those individuals have been contacted and connected with the proper resources."
Week of March 29, 2021: IRS refund
Hackers are reportedly sending emails targeting college students and university staff with ".edu" addresses, claiming to be from the Internal Revenue Service and offering taxpayers a way to check on the status of their refunds.
The emails, which carry subject lines such as "Tax Refund Payment" or "Recalculation of your tax refund payment", contain a link that leads to a phishing site. There, victims are asked for their Social Security number, driver's license number, address, date of birth, name and more. Tellingly, these are the same data points the IRS asks for on its own site, which means the hackers could use the stolen information to reroute legitimate refunds to themselves.
Got one of these emails? You can save the email using the "save as" option, and send that as an attachment to firstname.lastname@example.org.
University of Maryland + University of California
A ransomware attack appears to be under way against the University of Maryland and the University of California, according to ZDNet. Screenshots of passports, a federal tax document, an application for tuition remission and more have appeared online, presumably taken by the hackers, and show Social Security numbers, birth dates, immigration status and other personal details.
In January 2021, Ubiquiti, which makes networking devices such as routers, reported a breach of systems that were hosted by a third party. At the time, the company said it was not aware of evidence that databases holding user data had been accessed. Now Krebs on Security reports that a whistleblower has described the breach as "catastrophic," and said the claim that a third party, rather than Ubiquiti, was the one targeted "…was a fabrication."
Instead, the whistleblower says, hackers got complete access to Ubiquiti's databases hosted on Amazon Web Services, which is what the company was pointing to as the third party. From there they were able to reach every database, including all user account details. Those details reportedly could have let the attackers authenticate to any of Ubiquiti's cloud-managed devices. Which is, again, a reason to: Change. Your. Password.
Week of March 22, 2021: FatFace
British clothing retailer FatFace this week told its customers that it has been the victim of a data breach – then asked them to keep the matter private. The breach occurred on January 17, two months before the company informed its customers that an unspecified amount of data including names, email and postal addresses, and the last four digits and expiry date of their credit cards, had been compromised.
FatFace said the two-month delay in disclosing the breach was due to identifying who was involved in the incident and what data was involved. The company said: "This identification effort was comprehensive and coordinated by our external security experts; it therefore took time to thoroughly analyze and categorize the data to ensure we can provide the most accurate information possible."
The company then asked affected customers to "keep this email and the information included within it strictly private and confidential."
As security expert Graham Cluley said this week: "What a shame FatFace hadn't been quite so cautious about the privacy and confidentiality of its customer."
Next up this week is air charter firm Solairus Aviation, which announced on March 23 that it had suffered a data breach. Some employee and customer data was compromised in an incident at third-party vendor Avianis, an aviation business management platform provider.
Data stored by Solairus with Avianis included employee and client names, dates of birth, Social Security numbers, driver's licence numbers, passport numbers and financial account numbers. The company said in a message to customers: "Solairus regrets the inconvenience or concern this incident may cause you. Every member of the Solairus community is important, and Solairus values your security and privacy."
Oil and gas company Shell announced on March 16 that it had suffered a data breach related to an incident involving Accellion's file transfer application, which is used by Shell to securely transfer large data files.
Shell said in a statement: "Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cyber security team, and started an investigation to better understand the nature and extent of the incident. There is no evidence of any impact to Shell's core IT systems as the file transfer service is isolated from the rest of Shell's digital infrastructure."
The company did not say how many individuals were affected by the data breach, but said an unknown actor gained access to "various files" during the breach. This included personal data and information "from Shell companies and some of their stakeholders."
Week of March 15, 2021: WeLeakInfo
In a reversal many may say is fair, WeLeakInfo — a site where people once went to buy stolen data — leaked the details on those who have made purchases from them. Data on more than 24,000 users was found in an archived ZIP file, according to TechRadar, and is now on sale.
The information stems from sales made over Stripe, which is an online payment system, and includes names, IP addresses, physical addresses, and some credit card details. There are also the dates the transactions happened, Stripe reference numbers and phone numbers.
New York Unemployment
New Yorkers applying for unemployment may have been caught in a phishing scam that captured not only their details but also copies of their personal documents. The scam worked over text message and email; anyone who clicked the link was sent to a site that looked exactly like the website where people apply for unemployment through New York State. Except this site was a fake, according to CBS.
After victims logged in as they would for unemployment (which captured their username and password), the fake site asked them to upload documents, further netting Social Security cards and driver's licenses among other details.
Rule of thumb? When going to state or federal websites, type the address directly into your browser's address bar, or use a bookmark you saved earlier. Do not click on a link in a message.
Another attack that starts by luring victims to click a rogue link arrives as a traffic-ticket email. People receive an email with a subject line claiming they have been issued a ticket. A link in the email sends them to a rogue site, where they're told to click on a photo to see proof of their violation, says ZDNet.
That link actually installs malware on their computer: Trickbot, known as a banking trojan, which can steal login details from Windows computers.
Again: please do not click on links in emails.
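Several of the lures in this report (the IRS refund email, the New York unemployment lookalike site and the traffic-ticket email) rely on a link whose real destination is not what the message suggests. The Python script below is an added example, not code from GearBrain's report or from any of the organisations mentioned: it pulls every link out of an email body and flags those that do not point at an allowlisted official domain, whose visible text is a URL for a different host than the one actually linked, or that are not served over HTTPS. The sample message and the allowlist of official domains are constructed for illustration.

```python
"""Flag suspicious links in a phishing email.

Added example; not code from the original report. The sample message and
the allowlist of official domains below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the sites a reader is actually expected to visit.
OFFICIAL_DOMAINS = {"irs.gov", "labor.ny.gov"}

# Visible link text that itself looks like a URL, e.g. "www.irs.gov/refunds".
URL_TEXT_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

# Constructed sample: a "Tax Refund Payment" lure like the one described above.
SAMPLE_EMAIL = """<html><body>
<p>Tax Refund Payment: your recalculated refund is ready.</p>
<p><a href="http://irs-refund-status.example/verify">https://www.irs.gov/refunds</a></p>
<p>Benefits portal: <a href="https://labor.ny.gov/signin">labor.ny.gov</a></p>
<p><a href="https://unemployment-ny.example/login">Click here to upload your documents</a></p>
</body></html>"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_official(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def displayed_host(text: str) -> str:
    """Host named by the link's visible text, if that text looks like a URL."""
    text = text.strip()
    if not URL_TEXT_RE.match(text):
        return ""
    return host_of(text if "://" in text else "http://" + text)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyse_links(html: str) -> list:
    """Return one finding per link, with the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        reasons = []
        if not is_official(real_host):
            reasons.append("host not in allowlist")
        shown = displayed_host(text)
        if shown and shown != real_host:
            reasons.append("displayed URL differs from real target")
        if urlparse(href).scheme != "https":
            reasons.append("not https")
        findings.append({"href": href, "text": text.strip(), "host": real_host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  ({'; '.join(f['reasons']) or 'no issues'})")
```

The allowlist check is deliberately strict: anything that is not the official domain or one of its subdomains is flagged, which also catches lookalikes such as a host that merely starts with or contains "irs.gov". The mismatch check catches the classic trick of showing a genuine-looking address as the link text while the href goes elsewhere.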
Week of March 8, 2021: Microsoft
Microsoft said on March 8 that it was still seeing "multiple actors" taking advantage of unpatched systems to attack organizations running its Exchange Server platform. The update came almost a week after the computer giant first announced it had detected multiple zero-day exploits being used to attack on-premises versions of Exchange Server in what it called "limited and targeted attacks."
Microsoft attributed the attacks "with high confidence" to HAFNIUM, a group it says is state-sponsored and operates out of China. The White House later urged network operators to take further steps to ensure their systems are safe, because applying Microsoft's patches closes the holes but does not evict an attacker who is already inside. The White House said: "We can't stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted."
It was found this week that a cyberattack on cloud hosting and IT service provider Netgain now affects an additional 210,000 Americans. Minnesota-based Netgain Technologies had to take down some of its data centers following a cyberattack in November 2020.
Netgain provides services to several companies in the healthcare and accounting sectors, and admitted in December that health information of patients of Woodcreek Provider Service was stored on servers affected by the attack. The information included names, addresses, medical record numbers, dates of birth, Social Security numbers, insurance claims, clinical notes, invoices, bank account numbers, DEA certificates and some medical records, among other data.
Finally this week, a hacking collective breached a database containing video feeds from security cameras operated by Verkada, a technology startup based in Silicon Valley. The trove included live feeds from 150,000 security cameras in sensitive locations such as schools, police departments, hospitals, prisons and businesses. Bloomberg reported that high-profile firms exposed by the breach included Tesla and Cloudflare.
It was reported that the data breach was carried out by hackers who wanted to demonstrate how easily such surveillance systems could be broken into.
Verkada said: "Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement."
Week of March 1, 2021: Malaysia Airlines
Malaysia Airlines has admitted to a data breach affecting members of its frequent flyer programme, and said it was notified by a third-party IT service provider about an incident that took place between March 2010 and June 2019, according to Bleeping Computer. While passwords were not involved, said Malaysia Airlines, members' contact information, rewards tier level, frequent flyer number and date of birth were part of the breach.
On Twitter, the airline also stated that its own computer systems were not involved and that the breach happened on a third party's network. It nonetheless encouraged members to change their passwords.
SITA, which provides passenger-processing systems to airlines, said on March 4 that it had been hit by a data breach. The attack, which SITA said happened on February 24, 2021, involved passenger data. SITA handles details for multiple parts of the airline industry, from baggage to passenger processing, and the company says about 90 percent of the world's airlines are its customers.
Qualys, a cloud security and compliance firm, has confirmed that the hack of Accellion, which caught a number of other firms including grocer Kroger, affected it as well.
While the company says operations were not affected, the exploit did touch information that was "part of our customer support system," the firm said in a statement. The company also found that some files "hosted on the Accellion FTA server" were accessed without permission, and said it had notified "the limited number of customers impacted by this unauthorized access."
Week of February 22, 2021: Kroger
Kroger recently announced it has fallen victim to a data breach that struck at Accellion, a third-party firm providing a file transfer tool. The grocery store is in the process of contacting customers who might have been affected by the breach, which it says has presented no indication of fraud or misuse of personal information.
Kroger stopped using Accellion's service after being informed of the breach in late January 2021, reported the incident to the authorities, and began a forensic investigation.
Kroger said: "No credit or debit card information or customer account passwords were affected by this incident...While Kroger has no indication of fraud or misuse of personal information as a result of this incident, out of an abundance of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them."
NurseryCam, a service that lets parents view their children through a webcam while at nursery, has suffered a data breach. Informing its users of the incident this week, NurseryCam said it did not believe the incident had resulted in children or staff being watched by anyone without permission, but has switched off its server as a precaution.
The company said attackers had exploited a loophole in its system that allowed them to gather up the usernames, passwords, names and email addresses of parents who had used the service to watch their children remotely, the BBC reports. NurseryCam director Dr Melissa Kao said: "The person who identified the loophole has so far acted responsibly...he stated he has no intention to use this to do any harm".
The company is based in Guildford, Surrey, UK, and provides its services to around 40 nurseries across the country.
Clubhouse, the popular social media app that lets users join audio-only group chats, has suffered a data breach of sorts. While no personal user data was stolen, a third-party developer found a way to stream audio conversations on their own website, despite Clubhouse being iPhone-only and invitation-only. This undercuts Clubhouse's claims that audio conversations cannot be recorded, and the user has since been permanently banned from the app.
The incident led Stanford cybersecurity researchers to discover that Clubhouse was transmitting user ID numbers and chatroom IDs in plaintext, without any encryption. Clubhouse IDs can be connected to user profiles, allowing identities to be traced. Given these issues, David Thiel, chief technology officer of the Stanford Internet Observatory, warned that users should consider Clubhouse conversations to be "semi-public".
Week of February 15, 2021: Kia Motors America
Kia Motors America, based in California, was reportedly hit with a ransomware demand of 404 bitcoin, which at the time the attackers claimed was worth about $20 million. (404 is, of course, a reference to the web error code returned when a requested page cannot be found.) Today, bitcoin is hovering at about $51,811, which puts that value at $20.9 million. The attackers also warned that the amount would jump to 600 bitcoin if payment was not made in a "specific time frame," according to details obtained by Bleeping Computer.
With the payment, hackers promised to release a tool which would unlock the data — and also to not leak data as well. Kia Motors America however told Bleeping Computer they had not seen evidence that they were in fact victims of a ransomware attack.
Law firm Jones Day
A law firm, Jones Day, has suffered a data breach that involves internal communication within the firm, as well as client data, according to Bloomberg Law.
The breach came via the FTA file transfer platform, provided by Accellion and used by the firm, and at least one other law firm has been affected by the same breach in recent weeks. Accellion has admitted that FTA was hit by a cyberattack, and notified customers on December 23, 2020.
Up to 20 months of personal information on drivers in California may have been exposed after an attack on a third-party vendor used by the state's DMV, Automatic Funds Transfer Services, according to SF Gate.
Involved were details one would expect the DMV to hold, such as drivers' names, addresses and license plate numbers, but not information such as Social Security numbers.
Week of February 8, 2021: Cryptocurrency theft with SIM-swapping
This week, Europol announced the arrests of eight people for their alleged involvement in a series of SIM-swapping attacks targeting high-profile victims in the US. These follow two earlier arrests of people believed to be of the same criminal network. The group is alleged to have targeted thousands of victims throughout 2020, including famous influencers, sports stars, musicians and their families. Europol claims the group is believed to have stolen over $100 million worth of cryptocurrency from the victims, after gaining illegal access to their phones.
SIM-swapping is described by Europol: "It involves cybercriminals taking over use of a victim's phone number by essentially deactivating their SIM and porting the allocated number over to a SIM belonging to a member of the criminal network. This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques."
'Compilation of Many Breaches'
An unprecedented 3.27 billion cleartext credentials, email addresses or usernames paired with passwords, were leaked on a popular hacking forum this week, putting a huge proportion of internet users at risk of credential-stuffing attacks on their private accounts. Reported by Cyber News, the incident involved the leaking of databases containing usernames and passwords caught up in many previous leaks and data breaches, including those of Netflix and LinkedIn. The compilation is known as COMB, the Compilation of Many Breaches.
Cyber News explained: "This does not appear to be a new breach, but rather the largest compilation of multiple breaches...The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks are the biggest threat."
Credential stuffing is where criminals take the known email-and-password pairs from a dump like this and try them, automatically and at scale, against other online services, betting that the victim reused the same password elsewhere. It is not guessing: every attempt is a credential that already worked somewhere. The leak is believed to be twice the size of 2017's Breach Compilation, which included 1.4 billion email addresses and passwords from 252 previous breaches, including Minecraft, Badoo, Bitcoin and Pastebin.
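To make the credential-stuffing risk concrete from the defender's side, here is a small detector, added here as an example rather than taken from Cyber News or the report. It reads authentication log lines and flags any source IP that attempts logins against many different accounts inside a short window, which is the signature of a leaked list being replayed: a real user who mistypes hits one account repeatedly, while a stuffing run walks down a list. The log format, the thresholds and the log lines themselves are constructed assumptions.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example; not from Cyber News or the original report. The log format,
thresholds and log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO time>Z ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

# Constructed sample: one legitimate user mistyping a password, one source
# walking a leaked list against eight accounts, and one unrelated login.
SAMPLE_LOG = """\
2021-02-08T09:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2021-02-08T09:00:09Z ip=198.51.100.7 user=alice@example.com result=FAIL
2021-02-08T09:00:20Z ip=198.51.100.7 user=alice@example.com result=OK
2021-02-08T09:01:00Z ip=203.0.113.5 user=u1@example.com result=FAIL
2021-02-08T09:01:01Z ip=203.0.113.5 user=u2@example.com result=FAIL
2021-02-08T09:01:02Z ip=203.0.113.5 user=u3@example.com result=FAIL
2021-02-08T09:01:03Z ip=203.0.113.5 user=u4@example.com result=FAIL
2021-02-08T09:01:04Z ip=203.0.113.5 user=u5@example.com result=FAIL
2021-02-08T09:01:05Z ip=203.0.113.5 user=u6@example.com result=FAIL
2021-02-08T09:01:06Z ip=203.0.113.5 user=u7@example.com result=FAIL
2021-02-08T09:01:07Z ip=203.0.113.5 user=bob@example.com result=OK
2021-02-08T09:05:00Z ip=192.0.2.9 user=carol@example.com result=OK
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["res"] == "OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that try logins against >= min_users distinct accounts
    within any sliding window of the given length.

    A legitimate user who mistypes hits one account repeatedly; a stuffing
    run replays a leaked list, so it touches many accounts, mostly failing,
    with the occasional success where a password was reused.
    """
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["user"] for e in evs[start:end + 1]}))
        if peak >= min_users:
            flagged[ip] = {
                "distinct_users_in_window": peak,
                "attempts": len(evs),
                "failures": sum(not e["ok"] for e in evs),
                # Accounts that accepted a replayed password: reset these first.
                "compromised": sorted({e["user"] for e in evs if e["ok"]}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Note that the legitimate user at 198.51.100.7 fails three times and is not flagged, because every attempt is against one account; the replay from 203.0.113.5 is flagged on the spread of accounts, not the failure count, and the one account that accepted a replayed password is listed for immediate reset. In practice an attacker spreads the run across many IPs, so the same logic is usually applied per user-agent, per ASN or per "fingerprint" as well.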
Cyberpunk developer CD Projekt
CD Projekt, the Polish developer of the Cyberpunk 2077 video game, fell victim to a cyberattack this week. Hackers broke into the company's servers and claim to have stolen source code for its Cyberpunk 2077, Gwent and Witcher 3 games. A ransom note left by the hackers and published this morning (February 9) on CD Projekt's Twitter account also claims they have obtained "all of your documents relating to accounting, administration, legal, HR, investor relations and more". The hackers say these documents "will be sent to our contacts in gaming journalism," and that the developer's servers have been encrypted.
The hackers then appear to have put the stolen code up for auction, with a starting price of $1 million and a buy-it-now option for $7 million. They later claimed to have received an offer for the data, according to cybersecurity firm Kela.
In a statement released alongside a copy of the ransom note, CD Projekt said it discovered the cyber attack on February 8 and admitted that some of its "internal systems" had been compromised. The statement said: "An unidentified actor gained unauthorized access to our internal network, collected data belonging to CD Projekt capital group, and left a ransom note...Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data."
Week of February 1, 2021: USCellular
USCellular has disclosed a breach that leaked names, addresses, billing information and other details of existing customers. The breach happened in January 2021, when retail workers in a store downloaded a rogue program onto a computer, which then gave the attackers a way into USCellular's systems, specifically a customer relationship management program.
The company filed a notice with the Office of the Vermont Attorney General, and also contacted affected customers to alert them to the breach and to the fact that their login details and PINs had been changed. The affected computer has been taken offline, and employee login details have also been changed.
People who filed for unemployment in Washington state may have been caught up in a data breach that revealed personal details on 1.6 million claimants from throughout 2020. The breach is being blamed on an outside software service, Accellion, according to GeekWire.
The attack itself occurred on December 25, 2020, and the affected data covered people who had filed for unemployment through December 10, as well as some state employees. Details ranging from claimants' names to their Social Security numbers, driver's license numbers, bank information and prior employers were exposed. People who believe they may be affected can visit a state website with more details about the breach, put up by the Office of the Washington State Auditor.
Illinois-based DriveSure, which provides services to car dealerships, had its database breached, with details on more than 3 million customers involved. The breach, reported by Infosecurity, exposed names, email addresses, phone numbers, the car owned, home addresses, car damage records and more. It also involved more than 93,000 hashed passwords.
The hack was discovered after the data was uploaded to a dark web forum on December 19, 2020, and included three folders of information including .mil and .gov email addresses.
Week of January 25, 2021: Bonobos
Men's clothing retailer Bonobos suffered a massive data breach earlier this month, which saw millions of customers' details exposed in a 70GB database. The trove included customer addresses, phone numbers, the last four digits of credit card numbers, order information and password histories, reports Bleeping Computer.
The data included the addresses and phone numbers of seven million customers or orders, and 3.5 million partial credit card numbers. The retailer, which was bought by Walmart in 2017 for $300 million, says the data was stolen from an online backup rather than from the website itself. The company said: "What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment. We contacted the host provider to resolve this issue as soon as we became aware of it." Customers of Bonobos are urged to change their passwords immediately, and to change their login details of any other services or accounts they use with the same password.
Online gaming platform VIP Games was found this week to have exposed 23 million data records on a misconfigured server, researchers from WizCase discovered. The data belonged to 66,000 users and included usernames, email addresses, social media IDs, bets, device details, IP addresses and hashed passwords.
VIP Games has in the region of 20,000 daily players and offers online versions of popular classic card and board games like Ludo and Dominoes. Chase Williams from WizCase wrote: "If such data had fallen into the hands of cybercriminals, it could have been exploited for identity theft, fraud, phishing, scamming, espionage and malware infestation. The leak was discovered as part of WizCase's research project that randomly looked for open servers and sought to understand what data these servers contained."
Cryptocurrency services are a popular target for hackers, and the latest victim is India-based BuyUCoin, which appears to have had an insecure database accessed by the hacking group ShinyHunters. The cryptocurrency exchange says it is investigating claims that sensitive data of hundreds of thousands of its users has been published on the dark web, reports Graham Cluley for BitDefender. The 6GB of leaked data appears to have come from a MongoDB database and includes user bank account details, email addresses, hashed passwords, mobile phone numbers and Google sign-in tokens.
Having first described the incident as "a low impact security incident" which only affected 200 entries of non-sensitive dummy data, BuyUCoin later replaced this statement with a message saying it is "investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020."
Week of January 18, 2021: Capcom
Players of the popular titles "Dark Stalkers" and "Resident Evil" should check their credentials and start changing passwords. The developer of the titles, Capcom, is expanding the number of accounts that may have been compromised in a ransomware attack in November 2020, reports Threatpost.
Originally thought to be 40,000 customers, the attack now may have affected 400,000 accounts with personal data involved.
Nitro, a web-based PDF service, has been hit in one of the worst ways, with a database of more than 77 million records leaked online for free. The records include email addresses, names, passwords and IP addresses, the numeric address assigned to a device such as your computer when it connects to the internet.
While the hack itself happened in 2020, the database is only now freely available online, after a download link was earlier offered for $3, according to BleepingComputer.
Security firm Malwarebytes is reporting an intrusion into its systems that gave the attackers access to some internal company emails. The intruders got in through Microsoft Office 365 and Azure, according to Ars Technica, which added that this is the same threat actor behind the SolarWinds supply-chain attack, which began in 2019 and was disclosed in December 2020.
Week of January 11, 2021: Parler
Despite being taken offline and dropped by Apple, Google and Amazon, millions of posts published to the Parler social media app are still visible online. The messages were "scraped" from Parler before the service went offline on January 11, and uploaded to the Internet Archive, by Twitter user @donk_enby, a self-described hacker and internet activist. She tweeted that the scraped data included deleted and private posts, plus videos with "all associated metadata." That data is thought to include the locations where the posts and videos were created.
As such, the data collected by @donk_enby could prove highly valuable, as law enforcement could potentially use the metadata to identify rioters who stormed the Capitol last week. Unusually, Parler did not strip the metadata from uploaded images and videos, as other social networks and web services do.
Ubiquiti Networks, a vendor of networking equipment and Internet of Things devices, wrote to its customers on January 11 to inform them of a recent security breach. The company said: "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider." The targeted servers stored information relating to user profiles for the company's account.ui.com web portal.
While the company says it is "not currently aware of evidence of access to any databases that host user data," it admits it "cannot be certain that user data has not been exposed." This data, Ubiquiti says, may include customer names, email addresses and one-way encrypted passwords, in other words passwords that are hashed and salted. Customers are urged to change their password, and also the passwords of any websites and services where they used the same password as on Ubiquiti. Customers should also enable two-factor authentication.
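Ubiquiti's advice to change passwords even though the stored ones were hashed and salted is worth unpacking, and the same point applies to the hashed passwords in the DriveSure and VIP Games incidents above. The Python below is an added illustration, not Ubiquiti's code or the report's, of what salted, slow hashing buys a site whose password table leaks: with a fast unsalted hash, one pass over a wordlist recovers every matching account at once and identical passwords are visible as identical hashes; with a per-user salt and a deliberately expensive function, every guess has to be recomputed for every account, and each computation is many thousands of times slower. The usernames, passwords, wordlist and iteration count are constructed assumptions.

```python
"""Salted, slow password hashing versus an unsalted fast hash.

Added example; not Ubiquiti's code or the report's. Users, passwords,
wordlist and the iteration count are constructed assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000  # assumed work factor; tune upward as hardware allows

# Constructed sample password table and attacker wordlist.
SAMPLE_USERS = {"alice": "Summer2020!", "bob": "password123", "carol": "Summer2020!"}
WORDLIST = ["123456", "password", "password123", "Summer2020!", "letmein"]


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1_table(users: Dict[str, str]) -> Dict[str, str]:
    """What a naive site stores: one fast, unsalted hash per user."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_table(users: Dict[str, str]) -> Dict[str, str]:
    """What a careful site stores: a per-user salt plus a slow KDF."""
    return {u: hash_password(p) for u, p in users.items()}


def crack_unsalted_sha1(table: Dict[str, str], wordlist: list) -> Tuple[Dict[str, str], int]:
    """One pass over the wordlist recovers every account whose password is in it.
    Returns (user -> password, number of hash computations)."""
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)  # equal passwords share a hash
    found, work = {}, 0
    for guess in wordlist:
        work += 1
        h = hashlib.sha1(guess.encode()).hexdigest()
        for user in by_hash.get(h, []):
            found[user] = guess
    return found, work


def crack_salted(table: Dict[str, str], wordlist: list) -> Tuple[Dict[str, str], int]:
    """With per-user salts every guess must be recomputed for every account,
    and each computation costs ITERATIONS rounds instead of one."""
    found, work = {}, 0
    for user, stored in table.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    fast = unsalted_sha1_table(SAMPLE_USERS)
    print("unsalted:", crack_unsalted_sha1(fast, WORDLIST))
    slow = salted_table(SAMPLE_USERS)
    print("salted:  ", crack_salted(slow, WORDLIST))
```

Run against the sample table, the unsalted version falls in five SHA-1 computations and shows at a glance that alice and carol share a password; the salted version needs a separate, slow computation per guess per user. The honest lesson is that salting and a slow hash only buy time against a good wordlist, which is exactly why a breached site tells users to change their passwords anyway.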
The European Medicines Agency (EMA) announced on January 12 that some of the data stolen from its servers relating to the Covid-19 vaccine developed by Pfizer and BioNTech has been leaked online. The EMA said: "The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to Covid-19 medicines and vaccines belonging to third parties have been leaked on the internet...Necessary action is being taken by the law enforcement authorities."
The agency was keen to point out that European medicines regulation services remain fully functional, and the evaluation and approval timelines of Covid-19 vaccines have not been affected by the data breach, reports BleepingComputer. It is claimed the stolen data, which was unlawfully accessed in December 2020, includes screenshots of emails, EMA peer-reviewed comments, Word documents, PDFs and PowerPoint presentations.
Week of January 4, 2021: British Airways £3 billion settlement
British Airways has started to talk about settlements for its 2018 data breach, which exposed details of 185,000 of the airline's rewards members as well as about 380,000 regular users of its app and website.
Details ranging from names and email addresses to credit card numbers and their security codes were breached, and the settlement could reach up to £3 billion, according to Infosecurity magazine.
T-Mobile attacked again
T-Mobile has started alerting customers about a data breach that involved their phone numbers, the number of lines on their accounts and even call records. But the company emphasized that details including Social Security numbers, passwords and even physical addresses were not compromised.
The unauthorized access was stopped, said T-Mobile, which is now investigating and has also "reported this matter to federal law enforcement," it said in a statement.
The company reported a similar attack back in March 2020.
Aurora Cannabis employee data breached
Canadian cannabis company Aurora Cannabis has started reaching out to employees, both current and past, about a breach on December 25, 2020. Involved were details the company holds on file about people who worked there, including banking data and home addresses, reports MJBizDaily.
Employees say they first heard about it on December 31; the breach involved Microsoft software including SharePoint and OneDrive.