Search This Blog

Showing posts with label Data Breach. Show all posts

Casepoint Investigates Alleged Breach After Hackers Claimed Theft of Government Data

US-based legal technology platform, Casepoint has apparently investigated a potential cybersecurity incident following claims of threat actors, who have hacked the platform claiming terabytes of sensitive data.

Casepoint offers legal advice for governmental organizations, businesses, and law firms in litigation, investigations, and compliance. The company has a number of well-known clients, including the U.S. Department of Defense (DoD), Marriott Hotels, the Securities and Exchange Commission (SEC), the U.S. Courts, and the Mayo Clinic.

Vishal Rajpara, the CTO and co-founder of Casepoint, released a statement in which he declined to confirm but otherwise did not seem to refute rumors that the ALPHV ransomware gang was responsible for the attack. BlackCat, the Russia-based ransomware gang claims to have stolen two terabytes of confidential data from Casepoint, which included data from the US government and “many other things you have tried so hard to keep,” the gang stated.

Some of the data stolen, according to TechCrunch, included private information from a Georgia-based hospital, a legal document, a state-sponsored ID and an internal document apparently issued by the FBI. However, the FBI is yet to confirm the allegations made by TechCrunch.

Following Casepoint’s acknowledgment of the investigation, ALPHV updated on the issue in a statement published on May 31. The firm also shared what seems to be the login details for the company’s software.

Rajpara published a statement on the issue, saying “Casepoint remains fully operational and have experienced no disruption to our services[…]the third-party forensic firm that we have engaged is currently running scans and deploying advanced endpoint detection monitoring tools and will be looking for signs of suspicious activity.” “We are early on in our investigation and are committed to keeping our clients informed as we learn more.”

However, Rajpara declined to comment on whether the business has technological resources to identify the data that was accessed or exfiltrated or whether it has been contacted by the ALPV ransomware organization with any communications, such as a ransom demand. 


The ALPHV gang has previously claimed to have attacked NextGen Healthcare, a U.S.-based maker of electronic health record software, and Ring, a video surveillance firm owned by Amazon. Despite the hackers' denials that they were connected to the gang, data obtained from Western Digital was also hosted on ALPHV's leak site.

Some other known victims of the ALPHV gang include Bandai Namco, Swissport, and the Munster Technological University in Ireland.  

UK Mental Health Charities Imparted Facebook Private Data for Targeted Ads


Some of the largest mental health support organisations in Britain gave Facebook information about private web browsing for its targeted advertising system. 

The data was delivered via a monitoring mechanism installed in the charities’ websites and includes details of URLs a user visited and buttons they clicked across content linked to depression, self-harm and eating disorders. 

Additionally, it included information about the times visitors saw pages to access online chat tools and when they clicked links that said "I need help" in order to request assistance. Some of the pages that caused data sharing with Facebook were particularly targeted towards youngsters, such as a page for 11 to 18-year-olds that provided guidance on how to deal with suicidal thoughts. 

Details of conversations between charities and users or messages sent via chat tools were not included in the data sent to Facebook during the Observer's analysis. All of the charities emphasised that they took service user privacy very seriously and that such messages were confidential.

However, it frequently involved browsing that most users would consider private, such as information about button clicks and page views on websites for the eating disorder charity Beat as well as the mental health charities Mind, Shout, and Rethink Mental Illness. 

The data was matched to IP addresses, which are typically used to identify a specific person or home, and, in many cases, specifics of their Facebook account ID. The tracking tool, known as Meta Pixel, has now been taken down from the majority of charity' websites. 

The information was discovered following an Observer investigation last week that exposed 20 NHS England trusts sharing data with Facebook for targeted advertising. This data included browsing activity across hundreds of websites related to particular medical conditions, appointments, medications, and referral requests.

Facebook says it makes explicit that businesses should not use Meta Pixel to gather or distribute sensitive data, such as information that could expose details about a person’s health or data belonging to children. It also says it has filters to weed out sensitive data it receives by mistake. However, prior research has indicated that they don't always work, and Facebook itself acknowledges that the system "doesn't catch everything".

The social media giant has been accused of doing too little to oversee what information it is being supplied, and faced questions over why it would allow some entities – such as hospitals or mental health organisations – to send it data in the first place.

Google Drive Deficiency Allows Attackers to Exfiltrate Workspace Data Without a Trace


The free version of Google Workspace lacks event logging, which can be exploited by attackers to download data from Google Drive without any trace of their unauthorized activity, researchers reported in recent findings. 

Mitiga researchers identified a significant "forensic security deficiency" in the widely used productivity application. This deficiency occurs because log generation is only available for users with a paid enterprise license for Workspace. As stated in a recent blog post by Mitiga on May 30, this situation exposes enterprises to insider threats and the risk of potential data leaks. 

A forensic security deficiency refers to a specific weakness or gap in the security measures of a system that hinders effective forensic analysis and investigation. In simpler terms, it means there is a flaw in the system's ability to gather and provide critical information necessary to understand and respond to security incidents. 

Event logging is the process of recording and storing detailed information about events or actions that occur within a system or application. It involves capturing data such as user activities, system events, errors, and other relevant information. 

The purpose of event logging is to provide a trail of recorded events that can be used for troubleshooting, security analysis, auditing, and compliance purposes. Users who have a paid license, like Google Workspace Enterprise Plus, have access to "drive log events" that provide visibility into Google Drive activity. 

These log events track actions such as copying, deleting, downloading, and viewing files. However, users with the default Cloud Identity Free license do not have this visibility. 

“Google Workspace provides visibility into a company’s Google Drive resources using ‘Drive log events,’ for actions such as copying, deleting, downloading, and viewing files. Events that involve external domains also get recorded, like sharing an object with an external user,” Mitiga explained. 

As a result, organizations using the free license cannot detect potential data manipulation and exfiltration attacks promptly. This limitation hinders their ability to effectively assess the extent of data theft, or even determine if any data has been stolen at all. 

“We recommend Google Cloud customers use VPC Service Controls and configure organizational restrictions in Google Cloud Storage buckets for exfiltration protection. Between this and appropriately configured cloud audit logs, customers can rest assured that their data is secure...” 

“…While improving log forensics hasn’t been an issue raised by our customers, we are continually evaluating ways to improve customers’ insight into their storage. The highlighted forensics gap in the blog is one of those areas we are examining,” a Google Cloud spokesperson reported.

SAS Airlines Faces $3 Million Ransom Demand After DDoS Attacks


Scandinavian Airlines (SAS) has recently become the target of a series of Distributed Denial of Service (DDoS) attacks, resulting in a $3 million ransom demand from a hacker group called Anonymous Sudan. This incident highlights the increasing sophistication and financial motivations behind cyberattacks on major organizations.

The DDoS attacks, which overwhelmed SAS's computer systems and disrupted its online operations, were followed by a ransom note demanding the hefty sum of $3 million in exchange for stopping the attacks and preventing further damage. The hackers threatened to expose sensitive data and continue their assault if the ransom was not paid within a specified timeframe.

The airline industry has been a recurring target for cybercriminals due to the potentially massive financial losses and disruption caused by such attacks. In this case, SAS faced significant operational challenges as its website and other online services were rendered inaccessible to customers, leading to a loss of revenue and damaging its reputation.

Responding to the situation, SAS promptly notified the appropriate authorities and engaged with cybersecurity experts to mitigate the ongoing attacks. The company also worked to restore its affected systems and strengthen its overall security posture to prevent future incidents. Collaboration with law enforcement agencies and cybersecurity professionals is crucial in investigating these attacks and bringing the perpetrators to justice.

The incident serves as a reminder for organizations to enhance their cybersecurity measures and be prepared for the evolving threats posed by cybercriminals. Proactive steps, such as conducting regular security assessments, implementing robust network infrastructure, and educating employees about potential risks, can help mitigate the impact of such attacks.

Incident response planning should also be given top priority by enterprises in order to reduce downtime and financial losses in the case of an attack. This entails developing a clear plan for confining and isolating the assault, recovering systems and data from backups, and keeping open lines of communication with key stakeholders all along the procedure.

The SAS Airlines ransom demand serves as a sobering reminder of the constant threat posed by cyberattacks and the significant financial implications for targeted organizations. Heightened cybersecurity measures, swift incident response, and collaboration among industry stakeholders are crucial in combatting these threats and safeguarding critical infrastructure from malicious actors.

Ghost Sites: Attackers are now Exposing Data From Deactivated Salesforce Sites

Varonis Threat Lab researchers recently discovered that Salesforce ‘ghost sites,’ that are no longer in use, if improperly deactivated and unmaintained may remain accessible and vulnerable of being illicitly used by threat actors. They noted how by compromising the host header, a hacker may gain access to sensitive PII and business data.

With the help of Salesforce Sites, businesses can build specialized communities where partners and clients could work collaboratively.

But when these communities are no longer required, they are frequently preserved rather than shut down. These sites aren't examined for vulnerabilities since they aren't maintained, and the administrators don't update the security measures in accordance with contemporary guidelines.

Apparently, Varonis Threat Labs on its recent findings discovered that since these ghost sites were not properly deactivated, they were easily accessible to attackers who were using them to put illicit data, exploiting the sites.

They added that the exposed data did not only consist of the old data of the sites, but also fresh records that were disclosed to guest user, who shared configuration in the Salesforce environment.

Salesforce Ghost Sites

According to Varonis Threat Labs, Salesforce ghost sites are created when a company, instead of using unappealing internet URLs uses a custom domain name. This is done so that the organization’s partners could browse the sites. . “This is accomplished by configuring the DNS record so that ‘’ [for example] points to the lovely, curated Salesforce Community Site at “[…]With the DNS record changed, partners visiting “” will be able to browse Acme’s Salesforce site. The trouble begins when Acme decides to choose a new Community Site vendor,” the researchers said.

Companies might switch out a Salesforce Experience Site for an alternative, just like they would with any other technology. Varonis Threat Labs stated, "Acme subsequently updates the DNS record of '' to link toward a new site that might function in their AWS environment." The Salesforce Site is no longer present from the users' perspective, and a new Community page is now accessible. The new page may not be functioning in the environment or connected to Salesforce in any way, and no blatant integrations are visible.

However, the study found that a lot of businesses only modify DNS entries. “They do not remove the custom domain in Salesforce, nor do they deactivate the site. Instead, the site continues to exist, pulling data and becoming a ghost site,” a researcher said.

Attackers exploit these sites simply by changing the host header. They mislead Salesforce into believing that the site was accessed as making the sites accessible to the attackers.

Although these sites can also be accessed through their whole internal URLs, an intruder would find it difficult to recognize these URLs. However, locating ghost sites is significantly simpler when utilizing tools that index and archive DNS information, like SecurityTrails and comparable technologies.

What is the Solution

Varonis Threat Labs advised that the sites that are no longer in use should be properly deactivated. They also recommended to track all Salesforce sites and their respective users’ permissions, involving both community and guest users. Moreover, the researchers created a guide on ‘protecting your active Salesforce Communities against recon and data theft.’ 

9 Million Patients' Data Exposed by Ransomware Attack on US Dental Giant


A ransomware attack may have compromised nearly nine million individuals' personal information in the United States. This is due to the harm caused by an apparent attack on a dental health insurer — one of the country's largest.

According to Managed Care of North America (MCNA) Dental, a multinational dental insurance company headquartered in the United States, the company took notice of certain activities in its computer system on March 6, 2023. MCNA immediately stopped those activities and began an investigation.

As a result, despite those steps being taken, the LockBit ransomware – which acquired responsibility for the attack – is making a comeback with a threat to leak 700GB of data stolen from MCNA's network if the company does not pay the attackers a $10 million ransom. To allow anyone to download all of the data, reports suggest the group released the data on its website on April 7 for anyone to download.

There are several dental insurers in the United States. However, Managed Care of North America (MCNA) Dental claims to be the nation's largest dental insurer for children and seniors covered by government-sponsored plans. Among the notices the company posted on Friday, it stated it became aware on March 6 that "certain activities in our computer system took place without our permission" and that the company had decided to take action. After it was discovered that a hacker had gained access to their computer system between February 26 and March 7, 2023, the company became suspicious that there was a breach of security. 

A breach notice from MCNA ticks the typical boxes: it was discovered that a criminal could view and copy some information stored in our computer system using IDX, a ZeroFox Inc.-owned company. 

Names, addresses, dates of birth, telephone numbers, e-mail addresses, Social Security numbers, driver's licenses, and other government-issued identification numbers were among the information that was stolen. There was also information regarding health insurance details, dental care records, billing, and insurance details that were taken. 

According to MCNA Dental, the hackers also gained access to information about a patient's health insurance plan information, Medicaid ID numbers, billing and insurance claim information, and bills and insurance claims. 

During this time, PharMerica, a leading pharmacy service provider with over 2,500 facilities in the US and offering over 3,100 pharmacy and healthcare programs, announced a data breach that exposed nearly six million patients. PharMerica operates in more than 2,500 facilities across the country.

As part of the notification to Maine's attorney general regarding the data breach, PharmaCrime indicated that on March 14, its computer network was discovered to have suspicious activity on it. 

It was reported on March 7 that the LockBit ransomware gang was responsible for the attack, saying they were willing to publish 700 gigabytes of stolen data unless the victim paid a $10 million ransom. LockBit released the data on April 7 because MCNA failed to pay the ransom.

To assist people whose personal information may have been involved in this incident, the insurer is now sending individual letters directly to them. 

Several questions must be addressed about possible liability and responsibilities arising from LockBit having the data and publishing it versus MCNA publishing its breach notice. Until well over a month after LockBit first released its data, the company did not notify its patients of the breach, which gave threat actors ample opportunity to target those in the affected area before the company was fully notified.

In the past, security experts have told organizations that are victims of ransomware not to pay the attackers in exchange for the decryption keys, however, due to double-extortion attacks that can lead to both companies and their clients suffering long-term harm due to data leaks, the rules of the game have changed. There are several factors to consider before paying a ransom. It might be to your advantage to give in to a ransom demand. This will save you a lot of trouble and time in the long run. 

Organizations can take several measures to prevent ransomware attacks from gaining a foothold in their networks. These measures include enhancing their overall security defense posture and implementing multifactor authentication (MFA). 

As part of their efforts to prevent phishing attacks, organizations should also maintain strong controls to shield them since attackers often use credentials stolen in this way as an entry point into a network to launch ransomware attacks and other malicious software.

Lazarus Hackers Exploit Windows IIS Web Servers for Initial Access


The notorious Lazarus hacking group has once again made headlines, this time for targeting Windows Internet Information Services (IIS) web servers as a means of gaining initial access to compromised systems. The group, believed to have links to the North Korean government, has a long history of conducting high-profile cyberattacks for various purposes, including espionage, financial theft, and disruption.

According to security researchers, Lazarus has been exploiting a vulnerability in Microsoft Internet Information Services (IIS) servers, specifically targeting those running older versions such as IIS 6.0 and IIS 7.0. This vulnerability tracked as CVE-2021-31166, allows remote code execution and has been previously patched by Microsoft. However, many organizations still fail to apply these critical security updates, leaving their systems vulnerable to exploitation.

The attack campaign starts with the hackers sending specially crafted HTTP requests to the targeted IIS servers, triggering a buffer overflow and ultimately allowing the execution of arbitrary code. Once the hackers gain a foothold in the compromised system, they can further expand their access, exfiltrate sensitive data, or even deploy additional malware for advanced persistence.

The motives behind Lazarus' targeting of IIS servers remain unclear, but given the group's history, it is likely to involve espionage or financial gain. It's important to note that the Lazarus group has been involved in numerous high-profile attacks, including the infamous WannaCry ransomware attack in 2017.

To protect against such attacks, organizations must prioritize the security of their web servers. This includes ensuring that all necessary security updates and patches are promptly applied to IIS servers. Regular vulnerability scanning and penetration testing can help identify any weaknesses that could be exploited by threat actors.

Additionally, organizations should implement robust security measures, such as web application firewalls (WAFs) and intrusion detection systems (IDS), to detect and block suspicious activities targeting their web servers. Strong access controls, regular monitoring of system logs, and user awareness training are also crucial in mitigating the risk of initial access attacks.

The Lazarus group's continued activities serve as a reminder that cyber threats are ever-evolving and require constant vigilance. Organizations must stay proactive in their approach to cybersecurity, staying up to date with the latest threats and implementing appropriate measures to protect their systems and data.

NYC’s Metropolitan Opera Faces Lawsuit for 2022 Data Breach

World’s largest opera house, the New York City’s Metropolitan Opera has recently been charged with a class action lawsuit following a data breach that took place in year 2022 and apparently compromised private information of around 45,000 employees and patrons. The lawsuit has been filed in the Manhattan Supreme Court.

According to Anthony Viti, former Met employee – the largest performing arts organization in the country – and the lead plaintiff in the lawsuit, the private information that is compromised in the breach includes victim’s Social Security number, driver’s license number, date of birth and financial account information.

When the breach was first reported by The New York Times in December, the company's website and box office had been down for more than 30 hours.

The lawsuit reads, “For approximately two months, The Met failed to detect an intruder with access to and possession of The Met’s current/former employees and consumers’ data[…]It took a complete shutdown of The Met’s website and box office for The Met to finally detect the presence of the intruder.”

Following the incident, The Met requested a third-party forensic investigation, which revealed that cybercriminals had stolen personally identifiable information over a two-month period between September and December.

“Through an investigation conducted by third-party specialists, the Met learned that an unknown actor gained access to certain of their systems between September 30, 2022 and December 6, 2022 and accessed or took certain information from those systems,” Stephanie Basta, the opera’s lawyer, wrote in a letter submitted to the Maine Attorney General on May 3.

Following the lawsuit, The Met responded by offering victims with a year of credit monitoring services.

The lawsuit condemned The Met, stating "The Met failed to detect an intruder with access to and possession of The Met's current/former employees' and consumers' data[…]It took a complete shutdown of The Met's website and box office for The Met to finally detect the presence of the intruder."

Viti said The Met's response to the data breach has been "woefully insufficient" and alleged that the organization did not disclose to affected parties that their data had been compromised until May 3, nearly five months after the incident.

However, The Met dejects the claims, saying “We strongly believe this case has no merit.”  

Free VPN Experiences Massive Data Breach, Putting Users at Risk


SuperVPN, a popular free VPN service, is said to have experienced a huge data breach, compromising over 360 million customer accounts. The leak is reported to have exposed 133GB of sensitive information, including user email addresses, originating IP addresses, and geolocation data. According to sources, the material exposed included secret programme keys, unique user identity numbers, and visited website logs. 

The size and scope of the breach highlight the importance of selecting a reliable free VPN service from the hundreds now available, as many fail to provide their users with adequate security cover - despite the fact that many people use a Virtual Private Network for privacy and security in the first place.

The SuperVPN data leak was first revealed on the vpnMentor website by security researcher Jerimiah Fowler, emphasizing the need of conducting thorough research when choosing a secure VPN provider. 

While the contents of this data breach appear to suggest otherwise, SuperVPN promises to offer extensive privacy protection on its help pages, claiming that it:  ‘…keeps no logs which enable interference with your IP address, the moment [sic] or content of your data traffic. We make express reference to the fact that we do not record in logs communication contents or data regarding the accessed websites or the IP addresses”.

In fact, this is the second major data incident involving the widely used free VPN programme. User information related to a few of dodgy providers was released to the tune of over 20 million customers in May 2022, while SuperVPN was also identified as a hazardous malware-ridden VPN programme as early as 2016.

According to Fowler, the situation is especially concerning because SuperVPN appears to be situated in China, a country that has strict regulations on internet usage and regulates the flow of information within its borders.

Rather than being alarmist or jumping on the anti-China bandwagon, Fowler is emphasizing the obvious conflict of interest when an online privacy tool is managed from a country with little to no online privacy. Indeed, he adds that the terms and conditions of SuperVPN included an Orwellian prohibition on "subverting state power, undermining national unity, undermining social stability, and or damaging the honor and interests of the State."

He advocates individuals looking for a VPN to "pay attention to where the company is based" since "certain countries are known for internet censorship (like China or Iran) or surveillance (like the US, the UK, and other members of the Fourteen Eyes alliance)."

Despite the SuperVPN data breach, using a VPN is essentially safe if you choose the proper one.  

Safeguarding Your Data: 10 Best Practices to Prevent a Data Breach


Data breaches have become a significant concern for organizations and individuals alike, as cyber threats continue to evolve in complexity and scale. The consequences of a data breach can be severe, ranging from financial loss and reputational damage to legal implications. It is crucial for businesses to implement robust preventive measures to protect their valuable data and maintain customer trust. Here are some best practices and tactics to prevent a data breach.
  1. Develop a comprehensive security strategy: Establish a well-defined security plan that includes policies, procedures, and guidelines for data protection. Regularly review and update this strategy to adapt to evolving threats.
  2. Educate and train employees: Human error is a leading cause of data breaches. Conduct regular training sessions to educate employees on data security practices, such as strong password management, recognizing phishing attempts, and handling sensitive data appropriately.
  3. Implement strong access controls: Limit access to sensitive data and ensure that access rights are granted based on a need-to-know basis. Regularly review and update user permissions as employees change roles or leave the organization.
  4. Encrypt sensitive data: Utilize encryption techniques to protect data both at rest and in transit. Encryption adds an extra layer of security, making it difficult for unauthorized individuals to access and interpret the data.
  5. Regularly patch and update systems: Keep all software, operating systems, and applications up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by attackers to gain unauthorized access.
  6. Use multi-factor authentication (MFA): Implement MFA for accessing critical systems and sensitive data. MFA adds an extra layer of authentication, making it harder for attackers to gain unauthorized access even if passwords are compromised.
  7. Conduct regular security assessments: Perform comprehensive security assessments, including vulnerability scans and penetration testing, to identify potential weaknesses and address them proactively.
  8. Implement data backup and recovery procedures: Regularly back up critical data and test the restoration process. In the event of a breach, having reliable backups can help restore systems and minimize downtime.
  9. Monitor network and system activity: Employ intrusion detection and prevention systems, as well as log monitoring and analysis tools, to identify and respond to suspicious activity promptly.
  10. Establish an incident response plan: Develop a well-defined incident response plan that outlines the steps to be taken in the event of a data breach. This plan should include communication strategies, containment measures, and coordination with relevant stakeholders.
By following these best practices, organizations can significantly reduce the risk of a data breach and protect sensitive information. However, it's essential to stay informed about emerging threats, industry best practices, and regulatory requirements to ensure ongoing data security. Remember, prevention is key when it comes to data breaches, and a proactive approach can save you from costly and damaging repercussions.

Confidential Report Highlights Bitfinex Security Breach in Massive 2016 Hack


In 2016, a hacker or hackers gained access to the Bitfinex cryptocurrency exchange and took 119,754 bitcoins worth a total of $72 million. The stolen coins' worth had risen to almost $4 billion by the time US police detained rapper Heather Morgan and her husband, startup founder Ilya Lichtenstein, last year on suspicion of laundering them. The US Department of Justice's single greatest recovery in its history. However, the hack's culprit is still at large.

Ledger Labs, a Canadian cryptocurrency consulting and development company, was hired by one of Bitfinex's owners, iFinex, to conduct an investigation. The secret report from that inquiry was never made public. However, a copy of the study with specific conclusions has been obtained by the Organised Crime and Corruption Reporting Project. 

According to the document's in-depth findings, conclusions, and suggestions, Bitfinex failed to put the operational, financial, and technological controls recommended by its partner in cyber security, Bitgo, into place.

Although Bitfinex did not question the legitimacy of the report in contacts with journalists, OCCRP was unable to independently confirm the facts. Bitgo opted out of commenting but did not expressly deny the report's existence or its conclusions. Requests for response from Ledger Labs went unanswered, and the study's author, Michael Perklin, stated that he was unable to do so because his work on the iFinex report was subject to a non-disclosure agreement.

OCCRP was unable to independently verify the results, however in interactions with journalists, Bitfinex did not contest the validity of the study. Bitgo declined to comment, but did not expressly contest the report's validity or conclusions. An inquiry for response was not answered by Ledger Labs, and the study's author, Michael Perklin, declined to speak because his work on the iFinex research was subject to a non-disclosure agreement. 

For cryptocurrency sites, strict digital security is essential since mistakes cost users real money.

“When you’re dealing with the internet of money, the stakes are that much higher,” stated Hugh Brooks, director of security operations at blockchain security firm CertiK. “If you get breached or make a mistake, it’s not just some usernames and passwords, it’s someone’s life savings or potentially a massive amount of funds.”

According to the Ledger Labs report that OCCRP was able to receive, Bitfinex used a security mechanism that required an administrator to possess two out of the three security keys in order to do any substantial exchange activities, including moving bitcoin. 

However, it discovered that Bitfinex made a crucial mistake by putting two of these three keys on the same piece of hardware. An attacker who managed to hack that one device would have complete access to Bitfinex's internal systems and to "security tokens" that gave them control over the operating system. According to the paper, "the hacker was able to take tokens," and in less than a minute, he was able to increase the daily cap on the number of transactions that were allowed in order to fast drain as much bitcoin as possible. 

According to the Ledger Labs report, the hacker obtained tokens associated with a generic "admin" email account and another tied to "giancarlo," which belonged to Bitfinex CFO and shareholder Giancarlo Devasini, a former Italian plastic surgeon with a shady business past. The document did not assign blame for the hack to Devasini.

The paper stated that holding numerous keys and tokens on a single device constituted "a violation of the CryptoCurrency Security Standard," alluding to an industry-led best-practice initiative, however it is unclear whether this particular device was compromised in the hack. It also claimed that other fundamental security precautions, such as monitoring server activities outside of the server, and a "withdrawal whitelist" - a security feature that only allows cryptocurrency transfers to confirmed or approved addresses — were missing.

Based on a rigorous study of source IP addresses, the Ledger Labs document found that the attack most likely started in Poland. 

Although the hacker is still at large, US authorities detained dual Russian-American citizen Ilya Lichtenstein and his wife, Heather Morgan, last year for allegedly laundering stolen bitcoins. Both have pled not guilty and await trial. 

Lichtenstein is a self-described digital entrepreneur and investor who has created a few tiny apps, while Morgan, a trained economist and contributor, has taken over as CEO of some of Lichtenstein's software initiatives. Morgan has an interesting backstory that includes a rapping alter ego known as "Razzlekhan." Nonetheless, US authorities highlighted in an official Department of Justice document that Morgan used her own name to cash out some of the stolen cryptocurrency's online purchases.

American Financial Data Exposed by Debt Collector


An NCB breach notification letter has been sent to affected customers informing them that their data has been hacked. Over 1.1 million people have been exposed by this breach. On February 1st, a US-based company claimed that its systems were breached by attackers, claiming they had penetrated its network. After the company's systems were breached, NCB noticed it within three days of the incident.

Cybernews reported this morning that debt collection agency NCB Management Services has begun notifying customers of data breaches following a breach in February. The breach was first reported by the agency in early 2017. 

It has been reported that an unauthorized third party gained access to confidential information NCB maintains on client accounts recently. The company's letter to potential victims began with the statement: "In the wake of this incident, we are unaware that any of the information you have provided has been misused." 

A report has emerged claiming that NCB had its systems hacked in February. Despite this, it took the company three days to realize this security breach had occurred. 

As a result of cybercriminals stealing personal information from consumers, cybercriminals have launched targeted phishing campaigns via email, phone or text message to defraud those individuals. 

Based on the debt collector's investigation, the type of data accessed from April 19th until now has been determined. Upon reviewing information the company provided to the Maine Attorney General, it appears that the attackers gained access to financial account numbers or payment card numbers. This was done by using security codes, access codes, passwords, or PINs associated with the accounts.

There is a trend of stolen financial data being sold on dark web forums. This is so criminals can mask their illicit activities using others' names. This is done by using stolen information from their bank accounts. 

In my opinion, the amount of financial information exposed is quite concerning as users' credit card numbers could be sold on the dark web if there is no hacking involved. 

In the event hackers are also able to access sensitive data on affected users, it may be possible for them to use their own data to commit crimes such as identity theft or fraud. 

In fact, NCB is a debt collection agency that banks hire to get rid of outstanding amounts owed to them. This is due to its nature as an enforcement agency. This looks like TD Bank and Bank of America have also been indirectly affected by this data breach. 

According to a recent report by JD Supra, the legal advice site, TD Supra, has detailed the possibility that NCB's data breach might impact TD Bank customers as well. This is in a similar manner to that of TD Bank. 

The Toronto-based bank also notified the US Attorney General that the hackers responsible gained access to its customers' names, addresses, account numbers, dates of birth and Social Security numbers. In addition, they gained access to their account balances. This is based on an official filing the bank made with the Main Attorney General. 

One of the recent companies to be breached is Dish, another highly regarded satellite broadcaster in the US. The company has also tried to reassure its affected customers by stating that it had "received confirmation that the extracted data has been deleted." 

Cyber security experts say organizations should never succumb to criminals' demands, as the results are usually high-frequency attacks by the criminals themselves. The FBI and other law enforcement agencies also believe ransomware payments should not be made.

It has been announced that NCB is offering free services to affected users for two years. This will enable them to monitor identity theft for two years and prevent further attacks. 

The National Bank of Boston, in a sample notification letter submitted to the Maine Attorney General, revealed that the bank may also affect Bank of America through the same problem.  

Bank of America has said that if TD Bank offers free access to one of the most effective identity theft protection services, Bank of America will also offer the same to its customers. Bank of America has assured affected customers that it will provide a two-year Experian IdentityWorks subscription. If you have received a data breach notification from NCB, you will have all the information you need about how to set up the subscription. This information is in that notification. 

In the coming year, users affected by this data breach should carefully review their credit reports and account statements. They should look for any unusual activity associated with the breach. 

NCB is working closely with federal law enforcement agencies to figure out who is responsible for the breach and what group of hackers are responsible. Despite that, it is highly likely that the company could pay a fine. This is because hackers accessed its systems for several days before being discovered and getting their hands on them.

The Security Hole: Prompt Injection Attack in ChatGPT and Bing Maker


A recently discovered security vulnerability has shed light on potential risks associated with OpenAI's ChatGPT and Microsoft's Bing search engine. The flaw, known as a "prompt injection attack," could allow malicious actors to manipulate the artificial intelligence (AI) systems into producing harmful or biased outputs.

The vulnerability was first highlighted by security researcher Cris Giardina, who demonstrated how an attacker could inject a prompt into ChatGPT to influence its responses. By carefully crafting the input, an attacker could potentially manipulate the AI model to generate false information, spread misinformation, or even engage in harmful behaviors.

Prompt injection attacks exploit a weakness in the AI system's design, where users provide an initial prompt to generate responses. If the prompt is not properly sanitized or controlled, it opens the door for potential abuse. While OpenAI and Microsoft have implemented measures to mitigate such attacks, this recent discovery indicates the need for further improvement in AI security protocols.

The implications of prompt injection attacks extend beyond ChatGPT, as Microsoft has integrated the AI model into its Bing search engine. By leveraging ChatGPT's capabilities, Bing aims to provide more detailed and personalized search results. However, the security flaw raises concerns about the potential manipulation of search outputs, compromising the reliability and integrity of information presented to users.

In response to the vulnerability, OpenAI has acknowledged the issue and committed to addressing it through a combination of technical improvements and user guidance. They have emphasized the importance of user feedback in identifying and mitigating potential risks, encouraging users to report any instances of harmful behavior from ChatGPT.

Microsoft, on the other hand, has not yet publicly addressed the prompt injection attack issue in relation to Bing. As ChatGPT's integration plays a significant role in enhancing Bing's search capabilities, it is crucial for Microsoft to proactively assess and strengthen the security measures surrounding the AI model to prevent any potential misuse or manipulation.

The incident underscores the broader challenge of ensuring the security and trustworthiness of AI systems. As AI models become increasingly sophisticated and integrated into various applications, developers and researchers must prioritize robust security protocols. This includes rigorous testing, prompt vulnerability patching, and ongoing monitoring to safeguard against potential attacks and mitigate the risks associated with AI technology.

The prompt injection attack serves as a wake-up call for the AI community, highlighting the need for continued collaboration, research, and innovation in the field of AI security. By addressing vulnerabilities and refining security measures, developers can work towards creating AI systems that are resilient to attacks, ensuring their responsible and beneficial use in various domains.

Microsoft Issues Alert Over Rise in Advanced Phishing Scams

Microsoft has issued a warning regarding a surge in sophisticated phishing scams targeting individuals and organizations. These scams employ advanced tactics to deceive users and steal sensitive information. With an increasing number of people falling victim to such attacks, it is crucial to stay vigilant and implement necessary precautions.

Phishing scams involve cybercriminals impersonating trusted entities to trick individuals into revealing personal information, such as passwords, credit card details, or social security numbers. The scams typically rely on social engineering techniques and fraudulent emails or messages designed to appear legitimate.

According to Microsoft, the new wave of phishing scams has become more sophisticated and harder to detect. Attackers are utilizing residential internet protocol (IP) addresses instead of traditional data center IPs to evade detection by security systems. By operating through residential IPs, scammers can bypass security filters that typically flag suspicious activity from data center IPs.

These phishing campaigns often target high-value individuals, such as company executives or employees with access to sensitive data. Scammers employ persuasive language, urgency, and personalized information to deceive their targets and convince them to take action, such as clicking on malicious links or providing confidential information.

To protect against these sophisticated phishing attacks, Microsoft advises individuals and organizations to implement multi-factor authentication (MFA). By enabling MFA, users must provide additional verification, such as a unique code sent to their mobile device, in addition to their password. This adds an extra layer of security and makes it significantly harder for attackers to gain unauthorized access.

Furthermore, individuals should remain cautious when interacting with emails or messages, especially those that request sensitive information or seem suspicious. It is essential to scrutinize sender addresses, look for signs of grammatical errors or inconsistencies, and avoid clicking on links or downloading attachments from unknown sources.

Organizations must prioritize cybersecurity awareness training for employees to educate them about the latest phishing techniques and the potential risks they pose. Regular training sessions and simulated phishing exercises can help individuals develop a strong sense of skepticism and recognize the warning signs of a phishing attempt.

GAO Urges Federal Agencies to Implement Key Cloud Security Practices

The Government Accountability Office (GAO) has called on federal agencies to fully implement essential cloud security practices in order to enhance their cybersecurity posture. In a recent report, the GAO highlighted the importance of adopting and adhering to these practices to mitigate risks associated with cloud computing.

According to the GAO, four federal departments have not fully implemented cloud security practices, which puts their systems and data at increased vulnerability. The report emphasizes that addressing these shortcomings is critical for ensuring the confidentiality, integrity, and availability of sensitive information stored in the cloud.

Cloud computing offers numerous benefits to federal agencies, including increased efficiency, scalability, and cost-effectiveness. However, it also introduces unique cybersecurity challenges that must be addressed proactively. The GAO report outlines several key security practices that agencies should prioritize to strengthen their cloud security posture.

One of the primary recommendations is to implement strong identity and access management controls. This involves ensuring that only authorized individuals have access to sensitive data and systems and that user privileges are properly managed and monitored. By implementing multi-factor authentication and robust user access controls, agencies can significantly reduce the risk of unauthorized access.

Another crucial aspect highlighted by the GAO is the need for comprehensive data protection measures. This includes encrypting sensitive data both at rest and in transit, implementing secure data backup and recovery processes, and regularly testing the effectiveness of these measures. By employing encryption and backup protocols, agencies can minimize the impact of data breaches or system failures.

Additionally, the GAO emphasizes the importance of monitoring and logging activities within cloud environments. By implementing robust logging mechanisms and real-time monitoring tools, agencies can detect and respond to security incidents promptly. This enables them to identify unauthorized access attempts, suspicious activities, and potential vulnerabilities that could be exploited by attackers.

The GAO report further highlights the significance of training and awareness programs for agency personnel. It recommends providing comprehensive cybersecurity training to employees, ensuring they are aware of potential threats, best practices, and their role in maintaining a secure cloud environment. Regular training and awareness initiatives can help strengthen the overall security culture within agencies.

The GAO study concludes by serving as a reminder to government agencies of the significance of fully implementing important cloud security measures. Agencies can dramatically improve their cybersecurity posture in the cloud by giving priority to identity and access control, data protection, monitoring, and training. Federal agencies must act quickly on these recommendations and set aside the necessary funds to guarantee the integrity and security of their cloud-based systems and data.

FBI Warns of Hackers Exploiting Public Charging Stations to Steal iPhone Data

The FBI has issued a warning about a new threat targeting iPhone users - hackers using public charging stations to steal personal data. As the popularity of public charging stations continues to grow, so does the risk of falling victim to this type of cyber attack.

The technique, known as 'juice jacking,' involves hackers installing malicious software on charging stations or using counterfeit charging cables to gain access to users' iPhones. Once connected, these compromised stations or cables can transfer data, including contacts, photos, and passwords, without the user's knowledge.

The FBI's warning comes as a reminder that convenience should not outweigh security. While it may be tempting to plug your iPhone into any available charging port, it is essential to exercise caution and take steps to protect your personal information.

To safeguard against juice jacking attacks, the FBI and other cybersecurity experts offer several recommendations. First and foremost, it is advisable to avoid using public charging stations altogether. Instead, rely on your personal charger or invest in portable power banks to ensure your device remains secure.

If using public charging stations is unavoidable, there are additional precautions you can take. One option is to use a USB data blocker, commonly known as a 'USB condom,' which blocks data transfer while allowing the device to charge. These inexpensive devices act as a protective barrier against any potential data compromise.

It is also crucial to keep your iPhone's operating system and applications up to date. Regularly installing updates ensures that your device has the latest security patches and protections against known vulnerabilities.

Furthermore, using strong, unique passcodes or biometric authentication methods, such as Face ID or Touch ID, adds an extra layer of security to your device. Additionally, enabling two-factor authentication for your Apple ID and regularly monitoring your device for any suspicious activity are proactive steps to safeguard your data.

The FBI's warning serves as a timely reminder of the evolving threats in the digital landscape. As technology advances, so do the tactics employed by hackers. Staying informed and adopting best practices for cybersecurity is essential to protect personal information from unauthorized access.

The FBI's warning emphasizes the possible dangers of using public charging stations as well as the significance of taking safeguards to safeguard iPhone data. Users can lessen their risk of becoming a victim of juice jacking attacks and maintain the confidentiality of their personal information by exercising caution and adhering to suggested security measures.

Royal Mail's £1bn Losses: Strikes, Cyber Attack, and Online Shopping Crash

The Royal Mail, the UK's national postal service, has reported losses surpassing £1 billion as a combination of factors, including strikes, a cyber attack, and a decrease in online shopping, has taken a toll on its post and parcels business. These significant losses have raised concerns about the future of the company and its ability to navigate the challenges it faces.

One of the key contributors to the Royal Mail's losses is the series of strikes that occurred throughout the year. The strikes disrupted operations, leading to delays in deliveries and increased costs for the company. The impact of the strikes was compounded by the ongoing decline in traditional mail volumes as more people turn to digital communication methods.

Furthermore, the Royal Mail was also targeted by a cyber attack, which further disrupted its services and operations. The attack affected various systems and required significant resources to mitigate the damage and restore normalcy. Such incidents not only incur immediate costs but also undermine customer trust and confidence in the company's ability to protect their sensitive information.

Another factor contributing to the losses is the decline in online shopping, particularly during the pandemic. With lockdowns and restrictions easing, people have been able to return to physical retail stores, leading to a decrease in online orders. This shift in consumer behavior has impacted Royal Mail's parcel business, which heavily relies on the growth of e-commerce.

To address these challenges and turn the tide, the Royal Mail will need to focus on several key areas. Firstly, the company should strive to improve its relationship with its employees and work towards resolving any ongoing disputes. By fostering a harmonious working environment, the Royal Mail can minimize disruptions caused by strikes and ensure the smooth functioning of its operations.

Secondly, it is crucial for the Royal Mail to enhance its cybersecurity measures and invest in robust systems to protect against future cyber attacks. Strengthening the company's digital defenses will not only safeguard customer data but also bolster its reputation as a reliable and secure postal service provider.

Lastly, the Royal Mail must adapt to changing consumer behaviors and capitalize on emerging opportunities in the e-commerce market. This could involve diversifying its services, expanding its international reach, and investing in innovative technologies that streamline operations and enhance the customer experience.

Mackenzie Investements: Canada’s Largest Investment Firm Confirms a Major Data Breach

One of Canada's major investment firms' clients' compromising their social insurance numbers (SIN) to a data breach is "so dangerous," according to a former high-level employee of the business.

Till his retirement in 2019, Terry Beck worked with Mackenzie Investments for almost 20 years as the operations manager. He divested his investment before he left. Regardless of this, a couple weeks ago, he reveals that he received a letter from his ex-corporation informing him that his SIN was compromised in a data breach.

In a letter dated April 27, Mackenzie told clients that InvestorCOM Inc., a third-party vendor, had been affected as a result of a cyber security breach involving data transfer provider GoAnywhere. One of the letters, which CTV News Toronto investigated, claimed that customer account numbers, names, and addresses had also been stolen.

On Monday, a Mackenzie spokesperson explained in a statement how the company now uses SINs in order to determine and provide notifications to its clients.

"Companies may use SINs as an identifier for reasons such as consolidating investor holdings so that fees associated with their account are reduced[…]They may also share a client’s SIN as a unique identifier to third parties such as a dealer, group plan sponsor, and third-party service providers," the spokesperson said.

Beck acknowledged the need to combine a client's accounts, but he questioned why a random sequence of numbers couldn't serve in place of a highly sensitive form of government identity as a unique identifier. “It could rear its head at any time down the road,” Beck said.

Following the ransomware attack, Mackenzie released a statement in which it expressed regret for the impact the hack has had on its clientele.

“Mackenzie takes privacy and data protection very seriously and we are committed to protecting the confidentiality of all personal information. We greatly regret any concern or inconvenience this incident may cause to our valued clients,” a company spokesperson said in the statement.

The spokesperson further confirmed that there has been no sign of any data misuse as of yet and that the firm reported the incident to the federal privacy commissioner, along with the provincial privacy commissions.

Clients Await Resources

Shelly Rae, a resident of Toronto and Mackenzie investor for around three decades, expressed concerns after she received a letter in the mail that her personal information had been compromised.

“When someone has your name, phone number, address and SIN, that’s a pretty significant breach,” she said. “They can go on to steal your identity.”

A Mackenzie spokesperson explains how the firm is currently experiencing “particularly high volumes” of calls, resulting in long wait times for victims of the breach, with the firm apologizing for the delays in responses.

“The TransUnion call centers are doing their best to address all client concerns as quickly as possible by enhancing service capacity to help manage call volumes. We are proactively working with TransUnion to manage the high volume of calls and appreciate people’s patience,” the spokesperson said.

In regards to the issue, Mackenzie confirms that it is monitoring a number of suspected sources for exposed data and that they did not yet find any evidence of misuse.  

China's Access to TikTok User Data Raises Privacy Concerns

A former executive of ByteDance, the parent company of the popular social media platform TikTok, has made shocking claims that China has access to user data from TikTok even in the United States. These allegations have raised concerns about the privacy and security of TikTok users' personal information.

The ex-employees claims come at a time when TikTok is already under scrutiny due to its ties to China and concerns over data privacy. The United States and other countries have expressed concerns that user data collected by TikTok could be accessed and potentially misused by the Chinese government.

According to the former executive, Chinese Communist Party (CCP) officials have direct access to TikTok's backend systems, which allows them to obtain user data from anywhere in the world, including the US. This access allegedly enables the Chinese government to monitor and potentially exploit user data for various purposes.

These claims have significant implications for the millions of TikTok users worldwide. It raises questions about how their personal information is secure and protected from unauthorized access or potential misuse. Furthermore, it adds to the ongoing debate surrounding the relationship between Chinese tech companies and the Chinese government, and the potential risks associated with data sharing and surveillance.

ByteDance has previously denied allegations that TikTok shares user data with the Chinese government. The company has implemented measures to address privacy concerns, such as establishing data centers outside of China and hiring independent auditors to assess its data security practices.

However, these latest claims by a former executive fuel the skepticism and reinforce the need for transparency and independent verification of TikTok's data handling practices. It also underscores the importance of robust data protection regulations and international cooperation in addressing the challenges posed by global technology platforms.

Regulators and policymakers in various countries have examined TikTok's data privacy practices and explored potential restrictions or bans. These claims may add further impetus to those efforts, potentially leading to stricter regulations and increased scrutiny of TikTok's operations.

The allegations made by the ex-ByteDance executive regarding China's access to TikTok user data in the US have sparked fresh concerns about data privacy and security. As the popularity of TikTok continues to grow, it is crucial for the company to address these claims transparently and take additional steps to reassure users that their data is protected. Meanwhile, governments and regulatory bodies must continue to evaluate and enforce robust privacy regulations to safeguard user information in the era of global technology platforms.

Bl00dy Ransomware Targets Education Orgs via PaperCut Flaw

The Federal Bureau of Investigation (FBI) has issued a warning about the Bl00dy ransomware gang targeting educational organizations through vulnerabilities in the popular print management software, PaperCut. The cybercriminals are exploiting a critical flaw in PaperCut to gain unauthorized access and launch ransomware attacks, posing a significant threat to the education sector.

The Bl00dy ransomware gang has been actively targeting schools and other educational institutions, taking advantage of the vulnerabilities in PaperCut's software. By exploiting this flaw, the attackers can gain unauthorized access to the system and deploy ransomware, encrypting critical files and demanding a ransom for their release.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have urged educational organizations to take immediate action to address this vulnerability and strengthen their security measures. It is crucial for educational institutions to promptly update and patch their PaperCut installations to protect against potential attacks.

The Bl00dy ransomware gang's targeting of the education sector is particularly concerning as schools and colleges hold sensitive data, including student records and financial information. The impact of a successful ransomware attack can be severe, leading to significant disruptions in educational services and potential data breaches.

To defend against such attacks, educational organizations must adopt a multi-layered approach to cybersecurity. This includes regularly updating and patching software and systems, implementing robust network security measures, and conducting regular backups of critical data. Additionally, user awareness training can help educate staff and students about potential threats and how to avoid falling victim to social engineering tactics.

The FBI and CISA have emphasized the importance of reporting any suspected or confirmed cyberattacks to law enforcement agencies promptly. Timely reporting can assist authorities in tracking and apprehending cybercriminals, while also providing valuable intelligence to help prevent future attacks.

The PaperCut vulnerability was used by the Bl00dy ransomware gang to extort money, underscoring the constantly changing nature of cyber threats and the necessity for ongoing monitoring. Prioritizing cybersecurity measures is essential as businesses continue to rely on digital systems and services to protect sensitive information and ensure smooth operations.

In order to effectively address risks and adopt cybersecurity measures, educational institutions must be proactive. The education sector may reduce the chance of falling victim to ransomware attacks and safeguard the integrity of their systems and data by being watchful, updating software, and working with law enforcement organizations.