Search This Blog

Showing posts with label Data Breaches. Show all posts

OPM Data Breach: Federal Judge Finalizes $63 Million Settlement for 2015 Data Breach Case Victims

 

On October 14, a federal judge granted the final approval for a $63 million settlement in regard to the 2015 Office of Personnel Management (OPM) data breach, bringing an end to the seven-year-long lawsuit over one of the biggest publicly known and reported security failures by the Federal government. 
 
U.S. district judge Amy Berman Jackson gave approval for the settlement to proceed in a fairness hearing, held at the U.S District Court for the District of Columbia. The judge described the approved terms to be “fair, reasonable, and adequate, and in the best interest of named and class members.” 
 

OPM Data Breach, 2015 

 
The United States Office of Personnel Management (OPM) in June 2015 confirmed it has experienced a series of data breaches targeting personnel records. 
 
Reportedly, about 22.1 million personal records were affected in the breach, including those pertaining to government employees, other individuals who had undergone background checks, and their family and friends. 
 
The data breach is considered one of the largest breaches of government data in U.S. history. The information accessed unlawfully included personally identifiable information (PII) of victims, including their names, dates, place of birth, residential addresses, and Social Security numbers.  
 
The cyber attack was carried out by state-sponsored threat actors working for the Chinese government. 
 

Terms of the settlement 

 
Prospective participants will still have until December 23 to join the lawsuit, after the final fairness hearing, following which the validity of each claim will be accessed.  
 
Furthermore, payouts to the claimants are expected to take place in the first or second quarter of next year, assuming there are no appeals. 
 
In accordance with the settlement terms, the prospective claimant is entitled to a minimum of $700 per claim, and a maximum of $10,000 per claim.  
 
As per Everett Kelley, national president of the American Federation of Government Employees and a plaintiff in the lawsuit, the court ruling was a “significant victory for rank-and-file federal employees.” 
 
“We look forward to continuing to educate our members whose personal information was compromised in this data breach about how they can take part in this settlement and receive the compensation they are due under the law,” Kelley said.

Optus Data Breach: Australia’s Telco Giant Confirms Data of Millions of Users Compromised

 

Australia’s second largest Telecom Company, Optus has recently become a victim of a cyberattack that attack apparently led to the exposure of personal data of its current as well as former customers. According to Trevor Long, a Sydney-based tech analyst, the attack is the biggest breach of personal data from any Australian firm. 

The firm states that as soon as the attack was detected, it worked towards containing the attack, subsequently shutting it down before customers could suffer any harm. The company believes that one of the networks was still exposed to the test network with internet access. 

The data breach notification read, “Following a cyberattack, Optus is investigating the possible unauthorized access of current and former customer [..] Upon discovering this, Optus immediately shut down the attack.” 

In the wake of the attack, the firm confirmed that its customers' private data could be compromised since the attackers had an access to the customer identity database and opened it to other systems via Application Programming Interface (API). The firm further told that its network was accessed from an external source.  

The exposed data, as per the firm’s statement in a press release included customers’ names, dates of birth, contact numbers, email addresses, residential addresses, and identity documents numbers such as passport and driving licenses. The company’s services on the other hand, including mobile and home internet, have not been compromised and the attackers were void of access to messages and phone calls. 

Is Human Error Responsible For The Breach? 

At a media briefing, when asked about the possibility of a human error being responsible for the breach, Optus CEO Kelly Bayers Rosemarin stated that “I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so will not be divulging details about that.” 

The company has denied any claims of a human error that could execute this data breach. The CEO also apologized to the firm’s customers, stating it was challenging to offer immediate advice unless the case investigation was complete. 

The CEO also mentioned the strong cyber defense softwares invested in Telco pertaining to the attacks. She further said that this attack should be a wake-up call for all organizations in order to avoid becoming a victim of a data breach. 

Private Details of 1 Billion Chinese Citizens up for Sale on Dark Web

 

In what could be the biggest-ever breach of personal information in history, the massive store of data containing information about more than a billion people has been leaked from a government agency, possibly from China, and put up for sale on Dark Web for 10 Bitcoins. 

More than 23TB of details apparently siphoned from a Shanghai police database stored in Alibaba’s cloud was put up for sale on the underground Breach Forums by someone with the handle ‘ChinaDan’. The leaked data included names, addresses, birthplaces, national ID numbers, cellphone numbers, and details of any related police records. 

"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen," Changpeng Zhao, CEO of cryptocurrency exchange Binance, posted on Twitter. "Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details."

How did the data leak? 

The root cause of the data leak remains unknown, but experts believe that the database may have been misconfigured and exposed by human error since April 2021 before it was identified. This would contradict a claim that the database’s credentials were inadvertently leaked as part of a technical blog post on a Chinese developer site in 2020 and later employed to steal a billion records from the police database since no passwords were required to access it. 

But according to Bob Diachenko, a Ukrainian security researcher, this may not be correct. In late April, the researchers’ monitoring records show the database was exposed via a Kibana dashboard, a web-based software used to visualize and search massive Elasticsearch databases. If the database didn’t require a password as believed, anyone could have accessed the data if they knew its web address. 

Cybersecurity experts frequently search the internet for leaked exposed databases or other sensitive data. But hackers also run the same scans, often with the motive of copying data from an exposed database, deleting it, and offering the data’s return for a ransom payment — the standard methodology employed by attackers in recent years. 

Diachenko believes that’s what exactly happened on this occasion; a hacker discovered, raided, and deleted the exposed database, and left behind a ransom note demanding 10 bitcoins for its return. 

“My hypothesis is that the ransom note did not work and the threat actor decided to get money elsewhere. Or, another malicious actor came across the data and decided to put it up for sale,” said Diachenko.