
ERP Firm Data Breach Exposes Over 750 Million Records

 

A leading Enterprise Resource Planning (ERP) company based in Mexico inadvertently left an unsecured database online, exposing sensitive information on hundreds of thousands of users. This was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to Website Planet. According to Fowler, the database contained 769 million records and was accessible to anyone who knew where to look.

The exposed data included highly sensitive and personally identifiable information such as API keys, secret keys, bank account numbers, tax identification numbers, and email addresses. The database, which is 395GB in size, belongs to ClickBalance, a software provider that offers a range of cloud-based business services including administration automation, accounting, inventory, and payroll.

Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers. Upon discovering the database, Fowler immediately contacted ClickBalance, which secured the database within hours. However, it remains unclear whether any malicious actors accessed the data before it was secured or whether the data has been used in any malicious activities. Fowler emphasizes that only a comprehensive forensic investigation can determine the full extent of the exposure.

The exposure of tax identification numbers and bank account details poses significant risks, enabling cybercriminals to conduct fraudulent activities. The theft of active email addresses is particularly concerning, as it allows criminals to launch phishing attacks that can deliver malware and ransomware.

Despite the severe potential consequences, unsecured databases continue to be a common cause of data breaches. Many large enterprises and government organizations have been found with online databases lacking adequate protection. For instance, a previous incident resulted in the personal information of the entire Brazilian population being leaked.

60 Million Users Exposed: The Pinterest Data Breach Explained

Pinterest, the popular image-sharing platform with over 518 million monthly active users, faces a potential data leak that could affect millions of users. A hacker known as “Tchao1337” has allegedly leaked a database containing 60 million rows of Pinterest user data on a popular data leak forum.

The breach details

The leaked database, which reportedly contains 6 million records, has been compressed to a file size of 1.59 gigabytes. While the full extent of the exposed information is unknown, the leaked data includes email addresses, usernames, user IDs, and IP addresses.

The first and most obvious action is changing your Pinterest password and the related email address. Knowing even a few of your details can allow hackers to piece together information and cause you major difficulties. 

Of course, you know not to use the same password for many things, right? If you are guilty of that cardinal sin, change your password everywhere and use one of the best password managers to generate a strong password that you will not forget. Use two-factor authentication to provide maximum security.

Stay cautious: Phishing

If your data has been hacked, you are likely to become the victim of other phishing efforts. Be cautious when clicking dodgy links, and not simply in messages on your Pinterest account. 

When using your email account, use caution; any communication that does not appear to come from a known source may be a hoax. Attachments should be treated with caution since they could contain malware. 

One of the best VPNs might help you protect yourself from phishing scams. Nord and Surfshark offer built-in anti-virus with their subscriptions, while Nord's Threat Protection Pro product is a proven anti-phishing champion.

Currently, Pinterest has not issued an official statement regarding the reported hack. The Cyber Press team has contacted Pinterest to warn them of the data leak and is awaiting their response.

If proven, this data leak might have serious ramifications for Pinterest. The company may incur significant operating costs in investigating the hack and alerting affected users.

As the issue evolves, users should actively check their accounts and look for any formal statements from Pinterest regarding the potential data loss.

Be careful while sharing your data

The best way to avoid becoming a victim of a data breach is to use extreme caution when disclosing your personal information. Give websites only what they need; having a VPN enabled blocks many trackers and encrypts your data on both ends, preventing hackers from making sense of it. VPN services frequently have zero-logs policies, which means hackers have nothing to work with.

Activist Hacking Group Claims Leak of Disney’s Internal Data

 

An activist hacking group has alleged that it leaked a substantial amount of Disney's internal communications, including details about unreleased projects, raw images, computer code, and some login credentials.

The group, known as Nullbulge, has claimed responsibility for the breach, asserting that it obtained approximately 1.2 terabytes of data from Disney’s Slack, a popular messaging platform. In an email sent to CNN on Monday, Nullbulge explained that they gained access through “a man with Slack access who had cookies.” The email also indicated that the group is based in Russia.

According to Nullbulge, the user initially attempted to remove them but allowed them to re-enter before the second breach. CNN was unable to independently verify these claims.

Disney issued a statement on Monday, acknowledging the situation and stating that it “is investigating this matter.” The company’s extensive operations span various divisions and platforms, including ESPN, Hulu, Disney+, and ABC News.

The hacking group stated their motivations included concerns about how Disney manages artist contracts and its approach to artificial intelligence (AI), along with what they described as the company's disregard for consumer interests.

Nullbulge had been teasing this major leak over recent weeks on social media. For instance, in June, they posted on X what appeared to be visitor, booking, and revenue data from Disneyland Paris.

The issue of AI has been a contentious topic in recent labor disputes, notably during the Screen Actors Guild and the Writers Guild of America strikes. Writers are worried that AI could replace them in scriptwriting, while actors fear that CGI might entirely replace their roles.

The hackers mentioned that they chose to leak the data rather than negotiate with Disney. “If we said ‘Hello Disney, we have all your Slack data,’ they would immediately lock down and attempt to neutralize us. In a confrontation, it’s better to act first,” the email stated.

This incident recalls the 2014 Sony Pictures hack, which, linked to North Korea, resulted in an international crisis by exposing company emails, celebrity aliases, social security numbers, and entire movie scripts.

AT&T Paid Attackers $370K to Delete Stolen Customer Data

 

AT&T reportedly paid a hacker more than $370,000 to remove stolen customer data. In an extraordinary turn of events, the ransom may not have gone to those responsible for the breach.

Last Friday, AT&T disclosed that an April data breach had exposed the call and text records of "nearly all" of its customers, including phone numbers and call counts. In a filing with the Securities and Exchange Commission (SEC), AT&T claimed it has since tightened its cybersecurity measures and is working together with law authorities to investigate the incident.

It now appears that AT&T has taken additional steps in response to the intrusion. According to Wired, AT&T paid a ransom of 5.7 bitcoin to a member of the hacking group ShinyHunters in mid-May, which was worth little more than $373,000 at the time. In exchange for this money, the hacker allegedly deleted the stolen data from the cloud server where it was stored, as well as providing video footage of the act. 

However, there is no guarantee that the millions of people affected by the latest massive AT&T attack will be entirely safe, as digital data can be easily copied. The security expert who mediated negotiations between AT&T and the hacker told Wired that they believe the only complete copy of the stolen dataset was wiped. However, partial fragments may remain at large. 

Prior to AT&T's announcement of the incident, it was revealed that Santander Bank and Ticketmaster had also been penetrated using login credentials that had been taken by an employee of the independent cloud storage provider Snowflake. According to Wired, following the Ticketmaster breach, hackers may have infiltrated over 160 companies at once using a script.

Cyber Criminals Siphoned 'Almost All' of AT&T's Call Logs Over Six Months

 

Hackers accessed AT&T's data storage platform in April, stealing metadata from "nearly all" call records and messages sent by users over a six-month period in 2022. AT&T filed paperwork with the Securities and Exchange Commission (SEC) on Friday, stating that it learned of the incident on April 19.

The company revealed to a local media outlet that the breach took place via the third-party cloud platform Snowflake, a data storage giant plagued by hackers who have attacked some of the company's most notable clients and released data affecting hundreds of millions of individuals. An investigation revealed the attacker stole files from AT&T's Snowflake account between April 14 and April 25.

When asked why the attacker was still able to access the Snowflake account nearly a week after AT&T detected the issue, the spokesman stated that it "took time to investigate the claim of a breach, determine its source, isolate the impacted data, and close off the illegal access point." 

The spokesperson stated that the hackers took "aggregated metadata" regarding calls or messages, not the content of the conversations. AT&T has the most wireless subscribers in the United States, far more than rivals Verizon and T-Mobile.

According to an annual report for 2022, the incident affected around 109 million people's accounts. The telecom giant believes the hacker stole "files containing AT&T records of customer call and text interactions" from around the beginning of May 2022 to the end of October, as well as on January 2, 2023.

The hack impacted "records of calls and texts of nearly all of AT&T's wireless customers and customers of mobile virtual network operators (MVNO) using AT&T's wireless network.” 

“These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month,” the company noted in the SEC filing. 

“For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.” 

AT&T pledged to tell current and former customers, and it stated it had locked down the "point of unlawful access." The company stated in the filing that at least one person was arrested in connection with the theft.

Microsoft’s Breach Notification Emails Wind Up in Spam Folder

 

Midnight Blizzard, a Russian nation-state hacker gang, breached Microsoft's security last year, gaining access to the emails of multiple customers. In late June, Microsoft revealed that more organisations were affected than previously assumed. However, the company's attempts to notify users may not have reached the intended recipients. 

According to Kevin Beaumont, a cybersecurity expert and former senior threat intelligence analyst at Microsoft, the company chose to notify affected victims via email. 

“The notifications aren’t in the portal – they emailed tenant admins instead. The emails can go into spam, and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers,” Beaumont stated on LinkedIn. 

Apart from Beaumont's warnings, there is some evidence that Microsoft customers are genuinely perplexed. In a Microsoft support page, one customer revealed the email their company received in an attempt to determine whether it was a real Microsoft email. 

Others commented on Beaumont's post, alleging that several organisations misunderstood Microsoft's email for a phishing attempt and deleted it or marked it as spam. The breach notification emails allegedly lacked basic email authentication tools including SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). 

“Well, at first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate...weird way for a provider like this to communicate an important issue to potentially affected customers,” the Greece-based cybersecurity consultant noted. 

In January, Microsoft admitted that Midnight Blizzard attempted to hack the tech giant's internal systems. The same hacking group was behind the infamous SolarWinds hack, which caused havoc on US government installations in 2020.

OpenAI Hack Exposes Hidden Risks in AI's Data Goldmine


A recent security incident at OpenAI serves as a reminder that AI companies have become prime targets for hackers. Although the breach, which came to light following comments by former OpenAI employee Leopold Aschenbrenner, appears to have been limited to an employee discussion forum, it underlines the steep value of data these companies hold and the growing threats they face.

The New York Times detailed the hack after Aschenbrenner labelled it a “major security incident” on a podcast. However, anonymous sources within OpenAI clarified that the breach did not extend beyond an employee forum. While this might seem minor compared to a full-scale data leak, even superficial breaches should not be dismissed lightly. Unverified access to internal discussions can provide valuable insights and potentially lead to more severe vulnerabilities being exploited.

AI companies like OpenAI are custodians of incredibly valuable data. This includes high-quality training data, bulk user interactions, and customer-specific information. These datasets are crucial for developing advanced models and maintaining competitive edges in the AI ecosystem.

Training data is the cornerstone of AI model development. Companies like OpenAI invest vast amounts of resources to curate and refine these datasets. Contrary to the belief that these are just massive collections of web-scraped data, significant human effort is involved in making this data suitable for training advanced models. The quality of these datasets can impact the performance of AI models, making them highly coveted by competitors and adversaries.

OpenAI has amassed billions of user interactions through its ChatGPT platform. This data provides deep insights into user behaviour and preferences, much more detailed than traditional search engine data. For instance, a conversation about purchasing an air conditioner can reveal preferences, budget considerations, and brand biases, offering invaluable information to marketers and analysts. This treasure trove of data highlights the potential for AI companies to become targets for those seeking to exploit this information for commercial or malicious purposes.

Many organisations use AI tools for various applications, often integrating them with their internal databases. This can range from simple tasks like searching old budget sheets to more sensitive applications involving proprietary software code. The AI providers thus have access to critical business information, making them attractive targets for cyberattacks. Ensuring the security of this data is paramount, but the evolving nature of AI technology means that standard practices are still being established and refined.

AI companies, like other SaaS providers, are capable of implementing robust security measures to protect their data. However, the inherent value of the data they hold means they are under constant threat from hackers. The recent breach at OpenAI, despite being limited, should serve as a warning to all businesses interacting with AI firms. Security in the AI industry is a continuous, evolving challenge, compounded by the very AI technologies these companies develop, which can be used both for defence and attack.

The OpenAI breach, although seemingly minor, highlights the critical need for heightened security in the AI industry. As AI companies continue to amass and utilise vast amounts of valuable data, they will inevitably become more attractive targets for cyberattacks. Businesses must remain vigilant and ensure robust security practices when dealing with AI providers, recognising the gravity of the risks and responsibilities involved.


Qilin Attack On London Hospitals Leaves Cancer Patient With No Option

 

The latest figures suggest that nearly 1,500 medical operations have been cancelled at some of London's leading hospitals in the four weeks following Qilin's ransomware attack on pathology services provider Synnovis. But perhaps no one was more severely impacted than Johanna Groothuizen. Hanna, as she goes by, is now without her right breast after having her skin-sparing mastectomy and immediate breast reconstruction surgery swapped with a simple mastectomy at the last minute.

In late 2023, the 36-year-old research culture manager at King's College London—a former health sciences researcher—was diagnosed with HER2-positive breast cancer. It's an aggressive form that requires immediate medical attention as it spreads more quickly and recurs more often. After receiving her diagnosis, Hanna promptly began a course of chemotherapy until she was well enough to undergo what is hoped to be the first and only major surgery to cure the disease. 

She had been informed repeatedly between then and the operation, which was set for June 7—four days after the ransomware attack—that the planned procedure was a skin-sparing mastectomy, allowing surgeons to reconstruct her right breast cosmetically right away.

How the ordeal unfolded, however, was an entirely different story. Doctors gave Hanna less than 24 hours to make the difficult decision of accepting a simple mastectomy or postponing a life-changing treatment until Synnovis' systems were back up. The decision was thrust upon her on Thursday afternoon, prior to her Friday surgery.

This came after she was compelled to track down the medical staff for updates on whether or not the procedure would even take place. Hanna was informed on Tuesday of that week, the day after Qilin's attack, that regardless of the situation, the staff at St Thomas' Hospital in London intended to proceed with the skin-sparing mastectomy as previously agreed. 

Hanna requested details on Thursday, and it was strongly suggested that the procedure would be cancelled. The hospital deemed the reconstruction part of the procedure too dangerous because Synnovis was unable to sustain blood transfusions until its systems were fully operational.

The ransomware attack was difficult for hospitals to deal with. The situation was so serious that blood supplies were running low barely a week after the attack, prompting an urgent need for O-type blood donations. For Hanna, however, this meant having to make a difficult decision between the surgery she wanted and the surgery that would give her the best chance of survival. The mother of two young children, aged four and two, felt she had no choice but to undergo a routine mastectomy, leaving her with only one breast.

Qilin's attack on Synnovis, a pathology services partnership involving Synlab, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust, occurred about five weeks ago as of this writing. According to the most recent NHS bulletin, service disruption remains evident throughout the region, though some services, such as outpatient appointments, are returning to near-normal levels.

Twilio Alerts Authy Users of Potential Security Risks Involving Phone Numbers

 


The U.S. messaging giant Twilio has reportedly had 33 million phone numbers stolen over the past week as a result of a hacker's exploit. Authy, a popular two-factor authentication app owned by Twilio that uses users' phone numbers to authenticate them, confirmed to TechCrunch today that "threat actors" can identify the phone numbers of Authy users. It was recently reported that a hacker or hacker group known as ShinyHunters posted on a well-known hacking forum that they had hacked Twilio and obtained the cell phone numbers of 33 million subscribers.

As Twilio spokesperson Ramirez explained to TechCrunch, the company has detected that threat actors were able to identify phone numbers associated with Authy accounts through an unauthenticated endpoint; however, it is not yet known how this happened. According to a report by TechCrunch earlier this week, someone obtained phone numbers belonging to users of Authy, Twilio's two-factor authentication (2FA) service.

An alert from Twilio on Monday warned of possible phishing attacks and other scams using the stolen phone numbers, which the company attributed to "threat actors" trying to steal personal information. A separate incident in 2022 followed a phishing campaign that tricked employees into entering their login credentials, which were then used to gain access to the company's computer network. During that attack, hackers gained access to 163 Twilio accounts as well as 93 Authy accounts, through which they were able to access and register additional devices. Twilio has traced the latest leak to an "unauthenticated endpoint" that has since been secured by the company.

As the dark web was abuzz last week with the release of 33 million phone numbers from Authy accounts, the threat actor ShinyHunters published a collection of the data. The threat actor, as pointed out by BleepingComputer, appears to have obtained the information by using the app's unsecured API endpoint to input a massive list of phone numbers, which would then be checked to see whether the numbers were tied to the application. 

During the investigation into the matter, it was found that the data was compiled by feeding an enormous number of phone numbers into the unsecured API endpoint. When a number was valid, Authy's endpoint returned information about the account registered with it. Now that the API has been secured, it can no longer be misused to verify whether a phone number is in use with Authy.
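The enumeration pattern described above, shown from the defender's side as an added example that is not Authy's or Twilio's code: a lookup handler that leaks whether a number is registered, beside a hardened handler that requires an API key, rate-limits each caller and answers identically for known and unknown numbers, plus a detection helper that flags callers querying many distinct numbers. The account store, API keys, phone numbers and request log are all constructed here.

```python
"""Phone-number enumeration through an unauthenticated lookup endpoint,
and a hardened version of the same endpoint (constructed example)."""
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of registered accounts: fake numbers, fake IDs.
ACCOUNTS: Dict[str, dict] = {
    "+15550000001": {"account_id": 101, "status": "active", "devices": 2},
    "+15550000002": {"account_id": 102, "status": "active", "devices": 1},
}

# Constructed API credentials for the hardened endpoint.
API_KEYS: Dict[str, str] = {"ak_demo_client": "client-1"}


def vulnerable_lookup(phone: str) -> dict:
    """The pattern in the article: no authentication, and the response
    itself reveals whether the number belongs to a registered account."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return {"found": False}
    return {"found": True, **acct}


class RateLimiter:
    """Fixed-window limiter keyed per caller (in-memory, single process)."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits: Dict[str, List[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits.get(key, [])
                  if now - t < self.window_seconds]
        if len(recent) >= self.max_requests:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


LIMITER = RateLimiter(max_requests=5, window_seconds=60)


def hardened_lookup(phone: str, api_key: Optional[str],
                    now: Optional[float] = None) -> dict:
    """Hardened handler: the caller must present a valid API key, calls are
    rate-limited per caller, and the response is byte-for-byte the same
    whether or not the number is registered, so feeding in a bulk list of
    numbers yields no yes/no oracle."""
    client = API_KEYS.get(api_key or "")
    if client is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    if not LIMITER.allow(client, now):
        return {"status": 429, "body": {"error": "rate limited"}}
    # Any real work (e.g. sending a verification code to a registered
    # number) would happen out of band; the HTTP answer never differs.
    return {"status": 202, "body": {
        "message": "If this number is registered, a verification message "
                   "has been sent."}}


def enumeration_suspects(log: Iterable[Tuple[str, str]],
                         distinct_threshold: int) -> List[str]:
    """Detection: given (client, phone) request records, return callers
    that queried at least `distinct_threshold` distinct numbers. A
    legitimate client re-checks its own users; an enumerator sweeps."""
    seen: Dict[str, set] = {}
    for client, phone in log:
        seen.setdefault(client, set()).add(phone)
    return sorted(c for c, nums in seen.items()
                  if len(nums) >= distinct_threshold)


if __name__ == "__main__":
    print(vulnerable_lookup("+15550000001"), vulnerable_lookup("+15550000009"))
    print(hardened_lookup("+15550000001", "ak_demo_client", now=0.0))
    print(hardened_lookup("+15550000009", "ak_demo_client", now=1.0))
    # Constructed request log: one sweeping caller, one normal caller.
    sample_log = [("client-1", f"+1555000{i:04d}") for i in range(6)]
    sample_log += [("client-2", "+15550000001")] * 6
    print(enumeration_suspects(sample_log, distinct_threshold=5))
```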

Threat actors have used this technique in the past, exploiting insecure Twitter and Facebook APIs to compile profiles of tens of millions of users containing both public and private information. Although the Authy scrape contained only phone numbers, such data can still be valuable to threat actors interested in conducting smishing and SIM-swapping attacks to breach users' accounts.

A CSV file containing 33,420,546 rows was posted for download. Each row contains an account ID, phone number, an "over_the_top" column, the account status, and the number of devices, according to the site. Twilio has acknowledged the attack on Authy's blog and confirmed a recent data breach affecting users of its Authy two-factor authentication app.

While the company experienced two separate cyberattacks in 2022, it emphasized that this latest incident is not related to the previous breaches. In light of this development, Twilio is urging all Authy users to exercise extreme caution when dealing with unsolicited text messages that appear to be from the company. According to Sean Wright, Head of Application Security at Featurespace, the primary threat stemming from this incident is the potential for targeted phishing attacks. Exposure to users' phone numbers significantly increases the risk of such attacks. 

Wright reassures users that direct access to their Authy accounts remains unlikely unless the attackers can obtain the seeds for the multi-factor authentication (MFA) tokens stored within the app. Despite this, he stresses the importance of remaining vigilant. Users should be particularly wary of messages from unknown senders, especially those that convey a sense of urgency or threaten financial loss if no action is taken. 

To enhance security, Wright suggests that users consider switching to an alternative MFA application or opting for more secure hardware keys, such as the Yubico YubiKey. Additionally, if any user experiences difficulty accessing their Authy account, Twilio advises immediate contact with Authy support for assistance. Furthermore, Twilio recommends that users update their Authy app on iOS and Android platforms to address potential security vulnerabilities. 

Keeping the application up-to-date is critical in safeguarding against future threats and ensuring the highest level of protection for user accounts. This proactive approach will help mitigate the risks associated with the recent breach and reinforce the security of the authentication process for all Authy users.

Wise and Evolve Data Breach Highlights Risks of Third-Party Partnerships

 

Wise, a prominent financial technology company, recently disclosed a data breach impacting some customer accounts due to a ransomware attack on their former partner, Evolve Bank & Trust. The breach has raised significant concerns about the security of third-party partnerships, especially in financial services. From 2020 to 2023, Wise partnered with Evolve to provide USD account details for their customers. Last week, Evolve confirmed an attack attributed to the notorious ransomware group LockBit. 

The group leaked the data after the bank refused to pay the ransom. The breach underscores the precarious nature of relying on third-party companies for critical services and trusting their security measures. Evolve has not yet confirmed the specific personal information leaked. However, Wise has taken a transparent approach, confirming that the shared information included names, addresses, dates of birth, contact details, Social Security numbers (SSNs) or Employer Identification Numbers (EINs) for U.S. customers, and other identity document numbers for non-U.S. customers. 

Evolve’s initial investigation suggests that names, SSNs, bank account numbers, and contact information for most of their personal banking customers, as well as customers of their Open Banking partners, were affected. In response to the breach, Wise assured its customers that they no longer work with Evolve Bank & Trust. Currently, USD account details are provided by a different bank, emphasizing their commitment to security and customer trust. 

Wise has implemented additional security protocols and is collaborating with cybersecurity experts to understand the breach’s scope and fortify their defenses. Wise has proactively communicated with its customers, recommending precautionary steps such as changing passwords, enabling two-factor authentication, and monitoring account activity for any suspicious transactions. They have also provided resources and support to help customers protect their information. The breach has heightened concerns among customers regarding the security of their personal and financial information. 

Despite the challenges posed by the breach, Wise’s proactive approach and transparent communication have helped reassure customers. The company continues to work closely with cybersecurity experts to enhance their defenses and prevent future incidents. As the investigation progresses, Wise is determined to provide regular updates and support to affected customers. Their dedication to transparency and user security remains unwavering, ensuring that they take every step necessary to safeguard their users’ information and maintain their trust. 

This incident highlights the growing threat of cyberattacks on financial institutions and the critical need for robust security measures. Customers are reminded to stay alert and take proactive steps to protect their online accounts. Wise’s efforts to address the breach and protect their users underscore their commitment to maintaining trust and security for their customers.

Australian Man Arrested for Evil Twin Wi-Fi Attacks on Domestic Flights

 

Police in Australia have arrested and charged a man with nine cybercrime offences for allegedly setting up fake public Wi-Fi networks using a portable wireless access point to steal data from unsuspecting users.

The man allegedly set up "evil twin" Wi-Fi networks at airports, on flights, and at other places related to his "previous employment" that deceived people into logging into the fake network using their email address or social media accounts. Police stated the login data was then transferred to the man's devices.

Dozens of credentials were reportedly obtained. This information might have enabled the perpetrator to gain access to victims' accounts and possibly steal further sensitive information such as banking login details or other personal information. Airline employees noticed one of the strange in-flight Wi-Fi networks. The unnamed Australian airline then reported the network's presence to authorities, who investigated the situation in April and arrested the suspect in May.

According to the Australian Broadcasting Corporation, the man, Michael Clapsis, appeared before Perth Magistrates Court and was subsequently released on "strict" bail with limited internet access. He also had to submit his passport. Clapsis' LinkedIn profile, which has since been deleted, hints that he may have previously worked for a shipping company. 

He has been charged with three counts of unauthorised impairment of electronic communication, three counts of possession or control of data with the intent to commit a serious offence, one count of unauthorised access or modification of restricted data, one count of dishonestly obtaining or dealing in personal financial information, and one count of possessing identification information with the intent to commit an offence. Clapsis is set to appear in court again in August. 

Evil twin attacks can use a variety of tactics to steal victims' data. However, they typically involve offering free Wi-Fi networks that appear genuine but present "login pages" designed to steal your data. Genuine Wi-Fi networks should never ask you to log in using your social media credentials or to provide a password for any of your accounts. It is also recommended to use a VPN and to avoid connecting to public Wi-Fi networks when a more secure option is available.

LockBit Ransomware Attack on Infosys McCamish Systems Exposes Sensitive Data of Over Six Million Individuals

 

Infosys McCamish Systems (IMS) recently disclosed that a LockBit ransomware attack earlier this year compromised sensitive information of more than six million individuals. IMS, a multinational corporation specializing in business consulting, IT, and outsourcing services, primarily serves the insurance and financial services industries. The company has a significant presence in the U.S., catering to large financial institutions such as Bank of America and seven out of the top ten insurers in the country.

In February 2024, IMS informed the public about the ransomware attack that occurred in November 2023. Initially, the company reported that the personal data of around 57,000 Bank of America customers had been compromised. LockBit, the group responsible for the attack, claimed to have encrypted 2,000 computers within the IMS network. A recent notification to U.S. authorities revealed that the total number of affected individuals now exceeds six million. The notification outlined the steps taken by IMS, including the involvement of third-party eDiscovery experts, to conduct a thorough review of the compromised data. 

This review aimed to identify the personal information accessed and determine the individuals impacted. The compromised data includes a wide range of sensitive information, such as Social Security Numbers (SSNs), dates of birth, medical records, biometric data, email addresses and passwords, usernames and passwords, driver’s license or state ID numbers, financial account information, payment card details, passport numbers, tribal ID numbers, and U.S. military ID numbers. To mitigate the risks associated with this data exposure, IMS is offering affected individuals a free two-year identity protection and credit monitoring service through Kroll. 

The notification letters provided instructions on how to access these services. IMS has not disclosed the full list of impacted clients, but the notification mentioned Oceanview Life and Annuity Company (OLAC), an Arizona-based provider of fixed and fixed-indexed annuities, as one of the affected organizations. The list of impacted data owners may be updated as more customers request to be named in the filing. 

This breach highlights the critical importance of robust cybersecurity measures and the significant impact such attacks can have on both individuals and large financial institutions. The LockBit ransomware attack on IMS serves as a stark reminder of the vulnerabilities within the digital infrastructure of major corporations and the far-reaching consequences of data breaches.

Top Data Breaches and Cyber Attacks in 2024


We're more than halfway into 2024, and we've already witnessed some of the largest and most damaging data breaches in recent history. And just when you thought some of these hacks couldn't get much worse, they did. The worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records, and that figure is expected to rise further. These breaches not only harm the individuals whose data was irretrievably compromised but also embolden the criminals who profit from their malicious cyberattacks. 

AT&T data leak 

Three years after a hacker leaked a sample of allegedly stolen AT&T customer data, a data breach broker released the whole cache of 73 million user records to the public on an infamous cybercrime forum in March. Consumers' names, phone numbers, and postal addresses were among the personal information in the leaked data, and some consumers attested to the accuracy of their information. 

However, the telecom giant didn't respond until a security researcher found that the exposed data contained encrypted passwords needed to access a customer's AT&T account. The security researcher told TechCrunch at the time that the encrypted passwords were easily unscrambled, placing roughly 7.6 million existing AT&T user accounts at risk of hijacking. After TechCrunch reported the researcher's findings, AT&T asked its users to reset their account passwords. 

Synnovis ransomware attack 

A June cyberattack on Synnovis, a blood and tissue testing lab serving hospitals and health institutions in the United Kingdom's capital, caused weeks of severe disruption to patient services. Following the attack, the local National Health Service trusts that rely on the lab postponed thousands of operations and treatments, leading the UK health sector to treat the incident as a serious emergency. 

A Russia-based ransomware gang was blamed for the cyberattack, which resulted in the theft of data relating to nearly 300 million patient interactions over a "significant number" of years. The implications for those affected, similar to those of the Change Healthcare data breach, are expected to be severe and long-lasting. 

Snowflake hack

A series of data thefts from cloud data provider Snowflake quickly escalated into one of the year's largest breaches, thanks to the massive volumes of data stolen from its corporate customers. 

Using stolen credentials belonging to data engineers with access to their employers' Snowflake environments, cybercriminals stole hundreds of millions of customer records from some of the world's largest companies, including an alleged 560 million records from Ticketmaster, 79 million records from Advance Auto Parts, and approximately 30 million records from TEG. Snowflake, for its part, does not demand (or enforce) that its customers employ the security feature that protects against breaches based on stolen or reused passwords.

Pipeline Hijacking: GitLab’s Security Wake-Up Call

A major vulnerability exists in some versions of GitLab Community and Enterprise Edition products, which might be exploited to run pipelines as any user.

GitLab is a prominent web-based open-source software project management and task tracking tool. There are an estimated one million active license users.

Understanding the Critical GitLab Vulnerability: CVE-2024-5655

The security problem resolved in the most recent update is identified as CVE-2024-5655 and carries a severity score of 9.6 out of 10. Under some conditions, which the vendor did not specify, an attacker might exploit it to execute a pipeline as another user.

GitLab pipelines are a component of the Continuous Integration/Continuous Deployment (CI/CD) system that allows users to build, test, and deploy code changes by running processes and tasks automatically, either in parallel or sequentially.

The vulnerability affects GitLab CE/EE versions 15.8 through 16.11.4, 17.0.0 through 17.0.2, and 17.1.0.

GitLab has resolved the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and users are encouraged to install the patches as soon as possible.

What Is CVE-2024-5655?

The vulnerability allows an attacker to trigger a pipeline as any user within the GitLab environment. In other words, an unauthorized individual can execute code within a project’s pipeline, even if they don’t have the necessary permissions. This could lead to several serious consequences:

Unauthorized Access to Sensitive Code: An attacker gains access to private repositories and sensitive code by exploiting this vulnerability. This compromises the confidentiality of intellectual property, proprietary algorithms, and other valuable assets stored in GitLab.

Data Leakage: The ability to run pipelines as any user means that an attacker can potentially leak data, including credentials, API keys, and configuration files. This information leakage could have severe implications for an organization’s security posture.

Malicious Code Execution: An attacker could inject malicious code into pipelines, leading to unintended actions. For instance, they might introduce backdoors, modify code, or execute arbitrary commands.

Affected Versions

The vulnerability impacts specific versions of GitLab:

  • GitLab versions starting from 15.8 prior to 16.11.5
  • GitLab versions starting from 17.0 prior to 17.0.3
  • GitLab versions starting from 17.1 prior to 17.1.1

GitLab’s response

GitLab promptly addressed this issue by releasing updates that fix the vulnerability:

Upgrade GitLab: Update your GitLab installation to a patched version. GitLab has provided patches for the affected releases, so ensure you apply them promptly.

Review Permissions: Audit user permissions within your GitLab projects. Limit pipeline execution rights to authorized users only.

Monitor Pipelines: Keep an eye on pipeline activity. Unusual or unexpected pipeline runs should be investigated promptly.
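The two defender-side checks above (confirm the instance is on a patched version; look for pipeline runs that should not have happened) as an added Python example, not GitLab's own tooling. The affected ranges are the ones listed in this post; the event records, project path and usernames are constructed for the example and loosely follow the field layout of a GitLab pipeline webhook payload.

```python
import json

# Affected GitLab CE/EE ranges as listed in this advisory summary, encoded as
# half-open [first affected, first fixed) tuples of (major, minor, patch).
AFFECTED_RANGES = (
    ((15, 8, 0), (16, 11, 5)),   # 15.8 up to but not including 16.11.5
    ((17, 0, 0), (17, 0, 3)),    # 17.0 up to but not including 17.0.3
    ((17, 1, 0), (17, 1, 1)),    # 17.1.0 only; fixed in 17.1.1
)


def parse_version(version: str) -> tuple:
    """Turn strings such as '16.11.4-ee' or '17.0' into a comparable
    (major, minor, patch) tuple, padding missing components with 0."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the given GitLab version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def audit_pipeline_events(events, allowlist):
    """Flag pipeline events whose triggering user is not on the project's
    allowlist of accounts expected to start pipelines.

    events:    iterable of JSON strings, one event per line
    allowlist: {project path: set of usernames permitted to run pipelines}
    Returns a list of findings (dicts) for the SOC to triage.
    """
    findings = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("object_kind") != "pipeline":
            continue  # only pipeline events carry the fields we check
        project = ev["project"]["path_with_namespace"]
        user = ev["user"]["username"]
        attrs = ev["object_attributes"]
        if user not in allowlist.get(project, set()):
            findings.append({
                "pipeline_id": attrs["id"],
                "project": project,
                "user": user,
                "ref": attrs["ref"],
                "source": attrs.get("source"),
                "reason": "triggering user is not on the project's pipeline allowlist",
            })
    return findings


# Constructed sample events (not real GitLab data), shaped after a subset of
# GitLab's pipeline webhook payload: object_kind, object_attributes, user,
# project. Usernames and project paths are made up for this example.
SAMPLE_EVENTS = [
    json.dumps({"object_kind": "pipeline",
                "object_attributes": {"id": 4101, "ref": "main", "source": "push"},
                "user": {"username": "alice"},
                "project": {"path_with_namespace": "acme/payments"}}),
    json.dumps({"object_kind": "pipeline",
                "object_attributes": {"id": 4102, "ref": "main", "source": "web"},
                "user": {"username": "contractor-x"},
                "project": {"path_with_namespace": "acme/payments"}}),
    json.dumps({"object_kind": "merge_request",
                "user": {"username": "bob"},
                "project": {"path_with_namespace": "acme/payments"}}),
]

# Constructed allowlist: accounts expected to start pipelines in each project.
SAMPLE_ALLOWLIST = {"acme/payments": {"alice", "release-bot"}}


if __name__ == "__main__":
    for ver in ("16.11.4-ee", "16.11.5", "17.0.2", "17.0.3", "17.1.0", "17.1.1"):
        state = "AFFECTED" if is_affected(ver) else "patched/unaffected"
        print(f"{ver:>12}: {state}")
    for finding in audit_pipeline_events(SAMPLE_EVENTS, SAMPLE_ALLOWLIST):
        print("FINDING:", finding)
```

Because a pipeline run through this flaw is attributed to the impersonated user, an allowlist is only a baseline: it catches runs by accounts that should never start pipelines, but a run impersonating an allowed account still needs correlation with that user's other activity.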

China's Backdoor Data Infiltration: A Growing Concern For Indian Government


Indian security agencies are concerned about a potential huge data breach triggered by Chinese microchips and hardware detected in biometric attendance systems (BAS) deployed in central and state government buildings, including sensitive departments. 

During their investigations, intelligence agencies discovered that over a dozen Indian enterprises that sold these biometric attendance systems to government offices used devices with Chinese-origin parts. The firms are under the scanner for potential data leaks. 

Nearly 7,500 central and state government institutions, employing around 900,000 central and 1.7 million state employees, may have been using over 80,000 dubious biometric attendance systems. This includes key central and state government buildings, as well as military and defence offices. 

According to intelligence sources, these biometric attendance systems can be easily utilised by Chinese firms to gain access to data such as the number of officials in a specific organisation, their designations, and even their locations. 

These companies are bound by China's National Intelligence Law, 2017, to send all of their data to Chinese state intelligence agencies. The law, which went into force in June 2017, gives the Chinese government extensive power to manage and access data from companies that fall under its jurisdiction.

Given China's aggressive spying tactics, India's ministry of home affairs has established a dedicated wing of intelligence officials to monitor Chinese firms' activity in India as well as the Indian security system. Furthermore, the Indian government is working to eliminate the presence of Chinese-made equipment, particularly from the national security apparatus. 

Earlier, security officials expressed serious concerns about the potential threat of data leakage from surveillance cameras, particularly those of Chinese origin, installed at various military installations across the country.

According to a letter from the Integrated Defence Headquarters at the Ministry of Defence (MoD), one of the market leaders in surveillance cameras, which is 41% owned by the Chinese government, is operating in India through a collaboration with an Indian company. The modules for these camera systems are supplied by a Chinese company, although the items are advertised as 'Made in India', the MoD stated. 

Following the Chinese troops' incursion into Ladakh, the ministry of finance's department of expenditure issued GFR (general finance rule) 144 XI on July 23, 2020, to ensure that Chinese firms do not participate in procurements directly or through Indian/Chinese subsidiaries without first registering with the DPIIT (Department for Promotion of Industry and Internal Trade).

Hacker Claims Data Breach of India’s Blue-Collar Worker Database


A hacker claims to have accessed a large database linked with the Indian government's portal for blue-collar workers emigrating from the country. 

The eMigrate portal's database allegedly includes full names, contact numbers, email addresses, dates of birth, mailing addresses, and passport data of individuals who allegedly registered for the portal.

The Ministry of External Affairs launched eMigrate, which helps Indian workers in emigrating overseas. The portal also offers clearance tracking and insurance services to migrating workers. 

The database for sale on a recognised cybercrime forum appears to be genuine and even includes the contact information for the Indian government's foreign ambassador. While it is unclear whether the data was stolen directly from the eMigrate portal or via a previous breach, the threat actors claim to have access to at least 200,000 internal and registered user accounts. 

India's Computer Emergency Response Team (CERT-In) is working with the relevant authorities to take appropriate action, while the Ministry of External Affairs is yet to respond on the matter. This is not the first time India's government portals have been accused of leaking data. 

Earlier this year, an Indian state government website was found exposing sensitive documents and personal information of millions of residents. In May, scammers were found to have tricked government websites into displaying adverts that redirected users to online betting sites. 

The implications of such data breaches are difficult to estimate. However, data breaches can have serious consequences for individuals whose personal information is exposed. Personal information posted on hacker forums is frequently used by attackers to launch phishing attacks, steal identities, and compromise users' financial security. 

“Personal data is its own form of digital currency on the internet and breaches cost organizations a significant amount. The breaches impacting organizations and government entities are what the public sees front and center, but the impact on the end user isn’t as visible,” said Satnam Narang, senior staff research engineer at Tenable.

Campaign Oversight Results in Leak of Senior Tories' Private Info

Although local party anger has been expressed over the selection of Conservative Chairman Richard Holden as the party's candidate for Basildon and Billericay, he has been appointed at the very last minute as the party's candidate. The BBC contacted two local Tory officials and they said Mr Holden was the only candidate offered by the National Party to represent Essex. 

The former Tory official said the move was a "slap in the face" for local Conservatives. The cabinet minister told the BBC that the decision had 'gone down like a bucket of cold sick'. He did not respond to requests for comment. A Conservative Party spokesperson said he had been "unanimously chosen". Despite serving North West Durham, nearly 300 miles further north, since 2019, the party chairman will lose that seat at this year's election as part of a review of UK seat boundaries, which means that he has to find another seat. 

A small number of senior association members attended Mr Holden's address on Wednesday evening in the constituency where he represented the senior political association. It was reported that the entire local executive committee was quite dissatisfied with the way the central party handled the issue, but Mr Holden ultimately did "align" with the views and values of locals. In the opinion of another activist - who was not present in the room - the choice of Mr Holden was a "very poor decision" since several cabinet ministers are fighting marginal seats and are aware that they will lose their seats. In addition to making himself a safe seat, Richard has also used a process that is completely insane. 

The Conservative Party is scrambling to put together a full slate of candidates before the registration deadline on Friday. The Tory MP for Basildon and Billericay has been in the House of Commons since 2001. Last October, he announced that he would be leaving the House of Commons. His last election victory yielded a 20,412 majority, making the seat an attractive one for the party's candidates to run in this time around. 

Earlier this year, the local association chairman, Richard Moore, told the BBC that the group would be given the option to pick their candidate at a meeting scheduled for a choice of three candidates from the national party. He added that local members were "extremely put out" that the party had waited until two days before the close of nominations to put forward a candidate. "This could have all been done in March or April," he said, adding that the central party had "sat on this for seven months". Andrew Baggot, a local Conservative councillor, also criticised the process, calling it a "slap in the face to local councillors, volunteers and the membership". 

Basildon Conservative Association's executive council is expected to meet next week to discuss the next steps for fighting the decision. According to him, members of the association are exploring options to fight the decision. There have been numerous selection disputes in the Labour Party involving left-wing candidates, including Diane Abbott, a close ally of Jeremy Corbyn. In addition, the Conservatives have been triggering discontent within local party branches for a while, following the same process as the opposition. The Conservatives are expected to fill dozens of seats before Friday, but they have also been following a systematic approach. 

While the party is scrambling to fill places, several Tory advisers have been selected to run for relatively safe seats for the party during the selection process. As it turns out, Will Tanner, an adviser to Prime Minister Rishi Sunak, has been chosen to run for Bury St Edmunds & Stowmarket. He is reportedly one of three candidates on the list drawn up by the party's headquarters. In Wellingborough and Rushden, Mr Sunak's deputy political secretary, David Goss, has been selected, while in Great Yarmouth, James Clark, a former adviser to the Defence Secretary, has been chosen. 

The Conservative Party usually shortlists and approves candidates through local Conservative associations, along with national officials who approve selections. The Labour Party normally offers local branches the opportunity to select candidates based on the longlists that have been approved by the central party. In the closing days of the campaign, local members have been reduced to less than their usual role, as the national party is focusing on filling target seats or seats where MPs are stepping down or suspensions are taking place. As a result, Alex Harrison has been selected as the Labour candidate for Basildon and Billericay, while Stephen Conlay has been selected as the Reform UK candidate and Stewart Goshawk has been selected as the Green candidate.

Behind the Breach: Understanding the Change Healthcare Cyberattack

Change Healthcare, a company that handles medical billing, claims processing, and other critical healthcare functions, fell victim to a sophisticated cyberattack. The attackers gained unauthorized access to the company’s systems, compromising a vast amount of sensitive data.

The Breach

UnitedHealth has disclosed for the first time what types of medical and patient data were stolen in the huge Change Healthcare ransomware assault, claiming that data breach notifications will be sent out in July.

On Thursday, UnitedHealth issued a data breach notification, saying that the ransomware attack exposed a "substantial quantity of data" to a "substantial proportion of people in the US."

While UnitedHealth has not disclosed how many people were affected, CEO Andrew Witty indicated during a congressional hearing that "maybe a third" of all Americans' health data was compromised in the hack.

But what exactly was stolen?

Personal Details: The stolen information includes personal identifiers such as names, addresses, and Social Security numbers. These details are valuable for identity theft and fraudulent activities.

Government Identity Documents: The breach exposed government-issued identification documents, such as driver’s licenses and passports. This poses a significant risk to affected individuals, as criminals can misuse these documents for various purposes.

Health Records: The most concerning aspect is the exposure of health records. These records contain diagnoses, treatment plans, medications, test results, and other confidential medical information. Imagine the consequences if this data falls into the wrong hands.

Impact and Ramifications

The impact of the Change Healthcare breach is far-reaching:

Individuals: Patients whose data was compromised face potential harm. Their privacy is violated, and they may suffer financial losses due to identity theft. Moreover, health-related information can be exploited for targeted scams or even blackmail.

Healthcare Providers: Change Healthcare’s reputation is tarnished, and trust among healthcare providers is eroded. The breach highlights vulnerabilities in the industry, prompting urgent security improvements.

Regulatory Compliance: The breach triggers legal obligations. Change Healthcare must notify affected individuals, regulators, and relevant authorities. Compliance with data breach notification laws is crucial.

What have we learned so far?

  • Encryption: Encrypt sensitive data both at rest and during transmission. Encryption ensures that the data remains unreadable even if attackers gain access without the decryption key.
  • Access Controls: Implement strict access controls—limit who can access sensitive data and regularly review permissions. Unauthorized access should trigger alerts.
  • Employee Training: Educate employees about cybersecurity best practices. Phishing attacks often exploit human vulnerabilities. Regular training can prevent such incidents.
  • Incident Response Plan: Have a robust incident response plan in place. Quick detection, containment, and recovery are essential to minimize damage.

Five Tips to Avoid Financial Fraud


Banks, credit card companies, the government, and a variety of other entities are continually looking for new ways to protect your money and data. But scammers never appear to be far behind.

According to a 2023 Ipsos poll conducted on behalf of Wells Fargo, over one-third (31%) of respondents have been victims of online financial fraud or cybercrime. Furthermore, while nearly 75 percent of Americans believe they have taken the necessary precautions to avoid being scammed, nearly half (48%) believe they will become a victim of financial cybercrime in the future regardless. 

While there is no perfect way to avoid becoming a victim of a financial scam, you may dramatically improve your chances by taking a few sensible actions. 

Question everything 

This is the most critical technique to defend yourself against all types of fraud, not just financial fraud. If something sounds too good to be true, it probably is. When presented with such a bargain, ask plenty of questions, especially: why are you offering this to me? What do you (the dealmaker) get out of it? Why is there so much urgency? What happens if I wait a few days to respond? If the person being asked the questions becomes agitated or stops replying, this is a major red flag. 

Review all accounts and passwords 

Keep track of all your financial accounts and credit cards. Check your statements on a regular basis and ensure that you recognise all of the transactions. And, while it may seem obvious, keep your passwords secure and complex. Also, don't repeat passwords for several accounts. 

Never share personal information on social media 

Before the pandemic, we'd definitely have said never share personal information online; in fact, we did a few years ago. However, the pandemic has changed much of our lives online, and we can now open bank accounts, investment accounts, and even apply for homes online. In these circumstances, disclose information only when you are certain who will receive it. Also, never post any banking information, credit card information, or personal identity details on social media. 

Monitor your credit 

It's a common myth that checking your credit score will damage it, but this is not true. Make sure to check your credit reports at least once a year. This will assist you in identifying any unauthorised access to your credit file, halting any applications before they become loans, and taking action if someone successfully accesses credit in your name. 

Use two-factor authentication 

Even if your password is complex, it can be compromised via phishing attacks, data breaches, and other means. So, when it comes to financial accounts or accounts that include financial information, you may want to go beyond a simple login and password. 

Two-factor authentication (2FA) is a security standard that needs two forms of identification before accessing an account. For example, after entering your password, you may be asked to enter a PIN, answer a security question, pass a facial recognition test, or submit a one-time verification code provided via SMS, email, or an authenticator app.

Rider Data Compromised in Ransomware Attack on TheBus, Handi-Van


Private data of TheBus and Handi-Van customers appears to have been hacked in an alleged ransomware attack on the company that operates the transportation services. The websites for TheBus and Handi-Van have been down for four days as the alleged attack continues. 

This is the second hack of Oahu Transit Services in three years, and the FBI and Hawaii Police Department are investigating. Meanwhile, the city's Department of Transportation Services said that the breach began around 1 a.m. Saturday. 

“Our phones went down, our OTS system went down and it became pretty obvious that it was an outside intrusion into the system,” stated Roger Morton, director of the city Department of Transportation Services. “What OTS did was immediately severed all the connections to other systems that they have.” 

TheBus and Handi-Van continue to run their routes. However, the city says that the websites, GPS, and the Holo card system were deliberately shut down to safeguard people's data. It might be too late, though. 

Falcon Feeds, an India-based cybersecurity company that monitors "threat actors," shared a screenshot on its X social media account claiming that "Oahu Transit Services Falls Victim to DragonForce Ransomware.” DragonForce claims to have 800,000 pieces of data and has given OTS 10 days from Tuesday to pay the ransom.

“That’s from the DragonForces dark platform, where they shame most of these victims,” noted Nandakishore Harikumar, Falcon Feeds CEO and founder. “Every data breach, even if it’s leaking one line of data, we believe it’s serious.” 

DragonForce is based in Malaysia, but Harikumar is unsure whether the group that posted the ransom is legitimate or an imposter. Falcon Feeds published screenshots of the data, which included names, addresses, and bus or Handi-Van card ID types. Hawaii News Now masked the private data. 

“We have not paid any ransom,” stated Morton, who added it’s against policy to pay ransoms. “They’re methodically putting the system back. Part of that is disinfecting hundreds of work stations on the chance that they might hold some kind of virus on them.” 

DTS won't confirm a ransomware incident and says the matter is under investigation. Meanwhile, Oahu Transit Services has responded to media requests through a Gmail account. According to Morton, OTS expects all online systems to be operational again on Wednesday.