
Private Data of Europeans Shared 376 Times Daily in Ad Sales

 

Private information about every internet user is shared hundreds of times each day as companies bid for online advertising slots. A new report by the Irish Council for Civil Liberties (ICCL) found that the average European user's data is shared 376 times per day, and the figure rises to 747 times daily for US-based users. 

Currently, ICCL is engaged in a legal battle with the digital ad industry and the Data Protection Commission against what it describes as an epic data breach, arguing that nobody has ever specifically consented to this practice. 

The data is shared between brokers acting on behalf of those wishing to place adverts, in real-time, as a web page loads in front of someone who is reading it. The brands in the adverts themselves are not involved. 

That data can be practically anything based on the Interactive Advertising Bureau's (IAB) audience taxonomy. The basics, of course, like age, sex, location, income, and the like are included, but it doesn't stop there. All sorts of websites fingerprint their visitors and those fingerprints can later be used to target ads on unrelated websites. 

The data is used to find the most relevant bidder for the advert space on the page. This all happens automatically, in a fraction of a second, and is a multimillion-dollar industry. Personally identifying information is not included, but campaigners argue that the sheer volume of data shared is still a violation of privacy. 

"Every day the RTB [Real Time Bidding] industry tracks what you are looking at, no matter how private or sensitive, and it records where you go. This is the biggest data breach ever recorded. And it is repeated every day," said Dr. Johnny Ryan, senior fellow at the ICCL. 

According to the ICCL report, the source of the data was a Google feed covering a 30-day period; it is made available to the industry but not to the public. Data about US web users' habits is shared in advert sales processes 107 trillion times per year, and European users' data is shared 71 billion times. 

"If the exhaust of our personal data could be seen in the same way pollution can, we'd be surrounded by an almost impenetrable haze that gets thicker the more we interact with our phones," said tech reporter Parmy Olson. 

21M Users' Personal Data Exposed on Telegram

 

A database containing the personal information and login passwords of 21 million individuals was exposed on a Telegram channel on May 7th, 2022, as reported by Hackread.com. The data of VPN customers was also exposed in the breach, including customers of prominent VPNs such as SuperVPN, GeckoVPN, and ChatVPN. 

The database had previously been offered for sale on the dark web last year, but it is now available for free on Telegram. The leaked documents contained 10GB of data and exposed 21 million unique records, according to vpnMentor analysts. The following details were included: 
  • Full names
  • Usernames
  • Country names
  • Billing details
  • Email addresses
  • Randomly generated password strings
  • Premium status and validity period
Further investigation revealed that the leaked passwords were effectively impossible to crack, because they were all random strings, hashed, or salted without collisions. Gmail accounts made up the majority of the email addresses (99.5 percent). 

However, vpnMentor researchers believe that the released data is only a portion of the whole dump. For the time being, it is unknown whether the information was obtained through a data breach or from a misconfigured server. In any case, the harm has been done, and users are now exposed to scams and prying eyes. The main reason people use VPNs is to maintain their anonymity and privacy; because VPN customers' data is regarded as more valuable, its disclosure has far-reaching effects. 

People whose information was exposed in this incident may be subjected to blackmail, phishing scams, or identity theft. Because personally identifiable information such as country names, billing information, and usernames was exposed, attackers may launch targeted fraud. Threat actors can easily hijack accounts and exploit their premium status after cracking the credentials. 

If the data falls into the hands of a despotic government that prohibits VPN use, VPN users may be arrested and detained. Users should change their VPN account password and use a mix of upper- and lower-case letters, symbols, numbers, and other characters for maximum account security.

Anonymous Leaks 82 GB Police Data as Protest Against Australian Detention Centre

Earlier this week, the Anonymous collective released 82 GB of emails belonging to the Nauru Police Force. According to Anonymous, the leak was a protest against the mistreatment of asylum seekers and refugees by island authorities and the Australian government. 

Nauru is a small island country in Micronesia, Australia, infamous for an offshore refugee detention camp, for which Australia provides assistance. The leaked emails number around 285,635 and are available for direct and torrent download via the official website of "Enlace Hacktivista," a forum that aims to document hacker history. 

"Nauru agreed to assess people's claims for international protection and host the facilities required to detain them, while Australia committed to bearing the entirety of the cost. Nauru has a population of 10,000 people, with around 107 asylum seekers as of July 2021. 
 
The majority of asylum-seekers and refugees on Nauru are from Iran, while many are stateless, and others come from Afghanistan, Iraq, Myanmar, Pakistan, and Sri Lanka," says the Enlace Hacktivista website. Experts have not been able to examine the trove of emails, but Anonymous says the leaked data includes details of violence that the Nauru Police Force and the government of Australia tried to hide. 

Anonymous' statement asked the authorities to open an inquiry into all accusations of abuse in the refugee detention camp and to pay lifetime reparations to victims of abuse. It also called for an end to the policy of compulsory immigration detention and the permanent closure of immigration detention facilities, including the one on the island of Nauru. DDoSecrets has confirmed the leak and said that the data is also available on DDoSecrets. 

Besides this, @YourAnonNews, a media representative of the collective, tweeted "anonymous hackers release 1/4 million Nauru Island Immigration Detention Center Police emails documenting abuses suffered by asylum seekers and refugees under successive Scott Morrison (Prime Minister of Australia since 24 August 2018) portfolios." As of now, there is no official statement from the Nauru Police Force or the Australian government regarding the leak.

Black Basta Ransomware Hits American Dental Association

 

A new ransomware gang dubbed Black Basta exfiltrates corporate data and documents before encrypting the firm's devices. It quickly ramped up operations this month and has targeted more than twelve firms in just a few weeks. 

The malicious actors then employ stolen data in double-extortion assaults and demand hefty amounts to decrypt files and prevent the publishing of the victim's stolen data. 

According to BleepingComputer, the American Dental Association was targeted by Black Basta last weekend, prompting the shutdown of some parts of its network. The ADA sent emails to its members noting that some of its systems, including ADA email and Aptify, as well as its webchat and telephone lines, have been disrupted as a result of the attack. 

Impacted systems were immediately taken down, with the ADA using Gmail addresses while its email systems are offline. State dental associations, including those in Florida, New York, and Virginia, have also been affected by the ADA breach. 

The attackers claim to have leaked 2.8GB of data, which they say accounts for about 30% of what was stolen in the attack. The exfiltrated files include non-disclosure agreements, W2 forms, accounting spreadsheets, and ADA member data. 

Researchers first uncovered the Black Basta attacks in the second week of April, as the operation quickly began targeting firms worldwide. Not much else is known about the new ransomware gang, as they have not yet begun marketing their operation or recruiting affiliates on hacking forums. 

Black Basta modus operandi 

The ransomware hijacks an existing Windows service and uses it to launch the ransomware executable. The ransomware then changes the desktop wallpaper to display a message stating, "Your network is encrypted by the Black Basta group. Instructions in the file readme.txt" and reboots the computer into Safe Mode with Networking. 

According to security researcher Michael Gillespie, Black Basta uses the ChaCha20 algorithm to encrypt files. Each folder on the encrypted device contains a readme.txt file with information about the attack, along with a link and a unique ID used to log in to the negotiation chat session with the threat actors. 

The ransomware operators then demand a ransom and threaten to leak the data if payment is not made within seven days, promising to secure the data once a ransom is paid. Unfortunately, the encryption algorithm is secure and there is currently no way to recover files for free. The data extortion part of these attacks is conducted on the 'Black Basta Blog' or 'Basta News' Tor site, which lists all victims who have not paid a ransom.

Conti Ransomware Assault Continues Despite the Recent Breach

 

The notorious ransomware group Conti has continued its assaults on businesses despite the exposure of the group’s operations earlier this year. 

Researchers from Secureworks state that the Conti ransomware gang, which they track as the Russia-based threat actor Gold Ulrick, is the second most prevalent group in the ransomware landscape, responsible for 19% of all attacks in the three months between October and December 2021. 

Conti is one of the most prolific ransomware groups of the last year, along with LockBit 2.0, PYSA, and Hive, and has locked up hospital, corporate, and government agency networks, demanding a ransom for the decryption key as part of its name-and-shame scheme. 

After the ransomware gang sided with Russia in its February invasion of Ukraine, an anonymous pro-Ukraine hacktivist using the Twitter handle ContiLeaks released the malware source code, credentials, chat logs, and operational workflows. 

"The chats reveal a mature cybercrime ecosystem with multiple threat groups that often collaborate and support each other," Secureworks said in a report published in March. Groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID). 

According to Secureworks researchers, Conti targeted more than 100 organizations in March, after the ransomware gang claimed that half of its victims pay ransoms averaging $700,000. More than 30 new victims have already been published on the Conti leak site in April. 

Recent attacks targeted wind turbine giant Nordex, industrial components provider Parker Hannifin, and cookware and bakeware distribution giant Meyer Corporation. The group has also taken responsibility for a highly disruptive attack on Costa Rican government systems. 

"If GOLD ULRICK operations continue at that pace, the group will continue to pose one of the most significant cybercrime threats to organizations globally," said Secureworks. 

Meanwhile, technical monitoring of Emotet campaigns by Intel 471 between December 25, 2021, and March 25, 2022, revealed that more than a dozen Conti ransomware targets were in fact victims of Emotet malspam attacks, showing just how closely the two operations are intertwined. 

"While not every instance of Emotet means that a ransomware attack is imminent, our research shows that there is a heightened chance of an attack if Emotet is spotted on organizations' systems," said Intel 471.

CNIL Imposes a Fine of 1.5 million Euros Against Software Publisher Dedalus

 

The French Authority for Data Protection (CNIL) has imposed one of its highest General Data Protection Regulation (“GDPR”) sanctions to date against Dedalus Biologie SAS (“Dedalus”), an application software editor that sells and services solutions for use by medical laboratories. 

Following a massive health data breach, reported in the press in February last year and affecting nearly 500,000 individuals, CNIL fined Dedalus Biologie 1.5 million euros, mainly for failing to comply with its data security obligations. 

CNIL Findings 

The amount of the fine was determined with regard to the seriousness of the breaches, especially taking into account the fact that health personal data had been disclosed. CNIL found Dedalus Biologie to be in breach of Article 28(3) of the GDPR, given that the contractual documents concluded between Dedalus Biologie and its customers did not provide the information stipulated under the aforementioned provision. 

As part of a migration of data from one tool to another, requested by two laboratories using Dedalus Biologie's services, CNIL found that the company extracted a larger volume of data than required, including personal health data (e.g., health issues, infertility), and therefore processed data beyond the instructions given by the data controllers, in breach of Article 29 of the GDPR. 

Additionally, CNIL found a breach of the obligation to ensure the security of personal data (Article 32 GDPR), due to technical failings such as: 

• lack of specific procedure for data migration operations; 
• lack of encryption of personal data stored on the problematic server; 
• absence of automatic deletion of data after migration to the other software; 
• lack of authentication required to access the public area of the server; 
• use of user accounts shared between several employees on the private zone of the server; and 
• absence of supervision procedure and security alert escalation on the server. 

To prevent data breaches in the future, Dedalus Biologie stated its intention to attain the highest level of security and GDPR compliance by strengthening its IT infrastructure, enhancing its internal and external procedures, and appointing additional DPO and IT information services managers.

Thousands of Secret Keys Discovered in Leaked Samsung Source Code

 

Thousands of secret keys were exposed in the recently stolen Samsung source code, according to an analysis, including several that might be extremely beneficial to nefarious actors. GitGuardian, a business that specialises in Git security scanning and secret detection, conducted the research. 

The firm's analysts examined source code that was recently stolen by a cybercrime outfit known as Lapsus$. In recent weeks, the hackers claim to have hacked into several large corporations, including NVIDIA, Samsung, Ubisoft, and Vodafone. They appear to have acquired source code from the victims in numerous cases, some of which have been made public. Cybercriminals claim to have stolen 190 GB of data from Samsung, and the tech giant has verified that the hacked data contained the source code of Galaxy devices. 

More than 6,600 secret keys were discovered during GitGuardian's analysis of the exposed Samsung source code, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys. The number of valid keys revealed is yet to be determined by the firm's researchers. However, 90 percent are likely related to internal systems, which may be more difficult for an attacker to use, according to their research. The remaining keys, which number around 600, can give attackers access to a wide range of systems and services. 

“Of the more than 6,600 keys found in Samsung source code roughly 90% are for Samsung's internal services and infrastructure, whilst the other 10%, critically, could grant access to Samsung's external services or tools such as AWS, GitHub, artifactory and Google,” explained Mackenzie Jackson, developer advocate at GitGuardian. 
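As an added illustration of the kind of scan GitGuardian describes (this is not GitGuardian's tooling or Samsung's code), the following Python scanner looks for the fixed-format key types named above plus high-entropy assignments; the sample source text, variable names and entropy threshold are constructed for the example.

```python
"""Detect leaked credentials in source text: fixed-format provider keys
(AWS, Google, GitHub, private-key headers) plus high-entropy assignments.
Added example, not GitGuardian's scanner; sample input is constructed."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-format credentials. The prefixes are the providers' published key
# formats, so one regex per type catches them with few false positives.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Secrets with no fixed prefix (passwords, AWS secret keys): look for an
# assignment to a suspicious variable name and keep only values whose
# Shannon entropy is high, which drops placeholders such as "passwordpassword".
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Za-z_]*(?:secret|password|passwd|token|api_key)[A-Za-z_]*)"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{12,})[\"']?"
)
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune on your own corpus


@dataclass
class Finding:
    kind: str
    line: int
    redacted: str  # a scanner must never re-leak the secret in its own report


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's character distribution."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                shown = token if kind == "private_key" else redact(token)
                findings.append(Finding(kind, lineno, shown))
        for match in ASSIGNMENT.finditer(line):
            name, value = match.group(1), match.group(2)
            # Already reported above as a fixed-format key: do not double count.
            if any(p.search(value) for p in PATTERNS.values()):
                continue
            if shannon_entropy(value) >= MIN_ENTROPY:
                findings.append(Finding(f"high_entropy_{name.lower()}", lineno, redact(value)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, the way a leak report is usually tallied."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample; the AWS values are the placeholder keys from AWS's own docs.
SAMPLE_SOURCE = """\
# constructed config file, not from any real repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GOOGLE_KEY = "AIzaSyA0123456789abcdefghijklmnopqrstuv"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
DB_PASSWORD = "passwordpassword"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} {f.redacted}")
    print(summarize(scan_text(SAMPLE_SOURCE)))
```

The low-entropy DB_PASSWORD placeholder is deliberately not reported, while the GitHub token is counted once even though both the fixed-format and assignment rules match it.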

According to Casey Bisson, head of product and developer relations at code security firm BluBracket, the exposure of specific keys might allow the TrustZone environment on Samsung devices to be compromised. Researchers have yet to determine whether the revealed keys undermine TrustZone, which holds sensitive data such as fingerprints and passwords and acts as a security barrier against Android malware attacks. 

Bisson told SecurityWeek, “If the leaked data allows the malware to access the TrustZone environment, it could make all data stored there vulnerable. If Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment. Compromised keys would make this a more significant attack than Nvidia, given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.”

A few months ago, GitGuardian reviewed the source code leaked from Amazon's live streaming service Twitch, from which hackers obtained and published around 6,000 internal Git repositories. AWS keys, Twilio keys, Google API keys, database connection strings, and GitHub OAuth keys were among the secrets GitGuardian found in those repositories.

Threat Actors are Using Leaked Stolen Nvidia Certificates to Hide Malware

 

Malicious actors are using stolen NVIDIA code signing certificates to gain remote access to unsuspecting machines and deploy malicious software on Windows. 
 
Earlier this week, NVIDIA, an American multinational firm, suffered a cyberattack that allowed hackers to steal credentials and proprietary data of 71,000 employees. 
 
The hacking group, known as Lapsus$, claimed that they stole 1TB of data during the attack and began leaking sensitive information online after NVIDIA rejected their ransom demand.  
 
The exposed data includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executable files before releasing them to the public. Code signing lets Windows and prospective users verify the origin of a file. To increase security, Microsoft also requires kernel-mode drivers to be code signed; otherwise the OS will refuse to load them. 
 
After Lapsus$ leaked NVIDIA's code-signing certificates, cybersecurity experts quickly discovered that the certificates were being used to sign malware and other tools used by threat actors.  
 
Malware samples signed with the aforementioned NVIDIA certificates were discovered on VirusTotal, a malware scanning service. The uploaded samples showed the certificates being used to sign hacking tools and malware, including Cobalt Strike Beacon, Mimikatz, backdoors, and remote access trojans. 
 
Security researchers Kevin Beaumont and Will Dormann shared that the stolen certificates utilize the following serial numbers:  
 
43BB437D609866286DD839E1D00309F5 
14781bc862e8dc503a559346f5dcc518  
 
Both certificates have expired, but the operating system will still accept signatures made with them just the same. Using these stolen certificates, threat actors can therefore make their programs look like legitimate NVIDIA software and get malicious drivers loaded by Windows. 
 
“Signing certificates are the keys computers use to verify trust in software,” Casey Bisson, head of product and developer relations at code-security product provider BluBracket, stated. “Validating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).”  
 
To prevent vulnerable drivers from being loaded on Windows, David Weston, director of enterprise and OS security at Microsoft, tweeted that admins can configure Windows Defender Application Control policies to control which specific NVIDIA drivers can be loaded on a system.

Hackers Expose 190GB of Alleged Samsung Data

 

Hackers that exposed confidential information from Nvidia have now turned their attention to Samsung. The hacker group known as Lapsus$ is suspected of taking 190GB of data from Samsung, including encryption and source code for many of the company's new devices. 

On Saturday, the hackers leaked critical data collected in the attack on Samsung, making it accessible via torrent. As seen by Bleeping Computer, the hackers shared the complete data in three parts in a note to their followers, along with a text file describing the contents of the download. 

The exposed material includes "source code from every Trusted Applet" installed on every Samsung smartphone, as per the message. It also includes "confidential Qualcomm source code," algorithms for "all biometric unlock operations," bootloader source code for the devices, and source codes for Samsung's activation servers and Samsung account authentications, including APIs and services. 

In short, the Lapsus$ attack targeted Samsung's GitHub for critical data: mobile defence engineering, the Samsung account backend, the Samsung Pass backend/frontend, and SES, which includes Bixby, SmartThings, and the store. 

The attack on Samsung comes after the group attempted to extort money from Nvidia in a ransom scheme. It is worth noting that this was not a straightforward monetary request. Instead, the hackers asked Nvidia to lift the restriction on Ethereum cryptocurrency mining that it has placed on its 30-series GPUs, and demanded that Nvidia's GPU drivers be open-sourced forever. 

The hackers are plainly looking to make money from the disclosed data, as evidenced by their updates. One of them offered to sell anyone a bypass for the crypto mining limiter on Nvidia GPUs for $1 million. According to The Verge, another communication from the group said that instead of making the data public, they were attempting to sell it directly to a buyer. 

Last Monday, Nvidia confirmed the breach, acknowledging a leak of "employee credentials" and "proprietary information." However, it denied that the attack was linked to the ongoing Russia-Ukraine crisis and said the cyberattack would have no impact on its operations. 

As of now, there are no reports of Lapsus$ demanding a similar ransom from Samsung. If they do, however, Samsung is likely to suffer a significant setback, especially given the type of data the hacking group now claims to have access to.

Nvidia Confirms Company Data Was Stolen in a Breach

 

Last week, chipmaker Nvidia suffered a cyberattack that breached its network. The company has confirmed that the intruders gained access to proprietary information and employee login data. 
When the breach came to light last week, the organization attributed it to a threat group called "Lapsus$".

“We are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online,” the company said in a statement. 

However, Nvidia has not yet released specific details of the stolen data. Meanwhile, LAPSUS$, the alleged culprit, claims to have looted 1TB of data, including files related to the organization's hardware and software. Following the incident, Lapsus$ began demanding a ransom in cryptocurrency to prevent the data from being published online. Nvidia has not confirmed its stance or response to the hackers' demands. 

The primary purpose of a ransomware attack is to encrypt the victim's data and threaten to permanently delete it unless a ransom is paid, often in Bitcoin because of the relative anonymity that cryptocurrency provides. Threat groups also use ransomware attacks to steal the victim's data and then threaten to release sensitive details publicly unless certain demands are met. Either way, it amounts to extortion. 

According to sources, the organization has not confirmed technical details yet, so it is difficult to confirm anything at present. Worryingly, information about the attack continues to trickle out. For instance, some of the leaked data contains references to future GPU architectures, including Blackwell, and an anonymous source has sent what they claim is proof of stolen DLSS source code to TechPowerUp. 

"We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time," NVIDIA initially said.

NSW Government Database Compromises 500,000+ Addresses

 

The government of New South Wales (NSW) has admitted to a data breach that exposed more than 500,000 addresses via a government website. 

According to 9News, the NSW Customer Services Department collected hundreds of thousands of locations through its QR code registration system before publishing them on a government website. The locations belonged to firms registered as COVID-safe businesses, an option offered to all NSW businesses as well as those from other jurisdictions with interests in NSW. 

Skeeve Stevens, a technology specialist in the security and intelligence space, spotted the dataset in September and said he notified cyber security professionals, who then informed the government. Defence sites, missile maintenance facilities, domestic violence shelters, essential infrastructure networks, and correctional facilities were among the locations in the dataset. Locations in Western Australia, Victoria, Queensland, South Australia, and the Australian Capital Territory were also included. 

Last October, the government forwarded the matter to the privacy commissioner, who determined that the incident did not constitute a privacy breach. The issue was brought to the attention of NSW Premier Dominic Perrottet this week, and he admitted that the material had been posted incorrectly. 

Perrottet stated, "That was worked through [the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn't have happened."

According to 9News, the NSW Department of Customer Services classified fewer than 1% of the 566,318 locations as sensitive. 

A department spokesperson stated, "These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients." 

The COVID-Safe Businesses and Organization dataset has been withdrawn, according to a notice on the NSW data website dated 12 October 2021. “We have identified issues with the integrity of the data with the recent increase in volume of registrations. We apologise for any inconvenience,” stated the notice, without revealing what the issue was. 

Last weekend, a Coinbase marketing stunt used QR codes to bring potential customers to its site, prompting experts to debate whether QR codes pose a real cyber security danger. Some experts believe they should not be trusted because of the risk of being hijacked by cyber thieves, while others believe the fear around the technology is exaggerated and the real-world threat is minimal.

Morley Businesses Provider Uncovered a Ransomware Attack

 

Morley, a business services company, revealed this week that it had been the target of a ransomware attack which may have exposed the personal information of over 500,000 people. The incident was discovered in August 2021, when the company observed that certain files had become unavailable as a result of a ransomware attack.

Morley Companies, Inc., based in Saginaw, Michigan, provides business operations to Fortune 500 and Global 100 companies, such as session management, back-office procedures, contact centers, and trade show showcases and displays. 

Following an investigation, Morley will cover the cost of two years of IDX identity protection for all affected individuals, who will be notified and given instructions on how to enroll in IDX's program. The intruders may have had access to customer and staff data, including confidential and sensitive health information; in total, the breach exposed the personal information of 521,046 people. In its letters to victims, the company did not explain why it took about six months after discovering the breach to begin notifying them. 

Morley's security incident notification noted, "As a result, Morley realized the data may have been stolen from its digital environment." "Morley then started collecting personal information needed to notify possibly affected persons, which he finished in early 2022." 

Morley said it had to engage a cybersecurity specialist to determine why the files were no longer accessible. Once the root cause was identified as a ransomware infection, the company engaged outside experts to analyze the data and identify everyone who had been affected. 

Although this seems reassuring, a cyber-intelligence platform claims to have only recently found Morley's data on the dark web. This is often a warning sign that the data will be used in future attacks by other threat actors, such as targeted phishing.

Tennessee State University was Targeted by a Cyber Attack

 

Officials say a data security breach at a Tennessee community college might just have resulted in a sensitive data breach of previous and present students, instructors, and employees. 

In 2021, educational institutions were expected to experience a record number of ransomware attacks, with K-12 schools the top targets. One-device-per-student and learn-from-anywhere programs have improved educational outcomes but have also increased the attack surface for numerous cyber risks. 

Ransomware is a type of malicious software created by organized cybercriminals, often known as "bad actors." In a ransomware attack, the attacker uses software, generally delivered via phishing emails, to encrypt or block access to information systems and documents. The victim is told that the only way to regain access is to pay a ransom.

The Tennessee Board of Regents said in a press release, "Pellissippi State Community College is issuing notices regarding a ransomware attack aimed primarily at encrypting school data in order to extort a ransom payment." According to the Knoxville college's website, Pellissippi State did not pay a ransom. 

According to the board, which governs the state's community colleges, the college's core database and online payment systems were not affected, and no data from those systems was accessed by unauthorized individuals. 

Schools have become increasingly exposed to security concerns and potential attacks as a result of the rush of new technology required to enable the move to remote learning in response to the health crisis. 

New applications, patching delays, and security measures that fall short of the mark have added complexity and risk in environments where security had previously been an afterthought. These flaws pose a serious risk if they are exploited. 

According to experts, the research is significant because it evaluates how the disruption of virtual learning, particularly the adoption of new technology, has opened new attack avenues for bad actors and hackers.

Unsecured Amazon S3 Bucket Exposes IDs of Airport Security Employees

 

Securitas AB, a Sweden-based multinational security and investigation services provider, has been found exposing sensitive data belonging to airport employees in Colombia and Peru. Earlier this week, researchers at SafetyDetectives uncovered roughly 3 terabytes of data containing over 1.5 million files in one of the company's misconfigured Amazon S3 buckets.

According to the researchers, Securitas's AWS S3 buckets were not appropriately secured and contained approximately 3TB of data dating back to 2018, including airport employee records. While the researchers were not able to examine every record in the dataset, four airports were named in the leaked files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE).

The misconfigured AWS bucket, which required no authentication to access, contained two main datasets related to Securitas and airport employees: photos of ID cards and unmarked photos. The ID card photos displayed employees' PII, such as:

• Full names
• Occupations
• National ID numbers
• Employee photos on the ID card
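The root cause in this story is a bucket that answered to anyone, so here is an added example (written for this page, not code from SafetyDetectives, Securitas or AWS) of an offline audit a bucket owner can run over the two artifacts that decide whether an S3 bucket is anonymously readable: the bucket policy document (the JSON string that `aws s3api get-bucket-policy` returns) and the four Public Access Block settings (`aws s3api get-public-access-block`). The policies below are constructed; the bucket name, account id and VPC endpoint id are placeholders. Allow statements with a wildcard principal and no Condition are reported as public, and conditioned wildcard statements are set aside for human review. Object and bucket ACLs, the other way a bucket can be made public, are not covered here and need their own check.

```python
import json

# Actions that hand out read or list access (compared case-insensitively).
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:list*", "s3:getobject", "s3:listbucket"}
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy JSON allows a string or a list in Statement/Action/Principal.AWS."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True for the principal forms that mean 'everyone', including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket_policy(policy: dict) -> dict:
    """Classify wildcard-principal Allow statements that grant read/list access:
    'public' - no Condition at all, so anyone on the internet can use it;
    'review' - a Condition is present; it may be narrow (VPC endpoint) or not."""
    report = {"public": [], "review": []}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anonymous_principal(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        category = "review" if st.get("Condition") else "public"
        report[category].append(st.get("Sid", "<no Sid>"))
    return report


def public_access_block_gaps(config: dict) -> list:
    """Names of the Public Access Block settings that are not enabled (config is the
    PublicAccessBlockConfiguration object); an empty list means all four are on."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]


# Constructed sample input: a policy of the shape that makes a bucket world-readable.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-badge-archive/*"},
    {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-badge-archive"},
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-badge-archive/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

# Constructed corrected policy: access only for one named role, plus a TLS-only Deny.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-badge-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-badge-archive/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-badge-archive", "arn:aws:s3:::example-badge-archive/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

STRICT_PAB = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    print("weak:  ", audit_bucket_policy(WEAK_POLICY))   # two public, one to review
    print("fixed: ", audit_bucket_policy(FIXED_POLICY))  # nothing flagged
    print("PAB gaps with only BlockPublicAcls on:",
          public_access_block_gaps({"BlockPublicAcls": True}))
```

For a bucket that has no reason to be public, all four Public Access Block settings should be on; with `BlockPublicPolicy` and `RestrictPublicBuckets` enabled, S3 itself refuses a policy like `WEAK_POLICY` or stops it from granting access to anonymous callers, so the policy audit becomes a second line of defence rather than the only one.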

The second set, of unmarked photos, contained the most sensitive data belonging to airports, employees, and associated companies, including photos of planes, photos of employees, and photos of employees loading and unloading luggage. Unstripped EXIF metadata in these photographs was also exposed, revealing the time and date the photographs were taken as well as, in some cases, GPS locations.
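The GPS leak above comes from metadata the camera wrote and nobody removed before the photos were stored. As an added example (not code from SafetyDetectives or Securitas), the standard-library Python below shows the two checks an image pipeline can run before storing or sharing a JPEG: detect whether the EXIF segment carries a GPS sub-IFD, and drop the EXIF segment entirely while leaving the image data untouched. The sample JPEG is constructed inline (it is not a real photo; only the container structure matters); the tag numbers 0x8825 for the GPS IFD pointer and 0x0001 to 0x0004 for the latitude/longitude fields are the standard EXIF GPS tag ids.

```python
import struct

GPS_IFD_POINTER = 0x8825                      # EXIF tag holding the offset of the GPS sub-IFD
GPS_TAGS = {0x0001: "lat_ref", 0x0002: "lat",  # standard GPS IFD tags for latitude/longitude
            0x0003: "lon_ref", 0x0004: "lon"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF field type


def split_jpeg(jpeg: bytes):
    """Split a JPEG into its metadata segments [(marker, raw_segment)] and the
    remainder from the SOS marker onward (entropy-coded data, kept verbatim)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):            # SOS or EOI: no further metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def _read_ifd(tiff: bytes, offset: int, end: str) -> dict:
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one IFD."""
    n = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _field_bytes(tiff: bytes, typ: int, count: int, raw: bytes, end: str) -> bytes:
    """Field values of up to 4 bytes are stored inline; longer ones live at an offset."""
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return raw[:size]
    off = struct.unpack(end + "I", raw)[0]
    return tiff[off:off + size]


def gps_from_exif(payload: bytes):
    """Parse an APP1 Exif payload. Returns a dict with lat/lon (decimal degrees) and
    their N/S/E/W refs for the tags present, or None when there is no GPS IFD."""
    if not payload.startswith(b"Exif\x00\x00"):
        return None
    tiff = payload[6:]
    end = "<" if tiff[:2] == b"II" else ">"     # TIFF byte-order mark
    ifd0 = _read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])[0], end)
    result = {}
    for tag, name in GPS_TAGS.items():
        if tag not in gps:
            continue
        typ, count, raw = gps[tag]
        data = _field_bytes(tiff, typ, count, raw, end)
        if typ == 2:                              # ASCII: "N"/"S"/"E"/"W"
            result[name] = data.rstrip(b"\x00").decode("ascii")
        elif typ == 5:                            # 3 RATIONALs: degrees, minutes, seconds
            v = struct.unpack(end + "I" * (2 * count), data)
            dms = [v[i] / v[i + 1] if v[i + 1] else 0.0 for i in range(0, len(v), 2)]
            result[name] = dms[0] + dms[1] / 60 + dms[2] / 3600
    return result or None


def find_gps(jpeg: bytes):
    """Return the GPS fix embedded in a JPEG's EXIF, or None."""
    for marker, seg in split_jpeg(jpeg)[0]:
        if marker == 0xE1:
            found = gps_from_exif(seg[4:])        # skip marker + length
            if found:
                return found
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the JPEG without any APP1/Exif segment; other segments and the image
    data are copied unchanged (the safe default before publishing a photo)."""
    segments, tail = split_jpeg(jpeg)
    kept = [seg for marker, seg in segments
            if not (marker == 0xE1 and seg[4:10] == b"Exif\x00\x00")]
    return b"\xff\xd8" + b"".join(kept) + tail


def build_sample_jpeg() -> bytes:
    """Constructed test input (not a real photo): SOI, an APP1 Exif segment whose
    IFD0 points at a GPS IFD holding 51 deg 30 min 0 sec N, a COM segment, SOS, EOI."""
    tiff = bytearray(b"MM\x00\x2a" + struct.pack(">I", 8))          # big-endian TIFF header
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)
    tiff += struct.pack(">I", 0)                                        # IFD0 ends at offset 26
    tiff += struct.pack(">H", 2)
    tiff += struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"       # GPSLatitudeRef
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 56)                      # GPSLatitude -> offset 56
    tiff += struct.pack(">I", 0)                                        # GPS IFD ends at offset 56
    tiff += struct.pack(">IIIIII", 51, 1, 30, 1, 0, 1)                  # 51/1 deg, 30/1 min, 0/1 sec
    exif = b"Exif\x00\x00" + bytes(tiff)
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 7) + b"hello"                 # harmless comment segment
    return b"\xff\xd8" + app1 + com + b"\xff\xda\x00\x02\x00\x01\x02\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", find_gps(sample))                 # {'lat_ref': 'N', 'lat': 51.5}
    print("after: ", find_gps(strip_exif(sample)))     # None
```

Stripping the whole APP1 segment also removes the capture timestamp and camera details the report mentions, which is usually what you want for images of staff and facilities; if some EXIF fields must be preserved, the same IFD walker can be used to rewrite the segment with only the GPS IFD removed.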

"Considering Securitas' strong presence throughout Colombia and the rest of Latin America, companies in other industries could have been exposed," the researchers say. "It's also probable that various other places that use Securitas' security services are affected. Criminals could even use leaked data to create counterfeit ID cards and badges. A criminal could further strengthen their appearance as a legitimate employee by downloading leaked mobile apps."

Additionally, application IDs listed within mobile apps were stored on the server. These IDs were used for airport activities, including incident reports, and were what pointed the researchers to the likely owner of the bucket in the first place. The SafetyDetectives team reported the data leak to Securitas on October 28, 2021, and followed up on November 2 after receiving no response. Securitas then engaged with the team and secured the server the same day.

Over 40 Billion Records Exposed in 2021

 

According to Tenable's analysis of 1,825 data breach incidents publicized between November 2020 and October 2021, at least 40,417,167,937 records were exposed globally in 2021. That is up from 730 publicly announced incidents exposing just over 22 billion records over the same period in 2020.

By studying threat actor behavior, organizations can prioritize security operations efficiently to cut off attack paths and protect key systems and assets. Many of the events investigated for this research could have been mitigated by fixing legacy flaws and misconfigurations, which helps limit the available attack routes.

In 2021, ransomware had a huge impact on businesses, accounting for about 38% of all data breaches, and unsecured cloud databases were responsible for 6% of all breaches. Unpatched SSL VPNs remain an ideal entry point for cyberespionage, exfiltration of sensitive and proprietary data, and encryption of networks.

Threat groups, particularly ransomware operators, have increasingly exploited Active Directory flaws and misconfigurations. Software libraries and network stacks that are widely used in OT devices can create additional threats when security controls and code audits are not in place.

Cyberespionage operations used the software supply chain to acquire sensitive data, whereas ransomware groups preferred physical supply chain disruption as a technique to extract payment. Data breaches wreaked havoc on the healthcare and education sectors the most. 

Claire Tills, Senior Research Engineer, Tenable stated, “Migration to cloud platforms, reliance on managed service providers, software and infrastructure as a service have all changed how organizations must think about and secure the perimeter.”  

“Modern security leaders and practitioners must think more holistically about the attack paths that exist within their networks and how they can efficiently disrupt them. By examining threat actor behaviour we can understand which attack paths are the most fruitful and leverage these insights to define an effective security strategy.”

Patching assets is difficult enough given the sheer volume of vulnerabilities disclosed, but in 2021 it became much harder due to partial patches, vendor miscommunications, and patch bypasses.

There were 21,957 common vulnerabilities and exposures (CVEs) reported in 2021, up 19.6% from 18,358 in 2020 and 241% more than the 6,447 disclosed in 2016. From 2016 to 2021, the number of CVEs grew at an average annual rate of 28.3%.

City of Grass Valley, California, Suffers Data Breach

 

After discovering the breach, Grass Valley stated that it took immediate steps to safeguard its networks, alerted law enforcement, and launched an investigation with the help of a cybersecurity firm.

According to further details released about a significant data breach at the City of Grass Valley, California, information belonging to employees, citizens, and others was copied and transferred to another network. The city had previously acknowledged in a statement that "unauthorised access" to its networks occurred between April 13 and July 1, 2021.

The scope of the attack has now been determined, with the malicious actor transferring files outside of the city's network, including the financial and personal information of "individuals associated with Grass Valley," according to the investigation. The following information was accessed: 
  • Grass Valley employees, former employees, spouses, dependents, and individual vendors, name and one or more of the following: Social Security number, driver’s license number, and limited medical or health insurance information. 
  • Individual vendors that were employed by the city, name, and Social Security number. 
  • Individuals whose information may have been provided to the Grass Valley Police Department, name and one or more of the following: Social Security number, driver’s license number, financial account information, payment card information, limited medical or health insurance information, passport number, and username and password credentials to an online account.
  • Individuals whose data was provided to the Grass Valley Community Development Department in loan application documents, name and one or more of the following: Social Security number, driver’s license number, financial account numbers, and payment card numbers. 
Grass Valley stated it started contacting those affected on January 7 and has notified the appropriate authorities, including law enforcement. For everyone affected by the hack, the city is also providing free credit monitoring services. 

It noted, “Grass Valley sincerely regrets that this incident occurred and apologizes for any inconvenience or concern. To help prevent something like this from happening again, Grass Valley continues to review its systems and is taking steps to enhance existing security protocols.”

EHR Vendor QRS Faces Lawsuit After Cyberattack Exposed Nearly 320,000 Patients' Information

 

QRS, a healthcare technology firm that offers EHR services, is now facing a class-action lawsuit over a data breach that reportedly exposed the health and personal details of 319,778 current and former patients last summer.

The lawsuit was filed on Jan. 3 in the U.S. District Court for the Eastern District of Tennessee by Kentucky resident Matthew Tincher, one of the victims of the breach. In his complaint, he alleges that the data exfiltration could have been mitigated if QRS had adequately guarded the patient health information in its possession, and that the firm took two months to notify affected individuals of the exposure.

In November of last year, QRS reported that an unauthorized third party accessed one dedicated QRS patient portal server for three days in August and potentially obtained sensitive data, including Social Security numbers, patient identification numbers, portal usernames, names, addresses, birth dates, and medical treatment information. The lawsuit identifies the affected client as Lexington Heart Specialists in Kentucky.

According to the Health Insurance Portability and Accountability Act (HIPAA) breach notification on the EHR vendor's website, QRS immediately took the server offline, notified law enforcement, and conducted an investigation.

“Upon information and belief, based on the criminal hacking activity that targeted Plaintiff’s and Class Members’ Sensitive Information, the time frame of the breach over three days, and Plaintiff Tincher’s experience of actual identity theft shortly after the breach, it is more likely than not that his Sensitive Information was exfiltrated and stolen during the Data Breach,” the lawsuit claimed. 

The suit argues that QRS should have prevented the data breach by implementing cybersecurity measures recommended by the U.S. government, including a training program for workers; strong spam filters; firewall configurations that block access to known malicious IP addresses; patches for operating systems, software, and firmware; regular automatic scans with anti-virus and anti-malware programs; and properly configured access controls. 

The healthcare firm is accused of negligence and/or recklessness and of violating federal and state regulations, including HIPAA. The lawsuit argues that the two-month wait to inform patients placed them at greater risk of identity theft, although it should be noted that HIPAA requires covered entities and business associates to report breaches within 60 days of discovery, a deadline QRS met.

Lastly, the lawsuit raises concerns about the health data still in QRS's possession, which it says “remains unencrypted and available for unauthorized third parties to access and abuse.” As long as QRS “fails to undertake appropriate and adequate measures to protect” it, the data remains at risk.

As a result, the victims are seeking injunctive relief, including a court order requiring QRS to implement and maintain "a comprehensive information security program designed to safeguard the confidentiality and integrity of the PII and PHI of plaintiff and class members."

Fertility Centers of Illinois Hit by Cyberattack Impacting Nearly 80,000 Patients

 

Chicago-based Fertility Centers of Illinois (FCI) has suffered a data breach impacting 79,943 current and former patients. According to a breach notification from FCI, the incident did not compromise its electronic medical records system; however, an unauthorized third party gained access to some patients' protected health information (PHI) and to private files belonging to FCI employees.

FCI detected the breach on its internal systems on Feb 01, 2021, and took immediate action to secure its systems. Independent forensic specialists were then hired to determine the nature and scope of the breach. Fertility Centers of Illinois reported the incident to the Department of Health and Human Services' Office for Civil Rights (OCR) as affecting nearly 80,000 current and former patients.

Although the exact modus operandi of the attack remains unknown, the compromised files contained a range of patient data, including names in combination with one or more of the following types of details:

Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs, or account login information.

Staff data most likely compromised in the cyber-attack included names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence, and sickness certificates. 

To mitigate further risks, FCI has enhanced its cybersecurity program, including deploying enterprise identity verification software and providing extra cybersecurity training to its employees.

"Additional security measures have been taken since the incident to further secure access to data, individual accounts, and equipment, including the implementation of enterprise identity verification software," FCI says. The organization is also offering affected individuals complimentary credit monitoring and identity theft protection services for 12 months through Equifax.

In recent years, the healthcare industry has been a prime target for threat actors because the payoff is large. Last week, Florida's Broward Health System confirmed a data breach affecting 1,357,879 patients. In November 2021, a fertility clinic in the United Kingdom also fell victim to attackers when ransomware was used against a medical record scanning firm used by Lister Fertility Clinic.

Morgan Stanley to Pay $60M to Resolve Data Security Lawsuit

 

On Friday, Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit, according to Reuters, over allegations that it neglected to secure customers' personal data before retiring outdated information technology equipment.

The settlement offer awaits the approval of New York District Judge Analisa Torres. The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019. 

In the first incident, Morgan Stanley decommissioned two wealth management data centres. The bank's vendor, Triple Crown, was tasked with wiping or destroying the unencrypted computer equipment before it was removed from the centres. That equipment was later found to still contain data even after it had left the vendor's control. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission.

The second incident involved the replacement and removal of branch office equipment as part of a hardware refresh programme. The bank was unable to locate some of these devices, which, because of a software flaw, could have retained previously deleted information on their discs in unencrypted form.

Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures. 

Morgan Stanley maintains that there was no wrongdoing on its part, even as it pursues a settlement. In a motion to dismiss the complaint filed in August 2021, the bank said that despite extensive investigations and ongoing monitoring over the years, it had not discovered a single instance of data misuse arising from any of its own sources. Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016.

The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.

PulseTV Discloses Potential Breach Affecting 200,000 People

 

PulseTV, a popular online store in the United States, has revealed a credit card data breach that has affected over 200,000 customers. 

VISA notified the company on March 8, 2021, that their website (www.pulsetv.com) was a common point of purchase for some fraudulent credit card transactions owing to a probable compromise, according to the notice letter issued by the Office of the Maine Attorney General. The corporation conducted some security tests on its website but found no evidence of a breach. 

VISA alerted the company again in July, but it was only a few months later that law enforcement contacted it about further payment card fraud that appeared to originate from its website. The company engaged legal counsel, who hired cybersecurity experts to assist. On November 18, 2021, the investigators learned that the website had been identified as a common point of purchase for several fraudulent MasterCard credit card transactions.

The data breach notification letter stated, “On November 18, 2021, our investigator learned that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard. Based upon communications with the card brands, it is believed that only customers who purchased products on the website with a credit card between November 1, 2019, and August 31, 2021, may have been affected. The investigation was unable to verify that the website was the cause of the unauthorized transactions.” 

“However, in an abundance of caution, PulseTV is notifying customers, including you, who purchased products on our website during that time period so that they can take steps to protect and secure their credit card information.” 

According to PulseTV, only customers who purchased products on the website using a credit card between November 1, 2019, and August 31, 2021, were affected. The information that may have been compromised includes:
  • Full name 
  • Shipping address 
  • Email address 
  • Payment card number 
  • Payment card expiration date 
  • Payment card security code (CVV) 
Affected customers may be vulnerable to a variety of scams, including fraudulent card-not-present transactions. To avoid similar incidents in the future, the company will take the following steps: adding two-factor authentication to all internal devices, implementing endpoint detection and response technology to improve network visibility and threat prevention, and switching to a new payment system.

The company is still working with payment card networks and law enforcement to investigate the security compromise, and it has notified state regulators and affected customers. 

The letter concluded, “We recommend that you remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports for any unauthorized activity. Information on additional ways to protect your information, including how to obtain a free credit report and a free security freeze, can be found at the end of this letter.”
  
“You should report any incidents of suspected identity theft to your local law enforcement and state Attorney General. If you believe your payment card information may have been compromised, we strongly encourage you to contact your payment card company and/or financial institution and request that the card be cancelled.”