
Privacy Under Siege: Analyzing the Surge in Claims Amidst Cybersecurity Evolution

 

As corporate directors and security teams grapple with the new cybersecurity regulations imposed by the Securities and Exchange Commission (SEC), a stark warning emerges regarding the potential impact of mishandling protected personally identifiable information (PII). David Anderson, Vice President of Cyber Liability at Woodruff Sawyer, underscores the looming threat that claims arising from privacy mishandling could rival the costs associated with ransomware attacks. 

Anderson notes that, while privacy claims may take years to navigate the legal process, the resulting losses can be just as catastrophic over the course of three to five years as a ransomware claim is over three to five days. This revelation comes amidst a shifting landscape where privacy issues, especially those related to protected PII, are gaining prominence in the cybersecurity arena. 

In a presentation outlining litigation trends for 2024, Dan Burke, Senior Vice President and National Cyber Practice Leader at Woodruff-Sawyer, sheds light on the emergence of pixel-tracking claims as a focal point for plaintiffs. These claims target companies engaging in website activity tracking through pixels without obtaining proper consent, adding a new layer of complexity to the privacy landscape.

A survey conducted by Woodruff-Sawyer reveals that 31% of cyber insurance underwriters consider privacy as their top concern for 2024, following closely behind ransomware, which remains a dominant worry for 63% of respondents. This underscores the industry's recognition of the escalating importance of safeguarding privacy in the face of evolving cyber threats. James Tuplin, Senior Vice President and Head of International Cyber at Mosaic Insurance, predicts that underwriters will closely scrutinize privacy trends in 2024.

The prolonged nature of privacy litigation, often spanning five to seven years, means that this year will witness the culmination of cases filed before the implementation of significant privacy laws. Privacy management poses challenges for boards and security teams, exacerbated by a lack of comprehensive understanding regarding the types of data collected and its whereabouts within organizations. 

Sherri Davidoff, Founder and CEO at LMG Security, likens data hoarding to hazardous material, emphasizing the need for companies to prioritize data elimination, particularly PII, to mitigate regulatory and legal risks. Companies may face significant challenges despite compliance with various regulations and state laws. Michelle Schaap, who leads the privacy and data security practice at Chiesa Shahinian & Giantomasi (CSG Law), cautions that minor infractions, such as inaccuracies in privacy policies or incomplete opt-out procedures, can lead to regulatory violations and fines. 

Schaap recommends that companies leverage assistance from their cyber insurers, engaging in exercises such as security tabletops to address compliance gaps. A real-world example from 2022, where a company's misstatement about multifactor authentication led to a denied insurance claim, underscores the critical importance of accurate and transparent adherence to privacy laws. 

As privacy claims rise to the forefront of cybersecurity concerns, companies must adopt a proactive approach to privacy management, acknowledging its transformation from an IT matter to a critical business issue. Navigating the intricate web of privacy laws, compliance challenges, and potential litigation requires a comprehensive strategy to protect sensitive data and corporate reputations in this evolving cybersecurity landscape.

Mr. Cooper Data Breach: 14 Million Customers Exposed

A major data breach at mortgage giant Mr. Cooper compromised the personal data of an astounding 14 million consumers, according to a surprising disclosure. The incident, which has shocked the cybersecurity world, raises concern about how vulnerable sensitive data is in the digital age.

The breach, confirmed on December 18, 2023, demonstrates that strong cybersecurity procedures in financial institutions are vital, and it has significant consequences for the people affected. The hackers gained access to Mr. Cooper's networks and made off with a wealth of private information, including Social Security numbers, names, addresses, and other private information.

TechCrunch reported on the incident, emphasizing the scale of the breach and the potential consequences for those impacted. The breach underscores the persistent and evolving threats faced by organizations that handle vast amounts of personal information. As consumers, it serves as a stark reminder of the importance of vigilance in protecting our digital identities.

Mr. Cooper has taken swift action in response to the breach, acknowledging the severity of the situation. The company is actively working to contain the fallout and assist affected customers in securing their information. In a statement to Help Net Security, Mr. Cooper reassured customers that it is implementing additional security measures to prevent future breaches.

The potential motives behind the attack point to the lucrative nature of stolen personal data on the dark web. The breached information can be exploited for identity theft, financial fraud, and other malicious activities. This incident underscores the need for organizations to prioritize cybersecurity and invest in advanced threat detection and prevention mechanisms.

"The Mr. Cooper data breach is a sobering reminder of the evolving threat landscape," cybersecurity experts have stated. "To safeguard their consumers' confidence and privacy, businesses need to invest heavily in cybersecurity solutions and maintain a watchful eye."

In light of the growing digital landscape, the Mr. Cooper data breach should be seen as a wake-up call for companies and individuals to prioritize cybersecurity and collaborate to create a more secure online environment.

Marina Bay Sands: Data of 665,000 Customers Hacked by Unknown Third Party

 

Singapore is renowned for maintaining stringent cybersecurity and data protection standards in the region. Companies in the country are keenly aware of their responsibility to safeguard cybersecurity, particularly concerning data privacy. In the event of cybersecurity incidents, organizations promptly notify both customers and regulators, implementing swift plans to rectify the situation. 

Recently, Marina Bay Sands (MBS) encountered a data leak involving the personal information of approximately 665,000 members in its shoppers' rewards program, prompting a rapid response from the company.

MBS took immediate action, informing members of its Sands LifeStyle program via email on November 7th about the data leak that occurred between October 19th and 20th. The resort disclosed its awareness of the incident on October 20th and initiated investigations. 

The inquiry revealed that an unidentified third party had accessed the personal data of the affected members. Paul Town, MBS's Chief Operating Officer, reassured members that, as of the investigation's findings, there is no evidence indicating misuse of the data by the unauthorized third party.

The compromised personal data included members' names, email addresses, contact details, country of residence, membership numbers, and tiers. MBS advised affected users to closely monitor their accounts for suspicious activity, change login pins regularly, and stay vigilant against phishing attempts. The company reported the data leak to relevant authorities in Singapore and other applicable countries, collaborating with them in their investigations.

Despite a decline in cybersecurity incidents in Singapore earlier in the year, recent weeks have witnessed an increase in such occurrences. Between the first quarter of 2020 and the first quarter of 2023, data breach statistics in Singapore showed significant fluctuations in the number of exposed records. Besides the MBS data leak, a recent incident involved web service outages in public hospitals and polyclinics due to a distributed denial-of-service (DDoS) attack.

While some might draw parallels between the MBS data leak and recent ransomware attacks on Las Vegas casinos, the situations differ. Unlike the ransomware incidents at Caesars Palace and MGM, MBS did not report any ransom demands. The company asserts that only the personal data of its members was compromised, without any disruption to services. However, the stolen data holds significant value on the dark web. The exact cause of the MBS data leak and whether other data was compromised remains to be determined.

CA Delete Act: Empowering Data Privacy

Governor Gavin Newsom has enacted the California Delete Act, marking a historic step for data privacy. The law, passed with resounding support from the state government, represents a big step towards giving people more control over their personal information.

The CA Delete Act, also known as Assembly Bill 375, is set to revolutionize the way businesses handle consumer data. It grants Californians the right to request the deletion of their personal information from company databases, putting the power back in the hands of the individual.

The bill's passage is being hailed as a major win for privacy advocates. It signals a shift towards a more consumer-centric approach to data handling. According to Governor Newsom, this legislation represents a critical move towards "putting consumers in the driver’s seat when it comes to their own data."

One of the key provisions of the CA Delete Act is the requirement for businesses to conspicuously display an opt-out option on their websites, allowing users to easily request the deletion of their data. This transparency ensures that consumers are fully aware of their rights and can exercise them effortlessly.

Furthermore, the legislation includes penalties for non-compliance. Businesses that fail to comply with deletion requests within the stipulated timeframe may face fines and other legal consequences. This aspect of the bill emphasizes the seriousness with which California is approaching data privacy.

Industry experts predict that the CA Delete Act could set a precedent for similar legislation on a national and even international scale. As businesses increasingly operate in a globalized digital landscape, the demand for comprehensive data protection measures is becoming paramount.

The significance of the CA Delete Act extends far beyond California's borders. It sends a clear message about the importance of prioritizing individual privacy in the digital age. As Joseph Jerome, a privacy expert, stated, "This law will likely serve as a catalyst for other states to take a harder look at consumer privacy."

Data privacy has advanced significantly thanks to the California Delete Act. Individuals now have the power to manage their personal information, which puts more responsibility and accountability on businesses to be open and honest about how they handle customer data. This historic law is a ray of hope for those defending privacy rights in the digital age, since it could influence comparable laws around the world.


How to Protect Your Personal Financial Information from Data Brokers


In today’s digital age, personal information is a hot commodity. Data brokers buy and sell this information, often without our knowledge or consent. This can include sensitive financial information, which can be used for identity theft or other fraudulent activities.

Fortunately, there are steps you can take to protect your personal financial information from data brokers. 

Here are some tips to help you fight back:

1. Monitor your credit reports: Regularly check your credit reports from the three major credit bureaus (Equifax, Experian, and TransUnion) to ensure that there are no unauthorized accounts or inquiries. If you find any suspicious activity, report it immediately.

2. Freeze your credit: Consider placing a security freeze on your credit reports. This will prevent anyone from accessing your credit report without your permission, making it more difficult for identity thieves to open new accounts in your name.

3. Opt out of data sharing: Many companies share your personal information with third parties for marketing purposes. You can opt out of this by contacting the company directly and requesting that they stop sharing your information.

4. Use strong passwords: Use strong, unique passwords for all of your online accounts and enable two-factor authentication whenever possible. This will make it more difficult for hackers to access your accounts and steal your personal information.

5. Be cautious when sharing personal information: Be cautious when sharing personal information online or over the phone. Only provide this information when it is absolutely necessary and when you are sure that the person or company requesting it is legitimate.

Protecting your personal financial information from data brokers is important for preventing identity theft and other fraudulent activities. 

By following these tips, you can take control of your personal information and keep it safe from prying eyes.

FBI Warns of Hackers Exploiting Public Charging Stations to Steal iPhone Data

The FBI has issued a warning about a new threat targeting iPhone users - hackers using public charging stations to steal personal data. As the popularity of public charging stations continues to grow, so does the risk of falling victim to this type of cyber attack.

The technique, known as 'juice jacking,' involves hackers installing malicious software on charging stations or using counterfeit charging cables to gain access to users' iPhones. Once connected, these compromised stations or cables can transfer data, including contacts, photos, and passwords, without the user's knowledge.

The FBI's warning comes as a reminder that convenience should not outweigh security. While it may be tempting to plug your iPhone into any available charging port, it is essential to exercise caution and take steps to protect your personal information.

To safeguard against juice jacking attacks, the FBI and other cybersecurity experts offer several recommendations. First and foremost, it is advisable to avoid using public charging stations altogether. Instead, rely on your personal charger or invest in portable power banks to ensure your device remains secure.

If using public charging stations is unavoidable, there are additional precautions you can take. One option is to use a USB data blocker, commonly known as a 'USB condom,' which blocks data transfer while allowing the device to charge. These inexpensive devices act as a protective barrier against any potential data compromise.

It is also crucial to keep your iPhone's operating system and applications up to date. Regularly installing updates ensures that your device has the latest security patches and protections against known vulnerabilities.

Furthermore, using strong, unique passcodes or biometric authentication methods, such as Face ID or Touch ID, adds an extra layer of security to your device. Additionally, enabling two-factor authentication for your Apple ID and regularly monitoring your device for any suspicious activity are proactive steps to safeguard your data.

The FBI's warning serves as a timely reminder of the evolving threats in the digital landscape. As technology advances, so do the tactics employed by hackers. Staying informed and adopting best practices for cybersecurity is essential to protect personal information from unauthorized access.

The FBI's warning emphasizes the possible dangers of using public charging stations as well as the significance of taking precautions to safeguard iPhone data. Users can lessen their risk of becoming a victim of juice jacking attacks and maintain the confidentiality of their personal information by exercising caution and adhering to suggested security measures.

Computer Hacker Steals Personal Data from 20,000 Christchurch Hot Pools Customers


About the data breach 

Personal information of more than 20,000 members of the public has been stolen in a data breach at Christchurch City Council's He Puna Taimoana hot pools. 

The stolen information consists of copies of driver's licenses, rates invoices, passports, utility bills, tenancy agreements, and other council membership cards, all provided by pool users as proof of residence.

The data breach was found on August 24. Pool users were contacted two weeks later in an email from Nigel Cox, the council's head of recreation and sport.

According to him, the council was informed about the hack by a third party who had been contacted by an individual who claimed to have accessed and downloaded some files stored on the He Puna Taimoana cloud server.

Cox has reason to believe that the third party who gained access to and illegally downloaded the files stored on the He Puna Taimoana cloud server is a 'white hat hacker', an actor who compromises computer systems or networks to find vulnerabilities in order to improve system and network security.

"The security of your information is Christchurch City Council's utmost priority and we appreciate the need to provide information regarding the breach to you as quickly as possible."

Current Status 

As of now, customers have not been told what to do, but they can assume that their personal information might be part of the data breach. The email directs users to the He Puna Taimoana website for more details.

Affected users can also call or email the council. Netsafe chief online safety officer Sean Lyons called the data breach "worrying". According to him, copies of passports and driver's licenses can be misused for identity theft in worst-case scenarios.

The information from these documents can be used to impersonate someone. He suggests that customers get new passports and driver's licenses if they are worried about the data breach.

For all the inconvenience, it is probably better than the worry of someone out there using your passport number, he says.

Cox said:

At this stage, we have no reason to believe the information has been further disclosed by the third-party actor other than to the third party who has informed us of the breach.

The privacy commissioner has been informed. The council said it is aware of its duty under the Privacy Act and of the possible effect on customers, and that it has launched an investigation.

National reports:

Christchurch residents get cheaper tickets to the pools, which opened in 2020, but are required to provide proof of address to get the discount.


Neuro Practice Says 363,000 Users' Personal Info Leaked


About the leak

An Indiana neurology practice is informing around 363,000 people that their personal data was leaked in a recent ransomware attack and that some of it was posted on the dark web.

The practice doesn't know which ransomware group or data leak site was involved; however, the Russian ransomware group Hive, which was the topic of a recent federal advisory for the healthcare industry, is hinted at in the attack. Hive has been aggressively attacking the U.S. healthcare sector.

What do experts have to say?

Nerve and gray matter experts Goodman Campbell Brain and Spine, in a data breach report to the attorney general of Maine in July, said that a "sophisticated" ransomware attack on its computer network and communications system, which includes phones and e-mail, compromised employee and patient data.

"A healthcare entity informing individuals in a breach notification letter or statement that their information has been potentially listed on the dark web is a highly uncommon level of transparency," reports Bank Info Security. 

How did Practice combat the issue?

Once the attack was discovered on May 20, the practice took immediate steps to safeguard its systems and engaged a forensic analysis and incident response firm. Goodman Campbell also notified the FBI. An inquiry into the case revealed that a malicious third party had acquired info from the practice's systems.

The hacker didn't access the electronic medical record system, but did access patient info and records in other locations on the internal network, such as appointment schedules, insurance eligibility documentation, and referral forms.

Info compromised in the attack includes dates of birth, names, telephone numbers, addresses, e-mail IDs, medical record numbers, patient account numbers, physician names, dates of service, diagnosis and treatment information, insurance info, and Social Security numbers.

"While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the dark web," says the practice notification. 


Private Details of 43,000 London Voters Leaked to Strangers

 

The Electoral Services department of Wandsworth Council was at the center of a massive data protection scandal after the private details of tens of thousands of London residents were accidentally leaked by their council via email to the wrong recipients. 

The emails were intended to inform residents of their nearest polling station ahead of May’s local elections following changes in ward boundaries. However, 43,000 voters – representing nearly 13% of local residents – received names, addresses, and voting instructions for people other than those in their households. 

The council apologized but tried to play down the mistake, saying that “there was a problem with the data merge” and that no electoral fraud could result. However, a follow-up email requested the recipient to delete the erroneously sent email and explained that any of the information accidentally leaked was already available for viewing in the public domain if people decided to visit the electoral register.

“We would like to reassure residents that the information contained in these emails is all publicly available in the borough’s electoral register, which is an open document that can be inspected by any member of the public at any time during the year,” read a statement posted by the council on Twitter. “The emails did not contain any information beyond what is already in the public domain.” 

Judging by the number of concerned residents commenting on the statement, it has done little to allay voters’ fears. “I don’t want people to know my address because I have a sensitive job,” a Wandsworth resident told a local media outlet. “When I received an email from the council with someone else’s name and address, my first thought was ‘Well, who sent me?’”

This breach by the Conservative majority council was on “an unprecedented scale” and is an “unacceptable” incident, Fleur Anderson, Labour MP for Putney and former Wandsworth Borough council member, stated. 

“It is chilling and very worrying for everyone whose personal details have been shared with strangers. The council does not seem to accept the severity of this as its very weak response to everyone affected shows,” Anderson added. “They can’t be trusted with our data, and how can we be sure this won’t happen again?” 

Earlier this year, in January, private details belonging to British Council students were exposed online via an unsecured Microsoft Azure blob repository containing over 144,000 files. The impacted students were exposed to a broad range of malicious activities, including identity theft, phishing attacks, and scams.

A Data Breach at a Croatian Phone Company Affects 200,000 Customers

 

Croatian phone company 'A1 Hrvatska' has announced a data breach that exposed the personal information of 10% of its users, or approximately 200,000 persons. A1 Hrvatska is a Croatian mobile network operator and a strategic partner of Vodafone. It is part of the Telekom Austria Group. A1 is the first and only operator in Croatia to offer the complete 5-play service, which comprises A1 TV, mobile and fixed telephony, and mobile and fixed Internet. 

The notification doesn't go into much depth, other than to say that the company had a cybersecurity incident involving unauthorized access to one of its user databases, which contained sensitive personal information. Full names, personal identity numbers, physical addresses, and phone numbers have all been accessed.

"Unfortunately, despite advanced protection measures and the constant raising of the level of security, a security incident occurred related to one of the user databases, which compromised part of the personal data of part of A1's users. We emphasize that information on bank cards and accounts is not compromised because it is not available in the specified database. We will directly inform all users whose personal data is potentially compromised," said the company.

A criminal complaint was also filed with the Zagreb Police Administration right away, and information experts assisted in identifying the culprits of the crime. In addition, the competent institutions HAKOM and AZOP, with which the company works closely, were notified. 

A1 Hrvatska is a strategic partner of Vodafone, whose Portugal region was subjected to a very disruptive cyberattack, resulting in the suspension of 4G and 5G data services. Strategic partners occasionally share online infrastructure; in this case a link appears implausible, although it cannot be fully ruled out. Because the event does not appear to have impacted A1 Hrvatska's services or operations, it appears to be an instance of unauthorised database access, either through a misconfiguration or stolen credentials.

"A1 Croatia adheres to the highest security standards and data protection, and we will continue to make additional investments in improving the security environment. The recurrence of this security incident is not possible and it has not affected and will not affect the provision of services to customers," the company said.

68K People Who Received Services from Advocates were Affected by Data Theft

 

Approximately 68,000 Advocates clients are being alerted that their personal and protected health information was stolen during a four-day incident in September 2021. Advocates also notified certain employees whose data was stolen during the hacking incident. 

Advocates, Inc. ("Advocates") is a non-profit organization established in Massachusetts that provides a wide range of services to people facing life issues such as addiction, aging, autism, brain damage, intellectual disabilities, mental health, and behavioral health. 

On October 1, 2021, Advocates was notified that an unauthorized actor had copied data from its digital environment. When Advocates discovered this activity, it took action to secure its digital environment. It also hired a top cybersecurity firm to help with the investigation and to determine whether personal information was accessed or acquired without authorisation as part of the attack. The investigation indicated that between September 14, 2021 and September 18, 2021, an unknown person gained access to the Advocates network and collected data from it.

The incident may have involved the following personal and protected health information: name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information. 

Following the inquiry, Advocates began gathering contact information to notify possibly affected individuals. Advocates also alerted the Federal Bureau of Investigation and stated that it will provide whatever assistance is required to hold the criminals accountable, if at all feasible. Advocates takes the security and privacy of service recipient information extremely seriously and has taken additional precautions to prevent a similar incident from happening in the future.

Advocates is not aware of any proof of any information being misused in this incident. However, commencing on January 3, 2022, Advocates distributed notice of this incident to possibly affected persons. In this notification letter, Advocates gave information about the incident as well as steps that potentially impacted individuals can take to protect their information. Individuals were also given free credit monitoring and identity protection services through IDX, according to Advocates.

To answer questions about the incident and address related concerns, Advocates set up a toll-free call centre. Advocates advises users to notify their financial institution promptly if they see any suspicious behaviour on any of their accounts, such as unlawful transactions or new accounts opened in their name that they do not recognise. They should also report any fraudulent behaviour or suspected occurrences of identity theft to the appropriate law enforcement authorities as soon as possible.

Ransomware Groups are Enlisting Breached Individuals to Persuade Firms to Pay Up

 

According to recent reports, attackers are utilising stolen data to contact individuals who have been compromised in the attack (through social media, email, or phone). These direct contact strategies are being used by ransomware gangs as additional leverage to get victims to pay up. They call employees or customers whose data was compromised in the attack and urge them to persuade the victim to pay up, threatening them with the release of their personal information if they do not. 

NBC News featured a story on a parent whose child attended a school run by a district that was the target of a ransomware attack. The attackers emailed the parent, asking him to put pressure on the district to pay up, or else all of the exfiltrated materials, including information on him and his son, will be posted on the dark web. 

According to the person interviewed by NBC, the district did not notify parents or many staff members that they had been the victims of an attack, at least not before the assailants established contact with them. The attackers exploit whatever contact information they can obtain, such as employee directories or customer databases, to identify individuals to pressure. 

Allen ISD was the victim of a cyberattack in September 2021 and was afterward the target of attempted extortion by the perpetrators. Allen ISD, located roughly 30 miles north of Dallas, Texas, educates nearly 22,000 K-12 students. Following consultation with external cybersecurity experts, school administrators decided to refuse to pay the hackers' demands, even telling local media that there was no indication that data had been exfiltrated, despite the fact that the ransomware gang claimed to have collected personal information from district children, families, and staff and sought to extort millions of dollars from Allen ISD.

Another strategy used by ransomware attackers is to contact employees at a firm during the reconnaissance stages of an assault to see if they can bypass the infiltration stages by exploiting an insider threat. Insider threats are one of a few non-digital threats that have plagued businesses of all sizes to date. 

Insider threats represent a quarter of the eight main cybersecurity risks that significantly affect the corporate and public sectors, according to the Osterman Research white paper White Hat, Black Hat, and the Emergence of the Gray Hat: The True Costs of Cybercrime. 

According to a new survey conducted by identity protection firm Hitachi ID Systems, 65% of surveyed IT and security executives or their staff had been contacted to aid in ransomware cyberattacks. This marks a 17% increase over a similar survey conducted a year ago. The attackers used email and social media to contact employees in the majority of cases, while phone calls accounted for 27% of their approach efforts, a direct and brazen method of communication.

Another T-Mobile Cyberattack Allegedly Exposed User Information and SIM Cards

 

T-Mobile has been subjected to yet another cyberattack following a big data breach in August. According to documents revealed by The T-Mo Report, attackers this time gained access to "a small number of" users' accounts. The damage appears to be far less serious, with just a small percentage of customers affected. There is no further information regarding what transpired; the records state only that some information was leaked.

Customers who have been affected fall into one of three categories. First, a client may have only been impacted by a CPNI leak. This information could include the billing account name, phone numbers, the number of lines on the account, account numbers, and rate plan information. That's not ideal, but it's far less damaging than the August incident, which exposed client social security numbers. 

The second category into which an impacted customer may fall is having their SIM swapped. To get control of a phone number, a malicious actor changes the physical SIM card linked with it. This can and frequently does result in the victim's other online accounts being accessed through two-factor authentication codes sent to their phone number. According to the document, customers who were affected by a SIM swap have now had that action reversed. The final category consists of both of the previous two: customers who were affected may have had their private CPNI accessed as well as their SIM card swapped.

When it comes to account security, T-Mobile does not have the finest track record. As previously stated, a huge data breach occurred earlier this year in August, exposing information on roughly 50 million users across both post-paid and prepaid accounts. The stolen files contained crucial personal information such as first and last names, dates of birth, Social Security numbers, and driver's licence / ID numbers - the kind of information you could use to open a new account or hijack an existing one. It did not appear to include "phone numbers, account numbers, PINs, or passwords." 

Affected customers, who appear to be few in number, have received letters warning them of the unlawful activity on their accounts. Memos have also been placed on those impacted accounts so that reps may see them when they log in.

"We informed a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed. Unauthorized SIM swaps are unfortunately a common industry-wide occurrence, however, this issue was quickly corrected by our team, using our in-place safeguards, and we proactively took additional protective measures on their behalf," a T-Mobile spokesperson said.

1.8 Million People's Credit Card Information was Stolen from Sports Gear Sites

 

Four well-known affiliated online sports equipment websites recently disclosed a significant cyberattack in which hackers stole the credit card information of over 1.8 million customers. A law firm representing the four sports gear websites revealed that a data breach occurred on October 1st, 2021, in which hackers compromised personal and credit card information; for the time being, the firm has given only this much detail.

Tackle Warehouse LLC (fishing gear), Running Warehouse LLC (running apparel), Tennis Warehouse LLC (tennis apparel), and Skate Warehouse LLC (skateboards and skating apparel) are the affected websites. Full names, financial account numbers, credit card numbers (with CVV), debit card numbers (with CVV), and website account passwords have all been compromised as a result of this incident.

On the 15th of October, these sites discovered that they had been compromised, and on the 29th of November, they told their customers about the data breach, in which hackers obtained the credit card information of over 1.8 million people. Finally, on December 16th, they notified and sent security alerts to all affected persons.

Because none of the notices published for impacted customers provide any information about the nature of the incident, the real means of obtaining the data remains unknown. However, as stated in the description, "External system breach (hacking)," this appears to be a database breach rather than the installation of card skimmers on the websites, though both situations are possible.

Tackle’s notification states, “Upon becoming aware of the incident, Tackle Warehouse took the measures. We also reported the incident to the payment card brands in an attempt to prevent fraudulent activity on the affected accounts. However, we have reported this incident to law enforcement and have worked closely with the digital forensics and security firms to enhance the security of our sites to facilitate safe and secure transactions.” 

Customers who made a purchase from one of these four compromised websites should treat incoming communications with vigilance, keep an eye on their bank account and credit card statements, and report any unusual activity right away, the security researchers said. They added that the compromised data is extremely sensitive, but that the sites have not yet offered identity protection services to their affected customers.

Desjardins Settles Data Breach Class-Action Lawsuit for Roughly $201 Million

 

After a 2019 data breach exposed the personal information of 10 million clients, a class action lawsuit against Canadian financial services provider Desjardins has been provisionally settled for C$201 million. According to the company, the breach lasted two years and was caused by "unauthorised and illegal access" to data by a "malicious" employee. Desjardins first reported that 2.9 million persons were affected; this figure was later revised to 4.2 million, and it was subsequently revealed that 9.7 million people were affected.

The Desjardins Group is a Canadian financial services cooperative and North America's largest credit union federation. Alphonse Desjardins started it in 1900 in Lévis, Quebec. While the company's legal headquarters remain in Lévis, the majority of its executive management, including the CEO, is situated in Montreal. Desjardins Group was comprised of 293 local credit unions operating 1,032 points of operation and serving over seven million members and clients, primarily in the provinces of Quebec and Ontario, as of 2017. 

The plaintiffs released a press release on December 16th indicating that a settlement figure had been reached. It reads: “The settlement agreement provides for compensation for loss of time related to the personal information breach, as well as compensation for identity theft. In addition, the settlement agreement provides that all class members who have not yet registered for Equifax’s credit monitoring service offered by Desjardins can register and will thus be able to obtain, at no cost, Equifax coverage for five years, and the extension by at least five years of the other protective measures implemented by Desjardins following the breach.” 

The settlement agreement must be authorised by the Superior Court of Québec on an unspecified date in 2022. If it is approved, class members might get up to C$200,852,500 (about US$155 million) in compensation. The class action's attorneys stated that its members are "very pleased" with the settlement sum, which they described as "timely and fair compensation." 

According to the federal Privacy Commissioner's findings, the data breach was caused by a succession of technological and administrative flaws at Desjardins. According to the commissioner's investigation, over a period of at least 26 months a rogue employee stole sensitive personal information that Desjardins had obtained from clients who purchased or received products through the organisation. The information included first and last names, dates of birth, social security numbers, street addresses, phone numbers, email addresses, and transaction histories.

400,000 Planned Parenthood Patients' Personal Information has been Leaked

 

According to the Washington Post, Planned Parenthood sent letters to around 400,000 patients earlier this week warning them that some of their personal information had been compromised in a cyberattack. Patients' names, as well as "one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information," were stolen, according to the healthcare provider. 

According to the statement, staff members initially discovered unusual activity on their computer network on October 17th. Planned Parenthood Los Angeles shut down its networks, alerted authorities, and hired a third-party cybersecurity firm to assist in the investigation. According to the statement, a hacker gained access to the healthcare provider's network between Oct. 9 and 17, installed "malware/ransomware," and took some files from the system. 

According to Planned Parenthood spokesperson John Erickson, the data leak was limited to the Los Angeles facilities. That's a total of 21 locations, with patients from Beverly Hills to Burbank and Compton affected. “We take safeguarding patients’ information extremely seriously, and have taken steps to address this incident,” Erickson said. “Our focus now is on notifying and supporting those patients whose information was involved in this incident.” 

In a letter to patients, Planned Parenthood compliance officer Kevin Oliver stated, "At this time, we have no evidence that any information implicated in this incident has been exploited for fraudulent purposes." Nonetheless, out of an abundance of caution, Oliver advised all patients affected by the incident to pay closer attention to "statements you get from your health insurer and health care providers." 

According to the statement, the incident was limited to Planned Parenthood Los Angeles and did not affect any other affiliates. Although the purpose of the hack is unknown, Planned Parenthood has previously been the victim of politically motivated cyberattacks. More than 300 Planned Parenthood Federation of America employees' names and email addresses were exposed on a private website run by a group of hackers known as 3301.

The incident happened as Planned Parenthood was mired in controversy over a series of carefully altered undercover videos released by an anti-abortion group accusing the organization of profiting illegally from the sale of foetal parts for medical research. The videos were condemned by Planned Parenthood as misleading, and investigations in a dozen states found no evidence of wrongdoing by the organization.

22,000 Data Subjects were Impacted by a Cyberattack on S&R

 

Thousands of data subjects were harmed by the recent cyber-attack on S&R Membership Shopping, according to the National Privacy Commission (NPC). The NPC said in a statement that it got an initial breach report from S&R on November 15, 2021, at 4:47 p.m. regarding a cyber-attack that may have affected the personal data of its members. The breach was found on November 14, 2021, according to the NPC.

S&R is a membership-based shopping club modeled after the American warehouse membership shopping chains. The basic idea is to provide significant value to member-customers through a system that is based on aggressive buying, low-cost distribution, and streamlined operations. 

S&R Pricemart was founded in 2001 as a joint venture with PriceSmart of the United States. The name "S&R" refers to Sol and Robert Price, two American businessmen. Following the enactment of the Retail Trade Act of 2000, which liberalized the retail sector, PriceSmart was the first big international retailer to enter the Philippine market. The retail chain was rebranded S&R Membership Shopping after PriceSmart lost its share in the joint venture in 2005 and was purchased by the Co family in 2006.

S&R submitted a second breach report on November 24, 2021, indicating that the ransomware assault targeted the company's membership system, affecting 22,000 data subjects, according to the privacy body. The NPC cited the company's report as evidence that the S&R members' personal information, including date of birth, phone number, and gender, had been compromised. 

“Based on the S&R’s disclosure and confirmation from their data protection officer, credit cards and other financial information were not among the compromised personal data,” the privacy body said. S&R had previously stated that it had been the victim of a cyberattack, but that its "staff quickly and decisively implemented our cybersecurity protocols, allowing us to restart our system operations."

Despite this, the NPC ordered S&R to give a technical report on the event from a third-party cyber security company. The corporation was also reminded of its need to properly disclose and individually notify any affected data subjects, according to the agency. “They (S&R) informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” the NPC said.

To Stay Under the Radar, Magecart Credit Card Skimmer Avoids VMs

 

A new Magecart threat actor is utilizing a digital skimmer to steal people's payment card information from their browsers. It uses a unique kind of evasion to circumvent virtual machines (VM) so it only targets actual victims and not security researchers. Researchers from Malwarebytes found the new campaign, which adds an extra browser process that checks a user's PC for VMs using the WebGL JavaScript API, according to a blog post published Wednesday. 

It accomplishes this by determining whether the graphics renderer reported by the browser is a software fallback rather than the hardware (GPU) renderer. The skimmer's script checks for the words swiftshader, llvmpipe, and VirtualBox. Google Chrome uses SwiftShader, and Firefox uses llvmpipe, as a backup renderer.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post.

Magecart is an umbrella term for various threat organizations that infect e-commerce websites with card-skimming scripts on checkout pages in order to steal money and personal information from customers. Because security researchers are so familiar with their activities, these groups are always seeking new and inventive ways to avoid being detected.

The most frequent way of evading detection, according to Segura, is detecting VMs used by security researchers and sandboxing solutions that are intended to pick up Magecart activity. "It is more rare to see the detection of virtual machines via the browser for web-based attacks," he said. Threat actors typically filter targets based on geolocation and user-agent strings, according to Segura.

Researchers discovered that if the machine passes the check, the exfiltration of personal data proceeds as normal. The customer's name, address, email, phone number, and credit card information are all scraped by the skimmer. “It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura.

To help consumers avoid being targeted and compromised by the campaign, Malwarebytes has released the skimmer code as well as a thorough list of indicators of compromise in its post.
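For defenders, the renderer names mentioned above double as static indicators in script text. The following is an added example, not code from the Malwarebytes post or from the skimmer: it triages JavaScript source for a WebGL renderer query combined with those names. The function names, verdict labels and sample snippets are constructed for illustration; `WEBGL_debug_renderer_info` and `UNMASKED_RENDERER_WEBGL` are the standard WebGL identifiers for reading the renderer string.

```javascript
// Added example: static triage for the in-browser VM check described above.
// Renderer names come from the article; the probe patterns are assumptions
// based on the standard WebGL API for reading the renderer string.
const RENDERER_NAMES = ['swiftshader', 'llvmpipe', 'virtualbox'];
const WEBGL_PROBES = [
  { name: 'WEBGL_debug_renderer_info', re: /webgl_debug_renderer_info/ },
  { name: 'UNMASKED_RENDERER_WEBGL', re: /unmasked_renderer_webgl/ },
  { name: 'getContext(webgl)', re: /getcontext\(\s*['"](?:experimental-)?webgl/ },
];

// Undo trivial obfuscation so literal matching still works:
// \xNN and \uNNNN escapes, and string literals joined with '+'.
function normalize(source) {
  return source
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/(['"])\s*\+\s*(['"])/g, '')
    .toLowerCase();
}

// Verdicts:
//   'vm-check' - renderer query AND software-renderer names: matches the pattern
//   'review'   - renderer names only: the query may be hidden more deeply
//   'clean'    - neither, or plain WebGL use (common in legitimate pages)
function scanScript(source) {
  const text = normalize(source);
  const probes = WEBGL_PROBES.filter((p) => p.re.test(text)).map((p) => p.name);
  const renderers = RENDERER_NAMES.filter((n) => text.includes(n));
  let verdict = 'clean';
  if (probes.length > 0 && renderers.length > 0) verdict = 'vm-check';
  else if (renderers.length > 0) verdict = 'review';
  return { verdict, probes, renderers };
}

// Constructed samples (not taken from any real site or from the skimmer).
const SAMPLE_SUSPECT = String.raw`
var gl = document.createElement('canvas').getContext( "webgl" );
var ext = gl.getExtension('WEBGL_debug_renderer_info');
var r = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
var sw = new RegExp('swift' + 'shader|llvm\x70ipe|virtualbox', 'i').test(r);
`;
const SAMPLE_BENIGN = `
var gl = canvas.getContext('webgl');
gl.clearColor(0, 0, 0, 1);
`;
const SAMPLE_NAMES_ONLY = `
var list = ['SwiftShader', 'llvmpipe'];
check(info[key], list);
`;

for (const [label, src] of [['suspect', SAMPLE_SUSPECT],
  ['benign', SAMPLE_BENIGN], ['names-only', SAMPLE_NAMES_ONLY]]) {
  console.log(label, JSON.stringify(scanScript(src)));
}
```

Because the skimmer only proceeds on machines that pass its check, a crawler running on a software renderer will not observe the exfiltration, so a static check like this complements dynamic scanning.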

CU Boulder Cyberattack Exposes Data of 30,000 Students

 

The University of Colorado Boulder is sending out electronic notifications to roughly 30,000 former and current students that their private details may have been stolen during a recent data breach.

According to a release from the university, the third-party software, provided by Atlassian, had a security loophole that impacted a program used by the Office of Information Security. The office did an internal investigation that showed some data was accessed by a hacker. Atlassian is an Australian software firm headquartered in Sydney that manufactures products for software developers, project managers, and other software development teams. 

The vulnerability “impacted a program used mostly by the Office of Information Technology (OIT) to share resources, such as support and procedural documents, configuration files and collaborative documents,” the university said in a statement. 

The accessed files contained personally identifiable information (PII) for current and former CU Boulder students. Included in that information were names, student ID numbers, addresses, dates of birth, phone numbers, and genders. Fortunately, no Social Security numbers or financial details were compromised during the security incident.

“An analysis by the Office of Information Security revealed some data stored in the program was accessed by an attacker. Atlassian released a software patch for the vulnerability on August 25. (The Office of Information Technology) upgraded the software to the latest version which is not susceptible to the vulnerability that allowed the intrusion,” CU Boulder said in its announcement. “OIT was testing the new version and preparing to implement it when the intrusion occurred.”

Most of the students whose data may have been impacted in the incident are no longer associated with CU Boulder as a student or employee, Dan Jones, associate vice chancellor for integrity, safety, and compliance at the university, stated. However, the university is providing free monitoring services for those whose personal details were compromised.

This is the second known case of CU data being compromised in a cyberattack. Earlier this year in January, CU was one of many clients affected by an attack on Accellion, a large file transfer service. Files of 447 users were compromised in the data breach, containing private details for thousands of students, faculty, and staff across all CU campuses. According to CU, the two cyberattacks are not connected. 

Verizon Phishing Scam Uses Text Messages to Target Customers

 

Verizon subscribers have started to get malicious texts from unknown senders, according to a report published by Phone Arena on Saturday, October 9. Sending messages to a recipient from a suspicious phone number is a phishing technique. The messages come from the number 562-666-1159 and inform users that their prior month's bill has already been paid. The exact message reads as follows: "Verizon Free Message: Sept bill is paid. Thanks, (first name of the customer)! Here's a little gift for you."

According to Phone Arena, the majority of Verizon customers have already paid their September bills. The reference to an old invoice therefore suggests that the hacker's message is entirely fictitious. In addition, Verizon is unlikely to deliver a gift to users who have paid their bills in advance. This current phishing attack could indicate that the user's personal information is about to be stolen.

This attack was similar to what T-Mobile customers experienced previously. Phone Arena said it's conceivable that the phone numbers used to send the phoney messages came from T-Mobile's recent data hack, which affected 48 million members. The text pretended to be from T-Mobile and promised the recipients of the message a $100 free gift as compensation for an outage that occurred somewhere around that time. 

The way T-Mobile was spelled as Tmobile was one of the obvious clues that the whole affair was a hoax. The truth was hidden in the tiny print: the SMS was sent by a marketing firm with no ties to T-Mobile, and the firm was attempting to acquire information about T-Mobile consumers, presumably gathering confirmed phone numbers of the carrier's subscribers.

Coming back to Verizon, the cybercriminals behind the text message will request personal information from subscribers. If a subscriber falls for this ruse, his or her security number, bank account number, and other personal data will be stolen. The threat actor would have access to the required details of a subscriber's Verizon account if this happened. Once the scam is successful, the hackers will order a phone that the user will have to pay for. 

If customers are unsure whether a text or email is real, they should phone the carrier and ask whether someone from that company sent the message in question, according to Phone Arena. Phone Arena also recommended that anyone with a wireless account set up a password or PIN to keep the account safe from prying eyes.