
Computer Hacker Steals Personal Data from 20000 Christchurch Hot Pools Customers

About the data breach 

Personal information of more than 20,000 members of the public has been stolen in a data breach at Christchurch City Council's He Puna Taimoana hot pools. 

The stolen information consists of copies of driver's licences, rates invoices, passports, utility bills, tenancy agreements and other council membership cards, all supplied by pool users as proof of residence.

The data breach was found on August 24. Pool users were contacted two weeks later, in an email from Nigel Cox, the council's head of recreation and sport.

According to Cox, the council was informed of the hack by a third party who had been contacted by an individual claiming to have accessed and downloaded files stored on the He Puna Taimoana cloud server.

Cox said there is reason to believe that the person who accessed and illegally downloaded the files stored on the He Puna Taimoana cloud server is a 'white hat hacker', an actor who compromises computer systems or networks to find vulnerabilities and prompt improvements in system and network security.

"The security of your information is Christchurch City Council's utmost priority and we appreciate the need to provide information regarding the breach to you as quickly as possible."

Current Status 

So far, customers have not been told what to do, but they should assume their personal information may have been part of the breach. The email directs users to the He Puna Taimoana website for more details.

Affected users can also phone or email the council. Netsafe chief online safety officer Sean Lyons called the data breach "worrying". According to him, passport and driver's licence copies can, in the worst case, be misused for identity theft.

The information in these documents can be used to impersonate someone. He suggests that customers obtain new passports and driver's licences if they are worried about the breach.

For all the inconvenience, that is probably better than the worry of someone out there using your passport number, he says.

Cox said:

At this stage, we have no reason to believe the information has been further disclosed by the third-party actor other than to the third party who has informed us of the breach.

The privacy commissioner has been informed. The council said it is aware of its obligations under the Privacy Act and of the possible effect on customers, and that it has launched an investigation.

National reports:

Christchurch residents get cheaper tickets to the pools, which opened in 2020, but are required to provide proof of address to get the discount.

Neuro Practice Says 363,000 Users' Personal Info Leaked

About the leak

An Indiana neurology practice is informing around 363,000 people that their personal data was leaked in a recent ransomware attack and that some of it was posted on the dark web.

The practice has not named the ransomware group or the data leak site involved; however, the Russian ransomware group Hive, the subject of a recent federal advisory for the healthcare industry, is hinted at. Hive has been widely attacking the U.S. healthcare sector.

What do experts have to say?

Brain and spine specialists Goodman Campbell Brain and Spine, in a data breach report to the attorney general of Maine in July, said a "sophisticated" ransomware attack had compromised its computer network and communications systems, including phones and email, and with them employee and patient data.

"A healthcare entity informing individuals in a breach notification letter or statement that their information has been potentially listed on the dark web is a highly uncommon level of transparency," reports Bank Info Security. 

How did the practice combat the issue?

Once the attack was discovered on May 20, the practice took immediate steps to safeguard its systems and engaged a forensic analysis and incident response firm. Goodman Campbell also notified the FBI. The inquiry revealed that a malicious third party had acquired information from the practice's systems.

The hacker did not access the electronic medical record system, but did access patient information and records held elsewhere on the internal network, such as appointment schedules, insurance eligibility documentation, and referral forms.

Information compromised in the attack includes names, dates of birth, telephone numbers, addresses, email addresses, medical record numbers, patient account numbers, physician names, dates of service, diagnosis and treatment information, insurance information, and Social Security numbers.

"While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the dark web," says the practice notification. 

Private Details of 43,000 London Voters Leaked to Strangers


The Electoral Services department of Wandsworth Council was at the center of a massive data protection scandal after the private details of tens of thousands of London residents were accidentally leaked by their council via email to the wrong recipients. 

The emails were intended to inform residents of their nearest polling station ahead of May’s local elections following changes in ward boundaries. However, 43,000 voters – representing nearly 13% of local residents – received names, addresses, and voting instructions for people other than those in their households. 

The council apologized but tried to play down the mistake, saying that "there was a problem with the data merge" and that no electoral fraud could result. A follow-up email asked recipients to delete the erroneously sent email and explained that all of the information accidentally leaked was already available in the public domain to anyone who chose to inspect the electoral register.

“We would like to reassure residents that the information contained in these emails is all publicly available in the borough’s electoral register, which is an open document that can be inspected by any member of the public at any time during the year,” read a statement posted by the council on Twitter. “The emails did not contain any information beyond what is already in the public domain.” 

Judging by the number of concerned residents commenting on the statement, it has done little to allay voters’ fears. “I don’t want people to know my address because I have a sensitive job,” a Wandsworth resident told a local media outlet. “When I received an email from the council with someone else’s name and address, my first thought was ‘Well, who sent me?’”

This breach by the Conservative-majority council was on "an unprecedented scale" and is an "unacceptable" incident, stated Fleur Anderson, Labour MP for Putney and former Wandsworth Borough council member.

“It is chilling and very worrying for everyone whose personal details have been shared with strangers. The council does not seem to accept the severity of this as its very weak response to everyone affected shows,” Anderson added. “They can’t be trusted with our data, and how can we be sure this won’t happen again?” 

Earlier this year, in January, private details belonging to British Council students were exposed online via an unsecured Microsoft Azure blob repository containing over 144,000 files. The impacted students were exposed to a broad range of malicious activities, including identity theft, phishing attacks, and scams.

A Data Breach at a Croatian Phone Company Affects 200,000 Customers


Croatian phone company 'A1 Hrvatska' has announced a data breach that exposed the personal information of 10% of its users, or approximately 200,000 persons. A1 Hrvatska is a Croatian mobile network operator and a strategic partner of Vodafone. It is part of the Telekom Austria Group. A1 is the first and only operator in Croatia to offer the complete 5-play service, which comprises A1 TV, mobile and fixed telephony, and mobile and fixed Internet. 

The notification doesn't go into much depth, other than to say that the company had a cybersecurity incident involving unauthorized access to one of its user databases, which contained sensitive personal information. Full names, personal identity numbers, physical addresses, and phone numbers were all accessed.

"Unfortunately, despite advanced protection measures and the constant raising of the level of security, a security incident occurred related to one of the user databases, which compromised part of the personal data of part A1 of users. We emphasize that information on bank cards and accounts is not compromised because it is not available in the specified database. We will directly inform all users whose personal data is potentially compromised," said the company. 

A criminal complaint was also filed with the Zagreb Police Administration right away, and information experts assisted in identifying the culprits of the crime. In addition, the competent institutions HAKOM and AZOP, with which the company works closely, were notified. 

A1 Hrvatska is a strategic partner of Vodafone, whose Portugal operation was subjected to a very disruptive cyberattack that resulted in the suspension of 4G and 5G data services. Strategic partners occasionally share online infrastructure; in this case a link appears implausible, though it cannot be fully ruled out. Because the event does not appear to have impacted A1 Hrvatska's services or operations, it looks like an instance of unauthorised database access, either through a misconfiguration or through stolen credentials.

"A1 Croatia adheres to the highest security standards and data protection, and we will continue to make additional investments in improving the security environment. The recurrence of this security incident is not possible and has not had and will not affect the provision of services to customers," the company said.

68K People Who Received Services from Advocates were Affected by Data Theft


Approximately 68,000 Advocates clients are being alerted that their personal and protected health information was stolen during a four-day incident in September 2021. Advocates also notified certain employees whose data was stolen during the hacking incident. 

Advocates, Inc. ("Advocates") is a non-profit organization established in Massachusetts that provides a wide range of services to people facing life issues such as addiction, aging, autism, brain damage, intellectual disabilities, mental health, and behavioral health. 

On October 1, 2021, Advocates was notified that an unauthorized actor had copied data from its digital environment. On discovering this activity, Advocates took action to secure its environment and hired a leading cybersecurity firm to help investigate whether personal information had been accessed or acquired without authorisation. The investigation found that between September 14, 2021 and September 18, 2021, an unknown person gained access to the Advocates network and collected data from it.

The incident may have involved the following personal and protected health information: name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information. 

Following the inquiry, Advocates began gathering contact information to notify potentially affected individuals. Advocates also alerted the Federal Bureau of Investigation and stated that it will provide whatever assistance is required to hold the criminals accountable, if at all feasible. Advocates said it takes the security and privacy of service recipient information extremely seriously and has taken additional precautions to prevent a similar incident in the future.

Advocates is not aware of any evidence that information was misused in this incident. Nonetheless, beginning on January 3, 2022, Advocates distributed notice of the incident to potentially affected persons. The notification letter described the incident and recommended steps that potentially impacted individuals can take to protect their information. Individuals were also offered free credit monitoring and identity protection services through IDX, according to Advocates.

To answer questions about the incident and address related concerns, Advocates set up a toll-free call centre. Advocates advises people to notify their financial institution promptly if they see suspicious activity on any of their accounts, such as unauthorised transactions or new accounts opened in their name that they do not recognise. They should also report any fraudulent activity or suspected identity theft to the appropriate law enforcement authorities as soon as possible.

Ransomware Groups are Enlisting Breached Individuals to Persuade Firms to Pay Up


According to recent reports, attackers are utilising stolen data to contact individuals who have been compromised in the attack (through social media, email, or phone). These direct contact strategies are being used by ransomware gangs as additional leverage to get victims to pay up. They call employees or customers whose data was compromised in the attack and urge them to persuade the victim to pay up, threatening them with the release of their personal information if they do not. 

NBC News featured a story on a parent whose child attended a school in a district that was the target of a ransomware attack. The attackers emailed the parent, asking him to pressure the district to pay up, or else all of the exfiltrated material, including information on him and his son, would be posted on the dark web.

According to the person interviewed by NBC, the district did not notify parents or many staff members that they had been the victims of an attack, at least not before the assailants established contact with them. The attackers exploit whatever contact information they can obtain, such as employee directories or customer databases, to identify individuals to pressure. 

Allen ISD was the victim of a cyberattack in September 2021 and was afterwards the target of attempted extortion by the perpetrators. Allen ISD, located roughly 30 miles north of Dallas, Texas, educates nearly 22,000 K-12 students. Following consultation with external cybersecurity experts, school administrators decided to refuse the hackers' demands, even telling local media that there was no indication that data had been exfiltrated. This was despite the ransomware gang claiming to have collected personal information on district children, families, and staff and seeking to extort millions of dollars from Allen ISD.

Another strategy used by ransomware attackers is to contact employees at a firm during the reconnaissance stages of an assault to see if they can bypass the infiltration stages by exploiting an insider threat. Insider threats are one of a few non-digital threats that have plagued businesses of all sizes to date. 

Insider threats represent a quarter of the eight main cybersecurity risks that significantly affect the corporate and public sectors, according to the Osterman Research white paper White Hat, Black Hat, and the Emergence of the Gray Hat: The True Costs of Cybercrime. 

According to a new survey conducted by identity protection firm Hitachi ID Systems, 65% of surveyed IT and security executives or their staff had been contacted to aid in ransomware cyberattacks. This marks a 17% increase over a similar survey conducted a year ago. The attackers used email and social media to contact employees in the majority of cases, while phone calls accounted for 27% of their approach efforts, a direct and brazen method of communication.

Another T-Mobile Cyberattack Allegedly Exposed User Information and SIM Cards


T-Mobile has been subjected to yet another cyberattack, following a large data breach in August. According to documents revealed by The T-Mo Report, attackers this time gained access to "a small number of" user accounts. The damage appears to be far less serious, with only a small percentage of customers affected. There is no further information on what happened, with the records stating only that some information was leaked.

Affected customers fall into one of three categories. First, a customer may have been impacted only by a leak of customer proprietary network information (CPNI). This information could include the billing account name, phone numbers, the number of lines on the account, account numbers, and rate plan information. That's not ideal, but it's far less damaging than the August incident, which exposed customers' Social Security numbers.

The second category is customers whose SIM was swapped. To gain control of a phone number, a malicious actor has the SIM card linked with it changed to one they control. This can, and frequently does, lead to the victim's other online accounts being taken over via the two-factor authentication codes sent to that phone number. According to the document, customers affected by a SIM swap have now had that action reversed. The final category is customers hit by both: their private CPNI was accessed and their SIM card was swapped.

When it comes to account security, T-Mobile does not have the finest track record. As previously stated, a huge data breach occurred earlier this year in August, exposing information on roughly 50 million users across both post-paid and prepaid accounts. The stolen files contained crucial personal information such as first and last names, dates of birth, Social Security numbers, and driver's licence / ID numbers - the kind of information you could use to open a new account or hijack an existing one. It did not appear to include "phone numbers, account numbers, PINs, or passwords." 

Affected customers, who appear to be few in number, have received letters warning them of the unlawful activity on their accounts. Memos have also been placed on those impacted accounts so that reps may see them when they log in.

"We informed a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed. Unauthorized SIM swaps are unfortunately a common industry-wide occurrence, however, this issue was quickly corrected by our team, using our in-place safeguards, and we proactively took additional protective measures on their behalf," a T-Mobile spokesperson said.

1.8 Million People's Credit Card Information was Stolen from Sports Gear Sites


Four well-known affiliated online sports equipment websites recently disclosed a significant cyberattack in which hackers compromised and stole the credit card information of over 1.8 million customers. A law firm representing the four sites revealed that a data breach occurred on October 1st, 2021, in which hackers compromised personal and credit card information; for the time being, that is all the detail the firm has given.

Tackle Warehouse LLC (fishing gear), Running Warehouse LLC (running apparel), Tennis Warehouse LLC (tennis apparel), and Skate Warehouse LLC (skateboards and skating apparel) are the affected websites. Full names, financial account numbers, credit card numbers (with CVV), debit card numbers (with CVV), and website account passwords were all compromised in this incident.

On the 15th of October, the sites discovered that they had been compromised, and on the 29th of November they told their customers about the data breach, in which hackers obtained over 1.8 million customers' credit card details. Finally, on December 16th, they notified and sent security alerts to all affected persons.

Because none of the notices published to impacted customers give any information about the nature of the incident, the actual means by which the data was obtained remains unknown. However, the description "External system breach (hacking)" suggests a database breach rather than card skimmers installed on the websites, though both are possible.

Tackle’s notification states, “Upon becoming aware of the incident, Tackle Warehouse took the measures. We also reported the incident to the payment card brands in an attempt to prevent fraudulent activity on the affected accounts. However, we have reported this incident to law enforcement and have worked closely with the digital forensics and security firms to enhance the security of our sites to facilitate safe and secure transactions.” 

Customers who made a purchase from one of the four compromised websites should watch incoming communications with vigilance, keep an eye on their bank account and credit card statements, and report any unusual activity right away, the security researchers said. They also noted that the compromised data is extremely sensitive, yet the sites have not so far offered identity protection services to their affected customers.

Desjardins Settles Data Breach Class-Action Lawsuit for Roughly $201 Million


After a 2019 data breach exposed the personal information of 10 million clients, a class action lawsuit against Canadian financial services provider Desjardins has been provisionally settled for C$201 million. According to the company, the breach lasted two years and was caused by "unauthorised and illegal access" to data by a "malicious" employee. Desjardins first reported that 2.9 million persons were affected; this figure was later revised to 4.2 million, and later still it was revealed that 9.7 million people were affected.

The Desjardins Group is a Canadian financial services cooperative and North America's largest credit union federation. Alphonse Desjardins founded it in 1900 in Lévis, Quebec. While the company's legal headquarters remain in Lévis, the majority of its executive management, including the CEO, is located in Montreal. As of 2017, Desjardins Group comprised 293 local credit unions operating 1,032 points of service and serving over seven million members and clients, primarily in the provinces of Quebec and Ontario.

The plaintiffs released a press release on December 16th indicating that a settlement figure had been reached. It reads: “The settlement agreement provides for compensation for loss of time related to the personal information breach, as well as compensation for identity theft. In addition, the settlement agreement provides that all class members who have not yet registered for Equifax’s credit monitoring service offered by Desjardins can register and will thus be able to obtain, at no cost, Equifax coverage for five years, and the extension by at least five years of the other protective measures implemented by Desjardins following the breach.” 

The settlement agreement must be authorised by the Superior Court of Québec on an unspecified date in 2022. If it is approved, class members might get up to C$200,852,500 (about US$155 million) in compensation. The class action's attorneys stated that its members are "very pleased" with the settlement sum, which they described as "timely and fair compensation." 

According to the federal Privacy Commissioner's findings, the data breach was caused by a succession of technological and administrative flaws at Desjardins. A rogue employee stole sensitive personal information obtained by Desjardins from clients who purchased or received products through the organisation for at least 26 months, according to the commissioner's investigation. Some of the information included first and last names, dates of birth, social security numbers, street addresses, phone numbers, email addresses, and transaction histories.

400,000 Planned Parenthood Patients' Personal Information has been Leaked


According to the Washington Post, Planned Parenthood sent letters to around 400,000 patients earlier this week warning them that some of their personal information had been compromised in a cyberattack. Patients' names, as well as "one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information," were stolen, according to the healthcare provider. 

According to the statement, staff members initially discovered unusual activity on their computer network on October 17th. Planned Parenthood Los Angeles shut down its networks, alerted authorities, and hired a third-party cybersecurity firm to assist in the investigation. According to the statement, a hacker gained access to the healthcare provider's network between Oct. 9 and 17, installed "malware/ransomware," and took some files from the system. 

According to Planned Parenthood spokesperson John Erickson, the data leak was limited to the Los Angeles facilities. That's a total of 21 locations, with patients from Beverly Hills to Burbank and Compton affected. “We take safeguarding patients’ information extremely seriously, and have taken steps to address this incident,” Erickson said. “Our focus now is on notifying and supporting those patients whose information was involved in this incident.” 

In a letter to patients, Planned Parenthood compliance officer Kevin Oliver stated, "At this time, we have no evidence that any information implicated in this incident has been exploited for fraudulent purposes." Nonetheless, out of an abundance of caution, Oliver advised all patients affected by the incident to pay closer attention to "statements you get from your health insurer and health care providers." 

According to the statement, the incident was limited to Planned Parenthood Los Angeles and did not affect any other affiliates. Although the purpose of the hack is unknown, Planned Parenthood has previously been the victim of politically motivated cyberattacks. More than 300 Planned Parenthood Federation of America employees' names and email addresses were exposed on a private website run by a group of hackers known as 3301.

The incident happened as Planned Parenthood was mired in controversy over a series of carefully edited undercover videos released by an anti-abortion group accusing the organization of profiting illegally from the sale of foetal parts for medical research. Planned Parenthood condemned the videos as misleading, and investigations in a dozen states found no evidence of wrongdoing by the organization.

22,000 Data Subjects were Impacted by a Cyberattack on S&R


Thousands of data subjects were harmed by the recent cyber-attack on S&R Membership Shopping, according to the National Privacy Commission (NPC). The NPC said in a statement that it got an initial breach report from S&R on November 15, 2021, at 4:47 p.m. regarding a cyber-attack that may have affected the personal data of its members. The breach was found on November 14, 2021, according to the NPC.

S&R is a membership-based shopping club modeled after the American warehouse membership shopping chains. The basic idea is to provide significant value to member-customers through a system that is based on aggressive buying, low-cost distribution, and streamlined operations. 

S&R Pricemart was founded in 2001 as a joint venture with PriceSmart of the United States. The name "S&R" comes from Sol and Robert Price, two American businessmen. Following the enactment of the Retail Trade Act of 2000, which liberalized the retail sector, PriceSmart was the first big international retailer to enter the Philippine market. The retail chain was rebranded S&R Member Shopping after PriceSmart lost its share in the joint venture in 2005 and was purchased by the Co family in 2006.

S&R submitted a second breach report on November 24, 2021, indicating that the ransomware assault targeted the company's membership system, affecting 22,000 data subjects, according to the privacy body. The NPC cited the company's report as evidence that the S&R members' personal information, including date of birth, phone number, and gender, had been compromised. 

“Based on the S&R’s disclosure and confirmation from their data protection officer, credit cards and other financial information were not among the compromised personal data,” the Privacy body said. S&R had previously stated that it had been the victim of a cyberattack, but that its "staff quickly and decisively implemented our cybersecurity protocols, allowing us to restart our system operations." 

Despite this, the NPC ordered S&R to provide a technical report on the event from a third-party cybersecurity company. The company was also reminded of its obligation to properly disclose the breach and individually notify all affected data subjects, according to the agency. "They (S&R) informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks," the NPC said.

To Stay Under the Radar, Magecart Credit Card Skimmer Avoids VMs


A new Magecart threat actor is using a digital skimmer to steal people's payment card information from their browsers. It uses an unusual evasion technique: it detects virtual machines (VMs) so that it only targets real victims and not security researchers. Researchers from Malwarebytes found the new campaign, which adds an extra in-browser check that tests the user's PC for a VM using the WebGL JavaScript API, according to a blog post published Wednesday.

It does this by determining whether the browser's WebGL renderer is a software fallback rather than the hardware (GPU) renderer. The script searches the renderer name for the strings swiftshader, llvmpipe, and VirtualBox. SwiftShader is the fallback renderer used by Google Chrome, and llvmpipe the one used by Firefox.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post.

Magecart is an umbrella term for various threat organizations that infect e-commerce websites with card-skimming scripts on checkout pages in order to steal money and personal information from customers. Because security researchers are so familiar with their activities, they are always seeking new and inventive ways to avoid being detected. 

The most common evasion method, according to Segura, is detecting the VMs used by security researchers and by sandboxing solutions intended to pick up Magecart activity. "It is more rare to see the detection of virtual machines via the browser for web-based attacks," he said. Threat actors typically filter targets based on geolocation and user-agent strings, according to Segura.

Researchers discovered that if the machine passes the check, the process of personal data exfiltration can proceed regularly. The customer's name, address, email, phone number, and credit card information are all scraped by the skimmer. “It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura. 

To help consumers avoid being targeted and compromised by the campaign, Malwarebytes has released the skimmer code as well as a thorough list of indicators of compromise in its post.
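An added example, not code from the Malwarebytes post or from the skimmer itself: a static scan in JavaScript that a site owner or analyst can run over the scripts served on a checkout page to flag the pattern described above, a WebGL renderer query combined with the software-renderer strings swiftshader, llvmpipe and VirtualBox. The sample scripts are constructed test inputs; the numeric value 0x9246 (37446) is the standard UNMASKED_RENDERER_WEBGL constant.

```javascript
// Software-renderer names the article says the skimmer looks for.
const SOFTWARE_RENDERER_TERMS = ["swiftshader", "llvmpipe", "virtualbox"];

// Ways a script can obtain the unmasked renderer string through WebGL:
// by extension name, by constant name, or by the constant's numeric value.
const RENDERER_QUERY_PATTERNS = [
  /WEBGL_debug_renderer_info/,
  /UNMASKED_RENDERER_WEBGL/,
  /getParameter\s*\(\s*(?:0x9246|37446)\s*\)/,
];

// Decode \xNN and \uNNNN string escapes so that trivially escaped indicator
// strings still match. Concatenated or otherwise obfuscated strings are not
// handled; this is a cheap first-pass filter, not a deobfuscator.
function decodeEscapes(source) {
  return source
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Scan one script body. Only the combination of a renderer query and a
// software-renderer term is treated as suspicious: WebGL use alone is normal
// (3D product viewers), and renderer queries alone are common in analytics.
function scanForWebglVmCheck(source) {
  const text = decodeEscapes(source);
  const lower = text.toLowerCase();
  const usesWebgl = /getContext\s*\(\s*["'](?:experimental-)?webgl2?["']/.test(text);
  const queriesRenderer = RENDERER_QUERY_PATTERNS.some((re) => re.test(text));
  const rendererTerms = SOFTWARE_RENDERER_TERMS.filter((t) => lower.includes(t));
  const suspicious = queriesRenderer && rendererTerms.length > 0;
  return { suspicious, usesWebgl, queriesRenderer, rendererTerms };
}

// Scan a set of scripts (inline <script> bodies, fetched external files)
// and return only the findings worth an analyst's attention.
function findSuspiciousScripts(scripts) {
  return scripts
    .map(({ name, source }) => ({ name, ...scanForWebglVmCheck(source) }))
    .filter((r) => r.suspicious);
}

// Constructed sample inputs (not real skimmer code); file names are made up.
const SAMPLE_SCRIPTS = [
  {
    // Legitimate 3D viewer: uses WebGL but never reads the renderer name.
    name: "product-viewer.js",
    source: `const gl = canvas.getContext("webgl");
gl.clearColor(0, 0, 0, 1); gl.clear(gl.COLOR_BUFFER_BIT);`,
  },
  {
    // The check described in the article, written in the clear.
    name: "checkout-helper.js",
    source: `var gl = document.createElement("canvas").getContext("webgl");
var ext = gl.getExtension("WEBGL_debug_renderer_info");
var r = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL).toLowerCase();
if (r.indexOf("swiftshader") !== -1 || r.indexOf("llvmpipe") !== -1 || r.indexOf("virtualbox") !== -1) { stop = true; }`,
  },
  {
    // Same check using the numeric constant, with "swiftshader" hex-escaped.
    name: "analytics.js",
    source: `var r = gl.getParameter(37446).toLowerCase();
if (r.indexOf("\\x73\\x77\\x69\\x66\\x74\\x73\\x68\\x61\\x64\\x65\\x72") !== -1) { stop = true; }`,
  },
];

// Stand-alone run: print each flagged script and the terms that matched.
for (const hit of findSuspiciousScripts(SAMPLE_SCRIPTS)) {
  console.log(`${hit.name}: renderer check against ${hit.rendererTerms.join(", ")}`);
}
```

The scan reports the two constructed scripts that query the renderer and compare it against a software-renderer name, and stays silent on the ordinary WebGL viewer. Split or concatenated strings defeat this kind of matching, so treat a clean result as one signal among the indicators Malwarebytes published, not as a clearance.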

CU Boulder Cyberattack Exposes Data of 30,000 Students


The University of Colorado Boulder is sending out electronic notifications to roughly 30,000 former and current students that their private details may have been stolen during a recent data breach.

According to a release from the university, the third-party software, provided by Atlassian, had a security loophole that impacted a program used by the Office of Information Security. The office did an internal investigation that showed some data was accessed by a hacker. Atlassian is an Australian software firm headquartered in Sydney that manufactures products for software developers, project managers, and other software development teams. 

The vulnerability “impacted a program used mostly by the Office of Information Technology (OIT) to share resources, such as support and procedural documents, configuration files and collaborative documents,” the university said in a statement. 

The accessed files contained personally identifiable information (PII) for current and former CU Boulder students. Included in that information were names, student ID numbers, addresses, dates of birth, phone numbers, and genders. Fortunately, no Social Security numbers or financial details were compromised during the security incident.

“An analysis by the Office of Information Security revealed some data stored in the program was accessed by an attacker. Atlassian released a software patch for the vulnerability on August 25. (The Office of Information Technology) upgraded the software to the latest version which is not susceptible to the vulnerability that allowed the intrusion,” CU Boulder said in its announcement. “OIT was testing the new version and preparing to implement it when the intrusion occurred.”

Most of the students whose data may have been impacted in the incident are no longer associated with CU Boulder as a student or employee, Dan Jones, associate vice chancellor for integrity, safety, and compliance at the university, stated. However, the university is providing free monitoring services for those whose personal details were compromised.

This is the second known case of CU data being compromised in a cyberattack. Earlier this year in January, CU was one of many clients affected by an attack on Accellion, a large file transfer service. Files of 447 users were compromised in the data breach, containing private details for thousands of students, faculty, and staff across all CU campuses. According to CU, the two cyberattacks are not connected. 

Verizon Phishing Scam Uses Text Messages to Target Customers


Verizon subscribers have started to receive malicious texts from unknown senders, according to a report published by Phone Arena on Saturday, October 9. Sending such messages from an unfamiliar phone number is a common phishing technique. The number in question is 562-666-1159, and the message informs users that their previous month's bill has already been paid. The exact message reads as follows: "Verizon Free Message: Sept bill is paid. Thanks, (first name of the customer)! Here's a little gift for you." 

According to Phone Arena, the majority of Verizon customers have already paid their September bills, so a message about an already-settled invoice is a sign that it was fabricated. In addition, Verizon is unlikely to deliver a gift to users who have paid their bills in advance. This phishing attack is an indication that the user's personal information is the target. 

This attack was similar to what T-Mobile customers experienced previously. Phone Arena said it's conceivable that the phone numbers used to send the phoney messages came from T-Mobile's recent data hack, which affected 48 million members. The text pretended to be from T-Mobile and promised the recipients of the message a $100 free gift as compensation for an outage that occurred somewhere around that time. 

The way T-Mobile was spelled as Tmobile was one of the obvious clues that the whole affair was a hoax. The truth was hidden in the tiny print: the SMS was sent by a marketing firm with no ties to T-Mobile, and the firm was attempting to acquire information about T-Mobile consumers, presumably gathering confirmed phone numbers of the carrier's subscribers.

Coming back to Verizon, the cybercriminals behind the text message will request personal information from subscribers. If a subscriber falls for this ruse, his or her security number, bank account number, and other personal data will be stolen. The threat actor would have access to the required details of a subscriber's Verizon account if this happened. Once the scam is successful, the hackers will order a phone that the user will have to pay for. 

If customers are concerned whether a text or email is real, they should phone the carrier and inquire if someone from that company sent them the message in question, according to Phone Arena. They also recommended that anyone having a wireless account set up a password or PIN to keep their account safe from prying eyes.

Private Details of 63,126 Health Employees Compromised in Navistar Data Breach


After four months of detailed analysis, US truck manufacturer Navistar has confirmed a data breach on its systems that exposed the details of 63,126 healthcare employees. 

Navistar straight away implemented its cybersecurity response program after learning of a data breach on May 20. The manufacturer also collaborated with third-party cybersecurity specialists to discover the nature and extent of the security breach. 

Ten days later, the American manufacturer received information regarding the exfiltration of data from its systems. In the first week of June, the healthcare provider filed 8-K papers with the US Securities and Exchange Commission, alerting investors regarding the data breach. The notification generated press coverage of the incident from Reuters and other media outlets, as investigators continued to examine its impact.

The investigation into the data theft confirmed on August 20, 2021, that the stolen files contained the protected health information of present and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. 

According to a statement by Navistar, the exfiltrated data possibly contained names, addresses, birth dates, and data linked with participation on the medical and insurance policies, which might have contained certain health-related data like the names of healthcare providers and prescription medications. 

Stolen private details of this kind are commonly used and traded by attackers because they offer a means to run more convincing phishing scams and to apply for fraudulent lines of credit under false names, researchers explained.

Navistar claimed it has strengthened the security after the data breach, which includes using the latest technologies and performing additional training for the employees. Security controls will still be assessed and kept up to date as necessary to avoid further disruptions. 

Earlier in July, Navistar sent notification letters to the victims to advise them regarding the data breach. The company is also providing a 2-year free membership to credit monitoring and identity theft protection services to persons whose Social Security number was affected in the attack.

Additionally, the healthcare provider sent the breach report to the Maine Attorney General suggesting that 63,126 persons were affected. The breach report was also submitted to the Department of Health and Human Services’ Office for Civil Rights stating that 49,000 plan members’ PHI was exposed.

Thailand's Data on 106 Million Visitors has been Breached


After uncovering an unsecured database holding the personal information of millions of tourists to Thailand, a British cybersecurity researcher unexpectedly stumbled upon his own personal data online. Bob Diachenko, a cybersecurity researcher and security leader at Comparitech, discovered an unencrypted Elasticsearch server exposing the personal data of approximately 106 million international travellers to Thailand. The data sat in an unsecured database reachable online, so anyone could access it. 

Threat actors are constantly on the lookout for unprotected servers. In this case there is no evidence of how long the database was exposed before Diachenko's disclosure. A honeypot, however, was set up to monitor intrusion attempts.

“Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added. 

A honeypot is a security tool that detects or diverts unauthorized access to networks and information systems. Comparitech had earlier set up a honeypot, an Elasticsearch server holding a dummy database of fake data, to see how quickly attackers would find and attack it. From May 11 until May 22, 2020, Comparitech left the data exposed. It recorded 175 attacks in just eight hours after the service went live, with a total of 22 attacks in a single day. 

After he reported the problem to Thai authorities, the database was safeguarded. According to Diachenko, every visitor who visited Thailand in the last ten years may have had their personal information exposed as a result of the event. Over 200GB of user data was stored in the database. Date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number were among the data disclosed. 

“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects,” Diachenko stated. 

“No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive,” Diachenko added.

Lubbock County Denies Data Leak, Says Data Temporarily Attainable Under New Software System


Earlier this month, the personal court records for residents of Lubbock County, located in the US state of Texas, were exposed when the county transitioned to a new computer software system. The exposed data contained non-disclosure orders, criminal cases, and civil and family law records. 

According to the county’s official website, Lubbock County Defense Lawyers Association and county officials are not on the same page concerning how to define the incident.

In a news release from the County, Judge Curtis Parrish said: “On Tuesday, September 14, 2021, Lubbock County Information and Technology Department became aware that certain court records that were previously unavailable for review by the public had become viewable under Lubbock County’s new software system. Some of these records include non-disclosure orders, criminal cases, civil and family law records. This access portal has now been blocked temporarily until we can identify which court records maybe [sic] accessed by the parties, attorneys, and the general public.

This was not a data breach [sic], or an issue where the computer system was compromised. Lubbock County will continue to review policies concerning all court records, in our effort to make these documents accessible to the attorneys and the public.” 

However, an earlier release by the Lubbock County Defense Lawyers Association characterized the incident as a data breach. The association said it became aware of the situation on September 10. 

“This data includes information on individuals who have had criminal cases expunged or non-disclosure orders signed in their criminal case. This breach affected cases at all levels and in all courts in Lubbock County. Some individuals’ data have been removed from the public access system, while other individuals’ data are still available,” said Lubbock County Defense Lawyers Association in their news release. 

Attacks on local governments are a growing concern for law enforcement agencies and government officials. On their shoestring budgets, local governments rarely have dedicated security experts, which leaves a huge hole in their security. In March 2021, a report from consumer tech information site Comparitech revealed that American government organizations suffered a loss of $18.88 billion due to cyber-attacks. 

Over the past three years, 246 ransomware attacks struck U.S. government organizations. These attacks potentially affected over 173 million people and nearly cost $52.88 billion. The motive of most of these attacks was to halt processes, interrupt services and cause disruption, not to steal data, according to the report.

Hackers Can Use the SSID Stripping Flaw to Mimic Real Wireless APs


A group of researchers discovered what appears to be a new way for threat actors to mislead people into connecting to their wireless access points (APs). The method, called SSID Stripping, was revealed on Monday by AirEye, a wireless security company. It was discovered in conjunction with Technion - Israel Institute of Technology researchers.

Simply put, unwary users might be duped into connecting to hacker-created Wi-Fi hotspots. This vulnerability exposes users to data theft as well as access to their personal information on their devices. Because it affects nearly all software systems, including MS Windows, macOS, Apple iOS, Ubuntu, and Android, SSID Stripping has emerged as a serious concern. 

In an SSID Stripping attack, according to the researchers, a user sees a network whose name resembles one of their trusted connections. The catch is that the user must manually join the false network. The network nevertheless gets past the device's security checks because the trusted SSID name is embedded in a longer string the attacker has crafted, and the added part is not visible on the screen. As a result, people connect to the phoney AP.

“The SSID published by any AP in the proximity of a wireless client is processed by that client – regardless of whether there is any trust between the client device and the AP. Hence an attacker may attempt to include malicious payload within the SSID in an attempt to exploit a vulnerable client implementation,” researchers noted. 

They were able to create three different sorts of "display errors," as they call them. One of these entails adding a NULL byte into the SSID, which causes Apple devices to show just the portion of the name preceding this byte. To achieve the same effect on Windows machines, the attacker may utilize "new line" characters. 

The second, more common, sort of display error relies on non-printable characters. Without the user noticing, an attacker may add unusual characters to the SSID's name. For example, in place of aireye_network the attacker can publish aireye_\x1cnetwork, where \x1c denotes a single byte with the hex value 0x1c, and the name appears on screen as aireye_network. 

The third display error removes a section of the network name from the viewable region of the screen. In this case, an iPhone may show an SSID named aireye_networknnnnnnnnnnnrogue as aireye_network, eliminating the word rogue. This method, along with the second type of error, can successfully disguise the suffix of a rogue network name.
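The three display errors, as an added check (not AirEye's or the researchers' code) that reproduces what a careless UI would show for a raw SSID and flags beacons whose displayed name collides with a trusted network while the bytes differ. It assumes ASCII SSIDs and a constructed 20-character screen width; the off-screen beacon below pads with spaces, which is this example's choice.

```python
from typing import Dict, List, Optional

MAX_SSID_LEN = 32          # 802.11 limit on SSID length in bytes
DISPLAY_WIDTH = 20         # constructed: characters a small screen shows before cutting off


def displayed_name(raw: bytes, width: int = DISPLAY_WIDTH) -> str:
    """Approximate what a naive UI renders for an SSID, applying the three display
    errors: stop at NUL or new-line, drop other non-printable bytes, cut at the
    visible width, and ignore trailing blanks the eye cannot see (ASCII-only)."""
    if len(raw) > MAX_SSID_LEN:
        raise ValueError("SSID longer than 32 bytes is not valid 802.11")
    cut = len(raw)
    for i, b in enumerate(raw):
        if b in (0x00, 0x0A, 0x0D):          # type 1: NUL / new-line truncation
            cut = i
            break
    printable = bytes(b for b in raw[:cut] if 0x20 <= b < 0x7F)   # type 2: hidden bytes
    return printable.decode("ascii")[:width].rstrip()              # type 3: off-screen


def hidden_content(raw: bytes) -> Dict[str, object]:
    """Report whether the SSID carries bytes the user would not see."""
    shown = displayed_name(raw)
    control = [i for i, b in enumerate(raw) if b < 0x20 or b == 0x7F]
    return {"displayed": shown, "control_bytes": control,
            "hidden": raw != shown.encode("ascii")}


def lookalike_of_trusted(raw: bytes, trusted: List[bytes]) -> Optional[bytes]:
    """Return the trusted SSID this beacon would impersonate on screen, or None.
    A byte-identical SSID is the genuine network and is not flagged."""
    if raw in trusted:
        return None
    shown = displayed_name(raw)
    for t in trusted:
        if displayed_name(t) == shown:
            return t
    return None


# Constructed beacons modelled on the post's three examples (padding uses spaces here).
TRUSTED = [b"aireye_network"]
BEACONS = {
    "nul_byte":      b"aireye_network\x00rogue",
    "non_printable": b"aireye_\x1cnetwork",
    "off_screen":    b"aireye_network" + b" " * 10 + b"rogue",
    "genuine":       b"aireye_network",
    "unrelated":     b"coffee_shop",
}

if __name__ == "__main__":
    for label, ssid in BEACONS.items():
        print(label, hidden_content(ssid), lookalike_of_trusted(ssid, TRUSTED))
```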

School Children's Personal Information on Dark Web: Potential Identity Theft


NBC News, an American broadcaster, has published a report on the theft of millions of school children's data and how it can set up a child for a lifetime of potential identity theft. The data includes medical conditions, family financial status, Social Security numbers, and birth dates of school children.

According to the NBC report, threat actors posted an Excel sheet titled “Basic student information”, maintained by one of the schools, on the dark web after the school refused to pay the ransom, as the FBI advises.

“It lists students by name and includes entries for their date of birth, race, Social Security number, and gender, as well as whether they’re an immigrant, homeless, marked as economically disadvantaged, and if they’ve been flagged as potentially dyslexic,” states the NBC report. 

When NBC News contacted some of the targeted schools regarding the data leak, they were unaware of the problem. “I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed. And I don’t think people have a good handle on how large that exposure is,” said Doug Levin, the director of the K12 Security Information Exchange, a nonprofit organization devoted to helping schools protect against cyberthreats. 

Worsening Situation 

The recent surge in ransomware attacks has aggravated the problem, as those hackers often release victims’ files on their websites if the victims refuse to pay the ransom. While the average person may not know where to find such sites, criminal hackers can find them easily. In 2021 alone, hackers released data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft. 

The situation is complicated by the fact that many schools are unaware of all the information that’s stored on all their computers, and therefore do not realize the extent of what hackers have stolen. When the Dallas-area Lancaster Independent School District was targeted in a ransomware attack in June, it notified parents but told them the school’s investigation “has not confirmed that there has been any impact to employee or student information,” Kimberly Simpson, the district’s chief of communications, said in an email. 

But NBC News’ investigation uncovered the truth when it discovered an audit from 2018 that listed more than 6,000 students, organized by grade and school, as qualifying for free or reduced-price meals. When contacted for comment on the audit, Simpson did not respond. 

Another tactic employed by the attackers is to target a third party that holds students’ data. In May 2021, attackers published files they had stolen from the Apollo Career Center, a northwestern Ohio vocational school that works with 11 regional high schools. The leaked data included hundreds of high schoolers’ report cards from the last school year, all of which are currently visible on the dark web.

“We are aware of the incident and are investigating it. We are in the process of providing notifications to the students and other individuals whose information was involved and will complete the notifications as soon as possible,” Allison Overholt, a spokesperson for Apollo, said in an email. 

Taking action 

American parents are quickly realizing that addressing these problems may fall to them. Because schools have poor knowledge of the data stored on their computers, they may not even know whether they have been hacked or whether the hackers have released students’ information on the dark web. Federal and state laws on student information often give no clear guidance on what to do if a school is hacked, Levin said. 

Eva Velasquez, the president of the nonprofit Identity Theft Resource Center, which helps victims of data theft, is advising parents to freeze their children’s credit to keep them safe from identity theft. “We should for all intents and purposes believe that for the most part, all of our data’s been compromised. We’ve been dealing with data breaches since 2005, and they are absolutely ubiquitous, and just because you didn’t receive a notice doesn’t mean it didn’t happen,” Velasquez said.

Freezing a child’s credit can often be time-consuming, and doing it effectively requires completing the process with all three major credit monitoring services, Experian, Equifax, and TransUnion. But it has become an essential step for digital safety, Velasquez said. 

“We encourage parents to freeze children’s credit. From an identity theft perspective, that is one of the most robust, proactive steps that a consumer can take to minimize the risk. And it applies to kids, and it’s free,” she concluded.

Private Details of 70M AT&T Users Offered For Sale on Underground Hacking Forum


A notorious hacking group, known as ShinyHunters, is reportedly selling a database containing the private details of 70 million AT&T customers. However, AT&T, an American telecommunications provider, has denied suffering a data breach. 

Last week, ShinyHunters posted a sale for “AT&T database + 70M (SSN/DOB)” on RaidForums, a popular Darkweb marketplace. Threat actors set the bidding with a starting price of $200,000 and incremental offers of $30,000. Apart from this, there is also a flash sale where customers can buy the entire database for $1 million. 

"In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records,” Sven Taylor of RestorePrivacy, who first reported the data breach, stated. 

ShinyHunters shared a sample subset of the stolen data containing names, contact numbers, physical addresses, Social Security numbers (SSNs), and dates of birth. An anonymous security expert told BleepingComputer that two of the four people in the sample were confirmed as AT&T customers. The hackers are also working on decrypting data that they believe comprises customer account PINs.

"Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T responded to the claims of ShinyHunters.

In a follow-up email to BleepingComputer, the telecom provider hedged over whether the data could have been stolen from a third party: “Given this information did not come from us, we can’t speculate on where it came from or whether it is valid,” the firm stated. 

In the past, ShinyHunters has targeted the likes of Microsoft, Mashable, Tokopedia, BigBasket, Nitro PDF, Pixlr, TeeSpring, Mathway, and droves of other small-to-mid-sized platforms. Its modus operandi is to steal credentials or API keys, or to buy large troves of data, and then dump and sell the data on underground platforms.

Earlier this month, fellow telecom provider T-Mobile suffered a data breach that exposed the private details of tens of millions of its users. To address the issue, T-Mobile promised its users free identity protection services.