
California Pizza Kitchen Spilled 100K+ Employee SSNs in Data Breach

 

A data breach at California Pizza Kitchen (CPK) exposed the names and Social Security numbers (SSNs) of over 100,000 current and former employees.

According to a Data Breach Notification released on the Maine Attorney General's website, the "external system breach" happened on Sept. 15 at the popular U.S. pizza chain, impacting 103,767 people. CPK was formed in 1985 in Beverly Hills, California, and now has over 250 locations across 32 states. As per the statement, CPK identified suspicious behaviour in its computing environment on or about Sept. 15 and responded swiftly to mitigate and investigate the incident with third-party IT professionals. 

In the notice CPK sent to affected residents of Maine, the company stated, “CPK immediately secured the environment and … launched an investigation to determine the nature and scope of the incident.”

According to the notice, by Oct. 4 investigators had determined that some files on CPK's computers "could have been accessed without authorization." According to the company, by the end of the initial investigation on Oct. 13, it was evident that the breach had provided attackers with the names of former and current employees, as well as their Social Security numbers.

On Monday, Nov. 15, CPK notified all persons affected by the incident. According to the firm, there is no evidence at this time that the information acquired has been misused by cybercriminals. No details have been released about the type of breach that occurred or how the attackers gained access to the system. CPK did not immediately respond to Threatpost's request for comment on the incident.

The firm is currently assessing its existing security standards and has adopted additional measures, such as safeguards and employee training, to help prevent future incidents.

Employee training, according to one security expert, is a critical component of preventing breaches like these, which are all too common at firms that hold sensitive information on their networks but generally employ personnel with no specialized knowledge of how security breaches occur.

Al-Khalidi, co-founder and co-CEO of security firm Axiad, stated in an email to Threatpost, “Every business like California Pizza Kitchen possesses valuable PII data which makes them a prime target for attackers. To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene.” 

He believes that ongoing training may help reinforce a company's overall security defense by preventing employees from falling prey to phishing or other social engineering attacks that can bring a whole IT system down.

Wind River Security Incident Exposed Personnel Records, SSNs, Passport Numbers

 

Wind River Systems warned on Friday of a "security incident" that had exposed personnel records. Wind River Systems, also known as Wind River, is an Alameda, California-based wholly owned subsidiary of TPG Capital. Wind River Systems was formed by a partnership of Jerry Fiddler and Dave Wilner. In 2009, Wind River was acquired by Intel. In 2018, Intel spun out its Wind River division, which was then acquired by TPG Capital. The company develops embedded system software consisting of run-time software, industry-specific software, simulation technology, development tools, and middleware.

One or more files were downloaded from the organization's network on or about September 29, 2020, it said. “We have been working with law enforcement and outside experts to investigate a security incident that occurred toward the end of September,” according to the security-incident notice, filed with California's Attorney General as part of the state's data breach notification requirements. “We have no indication that any information in these files has been misused.”

Wind River said that the full scope of data affected includes dates of birth, SSNs, social insurance, driver's license or public national identification numbers, passport or visa numbers, health data, or financial account information. However, details regarding the specific health data that was affected remain unclear. If accessed, this sort of information can give cybercriminals what they need for identity theft, phishing, and more. It is unclear how many people were affected, and whether those affected include any customers. As of 2018, the organization had 1,200 workers. The notice also does not describe the circumstances in which the files were downloaded from Wind River's network.

The organization said in its notice that it is not aware of any “actual or attempted misuse” of individual data as a result of the event. “Recent searches by our experts did not uncover any of these files online,” according to Wind River. The organization said that it has installed extra security monitoring tools and implemented new processes as a result of the incident. Meanwhile, it is advising those affected to stay vigilant by monitoring their credit reports.