Data Breaches News and Analysis
Sleeping on the job? Verlo Mattress Factory exposes database
It looks like Verlo Mattress Factory forgot to leave off the last “S” for security: A security researcher has come across an open Elastic database set containing 387,000 records associated with customers of Verlo Mattress Factory. Jeremiah Fowler, senior security researcher with SecurityDiscovery.com, reported that he discovered the non-password protected database on September 5 that…
Thinkful confirms breach
On the heels of its acquisition by Chegg, developer education site Thinkful said an unauthorized third party had breached its systems. “We recently discovered that an unauthorized party may have gained access to certain Thinkful company credentials so, out of an abundance of caution, we are notifying all of our users,” company Vice President of…
Report: Scotiabank exposed source code and credentials on GitHub repositories
For months in some instances, Canadian banking giant Scotiabank reportedly stored highly sensitive digital property on a series of publicly open and accessible GitHub repositories, potentially exposing its internal source code, login credentials and access keys. The financial institution had the repositories “torn down” earlier this week after being alerted to the error, according to…
Cyber insurance premium costs rise 5 percent for 2019, despite increased attacks
The average cost for cyber insurance rose about five percent in 2019 despite the large increase in the number of attacks and claims files, a new report has found. The business insurance advisory firm AdvisorSmith told SC Media this counter intuitive result is due to the fact that while claims rose 20 percent in 2018…
Malinda Air locks down publicly exposed servers
Indonesian budget airline Malindo Air reported on September 19 it had locked down the formerly publicly exposed servers that had compromised passenger data. The airline had confirmed just one day prior that passenger data had been compromised and that it was working with Amazon Web Services and its e-commerce partner GoQuo to investigate the problem.…
GootKit actors leave open databases, exposing data they stole
The actors behind the information-stealing GootKit trojan apparently slipped up and left open two MongoDB databases last July, briefly exposing data that they had lifted from thousands upon thousands of infected victims. Bob Diachenko, cyber threat intelligence director at Security Discovery, revealed in a company blog post yesterday that he spotted the open servers last…
Report: Russian man to plead guilty to financial firm hacks
Russian Andrei Tyurin will reportedly plead guilty to taking part in a cybercriminal campaign that targeted the U.S. financial sector and stole personal data from roughly 100 million customers of various firms. Citing court documents filed last Friday, Bloomberg reported yesterday that Tyurin, 36, has reached a plea deal with federal prosecutors in New York,…
Millions of medical records exposed online
HIPAA be damned – medical records, including images and data, on more than five million patients in the U.S. and millions of others worldwide lie unprotected online in full view of anyone with the wherewithal to look and a web browser. A Pro Publica investigation unearthed 187 servers in medical systems across the country that…
Exposed server leaks PII on all 16.6 million Ecuador citizens
If another leaky Elasticsearch server may seem a little anticlimactic, considering how frequently they occur, the latest find by security researchers might have more of a “wow” factor since it exposed information on nearly all of Ecuador’s 16.6 million citizens, 6.7 million of them children. “The irresponsible handling of Personally Identifiable Information (PII) has literally…
FEMA offers free credit monitoring after mishandling disaster survivors’ data
The Federal Emergency Management Agency (FEMA) last week publicly acknowledged that for roughly 10 years it unnecessarily exposed the personally identifiable information of roughly 2.5 million disaster survivors to a third-party contractor. FEMA does not believe citizens’ data was compromised due to the error, which was originally reported last month by the U.S. Department of Homeland…
Misconfigured database exposes 198M records on prospective auto buyers
Dealer Leads, LLC, a digital marketing company for car dealerships, was discovered last month to have exposed an Elastic database that contained 198 million records on prospective automotive buyers. Publicly accessible information included the plain-text names, email addresses, phone numbers, home addresses and IP addresses of visitors to numerous websites affiliated with Dealer Leads, cybersecurity…
Secret Service probing breach at federal IT contractor
Credentials and email messages pilfered in a breach of a federal government contractor that could be used to access the contractor’s systems and those of its customers – including the U.S. Department of Transportation, the National Institutes of Health (NIH), and the U.S. Citizenship and Immigration Services (USCIS) – were auctioned off in a Russian cybercrime site in August, prompting…
North Carolina Boy Scouts PII compromised
A third-party vendor that handles sales for the Boy Scouts of America suffered a data breach exposing the PII of up to 12,900 Mecklenburg County Council scouts. Trails End last week told the North Carolina Scouts that information including children’s full names, dates of birth, email addresses, phone number, parent names, favorite product and affiliation…
CirclCI data breach exposed customer GitHub and Bitbucket logins
The software integration firm CircleCI is informing its clients a third-party analytics vendor suffered an incident exposing login information for their GitHub and Bitbucket accounts. The company said in a statement it was informed of the breach on August 31, but affected customers who accessed the CircleCI platform starting June 30, 2019. The information compromised…
Webcomic XKCD forum user data exposed
In an incident practically ripped from the plot of one of its own stories, the webcomic XKCD reported that user data from its online forum section was found in an exposed database. XKCD, which labels itself a “webcomic of romance, sarcasm, math, and language,” posted in a brief note that portions of its PHPBB user…
Half a million Teletext Holidays files unsecured
UK-based travel company Teletext Holidays left a trove of its customer data unsecured, exposing 530,000 files including some to 200,000 audio files of calls made by customers. The Amazon Web Services (AWS) server, left unsecured for three years, showed the names of the users, their email and home addresses, telephone numbers and dates of birth, reported…
Aliznet exposed database leaks data on 2.5 million Yves Rocher customers
Personal information on customers of French retail consultancy Aliznet were exposed through an unprotected Elasticsearch server. “The most sensitive leaked data involves [2.5 million Canadian] customers of Aliznet’s client Yves Rocher, an international cosmetics and beauty brand,” according to a blog post by vpnMentor, whose research team led by Noam Rotem and Ran Locar discovered…
Flight booking site Option Way exposed personal info on customers
A data breach at flight booking site Option Way exposed personal details on passengers and their flight and travel plans. Researchers at vpnMentor led by Noam Rotem and Ran Locar were “able to access over 100 GB of data, a massive amount of customers’ unencrypted Personally Identifiable Information (PII),” including names, birth dates, gender email addresses,…
Foxit forcing customer password resets after data breach
Foxit Software is forcing its customers to reset their passwords in response to an unauthorized party gaining access to user accounts. The company, which makes PDF Reader and PDF Edit, did not say when it discovered the data breach, but made its first public report on the incident on August 30. Those affected participate in…
Despite concerns over breaches, 40% of cardholders have provided Social Security numbers online
Two years after the Equifax breach, four in 10 consumers holding credit or debit cards have included their full Social Security numbers on an online form, a new report has found. In research conducted for the second year in a row to mark the anniversary of the 2017 Equifax breach that exposed the personal information…
