Data Breach news and analysis | SC Media

Data Breaches News and Analysis

Sleeping on the job? Verlo Mattress Factory exposes database

It looks like Verlo Mattress Factory forgot to leave off the last “S” for security: A security researcher has come across an open Elastic database set containing 387,000 records associated with customers of Verlo Mattress Factory. Jeremiah Fowler, senior security researcher with SecurityDiscovery.com, reported that he discovered the non-password protected database on September 5 that…

Thinkful confirms breach

On the heels of its acquisition by Chegg, developer education site Thinkful said an unauthorized third party had breached its systems. “We recently discovered that an unauthorized party may have gained access to certain Thinkful company credentials so, out of an abundance of caution, we are notifying all of our users,” company Vice President of…

Report: Scotiabank exposed source code and credentials on GitHub repositories

For months in some instances, Canadian banking giant Scotiabank reportedly stored highly sensitive digital property on a series of publicly open and accessible GitHub repositories, potentially exposing its internal source code, login credentials and access keys. The financial institution had the repositories “torn down” earlier this week after being alerted to the error, according to…

Malindo Air locks down publicly exposed servers

Indonesian budget airline Malindo Air reported on September 19 it had locked down the formerly publicly exposed servers that had compromised passenger data. The airline had confirmed just one day prior that passenger data had been compromised and that it was working with Amazon Web Services and its e-commerce partner GoQuo to investigate the problem.…

GootKit actors leave open databases, exposing data they stole

The actors behind the information-stealing GootKit trojan apparently slipped up and left open two MongoDB databases last July, briefly exposing data that they had lifted from thousands upon thousands of infected victims. Bob Diachenko, cyber threat intelligence director at Security Discovery, revealed in a company blog post yesterday that he spotted the open servers last…

Report: Russian man to plead guilty to financial firm hacks

Russian Andrei Tyurin will reportedly plead guilty to taking part in a cybercriminal campaign that targeted the U.S. financial sector and stole personal data from roughly 100 million customers of various firms. Citing court documents filed last Friday, Bloomberg reported yesterday that Tyurin, 36, has reached a plea deal with federal prosecutors in New York,…

Exposed server leaks PII on all 16.6 million Ecuador citizens

While another leaky Elasticsearch server may seem a little anticlimactic, considering how frequently they occur, the latest find by security researchers might have more of a “wow” factor since it exposed information on nearly all of Ecuador’s 16.6 million citizens, 6.7 million of them children. “The irresponsible handling of Personally Identifiable Information (PII) has literally…

FEMA offers free credit monitoring after mishandling disaster survivors’ data

The Federal Emergency Management Agency (FEMA) last week publicly acknowledged that for roughly 10 years it unnecessarily exposed the personally identifiable information of roughly 2.5 million disaster survivors to a third-party contractor. FEMA does not believe citizens’ data was compromised due to the error, which was originally reported last month by the U.S. Department of Homeland…

Misconfigured database exposes 198M records on prospective auto buyers

Dealer Leads, LLC, a digital marketing company for car dealerships, was discovered last month to have exposed an Elastic database that contained 198 million records on prospective automotive buyers. Publicly accessible information included the plain-text names, email addresses, phone numbers, home addresses and IP addresses of visitors to numerous websites affiliated with Dealer Leads, cybersecurity…

Secret Service probing breach at federal IT contractor

Credentials and email messages pilfered in a breach of a federal government contractor that could be used to access the contractor’s systems and those of its customers – including the U.S. Department of Transportation, the National Institutes of Health (NIH), and the U.S. Citizenship and Immigration Services (USCIS) – were auctioned off on a Russian cybercrime site in August, prompting…

North Carolina Boy Scouts PII compromised

A third-party vendor that handles sales for the Boy Scouts of America suffered a data breach exposing the PII of up to 12,900 Mecklenburg County Council scouts. Trails End last week told the North Carolina Scouts that information including children’s full names, dates of birth, email addresses, phone numbers, parent names, favorite product and affiliation…

CircleCI data breach exposed customer GitHub and Bitbucket logins

The software integration firm CircleCI is informing its clients that a third-party analytics vendor suffered an incident exposing login information for their GitHub and Bitbucket accounts. The company said in a statement that it was informed of the breach on August 31, but that the affected customers are those who accessed the CircleCI platform starting June 30, 2019. The information compromised…

Webcomic XKCD forum user data exposed

In an incident practically ripped from the plot of one of its own stories, the webcomic XKCD reported that user data from its online forum section was found in an exposed database. XKCD, which labels itself a “webcomic of romance, sarcasm, math, and language,” posted in a brief note that portions of its PHPBB user…

Half a million Teletext Holidays files unsecured

UK-based travel company Teletext Holidays left a trove of its customer data unsecured, exposing 530,000 files including some 200,000 audio files of calls made by customers. The Amazon Web Services (AWS) server, left unsecured for three years, showed the names of the users, their email and home addresses, telephone numbers and dates of birth, reported…

Aliznet exposed database leaks data on 2.5 million Yves Rocher customers

Personal information on customers of French retail consultancy Aliznet was exposed through an unprotected Elasticsearch server. “The most sensitive leaked data involves [2.5 million Canadian] customers of Aliznet’s client Yves Rocher, an international cosmetics and beauty brand,” according to a blog post by vpnMentor, whose research team led by Noam Rotem and Ran Locar discovered…

Flight booking site Option Way exposed personal info on customers

A data breach at flight booking site Option Way exposed personal details on passengers and their flight and travel plans. Researchers at vpnMentor led by Noam Rotem and Ran Locar were “able to access over 100 GB of data, a massive amount of customers’ unencrypted Personally Identifiable Information (PII),” including names, birth dates, gender, email addresses,…

Foxit forcing customer password resets after data breach

Foxit Software is forcing its customers to reset their passwords in response to an unauthorized party gaining access to user accounts. The company, which makes PDF Reader and PDF Edit, did not say when it discovered the data breach, but made its first public report on the incident on August 30. Those affected participate in…