Data Breaches News and Analysis
Hackers add bogus scores to Trump’s U.S. Golf Association account
Hackers accessed President Trump’s U.S. Golf Association account and added four fake golf scores for games allegedly played at two courses. After being alerted to media reports, “as we dug into the data it appears someone has erroneously posted a number of scores on behalf of the GHIN user,” Golfweek cited Craig Annis, the managing…
Open database, poor decision making exposes PII of 8 million
The recent mistaken exposure of the information of 8 million people due to an open Elasticsearch database exposed the danger not only of cloud storage security, but the importance of individuals keeping their personal information close to the vest. Security researcher Sanyam Jain came across a database belonging to Ifficient, a company that gathered leads…
New Jersey amends data breach law, expanding definition of personal info
New Jersey last week officially passed Bill S-52, which amends its previous data breach notification law. Governor Phil Murphy signed the bipartisan legislation into law on May 10, after the bill sailed through the state’s General Assembly and Senate last February. The new law expands the definition of what constitutes personal information that, if exposed in…
Boost Mobile breached
Boost Mobile was hit with a breach which affected an unknown number of customer accounts. “Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code,” the company said in a notification. “The Boost Mobile fraud team discovered the incident and was able…
Hackers access, steal info from 460K Uniqlo Japan online accounts
Hackers stole data, including partial credit card numbers, on 460,000 Uniqlo Japan online customers in an incident that took place between April 23 and May 10. “We deeply apologize to our customers and pledge to prevent this from happening again,” according to a statement from Fast Retailing Co., the parent of Uniqlo and GU Japan, which…
Anti-virus vendors named in Fxmsp’s alleged source code breach respond
McAfee, Symantec and Trend Micro are reportedly the anti-virus companies whose source code the cybercriminal group Fxmsp claims to have stolen. Comments issued by the vendors minimized the threat, although Trend Micro did confirm that a breach had occurred. Last week cybersecurity firm Advanced Intelligence (AdvIntel) reported in a company blog post that Fxmsp was…
Equifax data breach recovery costs pass $1 billion
In Equifax’s latest Security and Exchange Commission filing the company is estimating it has spent about $1.4 billion recovering from its 2017 data breach that exposed the PII of 148 million customers, according to a published report. This includes a $690 million charge made during the first quarter of 2019 related to outstanding litigation and…
Report: Hackers claim compromise of four AV firms, offer source code for sale
A high-profile hacking collective claims it compromised the networks of four premiere U.S. anti-virus vendors, and is offering to sell their stolen source code for $300,000, according to researchers. The cybercriminal group, called Fxmsp, is known for breaching corporate and government networks, then selling their digital assets via a network of proxy resellers, according to…
Verizon Breach Report: Attacks on top executives and cloud-based email services increased in 2018
Social engineering attacks against C-level executives, hacks of cloud-based email servers, and compromises of payment card web apps were all notably up last year, according to the newly released 2019 Verizon Data Breach Investigations Report (DBIR). Other key takeaways from the past year included a marked decrease in successful attacks against physical point-of-sale terminals and…
Amazon hackers stole funds from merchant accounts
Hackers stole funds from approximately Amazon.com Inc. Seller Central merchant accounts during a six-month period in 2018. Between May and October 2018 the miscreants nicked cash from the accounts and directed the money into their own Barclay plc and Prepaid Technologies Ltd. accounts, Bloomberg cited a formerly redacted U.K. legal filing as saying. In the…
Samsung leaked SmartThings app source code and secret keys
A security researcher at a Dubai-based cybersecurity firm SpiderSilk discovered a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform. The researcher, Mossab Hussein, found Samsung engineers had left dozens of internal coding projects on a GitLab instance hosted…
Hackers hold 275M records on Indian citizens for ransom after removing them from open database
One week after a researcher revealed a publicly configured database exposing more than 275 million sensitive records on Indian citizens, a hacking group removed that data and replaced it with an apparent ransom note. The 275,265,298 records appear to have been collected in a large-scale data scraping operation, according to researcher Bob Diachenko, who found…
Canada’s Freedom Mobile Elasticsearch database exposed
Researchers are claiming to have found an open Elasticsearch database containing 5 million records related 10 1.5 million Freedom Mobile customers — figures disputed by the telecommunications company. Noam Rotem and Ran Locar from vpnMentor said they came across the database on April 17 and attempted to contact Freedom Mobile on April 18 and 23…
Federal bill to curtail CBP PII reveals, Illinois tackles digital assistant eavesdropping
A bipartisan group of Senators plan to introduce a bill that would stop U.S. Customs and Border Protection (CBP) from selling the PII of citizens who move out of the country. The bill, sponsored by Senators Steve Daines, R-Mont., and Gary Peters, D-Mich., addresses a loophole that allows CBP to sell certain pieces of personal…
Buena Vista Horace Mann student data compromised
An unknown number of students at Buena Vista Horace Mann (BVHM) school in San Francisco had their information exposed when a district worker emailed their information to unauthorized individuals. The error occurred on April 10 when the email containing student identification numbers, student names, and student usernames and default passwords for San Francisco Unified School…
Oracle, Airbus, Toshiba, and Volkswagen financial data leaked following cyberattack
Threat actors stole financial data from a company that provides internet infrastructure for dozens of the world’s largest companies including Oracle, Airbus, Toshiba, and Volkswagen. The cybercriminals stole data from Germany-based CITYCOMP, which provides servers, storage and other computer equipment to other enterprise-level organizations and subsequently blackmailed the firm and threatened to publish the stolen…
Info on 80 million American households found in open database
A cybersecurity research team has found an unidentified open database containing 24GB of records detailing information on 80 million American households. VPNMentor’s research team of Noam Rotem and Ran Locar found the database hosted on a Microsoft cloud server containing extremely detailed information about individual homes ranging from the owners name, address, age, map coordinates…
Docker Hub database access compromises 190,000 accounts
Docker Hub reported a single database was accessed by an unauthorized user on April 25 exposing 190,000 accounts. The company did not indicate how the database was accessed, but it is asking users to reset their Docker Hub password. Exposed information included usernames and hashed passwords for a small percentage of users as well as…
Flaw in Columbia, S.C., website search tool exposed database, SMPT server passwords
A misconfiguration in the search tool on the city of Columbia, S.C. website had a security flaw that could have exposed database and SMPT server passwords. Independent Researcher Arif Khan discovered the flaw in the fall and began trying to contact the city to disclose, tweeting in November, “Hi @CityofColumbia, A security issue has been detected…
FBI fielded roughly $2.7 billion worth of Internet crime complaints in 2018
The FBI’s Internet Crime Complaint Center (IC3) received nearly 352,000 complaints related to cybercrime activity that collectively was responsible for $2.7 billion in losses, according to the agency’s 2018 Internet Crime Report. The three most commonly reported internet crimes last year were non-payment/non-delivery scams (i.e. the scammer never pays for or never ships ordered merchandise),…
