Breach, Data Security, Incident Response, TDR, Vulnerability Management

PR Newswire alerts customers to change passwords following breach

PR Newswire announced Wednesday that it became the latest company to be breached by a group of attackers said to also be responsible for striking LexisNexis, the National White Collar Crime Center (NW3C) and Adobe.

“Notwithstanding our efforts, we recently learned that a database, which primarily houses access credentials and business contact information for some of our customers in Europe, the Middle East, Africa and India, was compromised,” Ninan Chacko, CEO of PR Newswire, said in a statement.

Additionally, a PR Newswire spokesperson told SCMagazine.com on Thursday that details beyond the official statement could not be provided due to an ongoing investigation.

Preliminary findings revealed customers likely did not have payment data compromised, according to the Chacko statement, but the marketing and communications provider is making a password reset mandatory for all account holders.

Alex Holden, CISO at information security services company Hold Security, the organization that uncovered details of the incidents and – along with technology journalist Brian Krebs – alerted affected companies, told SCMagazine.com on Thursday that partial website source code and configuration data was accessed, along with a database of PR Newswire customers that includes passwords.

Holden said he is almost certain the same hacker group is at work here because the PR Newswire data was discovered hidden within an image “that was over a hundred megabytes” and stored on the attackers' repository server, which housed source code stolen from Adobe.

A couple of weeks ago, Adobe announced to nearly three million of its customers that their credit card data had been breached and that intruders had stolen product source code.

Holden said that PR Newswire was deliberately targeted and pointed to evidence, dated Feb. 13, of a significant attack aimed at the company's multiple networks hitting more than 2,000 IP addresses using ColdFusion exploits. The attack came from a different server used by the same group of attackers, Holden added.

“What still confuses me is why PR Newswire was targeted,” Holden said, adding there are other companies that have been hit by these attacks. “PR Newswire does not have many financial records to the best of my knowledge – and in their statement they don't believe any were taken.”

Meanwhile, PR Newswire said it is taking measures to ensure this type of incident does not happen again.

“We continue to refine our security approach in light of the ever-changing nature of threats and implement security enhancements on a regular basis,” Chacko said in the statement. “From an internal perspective, we continue to implement security improvements and additional protocols to help further protect user portals and customer and proprietary information.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.