April 6, 2023

Monthly Breach Report: April 2023 Edition

PKWARE

Reports indicate that there are as many as 2,200 cyber attacks per day, with an attack occurring every 39 seconds on average. Already this year, we’ve seen multiple high-profile cybersecurity incidents, some of which are recurring attacks from previous years or months, while others are big data leaks on small healthcare companies. A big name brand doesn’t protect an organization from attacks, as these household names recently experienced.

BMW Leaves the Doors Unlocked

German multinational luxury automobile manufacturer BMW recently took its eyes off the road, leaving sensitive files exposed to the public via an unprotected environment (.env) file and .git configuration files hosted on its official BMW Italy website. Traditionally stored locally, the environment files included data on production and development environments. Any threat actor could exploit the data, stealing website source code and potentially even accessing customer information.

On its own, none of the exposed information would be enough for attackers to compromise the BMW Italy website. However, the data could be used for reconnaissance: attackers could choose to use the data to find and access customer information. Additionally, because the .git configuration file contained the repository for the site’s source code, it could have been used to uncover additional vulnerabilities.

BMW holds a host of information about its users, including name, address, phone number, email, what vehicle they own, and the location of user phones if they have the BMW or Mini connected apps installed. That location data could increase the possibility of the car being stolen, since hackers would know whether you are near your vehicle or not. Drivers are cautioned to review suspicious emails and monitor banking activity.


Ferrari Sideswiped by Ransomware

March proved unkind to yet another high-end automobile manufacturer when Ferrari announced a ransomware attack that could result in exposure of customer contact details. The sports car maker discovered the attack upon receipt of a ransom demand, at which time it launched an immediate investigation with a third-party cybersecurity firm.

Ferrari has declared they will not pay the ransom, citing that “. . . paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.” Instead, the manufacturer notified clients and customers of potential data exposure, which includes names, addresses, email addresses, and phone numbers. At press time, there was no evidence suggesting that financial information or details on owned/ordered vehicles had been exposed. Nevertheless, a contact list of wealthy customers could still be worth its weight in gold to cybercriminals who may attempt to target customers via malicious emails.

While still unconfirmed, the popular theory is that ransomware gang RansomEXX is involved in the attack. Meanwhile, Ferrari has been working to improve system security.


ChatGPT Joins the Data Breach Ranks

On March 20, 2023, ChatGPT suffered its first data breach. The breach was discovered when OpenAI took ChatGPT offline to correct a bug in an open-source library that allowed some users to see titles from other users’ chat histories. While patching the bug, OpenAI uncovered that the same bug was potentially responsible for a larger issue: a personal data breach.

“In the hours before we took ChatGPT offline . . . it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time,” OpenAI officials stated.

AI has become the current fascinating trend, with many marketing and customer experience professionals using it to help bolster campaigns. Yet AI has also become another place where individuals share personal data with technology, and data privacy must remain at the forefront, or organizations risk facing significant consequences. For instance, Italy decided to temporarily ban ChatGPT after the data breach until it can investigate whether or not the breach constitutes a violation of GDPR. OpenAI is required to report what privacy measures it has enacted within 20 days or risk being fined either €20M or 4 percent of its annual global revenue.

Still others are pushing for AI regulation, with technology moguls and AI experts alike calling for a six-month pause in developing systems more powerful than the recently released ChatGPT-4.


Hacker Chirps about Stolen Twitter Source Code

Social media platform Twitter recently had portions of its source code leaked online via GitHub. The information, which included “proprietary source code for Twitter’s platform and internal tools,” was removed after Twitter filed a DMCA request.

Proprietary source code is considered by many organizations to be among the most closely guarded trade secrets. Source code may reveal software vulnerabilities and non-public internal workings, giving both attackers and competitors the leg up they need against the organization. Hackers commonly target source code, as seen previously in attacks on Microsoft and the Cyberpunk 2077 developer CD Projekt Red. The main concern over Twitter’s leaked code is that hackers would discover vulnerabilities that allow them to uncover private information about Twitter users, or even take the site down from the inside.

Twitter has filed with California courts to attempt to find the individual responsible, asking for the name, address, telephone number, email, social media profiles, and IP addresses of both the user who posted the code and any users who may have downloaded the data. Executives suspect a recently departed employee may be responsible for the leak; thousands have been laid off since the platform was purchased by Elon Musk.


Ransomware Gang Brags about SpaceX Blueprints

If the Twitter source code leak wasn’t headache enough, ransomware gang LockBit also claimed recently to have stolen data from a supplier to Elon Musk’s SpaceX. According to reports, LockBit breached the systems of Maximum Industries—which makes parts for SpaceX—and stole data that included approximately 3000 drawings certified by SpaceX engineers. The ransomware gang says it plans to auction off the drawings to other manufacturers. No details are available yet on how LockBit succeeded in hacking Maximum Industries.

LockBit entered the ransomware scene in early 2020. According to the United States Department of Justice, it has made a minimum of $100 million from ransom victims worldwide since then. The gang has been under investigation by the FBI since March 2020; the Bureau estimates there to be as many as 1000 victims across the globe.

SpaceX manufactures the Starship rockets that NASA is counting on to bring astronauts to the Moon’s surface in a few years, which means this leak could garner some additional unwanted attention from the government.


Big names and small, organizations of all shapes and sizes are targeted by cyber attackers every day. A data breach is a “when,” not an “if.” But even if you have no choice about being attacked, you can choose to protect your data so it is devalued in the event of a breach. Find out how PKWARE finds and protects all your data automatically without interrupting workflows. Get your free demo now.
