Blog

Monthly Breach Report: December 2019 Edition

With year-end rapidly approaching, the trend of growing cyber breaches continues. Here’s a list of prominent data breaches that occurred over the last month.

T-Mobile

US-based T-Mobile issued a data breach notification stating that a million of its customers’ data was compromised, including details like customers’ names, billing addresses, phone numbers, account numbers, rates, plans, and calling features. The security mishap came to the forefront by T-Mobile early last month. Representatives have clarified that payment and credit card data were not breached in this attack. The wireless network operator has further revealed that the data leak affected less than 1.5 percent of its overall customer base.

For the second time in two years, T-Mobile became the target of a nasty data hack. A similar incident occurred in August 2018 when approximately two million customers of T-Mobile had to bear the brunt of a security hack. Although the incident didn’t result in theft of any financial data or Social Security numbers, other key data exposed in the incident included names, billing zip codes, phone numbers, email addresses, account numbers, and account types (prepaid or post-paid).

A statement from T-Mobile said, “Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to the authorities. None of your financial data (including credit card information) or Social Security numbers were involved, and no passwords were compromised.”

Source:
PYMNTS

Church’s Chicken

A payment card breach affecting a minimum 160 Church’s Chicken restaurants in the US was the result of a compromised payment processing systems. Although the breach happened in October this year, the company has yet to find out the full scale of this security breach.

Atlanta-based Church’s Chicken is a quick-service restaurant chain with 1,500 locations across 23 countries globally. In the US, Church’s Chicken has 1,000 locations in 29 US states with the majority of them being franchised instead of corporate-owned.

According to a statement issued by Church’s Chicken, the breach impacted the corporate-owned restaurants only. None of the franchised locations and customers who placed orders via Uber Eats and DoorDash were part of this cyber breach that hit 11 US states, including Alabama, Arkansas, Florida, Georgia, Illinois, Louisiana, Mississippi, Missouri, South Carolina, Tennessee, and Texas.

Church’s Chicken has initiated a probe into this matter by collaborating with a prominent cybersecurity forensics firm to understand the extent to which the incident may have impacted. Moreover, it has informed the law enforcement authorities, payment card networks, and credit monitoring agencies about this cybersecurity breach.

Source:
Mobile Payments Today

Macy’s

Data hackers infiltrated Macy’s online store, exposing client payment information. A letter issued by Macy’s states the breach occurred on October 7 and was discovered and removed on October 15. This is Macy’s second data hack involving credit card details of customers took place. Cyber-thieves attacked Macy’s last year in a similar incident.

This US-based iconic retail giant notified the affected shoppers stating that the hackers stole payment data from the “Checkout” and “My Wallet” page. Reports suggest that Magecart, famous for injecting payment card skimmers into ecommerce websites, was the mastermind behind this attack. Considering the breach into account, Macy’s has ramped up security measures to avoid such incidents, informed the federal law enforcement about the mishap and collaborated with prominent forensics company to investigate the issue.

The retailer has also advised customers to keep a close watch on their credit card statement for any fraudulent activity. Meanwhile, Macy’s has decided to provide a free year of the Experian IdentityWorks credit monitoring service to the affected customers. The Cincinnati-based retailer ranks among one of the most popular websites in the US.

Source:
TechSpot

Disney Plus

A data breach impacted thousands of Disney Plus users after cyber thieves stole their account details and resold them on underground cybercrime forums. The news came as a rude shock considering Disney Plus is a new subscription-based streaming service Disney had only launched one month prior.

New reports suggest the security breach occurred within hours of the Disney Plus launch. The compromised data (including the type of subscription and expiration date) were up for sale on the dark web for as little as $3.

Users complained that hackers accessed their Disney Plus accounts, then changed the password and email associated with their account, locking them out of the service.

To get support help, victimized Disney Plus users waited on telephone and online chat lines for several hours. Meanwhile, Disney said that they pay utmost importance to their users’ security and didn’t find any indication of a security hack to its systems. The entertainment giant said that the hackers may have used spyware on users’ devices or stole re-used login credentials.

Disney launched the streaming service to compete with Netflix in which members could view its 500 movies and 7,500 TV episodes from Disney, Pixar, Marvel, Star Wars, and National Geographic. In the first week of Disney Plus’ launch, 10 million people signed up for it. Currently, it is available in the US, Australia, Canada, New Zealand, and the Netherlands only.

Source:
BBC

Desjardins Group

Desjardins Group announced that a data breach from earlier this year impacted its 4.2 million members. The scope of the breach is much larger than previously anticipated. When first discovered, the government took steps to safeguard the personal data in Quebec.

In June, the Canadian Cooperative clarified that unauthorized use of internal data by an employee led to personal data being breached for 2.7 million members and 137,000 business customers. Last month, Desjardins Group shared an update claiming that the breach affected 4.2 million members, compromising information such as social insurance numbers, addresses, and banking habit details of the data.

With seven million members, the Canadian cooperative is the largest federation of credit unions (also known as caisses) in North America. Starting in July of this year, Desjardins identity protection offered coverage of up to CA $50,000 for the expenses related to identity theft offered protection to all members engaged in banking activities in Quebec and Ontario.

To help the affected members, the co-op will provide access to lawyers and experts apart from reimbursing them for the expenses incurred due to the theft. Members may choose to avail the credit monitoring service of Desjardins that sends alerts if personal data undergoes change or requests for new credit inquiries.

Source:
Reuters

Palo Alto Networks

American Multinational Palo Alto Networks encountered a nasty digital attack, leaking personal information of both previous and existing employees. According to news reports, a former employee of Palo Alto Networks revealed that a breach hit the business giant.

The cybersecurity company confirmed that a third-party vendor posted the personal data of about seven present and former employees online in February this year. Compromised information included names, dates of birth, and Social Security numbers of the employees. The company didn’t disclose the external contractor’s name who was responsible for this security lapse as Palo Alto Networks wasn’t sure of the motive of the breach.

Meanwhile, a statement from the cybersecurity company said, “We took immediate action to remove the data from public access and terminate the vendor relationship. We also promptly reported the incident to the appropriate authorities and to the impacted individuals. We take the protection of our employees’ information very seriously and have taken steps to prevent similar incidents from occurring in the future.”

Source:
TechRadar

One Plus

Chinese smartphone manufacturer OnePlus encountered a data leak last month when an unauthorized party accessed their user data. The Shenzhen-based company confirmed on its website’s FAQ page that the data breach exposed sensitive details from particular customers’ orders including their phone numbers, names, and address details.

It also stated that an existing vulnerability resulted in the data breach and the hackers leveraged this security lapse to gain access to the order details of few customers only. The security team of OnePlus discovered the breach. They clarified that payment-related data, passwords, and accounts were safe and that the breach didn’t target all its customers. The company has issued a security notification to the impacted users via email that included the possible reason of breach and remedial steps taken. Post this security hack, the business major has ramped up its security measures and requested affected customers to be cautious.

According to an official statement from OnePlus, “We are continually upgrading our security program—we are partnering with a world-renowned security platform next month and will launch an official bug bounty program by the end of December.”

For the second time in two years, OnePlus became the target of cybercriminals. In January last year, a similar incident affected up to 40,000 customers of OnePlus forcing the smartphone maker to stop credit card payments on its ecommerce platform.

Source:
ZDNet

Don’t be next month’s data breach headline. Find out how PKWARE can help you safeguard your data. Learn more with a free demo.