December 14, 2020

Monthly Breach Report: December 2020 Edition

PKWARE

Data breaches did not go easy on November 2020. Of the 103 most significant breaches reported, at least 586 data records were compromised, putting millions of individuals’ personal data at risk. The breaches were fairly evenly split between cyberattacks and ransomware, with internal errors the next most common breach type.

Someone Didn’t Get the Message

We have all been relying on tech to stay in touch with friends and family, in addition to co-workers, through the pandemic. But it’s not always safe: In November, it was widely reported that over 100 million users’ private messages, photos, documents, voice messages, and other media with personal data from popular Android messaging app GO SMS Pro had been publicly exposed.

The vulnerability seems to be, in part, the result of incomplete code and an unpatched bug in the version of the app released in February 2020. In August, experts discovered that private messages could be viewed by anyone who accessed the links the app intentionally generates for recipients who use the service without an account. Each link was a clickable URL to the shared media that anyone could open without prior authentication. The link redirects to a CDN server where GO SMS Pro stores the shared files, and adversaries could guess the sequence of other recipients’ URLs to retrieve other shared media and chats.

Cybersecurity experts attempted to contact GO SMS Pro and received no response, so the flaw was disclosed publicly once the 90-day deadline for company disclosure had passed. Reporters then began piecing the story together and warning people without a user account to stop using the GO SMS Pro messaging service. Although there has been a software update since the flaw was detected, it has not addressed the issue.
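What a service-side fix for guessable, unauthenticated share links can look like, as an added example that is not GO SMS Pro's code or part of the original report: tokens come from a CSPRNG, expire, and are stored only as hashes, and an audit helper flags counter-style identifiers. The class, function names, and sample identifiers are hypothetical and constructed for illustration.

```python
import hashlib
import secrets
import time


class ShareLinks:
    """Issues unguessable, expiring share tokens (hypothetical service-side store)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._by_digest = {}  # sha256(token) -> (file_id, expires_at)

    def issue(self, file_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_digest[digest] = (file_id, now + self.ttl)  # raw token is never stored
        return token

    def resolve(self, token, now=None):
        """Return the file id, or None for unknown or expired tokens."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._by_digest.get(digest)
        if entry is None:
            return None
        file_id, expires_at = entry
        if now >= expires_at:
            del self._by_digest[digest]  # expired links stop working for everyone
            return None
        return file_id


def looks_sequential(ids, base=16, max_gap=4):
    """Audit check: True if issued ids parse as numbers with small positive steps."""
    try:
        values = [int(i, base) for i in ids]
    except ValueError:
        return False  # not numeric in this base, so not a simple counter
    if len(values) < 3:
        return False
    gaps = [b - a for a, b in zip(values, values[1:])]
    return all(0 < g <= max_gap for g in gaps)


# Constructed sample: identifiers a counter-based scheme would hand out in order
WEAK_IDS = ["5fa41b", "5fa41c", "5fa41d", "5fa41f"]
```

Running `looks_sequential` over a sample of identifiers your own service has issued is a quick regression check that link generation has not fallen back to a counter.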


Off-Key Music

Spotify subscribers might have noticed some funky business in November. A credential-stuffing operation accessed 350,000 or more accounts, passwords, and other personal data such as email addresses and countries of residence, all held in an Elasticsearch database. The database holding these data elements does not actually belong to Spotify.

So far, it’s not known how the credentials were obtained, nor where the offending database originated. The exposed data elements could be used to identify users through their personal information. The fraudsters who secured the data could sell the personal information to other criminals, who could then build false profiles and use them against the real individuals in financial fraud and identity theft schemes.

These types of account takeovers (ATOs) have been growing in frequency throughout 2020. The infiltrators take advantage of lax company practices in securing personal information and accounts. Conversely, companies that protect personal data with encryption and other obfuscation techniques can protect their customers’ identities from hackers.


Not All Fun And Games

Japanese mega-giant video games creator Capcom found out early in November that it had been the target of extensive hacking through a Ragnar Locker ransomware infection. The company is well known for creating a host of popular multi-million revenue-generating game franchises, as well as an array of games based on Disney® animations.

The ransomware infection exposed customer records and compromised personal data of customers, business partners, employees, and others. In addition, data on their servers was corrupted, encrypted, and destroyed. Over 350,000 elements of PII were likely exposed. The company reported that some of its financials and sales reports were also impacted, as were some future product release dates. Because payments are handled by a third party, no credit card data was included in the breach.

Although more investigation and research are needed to ascertain the full damage, the company’s forthcoming attitude in noting the leak’s massive potential impact and contacting specific individuals they believe may have been affected is positive and admirable. Capcom is working with law enforcement both in Japan and the US, and has created a new cybersecurity advisory board.


Do a Temperature Check

In the midst of a global pandemic, professionals in health care around the world continue to have to manage fraudsters’ theft and threats of releasing sensitive personal, financial, and health data of patients. Cybercrimes affecting hospitals are incredibly expensive, often costing millions of dollars to repair data breaches and resulting in costly downtime.

In Iowa, Mercy Hospital experienced a phishing attack when a third party used an employee’s email account to send phishing emails to over 60,000 individuals whose personal data was compromised. Affected personal data included names, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, financial records, and health insurance information. With both Social Security numbers and the corresponding driver’s license numbers exposed, individuals are vulnerable to identity theft.

In Delaware, it was announced mid-November that a public health temporary employee inadvertently sent an unencrypted email to an unauthorized person. The content included extraordinarily sensitive information regarding COVID-19 tests of over 10,000 individuals, including names, dates of test, locations of tests, birthdates, phone numbers, and test results. The person who erroneously received the email notified DHSS and also reported deleting the emails and files attached. Further measures are being taken to prevent an event like this from recurring.


Ecommerce Continually Targeted

In India, top online grocer BigBasket reported that over 20 million customers’ personal information was stolen in a data breach and is now being sold on the dark web. Stolen data includes full names, email IDs, password hashes, PINs, contact numbers, physical addresses, birth dates, IP addresses and locations, and possibly payment information.

Major ecommerce platforms are also being attacked. X-Cart offers digital presence to over 30,000 companies with web design, ecommerce hosting, over a hundred payment gateways, advertising add-on apps and tools, and support for enterprises and small businesses through omnichannel international offerings. Their merchants sell over $3 billion in volume a year, with nearly 40,000 online stores. And in November, X-Cart reported a ransomware attack that caused outages, scrambling customer orders and changing settings, affecting customers on their shared hosting plans. The ecommerce giant’s only way to get back online was to restore systems from backups, which meant losing data from previous days. The company has not yet released a report of the ransomware’s strain or impact, but it is thought the attack likely came through third-party support software gaining access to the hosting systems.


Failed PCI Compliance Leaves a Door Unlocked

Cloud Hospitality, owned by Prestige Software of Barcelona and Madrid, Spain, was a ripe target for cyber pilfering in November. A misconfigured cloud bucket was found to hold personal data that was continuously being updated with fresh data, including highly sensitive data dating back to 2013. In the last four months alone, more than 180,000 records that included the private personal data of more than one person were exposed.

According to cybertheft analysts, Prestige Software likely could have avoided exposing over 10 million individual log files of people’s private data. This breach puts Prestige Software in violation of the Payment Card Industry Data Security Standard (PCI DSS).


Start the new year out right by fiercely protecting individuals’ personal, financial, and health data. Get started with a free demo.
