Monthly Breach Report: February 2020 Edition
No organization wants to be a victim of a phishing attack, but the sad reality is that it can and does happen to businesses on a daily basis. Hardly a day goes by without data breaches grabbing headlines. Believe it or not, Europe reported more than 160,000 data breach notifications since the GDPR came into effect on May 25, 2019.
Undoubtedly, data is one of the most crucial assets a company has, and with the emergence of The Data Economy, organizations are generating economic growth by leveraging data insights to improve their products and customer experience, find new markets, and remain competitive. Having said that, the truth is many organizations are struggling to be proactive with data protection and privacy when it comes to complying with new regulations and effectively responding to data breaches. These challenges are not an end goal, but rather a starting point on their journey as data stewards to earn the trust of their customers.
Aside from reputational consequences, data breaches have far-reaching consequences for businesses. Most notably, consumers can now file a class-action lawsuit against the company that failed to protect their information. Under the California Consumer Privacy Act (CCPA), consumers have the right to sue a business for a data breach if they requested their information be deleted. Recently, Facebook was slapped with a class-action lawsuit worth $550 million over the use of its face-tagging technology to gather facial-recognition data on its social media channel.
Despite the massive regulatory consequences of data breaches, they continue. Below is a snapshot of only 10 that hit the news in January 2020:
Washington-based tech conglomerate Microsoft had a rocky start to 2020 after it exposed 250 million Customer Service and Support (CSS) records online last month with no password protection or other authentication needed. The Comparitech security research team, led by Bob Diachenko, discovered the security lapse and informed Microsoft immediately. Comparitech also revealed that the unprotected data was accessible on five Elasticsearch servers in December of last year.
Acknowledging the breach, Microsoft explained the cause was due to “misconfiguration of an internal customer support database,” which the organization uses to keep track of the support cases. The database contained logs of conversations between Microsoft support agents and global customers over the last 14 years. Microsoft also claims the breach was the result of a modification made to the database’s network security group on December 5, 2019.
While admitting to this breach in a blog post, Ann Johnson, corporate vice president of the Cybersecurity Solutions Group at Microsoft said, “Although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable.”
The US-based business giant has already run into problems for not issuing a patch for an Internet Explorer zero-day vulnerability.
The Hacker News
San Francisco-headquartered Zynga, a social game developer, reported a data breach incident that occurred in September of last year affecting 170 million individuals. New reports suggest that the incident has impacted usernames, passwords, and email addresses.
Although Zynga acknowledged the hack in 2019, it was only last month that the exact number of compromised accounts was accounted for. Zynga has issued notifications to users about the leak but didn’t divulge any details related to compromised financial data.
According to Zynga, “We have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed. As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to further notify players as the investigation proceeds.”
Japan-based electronics and electrical equipment manufacturer Mitsubishi Electric fell victim to a data breach last month that actually happened almost six months back. It was revealed that the cyberattack allowed hackers to gain access to servers and computers at Mitsubishi headquarters and other company offices.
The Tokyo conglomerate issued an in-depth statement about the incident: “On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside.”
According to reports, the intrusion was the result of suspicious files located on the company’s servers. In fact, a hacked employee account allowed access to the systems of an affiliated enterprise in China and the company systems located on Mitsubishi premises in Japan.
Mitsubishi undertook an in-house probe to gauge the impact of the breach and found that sensitive data on social infrastructure (like electric power and railways), business partners, and key technical data were not compromised.
A malware attack launched on New Year’s Eve hit the London-headquartered currency exchange Travelex, forcing it to take down its global websites across 30 nations. The breach led to several customers being stranded in foreign locales without access to the cash they had put on their Travelex ATM cards.
Post attack, the company switched to manual means to continue its operations in branches, airports, and standalone, over-the-counter stores.
The exchange blamed a software virus for the security lapse that forced them to go offline. A statement posted by Travelex on Twitter read, “Our investigation to date shows no indication that any personal or customer data has been compromised.”
Meanwhile, the hacker group “Sodinokibi” is claiming responsibility for the leak, stating they have access to customers’ personal information including Social Security numbers, birth dates, and payment card details. However, the foreign exchange giant maintains that there are no signs of compromised customer data, despite its global presence across 70 nations with over 1,200 branches and 1,000 ATMs.
Currently, the investigation into the attack is being led by the Metropolitan Police.
Australian banking organization P&N Bank has notified its customers about a data breach that exposed Personal Information (PI) and sensitive account information. While the bank has not yet confirmed the exact count of customers hit by the breach, the financial institution stated that the security lapse affected its customer relationship management (CRM) run by a third-party hosting firm. P&N Bank shut down the CRM system soon after discovering the breach. It also divulged that hackers gained access to the bank’s CRM system last year in December when it underwent an upgrade.
The compromised information included sensitive data (like names, addresses, emails, phone numbers, customer numbers, age, account numbers, and account balances) and non-sensitive data like the interactions between the bank and its customers.
An official statement from the retail banking major said, “P&N Bank’s core banking system is completely isolated and separate from the impacted system, so we can be confident this incident has not caused the loss of any customer fund, enabled third parties to access customer credit card details, and compromised any banking passwords.”
A massive data breach struck Peekaboo Moments App, which parents use to store their baby’s videos, images, height, weight, location, and other special moments.
Dan Ehrlich, part of the US-based computer security consulting firm Twelve Security, discovered the exposed Elasticsearch database of Peekaboo Moments, comprising more than 70 million log files of user data that contained links to videos, photos, geo-location coordinates, and 800,000 email addresses.
Singapore-based Alibaba Cloud hosts the Elasticsearch database of Peekaboo Moments, a free service. Also, Peekaboo needs to clarify who might have accessed the leaked data. In the past, Elasticsearch has faced severe data breach incidents as well.
Launched in 2012, the Peekaboo app boasts over a million downloads from the Google Play Store.
Canada-based online pharmacy store PlanetDrugsDirect has notified its customers that their Personal Information (PI) and financial data may have been compromised due to unauthorized access by hackers.
With roughly 400,000 customers, PlanetDrugsDirect is an online prescription referral service that offers customers direct access to affordable prescription and non-prescription medications and is an active Canadian International Pharmacy Association member.
As the online pharmacy investigates the impact of the breach, information related to the method or number of individuals impacted remains uncertain. The company also couldn’t confirm if the breach compromised passwords for online access.
PlanetDrugsDirect gathers a range of data about its online customers, such as family medical history, drug-related allergies, the name of the primary physician, occupation, and employment status.
Fresh Film Productions
A UK-based production company specializing in TV commercials for health and beauty brands, Fresh Film Productions became a data breach target last month when it unintentionally left a company server hosted online on an unprotected Amazon Web Services S3 bucket, exposing the sensitive personal data of individuals who took part in Dove’s “real people” campaign.
The exposed data included passport scans and bank details of Dove campaign participants. When Fresh Film Productions became aware of the leak, they took immediate measures to secure the affected server. Reports suggest that the breached server hosted a wide range of production files, comprising more than 1,500 files containing sensitive data. Fresh Film Productions has not clarified if cybercriminals accessed the impacted server.
Richard Carter-Hounslow, a producer at Fresh Film, said, “We take things like data protection very seriously and will be looking into this matter with urgency.”
IWG Plc (formerly Regus)
IWG plc, formerly Regus, a global provider of serviced offices, coworking spaces, business lounges, virtual offices, meeting rooms, and video teleconference services, encountered a data breach that published job performance data of over 900 employees online. The incident surfaced after IWG commissioned Applause to audit the performance of sales staff using covert filming.
Reports suggest that Trello, a task management website, unintentionally leaked the results—listing names, work contact information, and performance-related data. New reports suggest a spreadsheet containing the employee data was available online due to the public settings of the Trello board. Soon after learning about the incident, Regus removed the content from the external provider’s site and also initiated a third-party audit to identify the use of any unapproved third-party software tools.
A statement issued by IWG said, “Team members are aware they are recorded for training purposes and that each recording is shared with the individual team member and their coach to help them become even more successful in their roles. We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise. As our primary concern, we took immediate action and the external provider has now removed the content.”
Seattle-based Wyze Labs, a smart security camera manufacturer, reported a data leak that exposed personal data of approximately 2.4 million customers.
While acknowledging the breach, Dongsheng Song, Wyze co-founder and chief product officer, said that the leak occurred because of a new internal project launched to identify better ways to gauge business metrics such as device activations, failed connection rates, etc.
He further added, “We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4 when they were using this database, and the previous security protocols for this data were removed.”
The leaked information comprised usernames and emails of customers who bought cameras and installed them in their homes, emails of users who shared camera access, lists of cameras used in homes, and health-related information for a subset of users from December 4 to 27.
The news about the breach first surfaced on the Twelve Security blog. Wyze Labs’ executives became aware of it when a customer posted the Twelve Security blog post on a Wyze Online forum.
New York Times