February 7, 2023

Monthly Breach Report: February 2023 Edition

PKWARE

Last year, US organizations issued more than 1,800 data breach notifications that reported sensitive information exposure affecting more than 400 million individuals. It’s not quite a record number of data compromises in the US in a year, but it’s close. Hospitals are continuing to experience the largest number of data breaches, a trend that’s continuing into 2023. Read more about some of the recent top breaches that are occurring around the world.

Hackers Out-Pizza the Hut

Yum Brands, parent company to fast food giants Pizza Hut, Taco Bell, and KFC, confirmed a ransomware attack that impacted “certain information technology systems,” largely affecting UK operations. The brand responded by taking some of its systems offline and closing approximately 300 restaurants in the UK for 24 hours.

While it is not yet clear when the attack began or how the systems were accessed, Yum Brands says there is “no evidence” that any customer data was stolen. The company has initiated an investigation and is using industry-leading cybersecurity and forensics professionals to learn more about what happened. The ransomware attack mainly impacted UK operations; however, Yum Brands also notified US federal law enforcement agencies. The incident is expected to have little to no additional impact on the business.


Top ERP Firm Still In Danger

Independent security researcher Anurag Sen recently discovered that a misconfigured Elasticsearch server owned by a major international enterprise resource planning (ERP) software provider is exposing data to the public. Data at risk includes the personal data of half a million job seekers in India, along with current employee data and client records from corporations such as Apple and Samsung.

Anurag discovered the exposed server in December 2022 while scanning for misconfigured databases on Shodan and found a server exposing more than 6GB of data without security authentication or password protection. The server belongs to a California-based company that has offices around the world, including India. Thus far, the name of the organization that owns the server is not being revealed because the server remains exposed.


Data Breaches Drive Need for Better Security with Nissan and Toyota

Automotive manufacturers certainly have had a rough few months. Nissan North America reports that they experienced a data breach affecting 17,998 people. The breach, discovered in September with customers notified in December 2022, was the result of a third-party software development vendor who used Nissan customer data for development and testing, storing it temporarily in a cloud-based public repository. Breached data includes customer names, dates of birth, and NMAC account numbers, but does not include Social Security or credit card numbers.

“This is yet another example of where supply chain issues can impact organization,” says Erich Kron of KnowBe4. “Nissan provided the information in good faith to an organization contracted to do testing, however that organization failed to properly secure the data. This serves to outline the contractual requirements when providing information to third parties, even when they have a legitimate need.”

Third parties wishing to do business with German automotive manufacturers must adhere to TISAX standards to protect data. TISAX standards have not been adopted by manufacturers based in other countries.

Toyota, meanwhile, revealed that an access key has been available to the public on GitHub for more than five years, resulting in a data breach that may have compromised customer personal information. The breach occurred at Toyota Kirloskar Motor, a joint venture with Indian giant Kirloskar Group. Toyota India has reported the breach to the appropriate authorities in India. As many as 296,000 customer records may have been compromised. There are currently no indications of data theft, but Toyota is unable to completely rule out the possibility that data was accessed and/or stolen.


Smash-and-Grab Operation Fries Five Guys Applicant Data

Anyone hoping to ask a customer if they want fries with that at Five Guys may need to be extra vigilant about their personal data. The burger chain revealed it was part of what appears to be a “smash-and-grab” operation, where cyberattackers broke into a file server and stole the personally identifiable information of individuals who had applied for jobs.

Five Guys took action immediately, following prescribed steps to contain the breach and launching an investigation with the help of an outside cybersecurity firm. Impacted individuals were notified at the end of December that applicant names and “other information” not specified in the public notice were affected. Although Five Guys has offered credit monitoring and identity protection services to those impacted, law firm Turke & Strauss is also reaching out to those impacted about potential legal action. According to the firm, exposed data includes Social Security and driver’s license numbers.

Currently, it is unclear whether the data leak was part of a ransomware attack or simply an unlucky finding of unprotected cloud storage.


Cyberattacks Leave Healthcare Orgs Bleeding Data

Healthcare continues to suffer multiple attacks around the globe. Saint Gheorghe Recovery Hospital in Botoşani, Romania, was targeted by ransomware at the end of 2022. The complex attack is still impacting medical activity: Neither computer scientists nor analysts have been able to decrypt the files. This leaves the hospital unable to report on any services completed in December 2022, causing additional strain by impacting the ability to pay employee salaries.

Ransomware struck another facility, this time in Pennsylvania, where the nonprofit Maternal and Family Health Services recently announced it suffered a financial data breach in early 2022 that compromised patient medical and financial data. Despite being attacked in April 2022, the organization did not post notifications until January 2023. The nonprofit supports an extensive network of health and nutrition centers spread across 17 Pennsylvania counties. Investigations report that the unauthorized access could have occurred as early as August 2021, and revealed information such as name, address, birthdate, Social Security number, driver’s license number, payment card information, usernames and passwords, medical information, and health insurance information.

Mental and behavioral health providers are also suffering from breach impacts. Both Lutheran Social Services of Illinois and Mindpath Health in North Carolina were victims of ransomware attacks. Combined, these attacks threaten the sensitive information of close to 400,000 individuals. Regarding the breaches, president of privacy and consulting firm The Marblehead Group remarked, “Because of the stigma and delicacy surrounding behavioral health, providers stand to lose patient trust and possible legal action.”

Even healthcare technology is at risk. Electronic health record provider NextGen Healthcare recently announced it is working with cybersecurity experts to recover after a ransomware cyberattack. The attack is credited to AlphV/BlackCat ransomware hackers, who listed NextGen among their victims in January. A spokesperson confirms that thus far, there is no evidence pointing toward access to or exfiltration of client data.


PKWARE exists to keep your company out of the news by ensuring your data is protected wherever it lives and moves. Find out how we can empower you to find and protect your business’ most crucial and sensitive data. Request your free demo now.
