Monthly Breach Report: January 2021 Edition

The year 2020 had some tough months when it came to massive data breaches that exposed vast, and in some cases still uncounted, stores of personally identifiable information. But with just one extensive breach, December outdid every other month of 2020. Here are some of the biggest hits of the month.

Russia’s SolarWinds Intrusion

A massive breach attributed to Russia's Foreign Intelligence Service (SVR) was discovered and reported in December 2020. The SVR is the agency that collects intelligence from countries outside the post-Soviet republics (the CIS). While many reports called the incident an attack, it is more accurately described as international espionage made possible by one of the most extensive data breaches in history. Fully investigating the incident and proving responsibility, to the extent it can be proven, will take time.

Despite President Trump's downplaying of the likelihood of Russian interference, Russia's responsibility is almost universally accepted. In the US, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) formed a joint task force that is unified in characterizing the intrusion and intelligence-gathering effort as likely Russian in nature.

Here is what we know.

  1. SolarWinds, a US company, offers IT remote monitoring and management tools to over 300,000 customers worldwide, including a network management tool called Orion that offered an upgrade in late Q1 2020. The hackers planted a back door in that upgrade.
  2. This supply chain attack allowed the SVR to infiltrate every business and government customer of SolarWinds that accepted the upgrade prompt.
  3. According to an Internet Archive copy of SolarWinds' customer list, all five branches of the US military, the State Department, the White House, the NSA, 425 of the Fortune 500 companies, all of the top five accounting firms, and hundreds of universities and colleges are among its customers. SolarWinds indicated that over 17,000 of its customers installed the malicious update.
  4. Microsoft identified multiple customers who were infiltrated using this vulnerability. The bulk of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE were also targeted. The list includes governments, government contractors, IT companies, think tanks, and NGOs, and it will certainly grow.
  5. The SVR then established persistent access and began moving laterally through the networks to extract data. It is not yet clear how much personally identifiable information was swept up in the SVR's espionage effort. It will take years before we learn which networks the SVR penetrated and where it still has access. Much of that will probably be, and remain, classified, which means the public will likely never know.

Sources

  1. BBC
  2. Business Insider
  3. Microsoft

270,000 Users' Data Hacked in People's Energy Breach

A popular clean energy provider based in Edinburgh suffered a serious cyber attack that resulted in its entire database being stolen. The People's Energy database included sensitive personal details on all 270,000 of its customers. Exposed customer data includes names, addresses, dates of birth, phone numbers, People's Energy account numbers, tariff details, and gas and electricity meter identification numbers.

People's Energy rapidly contacted customers and immediately reported the breach to the Information Commissioner's Office (ICO), the energy regulator Ofgem, the National Cyber Security Centre, and the police.

People's Energy has identified how its security was compromised and addressed the breach. The personal data that was taken could leave People's Energy customers vulnerable to phishing attacks in the future. So far, nothing is known about the hackers.

Sources

  1. ComputerWeekly
  2. Current News UK

Workplace Pension Provider NOW: Pensions Contractor Leak

About 30,000 customers of UK-based NOW: Pensions learned in mid-December that their personal data had been leaked to a public forum. In an email sent to affected customers, the workplace pensions firm warned that names, postal and email addresses, dates of birth, and National Insurance numbers had all been posted on the internet.

NOW: Pensions seemed to downplay the incident, which took place over three days. “Our current understanding is that one of our service partners unintentionally posted some members’ personal data in a public software forum. This happened between Friday, 11 and Monday, 14 December, 2020. The data was visible only to users of that forum for a short time and was copied by a small number of unknown parties,” said NOW: Pensions’ CEO. “We acted as soon as we were made aware of the issue. Relevant members, fewer than 2 per cent of our total membership, are affected by this incident,” he continued.
 
The Information Commissioner's Office (ICO) and The Pensions Regulator were informed. The company has also begun damage control, offering affected customers 12 months of free Experian Identity Plus. A UK consumer action law firm said affected members could be eligible to submit claims for compensation.

Sources

  1. The Guardian
  2. Telegraph
  3. The Register

Spotify Exposed Personal Data to Business Partners for Seven Months

“Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” This was the December 2020 notice from Spotify to its impacted users.

Akamai researcher Steve Ragan explained, "Hackers are very attracted to the high profile and value of online streaming services." Spotify says it has conducted an internal investigation into the incident and has already contacted the business partners that may have accessed user data to ensure the leaked information was deleted. The company is still investigating how the data breach occurred. Thus far, no related suspicious incidents have been reported.

Sources

  1. The Daily Swig
  2. Security Week

Internal Leak by River City Bank Employee Compromised Customer Data

River City Bank notified its customers after discovering insider behavior that exposed personal data. The bank discovered the problem in late September 2020 but waited until December to communicate the incident. An employee downloaded customer data to a personal storage drive and later sent it to a third party. The download was not part of any authorized access or duties.

The employee's access was immediately cut off, law enforcement was notified, and the bank conducted a review of all the databases and files affected. Two years of monitoring services are being provided to affected customers.

Source

  1. Sacramento Business Journal

UiPath's Limited Data Leak

Romania-based tech unicorn UiPath, a leading robotic process automation company whose software helps organizations automate business processes efficiently, experienced a security incident on December 1 in which customer data was disclosed online without authorization. Users who had registered on the platform prior to March 17, 2020, were impacted.

Exposed details include real names, email addresses, usernames, company names, countries, and UiPath certification details for users who had signed up for the UiPath Academy learning platform.

The company shared information with affected customers on December 10, but it cannot disclose the suspected source of the leaked data while security investigations continue.

Source

  1. ZDNet

Cyberattacks aren’t likely to let up in 2021. Ensure your business is protecting personal and sensitive data. Get started with a free demo.