Monthly Breach Report: May 2023 Edition

The cost of cybercrime is predicted to hit $8 trillion in 2023 and is growing exponentially, according to Forbes. Ransomware and phishing incidents are not only increasing in numbers, but also in the financial and reputational costs to businesses and organizations.

Without the right protection, companies and organizations of every type are vulnerable to data breaches and ransomware attacks that leave them reeling. The latest targets include school children in Tasmania, a luxury super yacht manufacturer in Germany, and a consumer lender in Canada. Read on to learn the details in our May Breach Report.

Ransomware Attacks on the Menu

When Yum Brands, the parent company of KFC, Pizza Hut and Taco Bell first reported being hit by a ransomware attack in January it had to close 300 of its UK restaurants for a day. It thought then that it had escaped data leaks, but it was not so lucky. The fast food chain company recently sent notification letters to those whose personally identifiable information was stolen during the attack. The information includes names, drivers’ license numbers, and other key identifying details.

While there is no evidence so far that the information has been used for fraud or theft, the company noted in its annual report filed with the SEC that it continues to incur expenses related to the attack.

Yum Brands was not the only organization in the restaurant industry left to pick up the pieces after an attack this spring. The Black Cat group went after NCR’s Aloha point of sale platform which the company says is used by more cashiers and servers than any other in the industry. The software company, formerly known as National Cash Register, said that affected customers were still able to serve diners, and that it provided them workarounds. But platform users, including a franchisee with 100 workers, complained on Reddit that the attack sent their operations back to the “stone age,” forcing them to use paper and pen.

BlackCat has built its reputation by targeting US Defense Contractor NJVC and other critical organizations. It claimed responsibility in February for hacking into Solar Industries India Limited, an industrial explosives manufacturer, and stole more than 2 TB of critical data.

Sources

• Security Week
• Bleeping Computer (Yum Brands)
• Security Affairs
• Bleeping Computer (Aloha)

Delayed Detection Has Lasting Effects

Consumer lending company TMX Finance is facing at least four lawsuits following a data breach that got past them. It took the Canada-based firm three months to discover the breach  impacting more than 4.8 million customers. The lending company and its subsidiaries —InstaLoan, TitleMax and Title Bucks—operate in the United States, Canada, the UK, Australia, and China.

The firm told impacted customers that the breach occurred in December 2022, but the company did not detect it until February 13, 2023. The exposed data included personally identifiable information such as passport, driver’s license, and Social Security numbers.

Four class action lawsuits filed in the wake of the breach accuse TMX of failing to follow basic security procedures that would have prevented the data from being exposed. TMX said in its notice to impacted customers that it contacted the FBI and planned to implement additional security measures including endpoint protection and monitoring.

Sources

• Net
• Bleeping Computer
• Top Class Actions

Hackers Take Aim at Wealthy Clients

The personally identifiable information of the uber rich continues to be a shiny lure for cyber criminals. A ransomware attack in April targeted one of the globe’s leading makers of luxury super yachts, while an upscale car manufacturer was caught with its trunk of sensitive data unlocked.

German shipbuilder Lürssen, the maker of mega luxury yachts, and military vessels, reported suffering a ransomware cyberattack on Easter weekend. The firm manufactures some of the world’s largest yachts, and produces vessels for the German navy. Reports said the attack temporarily shut down much of the multi-billion-dollar operation. The company shared little information publicly, except to say that it took protective measures and informed authorities.

A Cybernews research team delivered some bad news to luxury carmaker Volvo recently. The investigators discovered that a Brazilian retail arm of the company was unwittingly leaking sensitive files for nearly a year. Dimas Volvo says it has since plugged the leak. The team found that the public could access sensitive files hosted on the dimasvolvo.com.br website, belonging to a Volvo retailer in the Santa Catarina region of Brazil.

Exposed data included authentication information and credentials that could be used to access the contents of databases that might have stored personal user data. Researchers also found the website’s Laravel application key was exposed and could have been used to decrypt user cookies.

Volvo is not the only luxury car brand put on notice about holes in their data dam. Research by Cybernews earlier this year showed that German luxury car maker BMW also made sensitive files public.

Sources

• Info Security
• Buten un Binnen
• Cybernews
• Security Affairs

Lawyers Take A Hit

Both the American Bar Association and a powerful international law firm discovered in April that they had left sensitive data unsecured for months. Proskauer, which represents the likes of Major League Baseball and Morgan Stanley, inadvertently put confidential M&A data at risk for six months. Proskauer blamed a vendor it hired to create an information portal on a third-party, cloud-based storage platform. The vendor left exposed a total of approximately 184,000 files stored on the platform. The files contained private and privileged documents, non-disclosure agreements, financial deals, and files relating to high-profile acquisitions.

Meanwhile, the world’s largest organization of lawyers and legal professionals warned its members in April that information regarding 1.4 million members may have landed in the hands of a hacker the month before. The American Bar Association said the data breach included the login credentials for a legacy member website it stopped using in 2018. The information was hashed and salted and therefore more secure; however, it is still possible for hackers to decipher. In many instances, the passwords were the default ones assigned by the ABA, and one concern is that members on the current site used the same credentials, making the portal and member information vulnerable. The ABA recommended that members change their passwords and look out for possible phishing attempts.

Sources

• TechCrunch
• Above the Law
• Law 360
• Bleeping Computer

Tasmanian School Kids’ Information Lands on Dark Web

Kids were not immune to hacks either. A Russian-linked group leaked thousands of Tasmanian education department financial statements and invoices containing information about students and their parents to the dark web in April. The group, called Clop, targeted a third-party transfer service GoAnywhere MFT the Tasmanian school department uses. Some of the data in the 16,000 files included information related to student applications for assistance. According to the state’s science and technology minister, Madeleine Ogilvie, while this is an evolving situation, no Tasmanian government IT systems have been breached. As of press time, no ransom demands have been made for the information.

Sources

• The Guardian
• AFR.com

PKWARE is committed to helping organizations find and maintain the safety of sensitive and personal information so they stay out of similar headlines and situations. Find out how we can help with your data by requesting a free demo now.