Monthly Breach Report: November 2019 Edition
As data breaches continue to raise its ugly head all across the globe, let’s take a look at a few of the most prominent ones that occurred last month.
California-based computer software enterprise Adobe publicly acknowledged they unintentionally exposed the personal information of approximately 7.5 million Creative Cloud accounts to the public. This massive data breach jeopardizes the security of the affected users while increasing their threat of targeted phishing scams and hacking attempts.
New reports suggest that a data repository containing sensitive user details (like email addresses, creation dates, products used, current subscription status, country/region information, Adobe Employee or Member ID status, last login info, and payment status) was available online and allowed access to anyone using a web browser without any password or authentication. This security mishap didn’t impact data related to payment details and account passwords.
Security researcher Bob Diachenko, who identified the leak, claims the data was available for unauthorized access for nearly a week before Adobe secured the database. On October 19, Diachenko found out about the leak and immediately informed Adobe about it.
Adobe secured the database on the same day and issued a statement that said, “Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability. The environment contained Creative Cloud customer information, including email addresses, but did not compromise any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future.”
This isn’t for the first time that Adobe has been the victim of a data breach. In 2013, Adobe accidentally exposed credit card and login information for an unknown number of users.
The Mercedes-Benz connected car app, MercedesMe, experienced an accidental security lapse last month when it failed to pull in correct information from individual’s accounts and instead started displaying other car owners’ details like names, recent activity, phone numbers, etc. Soon after discovering the glitch, the app went offline, citing maintenance issues.
The MercedesMe app allows car owners to remotely locate, unlock, and start their vehicles.
According to a statement issued by Donna Boland, a spokesperson for Daimler, the parent company of Mercedes-Benz, “There was a short interval [Friday] during which incorrect customer data was displayed on our MercedesMe app. The information displayed was cached information—not real-time access to the account, no financial info was viewable nor was it possible to interact with, or determine the location of, the vehicle associated with the account.”
Italy-based global banking and financial services company UniCredit disclosed that its cybersecurity team identified a data breach that exposed personal records of three million domestic clients including names, telephone numbers, and email addresses.
The lender clarified that customers who created accounts during or after 2016 were not impacted by this breach. The financial institution further said in an online statement that the impacted records didn’t contain any banking related data that would allow hackers to access customer accounts or carry out unauthorized transactions.
UniCredit hasn’t shared the exact reason for the data hack. To avoid such incidents from happening in the future, the banking lender initiated an internal probe and informed relevant authorities about the incident.
Since 2016, the bank has spent 2.4 billion euros to enhance its IT systems and strengthen cybersecurity.
National Neurology Registry (NNeuR)
Personal information of over 17,000 patients was leaked on the government-linked National Neurology Registry (NNeuR) website. Created in 2008, the website aims to collect data about stroke and epilepsy in Malaysia. The Health Ministry blamed scripting errors for exposing the NRIC numbers, phone numbers, and addresses of affected patients.
The Health Ministry has already initiated an investigation along with National Cyber Security Agency (Nacsa), Malaysia Communications and Multimedia Commission (MCMC), and Cybersecurity Malaysia.
For the second time in 2019, Malaysia’s Health Ministry became victim to a data breach. In September this year, Germany’s security enterprise Greenbone Networks stated that data on 19,992 radiological reports from Malaysia was available online.
California-based healthcare provider Kaiser Permanente issued a data breach alert stating that about 1,000 of its patients in the Sacramento area were affected.
According to Kaiser Permanente, the email account of a Kaiser Permanente healthcare provider based in Sacramento that included patients’ PHI became accessible to an unauthorized individual for 13 hours. Kaiser discovered the security breach in an IT security process and resolved it immediately after identifying it.
Angela B Anderson, Kaiser’s regional compliance director and privacy and security officer for Northern California, said that the affected data did not include members’ Social Security numbers or financial information. She also added, “We do not have any evidence that the information was viewed, used, or copied. Kaiser Permanente takes the protection of our member data very seriously.”
News Report suggests the breach occurred on August 12, 2019, with Kaiser becoming aware of it on August 19, 2019.
Customer support ticketing platform Zendesk discovered a security breach last month dating back to November 2016 that exposed the personal data of 15,000 users that had registered Zendesk Support and Chat accounts.
Zendesk software is the preferred choice of global organizations such as Uber, Shopify, Airbnb, and Slack. A security notice published by Zendesk claimed that a third party identified the breach and the compromised data included passwords, emails, names, phone numbers, and other relevant service data.
According to a statement issued by Zendesk, “As of September 24, 2019, we identified approximately 10,000 Zendesk Support and Chat accounts, including expired trials and accounts that are no longer active, whose account information was accessed without authorization.”
Soon after discovering about the security lapse, Zendesk alerted the impacted users, inked collaboration with a third-party team, initiated an internal probe to find out how this breach happened, and informed global regulatory bodies about the breach.
Panama-based virtual private network provider NordVPN suffered a server breach last month when a hacker gained access to a Finland-based data center from which the company rented servers.
A statement from NordVPN said, “The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed.”
NordVPN did not divulge the details of the data center provider but stated that the breach occurred in March last year. Although NordVPN came to know about the breach some time back, it decided to wait before going public about the breach to make sure that the servers were secure.
NordVPN ended its contract with the Finnish server provider soon after discovering the breach. Post this security incident, NordVPN unveiled a stringent internal audit to review the complete infrastructure and follow strict rules before collaborating with data centers.
Newcastle-based Home Group, one of the UK’s biggest housing associations, became the target of a data breach when the personal details of approximately 4,000 of their customers were stolen. The breach compromised customer names, addresses, and contact information, but didn’t include financial details.
Currently, the charity offers rented homes to over 116,000 people in 55,000 properties across England (including North East, North West, Yorkshire) and Scotland. Home Group stated that a third-party cybersecurity expert identified the breach.
John Hudson, chief financial officer at Home Group, said, “We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.”
Despite resolving the issue within 90 minutes, the housing association issued a warning and contacted all customers affected by the breach.
Czech-based security software maker Avast became the target of a cybersecurity breach after witnessing a malicious intrusion into its network. According to the antivirus giant, the cyber-espionage campaign allowed hackers to access its network. Currently, Avast has over 400 million customers for its various antivirus and cybersecurity products.
Reports suggest that hackers accessed Avast’s network using a temporary VPN account and compromised credentials. Although the security invasion witnessed minimal damage, Avast claimed it to be a sophisticated attempt in which the hacker proceeded with utmost caution.
According to Avast Chief Information Security Officer Jaya Baloo, the company witnessed varied hacking attempts between May 14 and October 4. Post this security mishap, Avast collaborated with Czech-based Security Information Service (BIS), an intelligence agency, and an external forensics team to investigate the matter.
Avast hinted that the intrusion was likely aimed at compromising the releases of the popular CCleaner utility. In September 2017, Avast saw a similar incident when few versions of CCleaner was available for download on Piriform’s site.
Keep your business from becoming next month’s data breach headline. Protect your data with PK Protect. Learn more by requesting a free demo.