Monthly Breach Report: November 2020 Edition
October 2020 seemed to be a month in which large enterprises across major industries suffered a huge number of security breaches, with significant personal data exposed, put at risk, or nefariously obtained and used for leverage by attackers and leakers. Among the key industries reporting organizational or enterprise breaches were health care, higher education, transportation, and, yet again, retail and ecommerce. While plenty of the breaches were in the US, many were discovered and reported across the entire world. Internationally, some sovereign states were reported to be hacking into systems and breaching personal data for underhanded purposes. Lucrative targets, espionage, and foreign-entity tampering intersect in many of these arenas. It was a big month.
eCommerce Supermarkets and Restaurant Reservation Systems, Meet Singapore October 2020
Singapore is a city many people associate with iconic attractions and shimmery evening waters. Stolen personal data doesn’t really fit that romance. The eCommerce platform Lazada is Alibaba’s Southeast Asia flagship. Lazada hosts the largest selection of brands and sellers. In Singapore, Lazada hosts a myriad of such companies and acquires some of them. RedMart is one. It’s a supermarket business that is wildly popular in COVID times and holds the personal information of millions of users. An online forum claimed in October 2020 to have obtained the personal information of about 1.1 million users, including names, phone numbers, email addresses, mailing addresses, and some credit card information. Lazada suggests some of the information may be aged, and it required all affected customers to set a new password before they could access their accounts again.
Another broadly popular Lazada restaurant reservations eCommerce company, eatigo, was the subject of a huge data security breach reported at the end of October this year. The breach had been going on for a year and a half when it was detected and reported. It reportedly impacted 2.8 million accounts in total, 400,000 or so belonging to people in Singapore. The personal data stolen and put up for sale on the dark web includes customer names, email addresses, and phone numbers; more is being investigated.
Eatigo sent an email to affected customers saying it will collaborate with the relevant authorities on the security incident in which the personal information was stolen. That, and the statement that some of the data was old, were the key points of the message.
This stiff-armed response, that customers’ personal data might be out of date, seems possibly irrelevant for millions of Singaporeans. Furthermore, if the databases were redundant, as claimed in both instances, why were both companies’ legacy databases still online without personal data protection? Finally, passwords hashed with SHA-1 are notoriously easy to crack. That leads back to the observation that it is paramount that companies provide protections and safeguards for their customers’ personal data. Knowing what personal data sits in which datastores, and then encrypting personal identities and their information, would be a strong first move for all companies holding customers’ personal data.
China Comes Full Circle Hacking COVID-19 Research Firms
According to the NSA, US research organizations working on improving our country’s response to the novel coronavirus have been hacked by Chinese nation-state actors. Personal data of individuals impacted by the virus, as well as research information, have been extracted by Chinese government malware called Taidoor. The data mining is part of ongoing data collection operations stealing the personal information of tens of millions of people in the US. The malware targets handfuls of commonly exploited vulnerabilities. In addition to the personal data, economic, military, and political information has been compromised. Measures to protect against these exploits include personal data protections such as encryption and multi-factor authentication, improved credential requirements, and monitoring of who accesses the data, with unusual access flagged.
Let’s Pause Just a Little Bit Longer . . . Still Looking at You, China
Chinese hackers are continuing to target Taiwan companies, extracting the personal data of up to 10 million people from job-seeking sites. The Mid-Autumn festival holiday attack was launched against 104 Job Bank, a service for job seekers, early in October 2020. The data included names, birthdates, emails, mobile numbers, and home addresses of nearly 6 million individuals, ages 20-58. According to authorities, the Chinese hackers also stole and leaked the personal information of nearly four million people from another popular forum and job bank in Taiwan, 1111. Although some of the personal data has been in the stores for years, these types of personal data rarely change, if ever, so these individuals are considered vulnerable to further phishing attacks and personal data extractions. Stolen datasets were being sold by at least one hacker group for between $500 and $1,000 per set. A fund of 200 million yuan (just over $15 million) was established to compensate individuals whose personal information was leaked.
Other October reports describe Silent Fade, linked to Chinese hacker groups and stopped by Facebook, in which malware accessed session token cookies to obtain logins and post items on the social media platform. Another Chinese hacker group, called APT41, was just charged for cyberattacks on US companies. All companies must be vigilant to discover and protect the personal data they store.
Before we leave China, consider that Chinese hackers have been hitting targets consistently for years. According to US government cybersecurity officials, October shows that the pattern remains strong not only in their own region but also in the US and many other countries. Chinese hackers were at work against organizations in Russia, Ukraine, Kazakhstan, Kyrgyzstan, and in Asia against India and Malaysia. Diplomatic entities and NGOs in Africa, Asia, and Europe were targeted in October by Chinese hackers using leaked code from HackingTeam. These October incidents are all nipping at the heels of indictments by the US Department of Justice against five different Chinese hackers with ties to Chinese intelligence services, who hacked over 100 US organizations operating in IT, social media, academia, and government.
Apparently, China may not have noticed the irony of having passed its own Personal Information Specification standards earlier this year, which came into force on 1 October 2020, to protect personal information (including personal sensitive information and biometrics) and lay out extensive requirements on data subject consent, all while being nabbed in continual personal data breaches around the world.
Pay Attention as Holiday Shopping Season Approaches
We will be sharing a lot more about retail, personal data, payments, and data breaches during November 2020, but here is a heads-up as we ramp up our personal buying season. Home Depot experienced a significant data breach in Canada on October 29, 2020. Customers received email reminders for order pick-ups and online order confirmations that were utterly random and unrelated to the recipients, and that included names, addresses, email addresses, order details, and some credit card information. One individual received over 660 emails filled with these reminders. While investigators are still assessing the full impact, it appears that, in breach of privacy regulations, the hackers distributed around 1,000 customers’ personal data to hundreds of people. The incident also follows an incredible data breach against Home Depot in 2014, when 50 million credit card numbers and 53 email addresses were stolen through access to the network and the company’s point of sale (POS) system. That incident resulted in nearly $20 million in victim compensation. An incident like that one, and this year’s, can further trigger untold follow-on malicious privacy attacks on the people whose personal data was loosely and rapidly dispersed.
The breach seemed to stem from a misconfiguration in the internal systems of Home Depot in Canada. The company might have averted the impact on customers if discovery and protection of personal data had been handled upfront, preventing decrypted information from being erroneously shared.
Healthcare Giants and Frontline Organizations Are Not Immune
Frontline worker organizations in the healthcare industry were hit hard by data breaches in the US and other countries as the COVID-19 pandemic ramps up here and around the world.
On October 27, attacks were waged against Sky Lakes Medical Center in Oregon and St. Lawrence Health System in New York, both involving Ryuk ransomware. Investigations are still underway to determine the extent of the personal data that was exposed. Three hospitals in the St. Lawrence Health System were hit, which in turn affected ambulance services, diverting care to other hospitals and endangering patients being transported to the emergency rooms. Ryuk ransomware has a history of exfiltrating patient data before the patients’ files are encrypted.
Another data breach, at an ambulance service, AAA Ambulance Service, was reported on October 8, 2020. The number of patients impacted has not yet been assessed, but the personally identifiable information accessed includes names, social security numbers, bank details, dates of birth, diagnoses, account numbers, prescriptions, medical records information, and health insurance details. The hackers’ proofs indicate they pulled over 24 GB of information in files. AAA is notifying those affected and offering credit monitoring services along with its apology.
Universal Health Services (UHS) spent most of October furiously trying to recover from its crippling data leaks, having been attacked just as the month began. UHS made public statements that none of the tremendous volume of personal health information that moves through its systems was impacted or compromised in the attacks. It took 3 weeks to bring the 400 sites in the system back online. The attack is suspected to have been Ryuk ransomware.
Meanwhile, Legacy Community Health Services announced and notified over 228,000 patients that the company had experienced a data breach, potentially exposing personal data including names, dates of services, social security numbers, and health information. An employee had responded inadvertently to a phishing email the day before the breach.
OSF Health Care operates in Illinois and Michigan and includes 14 hospitals and 30 urgent care centers. It was discovered that some locations had experienced data breaches exposing patients’ names, addresses, email addresses, phone numbers, dates of birth, treating physicians, and treatment locations of the patients. The company released an email stating they won’t disclose numbers of patients affected.
Hitting Tech Where It Hurts, Nitro Breach Exposes 13,772 Accounts
Nitro offers a PDF service that allows users to create, edit, and sign PDF documents. Over 10,000 businesses and 1.8 million customers around the world use Nitro. On October 21, 2020, Nitro announced it had been breached when an unauthorized third party accessed some Nitro databases. Companies often use Nitro to sign sensitive business, financial, and legal documents, so there is concern over the value of the information in the stolen documents. The hacker is trying to auction user and document databases as well as 1 TB of cloud service documents. Key industry cloud providers have had their Nitro documents stolen in this heist. There are conflicting reports from Nitro and from BleepingComputer, which has been assessing the breach. According to BleepingComputer, in samples from an affected database, even the titles of the documents reveal information about finances, M&A activities, individuals’ names, email addresses, bcrypt hashed passwords, and other data that can easily be traced back and connected to individuals’ identities. Furthermore, the data exposes many of Nitro’s business customers, with significant systems-related data taken. Nitro’s environment was secured right away once the breach was recognized, and customers are being advised as a password reset is implemented.