
Audi And Volkswagen's Data Breach Affected 3.3 Million Customers

 

Volkswagen announced that a massive data breach exposed the personal information of over 3.3 million customers after one of its vendors left a cache of customer data unencrypted on the internet. In a letter to customers, Volkswagen said that the vendor utilized by Volkswagen, its subsidiary Audi, and authorized dealers in the United States and Canada had left customer data from 2014 to 2019 unsecured for two years between August 2019 and May 2021. 

Personal information about clients and potential buyers was included in the data, which was collected for sales and marketing purposes. Volkswagen Group of America, Inc. (VWGoA) is the German Volkswagen Group's North American subsidiary, responsible for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc. operations in the United States and Canada. 

Between August 2019 and May 2021, a vendor left insecure data accessible on the Internet, according to data breach notices submitted with the California and Maine Attorney General's offices. This specific vendor informed the VWGoA in March that an unauthorized person had gained access to the data and may have accessed customer information for Audi, Volkswagen, and some authorized dealers. 

According to VWGoA authorities, the hack affected 3.3 million customers, with almost 97% of those affected being Audi customers or potential buyers. The data breach appears to have exposed information ranging from contact information to more sensitive data including social security numbers and loan numbers. 

"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages," disclosed VWGoA in a data breach notification. 

"The data also included more sensitive information relating to eligibility for purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers." 

The hackers are demanding between $4,000 and $5,000 for all of the records, claiming that the database contains no social security numbers. The threat actors earlier stated that the database for a VPN service provider with various Android apps on the Google Play Store was on sale for $1,000. 

Volkswagen is offering free credit protection and monitoring services to the 90,000 customers whose personal information was exposed, as well as $1 million in identity theft insurance.

Carnival Cruise Line Unveiled a New Data Breach

 

Carnival Corporation, one of the biggest cruise ship operators in the world, is another major firm revealing that it has been affected by a data breach. 

Carnival Corp. detected unauthorized access to its computer networks on 19 March. According to the company, authorities have been contacted and a cybersecurity firm has been engaged. 

The investigation found that third parties, using a "limited number of e-mail accounts", could access personal information of clients, staff, and crew on its Carnival, Holland America, and Princess cruise lines.

The data obtained included names, addresses, telephone numbers, passport numbers, birth dates, health information, and in some cases additional information, like national identity numbers or social security. 

According to Carnival, the impacted information includes “data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or another safety testing.” Carnival's letter said there was a "low likelihood" that the data had been exploited. 

It is worth noting that ever since 2019 Carnival has been attacked by numerous cyber threat actors, including last summer's ransomware attack. Just as cruise lines start booking trips following an extended COVID-19 halt, Carnival faces yet another question mark on cyber safety, said Erich Kron, the KnowBe4 security adviser. 

Kron said it is no surprise that Carnival has been attacked, given the type and volume of data it gathers, and that Carnival holds information that is highly valuable to attackers. 

Most large cruise lines, by their very nature, visit foreign ports, so they collect sensitive data required for customs processing and other travel-related purposes. Such attacks are generally initiated by e-mail phishing, and firms seeking to avoid problems like Carnival's would be advised to invest in high-quality e-mail filters and an employee training program focused on recognizing phishing e-mails and proper password hygiene. 

John Bambenek, Threat Intelligence Advisor at Netenrich, stressed the need for the organization to ask some hard questions about what it is doing to secure sensitive information, since it has been hit three times in the past few months. 

“At a certain point, they are advertising to the world that they are an easy target and can look forward to more frequent and serious attacks,” Bambenek added.

Carnival Cruise Line is a multinational cruise line with its headquarters in Doral, Florida. It is a division of Carnival Corporation & plc. The corporation operates several of the largest cruise lines, including the Princess Cruises and Carnival Cruise Line. 

Fraudsters are Mailing Modified Ledger Devices to Steal Cryptocurrency

 

Scammers are mailing fraudulent replacement devices to Ledger customers who were recently exposed in a data breach; the devices are modified to steal cryptocurrency wallets. 

With rising cryptocurrency values and the growing use of hardware wallets to secure crypto funds, Ledger has become a frequent target for scammers. After receiving what appeared to be a Ledger Nano X device in the mail, a Ledger user described a devious fraud on Reddit. The gadget arrived in authentic-looking packaging with a sloppy letter claiming that it was sent to replace their existing device because their customer information had been leaked online on the RaidForums hacker community. 

"For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device," states the fake letter from Ledger. 

"For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again." 

Although the letter contained numerous grammatical and spelling errors, the information of 272,853 people who had purchased a Ledger device had indeed been published on the RaidForums hacking site in December 2020, which lent the new device's arrival some plausibility. 

A shrink-wrapped Ledger Nano X box was also included in the package, containing what appeared to be a genuine device. The user, suspicious of the device, opened it and posted photos of the printed circuit board on Reddit, which clearly showed that the device had been modified. 

Based on the photos, Mike Grover, a security researcher and expert in offensive USB cables and implants, told BleepingComputer that the threat actors had added a flash drive and wired it to the USB port. 

Grover told BleepingComputer in a conversation about the photographs, "This appears to be a simple flash drive slapped on to the Ledger with the purpose of being for some form of malware delivery." 

"All of the components are on the other side, so I can't confirm if it is JUST a storage device, but.... judging by the very novice soldering work, it's probably just an off-the-shelf mini flash drive removed from its casing." 

Examining the images, Grover pointed out the flash drive implant connected by wires, stating, "Those 4 wires piggyback the same connections for the USB port of the Ledger." 

The enclosed instructions tell the recipient to connect the Ledger to their computer, open the drive that appears, and run the accompanying application. The person is then told to enter their Ledger recovery phrase to import their wallet into the new device. 

A recovery phrase is a human-readable seed that is used to produce a wallet's private key. Anyone with this recovery phrase can import the wallet and gain access to the cryptocurrency it holds. Once entered, the recovery phrase is sent to the attackers, who use it to import the victim's wallet on their own devices and steal the funds. 
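To make concrete why the recovery phrase is the whole wallet, here is an added example (not Ledger's code, and not part of the original post) of the standard BIP39/BIP32 derivation: PBKDF2-HMAC-SHA512 turns the phrase into a 64-byte seed, and HMAC-SHA512 keyed with "Bitcoin seed" turns that seed into the master private key, deterministically. The all-"abandon" phrase is the public BIP39 test phrase, not a real wallet, and the word-count check is the only validation performed (full checksum validation needs the 2048-word list, omitted here).

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order: a valid BIP32 master private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed input: the public BIP39 test phrase (all-zero entropy), not a real wallet.
SAMPLE_PHRASE = ("abandon " * 11) + "about"


def _nfkd(text: str) -> str:
    # BIP39 mandates NFKD normalisation of both mnemonic and passphrase before hashing.
    return unicodedata.normalize("NFKD", text)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the phrase, salt 'mnemonic' + passphrase, 2048 rounds."""
    words = _nfkd(mnemonic).strip().split()
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP39 phrase has 12, 15, 18, 21 or 24 words")
    return hashlib.pbkdf2_hmac(
        "sha512",
        " ".join(words).encode("utf-8"),
        ("mnemonic" + _nfkd(passphrase)).encode("utf-8"),
        2048,
        dklen=64,
    )


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP32 master node: HMAC-SHA512(key=b'Bitcoin seed', msg=seed) -> (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    priv, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(priv, "big")
    if k == 0 or k >= SECP256K1_N:
        # The spec says to reject such a seed; the probability is negligible in practice.
        raise ValueError("invalid master key for this seed")
    return priv, chain_code


def phrase_to_master_key(mnemonic: str, passphrase: str = "") -> bytes:
    """The whole chain: whoever holds the phrase (and optional passphrase) obtains this key."""
    priv, _chain_code = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))
    return priv


if __name__ == "__main__":
    seed = mnemonic_to_seed(SAMPLE_PHRASE, "TREZOR")
    print("seed      :", seed.hex())
    print("master key:", phrase_to_master_key(SAMPLE_PHRASE, "TREZOR").hex())
    # The same phrase always yields the same key, which is exactly why a phrase typed into
    # an attacker's program is equivalent to handing over the wallet.
    print("deterministic:", phrase_to_master_key(SAMPLE_PHRASE) == phrase_to_master_key(SAMPLE_PHRASE))
```

The "TREZOR" passphrase matches the published BIP39 test vector, so the printed seed can be checked against it; the same phrase with a different passphrase yields an unrelated key.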

Ledger has acknowledged this fraud and issued warnings about it in May on its dedicated phishing-alert page. 

Recovery phrases for Ledger devices should never be shared with anybody and should only be entered directly on the Ledger device the user is trying to recover. If the device does not allow the phrase to be entered directly, the user should only use the Ledger Live application downloaded straight from Ledger.com. 

Ledger customers flooded with scams: 

In June 2020, an unauthorized person gained access to Ledger's e-commerce and marketing databases, resulting in a data breach. 

This information was "used to send order confirmations and promotional mailings — largely email addresses, but with a subset that also included contact and order details including first and last name, postal address, email address, and phone number." 

Ledger owners began receiving phishing emails directing them to fraudulent Ledger apps designed to trick them into entering their wallet's recovery phrase. After the contact information of 270K Ledger owners was posted on the RaidForums hacker community in December, these scams became more common. 

The leak resulted in phishing operations posing as new Ledger data breach notifications, SMS phishing texts, and software upgrades on sites imitating Ledger.com.

CVS Health Database Breach Left 1 Billion User Records Exposed Online

 

Security researchers have discovered an online database belonging to CVS Health which exposed over a billion records online.

On March 21st, 2021, the Website Planet research team, in collaboration with independent cybersecurity researcher Jeremiah Fowler, discovered a non-password-protected database belonging to CVS Health that contained over 1 billion records.

CVS Health, headquartered in Woonsocket, Rhode Island is an American healthcare firm that owns CVS Pharmacy, a retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; Aetna, a health insurance provider, among many other brands. 

The database, which was approximately 204 gigabytes in size, contained event and configuration data including production records of visitor IDs, session IDs, customer email addresses, and customer searches on CVS Pharmacy websites for COVID-19 vaccines and other medications. The leaked database had no form of authentication in place to prevent unauthorized entry, Jeremiah Fowler stated.

"Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails," Fowler wrote.

According to Website Planet, the leaked database could be used in targeted phishing by cross-referencing some of the emails also logged in the system -- likely through accidental search bar submission -- or for cross-referencing other actions. Competitors, too, may have been interested in the search query data generated and stored in the system.

Website Planet sent a responsible disclosure notice to CVS Health and quickly received a response confirming that the dataset belonged to the company. CVS Health said the database was managed by an unnamed vendor on behalf of the firm and that public access was restricted following disclosure.

"In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata. We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter," CVS Health told ZDNet.

AmeriGas: US Largest Propane Supplier Suffered an '8-second' Data Breach

 

America's largest propane supplier, AmeriGas, has revealed a data breach that lasted just ‘8 seconds’ but affected 123 employees and one US resident. The company serves more than 2 million customers in all 50 US states and has more than 2,500 distribution locations. 

Threat actors compromised the network of J.J. Keller, a vendor that provides Department of Transportation (DOT) compliance services to AmeriGas. On May 10th, J.J. Keller detected anomalous activity on its systems associated with a company email account. The vendor quickly began investigating its network and discovered that a J.J. Keller employee had fallen victim to a phishing email, causing their account to be compromised.

After resetting the employee’s account credentials, J.J. Keller quickly began its forensic activities to determine the full scope of this breach. It revealed that the eight-second data breach leaked sensitive records of 123 AmeriGas employees.

"According to J.J. Keller, during the 8-second breach, the bad actor had access to an internal email with spreadsheet attachments containing 123 AmeriGas employees' information, including Lab IDs, social security numbers, driver's license numbers, and dates of birth. To date, we are unaware of any actual or attempted misuse of this personal data as a result of this incident," revealed AmeriGas in a sample data breach notification letter dated June 04, 2021.

Apart from the 123 AmeriGas employees, the personal details of a New Hampshire resident were also exposed; that person has since been alerted of the data breach and provided with free credit monitoring services. Fortunately, there are no indications that any employee information was copied or misused. 

A second data breach involving AmeriGas this year

This latest data breach comes after AmeriGas suffered a data breach in March 2021, when a company customer service agent was fired for potentially misusing customer credit card information. 

According to AmeriGas, some customers who called AmeriGas customer service had verbally revealed their banking details to this representative who may have misused this information to make unauthorized purchases. 

“We recently detected that there were unauthorized disclosures of credit card information to one of our customer service agents. We do not know whether your credit card information was shared but are writing in an abundance of caution. We investigated the issue as a precaution to further secure your information. The agent involved has been terminated and we have already implemented additional safeguards,” the company had revealed at the time.

Emails and Passwords of Government Officials Exposed due to Data Breaches

 

Hundreds of Union government officials' emails and passwords have been exposed to hackers as a result of recent data breaches of Air India, Domino's, and Big Basket, according to the government. The Hindu obtained a copy of an internal document that stated that compromised emails on government domains such as @nic.in and @gov.in are potential cyber threats because they are being exploited by "adversaries" to send malicious emails to all government users. 

Days after the alert was sent on June 10, a malicious web link circulated via WhatsApp and SMS targeted many government offices, including Defence Ministry officials, asking them to update their vaccination status. The message directed officials to https://covid19india.in to generate a digital certificate of COVID-19 inoculation, forwarding them to a page called "@gov.in," which looks similar to the government website mygov.in, and asking for their official e-mail and password. 

According to cyber expert Rajshekhar Rajaharia, the website was hosted in Pakistan in June. “The page mentioned @nic.in email IDs to make the official believe it is a government page. The purpose seemed to be getting the e-mails and passwords of only government officials and get unauthorised access to government systems, the page does not accept any other domain such as gmail.com,” said Mr. Rajaharia. 

On May 15, Air India informed passengers that its passenger service system, which is provided by multi-national IT company SITA, was the target of a sophisticated cyber-attack in the last week of February that affected nearly 45 lakh “data subjects” worldwide who registered between August 26, 2011 and February 3, 2021. Officials from the government are frequent travellers on Air India. 

The alert sent to officials said, “It is intimated that recent data breaches of Air India and other companies like Domino’s, Big Basket etc. have resulted in exposure of e-mail ID and passwords of many users, which includes lots of government email IDs as well. All such compromised gov. domain emails are potential cyber threats as they are being used by the adversaries to send out malicious mails to all gov email users. It may please be noted that largely these are name based email IDs which are available with the malicious actors.” 

On March 1, the Union Power Ministry announced that multiple Indian power centres had been targeted by “state-sponsored” Chinese cyber gangs. Recorded Future, a cyber security and intelligence organization based in the United States, determined that Chinese state-sponsored actors may have infiltrated Indian power grids and seaports with malware.

South Korea And Taiwan: McDonald Hit by a Data Breach

 

After unauthorized activity on its systems, the personal data of some consumers in South Korea and Taiwan was exposed, making McDonald's the latest firm affected by a data breach. 

The attackers obtained e-mails, telephone numbers, and delivery details, but consumer payment information was not included in the breach, the company said. On Friday, McDonald's also said that the incident was quickly identified and contained, and that a thorough investigation was undertaken. 

The investigation found that company data had been breached in the U.S., South Korea, and Taiwan. 

In a message to U.S. employees, McDonald's said the breach exposed some corporate contact information for US staff and franchisees, as well as some details about locations, such as seating capacity and the square footage of play areas. No customer information was compromised in the US, and the exposed information about US employees was not sensitive. The corporation urged employees and franchisees to watch out for phishing e-mails and requests for information. 

McDonald's said attackers obtained the emails of consumers in South Korea and Taiwan along with their phone numbers and delivery addresses. McDonald's also reported that hackers took employee information in Taiwan, particularly names and contact information.

The F&B chain has indicated that its South Korea and Taiwan businesses have notified Asian regulators of the breach and will also contact customers and staff. The company also said it would notify some staff in South Africa and Russia of probable unauthorized access to their data, as these countries were also flagged by the investigation. 

McDonald's asserted that business at its restaurants was not impacted by the breach and that this was not a ransomware attack, in which hackers demand a ransom to return data and control of transactions to the business. McDonald's stated that no ransom was requested and that it has not paid the hackers. 

McDonald's noted that its investment in cybersecurity defenses has expanded in recent years and that these mechanisms helped it respond to the recent incident. The company said it cut off the hackers' access to its data shortly after the breach was detected. 

“McDonald’s will leverage the findings from the investigation as well as input from security resources to identify ways to further enhance our existing security measures,” the company said.

RockYou2021: The Largest Data Leak with 8.4 Billion Passwords

 

According to Cybernews, what appears to be the world's largest password collection, called RockYou 2021, has been leaked on a famous hacker site. A forum user uploaded a 100GB TXT file containing 8.4 billion password entries. 

All of the passwords in the leak, according to the author, are 6-20 characters long, with non-ASCII characters and white spaces eliminated. According to the same individual, the collection has 82 billion passwords. However, Cybernews discovered that the actual figure was roughly ten times lower, at 8,459,060,239 entries, after conducting its own testing. 

The forum member has named the compilation ‘RockYou2021,' probably in allusion to the historic RockYou data breach that occurred in 2009 when threat actors hacked into the social app website's servers and obtained over 32 million user passwords stored in plain text. 

This leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever, and exceeds its 12-year-old namesake by more than 262 times. The RockYou2021 compilation, accumulated by the individual behind it over several years, contains COMB's 3.2 billion leaked credentials as well as credentials from numerous other hacked databases. Given that only roughly 4.7 billion people are online, the RockYou2021 compilation could theoretically contain the passwords of the entire global online population almost two times over. 

“By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts,” CyberNews notes.

“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions,” Cybernews warns. If you feel one or more of your passwords may have been exposed as a result of the RockYou2021 incident, you should change your passwords for all of your online accounts right away. A password manager, according to Cybernews, can help you build strong, complex passwords that aren't easy to remember. You may also set up two-factor authentication (2FA) across all of your accounts. Finally, as always, carefully check all unsolicited spam emails, phone calls, and text messages for signs of phishing.

India’s Finance Software Powerhouse NSE Blown By EpsilonRed Ransomware

 

Nucleus Software Exports, an Indian financial software company, has suffered a major ransomware attack. The company, which supplies software to Indian banks and retail stores, has had its internal networks severely affected and essential business data encrypted. 

Nucleus Software is a leading provider of banking and financial services software and is also known for its lending and transaction banking consultancy services to the global financial services industry. 

In the wake of the security incident, the company reported that it filed a report on Tuesday with the Indian National Stock Exchange authority, stating that the incident occurred on May 30 and that the group that attacked its systems is known as ‘EpsilonRed’. 

Alongside this, the NSE published its quarterly report, in which it wrote that the company’s cybersecurity research team is working hard to recover its sensitive business data and to repair the damaged parts of the system. Meanwhile, the company’s spokesperson reassured customers, saying, “So far as sensitive data is concerned, we’d like to assure our customers that there is NO financial data of any customer available/stored with us and therefore the question of any leakage or loss of client data does not arise’’. 

Researchers from the cybersecurity community have disclosed that the ransomware that damaged the NSE’s network, colloquially known as EpsilonRed, is also known as BlackCocaine. EpsilonRed/BlackCocaine is a new type of ransomware that was discovered only very recently. 

UK security firm Sophos first reported on this new strain last month. According to the Sophos report, the EpsilonRed gang targets unpatched Microsoft Exchange email servers using the ProxyLogon exploit; after gaining full control of the server, the attackers deploy a collection of PowerShell scripts that give them access to the inside of the victim’s network. 

Furthermore, Sophos said the ransomware gang succeeded in some of its attacks, collecting around $210,000 in payments from its previous victims. 

NSE has not disclosed the exact details of the breach, nor whether it complied with the hackers' demands. However, the attack is widely believed to have originated via an Exchange server. 


Cybercrime Forum Publishes Alleged Database, Source Code From Russian Firm That Helped Parler

 

A seller on a famous cybercrime website claims to be selling source code and a database that they claim belongs to DDoS-Guard, the Russia-based hosting firm that helped social media company Parler relaunch after Amazon Web Services banned it. 

DDoS-Guard also offers computing capacity and conceals the identity of the owners of hundreds of shady websites involved in the sale of unlawful goods, gambling, and copyright infringement, according to Group-IB research on online piracy. 

On May 26, Group-IB, a global threat hunting and adversary-centric cyber intelligence firm specializing in investigating and combating high-tech cybercrime, uncovered a database supposedly connected to bulletproof hosting provider DDoS-Guard that was put up for sale on a cybercrime website. 

Customers' names, IP addresses, and payment details are allegedly stored in the database. In addition to the database, the threat actor claims to possess the DDoS-Guard infrastructure's source code. The entire collection is currently up for auction, with a starting bid of $350,000. Since the threat actor did not offer a sample, it is impossible to verify the legitimacy of the allegedly stolen material. 

“Initially, the threat actor was auctioning off the lot with a starting price of $500,000. Shortly after the amount was reduced to $350,000,” stated Oleg Dyorov, Threat Intelligence analyst at Group-IB. “The threat actor didn’t provide a sample of the database, which makes it impossible to verify the authenticity of the reported stolen database and the source code. The seller registered this account on exploit in January 2021 and has been looking to buy access to different corporate networks ever since. It is only the second time that they are trying to sell data on the forum. Despite the regular activity, the threat actor has no reputation on the forum and has made no deposits yet.” 

According to the Group-IB Threat Intelligence & Attribution system, this user had an account on exploit[.]in before being barred by the forum administrators for refusing to use the escrow service. DDoS-Guard provides DDoS protection, CDN, and hosting services, and its data is allegedly being traded on a hacker site. 

“As an international certified emergency response team, we get to interact with dozens of hosting providers around the world every day to ensure violations are removed promptly,” says Reza Rafati, a senior analyst at CERT-GIB in Amsterdam. 

“Whenever we establish a connection with this company, it immediately reflects a red flag. We’ve seen a number of rogue websites hosted by DDoS-Guard. They were almost impossible to take down. Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn’t do any good for the global effort against cybercrime.”

Scripps Health Care Facility Reported Ransomware

 


Scripps Health reported on Tuesday that it has started sending notifications to nearly 150,000 individuals after a group of threat actors stole sensitive personal data during a ransomware attack on one of its local health care facilities on 1 May. 

What is Scripps Health and how does it work? 

Scripps is a nonprofit health care system in San Diego, California, United States. It operates five hospitals and 19 outpatient facilities and treats half a million patients a year through 2,600 affiliated physicians. In addition, Scripps Health runs several medical education and research programs. 

The firm released a statement in which a medical professional said that the company has just begun notifying victims so that they can take protective measures against this attack and safeguard their personal information from further misuse. “About 2.5 percent of those — nearly 3,700 — are said to have had their Social Security and/or driver’s license numbers taken. For those, the company said, it will provide complimentary credit monitoring and identity protection support services,” he added. 

According to the information shared by the firm, the cybercriminals stole clinical data including individuals' addresses, patient account numbers, dates of birth, medical record numbers, health insurance information, doctors’ names, and medical data. The firm did not disclose which system the information was taken from. 

The breach forced medical professionals at all levels of the organization to work differently because its systems were at risk. Staff had to use paper charts for their documentation, and access to important clinical data, including previous test results, was unavailable for weeks. 

Scripps further said that the investigation into the attack is ongoing and that it is unable to disclose all the technical details at present. “We still don’t know what the rest of the document seems to be related to. We have started an extensive manual review of these documents…”

“…This is a time-consuming process that can take months, but we will notify affected individuals and organizations as soon as possible in accordance with applicable regulatory requirements,” Scripps added.

Data of 6 Million Battle for the Galaxy Players Leaked

 

WizCase security experts recently uncovered an unsecured ElasticSearch server owned by AMT Games, a Chinese mobile and browser game company, that exposed 5.9 million Battle for the Galaxy users' accounts, as well as 2 million transactions and 587,000 feedback messages. 

Although AMT Games used the server to store profile information, payment history, and feedback messages for millions of Battle for the Galaxy players, the researchers found that the data stored in the ElasticSearch server was not encrypted and the server was not protected by a password. 

AMT Games, which has a slew of mobile and social games with tens of millions of downloads, exposed 1.5TB of data through the Elasticsearch server. AMT Games Ltd. is a well-known mobile and browser-based online game company based in China that creates games for Android, iPhone, Steam, and web browsers. Battle for the Galaxy, Heroes of War: WW2 Idle RPG, Epic War TD2, and Trench Assault are among the company's most popular games. 

Profiles typically include player IDs, usernames, country, total money spent on the game, and data from Facebook, Apple, or Google accounts if the user linked them to their gaming account. Feedback messages include account IDs, feedback ratings, and users' email addresses. 

According to WizCase, transaction data includes price, item purchased, time of purchase, payment provider, and occasionally the buyer's IP address. Users whose data was exposed were warned that it could have been snatched up by opportunistic cybercriminals scanning for misconfigured databases, and that information on how much money people had spent on the service could help fraudsters target the biggest spenders. 

WizCase warned that "it is common for unethical hackers and criminals on the internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look." Bad actors could utilize personal information like email addresses and user difficulties with the service to "pose as game support and send users to fraudulent websites where their credit card credentials can be stolen," according to the report. 

The company advised players to enter as little personal information as possible when purchasing or setting up an account, and parents not to lend their credit cards to their children. WizCase stated that it notified AMT Games of the data breach but received no response. Access to the database was later disabled by the company.

New Zealand Reserve Bank: Taking Action to Respond to Data Breach Reports

 

Two independent investigations into an unauthorized data breach and the handling of sensitive information have been announced by the Reserve Bank of New Zealand. 

“The Bank accepts the findings and has implemented, and will continue to implement, the recommendations,” stated Reserve Bank Governor Adrian Orr. 

“As signalled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritized these initiatives consistent with the recommendations outlined in the reports.” 

On December 25, 2020, the Reserve Bank became the target of a cyber-attack on the third-party application it utilizes to exchange and store information. Following that, KPMG was appointed to conduct an independent investigation into the bank's rapid response to the security incident and identify areas where the bank's systems and processes may improve. 

He also stated that, despite being the victim of a massive illegal attack on the file-sharing system, the Reserve Bank accepts complete responsibility for the inadequacies identified in the KPMG report. 

“We were over-reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.” 

According to KPMG, the bank's controls and processes need to be enhanced, which is now being done; had these procedures been in place at the time of the unlawful breach, the damage would have been lessened. 

Background 

In late 2020, the Bank recruited Deloitte to conduct an independent investigation to assist the Reserve Bank of New Zealand in better managing sensitive data. This was in response to two incidents in which sensitive information was improperly kept in a draft internal report and disclosed to a small group of financial services firms just before it was made public. 

Initiatives to put the report's recommendations into action are also underway. The Bank estimates that the total cost of the security breach response, including internal resources, will be around $3.5 million.

In January 2021, the Reserve Bank discovered a data breach through Accellion FTA, a third-party file-sharing application that was utilized to share and store information. As part of the inquiry into the event, the Bank recruited KPMG to conduct an independent assessment of its systems and processes.

Prometheus: Emerging Ransomware Group That Has Published Mexican Government Data For Sale

 

Emerging technology has changed the way money is made and wealth is hoarded: in the 21st century, information and data mean money, and the groups compromising the systems of large technology companies and of public and private organizations around the world have reached a new level of sophistication. 

The last few years have seen a rapid surge in cyberattacks around the world, and their frequency continues to grow dramatically. 

Recently, a new ransomware gang identified as ‘Prometheus’ has been making headlines. The group has become a threat to the Mexican Government after it published illegally obtained data on the dark web and offered it for sale the same day. 

With this incident, the group also became the first hacking group to hit a major Latin American state at this scale. 

Resecurity, a cybersecurity company based in Los Angeles, reported that the leaked data was stolen from multiple e-mail accounts through account takeover and business e-mail compromise (ATO/BEC), and by leveraging network resources belonging to several Mexican government organizations. The company added that the full extent and impact of the leaks cannot yet be determined. One thing is certain, however: this is an extortion game being played by malicious actors. 

Mexico is a major trading partner of the United States, the second-largest economy in Latin America, and the 17th-largest exporter in the world. The number of cybercrimes reported in the country has skyrocketed in recent years, and in 2020 Mexico became one of the countries with the most cybercrime in Latin America. 

The data leaked today on the Prometheus group's website belongs to 27 victims. They include Hotel Nyack (New York, USA), Ghana National Gas, enterprises in France, the Tulsa Cardiovascular Center of Excellence (Oklahoma, USA), and organizations in Switzerland, Norway, the Netherlands, the UAE, Brazil, and Malaysia. The Ransomware Task Force coordinated by the Institute for Security and Technology is currently researching the issue. 

Threat Actors Release Patient Data Stolen from New Zealand Hospitals to the Local Media

 

Cybercriminals who targeted hospitals in New Zealand’s Waikato district have published the stolen patient data to the local media outlets, with the outlets declining to publish the details as health systems struggled to come back online more than a week after the ransomware attack. According to the local media, the leaked data includes official-looking records and documents containing names, phone numbers, and addresses of patients and staff. 

The release of the information comes a week after the health system’s information services were entirely shut down by hackers, impacting clinical service, disrupting the treatment of patients and the payroll process of staff members. As a result, hospitals shifted to manual processes to support a backlog of patients while the public was asked to look for alternative avenues for treatment for non-critical conditions.

The breach follows a ransomware attack on Ireland’s hospitals that was very similar to the Waikato attack: officials were forced to shut down many of their computers after hackers gained access to the health service’s systems, hospitals had to cancel services, and staff had to rely on pen and paper rather than PCs. 

The Federal Bureau of Investigation (FBI) stated this week that the hackers who targeted the Irish hospitals call themselves the ContiLocker Team and use a strain of ransomware known as Conti to break into victims’ machines and extort payments. When Waikato hospitals first had to shut down, the head of New Zealand’s doctors’ association, Deborah Powell, said the attack appeared to be of the same type. 

“This is a criminal investigation and we have every confidence that it is being dealt with by NZ Police and cybersecurity experts. Care and safety of patients remain our highest priority, and we must concentrate on health services and supporting our staff to do their job,” Waikato DHB Chief Executive Kevin Snee said in a statement.

Andrew Little, the health minister and the minister responsible for New Zealand’s intelligence agencies, said he could not give anxious patients any assurance that their personal data hadn’t been compromised. 

The New Zealand government’s cyber agency refused to comment on the collaboration with Irish authorities regarding the incident. “The NCSC knows from its involvement in other significant cyberattacks that malicious actors can monitor what is being said in the media, and this can influence their behavior,” the National Cyber Security Centre said in a statement.

Fearing Data Breach, BBMP Shuts Down COVID-19 Test Data Collection Portal

 

The Bruhat Bengaluru Mahanagara Palike (BBMP) has shut down its COVID-19 test data collection portal after a possible data breach that allowed anyone to access citizens' health information. The issue was flagged by the Free Software Movement of India, which showed how the data could be accessed with nothing more than a phone number.

BBMP was collecting citizens' health records in its Public Health Activities, Surveillance, and Tracking (PHAST) portal, including name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/negative), sample collection and receipt dates, sample type, hospital name (if the patient was hospitalized), and symptom status. 

The Free Software Movement of India has asked the local authorities not only to conduct a security audit but also to take action against the software company for its complacency in designing software without any security. 

Kiran Chandra, general secretary of the Free Software Movement of India, wrote to BBMP Special Commissioner (Health and Information Technology) Rajendra Cholan P about the breach, saying it would not be hard for a data broker to harvest these details with an automated script. 

“The IT Rules of 2011 clearly state that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by ‘Reasonable security practices and procedures’. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individuals’ personal and sensitive data. The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic, can lead to misuse, exploitation and poses a catastrophic risk overall,” the letter read. 

However, BBMP Chief Commissioner Gaurav Gupta clarified on Friday that no data has been leaked from the portal. “While one could enter the phone number provided at the time of Covid-19 testing to get details including test result among others, the portal will now seek an OTP before allowing access to the information. The updated version of the portal would be made available soon,” he said on Friday. 
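The difference between a lookup gated only by the phone number and the OTP gate the commissioner describes, as an added illustration (not BBMP's or the PHAST portal's code): the record store, SMS delivery hook, validity window and attempt limit are constructed assumptions.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed sample records keyed by phone number (not real patient data).
RECORDS: Dict[str, dict] = {
    "9000000001": {"name": "Patient A", "result": "negative"},
    "9000000002": {"name": "Patient B", "result": "positive"},
}

OTP_TTL_SECONDS = 300      # assumed validity window for a code
MAX_OTP_ATTEMPTS = 3       # assumed guess limit per challenge


def lookup_by_phone_only(phone: str) -> Optional[dict]:
    """The weak design: the phone number alone unlocks the record.

    Phone numbers are short, predictable and trivially enumerated by a
    script, so this is an authorisation check in name only.
    """
    return RECORDS.get(phone)


class OtpGatedLookup:
    """The hardened design: the caller must prove control of the phone."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self._send_sms = send_sms   # hypothetical SMS delivery hook
        self._now = now             # injectable clock, for testing expiry
        self._pending: Dict[str, list] = {}   # phone -> [otp, expiry, attempts]

    def request_otp(self, phone: str) -> None:
        # Behave identically whether or not the number is on file, so this
        # endpoint cannot itself be used to enumerate which numbers were tested.
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[phone] = [otp, self._now() + OTP_TTL_SECONDS, 0]
        if phone in RECORDS:
            self._send_sms(phone, otp)

    def lookup(self, phone: str, otp: str) -> Optional[dict]:
        entry = self._pending.get(phone)
        if entry is None:
            return None                    # no outstanding challenge
        expected, expiry, attempts = entry
        if self._now() > expiry or attempts >= MAX_OTP_ATTEMPTS:
            del self._pending[phone]       # expired or locked out
            return None
        entry[2] += 1
        if not hmac.compare_digest(expected, otp):
            return None                    # wrong code; one attempt consumed
        del self._pending[phone]           # a code is good for exactly one lookup
        return RECORDS.get(phone)
```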

Unfortunately, this is the second instance when the data of COVID-19 patients has been compromised. In November last year, a Bengaluru resident accidentally discovered a massive loophole in the Karnataka government’s website where people could check their COVID-19 results. At the time, resident Shashi Kumar put out a series of tweets explaining how sensitive information could be obtained just with the SRF number issued at the time of testing.

Canada Post's Data Breach Affected 950K Customers

 

Canada Post, the state-owned postal service, has reported that a cyber-attack on a third-party provider resulted in a data breach affecting 950,000 parcel recipients. Canada Post Corporation, also known as Canada Post, is a Crown corporation that serves as the country's primary postal operator. 

Canada Post claimed in a press release on May 26 that it had notified 44 "major business customers" that they may have been compromised by "a malware assault" targeting Commport Communications, a supplier of electronic data interchange (EDI) services. 

On May 19, the supplier informed Canada Post that “manifest data housed in their systems, which was related with some Canada Post customers, had been compromised.” 

Canada Post stated that the data was compromised between July 2016 and March 2019, with 97% of it consisting of the names and addresses of receiving consumers; according to the firm, the remaining 3% contained email addresses and/or phone numbers. The Crown corporation has already "taken preventive measures and will continue to take all required efforts to mitigate the repercussions," according to the statement. 

“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue,” the statement further read.

According to Canada Post, a thorough forensic investigation was conducted, but “no evidence” of financial information being compromised was found. Despite the fact that the breach was caused by a supplier, Canada Post claimed in a statement on Wednesday that they “sincerely regret the difficulty this may cause our valued customers. Canada Post respects customer privacy and takes matters of cybersecurity very seriously.”

“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” the company said.
 
The postal service is currently "proactively alerting" impacted business clients, as well as providing the required support and information "to help them select their future steps." “The Office of the Privacy Commissioner has been notified,” Canada Post said.

Canada Post also mentioned that in November 2020 Commport Communications had reported "a potential ransomware issue" to Canada Post's IT division, Innovapost. However, “Commport Communications advised there was no evidence to imply any customer data had been hacked at that time,” according to the report.

Plaintext Passwords of 8.3 Million Users Leaked in a DailyQuiz Data Breach

 

Earlier this year, a cybercriminal exploited vulnerabilities in the DailyQuiz server and stole the personal details of 13 million users, which were then offered for sale on the dark web and on Telegram channels. 

According to The Record, the database contained details of nearly 12.8 million users, including plaintext passwords, emails, and IP addresses for 8.3 million accounts. It had been sold since January 2021 for around USD 2000 in cryptocurrency but is now publicly accessible after landing in the hands of a security researcher. 

The leaked data has also been provided to Have I Been Pwned, a website run by Australian security researcher Troy Hunt; DailyQuiz users can visit it to check whether their personal details were exposed in the breach. When approached by The Record for comment on the breach, DailyQuiz declined to comment. The company may nevertheless have some explaining to do, especially about storing users’ passwords in plaintext, a big security no-no.

Unfortunately, DailyQuiz is not the first company that committed the error of storing passwords in plaintext; others that made the same mistake also include the likes of Russian social media giant VK, Italian email provider Email.it, stock trading service Robinhood, Google’s G Suite platform, and even social media giant Instagram. 

Security risks to DailyQuiz users 

The most exposed users are those who reused their DailyQuiz username, email, and password on other sites. They should change those passwords immediately and are also advised to check and update any financial information linked to those accounts.

Security researchers advise this because cybercriminal groups collect victims' personal details and use them for credential stuffing attacks, in which they try a person’s DailyQuiz username/email and password combination at other online services in an attempt to hijack other accounts.

Studies suggest that a majority of users, by some estimates as many as 85%, reuse the same login credentials across multiple services. As long as this practice continues, credential stuffing will remain profitable. Breaches like this one fuel such attacks because the plaintext passwords can be used right away, without the attackers having to spend large computational and financial resources cracking hashed passwords (the form in which most passwords are stored).
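A detection heuristic for the credential stuffing described above, as an added example (not from The Record or DailyQuiz): replayed breach credentials show up at the receiving service as one source address trying many distinct accounts with mostly failures inside a short window. The log format, the sample events and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed login events in an assumed format:
#   "<ISO-8601 time> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.5 is a user mistyping once; 198.51.100.7 walks a credential list.
SAMPLE_LOG = """\
2021-06-01T10:00:00 203.0.113.5 alice LOGIN_FAIL
2021-06-01T10:00:09 203.0.113.5 alice LOGIN_OK
2021-06-01T10:01:00 198.51.100.7 alice LOGIN_FAIL
2021-06-01T10:01:02 198.51.100.7 bob LOGIN_FAIL
2021-06-01T10:01:04 198.51.100.7 carol LOGIN_FAIL
2021-06-01T10:01:06 198.51.100.7 dave LOGIN_OK
2021-06-01T10:01:08 198.51.100.7 erin LOGIN_FAIL
2021-06-01T10:01:10 198.51.100.7 frank LOGIN_FAIL
2021-06-01T10:01:12 198.51.100.7 grace LOGIN_FAIL
2021-06-01T10:01:14 198.51.100.7 heidi LOGIN_FAIL
2021-06-01T10:30:00 192.0.2.10 bob LOGIN_OK
2021-06-01T10:45:00 192.0.2.10 carol LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


class Event(NamedTuple):
    ts: float
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        events.append(Event(ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"))
    return events


def detect_stuffing(events: List[Event], window_seconds: int = 60,
                    min_accounts: int = 5, min_fail_rate: float = 0.6) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding window, attempt at least
    min_accounts distinct usernames with a failure rate >= min_fail_rate.
    Returns ip -> stats of the window with the most distinct accounts."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        j = 0
        for i in range(len(evs)):
            # advance the right edge while it stays inside the window
            while j < len(evs) and evs[j].ts - evs[i].ts <= window_seconds:
                j += 1
            window = evs[i:j]
            users = {e.user for e in window}
            fails = sum(1 for e in window if not e.ok)
            rate = fails / len(window)
            if len(users) >= min_accounts and rate >= min_fail_rate:
                stats = {"accounts": len(users), "attempts": len(window),
                         "failures": fails, "fail_rate": rate}
                if ip not in flagged or stats["accounts"] > flagged[ip]["accounts"]:
                    flagged[ip] = stats
    return flagged
```

The single successful login from the flagged address is the part worth acting on: it is the account whose reused credentials actually worked and should be forced to reset.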

Japanese E-Commerce Platform Mercari Suffers Major Data Breach

 

Mercari, an e-commerce platform, has disclosed a major data breach that occurred as a result of the Codecov supply-chain attack. Mercari is a publicly listed Japanese online marketplace that has recently expanded its operations to the United States and the United Kingdom. 

As of 2017, the Mercari app had been installed by over 100 million people around the globe, making the firm the first in Japan to achieve unicorn status. 

The popular code coverage tool Codecov was the victim of a supply-chain attack that lasted two months, during which the attackers modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments. 

Using the credentials gathered from the tampered Bash Uploader, the Codecov attackers went on to breach hundreds of customer networks. Now the e-commerce giant Mercari has disclosed a major impact of the Codecov supply-chain attack on its customer data, confirming that the breach exposed tens of thousands of customer records, including financial details, to threat actors. 
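Two defender-side checks for the scenario above, as an added illustration (not Codecov's or Mercari's code): refusing to run a downloaded uploader script whose SHA-256 does not match a hash pinned in the repository, and listing which CI variables a script with environment access could have read, to scope credential rotation afterwards. The script bytes, the environment and the secret-name patterns are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed stand-in for a downloaded uploader script; not Codecov's script.
SCRIPT_OK = (
    b"#!/bin/bash\n"
    b"# upload a coverage report (constructed placeholder)\n"
    b'upload_report() { echo "uploading $1"; }\n'
)
# In practice the pinned digest is committed next to the CI config and
# updated deliberately on each upgrade; here it is derived from the
# known-good bytes so the example is self-contained.
PINNED_SHA256 = hashlib.sha256(SCRIPT_OK).hexdigest()

# The same script with one extra line, standing in for a tampered download.
SCRIPT_TAMPERED = SCRIPT_OK + b"# extra line inserted after publication\n"


def verify_script(script: bytes, pinned_hex: str) -> bool:
    """True only if the script bytes hash to the pinned SHA-256."""
    digest = hashlib.sha256(script).hexdigest()
    return hmac.compare_digest(digest, pinned_hex.strip().lower())


def require_pinned(script: bytes, pinned_hex: str) -> bytes:
    """Gate for a CI step: hand the script on for execution or refuse."""
    if not verify_script(script, pinned_hex):
        raise RuntimeError("uploader script does not match pinned SHA-256; refusing to run")
    return script


# Name patterns that usually mark a CI variable as a secret (assumption).
SECRET_NAME_RE = re.compile(
    r"(secret|token|passw(or)?d|api_?key|private_?key|credential|access_key)",
    re.IGNORECASE,
)


def exposed_secret_names(environ: Dict[str, str]) -> List[str]:
    """Names of variables a script with full environment access could have
    read; the list is the minimum rotation scope after such an incident."""
    return sorted(name for name in environ if SECRET_NAME_RE.search(name))


# Constructed CI environment; all values are placeholders.
SAMPLE_CI_ENV = {
    "PATH": "/usr/bin",
    "HOME": "/home/ci",
    "CI": "true",
    "CODECOV_TOKEN": "placeholder",
    "AWS_SECRET_ACCESS_KEY": "placeholder",
    "NPM_TOKEN": "placeholder",
    "DB_PASSWORD": "placeholder",
}
```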

According to Mercari, its investigation found that the following details were compromised: 

• Between August 5, 2014, and January 20, 2014, 17,085 records related to the transfer of sales proceeds to customer accounts. The leaked data included bank code, branch code, account number, account holder name (in kana), and transfer amount. 

• 7,966 records on certain ‘Mercari’ and ‘Merpay’ business associates, including names, dates of birth, affiliations, e-mail addresses, and more. 

• 2,615 records on certain workers, including Mercari employees: employee names, company email addresses, employee IDs, phone numbers, dates of birth, and other information as of April 2021. 

• Details of former staff, vendors, and external company employees who handled 217 Mercari customer service support cases between November 2015 and January 2018. 

• Customer information exposed includes name, address, e-mail address, phone number, and inquiry material. 

• 6 records related to a May 2013 incident.

Shortly after Codecov’s initial disclosure in mid-April, Mercari became aware of the consequences of the Codecov breach.

Mercari was also notified by GitHub on April 23rd of suspicious activity on Mercari’s repositories linked to the incident. After finding that a malicious third party had obtained and misused its authentication credentials, the company immediately deactivated the compromised credentials and secrets while continuing to investigate the full scope of the breach.

"At the same time as this announcement, we will promptly provide individual information to those who are subject to the information leaked due to this matter, and we have also set up a dedicated contact point for inquiries regarding this matter," Mercari stated in its original press release.

"In the future, we will continue to implement further security enhancement measures and investigate this matter while utilizing the knowledge of external security experts, and will promptly report any new information that should be announced. We sincerely apologize for any inconvenience and concern caused by this matter," the company further added.

Data Breach: Affects Student Health Insurance Carrier guard.me

Student health insurance provider guard.me has taken its website offline after a vulnerability enabled a threat actor to access policyholders' personal details. 

guard.me is among the world's largest insurance providers in international education, covering thousands of individuals studying and working abroad. It was founded in 1998 and is incorporated in Canada as Travel Healthcare Insurance Solutions Inc. 

guard.me discovered suspicious activity on its website on May 12th, after a vulnerability had permitted a threat actor to access policyholders' personal details. Visitors to the site are now automatically redirected to a maintenance page informing them that the site is unavailable while the insurance provider enhances its security. 

"Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible," reads the notice on the guard.me website. 

Today, guard.me began sending data breach notifications to students, according to BleepingComputer, stating that a website vulnerability enabled unauthorized people to access policyholders' personal details. 

"Our Information Systems team found suspicious activity on our website late on May 12, 2021, and as a precaution, they took down the website and took immediate measures to protect our systems. The security flaw has been fixed. Our investigators are working closely to discover more about the incident," guard.me states in the data breach notification. 

Through this flaw, the threat actor was able to gain access to students' dates of birth, sex, and encrypted passwords. The email addresses, mailing addresses, and phone numbers of some students were also exposed. 

According to the international student health insurance company, the bug was patched and urgent steps were taken to protect its systems, which have since withstood further attempts by its cybersecurity team to circumvent the additional protections. The company also reports that it is implementing new security measures, such as database segmentation and two-factor authentication. 

Guard.me is a Canadian corporation, so it is unclear whether it has informed the Privacy Commissioner of Canada about the breach; it has not responded to BleepingComputer's requests for more details.