Search This Blog

Showing posts with label Data Leak. Show all posts

Private Details Compromised After Cyber Attack on NSW Health

 

The New South Wales Ministry of Health (NSW Health) has confirmed that it was impacted by a cyberattack involving the Accellion file transfer system. The system was widely used to share and store files by organizations across the globe, including NSW Health. 

NSW Health has been working with NSW Police and Cyber Security NSW and to date, and so far, there is no evidence any of the information has been misused. Strike Force Martine has been set up to determine the impact on NSW government agencies that were caught up in the attack on Accellion.

It is estimated that some 100 organizations across the globe were affected by the Accellion hack, including global corporations, financial institutions, government departments, hospitals, and universities. Within this group, the company said that fewer than 25 appeared to have suffered significant data theft. 

"Following the NSW government's advice earlier this year around a worldwide cyber-attack that included NSW government agencies, NSW Health is notifying people whose data may have been accessed in the global Accellion cyber-attack. Different types of information, including identity information and in some cases, health-related personal information, were included in the attack," NSW Health spokesperson stated.

The local authorities said medical records in public hospitals were not stolen and the software involved is no longer in use by NSW Health.

 “A cyber incident help line has been set up to provide further information and support to those people NSW Health is contacting. If you are contacted by NSW Health, you will be given the cyber incident help line details; if you are not contacted by NSW Health, no action is required. The privacy of individuals is of the utmost importance to NSW Health, and we are making impacted people aware of the attack so that they can take appropriate precautions and access our support services," the spokesperson added. 

In April 2020, the NSW government suffered a cyberattack compromising the private records of 186,000 customers. After an investigation that lasted four months, Service NSW said it discovered that 738GB of data (over 3.8 million documents), was stolen from 47 staff email accounts. 

The Australian Securities and Investments Commission (ASIC) confirmed in January that one of its servers was breached in relation to Accellion software used by the agency to transfer files and attachments.

Prometheus: Emerging Ransomware Group That Has Published Mexican Government Data For Sale

 

Emerging technology has changed the way we make money or hoard wealth, indeed as in the 21st century, information and data means money, and the spy groups that are compromising systems of large tech companies around the world including public and private organizations, have reached some sort of a pinnacle of sophistication. 

The last few years have witnessed a rapid surge in cyberattacks around the world and the consistency of these attacks has been growing dramatically. 

Recently, a new ransomware cyber gang identified as ‘Prometheus’ is making headlines, the group has become a threat to the Mexican Government as the threat actors published illegally compromised data on the dark web which was available for sale today itself. 

Following the aforementioned security incident, the group also became the first cyber-hacking group that has assailed the big state of Latin American at this level. 

Resecurity, a cybersecurity company out of Los Angeles while reporting about the attack said, the leaked data was compromised from the multiple e-mails handles as a result of ATO/BEC and leveraging network resources that belong to several Mexican government firms. The company also added that as of now, it is not easy to determine the extent of consequences and the end impact of the leaks. However, one thing is ascertained: it is an extortion game that has been played by malicious actors. 

As per the available data, Mexico is known as the big trading partner of the United States, the second-largest economy in Latin America, and the 17th-largest exporter around the world. In the past few years, the number of cybercrimes reported in the state has skyrocketed and in 2020, Mexico has become one of the countries with the most cybercrimes in Latin America. 

The data that has been leaked today on the website by the Prometheus group belongs to 27 victims. Some victims are from Hotel Nyack (New York, USA) Ghana National Gas, enterprises in France, and Tulsa Cardiovascular Center of Excellence (Oklahoma, USA), and others are from Switzerland, Norway, Netherlands, UAE, Brazil, and Malaysia. For the time being, The Institute for Security and Technology-coordinated Ransomware Task Force is conducting its research on the issue. 

Domino’s Data Leak Exposed Data of 18 Crore Orders

 

The famous Pizza company Dominos suffered a data leak again this year wherein the details of 18 crore orders are made accessible on the dark web, according to some security experts. 

A hacker alleged that earlier in April he had successfully gained access to Dominos data in the value of 13TB. Data belonging to more than 180,00,000 purchase orders containing telephone numbers, e-mail addresses, and billing information, and user credit card details would be included in the leak. 

Domino's Pizza, Inc. is a multinational American pizza restaurant chain established in 1960, known as Domino's. The F&B chain is particularly prominent in India, which can be seen in the smooth functioning of its operations despite the ongoing pandemic. 

Rajshekhar Rajaharia, a security expert, took to Twitter to announce that Dominos was again infringed upon while showing that 18 crore orders' data was made available as hackers built a search engine on the Dark Web; customers will most probably find their personal information there if they are regular dominos buyers. The information leaked comprises users' name, e-mail, telephone number, and even their GPS locations. 

"Data of 18 crore orders of Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include Name, Email, Mobile, GPS Location, etc," Rajaharia tweeted. 

The incident was brought to light before the beginning of April by Alon Gal, CTO of cybersecurity company Hudson Rock. He said that users' data were sold for about ten BTC by hackers. The hackers want to create a search engine to enable data to be queried, Gal further added. 

The data compromised include 10 Lakh credit card details and even addresses of people who have purchased Dominos Pizza. However, Dominos India had denied leakage of financial information of users in a declaration given to Gadgets 360. 

When Jubilant Food Works, the master franchise holder for Domino's in India, Nepal, Sri Lanka, and Bangladesh, was approached, it was confirmed that the company recently had a security incident but no financial details were revealed. 

"Jubilant Food Works experienced an information security incident recently. No data about financial information of any person was accessed and the incident has not resulted in any operational or business impact.” 

"As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident," the company spokesperson said.

Data Breach: Affects Student Health Insurance Carrier guard.me

After a vulnerability enabled a threat attacker to access policyholders' personal details, student health insurance provider guard.me has taken their website offline. 

guard.me is among the world's largest insurance providers in international education, protecting thousands of individuals studying and working abroad. Founded in 1998 and incorporated in Canada as Travel Healthcare Insurance Solutions Inc. 

On May 12th, after a vulnerability permitted a threat actor to access policyholders' personal details, Guard.me discovered suspicious activity on their website. Visitors to the website are automatically redirected to a maintenance page informing them that the site is unavailable while the insurance provider enhances security. 

"Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible." displays on the guard.me website. 

Today, guard.me started sending out data breach notifications to students, according to BleepingComputer, stating that a website vulnerability enabled unauthorized people to access policyholders' personal details. 

Our Information Systems team found suspicious activity on our website late on May 12, 2021, and as a precaution, they took down the website and took immediate measures to protect our systems. The security flaw has been fixed. Our investigators are working closely to discover more about the incident, guard.in states on the data breach notification. 

The threat actor was able to gain access to students' dates of birth, sex, and encrypted passwords thanks to this flaw. The email addresses, mailing addresses, and phone numbers of certain students were also made public. 

The bug was patched, and urgent steps to protect their system were taken, according to the international student health insurance company, and it has withstood more attempts by their cybersecurity team to circumvent the additional protections. The insurance company also reports that they are implementing new security measures, including such as database segmentation and two-factor authentication. 

Guard.me is a Canadian corporation, so it's unclear whether it informed the Privacy Commissioner of Canada about the violation, and it hasn't responded to BleepingComputer's requests for more details.

App Census Study Reveals that Android Devices Leak User Data Stored in Contact Tracing Applications

 

According to security experts, hundreds of third-party applications on Android devices have access to confidential information collected by Google and Apple API contact-tracking devices. The Department of Homeland Security provided about $200,000 to App Census, a U.S. start-up that specializes in data protection practices in Android applications, earlier this year for testing and validating the reliability of contact tracking apps. 

The researchers of the business observed that the primary contact tracking information inside the device's system logs are recorded by Android Phones logging data from applications that use Google and Apple's Exposure Notifications System (ENS), that is used for collecting details, and usually where applications receive usage analytics and malfunction reports data. 

In an effort to assist medical authorities around the globe to develop contact tracing apps associated with the data protection requirement underlying the Android and iOS ecosystems, Google and Apple jointly launched ENS last year. API built by Apple and Google allows governments to build decentralized Bluetooth-based contact tracking software. 

The app-equipped devices send confidential, regularly changing IDs, known as RPIs, that are diffused via Bluetooth in such a way that nearby telephones that also use the application can be "heard". 

The observations of App Census reveal that the two Tech Giants' privacy pledge has certain deficiencies. Both transmitted and heard RPIs can indeed be identified in the machine logs of Android phones – as well as the device even records the existing Bluetooth MAC address of the destination server on RPIs that have been heard. Thus App Census found many ways of using and computing datasets to conduct data protection attacks since the RPI and the Bluetooth MAC addresses are unique and anonymized.

"Of course, the information has to be logged somewhere to do the contact-tracing, but that should be internally in the ENS," Gaetan Leurent, a researcher at the French National Institute for Research in Digital Science and Technology (INRIA), stated. "It is unsettling that this information was stored in the system log. There is no good reason to put it there." 

The RPIs could have been used along with different pieces of datasets to determine that whether users checked for COVID-19 positively, whether they had contacted an infectious individual or whether two persons met each other with access to device registers from multiple users. It is meant to preserve privacy in the contact tracing process, and precisely this type of data should be avoided. Therefore, the entire defense which should form the foundation of this protocol is defeated. 

A Google spokesperson told: "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code." 

The spokesman added that these Bluetooth identifications neither disclose the location of a customer nor provide any other identifying details, and also they are not aware that they were used in any manner. As per Google, roll started many weeks ago with the upgrade on Android devices and is due to be completed in the coming days. Previous publications of the researcher have shown that irrespective of implementation, the use of digital technology for contact tracking would necessarily present a risk to privacy.

Credit Scores of Americans were Exposed Through Experian API

 

According to a researcher, almost every American's credit score was leaked due to an API platform used by the Experian credit bureau that was left accessible on a lender's website without even basic security safeguards. Experian, for its part, dismissed security experts' fears that the problem could be structural. 

The Experian Connect API is a platform that helps lenders to simplify FICO-score queries. According to a published article, Bill Demirkapi, a sophomore at Rochester Institute of Technology, was looking for student loans when he came across a lender who would verify his eligibility with only his name, address, and date of birth. Demirkapi was taken aback and wanted to look into the code, which revealed that the tool was driven by an Experian API, he said.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.” 

Demirkapi said he was able to create a command-line tool called "Bill's Cool Credit Score Lookup Utility" that allowed him to automate lookups even after entering all zeros in the fields for date of birth. Krebs said he was able to use the API link to get “risk factors” from Experian that clarified possible vulnerabilities in a person's credit background, in addition to raw credit scores. He ran a credit check for his buddy "Bill," who had “Too many consumer-finance company accounts,” according to his mid-700s credit score.

Demirkapi refused to reveal the identity of the lender or the website where the API was revealed to Experian. He declined because he believes there are hundreds, if not thousands, of firms using the same API, and that all of those lenders are leaking Experian's customer data in the same way. “If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained. 

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”

250 Million Americans Sensitive Data Leaked Online by Pompompurin

 

As of 22nd April 2021, a Pompompurin named hacker group dropped a database of more than 250 (250,806,711) million American citizens and residents which included their personal and sensitive household information. 

The database that was published on a popular hacker forum, included 263 GB of documents, each with 200,000 CSV subfiles. Although the origin of the leak comes from open Apache SOLR on Amazon Web Server, it is not clear who obtained or managed the data. Besides, three separate IP addresses were made accessible for the data which is something the hacker obtained before its owner disabled or reassigned them. 

The stolen information is nothing short of a treasure trove for cybercriminals and state-supported hackers as it contained massive amounts of information such as full names, telephone numbers, mailing addresses, DOB, Status of marriage, home developed year, Zip code, gender, house rental, home address, credit capability, political participation, number of proprietary cars, details on wages and taxes, number of domestic animals, children's numbers in a home. However, the leak didn’t contain any passwords. 

After the database had been leaked online for a whole week, it was then exposed alongside Telegram chat groups on even several Russian-speaking hacker forums. 

The leaked documents are a treasure trove among malicious people looking for US civilians based on the ongoing diplomatic line-up between Russia and the United States over the SolarWinds hack. 

Moreover, this is not the first instance that US people and residents have been unveiled with a collection of confidential household data online. Data of 200 million people from the US was mistakenly disclosed by a marketing agency in June 2017. Further in December 2017, a data analytics company based in California revealed household data, in which 123 million Americans were compromised due to an AWS bucket that was not properly installed. 

The leaked documents now constitute a threat to the confidentiality and physical protection of victims online. Although some may use the data to find people, hackers and scammers may send phishing emails, SMS, and use the data to try SIM swapping or other identity frauds. However, if an unknown party sends users an email emphasizing clicking on a connection or logging in then they must not click on the links sent as Text messaging.

Crypto at Risk After Facebook Leak: Here’s how Hackers Can Exploit Data

 

The tech giant Facebook has been hit with a new wave of data leaks, yet again but this time, the number of users whose records were exposed was not 50 million but a massive 500 million. 

According to a security analyst, sensitive personal information for over half a billion Facebook users was leaked on a well-trafficked hacking forum on April 3, posing a danger to millions of cryptocurrency traders who may now be susceptible to sim swapping and other identity-based attacks.

What should be done? 

In response to the question that how exactly does this most recent breach place at risk the crypto assets of individuals, Dave Jevans, CEO of blockchain security firm CipherTrace, told Cointelegraph that people who have had their phone numbers leaked need to be extra careful because a lot of fraud involving digital assets hinges on such details. 

He further added, “We’ve seen an increase in SIM swaps, phishing attacks, and other types of fraud involving cryptocurrencies that rely on acquiring the phone numbers of victims to execute. Leaked info about the identity of high-profile crypto users gave bad actors the ability to target them.” 

Ben Diggles, co-founder, and chief revenue officer at Constellation, told Cointelegraph that Facebook's latest security lapse is unsurprising, especially given that most Facebook users have a different approach, in which they prefer their world to be managed and structured for them. 

“Those that are crypto holders that were on the list have little to worry about unless they were storing descriptive details of their holdings and access on their Facebook account. However, these hackers have gotten really sophisticated, so I have no idea what tricks they may have [up] their sleeves with regards to scraping info specific to crypto wallets and exchanges.”, he added. 

However, he suggests that most users should update their passwords for all of their social media profiles, as well as all other sites that share their data with Facebook, as a precaution. 

Does decentralization matter? 

As more data leaks occur, a large majority of people around the world are understanding the value proposition that decentralized systems offer in terms of protection, particularly, since they do not feature a single point of failure. 

On the matter, Eli Arkush, a cloud solutions engineer at cybersecurity firm GlobalDots, suggests that having a platform's backend system distributed using blockchain technology could make it more difficult for hackers to obtain user information; however, once credentials fall into the wrong hands, password reuse may become a concern. 

However, Stephen Wilson, the CEO of Lockstep Group and a member of the Australian government's National Blockchain Roadmap Cybersecurity Working Group, believes that, contrary to popular belief, storing personal information on any blockchain ecosystem is never a good idea. He pointed out that the type of personal data breached by Facebook should never be stored in a blockchain, and even if it is, such data can never be completely protected by blockchain in the long run.

“Blockchain and DLTs usually only decentralize some aspects of data management. They don’t usually decentralize data storage in any relevant sense because they tend to duplicate ledger entries across multiple systems. The storage is distributed, but identical copies of information are available in multiple locations and can be vulnerable to attackers or thieves.”, he further added. 

Most hacking schemes in the past have primarily focused on stealing funds from cryptocurrency exchanges. For example, in 2014 and 2018, the total amount of money compromised as a result of exchanges being hacked was $483 million and $875 million, respectively. 

However, an increasing number of offenders are focusing their attention on stealing user data because it provides them with unique opportunities to obtain funds quickly. As a result, cryptocurrency owners must protect their assets.

Cyberextortion Threat Evolves as Clop Ransomware Attacked 6 U.S Universities Data Security

 


Malicious actors are now using novel ways to extract universities' data, and are threatening to share stolen data on dark websites unless universities pay them a lot of money. 
The current update reads that the Clop ransomware group claimed to have access to six top universities of the United States including institutions’ financial documents information and passport data belonging to their staff and students. According to the report, a group of hackers has first posted the stolen data online on March 29. 

The universities' that have been attacked, include — The University of Miami, the Yeshiva University, the University of Maryland, the Stanford University, the University of Colorado Boulder, And the University of California, Merced. 

However, there is no official confirmation regarding this cyber-attack from any of the aforementioned universities, it's unsure whether or not the cyberinfrastructure of these universities has been attacked or the hacker group asked for money in exchange for data. 

Additionally, a few days back, Michigan State University also confirmed a cyber attack by a group that was threatening to share it on the dark websites unless a bounty is paid. 

The data stolen by the Clop ransomware group include federal tax documents, passports, requests for tuition remission paperwork, tax summary documents, and applications for the Board of Nursing. 

This data breach affected several individuals and staff of the universities as the shared information also exposed sensitive credentials, such as names of individuals, date of birth, photos, home addresses, immigration status, passport numbers, and social security numbers. 

Not only this, but some news websites also confirmed that the leaked data included several more screenshots including retirement documentation, and 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and the UCPath Blue Shield health savings plan enrollment requests, amid much more. 

It should be noted that such attacks are not unusual for the Clop ransomware group as the group is known for its assault against various organizations. Furthermore, Michigan State University’s officials stated in the regard that, “Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president”.

Data Leak of 10cr Users: ‘The Largest KYC Data Leak in History’

 

According to cybersecurity researcher Rajshekahar Rajaharia, mobile payment app Mobikwik came under attack after the data of 10 crores of its users was posted for sale on a hacker website on the dark web. The alleged data breach was conducted by a group of hackers known as the ‘Ninja Storm,' who have also been selling the ‘leaked' details online since March 26. 

The data is being sold for 1.5 Bitcoins, which is nearly Rs 63 lakhs, as per a post by the hacker community. Ever since tens of thousands of people have taken to Twitter to share screenshots of their personal information being exposed. It is the ‘largest KYC data leak in history,' according to cybersecurity researcher Elliot Laderson. 

Personal information of merchants who obtained loans via Mobikwik is also said to be available for purchase in exchange for bitcoins. Over 4 crore Mobikwik customers' card details and hashes are reportedly included in the leak. 

The Gurugram-based fintech firm has maintained a denial of its involvement in the breach, accusing the researchers who made the infringement public of being "media-crazed" and offering "concocted files" as evidence. "We thoroughly investigated and did not find any security lapses. Our user and company data are completely safe and secure," said a spokesperson from Mobikwik. 

On January 20, a hacker named 'Jordan Daven' took over 8 terabytes (TB) of private user data from Mobikwik's main server and posted it on dark-web websites, according to Rajaharia. “Regular keys and passwords should have been changed and logs should have been monitored to prevent this kind of security compromise,” he said. 

Furthermore, in February, Rajaharia claimed that a hacker was selling Mobikwik user data, including PAN card numbers, Aadhar numbers, debit/credit card numbers, phone numbers, and other personally identifiable information that is typically exchanged mostly during Know Your Customer (KYC) process. 

To complicate things, Mobikwik claims that its technology has not been hacked. In a statement, it said, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media.“ 

It isn't the first time Mobikwik has been the target of a cyber-attack. The business witnessed another information security incident in 2010. 

According to reports, the Reserve Bank of India is keeping an eye on such security breaches and has enacted many new regulations, along with the upcoming payment aggregator and payment gateway guidelines, that will limit customer data exposure to a few databases of approved gateways.

Russian Hacking Forum Maza Hijacked, Suffers Data Breach

Cybercriminal forum Maza was recently hit by a data breach that led to the leak of user information. Earlier this week, experts at Flashpoint found the breach suffered by Maza, (earlier called Mazafaka) that has been on the web since 2003. It is a reserved and strictly restricted platform for Russian hackers. The group is involved in carding, which involves the selling of stolen credit card/financial information on the web, besides this, the forum discusses spam, exploits, malware, phishing attacks, money laundering, and much more. The hackers posted a warning message "This forum has been hacked/Your data has been leaked," after the successful breach of the platform.  

The leaked information includes usernames, user IDs, email IDs, links to messenger app that include- MSN, messenger, and login credentials (obfuscated and hashed). ZDNet reports, "In January, Russian forum Verified was taken over without warning. The introduction of new domains, temporary open registration, and the silence of old moderators has raised suspicion among some users as to the intentions of the new owners." According to Flashpoint, around 2000 user accounts were breached. Users discussing the breach said that they'll now have to find another forum, whereas other users believe that the breach is partial or old. 

As of now, the experts are unaware of who hijacked the forum besides the fact that hackers might have used an online translator to post the warning. It implies that the hackers may not be Russian speaking unless they did it intentionally to misguide.  This is not the first time Maza was hacked, back in 2011 by a rival group named DirectConnection, around 2000 user accounts were leaked. Soon, DirectConnection was compromised as a retaliation.  

Aleksei Burkov, known as alias 'Kopa,' is said to be the admin for both the forums. He was sentenced to prison for 9 years by US authorities against the charge of running the Cardplanet carding forum. "Users may be justified in such concerns, especially considering law enforcement is now posting 'friendly' warnings on hacking forums to discourage illegal activities," says ZDNet.As of now, no latest developments have appeared. Stay updated to know more.

Data of 14 Million Amazon and eBay Accounts Leaked on Hacking Websites

 

An anonymous user offered 14 million data from Amazon and eBay accounts on a prominent hacking website for dissemination. The details seem to have been obtained from customers of Amazon or eBay having accounts from 18 countries between 2014-2021.

In Seattle, USA- focused on e-commerce, cloud computing, internet streaming, and artificial intelligence, Amazon.com Inc. is an international corporation based in Washington. Founded in 1994, the business was named "one of the most influential economic and cultural forces in the world" as well as the most valuable brand in the world. Whereas eBay Inc. is also a U.S. international e-commerce company headquartered in San Jose, California that allows transactions and sales to customers and companies through its website. eBay was founded in 1995 by Pierre Omidyar and became a remarkable success story for the dot-com bubble. 

The database acquired by the hacker was sold for 800 dollars where the accounts were divided through each country. The details leaked contain the entire customer name, mailing code, shipping address and store name, and a telephone number list of 1.6 million users. Although two copies had already been sold, the blog publisher has now closed the deal. 

The way the blog-publisher has acquired data is at present- unclear. Though the firm researching this incidence did not independently check or validate that Amazon or eBay data were certainly from the 2014-2021 period. A representative of Amazon said that the allegations had been reviewed with no evidence of any data violation. 

Also, it is more probable that Amazon or eBay have not experienced any infringements. Instead, a common form of password spraying was presumably used by the threat actor to get the passwords. Spraying passwords is an attack attempting to enter a wide number of accounts with a few popular passwords (usernames). Standard attacks by brute forces seek to enter a single account by guessing the password.

Fortunately, highly confidential material, including billing records, national ID numbers, or even e-mail addresses, does not exist on the server. However, the data being sold at this time is also potentially vulnerable and can be used for a range of reasons, such as doxing users by public dissemination of private data (e.g. sensitive things that nobody needs to hear about). The data may also be exploited by cybercriminals for purposes of creating a spam list or business intelligence.

Resident Evil Developer Capcom Became a Victim of Ransomware Attack

 

The year 2020 had been a year that witnessed a lot of data leaks and hacks of assorted kinds for apps and websites. This time it was the turn of an Osaka headquarters video game developer company, Capcom that became the victim of a data breach and ransomware attack in November 2020. Not only the company but its users have also been compromised because of this attack. As a result of the ransomware attack, Capcom had to shut down its assorted parts of the network including its email and file services. 

Initially, they never disclosed that if any customer's information was breached or any of its websites, servers, or games were compromised because of this attack. However, on 16th November 2020, the company published that almost 9 of its users had their personal information compromised and further added that 350,000 of its users were at risk of a data breach. 

In this attack, Capcom witnessed hundreds of thousands of pieces of personal data stolen from its servers, including the names and addresses of customers and former employees. The estimated number of victims of the aforementioned case is 16,415. 

Capcom later affirmed that they were suspicious that the company’s information, including "sales reports, financial information, game development documents, [and] other information related to business partners," was illicitly accessed during the attack. They stated that Documents matching that description have been circulating around certain corners of the Internet since November. 

Capcom further stated that "the company has also ascertained that the potential maximum number of customers, business partners, and other external parties, etc., whose personal information may have been compromised in the attack is approximately 390,000 people (an increase of approximately 40,000 people from the previous report)." 

Not only that Capcom's network was hit by a Ransomware attack but a note was also left on the server by the threat actors. The letter affirmed that Ranga Locker, the ransomware gang is behind this cyber-attack. The gang left some hyperlinks as proof of the attack by them. Those links led the company to a file that had personal information of the company and its users as well as employees, that was later published on the internet. 

Additionally, the company wrote, "Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident.”

Freedom Finance's customer data got leaked after employee fell for phishing attack

Broker Freedom Finance admitted the fact of hacking its internal network and stealing data leaks about 16,000 clients of the company for 2018. The founder and CEO of the company Timur Turlov announced this on Instagram.

He called the incident "an extremely unpleasant and shameful incident in information security", which occurred on December 24, and admitted: "We screwed up."

According to him, one employee of the company received a phishing email, which he opened and ran on the local machine despite the security warning. "And then all the weak points of our security were revealed," said Turlov.

“Cyber ransomware attacked a segment of our internal network and stole some data from the local machines of a number of employees in Russia. These are machines belonging to the employees of a Russian broker that provides access to the Russian stock market and almost the entire data packet is dated 2018,” wrote Turlov on his Instagram.

Almost no customers who opened accounts in the United States were affected. The broker's international clients were not affected either.

He assured that hackers did not get access to CRM, back-office reports, trading platform data, and also did not get customer passwords.

Turlov promised that the company will contact affected customers as soon as possible, tell them what documents have been made publicly available, and advise on how to minimize risks.

"Of course, now we have completely cleaned out the network and all local machines, have already rebuilt it, and are convinced that data is no longer leaking," assured he.

Turlov believes that the system was hacked to blackmail the company with media publicity and extort money.

"The company has decided to admit its mistake and not cooperate with criminals," said Turlov.

On November 24, Ashot Hovhannisyan, the founder of the Data Leakage & Breach Intelligence (DLBI) service, announced the appearance of Freedom Finance's customer data.

Sensitive Data of 7 Million Indian Cardholders Circulating On Dark Web


There is a rapid increase in the number of data breaches last year, jumping by 17%, which has become an increasingly serious issue. Recently, sensitive data of 7 million debit and credit cardholders has been circulating on the dark web.

The 2GB database included names, contact numbers, email addresses, Permanent Account Number, income details, and employers' firm.

As per the screenshots of the leaked data, the details were found on a public Google Drive document discovered by Rajshekhar Rajaharia, an Internet cybersecurity researcher who informed Inc42, warning that as the private data pertains to the finances, it is highly valuable and can potentially be used by malicious actors to develop phishing attacks.

The database that also included the PAN numbers of around 5 lakh users, relates to the time period between 2010 and 2019 which could be of extreme significance to cybercriminals and scammers, per se. Although the card numbers were not available in the database, Rajaharia managed to verify the details for certain users including himself. He matched the LinkedIn profiles of the names mentioned in the list, and it proved to be accurate.

In a conversation with Suriya Prakash, Sr Security Researcher Cyber Security and Privacy Foundation Pte Ltd, Ehacking News attempted to understand the source of the breach: He said, "These usually don't originate at the bank level as they have secure environments. Regulators and banks often misunderstand this and spend crores securing infrastructure."

"The main source of data breaches are usually due to bank employees using their official emails to create accounts in third-party sites (social media etc). When these third parties get breached its causes issues for the bank. This can be simply avoided by putting in the SOP that employees should not use their official emails for other services, any usage should get written permission from the admin team. If this is strictly enforced majority of data breaches can be avoided."

"Also websites that collect payments like e-commerce sites should be brought user RBI regulations as they too might be causes of the breach," he concluded.

The scale of data leaks of patients with coronavirus in Russia has become known


More than a third of all cases of leaks of personal data of patients with coronavirus, as well as suspected cases, occurred in Russia.

According to InfoWatch, in just the first half of 2020, there were 72 cases of personal data leakage related to coronavirus infection, of which 25 were in the Russian Federation. Leaks in Russia were caused by employees of hospitals, airports, and other organizations with access to information resources. In general, for this reason, 75% of leaks occurred in the world, another 25% were due to hacker attacks.

The company clarified that in 64% of cases worldwide, personal data associated with coronavirus was compromised in the form of lists. Patient lists were photographed and distributed via messengers or social media groups. Some leaks were due to the accidental sending of data by managers to the wrong email addresses.

According to InfoWatch, 96% of cases on the territory of the Russian Federation are leaks of lists, and 4% are leaks of databases.  In all cases, data leaks occurred due to willful violations. InfoWatch stressed that the disclosure of such data often led to a negative attitude towards coronavirus patients from the society.

The Russian Federal Headquarters for coronavirus declined to comment.  Moreover, the press service of the Moscow Department of Information Technology reported that since the beginning of 2020, there have been no leaks of personal data from the information systems of the Moscow government.

In Russia, there are no adequate penalties for organizations in which personal data leaks occurred, said Igor Bederov, CEO of Internet search. In addition, there is still no understanding of the need to protect personal data in electronic systems. There are not enough qualified specialists in this industry. As a result, network cloud storage used by companies, including for processing personal data, is poorly protected.

Orange Confirms Ransomware Attack Compromising Data of 20 Enterprise Customers


Orange, the fourth-largest mobile operator in Europe has confirmed that it fell prey to a ransomware attack wherein hackers accessed the data of 20 enterprise customers. The attack targeted the 'Orange Business Services' division and was said to have taken place on the night of 4th July and was continued into the next day, ie., 5th July.

Orange is a France based multinational telecommunications corporation having 266 million customers worldwide and a total of 1,48,000 employees. It is a leading provider of global IT and telecommunications services to residential, professional, and large business clients. It includes fixed-line telephone, mobile communications, Internet and wireless applications, data transmission, broadcasting services, and leased line, etc.

The attack was brought to light by Nefilim Ransomware who announced on their data leak site that they acquired access to Orange's data through their business solutions division.

In a conversation with Bleeping Computer, the company said, "Orange teams were immediately mobilized to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems." Orange further told that the attack that occurred on the night of 4th July affected an internal IT platform known as, "Le Forfait Informatique", it was hosting data belonging to 20 SME customers that were breached by attackers, however, there were no traces of any other internal server being affected as a result of the attack. Giving insights, Tarik Saleh, a senior security engineer at DomainTools, said, "Orange certainly followed best practices by promptly disclosing the breach to its business customers, who will need to take all the possible precautions to make their data unusable in future attacks: changing the password of their accounts and looking out for potential phishing or spear-phishing emails."

While commenting on the security incident, Javvad Malik, Security Awareness Advocate at KnowBe4, said that in these times, it is essential, "that organizations put in place controls to prevent the attack from being successful, as even if they have backups from which they can restore, this won't bring back data that has been stolen."

"As part of this, organizations should implement a layered defensive strategy, in particular against credential stuffing, exploitation of unpatched systems, and phishing emails which are the main source of ransomware. This includes having technical controls, the right procedures, and ensuring staff has relevant and timely security awareness and training," he further added.

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location


A messaging platform for Android, Welcome Chat spies upon its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it to be available on the Google Play store, meanwhile, marketing it to be a secure platform for exchanging messages which however is not true by any means.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure communication Android solution, however, security researchers from ESET discovered the app being associated to a malicious operation having links to a Windows Trojan called 'BadPatch' which was employed by Gaza Hackers in a malicious campaign – a long-running cyber espionage campaign in the Middle-East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly as a chatting platform as well.

After downloading the app, users need to give permission for allowing installation from unknown sources as the app was not installed via the official app store. Once the Welcome Chat is activated, it asks permission to access the user's contacts, files, SMS, location details, and record audio. Although the list of permissions gets pretty exhaustive for a user to not doubt it, then again they are used to it, especially in case of a messaging platform.

As soon as the app receives all the permissions, it starts mining the victim's data which includes phone recordings, location details, SMS messages and sends it to the cybercriminals behind the malicious operation.

While giving insights about the app, Lukáš Štefanko, researcher at ESET, told, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

Devicelock: data from 115 thousand Russians was put up for sale on the Web


A database with the data of Russians stuck abroad because of the coronavirus and returning to their homeland was put up for sale, its authenticity has not been confirmed, said Ashot Hovhannisyan, Technical Director of DeviceLock.

According to him, the first announcement of the sale appeared in late April. The seller asked for 240 thousand dollars for the database and claimed that it contained 79.6 thousand lines.

The seller did not provide any evidence that this database exists and it is authentic, and a few days later removed the advertisement.

In June, a similar offer appeared from another seller, who claims that the database is relevant for the current month and it has about 115 thousand lines. The data was estimated at 66.6 bitcoins (about 627 thousand dollars).

"Based on the samples provided by the seller, we can say that the database contains 58 columns, including full name, date of birth, passport data, address, phone number, e-mail, date of entry and exit from Russia, date of application on the public services portal, as well as Bank card and account data, passport data and country of location," said Hovhannisyan.

He explained that, most likely, the database was copied when it was transferring from one Department to another via electronic communication channels.

Expert added that it is also likely that this is a fake, since the seller put an unusually high price and did not confirm the authenticity of the data, except for screenshots with 34 lines.

The expert warned that if the database exists, victims may receive phishing emails about allegedly accrued compensation and receive calls from fraudsters asking them to name the code from the Internet Bank.

According to Hovhannisyan, the seller writes that he uses the database for carding, purchasing App Store & iTunes Gift Card gift certificates with the existing card details, which he then sells.

Maze Ransomware Operators Leaked 2GB of Financial Data from Bank of Costa Rica (BCR)


Bank of Costa Rica (BCR) has been receiving threats from the threat actors behind Maze ransomware who have stolen credit card details from the bank, the ransomware gang started publishing the encrypted financial details this week.

The Banco de Costa Rica is one of the strongest state-owned commercial banks operated in Costa Rica, starting from humble origins of mainly being a private commercial bank, it expanded to become a currency issuer and one of the most renowned baking firms in Central America contributing largely in the financial development of the nation.

The hacker group behind the data leak have demanded a ransom from Banco de Costa Rica at various occasions, however, to their dismay they observed a lack of seriousness in the way the bank dealt with these previous leaks and it served as a primary reason that motivated the latest data leak, according to an interview with Maze ransomware operators.

As per the claims made by the attackers, Banco de Costa Rica's network remained insecure till February 2020; it was in August 2019 when they first compromised the bank's network and the second attempt was made in the month of February 2020 to see how the security has been improvised – if at all so.

The 2GB of data published by the Maze ransomware attackers on their leak site contains the details of at least 50 Mastercards and Visa credit cards or debit cards, a few being listed more than once.

As per the statements given by Brett Callow, a threat analyst with Emsisoft to ISMG, "Like other groups, Maze now weaponizes the data it steals,"

"The information is no longer simply published online; it's used to harm companies' reputations and attack their business partners and customers."

"The Maze group is a for-profit criminal enterprise who are out to make a buck," Callow says. "The credit card information has been posted for one of two reasons: Either to pressure BCR into paying and/or to demonstrate the consequences of non-compliance to their future victims," Callow further told.