Search This Blog

Showing posts with label User Privacy. Show all posts

Lubbock County Denies Data Leak, Says Data Temporarily Attainable Under New Software System

 

Earlier this month, the personal court records for residents of Lubbock County, located in the US state of Texas, were exposed when the county transitioned to a new computer software system. The exposed data contained non-disclosure orders, criminal cases, and civil and family law records. 

According to the county’s official website, Lubbock County Defense Lawyers Association and county officials are not on the same page concerning how to define the incident.

In a news release from the County, Judge Curtis Parrish said: “On Tuesday, September 14, 2021, Lubbock County Information and Technology Department became aware that certain court records that were previously unavailable for review by the public had become viewable under Lubbock County’s new software system. Some of these records include non-disclosure orders, criminal cases, civil and family law records. This access portal has now been blocked temporarily until we can identify which court records maybe [sic] accessed by the parties, attorneys, and the general public.

This was not a data breach [sic], or an issue where the computer system was compromised. Lubbock County will continue to review policies concerning all court records, in our effort to make these documents accessible to the attorneys and the public.” 

However, an earlier release by the Lubbock County Defense Lawyers Association characterized the incident as a data breach. The association said it became aware of the situation on September 10. 

“This data includes information on individuals who have had criminal cases expunged or non-disclosure orders signed in their criminal case. This breach affected cases at all levels and in all courts in Lubbock County. Some individuals’ data have been removed from the public access system, while other individuals’ data are still available,” said Lubbock County Defense Lawyers Association in their news release. 

The attacks on local governments is a growing concern for law enforcement agencies and government officials. Due to their shoestring budget, local governments rarely have dedicated security experts and that leaves a huge hole in their security. In March 2021, a report from consumer tech information site Comparitech revealed that American government organizations suffered a loss of $18.88 billion due to cyber-attacks. 

Over the past three years, 246 ransomware attacks struck U.S. government organizations. These attacks potentially affected over 173 million people and nearly cost $52.88 billion. The motive of most of these attacks was to halt processes, interrupt services and cause disruption, not to steal data, according to the report.

Republican Governors Association Targeted in Microsoft Exchange Server Attacks

 

The Republican Governors Association was one of many U.S. organizations attacked in March when a nation-state group exploited vulnerabilities in Microsoft Exchange email servers, according to a breach notification letter filed with the Maine attorney general's office this week.  

For companies worldwide, the situation became a cause of concern; nearly 500 persons linked with the RGA's personal information might have been exposed due to the assault. According to the organization's attorney, personal information includes social security numbers. 

The RGA was notified of the breach on March 10, eight days after Microsoft made the campaign public. At this time, it's highly uncertain who is to blame for the breach and what happened to the data compromised. 

Microsoft exchange server attack’s fallout: 

This incident is the latest fallout to arise from the massive breach of the Microsoft Exchange Server earlier this year. The breach was connected to hacker organizations supported by the Chinese government. A computer exploit made the vulnerabilities public, allowing opportunistic fraudsters to launch a large-scale attack. 

According to the RGA, on February 28, hackers hacked into “a small portion of [its] email work environment". It went on to say that it only discovered the hacking campaign on March 10, eight days after Microsoft made a public announcement about it. 

The RGA's spokesman declined to elaborate on specifics of the breach, such as about the offenders and the damage. It further said it was “unable to determine what personal information, if any, was impacted as a result of the incident.”

The US skeptical of China's role in the Microsoft hack

After the cyberattack, the RGA stated it upgraded its Microsoft software. China was blamed by the US government for its participation in the Microsoft Exchange attack in July. As a response, the United Kingdom and the European Union-backed the United States' condemnation of China. 

Four Chinese nationals were also charged with criminal charges by the US Department of Justice. 

As per security experts, tens of thousands of US state and local companies were using vulnerable software at the height of the Exchange Server attack. However, many companies were able to safeguard themselves by installing a software update. 

The US National Security Council has gathered numerous times since the event, urging corporations to amp up their cyber defenses. Businesses in countries other than the United States were also affected by the attack. This includes Europe, where the European Union's financial authority, the Norwegian parliament, and two German government bodies have all been attacked. 

In accordance with the country's cybersecurity body, it also affected a considerable number of companies in Australia.

Precautionary Measures: 

The Republican Governors Association states that since the assault was identified in March, it has implemented the Microsoft updates for the vulnerable versions of its on-premises Exchange server. According to the letter, law enforcement and other organizations have also been alerted. 

The credit monitoring services are also being given to the approximately 500 persons impacted by the assault. 

"Out of an abundance of caution, RGA is also offering you two years of complimentary credit monitoring and identity restoration services with Experian." 

"RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required."

Massachusetts is Investigating the Massive T-Mobile Data Breach

 

On Tuesday, Massachusetts Attorney General Maura Healey announced that she will look into the cyberattack on T-Mobile US Inc (TMUS.O), which compromised the personally identifiable information of over 53 million people.

After the third-largest U.S. cellphone carrier reported the hack on Aug. 16, Attorney General Maura Healey announced the investigation. 

The breach exposed names, birthdays, social security numbers, driver's licence information, PIN numbers, and other personal information of an estimated 13.1 million current and 40 million past, and potential T-Mobile users.

It was one of many cyberattacks in recent years that impacted banks, gas pipelines, and hospitals, among other businesses. 

Healey aims to examine whether the Bellevue, Washington-based corporation has sufficient measures in place to secure consumer information and mobile devices. Last month, the Federal Communications Commission in the United States launched an investigation into the matter. 

According to court records, consumers and other private plaintiffs have filed at least 23 lawsuits against T-Mobile as a result of the data leak. 

About the security breach

On August 16, T-Mobile US Inc (TMUS.O) admitted a data breach but said it has yet to determine if any customer information had been compromised, a day after an online forum claimed that the personal data of over 100 million of its users had been compromised. 

In a blog post, the telecom provider stated that it was certain that the entry point used to obtain the data had been shut down. It did not disclose the number of accounts impacted. 

"We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement," the company stated. 

According to a report in Vice's Motherboard, the forum post does not specify T-Mobile but the attacker informed Vice that they acquired data on over 100 million individuals from T-Mobile servers. 

Following the news, T-stock Mobile's share dropped 2.8 percent in afternoon trade.

School Childrens' Personal Information on Dark Web: Potential Identity Theft

 

NBC News, an American broadcaster has published a report on the data theft of millions of school children and how it can set up a child for a lifetime of potential identity theft. The data includes medical condition, family financial status, Social Security numbers, and birth dates of school children.

According to the NBC report, threat actors posted the excel sheet titled “Basic student information”, maintained by one of the schools on the dark web after they refused to pay the ransom, as instructed by the FBI.

 “It lists students by name and includes entries for their date of birth, race, Social Security number, and gender, as well as whether they’re an immigrant, homeless, marked as economically disadvantaged, and if they’ve been flagged as potentially dyslexic,” states the NBC report. 

When NBC News contacted some of the targeted schools regarding the data leak, they were unaware of the problem. “I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed. And I don’t think people have a good handle on how large that exposure is,” said Doug Levin, the director of the K12 Security Information Exchange, a nonprofit organization devoted to helping schools protect against cyberthreats. 

Worsening Situation 

The recent surge in ransomware attacks has aggravated the problem, as those hackers often release victims’ files on their websites if they refuse to pay the ransom. While the average person may not know where to find such sites, criminal hackers can find them easily. In 2021 only, hackers released data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft. 

The situation is complicated by the fact that many schools are unaware of all the information that’s stored on all their computers, and therefore do not realize the extent of what hackers have stolen. When the Dallas-area Lancaster Independent School District was targeted in a ransomware attack in June, it notified parents but told them the school’s investigation “has not confirmed that there has been any impact to employee or student information,” Kimberly Simpson, the district’s chief of communications, said in an email. 

But the NBC News’ investigation uncovered the truth when it discovered the audit from 2018 that listed more than 6,000 students, organized by grade and school, as qualifying for free or reduced-price meals. When contacted for comment on the audit, Simpson did not respond. 

Another tactic employed by the attackers is to target a third party that holds students’ data. In May 2021, attackers published files they had stolen from the Apollo Career Center, a northwestern Ohio vocational school that was in the collaboration with 11 regional high schools. The leaked data included hundreds of high schoolers’ report cards from the last school year, all of which are currently visible on the dark web.

“We are aware of the incident and are investigating it. We are in the process of providing notifications to the students and other individuals whose information was involved and will complete the notifications as soon as possible,” Allison Overholt, a spokesperson for Apollo, said in an email. 

 Taking action 

American parents are quickly releasing that addressing these problems may fall to them. Due to the poor knowledge regarding the data stored on their computers, schools may not even know if they have been hacked or if those hackers have released students’ information on the dark web. Federal and state laws for student information often do not issue clear guidance for what to do if a school is hacked, Levin said. 

Eva Velasquez, the president of the nonprofit Identity Theft Resource Center, which helps victims of data theft, is advising parents to freeze their children’s credit to keep them safe from identity theft. “We should for all intents and purposes believe that for the most part, all of our data’s been compromised. We’ve been dealing with data breaches since 2005, and they are absolutely ubiquitous, and just because you didn’t receive a notice doesn’t mean it didn’t happen,” Velasquez said.

Freezing a child’s credit can often be time-consuming, and doing it effectively requires completing the process with all three major credit monitoring services, Experian, Equifax, and TransUnion. But it has become an essential step for digital safety, Velasquez said. 

“We encourage parents to freeze children’s’ credit. From an identity theft perspective, that is one of the most robust, proactive steps that a consumer can take to minimize the risk. And it applies to kids, and it’s free,” she concluded.

UN Computer Networks Breached by Hackers Earlier This Year

 

Hackers breached the United Nations' computer network and stole data, according to researchers at cybersecurity firm Resecurity, 

According to Bloomberg, the theft's unknown perpetrators appear to have acquired access by simply stealing login credentials from a UN employee. 

Logging into the employee's Umoja account provided access. The enterprise resource planning system Umoja, which means "unity" in Kiswahili, was deployed by the United Nations in 2015. The login and password used in the cyber-attack are believed to have been obtained from the dark web. 

Gene Yoo, chief executive officer at Resecurity, stated, “Organizations like the UN are a high-value target for cyber-espionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.” 

Researchers discovered that hackers initially gained access to the UN's networks on April 5, 2021, and that network breaches lasted until August 7. Based on the findings, the attackers did not seem to have harmed or disrupted the UN's computer network. Instead, the hackers seem to have been motivated by a desire to gather information. 

After reporting the security issue to the UN, Resecurity stated it worked with the UN's security team to evaluate the extent of the intrusion. While the UN claims that the assault was a reconnaissance operation by hackers who just captured screenshots of the organization's vulnerable network. The breach resulted in the theft of data, as per the Resecurity experts. 

The UN discontinued interacting with Resecurity, according to Yoo, when proof of data theft was provided to the organization. 

Hackers have previously attacked the United Nations and its agencies. In 2018, Dutch and British law enforcement prevented a Russian cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the deployment of a lethal nerve agent on British territory. 

According to a Forbes article, the UN's "core infrastructure" was hacked in a cyberattack in August 2019 that targeted a known flaw in Microsoft's SharePoint platform. The breach was not made public until the New Humanitarian newsgroup published the news. 

In the context of the latest breach, UN spokesman Farhan Haq told DailyMail.com, “This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” 

“At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.” 

Haq added that the United Nations is often targeted by cyber-attacks, including sustained campaigns.

McDonald’s Password for the Monopoly VIP Database Leaked

 

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID -19 pandemic. This year, on August 25th, McDonald's reintroduced the game. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game encountered a roadblock over the weekend when a bug resulted in prize redemption emails sent to prize winners, including the user names and passwords for the production and staging database servers. 

Troy Hunt released an unredacted screenshot of an exception fault in an email issued to prize winners with BleepingComputer, which includes critical information for the online application. 

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these files may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards. 

Luckily for McDonald's, the individual appropriately reported the problem to them. While they did not receive a reply but later discovered that the staging server's password had been changed. 

Though this was not a unique incident, as several people claimed to have seen the credentials and even went so far as to record their experience on TikTok. 

McDonald's notified BleepingComputer that just the staging server's credentials were compromised, while the error clearly stated that the credentials of both a production and staging server were leaked.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”

Irish Regulator Fines WhatsApp $266 Million for Breaching EU Privacy Regulations

 

Facebook-owned WhatsApp has been directed to pay a 225 million euros ($266 million) fine for violating the EU’s General Data Protection Regulation after it failed to notify the users and non-users on what it does with their personal data. 

The penalty was handed down by the Irish Data Protection Commission (DPC), the leading data privacy regulator for Facebook within the European Union, following an investigation started in December 2018 after the DPC received multiple complaints from "individual data subjects" (both users and non-users) regarding WhatsApp data processing activities.

"We examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies," DPC said.

In addition to the fine, the 266-page decision by the DPC directs WhatsApp to bring its processing into compliance by taking eight remedial actions within the next three months. One of WhatsApp's Spokesperson stated the penalty and said that the company provided detailed information to the users. The fine imposed by DPC is "out of step with previous GDPR-related fines" levied against other technology giants. 

"We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate," said the spokesperson. 

The DPC says it discovered that WhatsApp's practices violated four specific parts of GDPR: 

• Article 5, covering principles relating to the  processing of personal data; 

• Article 13, covering information to be provided when personal data gets collected from a data subject;

• Article 14, covering information to be provided when personal data has not been obtained from a data subject; 

• Article 15, which concerns a data subject's right to access their personal data from a controller. 

The fine imposed on WhatsApp is the second-highest fine ever issued so far under GDPR, outranked only by an $885 million fine against Amazon, according to Jonathan Armstrong, a compliance and technology lawyer with London-based law firm Cordery. 

According to Ireland's Data Protection Commission, it initially proposed a penalty in the range of 30 million euros to 50 million. But the European Data Protection Board reviewed the WhatsApp case and on July 28 issued a binding decision instructing the DPC to reassess and increase its proposed fine. The DPC says that based on the board's instructions, it increased the fine to 225 million euros. 

"An eye-catching aspect of that process was the increase in the size of the fine from a range of 30 million to 50 million euros first proposed by the DPC. The fine highlights the importance of compliance with the GDPR's rules on transparency in the context of users, non-users, and data sharing between group entities," says John Magee, who heads law firm DLA Piper's privacy, data protection, and security practice in Ireland.

Surge in Sextortion Attacks Cost Targeted Users $8 This Year

 

The FBI IC3 (Internet Crime Complaint Center) raised an alert about a great surge in sextortion complaints since January 2021, which has led to a total financial loss of around $8 Million till July. FBI got over 16000 complaints of sextortion until July, most of them coming from the age group of 20-39. "Victims over 60 years comprised the third largest reporting age group, while victims under the age of 20 reported the fewest number of complaints," says FBI. Sextortion happens when potential victims are blackmailed by criminals in person or through dating sites, emails, and online chats that may expose sensitive or private photos/videos if the victims fail to pay the ransom. 

Started with an email scam, the Sextortion incident came to light in July 2018, when criminals started mailing victims threatening that they had proof of them surfing adult sites (which include victim passwords exposed through data leaks) to get credibility. Email sextortion campaign scammers also distributed various malware strains that range from ransomware to data-stealing trojans. As per the majority of the victims, the initial contact with the criminal is mutual as it is made via dating apps and websites. After the interaction, the criminal then requests the target to connect on some other platform for conversation. 

According to the FBI, "the fraudster instigates the exchange of sexually explicit material and then encourages the victim to participate via video chat or send their own explicit photos. Immediately after the victim complies, the fraudster blackmails the victim and demands money to prevent the release of the photos or videos on social media." The victims have it even worse, as the criminal may also get access to the target's social media account or contact no. They threaten the victims to leak sensitive images which the criminals possess and show them to the victim's friends and family. 

If any user ends up as a victim in such situations, they are advised to immediately stop all contact with the criminal, they should immediately report the incident to authorities and register a complaint at FBI IC3 as soon as the sextortion incident happens. To be safe from such incidents FBI suggests: 

•NEVER send compromising images of yourself to anyone, no matter who they areâ or who they say they are. 

•Do not open attachments from people you do not know. Links can secretly hack your electronic devices using malware to gain access to your private data, photos, and contacts, or control your web camera and microphone without your knowledge. 

•Turn off your electronic devices and web cameras when not in use.

Beaumont Health: The Latest Victim of Accellion Breach

 

Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Application (FTA), compromising the data of millions of patients. 

Approximately 1500 patients have been alerted by Beaumont Health that their personal information may have been compromised as a result of the December cyberattack on Accellion software. Beaumont hired Goodwin Procter LLP to offer legal services, and the firm used Accellion's File Transfer software to make massive transfers on behalf of its customers. 

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” mentioned in a statement issued on August 27 by Beaumont Health. 

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of breaches escalates, Accellion is experiencing over a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to companies about the Accellion hack. 

Clop ransomware took responsibility for the assault and abused four previously unknown vulnerabilities. Some of the ransomware group's most recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan. 

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

During a major extortion attempt, the Clop ransomware published stolen data online, and some of the affected companies got emails from the intruders attempting to intensify extortion attempts. The number of victims continues to rise months after the initial attack.

Autodesk Disclosed it was Targeted in SolarWinds Hack

 

Autodesk has disclosed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain assault, nearly nine months after finding that one of its servers had been compromised with Sunburst malware. 

It is an American multinational software corporation that makes software products and services for the architecture, engineering, construction, manufacturing, media, education, and entertainment industries. 

In a recent 10-Q SEC filing, Autodesk stated, "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents." 

"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations." 

While the company went on to state that there was no additional damage to its systems, the company's announcement of the breach in its most recent quarterly results serves as a reminder to the world of how widespread the SolarWinds supply chain breach was. 

An Autodesk spokesperson told BleepingComputer that the attackers did not deploy any other malware besides the Sunburst backdoor, likely because it was not selected for second stage exploitation or the threat actors didn't act quickly enough before they were detected. 

The spokesperson stated, "Autodesk identified a compromised SolarWinds server on December 13. Soon after, the server was isolated, logs were collected for forensic analysis, and the software patch was applied. Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software installation." 

One of 18000 tech firms targeted in a large-scale cyber attack

SolarWinds' infrastructure was hacked as a result of a supply-chain assault conducted by the Russian Foreign Intelligence Service's hacking division (aka APT29, The Dukes, or Cozy Bear). 

The attackers trojanized the Orion Software Platform source code and build issued between March 2020 and June 2020 after obtaining access to the company's internal systems. These malicious builds were then used to deploy the Sunburst backdoor to around 18,000 clients, but fortunately, the threat actors only chose a small number of people for second-stage exploitation. 

Before the assault was revealed, SolarWinds stated to have 300,000 clients globally, including over 425 US Fortune 500 firms and all top 10 US telecom corporations. 

A long list of government agencies was also among the company's clients (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States). 

The US Department of Justice was the latest US official agency to reveal that during last year's SolarWinds global hacking spree, 27 US Attorneys' offices were compromised. 

Although Autodesk was not the only big corporation attacked in the SolarWinds breach, other companies such as Cisco, VMware, Intel, and Nvidia revealed similar issues in December.  

T-Mobile CEO Apologizes for Hack of More Than 54 Million Users Data

 

Mike Sievert, CEO of T-Mobile, is in a spot of bother after a major data breach of the carrier’s servers. In a statement issued last week, he apologized for a data breach but also tried to paint a rosy picture of the data breach by claiming no financial details were stolen but confirmed that millions of social security numbers were compromised.

The attack on the carrier’s servers impacted more than 54 million current, former and prospective users. Leaked data included social security numbers, names, contact numbers, driver’s license information, IMEI and IMSI information, and addresses for some, but not financial details. Meanwhile, device identifiers and PINs were obtained for certain accounts. 

“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. In short, this individual’s intent was to break in and steal data, and they succeeded,” Seivert stated. 

Hacker John Binns, a US citizen living in Turkey, has taken credit for the attack, calling the carrier's security practices "awful." Binns has reportedly been scanning T-Mobile's systems for vulnerabilities since last summer, and finally discovered a vulnerable internet-exposed router in July, which provided access to T-Mobile servers in a data center near East Wenatchee, Washington state. He claimed it took him roughly a week to breach the servers storing customer data. 

The hacker said he targeted T-Mobile servers to grab the attention of the world. Last year, he filed a lawsuit against several US government agencies including the CIA and FBI, claiming that he had been blackmailed, surveilled, and tortured. 

T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger. 

T-Mobile has previously disclosed a number of data breaches over the past years, and it doesn’t seem to have learned from those incidents, something that has been mentioned in the lawsuits filed against the carrier as a result of the latest breach.

Sievert said the company has collaborated with cybersecurity firms Mandiant and KPMG LLG to strengthen security. He also apologized to the affected users for the data breach and announced that the company will offer impacted individuals two years of free identity protection services as promised to take steps to prevent these types of incidents in the future.

Chinese Android Game Developer Exposes Data of Over 1 Million Gamers

 

The Chinese developers of famous Android gaming applications exposed user information via an unprotected server. As per the report shared by vpnMentor's cybersecurity team, headed by Noam Rotem and Ran Locar, identified EskyFun as the owner of a 134GB server exposed and made public online.

Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M are among the Android games developed by EskyFun. 

According to the team on Thursday, the users of the following games were included in the data leak and altogether they have over 1.6 million downloads combined: 
-Rainbow Story: Fantasy MMORPG
-Metamorph M
-Dynasty Heroes: Legends of Samkok u 

According to the researchers, the supposed 365,630,387 records included data from June 2021 onwards, exposing user data gathered on a seven-day rolling basis. 

As per the team, when their software is downloaded and installed, the developers impose aggressive and highly troubling monitoring, analytics, and permissions settings, and as a consequence, the variety of data gathered was considerably more than one would imagine mobile games to need. 

The records constituted IP and IMEI data, device information, phone numbers, the operating system in use, mobile device event logs, whether or not a smartphone was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords, and support requests. 

vpnMentor estimates that up to or more than, one million users' information may have been compromised. 

On July 5, the unprotected server was detected, and EskyFun was approached two days later. However, after receiving no answer, vpnMentor tried again on July 27. 

Due to the continued inaction, the team was forced to contact Hong Kong CERT, and the server was safeguarded on July 28. 

The researchers commented, "Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users. Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

38 Million Records Exposed Due to Microsoft Misconfiguration

 

According to experts, some 38 million records from over a thousand web apps that use Microsoft's Power Apps portals platform were left accessible online. Data from COVID-19 contact tracing operations, vaccine registrations, and employee databases, including home addresses, phone numbers, social security numbers, and vaccination status, is believed to have been included in the records. 

Major corporations and organizations were impacted by the incident, including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. While the data breaches have already been fixed, they demonstrate how a single incorrect configuration setting in a widely used platform can have far-reaching repercussions.  

Customers can use the Power Apps services to easily create their own web and mobile apps. It provides developers with application programming interfaces (APIs) to use with the data they collect. Upguard discovered, however, that accessing those APIs makes data received through Power Apps Portals public by default, necessitating manual reconfiguration to keep the information private. 

In May, researchers from the security firm Upguard began investigating the problem. They discovered that data from several Power Apps portals, which was intended to be secret, was accessible to anyone who knew where to look. According to Upguard, on June 24th, it provided a vulnerability report to the Microsoft Security Resource Center, which included links to Power Apps portal accounts with sensitive data exposed and methods to discover APIs that allowed anonymous data access. 

“The number of accounts exposing sensitive information, however, indicates that the risk of this feature– the likelihood and impact of its misconfiguration– has not been adequately appreciated,” the researchers wrote in the report. “Multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before.” 

 On Monday, a Microsoft representative defended the product's security, noting that the firm worked directly with affected users to ensure that their data remained private and that consumers were notified if their data was made publicly available. “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs," a Microsoft spokesperson said in a statement.

Database of 70 Million AT&T Users Being Sold on a Hacker Forum

 

The same threat actor is selling 70 million AT&T customers' records just days after the T-Mobile data leak. The data leak claim was refuted by the mobile service provider, who stated that the data did not emanate from any of their systems. ShinyHunters, the same threat actors that just days ago sold T-Mobile subscribers' data, is now selling 70 million records reportedly belonging to another mobile service provider – AT&T. AT&T consumers' full names, social security numbers, email addresses, and dates of birth are among the data for sale. 

ShinyHunters is a well-known organisation that has been linked to a number of high-profile data breaches. Mashable, 123RF, Minted, Couchsurfing, Animal Jam, and other companies have been targeted, according to HackRead. 

The revelation was first reported by Restore Privacy. According to them, the hacker is seeking $1 million for the full database (direct sell) and has given them exclusive information for this report.

"In the original post that we discovered on a hacker forum, the user posted a small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," said Restore Privacy. "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid." 

AT&T denied that the data had been leaked, claiming that it was either forged or obtained through other sources. “Based on our investigation today, information that appeared in an internet chat room does not appear to have come from our systems,” MarketWatch quoted the cell phone carrier. 

 AT&T has previously experienced a data breach. For an insider breach in 2015, the company agreed to pay a $25 million fine. In fact, a threat actor was looking to hire a T-Mobile and/or AT&T employee in May, presumably to assist them in staging an insider attack on their employer. 

T-Mobile was notified late last week about accusations in an online forum that a threat actor had compromised T-Mobile systems. The company announced that it had discovered and shut down the access point that might have been utilised to obtain unauthorised access to the company's servers.

Confidential Terrorist Watchlist With 1.9Mn Records Exposed Online

 

Cyber security researcher Bob Diachenko has unearthed an unsecured ElasticSearch server containing nearly two million terrorist watchlist records, including "no-fly" list indicators, which were left exposed for a period of three weeks between July 19th and August 09th. 

Earlier this week, Diachenko posted a message and said, “On July 19, I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it." The unprotected server had a Bahrain IP address but it remains unclear whether the server was owned by the US or any other country.

Diachenko immediately reported his discovery to the US Department of Homeland Security, but the records weren't taken down until August 09. The leaked records contained passport details, full name, dates of birth, citizenship, gender, TSC watchlist, country of issuance, and no-fly indicator. 

“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI, which maintains the country's no-fly list, a subset of the larger watchlist. A typical record in the list contains full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more,” he informed. 

No-fly list

The exposed data belongs to the people who are suspected as terrorists but have not necessarily been charged with any crime. "If it falls in wrong hands, this list could be used to oppress, harass or persecute people mentioned on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list," Diachenko said. 

Prior to 2015, the terrorist watchlist was completely confidential. Then the US government modified its policy and began privately informing US citizens who were added to the list, but foreigners still often can't find out whether they're on the no-fly list until they try to board a plane. 

Several media reports suggest that the US officials are recruiting informants in exchange for keeping their names off the no-fly list. Some past or present informants' identities could have been exposed. The Terrorist Screening Center (TSC) was set up by the US Federal Bureau of Investigation (FBI) in 2003.

The discovery of the exposed records comes just a month after the DHS, the Department of Justice, and other federal agencies -- launched a new website with the sole motive of combating the threat of ransomware.

T-Mobile Acknowledged Breach of 100 Million Customers

 

T-Mobile announced a data breach on Monday after a hacking organization claimed to have gotten records of 100 million T-Mobile customers in the United States and sold some of the information on the dark web. The US wireless carrier said it couldn't say how many users were affected, but that it has started a "deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed."

T-Mobile is the brand name for the mobile communications companies of Deutsche Telekom AG, a German telecommunications firm. In the Czech Republic (T-Mobile Czech Republic), the Netherlands (T-Mobile Netherlands), Poland (T-Mobile Polska), and the United States (T-Mobile US). 

T-Mobile initially stated that it was investigating the hacker group's claim, but eventually admitted that at least some data had been acquired by the hackers. "We have determined that unauthorized access to some T-Mobile data occurred, however, we have not yet determined that there is any personal customer data involved," a company statement said. "We are confident that the entry point used to gain access has been closed."

T-Mobile said it was conducting its own investigation into the incident with the help of digital forensic experts and was collaborating with law enforcement. According to media sources citing postings on dark web forums, the enormous breach allegedly includes sensitive personal information such as social security and driver's license numbers. 

Motherboard was given access to some of the data, and the publication confirmed that it contained correct information on T-Mobile subscribers. The seller told Motherboard that they had hacked into various T-Mobile servers. A subset of the data, containing around 30 million social security numbers and driver's licenses, is being sold on the forum for six bitcoin, while the rest is being sold privately. At current exchange rates, six bitcoins are worth about $280,000. 

The seller told Motherboard, “I think they already found out because we lost access to the backdoored servers.” He was referring to T-Mobile’s potential response to the breach. T-Mobile appears to have thrown them out of the hacked systems, according to the seller, but they had already downloaded the data locally. They stated, "It's backed up in multiple places." 

The firm has also stated that once the situation is more understood, it would “proactively communicate” with customers and stakeholders, but that the investigation will “take some time.”

Nearly 2 Million Records From Terrorist Watchlist Exposed Online

 

A terrorist watchlist comprising 1.9 million data remained open and unsecured on the internet for three weeks between July 19th and August 9th. The Terrorist Screening Center (TSC), a multi-agency centre run by the Federal Bureau of Investigation, is believed to have compiled the watchlist. The list was left accessible to the public on an Elasticsearch cluster with no password. 

In July this year, Security Discovery researcher Bob Diachenko discovered various JSON documents in an unsecured Elasticsearch cluster, which grabbed his interest. 

The 1.9 million-strong record set includes sensitive information about people, such as their names, nation citizenship, gender, date of birth, passport data, and no-fly status. 

Search engines Censys and ZoomEye listed the exposed server, implying Diachenko was not the only one who came across the list. Given the nature of the open data (e.g. passport details and "no-fly indicator"), the researcher informed BleepingComputer that it seemed to be a no-fly or similar terrorist watchlist. 

“The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed,” he added.

In addition, the researcher observed specific enigmatic fields like "tag," "nomination kind," and "selectee indication" that were not understandable. Diachenko told BleepingComputer, as per the nature of the data and the presence of a specific field entitled 'TSC ID," was the only reasonable conclusion implying that the record set's source may be the Terrorist Screening Center (TSC). 

Multiple federal agencies use the FBI's TSC to manage and exchange integrated information for counterterrorism reasons. The Terrorist Screening Database, often known as the "no-fly list," is a secret watchlist managed by the agency. 

Such databases are regarded as extremely sensitive, given the critical role they play in assisting national security and law enforcement activities. Terrorists or reasonable suspicions who represent a national security threat at the government's discretion are "nominated" for inclusion on the secret watchlist. 

The list is cited by airlines and multiple agencies, like the Department of State, Department of Defense, Transportation Security Administration (TSA), and Customs and Border Protection (CBP), to check the list in order to determine whether a passenger is allowed to fly, impermissible to the United States, or to examine their risk for various activities. 

The unsecured database was discovered on July 19th on a server with a Bahrain IP address and disclosed the data leak to the US Department of Homeland Security on the same day (DHS). 

"I discovered the exposed data on the same day and reported it to the DHS. The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it," writes Diachenko in his report. 

According to Diachenko, releasing such sensitive information might affect people whose data might be included on the list. 

“The terrorist watchlist is made up of people who are suspected of terrorism, but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” he alerted.

Cyber Firm: Ransomware Group Demanding $50M in Accenture Security Breach

 

The hacking group behind a ransomware attack on global solution provider powerhouse Accenture has demanded $50 million in ransom, as per the cybersecurity firm that saw the demand. 

According to a tweet from Cyble, a dark web and cybercrime monitoring company, the threat actor is seeking $50 million in return for more than 6 TB of data. 

On Thursday, Accenture responded it had no additional information to add to its statement, pointing CRN to a statement issued on Wednesday that claimed it had "contained the matter and isolated the affected servers" and that "there was no impact on Accenture's operations, or on our clients' systems." 

The hacking group apparently used LockBit ransomware to target Accenture, which is ranked No. 1 on CRN's Solution Provider 500 for 2021, in the attack revealed on Wednesday. 

As per Emsisoft, a cybersecurity firm located in New Zealand, LockBit is a ransomware strain that stops users from accessing infected devices until a ransom payment is completed. The incident arises after a ransomware assault on Kaseya in July, which involved a $70 million ransom demand to decrypt victim files. Kaseya later stated that it had acquired a decryptor for the REvil ransomware, but it had not paid the ransom. 

“At the end of the day, paying the ransom is never a good idea,” stated Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN. 

“The majority of folks that do end up paying the ransom don’t necessarily get all of their data back. And what you do get back, you can’t trust. There could be a payload there—a ticking time bomb—that will make it easier for the perpetrators to get in again.” 

He stated that ransomware groups targeting IT service companies such as Accenture is unsurprising. “The only surprise is that it took the bad guys this long to figure out that service providers are a pretty juicy target,” he added. 

According to Grosfield, the Accenture incident serves as a reminder of the proverb, "physician, heal thyself," which states that IT service providers must verify their own systems are safe to propose security solutions to their own clients. 

Accenture claims to have contained the assault, however, this is a questionable assertion. The firm confirmed the ransomware assault in an emailed response to a request for information from CRN but stated it had no impact on the organization. 

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture wrote. 

However, a CNBC reporter spoke on Wednesday that the hackers behind the Accenture attack uploaded over 2,000 files to the dark web, including PowerPoint presentations and case studies. 

On Wednesday, VX Underground, which claims to possess the Internet's largest collection of malware source code, tweeted a timer allegedly from the hacking group, indicating how the time until the attack on Accenture's data would begin. The timer's timer ultimately ran out. The LockBit ransomware gang published 2,384 files for a short period, according to VX-Underground, however, those files were unavailable due to Tor domain issues, most likely due to excessive traffic. 

The LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 p.m. ET Thursday, according to the group. 

The Accenture incident, according to Ron Bradley, vice president of third-party risk management firm Shared Assessments, is "a perfect example of the distinction between business resiliency and business continuity," he told Threatpost on Wednesday. 

“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.” 

According to Hitesh Sheth, president, and CEO of cybersecurity firm Vectra, all organizations should expect such assaults, but especially a global consultancy firm with many links. 

“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he informed Threatpost on Wednesday. “It’s too soon for an outside observer to assess the damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.” 

LockBit encrypts files with AES encryption and generally asks a high-five-figure ransom to decrypt the data. LockBit's procedures are mostly automated, allowing it to operate with little human monitoring once a victim has been hacked, according to Emsisoft. It may be used as the foundation for a ransomware-as-a-service business model, in which ransomware authors can utilize it in exchange for a share of the ransom payments.

Reindeer Leak Personal Data of 3,00,000 Users In A Breach

 

WizCase's cybersecurity group discovered a prominent breach impacting Reindeer, an American marketing company that previously worked with Tiffany & Co., Patròn Tequila, and other companies. Led by Ata Hakçil, the group revealed that the breach leaked customer names, DOB, email ids, phone numbers, address, etc. The cybersecurity experts found a misconfigured Amazing S3 bucket that belonged to Reindeer.

It contained around 50,000 files and a total of 32 GB of data. Reindeer is currently a defunct American advertising company. Being a defunct company, it owns the bucket, so researchers had to contact Amazon for information about the breach as it is the only source that could provide details about the attack. The team also informed US-Cert, in hopes that it would contact the previous company owner. The misconfigured S3 bucket contained data of around 3,00,000 customers of Reindeer clients. Patròn was the top client with the highest number of customer PII (Personal Identifiable Information) leaked, however, other Reindeer clients were also affected, such as Jack Wills, a UK clothing brand. It seems that it has become an easy task to misconfigure permission/access errors in cloud-based deployments. 

The companies that are set to work on cloud-based platforms should have a robust cybersecurity system that keeps an eye on such breaches and informs about any potential error in the cloud infrastructure. The leaked information contains details of around 3,60,009 customers and profit photos of 1400 users. PPI include customer names, address, DOB, e-mail ids, Facebook Ids, and hashed passwords. As per the experts, 35 countries' users were included in the breach, the top three being Canada, the US, and Britain, having around 2,80,000 affected users. 

"The leaked data dates from May 2007-February 2012. The public cloud brings a whole host of new issues to which organizations are still adapting. The case of the Reindeer breach raises serious questions about the shared responsibility model and certainly highlights the need for a layered defense. When it comes to PaaS services, like S3, organizations must implement network-based access controls and apply security policies to protect against sensitive data exfiltration,” said Valtix CEO Douglas Murray.

Despite Data Leak and Glitches, Foreigners able to Register on Vaccine Site

 

Thailand's new vaccination appointment registration website, expatvac.consular.go.th, has received mixed reviews since its launch. 

Many people reported that they had a variety of issues, and a few mentioned that they eventually received emails confirming their registration and upcoming appointments. Consequently, it resulted in a data breach.

The vaccination registration site went live at 11 a.m., and within minutes, users were complaining about crashes, glitches, and the fact that their personal information was accessible online. Screenshots of publicly accessible backdoors that disclosed the emails and personal information of over 20,000 applicants began to surface online, raising worries about safety and privacy. 

The data leak looks to have been rectified now. Many people reported that the system failed at the point where they typed their email address and the vaccination registration site started crashing or an error occurred prompting them to start over or refresh the page. When they did so, the system refused to accept their email address. The backend database recorded their information while the site went down, and as a result, the email address had already been used and was declined. 

Some others recommended that using the same email address they used for immigration was the workable option. Many people advised saving photos of the passport and visa, as well as any pertinent medical paperwork. People stated that they were able to attempt again and again despite the crashes, failures, and site outages, and eventually made it through the procedure. 

A user shared their confirmation email, stating the successful enrollment, and would receive another email later offering a vaccine appointment that must be confirmed within 24 hours. The message also stated that the site will schedule appointments for vaccination centers outside of the greater Bangkok area. 

The Ministry of Public Health will allocate a vaccination site in the region for people who live in areas other than Bangkok and neighboring provinces (Nakorn Pathom, Nonthaburi, Pathum Thani, Samut Prakan, and Samut Sakhon). The vaccine schedule will be defined by the Ministry of Public Health's priorities, which include age group, vulnerability, and high-risk zones, among other criteria. 

Despite several difficulties, officials appear to be working efficiently to fix concerns, and registrations appear to be proceeding. It is suggested that if foreigners find problems, they should keep attempting while the vaccination site opens and stabilizes.