The digital world is full of cyber threats that can affect any industry, and recent incidents have shown that even the most secure systems can be vulnerable. For example, Okta recently admitted to a security breach. Below you will also read about a sophisticated Magecart campaign that stole credit card details by hiding skimming code in ordinary webpages. The impact of these breaches can be seen across industries: five Canadian hospitals experienced disruptions in their services, and genetic testing company 23andMe had customer data compromised. Even businesses in the hospitality and retail sectors are not safe, as shown by the data breach at Marina Bay Sands and Casio’s apology to its users. October’s breaches emphasize the importance of taking swift action and being transparent. As companies navigate these challenges, it is crucial to strengthen cybersecurity measures and protect the integrity of customer data.
Okta
Okta has expressed regret to its customers for a recent security breach, emphasizing its dedication to maintaining transparent communication with them. On October 19, Okta notified its customers about a security breach that occurred between September 28 and October 17, wherein unauthorized access was gained to the support system affecting files related to 134 customers, which is under 1% of Okta’s customer base. HAR files containing session tokens were accessed, which led to session hijacking for 5 customers, with 3 customers openly discussing their experiences. The breach was enabled through the misuse of a service account within the customer support system. This service account had been inadvertently synced with an employee’s personal Google account, potentially through the compromise of the employee’s personal Google account or device.
Okta faced challenges in detecting the breach because files accessed directly, which is how the threat actor operated, generate different log events than files accessed through support cases. Upon receiving a suspicious IP address from BeyondTrust on October 13, Okta was able to trace and shut down the unauthorized access, revoke the stolen session tokens, and notify affected customers.
23andMe
23andMe, a genetic testing company, has reported unauthorized access to customer data. The incident did not result from a system breach, but from attackers who managed to guess user login details and subsequently scrape information from the “DNA Relatives” feature. This feature allows users to voluntarily share their genetic information to connect with relatives. A sample of the compromised data, affecting at least one million data points related to Ashkenazi Jewish ancestry and hundreds of thousands concerning individuals of Chinese descent, was put up for sale online. The available data includes personal identifiers and ancestry details, though not the raw genetic data.
The company has advised users to secure their accounts with strong, unique passwords and to enable two-factor authentication. They are still in the process of validating the leaked data, which includes profiles of public figures like Mark Zuckerberg, Elon Musk, and Sergey Brin. However, the legitimacy of this particular data remains unconfirmed, as there are inconsistencies, such as Musk and Brin having identical profile information in the leaked dataset.
The situation underscores the dangers of data breaches, especially with sensitive genetic information, and highlights the continuing issue of “credential stuffing”—where hackers use leaked login details from one breach to access accounts on other platforms. The motive behind targeting data related to Ashkenazi Jews and the extent of additional compromised data are yet to be fully understood. This breach raises significant concerns about the privacy and security risks associated with DNA databases and similar platforms that facilitate the sharing of personal data.
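A detection rule for the credential stuffing pattern described above, added here as an example and not part of the original post. The authentication events are constructed, and the thresholds (at least 5 attempts against at least 4 distinct usernames with at most a 50% success rate inside a 5-minute window) are assumptions a defender would tune to their own login volume:

```javascript
// Added example: flagging credential stuffing in authentication logs.
// The events below are constructed and the thresholds are assumptions.
const EVENTS = [
  // one source cycling through many different accounts with mostly failures
  { ts: 0,  ip: '203.0.113.7', user: 'alice', ok: false },
  { ts: 10, ip: '203.0.113.7', user: 'bob',   ok: false },
  { ts: 20, ip: '203.0.113.7', user: 'carol', ok: false },
  { ts: 30, ip: '203.0.113.7', user: 'dave',  ok: false },
  { ts: 40, ip: '203.0.113.7', user: 'erin',  ok: true  },
  { ts: 50, ip: '203.0.113.7', user: 'frank', ok: false },
  // one user mistyping their own password twice, then logging in
  { ts: 5,  ip: '198.51.100.2', user: 'bob', ok: false },
  { ts: 15, ip: '198.51.100.2', user: 'bob', ok: false },
  { ts: 25, ip: '198.51.100.2', user: 'bob', ok: true  },
];

// Credential stuffing looks different from a forgotten password: one source,
// many distinct usernames, a low success rate, all inside a short window.
function detectCredentialStuffing(events, opts = {}) {
  const { windowSec = 300, minAttempts = 5, minUsers = 4, maxSuccessRate = 0.5 } = opts;
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, evs] of byIp) {
    evs.sort((a, b) => a.ts - b.ts);
    let best = null;
    let start = 0;
    // sliding window over this source's attempts, oldest to newest
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].ts - evs[start].ts > windowSec) start++;
      const win = evs.slice(start, end + 1);
      const users = new Set(win.map((e) => e.user)).size;
      const successes = win.filter((e) => e.ok).length;
      const hit = win.length >= minAttempts && users >= minUsers &&
        successes / win.length <= maxSuccessRate;
      // keep the widest window that trips the rule for this source
      if (hit && (!best || win.length > best.attempts)) {
        best = { ip, attempts: win.length, distinctUsers: users, successes };
      }
    }
    if (best) flagged.push(best);
  }
  return flagged;
}
```

On the sample, only 203.0.113.7 is reported; the legitimate user's two failures from 198.51.100.2 stay below the attempt and distinct-user thresholds.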
Marina Bay Sands
Marina Bay Sands has reported a data breach affecting approximately 665,000 members of its non-casino rewards program. The breach, which occurred on October 19-20, 2023, involved unauthorized access to customer data, including names, email addresses, phone numbers, countries of residence, and membership details. There is no indication that the casino rewards program was compromised or that the data has been misused. The company has apologized, initiated an investigation with cybersecurity experts, and is contacting affected customers. Authorities have been notified, and measures are being taken to enhance data security.
Casio
Casio Computer Co., Ltd. has recently extended an apology to its users following a security breach that compromised personal data on its educational web application, ClassPad.net, on October 11. The breach came to light when a database malfunction was noticed within the ClassPad.net development environment. Further investigation revealed that this issue was not isolated but part of a larger intrusion that occurred the following evening, leading to the compromise of data belonging to users from various countries.
It was determined that the breach occurred due to deactivated network security protocols within the development system, compounded by a lack of rigorous operational oversight. To address the breach, Casio has temporarily disabled the affected development databases to block any further unauthorized access and has been proactive in contacting the appropriate Japanese data protection authorities. The company is currently consulting with cybersecurity and legal experts to conduct an in-depth investigation and take appropriate measures, as well as cooperating with the police in their investigation.
The types of personal information accessed included customer names, email addresses, countries of residence, purchasing history, and usage details for the service. Casio has confirmed that credit card information was not retained in the database and therefore not at risk. The incident impacted data related to 91,921 Japanese customers, including individuals and educational institutions, along with 35,049 international customers spanning 148 countries.
Casio reiterates its deep regret for the breach and the resulting impact on its customers, pledging a steadfast effort to bolster its security systems to prevent such occurrences in the future.
D-Link
D-Link Corporation faced an alleged data breach after an unauthorized third party claimed on an online forum to have stolen company data. D-Link responded quickly, initiating an investigation and implementing precautionary measures. Its findings, supported by external experts from Trend Micro, indicated that the claim was largely exaggerated and misleading. The data in question was traced back to an obsolete D-View 6 system, decommissioned in 2015, which had been used for product registration. It did not include user IDs or financial details but contained some low-sensitivity information such as contact names and office email addresses.
The breach is thought to have originated from a phishing attack that an employee inadvertently fell victim to, which led to the exposure of the outdated data. D-Link has reviewed its security measures and shut down the servers suspected to be involved, as well as disconnecting the test lab from its network. The company states that its security systems met the standards of the time and that it is committed to enhancing its security to prevent future incidents.
In summary, D-Link’s prompt response to the alleged data breach led to findings that contradicted the severity of the online claim. Measures have been taken to safeguard against similar occurrences, and customers have been advised on how to protect their information.
Online stores’ 404 pages stolen
The Akamai Security Intelligence Group has uncovered a novel Magecart web skimming campaign that’s infiltrating a broad range of websites, including those belonging to major players in the food and retail sectors. This particular campaign is notable for its innovative use of three advanced techniques to hide its malicious code, one of which involves exploiting the default 404 error pages of websites—a method previously unseen.
The campaign’s method of operation begins with the injection of a small piece of obfuscated JavaScript, known as a loader, into the website. This loader is responsible for setting up the full malicious attack by initiating a WebSocket channel for communication with the attackers’ command and control server. The attackers then deploy the main skimming code that targets sensitive pages, such as checkout pages, to steal personal and credit card information from unsuspecting users.
Three variations of the campaign have been identified, each showcasing the evolution of the attackers’ methods to evade detection. The first variation uses an image tag with a malformed source attribute to execute JavaScript, while the second mimics legitimate services like Facebook’s Meta Pixel to blend in. The third and most sophisticated variation involves inserting the skimmer within the HTML of the website’s 404 error page, making it extremely difficult to detect and remove. This third variation also employs a different tactic for data exfiltration, using a fake form that overlays the legitimate payment form. This technique captures the user’s data twice—once through the fake form and then again when the user is prompted to re-enter the information on the real form.
The Akamai team tested its Client-Side Protection & Compliance solution against this skimmer and found that it detected the high-severity threat and raised an alert. This case is a reminder that organizations must actively monitor their websites and consider client-side protection solutions that can detect and mitigate increasingly sophisticated web skimming attacks in real time.
Air Europa
Air Europa, a Spanish airline headquartered in Madrid, is currently in the process of being acquired by International Consolidated Airlines Group, which owns British Airways. The airline has experienced a cyberattack targeting its online payment system, which resulted in some customers’ credit card details being compromised, as reported by the company. The airline has responded by contacting those customers whose information was potentially exposed and has informed the appropriate financial entities about the breach. The exact number of customers impacted and the financial repercussions of the incident have not been disclosed by Air Europa, and they stated that no other personal information was at risk.
In a previous incident in 2018, which affected 489,000 customers, Air Europa faced penalties for not reporting the breach within the mandated 72-hour period, taking 41 days instead. This past breach was highlighted by the OCU, emphasizing the airline’s obligation to timely report such incidents.
TransForm
A cyberattack on TransForm, a shared service provider, has disrupted operations across five hospitals in the Erie St. Clair region of Ontario, Canada. This attack led to system outages, affecting patient care and resulting in the rescheduling of appointments. TransForm, established by these hospitals to handle IT, supply chain, and accounts payable, acknowledged the cyberattack in a statement and indicated an ongoing investigation to ascertain the attack’s cause and reach. It is currently unclear whether patient information has been compromised.
The affected hospitals include:
Windsor Regional Hospital: A major healthcare facility with 642 beds.
Hotel Dieu Grace: Specializes in complex care, mental health, and rehabilitation with 313 beds.
Erie Shores Healthcare: A significant provider with 72 beds.
Hospice of Windsor-Essex: Offers end-of-life care with 23 beds.
Chatham-Kent Health Alliance: A community hospital with a 200-bed capacity.
Patients with upcoming appointments at these hospitals are being contacted for rescheduling. Meanwhile, the hospitals have advised individuals not requiring emergency care to seek alternatives such as primary care providers or local clinics to lessen the burden on hospital resources during this period.
As the specifics of the cyberattack are still under review, past patients of these institutions are encouraged to be vigilant, particularly regarding unsolicited communications that may be suspicious.
It’s clear that no entity, regardless of size or industry, is immune to the threat of digital incursions. The essential lesson here is not found in the recounting of breaches but in understanding the dynamic and persistent nature of cyber risks. To navigate this complex landscape, companies must adopt a posture of continuous monitoring and regular security assessments to stay ahead of threats. Utilizing automated tools for real-time analysis and proactive threat intelligence is no longer optional but a critical component of modern cybersecurity strategies. These practices, combined with a culture of security awareness and training, can form a robust defense against a tide of evolving digital dangers. As businesses forge ahead, the integration of advanced cybersecurity measures will be the beacon that guides them through the murky waters of potential cyberattacks, ensuring resilience and trust in the digital era.