Tag Archives: data breaches

Data Breaches and Cyber Attacks Round Up: June 2023

Findings.co data breaches and cyber attacks in review june 2023

In a world where technology reigns supreme and cyber crime lurks around every digital corner, organizations find themselves locked in a never-ending battle to protect their precious data. From the daring MOVEit vulnerability that left organizations trembling, to the turbulence in the airline industry caused by data breaches, and even a ransomware attack on a tech titan. Buckle up and get ready to explore these hair-raising incidents that prove cybersecurity is no joke in the fast-paced digital age. It’s time to dive into the data breaches and cyber attacks that organizations faced in June 2023. 



MOVEit:


Recently, a significant incident involving the MOVEit vulnerability and data extortion has had a global impact on numerous organizations. Exploiting a vulnerability in Progress Software’s widely-used MOVEit file transfer application, criminals targeted organizations, particularly those within supply chains utilizing the app, resulting in data breaches and the theft of customer and/or employee data.


In more detail, Progress Software Corporation, a company specializing in software and services for user interface development, devops, and file management, issued a warning to its customers regarding a critical vulnerability called CVE-2023-34362. The vulnerability affects the MOVEit Transfer and MOVEit Cloud products, which provide a secure and convenient way to store and share files within teams, departments, companies, and supply chains. MOVEit Transfer’s web-based front end, designed to simplify file sharing and management through a web browser, was discovered to have a SQL injection vulnerability. This vulnerability occurs when an HTTP request sent to a web server is improperly converted into a database query, leaving the server open to manipulation. Attackers can inject malicious commands through URLs, potentially leading to data loss or unauthorized access. Progress Software released patches for the affected versions of MOVEit, but unauthorized commands may have been injected before the patch, resulting in data compromise. To mitigate the risk, Progress recommends ensuring that all instances of MOVEit software are patched, disabling the web-based interfaces if patching is not immediately possible, monitoring logs for suspicious activities, and adopting secure programming practices such as input sanitization and parameterized queries to prevent SQL injection attacks.



Additional Victims of the MOVEit Hack:


The total number of impacted organizations has come to over 130, affecting over 16 million individuals. Brett Callow, a threat analyst at cybersecurity firm Emsisoft, has so far identified around 138 organizations that have fallen victim to the campaign, resulting in the compromise of personal information for over 15 million people. It is expected that these numbers will rise as more victims come forward. The cybercrime group, believed to have ties to Russia and known for their use of the Cl0p ransomware, has claimed responsibility for the attack. They boast being the sole threat actor aware of the MOVEit zero-day exploit before it was patched. Recently, they have started naming organizations that have refused to pay their ransom demands or engage in negotiations. 


Their list includes notable entities such as Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Cognizant, AbbVie, Kirkland & Ellis, and K&L Gates. Siemens Energy and Schneider Electric have confirmed being targeted. UCLA acknowledged the exploitation of the vulnerability but clarified that it does not classify the incident as a ransomware attack, likely because no file-encrypting malware was employed and there is no evidence of other system compromises on campus. Government organizations, including the US Department of Energy and the Health Department, have also been affected. The New York City Department of Education, the Oregon DMV, the National Student Clearinghouse, and associated schools have reported being victims as well. The cybercriminals, however, claimed on their website that they have deleted data from over 30 government-related organizations as their focus is purely financial and not interested in such entities. Gen Digital, the parent company of renowned cybersecurity brands including Avast, Avira, AVG, Norton, and LifeLock, has also officially acknowledged that the personal information of its employees was compromised during the recent MOVEit ransomware attack. 


As you can tell, this recent MOVEit data breach has had a domino effect.  The personal information of approximately 769,000 retired members of CalPERS, the California Public Employees’ Retirement System. The breach also affected 415,000 members and beneficiaries of CalSTRS, the California State Teachers’ Retirement System. The breach was reported by CalPERS after their third-party vendor, PBI Research Services, discovered a vulnerability in their MOVEit Transfer Application. The vulnerability allowed unauthorized access to sensitive data such as names, dates of birth, Social Security numbers, and even the names of family members of the affected members. CalPERS is the largest public pension fund in the United States, serving over 2 million members in its retirement system and more than 1.5 million in its health program. CalSTRS, on the other hand, is the second-largest public pension fund in the country and the largest retirement system for teachers, serving more than 947,000 members.


American Airlines:


American Airlines and Southwest Airlines, two major global airlines, have recently reported data breaches resulting from a security incident involving Pilot Credentials, a third-party vendor responsible for managing pilot applications and recruitment portals for multiple airlines. Both airlines were notified about the incident on May 3, clarifying that the breach was limited to the systems of the third-party vendor and did not impact their own networks or systems. The unauthorized individual behind the breach gained access to Pilot Credentials’ systems on April 30 and stole documents containing information submitted by certain applicants during the pilot and cadet hiring process.


American Airlines stated that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009 affected individuals. The compromised data included personal information such as names, Social Security numbers, driver’s license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers. It’s worth noting that American Airlines has experienced previous data breaches, including one in September 2022 resulting from a phishing attack and another in March 2021 due to a breach in SITA’s Passenger Service System, which affected multiple airlines globally.



Taiwan Semiconductor Manufacturing Company (TSMC):


The world’s largest contract chipmaker, has confirmed a data breach after being targeted by the LockBit ransomware gang. The gang, linked to Russia, listed TSMC as a victim and demanded a $70 million ransom. TSMC stated that the breach did not impact its business operations or compromise customer information. The incident originated from a cybersecurity breach at one of TSMC’s IT hardware suppliers, Kinmax Technology. TSMC terminated its data exchange with Kinmax and assured that customer information remains secure. Kinmax also apologized for the incident and indicated that other customers may have been affected. The breach follows recent arrests related to LockBit ransomware attacks. Taiwan Semiconductor Manufacturing Company (TSMC), a major semiconductor supplier for Apple, recently attributed a data breach and subsequent $70 million ransom demand from the LockBit ransomware group to a third-party IT hardware supplier. TSMC confirmed the security incident but refrained from disclosing the specific data accessed or held for ransom by LockBit actors. The company assured that the breach did not impact its business or customer information. TSMC identified the third-party supplier as Kinmax Technology, an Hsinchu-based systems integrator known to collaborate with various technology companies. It remains uncertain if other customers were affected by the attack.


The National Hazard Agency, a subgroup of LockBit, set a deadline of August 6 for TSMC to pay the ransom, threatening to publicly release the stolen data. The threat actors also claimed to possess “points of entry” to TSMC’s network, along with login credentials, which are valuable to cyberattackers. TSMC reported robust financial figures for 2022, making it an enticing target. Following the incident report, TSMC conducted a thorough review of its hardware components and security configurations, discontinuing data exchange with Kinmax and reinforcing security measures. The company emphasized its commitment to raising security awareness among suppliers and ensuring compliance with its security requirements.


Kinmax, the implicated IT supplier, downplayed the breach, stating that the intruder accessed system installation preparation information in the engineering test environment, which was unrelated to customers’ actual applications. Kinmax expressed regret and extended apologies to affected customers, mentioning enhanced security measures implemented to prevent future incidents.


TSMC’s breach highlights the growing trend of third-party compromises leading to data breaches in various organizations. It coincides with reports of organizations falling victim to the Cl0p ransomware gang due to a vulnerability in the widely used MOVEit Transfer app by Progress Software. The Biden administration’s cybersecurity executive order in May 2021 has underscored the significance of securing IT supply chains.


Microsoft:


In early June 2023, Microsoft encountered a surge in traffic that affected the availability of some services. To address this issue, Microsoft promptly launched an investigation and began monitoring ongoing Distributed Denial-of-Service (DDoS) activity conducted by a threat actor known as Storm-1359. These attacks seem to rely on the utilization of multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools. No evidence suggests that customer data has been accessed or compromised during these recent DDoS attacks. The focus of these DDoS attacks was primarily on layer 7 rather than layer 3 or 4. To enhance customer protection against similar DDoS attacks, Microsoft has fortified its layer 7 defenses by optimizing the Azure Web Application Firewall (WAF). While these measures have proven effective in mitigating most disruptions, Microsoft consistently evaluates the performance of its defenses and incorporates lessons learned to further refine and enhance their effectiveness.


Customers are advised to review the technical details and recommended actions provided in this blog to bolster the resilience of their environments and mitigate the impact of comparable attacks.


Technical Details:

Microsoft’s assessment reveals that Storm-1359 possesses a collection of botnets and tools that enable the threat actor to launch DDoS attacks from various cloud services and open proxy infrastructures. Storm-1359 appears to be primarily focused on causing disruption and gaining publicity.


Storm-1359 has been observed employing different types of layer 7 DDoS attack traffic, including:


HTTP(S) flood attack: This attack exhausts system resources by inundating them with a high volume of SSL/TLS handshakes and HTTP(S) requests. The attacker distributes a large number of HTTP(S) requests from different source IPs across the globe, overwhelming the application’s backend and depleting compute resources (CPU and memory).


Cache bypass: This attack attempts to bypass the Content Delivery Network (CDN) layer, potentially overwhelming the origin servers. The attacker sends a series of queries against generated URLs, causing the frontend layer to forward all requests to the origin instead of serving cached content.


Slowloris: In this attack, the client establishes a connection with a web server, requests a resource (e.g., an image), but intentionally fails to acknowledge or accepts the download slowly. This forces the web server to keep the connection open and retain the requested resource in memory.


Recommendations – Layer 7 DDoS Protection Tips:


To mitigate the impact of layer 7 DDoS attacks, Microsoft recommends that customers consider the following measures:


Utilize layer 7 protection services like Azure Web Application Firewall (WAF) (available with Azure Front Door, Azure Application Gateway) to safeguard web applications.


When using Azure WAF:


Employ the bot protection managed rule set, which provides defense against known malicious bots. For more information, refer to the configuration instructions for bot protection.

Block IP addresses and ranges that you identify as malicious. Examples of how to create and use custom rules can be found in the provided resources.

Consider blocking, rate limiting, or redirecting traffic from outside or within defined geographic regions to a static webpage. Refer to the examples in the provided resources for more information on creating and using custom rules.

Create custom WAF rules that automatically block and rate limit HTTP or HTTPS attacks with known signatures.


DMPS:


Des Moines Public Schools is currently contacting approximately 6,700 individuals to inform them about a data security event that occurred earlier this year. This incident, which occurred in January, involved a cyberattack on the school district and may have led to the potential exposure of personal information belonging to those affected. 


The cyberattack on DMPS also involved a ransom demand. However, in accordance with the advice of cybersecurity experts and considering the best interests of the school district and community, no ransom has been or will be paid in response to this attack.


And speaking of schools, the university of Manchester also recently disclosed a breach. In the week starting on June 6th, the University received news of a cyber incident, where unauthorized individuals gained access to certain systems and likely copied data. Our dedicated team of experts, both internal and external, is diligently working day and night to address this incident and determine the extent of the data accessed. Our main focus is to swiftly resolve this situation and promptly inform those affected. We are allocating all possible resources towards achieving these objectives.



Cybersecurity is Essential:


The incidents surrounding MOVEit, American Airlines, TSMC and Microsoft serve as stark reminders of the importance of cybersecurity in our fast-paced digital age. These incidents underscore the serious and ongoing nature of cybersecurity threats, reminding organizations to remain vigilant, strengthen their defenses, and prioritize the safeguarding of valuable data in the digital landscape. 





Discover How Findings Can Help



Top Cyber Attacks and Data Breaches: May 2023 Round Up

May 2023 data breaches

In an era dominated by digital connectivity, the frequency and impact of data breaches continue to escalate, leaving individuals and organizations vulnerable to devastating consequences. From state-sponsored hacking campaigns to opportunistic cybercriminals, the realm of data security is constantly under siege. Recent events have once again thrust data breaches into the spotlight, as major corporations and industry giants grapple with the aftermath of malicious intrusions. In this blog post, I will delve into a series of alarming incidents that have unfolded in May 2023, shedding light on the tactics employed, the extent of compromised information, and the potential ramifications for affected individuals and businesses. Brace yourself for an eye-opening exploration of the evolving threat landscape as we navigate the treacherous waters of data breaches and their far-reaching impact.


  1. On May 24,2023, Microsoft reported that it found targeted malicious activity by Volt Typhoon, a state-sponsored group from China, aiming to access unauthorized credentials and explore critical infrastructure networks in the US. This campaign supposedly  intends to disrupt communication infrastructure between the US and Asia during future crises. Volt Typhoon has been active since mid-2021, primarily targeting critical infrastructure organizations in Guam and other US regions across various sectors. They employ stealth techniques, living-off-the-land methods, and manipulate systems using command line instructions. The threat actor maintains persistent access and attempts to conceal their activities by routing network traffic through compromised SOHO network equipment. 


  1. Sysco, a major U.S. multinational food distribution corporation, recently revealed that approximately 126,243 current and former employees may have had their sensitive data accessed and acquired in a cyberattack that took place in January. According to notification letters sent to affected individuals, Sysco’s systems were initially breached on January 14, but the intrusion was only discovered nearly two months later. The company assured that its operational systems, business functions, and customer services remained unaffected by the breach. While specific details about the data accessed for each individual are yet to be confirmed, Sysco stated that the compromised information may include personal data provided for payroll purposes, such as names, Social Security numbers, account numbers, or similar information. 


  1. On May 26, 2023, Managed Care of North America (MCNA) Dental published a data breach notification on its website, informing approximately 9 million patients that their personal data was compromised. MCNA Dental is one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S. On March 6, 2023, the insurance provider discovered unauthorized activity in their computer system. They took immediate action to halt the activity and initiated an investigation with the assistance of a specialized team. It was determined that an unauthorized user was able to access and make copies of certain information between February 26, 2023, and March 7, 2023. The potentially compromised information includes contact details such as first and last name, address, date of birth, phone number, and email address. Social Security numbers, driver’s license numbers or other government-issued ID numbers were also accessed. Additionally, health insurance information such as plan details, insurance company information, member numbers, and Medicaid-Medicare ID numbers may have been involved. Specific information related to dental care, including visits, dentist and doctor names, past treatments, x-rays/photos, prescribed medicines, and treatment details, as well as bills and insurance claims, were also potentially exposed. 


  1. NextGen Healthcare, a vendor of cloud-based electronic health records, has been informing over 1 million individuals about a data compromise that involves the unauthorized acquisition of login credentials. This incident marks at least the second alleged data security breach that the company has probed since January. The company explained an unknown third-party gained unauthorized access to a limited set of personal data between March 29, 2023, and April 14, 2023. The accessed information includes names, dates of birth, addresses, and social security numbers. Out of the 198 significant breaches of health data that have been reported on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website in 2023, impacting a total of 17.4 million individuals, it has been disclosed that at least 75 of these incidents affecting 9.8 million individuals were reported to involve business associates. Approximately 38% of the major health data breaches reported on the HIPAA Breach Reporting Tool website in 2023 involved vendors and other business associates. Interestingly, despite accounting for a smaller proportion of breaches, these incidents were responsible for impacting 56% of the individuals affected by breaches in the healthcare sector.


  1. Luxottica, the world’s largest eyewear company known for brands like Ray-Ban, Oakley, and Chanel, has officially confirmed a data breach that occurred in 2021 via BleepingComputer. The breach exposed the personal information of approximately 70 million customers when a database was recently made available for free on hacking forums. Luxottica revealed that one of its partners experienced the breach, involving a security incident that affected a third-party contractor responsible for holding customer data. The exposed data includes sensitive details such as full customer names, email addresses, phone numbers, residential addresses, and dates of birth. Luxottica emphasized that financial information, social security numbers, login credentials, and other critical data that could endanger customer safety were not compromised. The FBI has made an arrest in connection with the incident, resulting in the shutdown of the website where the data was published. 


  1. On May 11, 2023, Brightly informed present and past SchoolDude users that a security incident occurred. SchoolDude is an online platform used by educational institutions for placing and tracking maintenance work orders. Information such as name, email address, account password, phone number, and school district name were potentially breached. 


  1. On May 8, 2023, Dragos, a company specializing in industrial cybersecurity, experienced a failed extortion scheme by a cybercriminal group. The group gained unauthorized access by compromising the personal email of a new sales employee, allowing them to impersonate a Dragos employee and access resources in SharePoint and the contract management system. Although they accessed a report with customer IP addresses, Dragos’ security controls prevented the threat actor from deploying ransomware or making further infrastructure changes. The cybercriminals resorted to extortion attempts, escalating their messages and contacting Dragos executives and known contacts. However, Dragos chose not to engage with the criminals and promptly activated their incident response retainer and involved their third-party MDR provider. The investigation is ongoing, but Dragos has implemented additional verification steps for their onboarding process and emphasizes identity and access management, multi-factor authentication, continuous monitoring, and incident response preparedness.


In other news, in May, it was discovered that Apple banned its employees from using generative AI tools like OpenAI’s ChatGPT and GitHub’s Copilot due to concerns about potential data leaks and disclosure of sensitive information. Apple’s decision is based on the fact that OpenAI stores all user interactions by default, including conversations with ChatGPT, which are used for training and subject to moderation. While OpenAI introduced an option to disable chat history, conversations are retained for 30 days for abuse review before permanent deletion. Apple worries that employees may unintentionally reveal confidential project information within ChatGPT, which could be accessed by OpenAI moderators. Similar restrictions have been implemented by other companies like JP Morgan, Verizon, and Amazon. Despite the ban, OpenAI recently launched an iOS app for ChatGPT, making Apple’s decision notable, considering the app’s availability and future expansion plans. 


As data breaches continue to make headlines, it becomes abundantly clear that the protection of sensitive information is of paramount importance. The incidents highlighted in this blog post serve as a stark reminder that no individual or organization is immune to the persistent and ever-evolving threats posed by cybercriminals. As we move forward, it is imperative for individuals and businesses alike to prioritize robust security measures, including stringent access controls, advanced encryption protocols, and employee education programs. By staying vigilant, proactive, and informed, companies can fortify their defenses and mitigate the risks associated with data breaches. 


Learn More About Findings



March Data Breach Round-Up

findings shares the top breaches that happened in March 2023

As we move forward, it’s becoming increasingly clear that even large corporations aren’t safe from cyber attacks. From Chick-fil-A and Dole Food Company to Acer and Procter & Gamble, the number of companies that have suffered data breaches continues to grow. Today, I’ll delve into some of the latest confirmed data breaches from March, and examine what they could mean for both these businesses and their customers. With personal data security on the line, it’s time to brace yourself for a rollercoaster ride into the realm of cybercrime!


  1. Attention all Chick-fil-A lovers! Unfortunately, Chick-fil-A has sent a notice to customers about a data security incident that may have involved their personal information. The company has taken measures to prevent unauthorized activity and engaged a national forensics firm to investigate the issue. Based on their investigation, it was discovered that unauthorized parties launched an automated attack against Chick-fil-A’s website and mobile application between December 18, 2022, and February 12, 2023, using account credentials obtained from a third-party source. The information that may have been involved includes name, email address, Chick-fil-A One membership number, mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit on the account, as well as the month and day of the birthday, phone number, and address if saved to the account. Unauthorized parties were only able to view the last four digits of the payment card number. Chick-fil-A recommends affected customers change their password immediately and choose a strong, unique password. 


  1. While we all love fresh produce, it’s important to remember that cybersecurity is vital to ensuring that we can continue to enjoy our favorite fruits and veggies. Fresh produce provider, Dole Food Company, has confirmed that employee information was accessed by threat actors during a February ransomware attack. The number of employees affected was not disclosed, but Dole employs approximately 38,000 people worldwide. The company said the attack was sophisticated, but limited in impact on operations. However, Dole was forced to shut down production plants across North America and was unable to fulfill orders for a week, leading to complaints from customers. In response to the attack, Dole engaged cybersecurity experts and notified law enforcement. The incident has been disclosed in an annual report filed with the US Securities and Exchange Commission. The company very nicely explained the damage that a cyber attack can cause a company. In the report they write, “our information technology networks and systems, some of which rely on third-party service providers, may be vulnerable to service disruptions or system failures due to causes including intentional hacking, security breaches, intrusions, malware, denial of service attacks, phishing, or other cybersecurity attacks, as well as natural disasters, catastrophic events, power outages, or human error or malfeasance. If we are unable to prevent or adequately respond to and resolve these disruptions or failures, our operations may be impacted and any unauthorized access to, or acquisition of, customer, employee, or other confidential information could result in adverse consequences such as reputational damage, premature termination or reduction of existing contracts, reduction of operating revenue, remediation costs, ransomware payments, litigation, and/or penalties under various laws and regulations. Our customers could also refuse to continue to do business with us and prematurely terminate or reduce existing contracts, resulting in a significant reduction of our operating revenue.” This further shows that everyone in the supply chain is ultimately affected by cyber attacks. 


  1. The FBI just put the cuffs on the supposed mastermind behind a notorious cybercriminal hub that boasted stolen data from Congress members and countless other individuals. The founder of the BreachForums website, Conor Brian Fitzpatrick, has been arrested and charged with operating a hacking forum and marketplace for cybercriminals. Fitzpatrick, 20, allegedly created BreachForums in March 2022 to buy, sell and trade hacked or stolen data and other contraband, including personally identifying information, bank account details, and social security numbers. According to reports, Fitzpatrick is believed to have played a role as a mediator or intermediary for unlawful deals and personally offered access to legitimate breached databases using a credit-based system run by the online platform. The site’s various sections included “Cracking,” “Leaks,” and “Tutorials.” The FBI and the Department of Health and Human Services Office of Inspector General have conducted a disruption operation that caused BreachForums to go offline. Fitzpatrick’s alleged victims included millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies. Deputy Attorney General Lisa O. Monaco has announced another successful crackdown on the cybercrime underworld, stating that the BreachForums platform – much like its predecessor RaidForums – facilitated the trade of stolen data between hackers and willing buyers. She warns all those involved in shady dealings on the dark web that they should take note: Law enforcement agencies are determined to dismantle these illicit forums and prosecute their administrators in U.S. courts. So if you’re operating in the shadows, you better watch out!


  1. On March 20th, Ferrari confirmed that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details. Twitter user Troy Hunt shared the breach letter sent to customers. Ferrari writes, “we regret to inform you of a cyber incident at Ferrari, where a threat actor was able to access a limited number of systems in our IT environment.” While the company explains that no no payment information or details of Ferrari cars owned or ordered had been stolen, hackers still accessed customers’ names, addresses, email addresses and telephone numbers. Let’s keep on dreaming about our favorite Italian sports cars and hope that Ferrari’s cybersecurity measures are strengthened to prevent any future incidents.


  1. After suffering at least two other hacking incidents in 2021, Acer, a Taiwanese electronics and computer manufacturer, has allegedly fallen victim to a ransomware attack, and the ransomware group, REvil, is claiming responsibility. The cybercriminals are demanding a staggering $50 million, the highest ransom on record to date. Acer is well-known for its laptops, desktops, and monitors, and employs around 7,000 people worldwide. The investigation is still ongoing, however Acer did confirm it suffered a breach. “We have recently detected an incident of unauthorized access to one of our document servers for repair technicians. While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server,” the company told PCMag in a statement. In another statement made to BleepingComputer, the company explained, “Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries. We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity.” It’s extremely important that companies continue to stay up to date with cybersecurity regulations and best practices.  


  1. Oh boy, it seems like GoAnywhere just can’t catch a break! This supposedly secure web file transfer solution has been at the center of a string of breaches, and the hits just keep on coming. Let’s take a closer look, shall we?


In early February, Fortra – a company that offers GoAnywhere as a secure managed file transfer (MFT) product – announced that it had identified a zero-day vulnerability in the system. This vulnerability could allow attackers to remotely execute code on vulnerable systems, and it was actively being exploited. The news was first reported by journalist Brian Krebs, and it set off a chain reaction of breaches affecting multiple companies.


One of the latest victims to come forward is Procter & Gamble, a consumer goods company that confirmed it was impacted by the GoAnywhere incident. The company’s GoAnywhere MFT platform was compromised, and an unauthorized third party was able to obtain some information about P&G employees. Fortunately, financial and social security information was not accessed, but some data was stolen. It’s believed that the Clop ransomware gang may be behind the attack, as they previously claimed to have stolen files from over 130 organizations.


And now, Crown Resorts – Australia’s largest gambling and entertainment company – has also fallen victim to the GoAnywhere breaches. Their secure file-sharing server was breached using a zero-day vulnerability, and a ransomware group has claimed to have illegally obtained a limited number of Crown files. Crown Resorts is just the latest in a long list of victims, including CHS, Hatch Bank, Rubrik, the City of Toronto, Hitachi Energy and Saks Fifth Avenue.


It’s safe to say that the GoAnywhere breaches have had a huge impact on multiple industries, and it’s important for companies to take extra precautions when it comes to data security. Stay vigilant, folks!



In recent years, cybercrime has affected not only small businesses but also large corporations. This blog post examined several data breaches that occurred in March 2023, including those affecting Chick-fil-A, Dole Food Company, Ferrari, and Acer. These breaches have impacted the personal information of customers and employees, leading to potential risks such as identity theft and fraud. With these incidents in mind, it is crucial for individuals and companies to prioritize cybersecurity measures and remain vigilant against cyber threats. 



SEE HOW FINDINGS CAN HELP YOUR BUSINESS

December Security Breach Round Up

December security breaches

2023 is here and while I would love nothing more than to say that everything is awesome in the security world, I would be lying to all of you if I said there were no data breaches in the month of December. 

While most people usually wind down and enjoy the holiday season with family in December, the top dogs at the companies below probably had nothing but stress on their minds. 

Let’s dig in and see what mistakes were uncovered this month.


  1. LastPass:

Well this is a little awkward, isn’t it? Given that LastPass is a password manager, one would think that they would have strong measures in place to protect their consumer’s privacy; however, that does not seem to be the case. In a company notice, LastPass writes: “we recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” The threat actor copied information from a backup source that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The company continues to explain that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” It is important to note that many organizations and their employees use LastPass to store passwords. If you were not aware of this incident, it is time you look into protecting your accounts and changing your passwords.


  1. Uber:

When I found out about yet ANOTHER Uber breach, my reaction was a deep sigh of frustration. This time the breach resulted from a compromised third-party vendor. BleepingComputer reported about the incident and shared that “a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees. While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.” After further investigations, Uber later shared with BleepingComputer that the threat actor stole its data in a recent breach on Teqtivity, which Uber uses for asset management and tracking services. Teqtivity informed that the threat actor was able to access device information such as serial number, make, models, and technical specs. Additionally, user information such as first name, last name, work email address, and work location details were accessed. 


  1. Five Guys:

I’ll be the first to admit that Five Guys is irresistible – especially on a cheat day. So of course I hate to be the bearer of bad news here, but alas, it has to be said. On December 29, 2022, Five Guys released a statement confirming a breach that occurred in September 2022 that exposed sensitive customer data by an unauthorized party who accessed a file server. The company writes: “The investigation identified unauthorized access to files on our file server that occurred on September 17, 2022. We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process.” Stolen data would include employee personally identifiable information (PII) such as names, social security numbers and driver’s license numbers. We see this time and time again where threat actors access sensitive information and companies do not inform victims until months later. In those months, the attackers can commit identity and credit fraud and sell user data on the dark web. That is one of the reasons why Findings is so useful – we continuously monitor your systems and the dark web to make sure that if an incident like this does ever occur, it will not take you months to find out.

 

  1. Sequoia:

For those who are unaware, Sequoia is a popular benefits and payroll management company. In a company notice, they stated: “Sequoia Benefits and Insurance Services LLC (“Company”) recently became aware that an unauthorized party may have accessed a cloud storage system that contained personal information provided in connection with the Company’s services to its clients, including your employer or, if you are a dependent, your family member’s employer.” Information accessed by the unauthorized party consists of personal information including demographic information such as name, address, date of birth, gender, marital status, employment status, social security number, work email address, member ID, wage data for benefits, attachments that may have been provided for advocate services, ID cards, and any COVID test results or vaccine card that may have been uploaded.

  1. Social Blade:

Social Blade is an analytics platform that provides statistical data for numerous social sites such as YouTube, Twitter, Twitch and Instagram. They confirmed that they suffered a data breach after their database was breached and put up for sale on a hacking forum. Social Blade monitors tens of millions of social media accounts and the hacker claims to have obtained 5.6 million records. The sample data that was posted by the hacker also suggests that many of the records contain user information. Users online were quick to share an email that was apparently sent privately to affected users. In the email, Social Blade confirms the breach and reports that the affected data includes email addresses, IP addresses, password hashes, client IDs and tokens for business API users, and authentication tokens for connected accounts. Other non-personal and internal data was also compromised. Roughly 0.1% of users also had their addresses leaked, but credit card information was not exposed. A similarity we see here in comparison to other breaches is that this was not Social Blade’s first breach. In 2016, the company also confirmed that it suffered a breach. Let’s see if the most recent breach will be the push they need to better protect their company and prevent future attacks. 

Image

source: twitter

Now that we are in 2023, we hope that companies will take the necessary steps to protect their systems. Findings has a few New Year’s resolutions we recommend companies take on to ensure that they are protecting their employees and consumers.

Attackers prey on those who don’t regularly change their passwords. In fact, it makes their jobs easier. Make sure your systems are secure with New Year’s Resolution # 1: Require your employees to change their passwords every 90 days.

With an increase in cyber attacks being committed against supply chains, it’s vital that every business implements mandatory cybersecurity training programs. Having employees that are aware of all things cyber security is beneficial in minimizing the risks associated with cyber attacks.

Staying vigilant and continuously assessing potential risks in your supply chain is an essential New Year’s Resolution that companies need to follow in 2023.

Updates are usually required for a reason, and many times it’s for security reasons. When systems are up to date, it makes it harder for hackers to attack and find loopholes in the system. 

If you haven’t heard of our continuous monitoring solution, you may want to consider looking into it.

Andddd that’s a wrap for this month!


Findings wishes you all a happy and healthy New Year.

 

We’re here for you. Learn more today.

November Security Breach Round Up

November Security Breaches

From grocery stores, to banks, and everything in between – November saw it all when it came to breaches. As I mentioned in September, hackers are not picky. Let’s just say, when an opportunity arises, they will swoop right in and overtake your systems and access any data they can get their e-hands on.

 

Be careful, and keep staying informed – our goal is to make sure no company ends up on this list next month. 

 

Let’s dive in. 

 

  1. WhatsApp


Whatsapp with this?! The app that we all know, love, and use, WhatsApp, has supposedly fallen victim to a massive data leak. And by massive, I mean nearly 500 million user records have been leaked online. So… what happened? On November 16, 2022, an ad on a well-known hacking community forum was posted by someone claiming to be selling a 2022 database of WhatsApp user mobile numbers. It is also claimed that 32 million users from the United States have been included. Although only phone numbers were leaked, it is important to note that leaked phone numbers are typically used for marketing purposes, phishing, impersonation, and fraud. 

 

  1. Bed Bath & Beyond

Ah, phishing at its finest. While almost anyone who enters Bed Bath & Beyond can get lost for hours browsing, no one likes hearing about breached data. The United States retail giant confirmed that unauthorized access to company data was accessed after an employee was phished. In an 8-K filing to the U.S Securities and Exchange Commission, Bed Bath & Beyond explained that data of the employee’s hard drive and other shared drives that the employee had access to were accessed. The company is still investigating whether the drives have any sensitive or personally identifiable information.

 

  1. DropBox


File hosting service, DropBox, also fell victim to a phishing incident. In a statement from the company, they explained the situation saying “We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.” The company goes on to explain that on October 14, GitHub alerted them that suspicious behavior was going on. DropBox found that a threat actor was pretending to be CircleCI and was able to access one of DropBox’s GitHub accounts. To date, their investigation has found that the code accessed by the threat actor contained some credentials, primarily, API keys used by Dropbox developers.

 

  1. TransUnion


Isn’t it ironic how an agency who determines your credit score, is the one that could be ruining your credit? There are three main credit bureaus in America – Experian, Equifax and TransUnion. Unfortunately, the consumer credit reporting agency, TransUnion, experienced a breach and began notifying individuals about the incident on November 7,2022. The company collects and assembles information on over 1 billion consumers worldwide, 200 million of those being Americans. The type of information that was exposed includes names, social security numbers, driver’s license numbers, and account numbers. 

 

  1. AirAsia


AirAsia, the largest airline in Malaysia with approximately 22,000 employees and worldwide operations, has unfortunately fallen victim to a supposed ransomware attack. The group behind this attack is known as the Daixin Ransomware Gang and they have supposedly stolen data of 5 million AirAsia passengers and employees. The Daixin team is known for disrupting operations with ransomware and stealing personally identifiable information. With this data, the cyber threat group threatens to release the stolen information unless a ransom is paid. In a tweet shared by Soufiane Tahiri, screenshots from the group can be seen that were posted on the dark web. The information applies to both employees and passengers. In these documents, information such as date of birth, country of birth, where the person is from, start of employment for employees and their secret question and answer used to secure their accounts could be found. 

 

  1. Sonder


In a company security update, Sonder, a hospitality company, notified the public that they became aware of unauthorized access to one of its systems that included guest records. Information that was accessed includes: 

  • Sonder.com username and encrypted password

  • Full name, phone number, date of birth, address, and email address

  • Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts

  • Dates booked for stays at a Sonder property

  • Government issued identification such as driver’s licenses or passports

 

  1. Sobeys

This incident shows that ANY business can get breached. Even a supermarket. Incase you aren’t familiar, Sobeys is one of the two national grocery retailers in Canada. On November 7, 2022, Sobeys’ parent company wrote in a notice that the grocery stores were impacted by an IT systems issue. While the company hasn’t publicly confirmed a cyber attack on its systems, a local media outlet reported that “two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a “confidentiality incident.” 

 

  1. Whoosh

Russian scooter sharing company known as Whoosh has confirmed that it too was breached. Hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Alleged stolen data on the hacking forum allegedly contains promotion codes that would allow someone to access the service for free, as well as partial user identification and payment card data. Included were email addresses, phone numbers, and first names. A russian news outlet, RIA Novosti was told by Whoosh that, “The leak of some of the personal data of customers of the Russian scooter rental service Whoosh at the beginning of November did indeed occur, but did not affect sensitive user data, such as access to accounts, transaction information or travel details” 

 

  1. Coinsquare:


Cryptocurrency is a sexy industry to talk about, but this incident is a little less appealing. To round up the month, a Canadian cryptocurrency exchange, Coinsquare has become the latest victim of a security breach. Data such as customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances were compromised. According to customer reports, Coinsquare allegedly contacted them via email and let them know that it had identified an intrusion and a database containing personal information accessed by an unintended third party. In a Tweet responding to an account sharing about the hack, Coinsquare wrote, “We have no evidence any of this information was viewed by the bad actor, but in an abundance of caution, we wanted to make our users aware. We notified all clients, but only identified 3 clients whose accounts were accessed.” 



Companies can get careless when it comes to securing their systems, their employees, and their customers. And while we are here to help you, the first step begins with you staying informed. Which we see you are since you made it this far! 


We’re here to help you. Contact us today

October Security Breach Round Up

October security breach round up - findings.co

October was Cyber Security Awareness Month, and yet, another month, another breach. In a month that is geared towards helping organizations protect themselves, large companies have yet again fallen victim to these heinous attacks. One after the other, many companies and their consumers are now wondering when these breaches will stop. 

 

Here are our top October 2022 know-worthy incidents:

 

Toyota:

    • Toyota is no stranger to data breaches. And by the looks of it, it seems as though the company hasn’t learned from past mistakes (remember the 2019 breach that affected over 3 million of Toyota’s customers?). On October 7, 2022, Toyota issued an apology after nearly 300,000 people who used T-Connect, a telematics service that connects vehicles via a network, were exposed. The Japanese car giant explained that personal data was leaked when an access key was publicly made available on GitHub for almost five years. Email addresses and customer control numbers may have been exposed since 2017.


Microsoft:

    • Another tech giant hit yet again. On October 19, 2022, Microsoft addressed the public after security researchers at SOCRadar informed Microsoft of a misconfigured Microsoft endpoint. After the discovery, Microsoft explained that the researchers exaggerated the entire situation. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers. Information about planning or potential implementation and provisioning of Microsoft services was involved. In addition, the data that was potentially compromised includes names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. 


Verizon:

    • In a notice, the company confirms, “we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice.” 


Carousell:

    • On October 14, Carousell Singapore disclosed that it experienced a breach. And this wasn’t a small breach either – almost 2 million accounts were compromised. The company explains, “it is unlikely that this incident will result in an identity theft as it does not include information like your NRIC number,” but it is believed that emails were compromised. 


Medibank:

    • Bad news for Medibank, one of the largest Australian private health insurance providers. On October 12, 2022 the company discovered that customer information may have been compromised after a hack on their systems. It was thought that the original hack only affected certain customers, but after this week, the company is assuming that all 3.9 million customers were affected. The company said it had received a series of files from the alleged hacker, and they found the files included 100 ahm policy records, which include personal and health claims data, plus another 1,000 policy records from ahm, and files which contain some Medibank, ahm and international student customer data. The records provided to the company include names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, including information about diagnosis, procedures and location of medical services.


Twilio:

    • Sometimes companies just can’t catch a break. Cloud communications company, Twilio, disclosed a new data breach stemming from a June 2022 security incident. After a lengthy investigation, the company concluded that 209 customers and 93 Authy end users had accounts that were impacted by the incident. 

 

Don’t let your company end up on this list. See how findings can help you here.

September Security Breach Round Up

September Security Breach Round Up. An iPhone with a broken lock - signifying a breach.

Cybersecurity threats have become an integrated part of every company’s lifecycle. They are occurring now more than ever, and hackers are not selective – ultimately putting any company at risk for an attack. 

 

To keep your company safe and your cybersecurity team up to date with the latest trends, it’s important to learn from recent incidents to avoid the same mistakes that left even the world’s largest corporations exposed. 

 

Here are our top 5 September 2022 read-worthy incidents:

 

Uber:

Sneaking out of the house isn’t the only thing teens are getting good at and a recent breach proves this. On September 15, 2022, Uber fell victim to an attack. In this case, a suspected teen hacker, who Uber believes is a part of Lapsus$, was able to access Uber’s systems. In a company notice, Uber explains that the hacker likely purchased an Uber EXT contractor’s password off the dark web, and after many attempts, was successfully able to access this worker’s account. Several internal systems, internal slack messages, information from an internal tool the company uses to manage invoices, and their dashboard at HackerOne were all accessed. 


Samsung:

Most would think that one of the world’s biggest tech companies is heavily secure, right? Well… On September 2, 2022, Samsung confirmed a cybersecurity incident that affected customer data. Information such as name, contact and demographic information, date of birth, and product registration information may have been compromised. After further investigation, Samsung discovered that this incident stemmed from an unauthorized third party acquiring information from some of Samsung’s U.S. systems. 


Optus:

Optus, one of Australia’s largest telecommunication companies, suffered a cyberattack and confirmed it on September 22, 2022, through a company announcement. Customer names, dates of birth, phone numbers, email addresses, street addresses, medicare cards, and ID document numbers such as driver’s license and passport numbers of over 9 million people were potentially exposed.


American Airlines (Again?! Really?!):

On September 16, 2022, American Airlines informed customers that they experienced a security incident in July 2022. The notice explains the discovery of an unauthorized actor who compromised the email accounts of a limited number of American Airlines employees. Upon further investigation, they found that personal information such as name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information were accessible through  the email accounts. 


Tap Air Portugal:

As aviation becomes a hot target, TAP Air Portugal released an important notice to customers on September 21, 2022, regarding a cyber attack discovered back in August. The notice reads, “Regretfully, we want to inform that the following categories of personal data from some customers of TAP have been disclosed: name, nationality, gender, date of birth, address, email, telephone contact, customer registration date and frequent flyer number. The information for each affected customer may vary. We are releasing this notice to make customers aware of this matter. There is no indication that payment data was exfiltrated from TAP’s network.” While the company did not disclose how many people were affected, it is believed that over 1.5 million TAP customers had their data stolen. 


While we’ve only listed 5 of the many incidents that occurred in September, it’s important to mention that breaches occur all the time, and hackers are getting more and more creative and sophisticated. 


As businesses, it’s even more important for you to find ways to prevent, detect, and respond to these attacks in a quick and effective manner. 


Keeping your supply chain secure is vital to keeping it functioning properly and that’s why we’ve put together a supply chain security enhancement checklist for companies to reference. 

 

 

                                                                      At Findings, we help secure your digital supply chain. Discover how we can benefit your business here.

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!