Monthly Breach Report: August 2020 Edition

From social media hacks across high-profile accounts to misconfigured server data from major genetics and genealogy services companies, these are the top data breaches to capture news headlines over the last month.

Singing Like a Canary

In an almost unfathomable series of data privacy events, Twitter went 3 for 3 in May, June, and now July 2020 for experiencing significant sensitive data breaches. On July 15, 2020, high-profile Twitter accounts of individuals and companies such as Bill Gates, Barack Obama, Joe Biden, Jeff Bezos, Warren Buffett, Mike Bloomberg, and even security giant Apple itself were hacked in a Bitcoin scam. While many of these account holders seem unlikely to be offering to sell Bitcoin, their popular social media handles were among the 130 accounts hacked; people who fell for the scam lost at least $121,000. Twitter itself was reported to have lost $1B in market valuation in 24 hours. The hackers appear to be an array of individuals involved in SIM swapping coveted social media accounts that confer status in their circles.

According to Engadget, “Twitter said some of its employees fell prey to a social engineering attack. ‘Social engineering’ is a term with many connotations, but is generally taken to mean that one party has tricked or manipulated another to gain information or access to resources that otherwise would have been off-limits.” Whether or not any employee was bribed and actively participated has not yet been disclosed.

Sources:
Security Boulevard
Engadget
NBC News

Look, Dave, I can see you’re really upset about this.

Tech unicorn and banking app Dave confirmed on July 26, 2020, a data breach affecting over 7.5 million users and exposing their personal data. The breach is reported to have started on the network of the analytics platform WayDev, a former third party of the company, as a blind SQL injection attack using compromised OAuth tokens. The hacker group ShinyHunters is said to be responsible. User data was then offered for sale on RAID, a hacker forum.

“As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has ‘cracked’ some of these passwords and is attempting to sell Dave customer data,” a Dave spokesperson said. CrowdStrike is also being brought in to investigate the incident.

Sources:
ZDnet
Information Security Buzz

The Long Arm of the Law

On July 23, 2020, the New York State Department of Financial Services announced that First American Financial is the target of its first-ever cybersecurity enforcement case, and the regulator has filed charges against the company. Not only had 885 million records of mortgage transactions been exposed over 16 years, but the company had also known about it for nearly a year without addressing the vulnerability or disclosing the breach to its customers or law enforcement. Personal data, including Social Security numbers and bank account information, was exposed for a decade and a half. The regulator considers “each instance of exposed personal information a separate violation, attracting a penalty of $1,000 each.” A company spokesperson said the company will contest the charges. The DFS hearing is set for October 26, 2020.

Sources:
Wall Street Journal
Krebs On Security

Who Else Might Be Interested in Your Genetics and Heritage Data?

Three different major genetics and genealogy services companies experienced sensitive personal data breaches in July 2020. Over 25GB of user data was leaked and made publicly available due to a misconfiguration on an ElasticSearch server hosting Ancestry.com user data. GEDmatch uses DNA to find relatives, and the company goes to some lengths to keep private data hidden and protected, for good reason. On July 21, 2020, more than a million DNA profiles that had been hidden from standard GEDmatch users (intended only for specific law enforcement users looking for partial matches to crime scene DNA) became available to search. In addition, all law enforcement profiles were made visible to GEDmatch users. The breach was carried out through an attack on a server containing user accounts. It had ripple effects that reached as far as Israel: two days later, the genealogy company MyHeritage, based there, suffered a phishing campaign aimed at harvesting login information, which targeted email addresses obtained in the attack on GEDmatch.

Sources:
Buzzfeed News
BornCity

Storefronts and PHI Shattered

Physical break-ins during vandalism and looting incidents exposed vast amounts of personal Protected Health Information (PHI), covered by HIPAA regulations, at two of the largest pharmacy retailers in the US: CVS and Walgreens. Unauthorized persons broke into various stores across the country. They took hard drives, automation devices, and other electronic devices containing personal information, including names, addresses, dates of birth, prescriptions, medical provider information, passport numbers, driver’s license numbers, and email addresses. It is not clear how many tens of thousands of individuals’ PHI has been compromised. Walgreens serves eight million customers a day and CVS five million.

Sources:
HIPAA Journal

Heartbreaking Email

In another HIPAA-regulated incident, a massive PHI data breach was reported in July. A US healthcare services firm, National Cardiovascular Partners (NCP), had been breached for weeks before recognizing the issue. The company provides IT services for cardiac catheterization and vascular labs. On July 27, 2020, it was reported that more than 78,000 patients’ personal data had been obtained after attackers broke into an employee’s email account and accessed Excel spreadsheets. Names, mailing addresses, email addresses, and other sensitive PHI were compromised. NCP is sending a breach letter to its patients and has engaged external cybersecurity experts to help with the case.

Sources:
The Daily Swig

Everywhere You Turn, More Breaches

Garmin, a giant in collecting individuals’ GPS and fitness data, confirmed it had suffered an outage on July 23, 2020, caused by ransomware, resulting in service disruption for millions of users. Garmin has not been forthcoming or definitive in reporting on any personal data exposure. According to Citizen Lab in Toronto, “For consumers, Garmin clearly represents a repository of really detailed information. These are all things that speak of who you are and what you do [when], where you live, and can all be quickly turned into identifying information.”

Examples of other July 2020 significant data breaches:

  • Storytelling platform Wattpad’s July 2020 data breach resulted in hackers accessing a vast database of over 200 million user records containing personal data including names, email addresses, usernames, hashed passwords, and geolocations.
  • MobiFriends dating app’s data breach in July impacted almost 4 million individuals, as their personal information was posted online and made available to download on multiple online forums.
  • Cosmetic company Avon’s database leak exposed 19 million customers’ personal data on July 28, 2020.
  • Online alcohol delivery service Drizly communicated on July 28, 2020, that the accounts of 2.5 million customers had been hacked, exposing customers’ personal data, including names, dates of birth, home addresses, and email addresses.

Companies across the full spectrum of industries, whether serving tens of thousands or millions of customers, benefit from first discovering where all their personal data sits and then protecting it effectively to avoid personal data exposure. The recent study and whitepaper by Osano take this point further: companies with poor privacy practices are 80% more likely to suffer a data breach. The study was based on a privacy scoring of the 11,000 most visible companies across industries, ranked by website traffic (“Factors included policies about selling data to (or sharing it with) third parties, use of data for targeted advertising, end-user privacy policies that can be easily found and understood by the average person, and whether data on children under the age of 13 was collected among other factors.”), which was then correlated with having had a data breach in the past 15 years. Dataguise is the world’s leading technology for discovering personal data.

Sources:
Vice
Osano