Monthly Breach Report: February 2021 Edition

January started with an attack on the US Capitol, raising multiple security concerns, including how much personal information on Congress members may have been stolen and/or leaked during the rioting. Between this and the massive international SolarWinds leak we began reporting on in December, US and international governments both may consider far-reaching data lockdown actions. Here are some of the other top leaks that occurred in January.

Maintaining International Peace and Security Reveals a Vulnerability

While orchestrating the United Nations Sustainable Development Goals for 2030 (UN SDG 2030), the UN suffered an extensive personal data vulnerability. Hackers accessed over 100,000 private records of United Nations Environment Programme (UNEP) employees in January.

Two unusual facts make this breach even more interesting. The first is that the publicly reported findings came through a separate hacking group, ethical hacking and security group Sakura Samurai in January 2021. The second is that the UN had known since July 2019 about a hacking event that eventually led to January’s complex cyber-attack, yet was not required to report it. Under diplomatic immunity, the UN was not obliged to divulge what was obtained by the hackers or notify those affected. The obligation to report is currently under debate.

Using publicly accessible .git-credentials, the reporting researchers were able to exfiltrate over 100,000 UN employee records from multiple systems. The data set exposed travel history of UN staff containing employee ID, names, employee groups, travel justification, start and end dates, approval status, destination, and lengths of stay. At least 40 servers were breached.
An anonymous UN IT official said “much more data was stolen than the UN implied.” Estimating that some 400 GB of data was downloaded, the official said the UN’s answers downplayed the level of the breach. A UN spokesperson says the attack triggered a rebuild of multiple systems. An effort with a forensics company working with Microsoft had been engaged on the breach clean up.

Sources:
Security Magazine
The New Humanitarian
TechRadar

Health Provider Suffers from Fraudulent Email Access

A mid-January breach at Precision Spinal Care in Texas gave an intruder access to an employee email account. The hack was discovered November 20, 2020, and is likely an attempt at extorting the clinic, which has been reportedly unsuccessful. While it is too early to have all the forensics, there is a chance that information within the employees’ email account could have revealed unprotected personal data of up to 20,787 patients including names, addresses, dates of birth, and personal health information.

Precision Spinal Care notified the US Department of Health & Human Services’ Office for Civil Rights (OCR) of the breach on January 12, 2021. The company also issued an alert in January indicating the company has both taken steps to notify all potentially affected individuals and to provide resources to assist those affected.

Sources:
DataGuidance
Binary Defense

Legacy Accellion Product Holes Exploited Across the Globe

A third-party service utilized by large banks and by state and regional governments internationally exposed personal data of at least 1.6 million individuals. Accellion, a file transfer software vendor, is based in Palo Alto, CA.

The Reserve Bank of New Zealand, the country’s central bank also known as Te Pūtea Matua, was among the first to report being breached. “We are working closely with domestic and international cybersecurity experts and other relevant authorities as part of our investigation and response to this malicious attack,” Wellington’s Governor Adrian Orr said, declining to provide additional details of the attack.

By late January, the State of Washington Auditor, Pat McCarthy, released a statement pertaining to loss of personal data for those residents who had file unemployment claims:

“[We have] been looking into how Washington’s Employment Security Department lost hundreds of millions of dollars to fraudsters, including a Nigerian crime ring, who rushed to cash in on sweetened pandemic-related benefits by filing fake unemployment claims in the names of real state residents. This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime.”
The data involves about 1.6 million claims and includes individuals’ name, Social Security Number and driver’s license or state identification number, bank information, and place of employment. The personal data of the Department of Children, Youth and Families also seems to have been impacted.

The compromised data in Washington had been collected during the auditor’s investigation into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims. So that in itself indicates a double calamity: files the agency obtained from the Employment Security Department to investigate the fraud were subject to a breach, possibly opening victims to more fraud. People burdened by unemployment during the COVID-19 pandemic are now having to face the possibility of identity theft.

Sources:
Bank Info Security
GeekWire
The Tribune

Bonobos Has a Leak

Bonobos, a clothing store acquired four years ago by Walmart, reported a breach after a cloud backup copy of their database was downloaded by an intruder.

In January, the intruder ShinyHunters, notorious for hacking online services and selling stolen databases, posted the full Bonobos database to a free hacker forum. The 70 GB leaked SQL file contained various internal tables used by the Bonobos website that includes up to 7 million customers’ addresses, phone numbers, partial credit card numbers, order information, and password histories from as far back as 2014.

While cloud platforms are responsible for maintaining and securing the compute, network, and storage, they are not responsible for protecting the data stored within it. Discovering personal data and protecting it is the responsibility of each enterprise using cloud platforms to store their data.

Sources:
Tom’s Guide
RIS

Silicon Valley Cyber Security Company SonicWall Penetrated

SonicWall, which provides network, access, email, cloud, and endpoint security solutions, was hacked. It is not yet clear whether the attack on SonicWall is related to the SolarWinds attack from 2020. According to Security Week, “The attackers may have exploited zero-day vulnerabilities in some of its secure remote access products, namely its Secure Mobile Access (SMA) client version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance.“

Prior to the attack, Security Week received “an anonymous email claiming that SonicWall was hit by ransomware and that hackers managed to steal ‘all customer data.’” This and other claims by the anonymous emailer have not been substantiated by SonicWall.

The company announced it is providing mitigation recommendations to its channel partners and customers. Other cybersecurity companies reporting breach in January include Mimecast and Malwarebytes.

Grindr Drops the Ball—the GDPR Picks Up On It

Norway has fined Grindr, one of the top LGBTQ dating apps, up to $11.7 million for disclosing users’ sensitive private information to advertisers, resulting in GDPR noncompliance. While Norway is not part of the EU, the GDPR sets its data privacy guidelines.

Not only were users reportedly unclear what their blanket privacy permissions included, they were not informed how their personal data would be shared. Grindr is charged with sharing users’ GPS locations, sexual orientation, and other personal profile data elements. Depending on location and utilization of such personal data, individuals may be directly placed in harm’s way due to discrimination and recrimination.

“Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away,” said Datatilsynet director-general Bjørn Erik Thon.

Sources:
The Daily Swig
AP News

Placing emphasis on building trust between a company and its consumers is a core benefit PKWARE advocates. When personally identifiable information is located and protected, customers can use a company’s services with confidence and grow its brand value.

Protect your data today to avoid being a breach headliner tomorrow. Get started here.