Monthly Breach Report: July 2020 Edition

June 2020 came about seven months into the assault of the coronavirus that generated the COVID-19 pandemic. By then, state and local governments, and in some cases entire nations, had ordered a mishmash of inconsistent steps to manage the virus. Shelter-in-place orders, lockdowns, and ultimately curfews were imposed. The world was tuned in to favorite streaming apps and social media while cyber intruders sought out sudden vulnerabilities.

In the week before June 2020, on 25 May 2020, the assault and heartless killing of a Black citizen by city police in Minneapolis, MN, USA was watched, verbally protested, videoed, and published by numerous witnesses. The anguish and anger went off the charts around the world. The horror was met with outrage and together became the sparks of a global powder keg demanding racial justice. Black Lives Matter #BLM events and racial justice protests erupted in the thousands with a huge showing of millions of white, Black, and other People of Color peacefully participating in numerous countries. This all converged in an emotionally charged exposure linking the use of facial recognition technology to an invasion of privacy and racism in policing, exposing the technology with its racist taint.

Some communities’ police forces readily engaged in initiatives to reduce police brutality. Other police departments sought more protections from their unions and greater access to facial recognition technology, with the expressed intent to identify protesters in gatherings and marches as well as a relatively smaller number of peripheral looters who were taking advantage of the atmosphere of unrest. “Automated facial-recognition software uses artificial intelligence, machine learning, and other forms of modern computing to capture the details of people’s faces and compare that information to existing photo databases with the goal of identifying, verifying, categorizing, and locating people.”

The issues are threefold: in part that the technology is biased and weak in recognizing facial features of Black or Asian people relative to its strength with white people; in part because it can be unfairly skewed and targeted for predominant use in Black or other non-white majority residential areas; and in part because it invades our citizens’ privacy. Putting the three issues together, many privacy rights and racial justice groups, including the American Civil Liberties Union (ACLU), as well as cities themselves, are calling for a ban or moratorium on using the technologies.

Sources:
The Atlantic
Washington Post

Juneteenth Publishing of Hacks on FBI and Police Records

The hacker group Anonymous leaked a massive 269-gigabyte megatrove of documents to Distributed Denial of Secrets (DDoS), a collective that publishes caches of secret data. These files and documents expose US police excesses, including methods used to monitor Black Lives Matter (#BLM) protesters during the movement. DDoS dubbed the collection “Blue Leaks” and released it on Juneteenth, American emancipation day. The collection included sensitive files from the FBI, Fusion Centers, and an estimated 200 police departments. The contents are searchable, for instance by police badge numbers, and seem to focus on recent government response to COVID-19 as well as racial justice BLM protests, though some files are a decade or more old.

The National Fusion Center Association (NFCA) validated the leaked data in an alert noting that the dates of the files leaked cover about 24 years — from August 1996 through June 19, 2020 — and that the documents include “names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files. Additionally, the data dump contains emails and associated attachments. Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”

The invasion of privacy in the files does not affect only police rank and file. The outcomes “will likely inflict irreparable reputational, financial and even physical harm to suspects and people charged with crimes who later were acquitted in a court of law. The underlying motives of the publication are obscure for the time being.”

The files published on 19 June 2020 were initially taken following a security breach at Netsential, a Houston-based web development firm that handles websites for many police agencies, including collaborative Fusion Centers. The breach likely leveraged a compromised Netsential user account and then used its upload feature to introduce malware that exfiltrated the files and data.

Sources:
Krebs on Security
CBR Online
Forbes

Twitter Users’ Private Data Compromised—Twice in Two Consecutive Months and Twice in One Month

For the second time in two months, the social network behemoth reported on 23 June 2020 that advertisers and other business users on Twitter suffered exposure of their private, sensitive data due to a lapse in security: storing billing information in the customer browser’s cache. What data could be found due to the exposure? Email addresses, phone numbers, and the last four digits of credit card numbers used by the accounts. Customers discovered and reported to Twitter that when they returned to view billing information on ads.twitter.com or analytics.twitter.com, their billing information had been stored, likely in the browser’s cache.

Twitter declined to provide an estimate of the number of Twitter users and accounts that were compromised, but a spokesperson offered, “As soon as we discovered this was happening, we resolved the issue and communicated to potentially impacted clients to make sure they were aware and informed on how to protect themselves moving forward.”
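A defender's check for the caching lapse described above, as an added example that is not from Twitter or the original article: it inspects the response headers of account pages and flags any that a browser is allowed to store. The sample responses and the `/billing/...` paths are constructed for illustration.

```javascript
// Added example: can a browser keep a copy of this response in its cache?
// Sample responses are constructed; the /billing/... paths are hypothetical.

function parseCacheControl(value) {
  // "private, max-age=600" -> Map { "private" => true, "max-age" => "600" }
  const directives = new Map();
  for (const part of String(value || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), rest.length ? rest.join("=") : true);
  }
  return directives;
}

function auditSensitiveResponse(headers) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);
  const findings = [];
  if (!cc.has("no-store")) {
    findings.push("no-store missing: the browser may keep a copy of the page");
    if (cc.size === 0) findings.push("no Cache-Control: storage is left to browser heuristics");
    if (cc.has("private")) findings.push("private only keeps shared caches out, not the browser");
    if (cc.has("no-cache")) findings.push("no-cache forces revalidation but still allows storage");
    if (h["pragma"]) findings.push("Pragma: no-cache does not forbid storage either");
  }
  return { safe: findings.length === 0, findings };
}

const SAMPLE_RESPONSES = [
  { path: "/billing/summary", headers: { "Cache-Control": "private, max-age=600" } },
  { path: "/billing/cards", headers: { "cache-control": "no-cache", Pragma: "no-cache" } },
  { path: "/billing/history", headers: { "Content-Type": "text/html" } },
  { path: "/billing/invoice", headers: { "Cache-Control": "no-store, private" } },
];

function unsafePaths(responses) {
  return responses.filter((r) => !auditSensitiveResponse(r.headers).safe).map((r) => r.path);
}

for (const r of SAMPLE_RESPONSES) {
  const { safe, findings } = auditSensitiveResponse(r.headers);
  console.log(r.path, safe ? "OK" : "CACHEABLE: " + findings.join("; "));
}
```

Only the response carrying `no-store` passes; `private`, `no-cache` and `Pragma: no-cache` all leave the page eligible for storage in the user's own browser.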

Separately, 32.8 million Twitter customer credentials were compromised, according to early June 2020 reporting by LeakedSource: “Passwords were stolen directly from consumers; therefore, they are in plaintext with no encryption or hashing.” LeakedSource validated the credentials through some random checks, contacting the Twitter customers directly. The criminals' reported intent is to sell the credentials on the dark web. In this case, Twitter is confident it was not their systems that had been hacked.

Sources:
TechCrunch
Bankinfo Security

166 US School Districts Affected by Online Portal Data Breach

Aeries Student Information System (SIS), used by districts, schools, and teachers to communicate school events, schedules, and students’ assignments with parents and students, learned it had been hacked earlier in the 2019-2020 school year. Notices were going out to families in June. The problem had been identified as a zero-day vulnerability in the Aeries online portal that has since been patched. Aeries notified legal authorities to investigate.

The breach gave access to private student and parent information, including permanent student IDs, parent and student physical addresses, phone numbers, email addresses and password hashes. With access to a password hash, weak, common, or simple passwords can be recovered and then used to gain unauthorized access to parent and student accounts.

An Aeries statement asks all users affected by the unauthorized access to change their passwords frequently and, if they notice anyone attempting to misuse their information, to report it. It is also anticipated that phishing scams may target the users. “There is nothing to suggest that any data was accessed revealing Social Security numbers, credit card numbers, financial account information, or other information directly impacting your credit rating. You can contact all three major credit bureaus to request that your credit reports be sent to you. Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Thieves may hold stolen information to use at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

We understand that the investigation by the authorities is ongoing and we are working closely with local law enforcement and federal authorities as well as the District to determine what transpired, by whom it was perpetrated, and what impact, if any, it may have had on data.”

Sources:
Aeries

Honda’s Perception of Reliability and Safety—Cyber Attacked

In what looks to have been an Ekans ransomware attack, Honda’s global operations were hit, which Honda confirmed on 08 June 2020. Their manufacturing systems seem to have been disrupted, as Honda was forced to put production on hold and send factory workers home.

With ransomware, hackers tend to encrypt data and lock victim companies like Honda out of some of their IT systems. While it’s not clear yet how the cybercriminals gained access in this case, ransomware attacks have been on a steady rise since the Coronavirus epidemic began. Hackers are using COVID-19 related lures to entice users to click or share links that grab information. One of Honda’s internal servers was attacked from the outside, and a virus spread throughout its network.

With the majority of Honda’s business employees working from home, it’s possible that one of their machines with publicly exposed Remote Desktop Protocol access became an entry point for the attack. “It’s possible that this attack was connected to teleworking,” Oz Alashe, CEO of CybSafe, said. “The coronavirus pandemic has created a sizable remote workforce which has increased businesses’ attack surfaces and heightened existing vulnerabilities,” Alashe concluded.

Honda noted the problem affected its ability to access servers, use email, and use other internal systems. There is no final assessment on whether files with personal data have been accessed or stolen.

Sources:
Forbes

Pandemic Times: Food Delivery Service Data Breach

Online food delivery service Delivery Hero reported in June 2020 that one of its brands, Foodora, suffered a data breach affecting hundreds of thousands of customers who are located in over a dozen countries.

Delivery Hero reported that the exposed data includes “unique email addresses as well as certain customer details: encrypted password hashes, name, first name, delivery address, and phone number.” Delivery Hero found that the personal data belongs to users in Australia, Austria, Canada, France, Germany, Hong Kong, Italy, the Netherlands, Norway, Singapore, Spain, and the United Arab Emirates, and that leaking began as early as August 2015 and continued up to as recently as May 2020.

The company had reported strong growth, nearly doubling in Q1 2020. Q2 2020 results have not been posted, but the most recent news flash update on their site states that during COVID, their orders have again nearly doubled.

The company doesn’t yet know how the breach occurred. They said they’ve begun investigating and are “working closely with our security and data protection teams, as well as local authorities, to identify what caused the breach and inform the affected parties.”

Sources:
Infosecurity Magazine

Home Fitness Demand Soars: Customer Records Exposed

As pandemic shutdown orders spread across the world, gyms closed, and online orders of home fitness equipment skyrocketed. For the largest retailer of specialty exercise products and equipment in Canada, Fitness Depot, this was a boon, until an attack on their online e-commerce operation was discovered. Their site promises that you can shop with confidence, be a part of the community, and take part in fitness for life. What they found broke the promises and the veil of privacy for customers: the cybercriminals had placed a fraudulent form on the Fitness Depot website. Customers who were redirected to the form from February 18 through May 22 were affected: initially those placing orders for home delivery, and later on those choosing in-store pickup as well. The company reports that a great deal of sensitive data belonging to customers may have been included, such as names, addresses, phone numbers, email addresses, and credit card account information from any credit cards used in customers’ transactions. In attacks like this, personal information is scooped up by the intruder and moved to remote servers under their control without the victim company’s knowledge or authorization.

Fitness Depot notified the Office of the Privacy Commissioner of Canada. The company sent out a breach notification to potentially affected customers with general advice to be watchful for incidents of fraud and identity theft and an offer to answer questions posed to the privacy officer.

Fitness Depot seems to blame its internet service provider (ISP) for the data breach, saying, “Based on our preliminary findings, it appears our Internet Service Provider [ISP] neglected to activate the anti-virus software on our account.”

Sources:
Bleeping Computer