Monthly Breach Report: March 2019 Edition
Mar 8, 2019
If it seems like the words and phrases ‘data breach’, ‘compromised data’ and ‘data leak’ are constantly in the news, it’s not just you. There’s no denying that the frequency of data breaches is rising at an alarming rate. According to a report by 4IQ, an identity intelligence company, 2018 witnessed a shocking 424% jump in confirmed data breaches compared to 2017. This shows that attackers are becoming increasingly smarter in their means of infiltrating companies’ networks and accessing sensitive data, despite the security measures businesses have put in place.
In fact, last month a handful of spectacularly bad security fails occurred at the hands of cybercriminals who took advantage of security issues with data storage, misconfigured security settings, and an overall absence of security solutions to protect data. Here are a few of the nastiest and most damaging data breaches of February.
1. State Bank of India (SBI)
February 2, 2019 – In arguably the most talked about breach of last month, India’s largest public sector lender, State Bank of India (SBI), became a victim of a data breach when it left a server with the banking information of its customers unprotected for an unknown period of time.
Reports stated that the bank’s unprotected server, housed in a Mumbai data center, was not protected by a password and contained two months of data from SBI Quick, a missed-call banking service primarily designed to give non-smartphone users basic information about their accounts with the bank. Apart from storing the most recently dispatched information, the server also retained daily archives going back nearly a month. The bank has 740 million active accounts. A security researcher discovered the leak and said that the data server was open to unauthorized access.
According to cyber experts, this appalling controversy underlines the fact that banking institutions must regularly update their password management systems and follow the white-hat hacker approach to deal with data breaches.
Ironically, a couple of days ago, SBI had informed the Unique Identification Authority of India (UIDAI) that the biometrics and logins of their operations were misused to generate unauthorized Aadhaar cards.
2. 500px
February 13, 2019 – Online photo-sharing website 500px announced last month that it faced a security breach that compromised the personal information of about 14.8-million users. The Toronto-based entity announced in an official statement that while the hackers breached the site last year on July 5, the breach was only discovered by its engineering team on February 8 this year.
500px concluded that the data hack affected certain sensitive information (such as users’ first and last names, username, email address, password, birth date, addresses and gender details) provided by users while filling out their profiles, but it clarified that there has been no evidence of any misuse of the compromised data.
A press statement released by 500px stated, “If you are a 500px user on or prior to July 5th, 2018, you have been affected”. As a precaution, the Canadian photo-sharing community, owned by Visual China Group, is notifying all of its affected users and urging them to change their passwords immediately.
It also announced its collaboration with a third-party security firm to investigate this hacking incident, and it is expected to conclude a year-long process to upgrade its network infrastructure to avoid such mishaps in the future.
Source: The Verge
3. Houzz
February 04, 2019 – Home improvement startup Houzz was marred by a data breach, which allowed third parties to gain access to a file comprising private account and publicly visible user information.
The California-headquartered business, which has about 40-million members and caters to home design aficionados, homeowners and home improvement professionals, first learned about the data breach in December 2018 and has yet to find out whether the file was accessed via an unsecured database, a rogue employee or a hacked system.
The $4 billion-valued home improvement business has claimed that not all customers were affected and hence emailed only those users who may have been affected, requesting them to reset their passwords. It also clearly mentioned that the unauthorized third party gained access to a file comprising user information (like user names, salted and hashed passwords, IP addresses and, for users who logged into Houzz using Facebook, their Facebook IDs) and that no Social Security numbers or payment-related information were part of this data breach.
Keeping this incident in mind, cybersecurity experts stated that criminals use the stolen sensitive information they “harvested” from one breach to access other services or websites, and that Houzz should advise users to enable multi-factor authentication immediately to mitigate the effects of this data theft.
4. LandMark White (LMW)
February 12, 2019 – Property valuation service provider LandMark White (LMW) was found to be exposing data of up to 100,000 customers through an unprotected online service.
News reports suggest that the disclosed customer data relates directly to the valuations completed by the Australian property firm and includes customer names; contact details such as phone or email address; details related to the valued property; and banking data.
Data researchers and security analysts found files comprising LMW data on a Dark Web server and began indexing the information so that customers could be informed. On further investigation, it was revealed that the data was reportedly exposed from an internal file service at LMW, which may have been set up to facilitate information-sharing between agents and clients. Since the web service did not require authentication, the data was left vulnerable. Based on the present findings, it was concluded that the downloaded data is from the past five years and appears to have been replicated from the company’s website.
While independent experts in data breaches and cybersecurity have been brought on board by LMW to assist with the investigation of this incident, a number of the company’s clients (such as Westpac, Commonwealth Bank of Australia (CBA) and ANZ Bank) have decided to suspend LandMark White services until the situation has been resolved.
Source: Dark Reading
5. Coffee Meets Bagel
February 14, 2019 – The users of Coffee Meets Bagel, a popular online dating app, were in for a rude shock this Valentine’s day when they woke up to the unsettling news that their personal information had been compromised.
The company alerted users that it had been hit by a data breach, stating that an unauthorized party had gained access to a partial list of user details, which it found out about on Feb 11, 2019. Although Coffee Meets Bagel didn’t divulge who was responsible or when it took place, it did say that the data hack was part of a larger breach impacting 620-million accounts that got leaked across sixteen companies.
The free dating app also informed its users that the account details from other popular apps like Dubsmash, MyFitnessPal, etc were also dumped on the dark web for less than $20,000 in bitcoin and advised users to avoid clicking on links or downloading attachments from suspicious emails.
Founded by three sisters Arum Kang, Dawoon Kang and Soo Kang, the online dating community has resorted to measures to protect user data, comprising reviews of its infrastructure and systems by forensic security experts, audits of external systems and vendors, persistent monitoring of suspicious activity, collaborating with law enforcement authorities and boosting its system to identify and prevent breaches in the future.
6. Rutland Regional Medical Center
February 25, 2019 – While cyber-attacks have become a common thing for online businesses, even the healthcare industry wasn’t spared. Vermont’s largest community hospital, Rutland Regional Medical Center, became a victim of a data breach as hackers gained access to the email accounts of nine employees and potentially accessed patients’ protected health information.
On Dec 21, 2018, one of Rutland Regional Medical Center’s employees found that their email account had been misused to send large quantities of spam emails, and seven days later, on Dec 28, 2018, the medical center’s IT department was informed about a potential security breach.
On Dec 31 last year, the IT department confirmed that an unauthorized individual had remotely accessed the employee’s email account and called in a third-party forensic expert to conduct an investigation. The expert stated that nine email accounts were compromised between November 2, 2018 and February 6, 2019.
The information in the compromised email accounts comprised patients’ full names, dates of birth, contact details, patient ID numbers, medical record numbers, financial information, diagnoses, treatment information, Social Security numbers, and health insurance data.
The hospital authorities confirmed that the breach was limited to email accounts and that the EMR system and other internal systems were not hit by the breach.
The Department of Health and Human Services’ Office for Civil Rights has already been informed about the breach. The Medical Center will be implementing additional safeguards to prevent further breaches of this nature in the future and sending notification letters to patients whose PHI may have been accessed in this incident. Reports suggest that over 70,000 patients have been affected by the attack.
Source: The Rutland Herald
7. University of Connecticut Health Center (UConn Health)
February 28, 2019 – The University of Connecticut Health Center said in an official statement that an unauthorized third party illegally accessed a limited number of employee email accounts containing information on approximately 326,000 potentially impacted individuals, including some individuals’ names, dates of birth, addresses and medical information like billing and appointment information.
Although this attack may emerge as the second largest health data breach reported so far this year, the academic medical center has clarified that this incident did not affect its computer networks or electronic medical record systems. The attack on the University of Washington Medicine has been the largest health data breach revealed so far in 2019, resulting in a breach affecting 974,000 individuals.
Connecticut-based UConn Health is offering prepaid identity theft protection services to those 1,500 individuals whose Social Security numbers may be impacted. The organization has notified law enforcement officials and retained a forensics firm to investigate this incident.
Earlier, in 2013, UConn Health informed over 1,550 patients that two former employees had accessed patient records inappropriately.