Monthly Breach Report: November 2019 Edition on Nov 6, 2019
As data breaches continue to rear their ugly heads across the globe, let’s take a look at a few of the most prominent ones that occurred last month.
1. Adobe
October 25, 2019: California-based computer software enterprise Adobe publicly acknowledged that it had unintentionally exposed the personal information of approximately 7.5 million Creative Cloud accounts to the public. This massive data breach jeopardizes the security of the affected users while increasing their exposure to targeted phishing scams and hacking attempts.
News reports suggest that a data repository containing sensitive user details (like email addresses, creation dates, products used, current subscription status, country/region information, Adobe Employee or Member ID status, last login info, and payment status) was available online and allowed access to anyone using a web browser without any password or authentication. This security mishap didn’t impact data related to payment details or account passwords.
Security researcher Bob Diachenko, who identified the leak, claims the data was available for unauthorized access for nearly a week until Adobe secured the database. On Oct 19, Diachenko found out about the leak and immediately informed Adobe about it.
After securing the database on the same day, Adobe issued a statement which said, “Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability. The environment contained Creative Cloud customer information, including e-mail addresses, but did not comprise any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services. We are reviewing our development processes to help prevent a similar issue occurring in the future.”
This isn’t the first time that Adobe has been the victim of a data breach. In 2013, Adobe accidentally exposed credit card and login information for an unknown number of users.
2. Mercedes-Benz App
October 19, 2019: The Mercedes-Benz connected car app ‘MercedesMe app’ experienced an accidental security lapse last month when it failed to pull in the correct information from individuals’ accounts and instead started displaying other car owners’ details like names, recent activity, phone numbers, etc. Soon after the glitch was discovered, the app went offline citing maintenance issues.
‘MercedesMe app’ allows car owners to remotely locate, unlock and start their vehicles.
According to a statement issued by Donna Boland, a spokesperson for Daimler, the parent company of Mercedes-Benz, “There was a short interval [Friday] during which incorrect customer data was displayed on our MercedesMe app. The information displayed was cached information — not real-time access to the account, no financial info was viewable nor was it possible to interact with, or determine the location of, the vehicle associated with the account.”
3. UniCredit
October 28, 2019: Italy-based global banking and financial services company UniCredit disclosed that its cybersecurity team had identified a data breach that exposed personal records of 3 million domestic clients comprising names, telephone numbers, email addresses, etc.
The lender clarified that customers who created accounts in 2016 and after were not impacted by this breach. The financial institution further said in an online statement that the impacted records didn’t contain any banking-related data that would allow hackers to access customer accounts or carry out unauthorized transactions.
UniCredit hasn’t shared the exact reason for the data hack. To prevent such incidents from happening in the future, the lender initiated an internal probe and informed relevant authorities about the incident.
Since 2016, the bank has spent 2.4 billion euros to enhance its IT systems and strengthen cybersecurity.
4. National Neurology Registry (NNeuR)
October 24, 2019: Personal information of over 17,000 patients was leaked on the government-linked National Neurology Registry (NNeuR) website. Created in 2008, the website aims to collect data about stroke and epilepsy in Malaysia. The Health Ministry blamed scripting errors for exposing the NRIC numbers, phone numbers, and addresses of affected patients.
The Health Ministry has already initiated an investigation along with the National Cyber Security Agency (Nacsa), the Malaysia Communications and Multimedia Commission (MCMC) and Cybersecurity Malaysia.
For the second time in 2019, Malaysia’s Health Ministry fell victim to a data breach. In September this year, Germany’s security enterprise Greenbone Networks stated that data on 19,992 radiological reports from Malaysia was available online.
5. Kaiser Permanente
October 4, 2019: California-based healthcare provider Kaiser Permanente issued a data breach alert stating that about 1,000 of its patients in the Sacramento area were affected.
According to Kaiser Permanente, the email account of a Kaiser Permanente health care provider based in Sacramento, which contained patients’ PHI, became accessible to an unauthorized individual for 13 hours. Kaiser discovered the security breach in an IT security process and resolved it immediately after identifying it.
Angela B Anderson, Kaiser’s regional compliance director, and privacy and security officer for Northern California, said that the affected data did not comprise members’ social security numbers or financial information. She also added, “We do not have any evidence that the information was viewed, used or copied. Kaiser Permanente takes the protection of our member data very seriously.”
News reports suggest the breach occurred on August 12, 2019, with Kaiser becoming aware of it on August 19, 2019.
6. Zendesk
October 4, 2019: Customer support ticketing platform Zendesk discovered a security breach last month dating back to November 2016 that exposed the personal data of 15,000 users who had registered Zendesk Support and Chat accounts.
Zendesk software is the preferred choice of global organizations such as Uber, Shopify, Airbnb, and Slack. A security notice published by Zendesk claimed that a third party identified the breach and the compromised data included passwords, emails, names, phone numbers, and other relevant service data.
According to a statement issued by Zendesk, “As of September 24, 2019, we identified approximately 10,000 Zendesk Support and Chat accounts, including expired trial and accounts that are no longer active, whose account information was accessed without authorization.”
Soon after discovering the security lapse, Zendesk alerted the impacted users, began collaborating with a third-party team, initiated an internal probe to find out how the breach happened, and informed global regulatory bodies about it.
7. NordVPN
October 21, 2019: Panama-based virtual private network provider NordVPN suffered a server breach last month when a hacker gained access to a Finland-based data center from which the company rented servers.
A statement from NordVPN said, “The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed.”
NordVPN did not divulge the details of the data center provider but stated that the breach occurred in March last year. While NordVPN came to know about the breach some time back, it decided to wait before going public about the breach to make sure that the servers were secure.
NordVPN ended its contract with the Finnish server provider soon after discovering the breach. After this security incident, NordVPN unveiled a stringent internal audit to review its complete infrastructure and to follow strict rules before collaborating with data centers.
8. Home Group
October 22, 2019: Newcastle-based Home Group, one of the UK’s biggest housing associations, became the target of a data breach when the personal details of approximately 4,000 of its customers were stolen. The breach compromised customer names, addresses and contact information, but didn’t include financial details.
Currently, the charity offers rented homes to over 116,000 people in 55,000 properties across England (including North East, North West, Yorkshire) and Scotland. Home Group stated that a third-party cybersecurity expert identified the breach.
John Hudson, chief financial officer at Home Group, said, “We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.”
Despite resolving the issue within 90 minutes, the housing association issued a warning and contacted all customers affected by the breach.
9. Avast
October 21, 2019: Czech-based security software maker Avast became the target of a cyber-security breach after witnessing a malicious intrusion into its network. According to the antivirus giant, the cyberespionage campaign allowed hackers to access its network. Currently, Avast has over 400 million customers for its various antivirus and cybersecurity products.
Reports suggest that hackers accessed Avast’s network using a temporary VPN account and compromised credentials. While the intrusion caused minimal damage, Avast claimed it to be a sophisticated attempt where the hacker proceeded with utmost caution.
According to Avast Chief Information Security Officer Jaya Baloo, the company witnessed varied hacking attempts between May 14 and Oct 4. After this security mishap, Avast collaborated with the Czech-based Security Information Service (BIS), an intelligence agency, and an external forensics team to investigate the matter.
Avast hinted that the intrusion was likely aimed at compromising the releases of the popular CCleaner utility. In September 2017, Avast saw a similar incident when a few versions of CCleaner were available for download on Piriform’s site.
Dataguise understands the importance of data privacy and how frustrating data breaches can be for consumers and the businesses entrusted with their data. Although anyone can be a target, Dataguise DgSecure provides enterprise solutions for businesses small and large to combat these threats while ensuring all sensitive data across an organization is accounted for, protected, and compliant with industry and global data privacy laws. To learn more about Dataguise DgSecure, contact us for additional information.