Monthly Breach Report: September 2019 Edition

Data hacks have become an unfortunate reality that’s happening all over the world. Despite the advances made by security experts, the breaches of last month show that organizations must do better when it comes to data security.

Here are some of the top trending breaches to hit news headlines last month.

NPP Australia

August 21, 2019: A fresh data breach involving PayID, a function of the New Payments Platform (NPP), records have put thousands of Australian bank customers at risk. Within two months, PayID suffered its second breach this year. In the past, Westpac became a target of a breach that affected PayID’s address lookup functionality.

PayID enacts the role of an online lookup where it allows users to create their own numbers and register them with their banks. Users need to share their PayID when they make and receive payments instead of sharing their BSB code and account number.

Official reports divulged that the online hackers broke into NPP database to access the personal banking details of tens of thousands of Australians – customer names, phone numbers, BSB and account numbers linked to PayID – to scam millions of dollars. According to NPP Australia, this unsavory activity impacted the clients of Australia’s four major banking institutions – the Commonwealth Bank, National Australia Bank, ANZ and Westpac.

Termed as the second major attack on the payment management system in recent times, the hack initiated from one of the NPP banks secured by Australia-based payments provider Cuscal Limited. The breach happened due to the customer-side technical issues.

As cybersecurity is of prime importance to NPP Australia, the payments platform immediately informed the impacted banking players so that they can resort to actions, comprising issuance of customer notification and due diligence.

Cuscal notified both the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) about the mishap.

Source: Znet

Massachusetts General Hospital

August 23, 2019: A third-party privacy breach hit approximately 10,000 research participants at Massachusetts General Hospital (MGH) that exposed their test results, medical diagnoses and genetic details.

The leaked data comprises the first and last name, demographic data, date of birth, medical record number, genetic data, medical histories, etc. MGH has clarified that social security numbers and financial data were not impacted by this incident.

A detailed probe by third-party forensic investigation revealed that an unauthorized entity accessed MGH databases used by certain Neurology researchers between June 10-16. Apart from contacting federal law enforcement, the Boston-based hospital continues to review and strengthen processes for its research programs.

Cybersecurity strategists believe that medical data is of great value to hackers because it can be later used in varied types of identity theft, to blackmail patients and engage in impersonation attacks.

Source: Security Magazine

Arizona State University

August 20, 2019: Last month, Arizona State University became the target of a data mishap when it mistakenly revealed email addresses of about 4000 students in July this year.

The Tempe-based public research university notified the students mid last month about the incident when the University office sent bulk emails about health insurance coverage without hiding the identities of the recipients. The notification comprised details related to assistance resources provided to the students, faculty and staff.

Reports suggest that few of the email addresses displayed the names of the recipients. Under the Health Insurance Portability and Accountability Act (HIPAA), this incident is a data breach. Apart from the email addresses, the leak did not compromise other protected health information (PHI).

The University stated that it was able to restrict the release of data by deleting over 2,540 of the messages from ASU email inboxes, while over 1,130 of those emails were not read. ASU announced that it took measures to strengthen data protection by formulating more stringent review and approval levels for mass emails disbursements.

Source: Becker Hospital Review

Pearson

August 1, 2019: Educational software maker Pearson fell prey to a data breach that impacted the accounts of over 13,000 students, mainly affecting school and university AimsWeb accounts in the US.

A statement issued by the London-based enterprise said that the affected accounts stored details like first and last names, email addresses, and dates of birth. On July 31, Pearson started notifying the school districts about the hacking incident.

So far, Pearson has no proof of data misuse of compromised social security numbers or financial information. As a precautionary measure, the British publishing house will offer complimentary credit monitoring services.

Currently, Pearson is among one of the most prominent publishers of print and digital textbooks in the UK.

Source: Fast Company

StockX

August 3, 2019: Detroit-based e-commerce platform StockX encountered a data hack that exposed sensitive data of over 6.8 million users globally. The breached data comprised customer name, email address, shipping address, username, hashed passwords, and purchase history.

On Aug 1, the fashion and sneaker marketplace sent a password reset email to the users stating it to be “system update”. While many users claimed that the email appeared to be suspicious, the organization called it a planned activity.

According to a statement issued by StockX CEO Scott Cutler, in late July the organization came to know about the suspicious activity involving customer information, after which the company initiated a comprehensive forensic investigation.

This breach has put the US-based organization in a tight spot as it faces the danger of incurring a hefty fine (up to 4% of annual revenue) and other damages under the GDPR.

Besides offering 1 year of fraud protection to its users, StockX will also offer CyberScan monitoring, ID theft recovery services, a $1,000,000 insurance reimbursement policy, and 12 months of free credit monitoring.

Source: Tech Crunch

State Farm

August 8, 2019: US-based insurance company State Farm fell victim to a credential stuffing attack where the cyber miscreants take advantage of those users who use the same passwords across different online accounts.

In a credential stuffing attack, the attackers buy or take stolen user names and passwords from past data hack incidents to access victim’s account.

The insurance giant in a “Notice of Data Breach” email advised users to reset passwords of their State Farm online accounts on priority.

Although the exact count of customer accounts the attackers accessed is unclear, the property and casualty insurance provider services approximately 83 million policies and accounts in the US.

Source: Insurance Business

Astro

August 22, 2019: Eighteen months after a data breach hit Astro Malaysia Holdings’ which impacted 60,000 of its customers, the business suffered another one last month that exposed the customers’ MyKad data. The affected data comprised name, identity card number, date of birth, gender, race, and address.

According to the media group, the breach had a low to moderate impact as it impacted less than 0.2% of the customers and didn’t disclose their financial details.

Astro has informed the Malaysian Communications and Multimedia Commission (MCMC), the Department of Personal Data Protection and the police about the data mishap.

In June last year, the breach had compromised the Astro IPTV (Internet Protocol TV) customers’ details – names, installation addresses, IC numbers, mobile numbers, equipment and portal ID numbers, information on the subscribed package – and sold online at 45 sen per record.

Source: The Star

MoviePass

August 21, 2019: MoviePass, the US-based movie ticket subscription service player, reported a security lapse that exposed customers’ records online comprising credit card details. The breach occurred because a critical server was not password protected.

An official statement from MoviePass confirmed that soon after discovering the security lapse, they ramped up the security of impacted systems.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, identified the exposed database comprising about 161 million records. It further came to light that some of these records included sensitive user information, such as MoviePass customer card numbers, and details related to the service’s daily operations.

The MoviePass customer cards are like normal debit cards issued by Mastercard. They store a cash balance which the users can use to watch movies.

Source: Tech Crunch

Focus Brands Inc.

August 21, 2019: Atlanta-based restaurant franchising group Focus Brands Inc. announced that it suffered a data breach at the corporate and franchised locations for Moe’s Southwest Grill, McAlister’s Deli and Schlotzsky’s.

The company further revealed that an unauthorized computer activity came to light on the payment processing computers at different locations for three of its brands. After learning of the breach, Focus Brands initiated an investigation with the help of a cybersecurity player with emphasis on transactions that occurred from April 2019 into July 2019.

Focus Brands, which also owns Auntie Anne’s, Carvel, Cinnabon and Jamba Juice, has already notified payment card networks and law enforcement about the mishap.

Source: BizJournals

Luscious

August XX, 2019: vpnMentor’s research team confirmed that Adult website Luscious leaked the personal information of its 1.195 million users who are residing in France, Germany, Russia, Brazil, Italy, Canada, and Poland without their knowledge. The disclosed data mainly comprises usernames, country, gender, email addresses, user activity logs and some of the users’ full names.

While the breach detection happened on Aug 15, the adult web platform fixed the issue on Aug 19.

According to vpnMentor, the leak impacted 8,00,000 genuine accounts and actively used emails. This breach has also affected 20% of the accounts that used fake email addresses.

This hack could come as a serious blow for government agencies and departments since many users joined Luscious platform using their government email addresses.

Source: IT Pro

Dataguise understands the importance of data privacy and how frustrating data breaches can be for consumers and the businesses entrusted with their data. Although anyone can be a target, Dataguise DgSecure provides enterprise solutions for businesses small and large to combat these threats while ensuring all sensitive data across an organization is accounted for, protected, and compliant with industry and global data privacy laws. To learn more about Dataguise DgSecure, contact us for additional information.

Datasheets

DgSecure GDPR Datasheet