Monthly Breach Report: April 2020 Edition

While the world is battling the deadly outbreak of COVID-19, cybercriminals are capitalizing on the crisis to carry out data breaches unabated. The last month of Q1 recorded some of the year’s biggest data breaches to date. With businesses on the brink of pandemic-induced economic recession, falling victim to a data breach can be devastating. Unfortunately, coronavirus scams continue to grow as well, and all organizations need to know where their most sensitive data sits in their ecosystem so they can properly protect it.

Today, many organizations are still struggling to operationalize and automate privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Whether the driver is risk management, regulatory compliance or simply the need for better analytics to grow revenue, organizations need an effective privacy program that oversees privacy strategy and data protection and includes a breach response process.

Below, you will find some of last month’s data breaches so organizations can learn more about the different types of breaches taking place.

1. Data Deposit Box

MAR 25, 2020: Data Deposit Box, a cloud backup and recovery technology provider to individuals and small businesses, reported a data breach last month that occurred in January of this year. The Canada-based company left a database comprising more than 270,000 private customer files on an unsecured Amazon S3 bucket. The exposed database also revealed Personally Identifiable Information (PII) of customers, admin login credentials, IP addresses, contact details and globally unique identifiers for resources (GUIDs).

Late last year, the vpnMentor cybersecurity research team, headed by Noam Rotem and Ran Locar, discovered the breach. After the vpnMentor team shared their findings, Data Deposit Box acted immediately by undertaking a detailed risk assessment of the data.

Additionally, it enacted safety measures to protect user accounts, issued a notification to affected customers, and filed a PIPEDA breach report with the Office of the Privacy Commissioner of Canada. The company also clarified that the customer data files were safe as they were not stored with third-party service providers.

Data Deposit Box currently caters to a geographically diverse customer base of over 350,000 spread across 84 countries and offers services including continuous backups of files on an unlimited number of devices.

Source: Security Magazine

2. Doxzoo

MAR 19, 2020: Doxzoo, a global document printing and binding company out of the U.K., became the target of a security breach exposing personal documents, including copyrighted and sensitive work of its customers.

“The vpnMentor cybersecurity research team uncovered a leaking S3 Bucket with over 270k records and greater than 343GB in size on an Amazon server, belonging to Doxzoo. There are potentially over 100,000 users affected by this data leak, with implications not only for copyright violations, but also American and British military data exposure.” Security risks and reputational damage are amplified when government information has been leaked.

Source: Security Magazine

3. Finastra

MAR 20: A ransomware attack hit Finastra, the world’s third-largest fintech, impacting its global operations and forcing it to shutter key systems.

According to an official statement issued by Finastra, “We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data centers. As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident while we investigate further.”

The banking fintech giant discovered the intrusion into its systems after the threat intelligence team detected “potentially anomalous activity.” The London-based conglomerate provides financial technology services to 90 top-rated banks across 130 countries globally and reported over $1.9 billion in revenues.

As Finastra probes the impact of the breach, the fintech major is reviewing systems to protect customer and employee data.

Source: CISO MAG

 

4. Marriott International

MAR 31, 2020: Marriott International fell victim to a major data breach, leaking personal data of approximately 5.2 million guests worldwide, including names, addresses, phone numbers, birthdays, and loyalty information for linked companies.

For the global hospitality company, this is the second data incident in less than two years. The hotel got off to a rocky start to 2020 as reports suggest that the breach started in January. According to Marriott, an unusual amount of guest data was accessed using the login credentials of employees of a franchise hotel that operates under the Marriott brand.

Recently, Marriott confirmed that it has created a web platform “mysupport.marriott.com” and set up a dedicated call center to help the affected customers.

Source: CNET

5. Visser Precision

MAR 1, 2020: Visser Precision, a Colorado-based precision parts maker and defense contractor, acknowledged a security incident caused by DoppelPaymer ransomware. The breach exposed customer names, with published folders bearing the names of customers including Tesla, SpaceX, Boeing, and Lockheed Martin.

“Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data. The ransomware threatens to publish the stolen files if the ransom is not paid.”

According to technology experts, DoppelPaymer made its first appearance in 2019 and bears similarities in code with BitPaymer ransomware.

Meanwhile, Visser Precision said, “The company continues its comprehensive investigation of the attack, and business is operating normally. Visser Precision will continue full cooperation with its customer partner companies but will make no further press comment at this time.”

Source: TechCrunch

6. Norwegian Cruise Line

MAR 20, 2020: On March 13th, a team at DynaRisk found a stolen, breached Norwegian Cruise Line database on the dark web containing 29,969 records.

The exposed data comprised login credentials used by travel agents to access the Norwegian Cruise Line travel agent portal. DynaRisk also revealed that the breached data was from the “agents.ncl.eu” portal and no guest data was impacted.

“Any travel agents concerned about whether their data was included or not can use its data breach scanner to check.”

Source: Forbes

7. Carnival Corp

MAR 2, 2020: March proved to be a tough month for the cruise line industry. Besides Norwegian Cruise Line, Carnival Corp-owned Holland America Line and Princess Cruises also faced the wrath of cyberattacks last month when an unauthorized third party gained access to personal information of both passengers and crew.

The leaked data included names, email accounts, social security numbers, passport numbers, health-related information, government identification numbers, and credit card information.

Besides strengthening security and privacy protocols, both units of Carnival Corp are investigating the matter in collaboration with a cybersecurity firm to prevent such incidents in the future.

Source: Gizmodo

8. TrueFire

MAR 17, 2020: A “Magecart-style” data breach incident rocked TrueFire, an online guitar tutoring website with over 1 million users. The hacker gained access to the company’s web server and stole customers’ personal payment data from its website from August 2019 to mid-January 2020.

A notification from TrueFire said, “We cannot state with certainty that your data was specifically accessed; however, you should know that the information that was potentially subject to unauthorized access includes your name, address, payment card account number, card expiration date, and security code.”

To gauge the extent of the breach, TrueFire collaborated with a computer forensic specialist and recommended that affected users check their payment card statements for any suspicious or unauthorized transactions.

The Florida-based company, which boasts a library of over 900 courses and 40,000 video lessons, clarified that it does not store customers’ payment card data and that the hacker may have accessed this information in real time when users bought classes and courses online.

Source: Infosecurity Magazine

9. Entercom

MAR 11, 2020: Entercom, the second-largest radio company in the US, fell prey to a data breach that leaked the personal credentials of its Radio.com digital app users. The radio giant confirmed that the breach occurred in August of last year. The unauthorized party accessed the database backup files, containing Radio.com user credentials, stored on third-party cloud hosting services.

Entercom said in a statement, “Specifically, our investigation determined that for approximately three (3) hours on August 4, 2019, an unauthorized actor accessed information relating to Radio.com users contained in database backup files.”

Following the data security incident, the company took preventive security steps such as stronger password policies, multifactor authentication for cloud services, and staff data security training to prevent similar incidents from occurring in the future.

This is the third time within a year that Entercom has become the target of a data breach. The first happened in September 2019, when a cyberattack affected all Entercom offices across the country. The second came before Christmas and impacted internet connectivity and hampered email communication and access to files.

Source: BleepingComputer