week-07-2021-newsletter

Here’s your weekly data breach news roundup:

  • CD Projekt Red
  • Leon Medical Centers and Nocona General Hospital
  • NoSupport Linux Hosting
  • Somerset Independent School
  • Imobiliare – largest real estate portal in Romania
  • Adorcam
  • Singtel
  • UK-based IPTV suppliers – SapphireSecure.net and KS-Hosting.com
  • Keepchange
  • Syracuse University
  • QIMR Berghofer Medical Research Institute
  • Wind River Systems
  • Yandex
  • Big Huge Games

CD Projekt Red

Polish game developer CD Projekt Red has been hit by hackers, who breached its internal network, stole data, encrypted some devices, and demanded a ransom in exchange for not selling or leaking sensitive company documents and the source code of some of its more popular games.

The company categorized the attack as targeted, and admitted that the attacker managed to access the company’s internal network and “collected certain data belonging to CD PROJEKT capital group.”

“Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data,” the company noted.

“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.”

They have notified local law enforcement and the national data protection authority in Poland about the breach, and have called in IT forensic specialists to investigate. For the moment, it seems that no personal player or user data has been compromised.

Leon Medical Centers and Nocona General Hospital

Hackers have published extensive patient data from Leon Medical Centers in Miami and Nocona General Hospital in Texas in an apparent extortion attempt, reported NBC News this past Friday.

The tens of thousands of files reportedly include patients’ names, addresses and birthdays, in addition to their medical diagnoses.

As NBC News noted, releasing such an enormous amount of medical data is a somewhat unprecedented move, even at a time when ransomware attacks are on the rise.

The files reportedly comprise tens of thousands of scanned diagnostic results and letters to insurers, background checks on hospital employees and an Excel document with more than 100 patient names, dates, details of colonoscopy procedures, and notations about whether the patient has a “normal colon,” among other personal health information.

NoSupport Linux Hosting

A web hosting company named No Support Linux Hosting announced today it was shutting down after a hacker breached its internal systems and compromised its entire operation.

According to a message posted on its official site [archived], the company said it was breached on Monday, February 8. The hacker appears to have “compromised” the company’s entire operation, including its official website, admin section, and customer database.

A No Support Linux Hosting (NSLH) spokesperson did not return a request for comment seeking details about the attack. But while details about the intrusion are unclear, the attack appears to have been destructive in its nature.

“We can no longer operate the No Support Linux Hosting business,” the company flatly acknowledged today.

Somerset Independent School

The threat actors who attacked the school dumped an archive with 1,520 files in 27 folders. When uncompressed, there was more than 3 GB of data. Much of the data was from a few years ago, but it contained a lot of personal and sensitive information about students.

As we’ve seen with other Texas K-12 districts, there were spreadsheets with a lot of demographic information. The fields in just one of the plain-text spreadsheets consisted of:

  • campus_id
  • id
  • fname
  • lname
  • password
  • grade
  • tstate_id
  • tfname
  • tlname
  • email
  • gender
  • race
  • special_ed
  • econ_disadvan
  • eng_proficiency
  • disability
  • g/t
  • homeless
  • migrant
  • ethnicity
  • birthdate

There were more than 30 spreadsheets like the above from 2016-2020, with each spreadsheet having hundreds of rows/students.

Imobiliare - largest real estate portal in Romania

The largest real estate portal in Romania, Imobiliare.ro, has suffered a data breach that could potentially affect its entire client database, reports Website Planet, as quoted by Profit.ro.

It remains unknown whether the company’s client information fell into nefarious hands, but the company’s cloud storage bucket was found to be exposed, without password protection or encryption.

The exposed data was stored within 35,738 .PDF and 165,316 .JPG files, which included personally identifiable information (PII) such as full names, phone numbers, home addresses, emails, CNP numbers (Romania’s personal numeric code, the equivalent of a social security number), and personal signatures.

The breach exposed more than 200,000 records, but the precise number of people affected by the breach remains unknown.

Adorcam

A webcam app installed by thousands of users left an exposed database packed with user data on the internet without a password.

The Elasticsearch database belonged to Adorcam, an app for viewing and controlling several webcam models including Zeeporte and Umino cameras. Security researcher Justin Paine discovered the data exposure and contacted Adorcam, which secured the database.

Paine said in a blog post shared with TechCrunch that the database contained about 124 million rows of data for its several thousand users, and included live details about the webcam — such as its location, whether the microphone was active and the name of the WiFi network that the camera is connected to — and information about the webcam owner, such as email addresses.

Singtel

The Singapore Times reports that a third-party file-sharing system used by Singapore’s largest telco, Singtel, has been hacked and customer information may have been compromised.

The breach occurred on January 20 but, for now, the telco assured that its core operations are not affected. The hack was part of a wider global breach of the File Transfer Appliance (FTA) file-sharing system that recently affected other organisations including New Zealand’s central bank, the Australian Securities and Investments Commission and the Washington State Auditor’s Office in the US.

Singtel’s statement said the company had been informed by a third-party vendor, Accellion, that unidentified hackers had illegally attacked its file-sharing system called FTA. This was a standalone system used to share information internally as well as with external stakeholders. Accellion said that the incident was part of a wider concerted attack against users of its file-sharing system.

UK-based IPTV suppliers – SapphireSecure.net and KS-Hosting.com

Two pirate IPTV services have become the latest victims in a growing line of services to be hacked by malicious actors. The platforms, which appear to be linked, have been ordered to pay a bitcoin ransom of around US$94,000. There is also a live threat to email customer data and banking information to the police and anti-piracy groups.

During the past two days, a pair of UK-based IPTV suppliers – SapphireSecure.net and KS-Hosting.com – became victims in what appears to be a series of hacks carried out by the same individual. Apparently connected by ownership, the platforms went down and began displaying similar messages on their homepages indicating that they had been seriously compromised.

The messages that appeared on both sites are similar and it seems from the timing that SapphireSecure was taken down first, displaying a “Down for Maintenance” error and the following text.

“Your IPTV provider from [redacted] in the United Kingdom has not secured your details and put you at huge risk. All the databases will be shared with the police and copyright protection agencies and posted online shortly.

[Name redacted] has the option to still protect his customers and himself and stop this and there are two ways of him doing this, this is his choice and likely depends on how much he cares about his customers data.”

The message on KS-Hosting goes a step further, again naming the individual allegedly behind both platforms while providing information relating to his current address, former address, and even his ISP. It also follows up with a threat to leak the personal information of staff members.

Keepchange

A bitcoin company is the latest victim of a data breach incident, where hackers managed to access customers’ full names and email addresses. Moreover, attackers sent withdrawal requests from the company customers’ accounts to addresses belonging to the hackers.

According to the announcement, Keepchange clarified that attackers stole part of their customers’ data, including trade counts, total traded amount, and passwords in the hashed form.

Although the company stated it’s “very unlikely” the hackers can retrieve the password from the hashed form, they recommend users change passwords.

However, the bitcoin (BTC) company clarified one of their control subsystems thwarted the hacker’s attempts to withdraw money from the user’s accounts affected in the data breach. No BTC was stolen during the cybersecurity incident.

As part of a series of security measures to be deployed, Keepchange says they’ve activated “Login Guard.” After each login, a user will receive an email with a link, which should be opened to access the account.
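The “Login Guard” described above is a second factor delivered out of band: a login does not grant access until the user opens a link from an email. The block below is an added illustration of how such a link can be built so that it is bound to the user, time-limited, tamper-evident and single-use. It is not Keepchange’s code; the server key, the ten-minute lifetime, the confirmation URL and the in-memory pending-login store are all assumptions made for the example.

```python
"""Single-use, time-limited login-confirmation link in the style of a
"Login Guard". Added example; not Keepchange's implementation."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the example: a per-deployment secret and a 10-minute lifetime.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds the emailed link stays valid
CONFIRM_URL = "https://example.invalid/login/confirm"  # hypothetical endpoint

# nonce -> (user_id, expiry). In-memory stand-in for a database table of
# pending logins; a real deployment would persist this.
_pending = {}


def _sign(user_id, nonce, expiry):
    """HMAC over everything the link carries, so any edit invalidates it."""
    msg = f"{user_id}|{nonce}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_login_link(user_id, now):
    """Called after a correct password. Returns the URL to email to the user;
    the session must stay inactive until confirm_login() accepts it."""
    nonce = secrets.token_urlsafe(16)          # unguessable, one per login
    expiry = now + TOKEN_TTL
    _pending[nonce] = (user_id, expiry)
    query = urlencode({"u": user_id, "n": nonce, "e": expiry,
                       "s": _sign(user_id, nonce, expiry)})
    return f"{CONFIRM_URL}?{query}"


def confirm_login(link, now):
    """Validate a clicked link. Returns (True, user_id) or (False, reason)."""
    params = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}
    try:
        user_id, nonce = params["u"], params["n"]
        expiry, sig = int(params["e"]), params["s"]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _sign(user_id, nonce, expiry)
    # Constant-time comparison; check the signature before touching state.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    pending = _pending.pop(nonce, None)        # consume: the link is single-use
    if pending is None:
        return False, "unknown or already used"
    if pending != (user_id, expiry):
        return False, "mismatch"
    if now > expiry:
        return False, "expired"
    return True, user_id


if __name__ == "__main__":
    link = issue_login_link("alice", now=1000)
    print(confirm_login(link, now=1100))       # (True, 'alice')
    print(confirm_login(link, now=1100))       # replay is rejected
```

The ordering matters: the signature is verified before the pending record is consumed, so an attacker cannot burn a legitimate user’s link by guessing its nonce, and the record is removed even when the link turns out to be expired, so it can never be retried later. In a real system the nonce should also be tied to the specific browser session that requested it, otherwise a stolen link activates whichever session the attacker holds.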

Syracuse University

The names and Social Security numbers of about 9,800 Syracuse University students, alumni and applicants have been exposed after someone gained unauthorized access to an employee’s email account.

The university has sent letters to affected students, alerting them that the university had investigated a data security breach involving some of their personal information. The unauthorized party accessed the employee’s email account between Sept. 24 and 28.

Upon learning of the breach, SU secured the account and launched an investigation that determined in early January that emails or attachments in the account contained names and Social Security numbers, a letter sent to affected students reads. The investigation, which was conducted with the help of a computer forensics firm, was unable to determine whether the unauthorized party ever viewed the personal information in the account, according to the letter, which was signed by Steven Bennett, senior vice president for international programs and academic operations.

QIMR Berghofer Medical Research Institute

One of Queensland’s major medical research facilities has been caught up in an international data breach, with non-identifiable patient data believed to have been accessed.

QIMR Berghofer Medical Research Institute said it was investigating exactly how much data the third parties accessed as part of a wider breach of the Accellion file-sharing system.

Accellion is an external company that bills itself as a provider of secure file-sharing services for large organisations, with QIMR using the service to share data with collaborators in what it thought was a secure way.

The data accessed was estimated to be about 4 per cent of the nearly 16 gigabytes of QIMR Berghofer data on Accellion’s servers.

QIMR Berghofer director and chief executive Fabienne Mackay said they believed the data accessed was related to anti-malarial drug trials.

“Looking at [the data potentially accessed] we did find clinical trial files. Fortunately these files are totally de-identified,” Professor Mackay said.

“We don’t believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologise sincerely that some of their de-identified information could potentially have been accessed.”

The drug trial data includes de-identified patient data such as date of birth, age, gender, and ethnic group of clinical trial participants.

The breach of QIMR’s data is believed to have occurred on Christmas Day, with Accellion advising the institute to install a security patch on January 4.
The company then advised QIMR that there had been a breach of its data on February 2.

Wind River Systems

Wind River Systems is warning of a ‘security incident’ after one or more files were downloaded from its network.

Wind River Systems, which develops embedded system software, on Friday warned of a “security incident” that had exposed personnel records.

One or more files were downloaded from the company’s network on or around September 29, it said. Affected data included information maintained within the company’s personnel records, including sensitive identifiers such as Social Security numbers, driver’s license numbers and passport numbers.

“We have been working with law enforcement and outside experts to investigate a security incident that occurred toward the end of September,” according to the security-incident notice, filed with California’s Attorney General as part of the state’s data-breach notification requirements. “We have no indication that any information in these files has been misused.”

Yandex

Yandex, one of Russia’s largest internet companies, has disclosed a data breach today. In a breach notification, it revealed that one of its system administrators had been selling access to Yandex employees’ mailboxes to unauthorized parties for personal gain. Upon discovering the incident, Yandex terminated the access and informed the affected mailbox owners.

Yandex operates in several technology sectors, from search to delivery, with Russia and Europe as its main markets. The company has previously been a target of Western intelligence agencies because of its close ties to the Russian Federation, and now it has reported a new data breach incident.

In a notification shared today, Yandex revealed an internal data breach. One of its three system administrators was found to be selling mailbox access to unauthorized parties for personal gain. A preliminary investigation found that about 4,887 employees’ mailboxes were affected.

Yandex has since terminated this access and told the owners of the affected email accounts to change their passwords. It also assured that no payment data held by Yandex was compromised in this incident. The company says it has informed law enforcement and is taking steps to minimize the impact.

Big Huge Games

DomiNations and Rise of Nations developer (and one-time Kingdom of Amalur co-developer) Big Huge Games has been the victim of a cyber attack. The attack is said to have impacted company data but the personal information of players hasn’t been affected.

This news comes via a Big Huge Games press release. In the release, Big Huge says that it’s still in the process of investigating the attack. We don’t yet know if this was a ransomware attack; no perpetrators have been named, and Big Huge hasn’t disclosed whether the attackers are asking for a ransom in exchange for stolen data. The team says it’s notified the relevant authorities and is still working to figure out how much data has been compromised.

According to Big Huge Games, there’s no evidence that any personal player data has been impacted by this attack. This includes info such as addresses, real names, and email addresses, as well as financial data like credit card information. Big Huge says most personal player data is handled by third-party vendors or is stored away from the central Big Huge studio, so there’s no reason to believe the hackers got their hands on it. The investigation is still ongoing, though, so there’s a chance Big Huge will discover more data that’s been affected by the attack.