week-08-2021-newsletter

Here’s your weekly data breach news roundup:

  • Canadian Discount Car and Truck Rentals
  • PrivatBank
  • Jones Day
  • Simon Fraser University (SFU)
  • Kia Motors America
  • Hoffman Construction Company
  • JamCOVID19 website
  • Law firm Charles J. Hilton & Associates P.C.
  • Grand River Medical Group
  • Canada Revenue Agency
  • Automatic Funds Transfer Services (AFTS)
  • Sequoia Capital
  • Florida Water Plant
  • Kroger

Canadian Discount Car and Truck Rentals

Canadian Discount Car and Truck Rentals has been hit with a DarkSide ransomware attack where the hackers claim to have stolen 120GB of data.

Discount Car and Truck Rentals is a leading Canadian car and truck rental company with 300 locations throughout Canada. Enterprise Holdings’ Canadian subsidiary acquired the company in 2020.

This month, the car rental company suffered a cyberattack by the DarkSide ransomware gang that has disrupted the company’s online rental services at discountcar.com.

“Discount Car and Truck Rentals was subject to a ransomware attack that impacted the Discount headquarters office. A fully-dedicated team isolated and contained the attack quickly. The team is working to investigate and restore service as quickly and safely as possible,” Discount Car and Truck Rentals confirmed in a statement to BleepingComputer.

PrivatBank

The largest bank in Ukraine, ‘PrivatBank,’ has had an undisclosed data breach in the recent past, as the sensitive information of a large number of its clients has appeared on popular hacker forums in the form of a purchasable package. The database contains over 40 million records of the bank’s clients, exposing them to phishing, scamming, identity theft, bank fraud, and generally a wide range of exploitation potential.

More specifically, the seller advertises the following details:

  • Full name
  • Date of birth (DOB)
  • Taxpayer identification number (TIN)
  • Place of birth
  • Passport details, including passport number, issue date, issuing department, etc.
  • Family status
  • Car availability
  • Viber contacts, if available
  • Education
  • Mobile phone number

Considering that the entire population of Ukraine is 44 million, a significant portion of these records must be duplicates. Another possible explanation is that the bank serves foreigners too, but the seller isn’t mentioning anything like that, and it’s not very probable.

Jones Day

Last month hackers infiltrated a server used by Jones Day, one of the largest and most successful law firms in the world. After failed attempts to extort payment from the firm, the hackers have now uploaded gigabytes of highly sensitive data that were stolen in the attack.

For its part, Jones Day denies that any of its own servers were compromised. There are indications that the firm’s data was stolen during a larger hack that impacted multiple clients of a major file sharing service provider. In a statement provided to The Wall Street Journal, a Jones Day spokesperson named Accellion as that provider.

The hackers appear to have exploited vulnerabilities in FTA, an Accellion application used to transfer large files. Accellion has issued a statement saying the company “is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm.”

Simon Fraser University (SFU)

A post-secondary institution in Metro Vancouver has been hit by a cyberattack, which could mean personal information may have been compromised.

Simon Fraser University (SFU) issued a statement today (February 16) to notify its community of a cyberattack on one of the school’s servers that took place on February 5 and exposed personally identifiable information.

The university stated the server had spreadsheet data that contained personal information for current and former students, faculty, staff, and student applicants.

The information for each individual varied based on the type of information stored on the spreadsheet. In most cases, the information was the student or employee ID number and a minimum of one other data element. Other data elements included:

  • admission or academic standing information, including students who applied for financial aid, academic probation, transcript requests, and student honour awards;
  • student group data, including Indigenous students and student athletes;
  • data about faculty active in 2018;
  • student course data, including courses for engineering science and math, and pre-calculus and calculus;
  • students with international characters in their names or addresses.

The information did not include banking details, social insurance numbers, or passwords.

Kia Motors America

Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang, which is demanding $20 million for a decryptor and a promise not to leak the stolen data.

Kia Motors America (KMA) is headquartered in Irvine, California, and is a Kia Motors Corporation subsidiary. KMA has nearly 800 dealers in the USA with cars and SUVs manufactured out of West Point, Georgia.

Yesterday, we reported that Kia Motors America was suffering a nationwide IT outage that has affected their mobile UVO Link apps, phone services, payment systems, owner’s portal, and internal sites used by dealerships.

Hoffman Construction

US building contractor Hoffman Construction has gone public about a data breach that affected the healthcare records of an unspecified number of employees.

Hoffman discovered in December that an unauthorized party had accessed data related to its self-insured health plan in early August.

A variety of sensitive information records were exposed as a result, including employee names, addresses, dates of birth, Social Security numbers, and benefits information.

In a breach notification statement, Hoffman said that as soon as it discovered the problem it “disabled the affected systems, took steps to secure our network, and began an investigation”.

Computer forensics experts brought in by Hoffman have yet to uncover evidence that sensitive health plan-related data has actually been viewed by an attacker, much less abused.

Nonetheless, as a precaution, Hoffman is advising current and former employees, plus their beneficiaries and dependents, to “review any statements that they receive from their healthcare providers or health insurer”.

JamCOVID19 website

A security lapse by a Jamaican government contractor has exposed immigration records and COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year.

The Jamaican government contracted Amber Group to build the JamCOVID19 website and app, which the government uses to publish daily coronavirus figures and allows residents to self-report their symptoms. The contractor also built the website to pre-approve travel applications to visit the island during the pandemic, a process that requires travelers to upload a negative COVID-19 test result before they board their flight if they come from high-risk countries, including the United States.

But a cloud storage server storing those uploaded documents was left unprotected and without a password, and was publicly spilling out files onto the open web.

Many of the victims whose information was found on the exposed server are Americans.

Law firm Charles J. Hilton & Associates P.C.

A cyber-attack on a Pennsylvania law firm has potentially exposed the personal health information (PHI) of more than 36,000 patients of University of Pittsburgh Medical Center (UPMC).

Law firm Charles J. Hilton & Associates P.C. (CJH), which provides legal services to UPMC, discovered suspicious activity in its employee email system in June 2020. An investigation determined that hackers had gained access to several employee email accounts between April 1, 2020, and June 25, 2020.

In December 2020, UPMC received a breach notification report from CJH confirming that whoever hacked into the email accounts may have accessed patient data. CJH is now in the process of writing to all the patients who may have been affected.

Patient information compromised in the attack consisted of data used by CJH to provide its contracted billing-related legal services to UPMC.

Exposed data includes names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, and trip numbers.

Grand River Medical Group

As many as 34,000 patients of Grand River Medical Group could be affected by a potential data breach.

A letter was sent to all patients last week notifying them of the breach. GRMG says “an unauthorized individual gained access into an employee’s email account” allowing them to potentially view documents containing personal information, including name, social security number, date of birth, address, and more.

GRMG immediately terminated the individual’s access to their system and launched an investigation. They also changed all relevant passwords and isolated the compromised account from the system.

An analysis shows no evidence any data was accessed or downloaded, but it can’t be ruled out, which is why patients are being notified. All affected patients are being offered one year of complimentary identity theft protection.

Canada Revenue Agency

The Canada Revenue Agency had to suspend the accounts of more than 100,000 users of its online service because it detected troves of leaked login information on the dark web that could have led to data breaches.

If you received an unexpected and cryptic email on Feb. 16 from CRA warning you that your email had been deleted from the agency’s web platform, MyCRA, do not worry: your account has not been breached.

In fact, the agency says it means that its new early cyber security issue detection system is working (though the communication strategy will be reviewed and it “regrets the inconvenience”).

But that also means your login data has probably been compromised through a third-party breach and you will need to contact CRA in order to regain access to your online account, particularly if you plan on filing your 2020 taxes online starting next week.

“To be clear, these accounts were not impacted by a cyber attack at the CRA. These accounts have not been compromised and the action taken to lock the accounts was a preventative measure,” agency spokesperson Christopher Doody said in an emailed statement.

Automatic Funds Transfer Services (AFTS)

A ransomware attack against the widely used payment processor AFTS has sparked data breach notifications from numerous cities and agencies within California and Washington.

Automatic Funds Transfer Services (AFTS) is used by many cities and agencies in Washington and other US states as a payment processor and address verification service. Because the data it holds for billing and verifying customers and residents is wide and varied, this attack could have a massive and widespread impact.

The attack occurred around February 3rd when a cybercrime gang known as ‘Cuba ransomware’ stole unencrypted files and deployed the ransomware.

The cyberattack has since caused significant disruption to AFTS’ business operations, making their website unavailable and impacting payment processing.

Sequoia Capital

Sequoia Capital, one of the most prominent venture capital firms focused on the technology industry, has disclosed a data breach. The company informed its investors that an unauthorized third party had access to their personal and financial information. Sequoia’s portfolio includes Airbnb, DoorDash, and Robinhood, and it has also invested in major cybersecurity firms such as FireEye and Carbon Black.

The intrusion is the result of a successful phishing attack against one of its employees.

“Sequoia Capital told its investors on Friday that some of their personal and financial information may have been accessed by a third party, after a Sequoia employee’s email was successfully phished, Axios has learned,” reported Axios.

The venture capital firm told investors that it has been monitoring the dark web and that, at the time of this writing, it is not aware of threat actors trading the compromised data.

“We recently experienced a cybersecurity incident. Our security team responded promptly to investigate, and we contacted law enforcement and engaged leading outside cybersecurity experts to help remediate the issue and maintain the ongoing security of our systems,” a Sequoia spokesperson told Axios. “We regret that this incident has occurred and have notified affected individuals. We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats.”

Florida Water Plant

Researchers discovered credentials for the Oldsmar water treatment facility in the massive compilation of data from breaches posted just days before the attack.

Researchers at CyberNews said they found 11 credential pairs linked to the Oldsmar water plant in a 2017 compilation of stolen breach credentials. They also found 13 credential pairs in the more recent “compilation of many breaches” (COMB for short) that was posted just days before the attack.

This collection was leaked on the RaidForums English-language cybercrime community on Feb. 2 and contains a staggering 3.27 billion unique combinations of cleartext email addresses and passwords in an aggregate database.

Of note, officials have not publicly drawn any connection between the credentials discovered in the leaked credential breach databases and the attack last week.

The attack on the Oldsmar water-treatment facility in Florida occurred last Friday, when an attacker used remote access to the system to change the level of sodium hydroxide, more commonly known as lye, in the water from 100 parts per million to 11,100 parts per million.

The change was immediately detected by a plant operator, who changed the levels back before the attack had any impact on the system.
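The operator caught the jump by eye; a plant can also catch it automatically with a bounds and rate-of-change check on setpoint writes. The following is an added example, not code from the advisory or the plant, and its event format, parameter name and safe envelope are assumed; the 100 to 11,100 ppm jump in the constructed log mirrors the figures reported above.

```python
from typing import Dict, List

# Constructed sample log of setpoint writes (hypothetical format: one dict per
# change with timestamp, session id, parameter and old/new value in ppm).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2021-02-05T08:02:11", "session": "op-12", "param": "NaOH_ppm",
     "old": 100.0, "new": 102.0},
    {"ts": "2021-02-05T09:15:40", "session": "op-12", "param": "NaOH_ppm",
     "old": 102.0, "new": 98.0},
    {"ts": "2021-02-05T13:30:05", "session": "remote-7", "param": "NaOH_ppm",
     "old": 100.0, "new": 11100.0},
]

# Assumed safe operating envelope per parameter: absolute bounds in ppm and the
# largest single-step change (as a multiple of the old value) seen in normal use.
LIMITS = {
    "NaOH_ppm": {"min": 50.0, "max": 300.0, "max_step_ratio": 1.5},
}


def check_setpoint_change(event: Dict) -> List[str]:
    """Return the reasons this change should alarm; empty list if acceptable."""
    limits = LIMITS.get(event["param"])
    if limits is None:
        # Unknown parameters alarm too: a write nobody defined a range for is suspect.
        return ["no safety envelope defined for parameter"]
    reasons = []
    old, new = event["old"], event["new"]
    if not (limits["min"] <= new <= limits["max"]):
        reasons.append(f"new value {new} outside [{limits['min']}, {limits['max']}]")
    # Compare with the previous value so a large jump alarms even inside bounds.
    if old > 0 and new / old > limits["max_step_ratio"]:
        reasons.append(f"step ratio {new / old:.1f}x exceeds {limits['max_step_ratio']}x")
    return reasons


def find_alarms(events: List[Dict]) -> List[Dict]:
    """Return every event that trips a rule, annotated with its reasons."""
    alerts = []
    for ev in events:
        reasons = check_setpoint_change(ev)
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_alarms(SAMPLE_EVENTS):
        print(a["ts"], a["session"], a["param"], a["old"], "->", a["new"], a["reasons"])
```

In practice the alarm would also hold the write for confirmation rather than only log it, and the session id lets the responder tell a local operator change from a remote-access one.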

According to a Massachusetts security advisory published Wednesday, the attackers accessed the water treatment plant’s SCADA controls via TeamViewer, which is remote access software. TeamViewer was installed on computers by the water treatment plant, used by personnel to conduct system status checks and to respond to alarms or other issues that cropped up during the water treatment process.

“All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system,” according to the recent advisory. “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

Kroger

Kroger Co. says it was among the multiple victims of a data breach involving a third-party vendor’s file-transfer service and is notifying potentially impacted customers, offering them free credit monitoring.

The Cincinnati-based grocery and pharmacy chain said in a statement Friday that it believes less than 1% of its customers were affected — specifically some using its Health and Money Services — as well as some current and former employees because a number of personnel records were apparently viewed.

Kroger said the breach did not affect Kroger stores’ IT systems or grocery store systems or data and there was no indication that fraud involving accessed personal data had occurred.

The company, which has 2,750 grocery retail stores and 2,200 pharmacies nationwide, did not immediately respond to questions including how many customers might have been affected.

Kroger said it was among victims of the December hack of a file-transfer product called FTA developed by Accellion, a California-based company, and that it was notified of the incident on Jan. 23, when it discontinued use of Accellion’s services. Companies use the file-transfer product to share large amounts of data and hefty email attachments.