Databreaches-week17-2021-min

Here’s your weekly data breach news roundup: ​

Montefiore Medical Center, University Of Colorado, OTP generating firm(Undiclosed), Phone House, Spotless, Geico, Eversource Energy, Douglas Elliman Property Management, and Click Studios – Passwordstate.

Montefiore Medical Center

Week-17-2021-montefiore

Patients of the Montefiore Medical Center in New York have received the fourth notice of a data breach that affects them in just seven months. The culprit is reportedly an employee who abused his access to the clinic’s systems. The data accessed by that person includes patient names, medical record numbers, physical addresses, email addresses, dates of birth, and the last four digits of their social security numbers (SSNs). Credit card details and clinical details weren’t accessed.

The Montefiore Medical Center states that this happened in violation of its privacy policies and that all employees access only what they need for work-related reasons. Upon discovering the abuse, the employee was immediately suspended and will face the relevant legal consequences. The clinic discovered the violation thanks to the ‘FairWarning’ software that is deployed on its systems, monitoring the type of access that its employees engage in and alerting the administration about risky cases.

University Of Colorado

week17-2021-universityofcolorado

The University of Colorado released new information on Friday about the Accellion data breach that compromised more than 310,000 university records. Officials say data accessed in the breach includes grades and transcript data, visa and disability status, medical and prescription information and in limited cases, Social Security numbers and university financial account information.

In February, CU announced it was investigating a cyberattack believed to be the largest in the university’s history. The attack targeted a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor. Accellion says the hack impacted fewer than 100 clients, with 25 suffering significant data theft.

OTP generating firm(Undiclosed)

A hacker appears to be selling sensitive data they claim to have stolen from an OTP-generating company. This particular company has some of the most popular tech and business giants on its list of customers including Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter accounts, etc.

The same hacker is also claiming to have real-time access to the one-time-password (OTP) system of the company. However, the InfoSec researcher behind the discovery of this alleged breach Rajshekar Rajaharia disagrees with the hacker. 

Phone House

week17-2021-phonehouse

The  freelance IT security consultant Sijmen Ruwhof discovered that personal info of more than 12 million Dutch mobile phone are open to cyber attacks. Ruwhof  detailed all the security issues he noticed in a blog post.

Basically, all Dutch citizens who own a mobile phone are at risk of attack, the Phone House is a Dutch phone retail company that is a dealer for all telecom operators in the country.

Phone House points of sale are located in the Media Markt stores across the country. Ruwhof went to a Phone House store in a Media Markt store in Utrecht to get information about his phone subscription, and made a disconcerting discovery; the employees at the Phone House had access to customer data of all Dutch telecoms via dealer portals, and this access seems to be very insecure.

Spotless

Trans-Tasman catering and cleaning firm Spotless has admitted to a huge data breach in which hackers may have obtained past and present staff members’ passport and IRD numbers, amongst other personal information.

Internet experts said the breach was very serious and there was enough personal information in the potential leak that meant a “very high risk” of identity theft.

Spotless told affected workers by email on Thursday.

One woman who received the email said she was deeply worried and had immediately visited her bank to change her credit cards. She was concerned her passport was compromised, and also that Spotless’ lower-waged cleaning staff, many of whom had English as a second language and perhaps poor access to email, would not necessarily receive the communication.

Geico

week17-2021-geico

Insurance company Geico suffered a data breach earlier this year that exposed customers’ driver’s license numbers for more than a month, according to a data breach notice filed with the attorney general of California. First reported by TechCrunch, Geico says in the notice that it has fixed the security issue that led to the breach.

“We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website,” the notice reads. “We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

The notice does not indicate how many customers may have been affected or whether the breach was confined to California. But California law states that “any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach” must submit a copy of the notice to the attorney general’s office.

Eversource Energy

week17-2021-eversourceenergy

Eversource, the largest energy supplier in New England, has suffered a data breach after customers’ personal information was exposed on an unsecured cloud server.

Eversource Energy is the latest energy delivery company in New England, powering 4.3 million electric and natural gas customers throughout Connecticut, Massachusetts, and New Hampshire.

In a data breach notification shared with BleepingComputer, Eversource Energy is warning customers that the unsecured cloud storage server exposed their name, address, phone number, social security number, service address, and account number.

Douglas Elliman Property Management

week17-2021-douglasellimanpm

Thousands of New York residents who live in buildings run by Douglas Elliman’s property management arm may have had their personal information compromised this month.

Douglas Elliman Property Management’s three managing directors emailed hundreds of co-operative and condominium boards Monday to advise them that the company’s IT network — which contains data for its buildings’ residents and employees — was breached and their personal information may have been compromised.

 

In the message viewed by The Real Deal, executives said the firm detected “suspicious activity” on its IT systems April 7. After launching an investigation and contacting law enforcement, Elliman determined that an “unauthorized party” gained access to its IT network between April 5 and April 7 and including files containing owners’ and employees’ personal data. A source with knowledge of the situation said the Federal Bureau of Investigation is involved.

Click Studios - Passwordstate

week17-2021-clickstudios

For more than 24 hours this week, hackers had unfettered access to the update mechanism for a popular password manager that claims hundreds of thousands of IT professionals as clients, incident responders revealed on Friday.

The malicious code found in the Passwordstate software offered the unidentified attackers a potential foothold onto any customer network that downloaded the update during that time.

Click Studios, the Australian firm that owns the Passwordstate password manager, claims that 370,000 IT security professional around the world use the software. In addition, 29,000 organizations across sectors such as banking, manufacturing, defense and aerospace are customers, according to the Click Studios website.

“We assume this attack could have impacted a large number of these customers,” said CSIS Security Group, the Danish firm that responded to the intrusion.