
Here’s your weekly data breach news roundup:

Glovo, Veterans Administration, Pennsylvania’s coronavirus tracing app, Lemonade Renters & Home Insurance, Echelon Fitness, Toshiba, Guard.me, Air India, Mercari, Indonesia’s social security, and Domino’s Pizza.

Glovo


Glovo, a promising $2 billion delivery startup in Spain that aims to rival delivery giant Amazon in Europe in the coming years, grabbed unwanted attention after a hacker infiltrated an old administration panel interface and accessed customer and courier accounts.

The breach was first discovered by Hold Security, whose CEO and founder Alex Holden told Forbes that a hacker was sharing screenshots and videos on the Dark Web to demonstrate that they had gained access to Glovo accounts. The hacker was purportedly selling access to Glovo’s customer and courier accounts, but it is not clear how many customers or delivery agents were affected by the breach.

Glovo is a fast-growing delivery service headquartered in Barcelona, boasting over 2,000 employees, over 57,000 active couriers, over 3.5 million active customers, and connects over 74,000 local shops and restaurants with customers in over 20 countries. The company was founded in 2015 and is best known for its mobile app-enabled food delivery services.

Veterans Administration

A database filled with the medical records of nearly 200,000 U.S. military veterans was exposed online by a vendor working for the Veterans Administration, according to an analyst, who also presented evidence the data might have been exfiltrated by ransomware attackers.

The VA, for its part, said that the evidence may point to internal security work rather than a cyberattack.

The files were first discovered on April 18 by researcher Jeremiah Fowler, who found the database sitting exposed online without even basic password protection. Fowler said the files made several references to United Valor Solutions. United Valor is a North Carolina-based company which “provides disability evaluation services for the Veterans Administration and other federal and state agencies,” according to its site.

Insight Global - Pennsylvania’s coronavirus contact tracing contractor

Employees of a vendor paid to conduct COVID-19 contact tracing in Pennsylvania may have compromised the private information of at least 72,000 people, including their exposure status and their sexual orientation, the state Health Department said Thursday.

Workers at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system, Health Department spokesman Barry Ciccocioppo said.

“We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals,” Ciccocioppo said. He said state computer systems, including Pennsylvania’s contact tracing app, were not implicated.

Lemonade Renters & Home Insurance

An activist short seller has written a letter to the chief executive of insurance giant Lemonade with details of an “accidentally discovered” security flaw that exposes customers’ account data.

Carson Block, founder of investment research firm Muddy Waters Research, sent the letter to Lemonade co-founder and chief executive Daniel Schreiber on Thursday, describing the bug that allowed anyone to inadvertently access personally identifiable data from customers’ accounts as “unforgivably negligent.”

Block’s letter said: “By clicking on search results from public search engines, we shockingly found ourselves logged in to and able to edit Lemonade customers’ accounts without having to provide any user credentials whatsoever.”

Echelon Fitness

Researchers from the PenTestPartners team, led by Ken Munro, have discovered serious security problems with the API used by Echelon Fitness, a maker of home indoor exercise bikes and smart fitness equipment. According to the report, Echelon was exposing sensitive details of its customers, allowing anyone to retrieve them through simple API requests. To make matters worse, the researchers report that these issues were discovered back in January, but Echelon fixed them only last week.

This is very unfortunate considering how many people relied on exercise machines of this kind during the pandemic and the associated lockdowns that forced people to remain indoors for extended periods of time.

Toshiba

A French business belonging to Toshiba has been hit by a ransomware attack that the company says came from the same group that carried out the Colonial Pipeline attack this week.

Toshiba Tec Corp, which makes office and electrical machinery, said today it had been hacked by DarkSide, according to Reuters. This is the same group that the FBI has blamed for the Colonial Pipeline attack in the US.

Little is known at this stage as to how much damage has been caused. The company said in a press release that the impact has been limited to some regions in Europe, but Toshiba Tec is still investigating whether customer-related information was leaked externally.

“As far as the investigation result shows, the group recognises that it is possible that some information and data may have been leaked by the criminal gang,” it said in a statement.

The group shut down the networks and systems operating between Japan and Europe, as well as those between European subsidiaries, to prevent the damage from spreading. It also said that once its data backup is completed, it will deploy recovery measures.

Guard.me


Student health insurance carrier guard.me has taken its website offline after a vulnerability allowed a threat actor to access policyholders’ personal information.

guard.me is one of the world’s largest insurance carriers specializing in providing health insurance to students while traveling or studying abroad in another country.

On May 12th, guard.me discovered suspicious activity on its website that led it to take the site down. Visitors are now automatically redirected to a maintenance page warning that the site is down while the insurance provider increases its security.

“Recent suspicious activity was directed at the guard.me website and in an abundance of caution we immediately took down the site. Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible.” reads the guard.me website.

Air India


Ten years’ worth of Air India customer data, including credit cards, passports and phone numbers, has been leaked in a massive cyber-attack on its data processor in February, the airline has announced.

The incident has affected around 45 lakh customers registered between 26th August 2011 and 3rd February 2021, Air India said, disclosing the scale of the breach nearly three months after it was first informed of it.

Names, dates of birth, contact information and ticket information have also been compromised in the ‘highly sophisticated’ attack that targeted Geneva-based passenger system operator SITA, which serves the Star Alliance of airlines including Singapore Airlines, Lufthansa and United, besides Air India.

“SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers. This incident affected around 4,500,000 data subjects in the world,” Air India said in an email to customers.

“While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 and 5.04.2021,” it added.

Mercari


E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack.

Mercari is a publicly traded Japanese company and an online marketplace that has recently expanded its operations to the United States and the United Kingdom.

The Mercari app has scored over 100 million downloads worldwide as of 2017, and the company is the first in Japan to reach unicorn status.

As earlier reported by BleepingComputer, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.

During this two-month period, threat actors had modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments.

Using the credentials harvested from the tampered Bash Uploader, Codecov attackers reportedly breached hundreds of customer networks.
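The Codecov incident described above came down to a CI job fetching a helper script from a vendor and running it with the job’s environment variables in scope, so a tampered copy served from the vendor’s side had everything it needed. The following is an added example, not Codecov’s uploader or Mercari’s pipeline: it generalizes to any remotely fetched CI script and shows the integrity check a defender would put in front of the execution step, pinning a SHA-256 digest at review time and refusing to run a copy whose digest has changed. The script names, file paths and the "uploader" contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Codecov's own uploader): gate execution of a fetched CI
# helper script on a pinned SHA-256 digest, so a server-side modification is
# caught before the script ever runs with access to the job's environment.

# Compute the SHA-256 of a file; works on GNU (sha256sum) and BSD (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_run SCRIPT EXPECTED_DIGEST
# Runs SCRIPT only when its digest equals EXPECTED_DIGEST; otherwise prints
# both digests to stderr and returns 1 without executing anything.
verify_and_run() {
  script="$1"
  expected="$2"
  actual="$(sha256_of "$script")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script: digest mismatch" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  sh "$script"
}

# --- constructed demonstration (hypothetical files, created here) ---
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT

# The script the CI job intends to run: a stand-in for a coverage uploader.
printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$workdir/uploader.sh"
# The digest a reviewer pinned when this version of the script was vetted.
pinned="$(sha256_of "$workdir/uploader.sh")"

# A copy that differs by a single appended line, as a served-up tampered
# version would; the digest check rejects it before any of it executes.
cp "$workdir/uploader.sh" "$workdir/tampered.sh"
printf '%s\n' '# line inserted after the pinned version was reviewed' >> "$workdir/tampered.sh"

verify_and_run "$workdir/uploader.sh" "$pinned"    # runs: prints "uploading coverage report"
verify_and_run "$workdir/tampered.sh" "$pinned" || echo "tampered copy blocked"
```

The pinned digest has to be updated deliberately whenever the vendor ships a new version, which is the point: a change to the script becomes a reviewed change in the repository rather than something that silently takes effect on the next build. The check only prevents future exposure; where a modified script has already run, the environment variables it could read (tokens, keys, credentials) should be treated as compromised and rotated.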

Indonesia's social security

A suspected breach of Indonesia’s social security data has left virtually all Indonesians exposed to digital attacks and fraud, authorities and digital security experts warned on Friday.

The Communication and Information Technology Ministry said it suspects that personal records of at least 100,000 individuals have been leaked from BPJS Kesehatan, and asked the country’s national insurance company to notify the affected individuals about the breach.

The records were part of a sample database offered for free by an individual, or group of individuals, using the username Kotz, at the database sharing forum Raidforum.


Since May 12, Kotz has been trying to sell, for 0.15 bitcoins ($6,130), a larger set of the database, which they claimed holds more than 279 million records, containing information ranging from national identity numbers, social security numbers, phone numbers, and tax identification numbers, to family members, blood type, and salaries.

BPJS Kesehatan reported it had 222.5 million users at the end of last year, covering about 82 percent of Indonesia’s 270.2 million people.

“The ministry suspected the sample database is identical to BPJS Kesehatan’s database,” Dedy Permadi, the Communication and Information Technology spokesman, said. 

“The suspicion is based on records of social security number, office code, family records, and payment status [in the sample database], which are identical with BPJS Kesehatan’s records,” Dedy said. 

Domino's Pizza

Data related to 18 crore orders from Domino’s Pizza, along with nearly 13TB of employee and customer details, has resurfaced online. The group behind the hack has made the information public and has said that payment details and employee files will soon follow.

To find out whether your information is in the database, you first need to download the Tor Browser. Once you do that, click the link here. As of the time of this writing, the link works, but the search engine is slow since it has to sift through nearly 13TB of data. The link also appears to crash from time to time; if that happens, just try again after some time.


As of the time of this writing, we have managed to get it working once, but the search took a long time, so be patient. This is likely due to the high volume of people searching a very large database.