w21-2023

Here’s your weekly #databreach news roundup:

PillPack, Dish Network, R&B Corporation of Virginia, Zivame, SuperVPN, Apria Healthcare, and Tesla.

PillPack

PillPack, an Amazon-owned online pharmacy, reported a data breach affecting over 19,000 customers, including over 3,600 accounts in which prescription data was compromised. The breach exposed users’ email addresses, prescription information, and their providers’ contact details, but social security numbers and credit card information were not involved. The breach was detected on April 3, 2023, with unauthorized sign-ins occurring between April 2 and April 6, likely due to customers reusing their log-in credentials from another site. However, there’s no evidence that the accessed information has been misused. Amazon acquired PillPack in 2018 as part of its foray into healthcare, which includes the launch of Amazon Pharmacy and a generic drug subscription service. Notably, healthcare data breaches have surged over the past decade, with over 700 reported in 2022, more than triple the number in 2010. With the proliferation of digital health apps and wearable devices, regulatory bodies have increased their efforts to enforce data privacy rules and protect sensitive health information.

Dish Network

Dish Network, an American television provider, likely paid a ransom following a ransomware attack in February, as indicated by the wording used in data breach notification letters sent to impacted employees. Although the company hasn’t confirmed that it paid, it did note that it received confirmation that the extracted data was deleted, a step typically taken by ransomware gangs after a ransom is paid. The attack affected 296,851 individuals, primarily current and former employees and their families, and the exposed information included names, driver’s license numbers or non-driver identification card numbers, health insurance information, and COVID-19 vaccination status. The ransomware group responsible for the attack remains unnamed but is suspected to be the notorious Black Basta gang. Since the attack, Dish Network has faced multiple class-action lawsuits alleging poor cybersecurity and IT infrastructure.

R&B Corporation of Virginia

R&B Corporation of Virginia d/b/a Credit Control Corporation (“CCC”) filed a notice of data breach with the Maine Attorney General after learning that an unauthorized party illegally copied certain files from the company’s computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names and Social Security numbers. After confirming that consumer data was leaked, CCC began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.

Zivame

The recent data breach concerning Zivame, an Indian online women’s intimate apparel store, has led to the exposure of customers’ personal information. The leaked information includes full names, phone numbers, email addresses, shipment addresses, and details about individual purchases, excluding any payment-related data.

The data, which was allegedly sold by hackers on multiple forums, was found to match the personal information of some Zivame customers. The information was shared by a broker claiming to sell the data on behalf of a primary hacker. Later, the data was pulled offline, apparently at the hacker’s request.

Zivame has declined to comment on the apparent breach, and its chief technology and product officer, Monish Kaul, has not responded to queries regarding the incident. The cybersecurity startup Technisanct first reported the availability of the exposed data on May 11. The company’s founder and CEO, Nandakishore Harikumar, conducted a manual verification of a sample of 50 email addresses and phone numbers from the data dump, and confirmed that the data belonged to Zivame customers.

The complete set of leaked details and the full extent of the threat have yet to be determined. India’s Computer Emergency Response Team (CERT-In) has been informed about the data breach and has stated that it is in the process of taking appropriate action with the concerned authority.

Founded in 2011, Zivame was acquired by Reliance Retail, a subsidiary of Indian conglomerate Reliance Industries and the largest retailer in India in terms of revenues, in 2020.

SuperVPN

In a recent cybersecurity incident, security researcher Jeremiah Fowler discovered a significant data breach in a non-password-protected database associated with a popular free VPN service.

The exposed database contained a staggering 360,308,817 records, totalling 133 GB in size. These records included a wide range of sensitive information, including user email addresses, original IP addresses, geolocation data, and server usage records.

Additionally, the breach revealed secret keys, Unique App User ID numbers, and UUID numbers, which can be utilized to identify further useful information.

Other information found in the database encompassed phone or device models, operating systems, internet connection types, and VPN application versions. Furthermore, refund requests and paid account details were also present in the breach.

Apria Healthcare

On 1st September 2021, Apria Healthcare, a leading provider of home healthcare equipment, was notified that unauthorized access had been detected in its computer network, compromising the personal and confidential information of up to 1.8 million individuals.

On May 22, 2023, Apria Healthcare filed a notice with the Maine Attorney General regarding a data breach that occurred on its systems. An unauthorized party successfully accessed files containing confidential patient information, including names, Social Security numbers, personal details, medical records, health insurance information, and financial data.

The financial data accessed includes account numbers, credit/debit card numbers, account security codes, access codes, passwords, and PINs. The breach spanned two periods: from 5th April to 7th May 2019, and from 27th August to 10th October 2021.

Tesla

A Tesla whistleblower has leaked 100GB of data to the German outlet Handelsblatt containing thousands of customer complaints that raise serious concerns about the safety of Tesla’s Full Self-Driving (FSD) features.

The complaints, which were reported across the US, Europe, and Asia, span from 2015 to March 2022. During this period, Handelsblatt says Tesla customers reported over 2,400 self-acceleration issues and 1,500 braking problems, including 139 reports of “unintentional emergency braking” and 383 reports of “phantom stops” from false collision warnings.