week-24-2021-banner

Here’s your weekly data breach news roundup: ​​

Cosmolog Kozmetik, Wegmans, French ISP ‘Free’, Baby Clothes Giant Carter, US truck and military vehicle maker Navistar, Eggfree Cake Box, Cruise operator Carnival, Invenergy, CVS Health, and Intuit.

Cosmolog Kozmetik

week22-2021-cosmolog

WizCase’s security team, led by Ata Hakçıl, has found a major breach in popular online retailer Cosmolog Kozmetik’s database. This breach exposed users’ names, email addresses, physical addresses, phone numbers, order details, and more. Hundreds of thousands of users were compromised in the breach. There was no need for a password or login credentials to access this information, and the data was not encrypted.

Cosmolog Kozmetik’s data breach made accessible over 5400 Excel files which exposed over 637,000 unique orders made by over 567,000 unique users on multiple e-commerce websites. The leaked order records revealed customers’ names, surnames, physical addresses, and purchase details such as items purchased and quantity of items. However, no payment information such as credit card numbers were found in the data breach.

Wegmans

Wegmans Food Markets notified customers that some of their information was exposed after the company became aware that two of its databases were publicly accessible on the Internet because of a configuration issue.

Wegmans is a 106-store major regional supermarket chain with stores in the mid-Atlantic and Northeastern regions (i.e., New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).

The store chain was founded in 1916, and it is one of the largest private companies in the US, employing more than 50,000 people.

We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access,” the supermarket chain said in a press release.

“This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021.”

After the data breach was discovered, Wegmans hired a leading forensics firm to investigate the incident and correct the database misconfiguration.

Customer information exposed in the data breach included names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account e-mail addresses and passwords.

However, according to Wegmans, the databases contained only salted password hashes were both hashed and salted, with the actual passwords not being stored in the unsecured databases.

“Social security numbers were not impacted (Wegmans does not collect this information from its customers) nor was any payment card or banking information involved,” the company added.

French ISP ‘Free’

week22-2021-free

A hacker has gained access to the database of ‘Free,’ a Paris-based telecommunications provider – which is actually a subsidiary of Iliad. Having failed to receive a response from the company when he alerted them about the SQL injection, the hacker proceeded to list the database access for sale on a popular forum, setting the price to $2,000 for anyone interested.

If the seller’s claims are true, the buyer could gain access to a trove of valuable and sensitive data, potentially causing great troubles for the French firm and its customers.

Baby Clothes Giant Carter

week22-2021-carter

Baby clothes retailer Carter’s inadvertently exposed the personal data of hundreds of thousands of its customers, dating back years, according to a new disclosure.

The issue started with Linc, which is a vendor the company used to automate purchases online, according to analysts with vpnMentor who first discovered the issue. The Linc system was delivering customers shortened URLs with Carter’s purchase and shipping details without basic security protections. The links contained everything from purchase details to tracking information and more.

“Furthermore, by modifying the Linc URLs (to which the shortened URLs were redirecting), it was possible to access backend JSON data, which revealed even more personal information about customers that wasn’t exposed by the confirmation pages, such as: Full names delivery addresses and phone numbers,” the report explained.

US truck and military vehicle maker Navistar

Navistar International Corporation (Navistar), a US-based maker of trucks and military vehicles, says that unknown attackers have stolen data from its network following a cybersecurity incident discovered on May 20, 2021.

The company disclosed the attack in an 8-K report filed with the Securities and Exchange Commission (SEC) on Monday.

Navistar says that its operations haven’t been affected despite the security breach as its IT systems are fully operational.

The company also took a series of measures designed to mitigate the potential impact of the May security breach.

“Upon learning of the cybersecurity threat, the Company launched an investigation and undertook immediate action in accordance with its cybersecurity response plan, including employing containment protocols to mitigate the impact of the potential threat, engaging internal and third-party information technology security and forensics experts to assess any impact on the Company’s IT System, and utilizing additional security measures to help safeguard the integrity of its IT System’s infrastructure and data contained therein,” Navistar said.

Eggfree Cake Box

week22-2021-cakebox

Eggfree Cake Box has disclosed a data breach after threat actors hacked their website to stole credit card numbers.

Cake Box is a UK chain of stores selling fresh cream celebration cakes made without eggs. There are currently 164 Cake Box stores located throughout the United Kingdom.

In emails sent to customers this week, Cake Box disclosed that their website was hacked in 2020 to include malicious scripts that stole customer information, including credit cards, submitted to the site.

Cruise operator Carnival

Cruise operator Carnival Corp (CCL.N) said  it had detected unauthorized access to its computer systems in March, after which it alerted regulators and hired a cybersecurity firm to investigate the breach.

The company, whose shares were down over 2%, noticed the suspicious activity on March 19 and acted quickly to “to shut down the event and prevent further unauthorized access”, it said in an emailed statement.

The breach affected personal information of some guests, employees and crew for Carnival Cruise Line, Holland America Line, Princess Cruises and medical operations, Carnival said.

“There is evidence indicating a low likelihood of the data being misused,” the company added.

 

Miami-based Carnival also said it alerted individuals whose data had been compromised and set up a call center to respond to their queries.

Invenergy

week22-2021-invenergy

Ransomware group REvil has claimed responsibility for a recent cyber-attack on a multinational renewable energy company based in the United States.

Invenergy LLC, which is headquartered in Chicago, launched an investigation after unauthorized activity was detected on some of its systems.

In a statement issued on Friday, the company said that “At no time were Invenergy’s operations impacted, and no data was encrypted.” 

Invenergy added that it was complying with data breach disclosure regulations and that it “has not paid and does not intend to pay any ransom.”

Ransomware group REvil declared on its dark website that it had carried out the cyber-attack on Invenergy. The gang claims to have compromised the company’s computer systems and exfiltrated four terabytes of data. 

Among the information allegedly taken by REvil are contracts and project data. The gang further claims to have obtained “very personal and spicy” information regarding Invenergy’s chief executive officer, Michael Polsky. 

REvil says it has accessed Polsky’s personal emails, sensitive details about his divorce from his first wife, Maya, and photographs in which the billionaire magnate is compromised. 

CVS Health

week22-2021-cvshealth

In another example of misconfigured cloud services impacting security, over a billion records belonging to CVS Health have been exposed online.

On Thursday, WebsitePlanet, together with researcher Jeremiah Fowler, revealed the discovery of an online database belonging to CVS Health. The database was not password-protected and had no form of authentication in place to prevent unauthorized entry.

Upon examination of the database, the team found over one billion records that were connected to the US healthcare and pharmaceutical giant, which owns brands including CVS Pharmacy and Aetna. 

The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information — such as whether visitors to the firm’s domains used an iPhone or Android handset — as well as what the team calls a “blueprint” of how the logging system operated from the backend. 

Search records exposed also included queries for medications, COVID-19 vaccines, and a variety of CVS products, referencing both CVS Health and CVS.com.

“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” the report states. 

Intuit

week22-2021-intuit

Financial software company Intuit has notified TurboTax customers that some of their personal and financial information was accessed by attackers following what looks like a series of account takeover attacks.

In a breach notification letter sent to affected customers earlier this month, the company said that this was not a “systemic data breach of Intuit.”

In account takeover attacks, cybercriminals gain access to their victims’ accounts using credentials stolen from other online services following past data breaches.

This type of attack works incredibly well against targets who use the same login credentials for multiple sites or services.

“We have more than 100 million customers and see billions of transactions per year with ATO notifications going to less than .0003% of customers and some of those confirmed by the customer after the fact as their activity (not an ATO),” Rick Heineman, Intuit Corporate Communications Vice President, told BleepingComputer.