Here’s your weekly data breach news roundup:

Renown, Mercedes-Benz, Aultman Health Foundation, DreamHost, New York state government’s IT department, Medicaid Contractor, French Connection (FCUK), Made in Oregon, Workforce West Virginia, Patari, Wolfe Eye Clinic, Cybersecurity firm Cognyte, Reproductive Biology Associates (RBA) fertility clinic, and Korea Atomic Energy Research Institute (KAERI).

Renown Health

Renown announced a data breach involving health information of patients residing in Nevada and neighboring states.

Officials say in the first week of April, Elekta’s first-generation cloud-based storage system experienced a data breach.

Following the breach, Elekta hired a forensic investigator to launch an investigation to determine the nature and scope of the suspicious activity.

On April 22, the forensic investigation confirmed that there was access to protected health information (PHI) as a result of the breach.

Officials say the following types of PHI belonging to Renown Health patients residing in Nevada or neighboring states may have been involved in the incident:

  • full name
  • social security number
  • address
  • date of birth
  • height
  • weight
  • medical diagnosis
  • medical treatment details
  • appointment confirmations
  • other information

Mercedes-Benz

Mercedes-Benz USA has just disclosed a data breach impacting some of its customers.

The company assessed 1.6 million customer records which included customer names, addresses, emails, phone numbers, and some purchased vehicle information to determine the impact.

It appears the data breach exposed credit card information, social security numbers, and driver license numbers of under 1,000 Mercedes-Benz customers and potential buyers.

On June 11th, a Mercedes-Benz vendor informed the company that the personal information of select customers was exposed due to an insufficiently secured cloud storage instance.

According to the company, the breach affects some customers and potential vehicle buyers who had entered sensitive information on Mercedes-Benz company and dealer websites between 2014 and 2017:

“It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014 and June 19, 2017.”

“No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

“Data security is a serious matter for MBUSA. Our vendor confirmed that the issue is corrected and that such an event cannot be replicated.”

“We will continue our investigation to ensure that this situation is properly addressed,” said Mercedes-Benz in a press release.

Aultman Health Foundation

More than 7,000 Aultman Health Foundation patients may have had their private records accessed by a former worker as part of a privacy breach, the hospital system announced Friday.

The former Aultman employee accessed patient information outside the scope of his or her job duties between Sept. 14, 2009, and April 26, 2021.

The employee may have accessed patients’ names, addresses, birthdays, Social Security numbers, insurance information, and diagnosis and treatment information, the hospital system said.

“Upon discovering this, the employee’s access to Aultman’s electronic health record system was suspended, and an investigation was conducted to determine the nature and scope of the incident,” Aultman said.

DreamHost

A huge database belonging to one of the world’s largest web hosts, Los Angeles-based DreamHost, was left open online earlier this year, leaking names, usernames and email addresses of its customers, a cybersecurity researcher has warned. 

The data, wrapped up in a database containing 815 million records, also included administrator and user information for DreamPress, DreamHost’s widely used service for WordPress websites. The data appeared to date back at least three years to 2018, though it’s unclear how long the database was openly accessible. Combined, the data could have been used in attempts to break into users’ accounts, warned Jeremiah Fowler, an independent cybersecurity researcher who partnered with Website Planet, a website for web developers, to disclose the leak. 

“All a criminal would have to do is send an email saying please update your password and send them to a cloned page and capture any password the victim would enter,” Fowler told Forbes. “Also domain theft is another dangerous issue and once a criminal has private information about the account they could try to steal the domain. This information should only be known by the registrar or hosting provider and the client, so to have this information leaked creates another challenge.”

New York state government’s IT department

A code repository used by the New York state government’s IT department was left exposed on the internet, allowing anyone to access the projects inside, some of which contained secret keys and passwords associated with state government systems.

The exposed GitLab server was discovered on Saturday by Dubai-based SpiderSilk, a cybersecurity company credited with discovering data spills at Samsung, Clearview AI and MoviePass.

Organizations use GitLab to collaboratively develop and store their source code — as well as the secret keys, tokens and passwords needed for the projects to work — on servers that they control. But the exposed server was accessible from the internet and configured so that anyone from outside the organization could create a user account and log in unimpeded, SpiderSilk’s chief security officer Mossab Hussein told TechCrunch.

Medicaid Contractor

Maximus Corp., a global provider of government health data services, says a data breach exposed the personal information of more than 334,000 Medicaid healthcare providers nationwide.

The company says in a statement provided to Information Security Media Group that on May 19, it discovered an unauthorized party had accessed one of its applications related to Medicaid provider credentialing and licensing with the Ohio Department of Medicaid between May 17 and May 19.

“This incident did not affect patient or Medicaid beneficiary information. Some personal information about healthcare providers may have been impacted, including names, dates of birth and Social Security numbers,” the company states.

A breach notification provided to the Montana attorney general’s office says Medicaid providers’ Drug Enforcement Agency numbers also may have been exposed in the breach.

French Connection (FCUK)

Cheeky clothing firm French Connection, also known as FCUK, has become the latest victim of ransomware, with a gang understood to be linked to REvil having penetrated its back-end – making off with a selection of private internal data.

Founded in 1972 by current chief executive Stephen Marks, French Connection made a name for itself when it adopted the not-actually-rude-honest slogan “FCUK” in its advertising in the early 2000s. Originally founded as a mid-market women’s fashion brand, the company has since expanded into menswear, watches, toiletries, and even glasses.

Sadly, attackers understood to be related to the REvil ransomware gang needed no such optical enhancements to spot a security vulnerability in the company’s back-end systems. As a result, they’ve made off with a trove of internal company data.

Passport and identification card scans seen by The Register have been used by the gang as proof-of-breach, covering a range of staff members – including founder and chief executive Marks, chief financial officer Lee Williams, and chief operating officer Neil Williams.

Made in Oregon

‘Made in Oregon,’ the Portland-based online gift retailer that operates on the “madeinoregon.com” domain, has disclosed a massive security breach that involves highly sensitive data of its customers. More specifically, “magecart” actors planted a data skimmer on its website and siphoned everything that customers entered on the order forms between the first week of September 2020 and the last week of March 2021. That’s a lot of time, and it should correspond to a voluminous set of stolen data.

As per the details provided in the notice of the data breach that was shared with the relevant data protection authorities in the U.S., clients of ‘Made in Oregon’ should consider the following exposed:

  • Full name
  • Billing address
  • Shipping address
  • Email address
  • Credit Card information used for purchases

Workforce West Virginia

West Virginia Governor Jim Justice confirmed a new data breach at Workforce West Virginia.

Constituents have told 13 News they have received letters stating their information could be at risk for identity theft. Workforce West Virginia says they have concluded their investigation into the “potential security incident.” They say it involved the Mid Atlantic Career Consortium Employment Services database, which is the MACC website.

According to Workforce WV, they learned on April 13, 2021, an “unauthorized individual” had accessed the job seekers database. The organization says they immediately took the system offline, took steps to make sure the network was secure and began an investigation. The investigation also included hiring a computer forensic firm to help determine what had happened and what information may have been accessed.

“Mitigating any potential risk for constituents continues to be our top priority,” said Scott Adkins, acting commissioner of WorkForce West Virginia. “Constituents should follow the guidance provided in the letter they received from WorkForce if they have any questions.”

Patari

Patari, or Patari.pk, a Pakistani music streaming site, has suffered a data breach in which its database containing personal data and login credentials of over 257,000 registered users has been leaked on English and Russian language hacker forums.

The exact date of the data breach remains unknown; however, the database was dumped online on June 13th, 2021.

It is worth noting that Patari claims to be the home to “the largest music streaming service in Pakistan.”

According to Hackread.com’s analysis, the database contains the following records:

  • Full names/Usernames
  • Email addresses
  • Password hashes (unsalted MD5)
  • Playlists
  • Avatar links

Wolfe Eye Clinic

A data breach at US healthcare provider Wolfe Eye Clinic has potentially exposed the personal data of half a million past and present patients, including protected medical information in some cases.

In a security advisory released yesterday (June 22), the clinic said it had been the target of a “cyber-attack”, but did not release further details about the system compromise.

The incident happened on February 8, 2021, said the organization, but “given the complexity and scale of the cyber-attack detected, the full scope of information potentially impacted was not fully realized until May 28, 2021.”

Wolfe Eye Clinic, based in Iowa, is now in the process of notifying the 500,000 individuals whose personal data may be at risk.

For some, this information may include their name, mailing address, date of birth, and Social Security number – for others it could also include protected medical and health information.

Cybersecurity firm Cognyte

In recent news, a cybersecurity analytics firm, Cognyte, was found to be responsible for leaving a huge database unsecured, which led to more than 5 billion records being exposed online.

The database could be accessed by anyone and did not require any sort of authorization or authentication. It appears to be rather ironic that the database was made for the purpose of cross-checking whether the personal information of any client was present in the known breaches that were stored there. However, that database itself turned out to be exposed. 

This discovery was made by researchers at Comparitech who found out that the information leaked included:

  • Names
  • Passwords
  • Email addresses
  • Original source of the leak.

The data was stored on an Elasticsearch cluster and in total, there were 5,085,132,102 records. This data may or may not have been accessed by a number of third parties; there really is no way of telling.

Reproductive Biology Associates (RBA) - fertility clinic

A Georgia-based fertility clinic has disclosed a data breach after files containing sensitive patient information were stolen during a ransomware attack.

Reproductive Biology Associates, LLC, (RBA) is a fertility clinic that recruits egg donors, retrieves eggs, and stores them for later use by recipients, including those using the MyEggBank service.

MyEggBank works with multiple fertility centers around the USA, including RBA, to recruit egg donors and create an egg bank where potential recipients can search for a matching egg donor.

In a data breach notification issued by both RBA and its affiliate MyEggBank, RBA states that they first learned that they were hit by a ransomware attack on April 16th, 2021, when “a file server containing embryology data was encrypted and therefore inaccessible.”

However, they believe the attackers first gained access to their systems on April 7th and a server containing health information on April 10th.

When ransomware attacks occur, threat actors usually breach a particular system on the network and spend a few days to a week quietly spreading throughout the network while stealing files and deleting backups.

Korea Atomic Energy Research Institute (KAERI)

South Korea’s ‘Korea Atomic Energy Research Institute’ disclosed yesterday that their internal networks were hacked last month by North Korean threat actors using a VPN vulnerability.

The Korea Atomic Energy Research Institute, or KAERI, is the government-sponsored institute for the research and application of nuclear power in South Korea.

The breach was first reported earlier this month when South Korean media Sisa Journal began covering the attack. At the time, KAERI initially confirmed and then denied that the attack occurred.

In a statement and press conference held yesterday by KAERI, the institute has officially confirmed the attack and apologized for attempting to cover up the incident.