Here’s your weekly #databreach news roundup:

Flagstar Bank, Amagasaki Residents, Yodel, Yale New Haven Hospital, BeanVPN, Weller Truck Parts, Baptist Health System, Simpson University, and Memorial University.

Amagasaki Residents

It’s unlikely that one Japanese man will join his colleagues for after-work drinks again following their last night out, when officials said he lost a USB stick containing the personal data of nearly half a million people.

The man, who has not been named, transferred the data Tuesday and then went to a restaurant with three colleagues, according to Yuji Takeuchi, president of Tokyo-based Biprogy Inc., which was contracted by the Amagasaki city government to manage its financial aid program during the coronavirus pandemic. In a statement on Sunday, Biprogy said the man worked for a company that had been subcontracted by Biprogy’s own subcontractor.

The USB contained the home addresses and bank account details of every one of the 460,000 residents of Amagasaki, officials in the small industrial city in Japan’s Hyogo prefecture said in a statement Thursday. It also identified households receiving public assistance, they said.

Yodel

Delivery company Yodel has found itself the latest victim of a cyber “incident” that has disrupted services.

Rooted firmly to the bottom of the table of best and worst courier firms by consumer campaigner Which?, Yodel has gained popularity and, perhaps, a bit of notoriety in recent years as consumers turned to courier companies rather than venture into physical stores.

Exactly when security problems began is difficult to ascertain, since Yodel’s social media voicebox is crammed full of disgruntled customers wondering where their products are (indeed, this writer had the joy of a piece of hardware being lifted from one of the company’s depots back in 2019, but that’s another story…).

However, by June 21 the company changed its customer service narrative to “Yodel is currently experiencing operational disruption affecting our delivery service.”

Yodel’s website was also updated to reflect that its services were not at all well.

Yale New Haven Hospital

June 22, 2022 – Yale New Haven Hospital (YNHH) informed an undisclosed number of individuals of a healthcare data breach that involved a radiology file. The file was created for research and was accidentally posted on a public-facing website.

YNHH said that the file “may have been accessed by a small number of people.”

After discovering the breach on April 18, YNHH immediately took the file off the website and engaged a third-party forensic firm. The investigation revealed that the file was accessible on the internet between December 16, 2021, and April 18, 2022.  

“The file was made accessible through human error, was inadvertent in nature and was not due to intentional or malicious actions,” the notice stated.

“A review of the file determined it included name, telephone number, email address, age range, preferred language, medical record number, procedure type, and date and location of service.”

YNHH said it has since reviewed its security permissions and will “provide training and guidance to remind employees of their continued need to safeguard patient health information.”

BeanVPN

Free VPN software provider BeanVPN has reportedly left almost 20GB of connection logs accessible to the public, according to an investigation by Cybernews.

The cache of 18.5GB connection logs allegedly contained more than 25 million records, which included user device and Play Service IDs, connection timestamps, IP addresses and more.

Cybernews said it found the database using an ElasticSearch instance during a routine checkup, which the company has now reportedly closed. 

Still, if picked up by malicious actors, the information could be exploited to de-anonymize and thus identify BeanVPN’s users and their approximate location.

“The Play Service ID could also be used to find out the user’s email address that they are signed in to their device with,” explained Aras Nazarovas, a security researcher from Cybernews.

Weller Truck Parts

Weller Truck Parts confirmed that the company experienced a data breach after discovering it was the victim of a malware attack. According to Weller, the names and Social Security numbers of 6,675 individuals were compromised as a result of the breach. On June 10, 2022, Weller filed an official notice of the breach and sent data breach letters to all affected parties.

According to the official notice filed by the company, on October 7, 2021, Weller first became aware of a malware incident when employees noticed that some systems were not working properly. In response, the company secured its systems and then launched a comprehensive investigation into the incident. This investigation confirmed that some information was accessible and may have been copied between October 1, 2021 and October 7, 2021.

Baptist Health System

Baptist Health System confirmed that the company experienced a data breach stemming from an incident in which an unauthorized party gained access to the company’s computer network after installing a line of malicious code on the System’s website. According to the Baptist Medical Center, the breach resulted in the full names, dates of birth, addresses, Social Security numbers, health insurance information, medical information and billing information of affected patients being compromised. On June 16, 2022, Baptist Medical Center filed official notice of the breach and sent out data breach letters to all affected parties. The Baptist Health breach affected more than 1.2 million patients in Texas alone.

Simpson University

Recently, Simpson University discovered that it experienced a data breach in which the sensitive personally identifiable information and protected health information of individuals in its system may have been accessed. Simpson University investigated the breach and determined that employee email accounts were accessed between July 29, 2021, and September 12, 2021. On June 9, 2022, Simpson University began notifying individuals whose information may have been impacted. The type of information exposed includes:

  • Name
  • Social Security number
  • Date of birth
  • Passport number
  • Driver’s license number or state identification number
  • Student ID number
  • Financial account number
  • Debit or credit card number
  • Username or email address with password
  • Health insurance information
  • Medical treatment or diagnosis information
  • Education record

Memorial University

The personal information of about 15,000 students at Memorial University was accidentally shared with other students in an inadvertent data breach, the university said Friday.

The breach happened on Thursday as part of an email campaign from the school’s career development email.

About 1,000 students received emails that contained other students’ personal information, according to a statement from Memorial.

Leaked details included names, email addresses, student numbers and programs of study, according to an email that was sent to affected students and which CBC News has obtained.

Affected students were immediately contacted when the breach was discovered, and were instructed to delete any emails they had been sent.

The university says other sensitive information like health information, social insurance numbers and financial information wasn’t a part of the breach.

Flagstar Bank

Flagstar Bank, one of the largest financial service providers in the United States, has notified more than 1.5 million customers of a data breach in which Social Security numbers were stolen — its second incident in two years.

In a letter sent to those affected, Michigan-headquartered Flagstar revealed that hackers breached its corporate network between December 3 and December 4, 2021. After an investigation, the bank discovered on June 2, 2022 that the threat actors accessed sensitive customer details.

“Flagstar recently experienced a cyber incident that involved unauthorized access to our network,” the company said in the letter. “Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents and reported the matter to federal law enforcement.”