Here’s your weekly data breach news roundup:

Iran rail network, Dotty’s, Classic Football Shirts, Practicefirst Medical Management Solutions, CNA Financial Corporation, Coursera, Morgan Stanley, GETTR, Republican National Committee, MasMovil, and Arthur J. Gallagher (AJG).

Iran rail network

Train services in Iran were delayed by apparent cyberattacks on Friday, with hackers posting the phone number of the country’s supreme leader as the number to call for information, state-affiliated news outlets reported.

Trains were delayed or canceled as ticket offices, the national railway’s website and cargo services were disrupted, with “unprecedented chaos at railway stations across the country,” the state broadcaster IRIB reported.

A notice on electronic boards at stations asked travelers to call a number which in fact belonged to the office of Supreme Leader Ayatollah Ali Khamenei, IRIB and the semi-official news agency Fars said.

“Long delays due to cyberattacks,” said another notice on station boards, Fars added.

IRIB later quoted a state railway company spokesman as saying technicians were checking the disruptions and denying that there were major delays.

Dotty’s

Dotty’s is informing affected customers that it was recently the victim of a cyberattack. The company says personal information, including names, dates of birth, and driver’s license numbers, was stolen.

Dotty’s operates about 120 gaming taverns in Nevada that feature slots and video poker. The chain is owned by Craig Estey and his Nevada Restaurant Services (NRS).

“In January 2021, NRS identified the presence of malware on certain computer systems in our environment. We immediately commenced an investigation to determine the full nature and scope of the incident and to secure our network,” a letter to impacted patrons explains.

Classic Football Shirts

A firm selling retro football team shirts and merchandise has apologised to customers after a cyber-attack in which their data was accessed.

Classic Football Shirts said customers’ details had been accessed through one of its third-party providers’ systems.

Some customers complained of receiving emails offering cashback on their previous orders.

The firm is now telling customers not to follow the link if they have received the cashback phishing email.

Classic Football Shirts said it became aware of the cashback emails at 20:30 on Thursday night – half an hour after they were sent.

The firm believes password data and payment information have not been compromised.

But in a Twitter post, the company urged customers to be “vigilant” and to contact their bank to cancel their cards if they had supplied their card information via the link in the cashback email.

Practicefirst Medical Management Solutions

Practicefirst Medical Management Solutions and PBS Medcode recently notified 1.2 million patients that their data was accessed and stolen from its network, ahead of a ransomware attack deployed on Dec. 25, 2020.

Practicefirst is a medical management company that provides data processing, billing, and coding services for health care providers.

On Dec. 30, the vendor discovered an attacker attempting to deploy ransomware on its system. Officials said they shut down the system, performed a system-wide password reset, alerted law enforcement, and contracted with an outside privacy and security firm.

A review found the actors copied files from the network during the hack, including patient and employee information.

The stolen information varied by patient and could include names, contact details, dates of birth, Social Security numbers, driver’s license numbers, medical information, patient identification numbers, bank account details, credit card information, and employee usernames, passwords, and security questions and answers, among other sensitive data.

CNA Financial Corporation

CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March.

CNA is considered the seventh-largest commercial insurance firm in the US, according to statistics from the Insurance Information Institute.

The company provides an extensive array of insurance products, including cyber insurance policies, to individuals and businesses across the US, Canada, Europe, and Asia.

“The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021,” CNA said in breach notification letters mailed to affected customers today.

“During this time period, the threat actor copied a limited amount of information before deploying the ransomware.”

The data breach reported by CNA affected 75,349 individuals, according to breach information filed with the office of Maine’s Attorney General.

After reviewing the files stolen during the attack, CNA discovered that they contained customers’ personal information such as names and Social Security numbers.

Coursera

Researchers have discovered multiple application programming interface (API) issues in Coursera, the online learning platform used by 82 million learners and hundreds of Fortune 500 companies.

On Thursday, the Checkmarx Security Research Team published a report on its findings, which included user and account enumeration via the reset password feature, lack of resource limiting on both a GraphQL and a REST API, a GraphQL misconfiguration, and the whopper of them all: a Broken Object Level Authorization (BOLA) issue that affects users’ preferences.

BOLA is at the top of OWASP’s Top 10 list of API security issues, given how easy these issues are to exploit and how tough it is to defend against the threat “in an organized way.”

Coursera’s BOLA issue, now fixed, meant that “anonymous users” could retrieve, and change, user preferences, according to the report, written by security researcher Paulo Silva. Some of the user preferences, such as recently viewed courses and certifications, also leaked some metadata: for example, activity date and time.
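To make the BOLA pattern concrete, here is an added example (not Coursera’s code, and not from the Checkmarx report) of a per-user preferences endpoint written twice: once with the defect, where the object id taken from the URL is used as-is, and once hardened, where the record is selected from the authenticated session and the client-supplied id is only checked against it. The store, user ids, `Request` shape and handler names are all constructed for this illustration.

```python
"""Object-level authorization on a per-user preferences endpoint.

Added example, not Coursera's code. The store, user ids, request shape and
handler names are all constructed here to show the BOLA pattern and its fix.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


def make_store() -> dict:
    """Constructed sample data: one preferences record per user id."""
    return {
        "user-1001": {"recently_viewed": ["ml-101"], "last_activity": "2021-07-01T10:00:00Z"},
        "user-1002": {"recently_viewed": ["sec-201"], "last_activity": "2021-07-02T09:30:00Z"},
    }


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical): the authenticated
    principal from the session (None = anonymous), the object id the client
    put in the URL, and a JSON body for updates."""
    authenticated_user: Optional[str]
    target_user_id: str
    body: dict = field(default_factory=dict)


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


# --- Vulnerable: the object id comes from the client and is used as-is --------

def get_preferences_vulnerable(store: dict, req: Request) -> dict:
    """BOLA: no check that the caller may read this object, so anyone,
    including an anonymous caller, can read any user's preferences."""
    return store[req.target_user_id]


def update_preferences_vulnerable(store: dict, req: Request) -> dict:
    """Same defect on the write path: any caller can change any user's record."""
    store[req.target_user_id].update(req.body)
    return store[req.target_user_id]


# --- Hardened: select the object from the session, not from client input -------

def _owner_of_request(req: Request) -> str:
    """Require authentication, then require that the requested object belongs
    to the authenticated principal. Returning the session identity (rather
    than req.target_user_id) is what prevents object substitution."""
    if req.authenticated_user is None:
        raise Unauthorized("authentication required")
    if req.target_user_id != req.authenticated_user:
        raise Forbidden("object belongs to another user")
    return req.authenticated_user


def get_preferences_hardened(store: dict, req: Request) -> dict:
    owner = _owner_of_request(req)
    return store[owner]


def update_preferences_hardened(store: dict, req: Request) -> dict:
    owner = _owner_of_request(req)
    # Allow-list client-writable fields so server-managed metadata
    # (activity timestamps) cannot be altered through the update call.
    writable = {"recently_viewed"}
    store[owner].update({k: v for k, v in req.body.items() if k in writable})
    return store[owner]


def outcome(handler: Callable[[dict, Request], dict], store: dict, req: Request) -> str:
    """Run a handler and summarise the result as a string, for comparing the
    two implementations side by side."""
    try:
        handler(store, req)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    anon = Request(authenticated_user=None, target_user_id="user-1002")
    other = Request(authenticated_user="user-1001", target_user_id="user-1002",
                    body={"recently_viewed": ["x"]})
    print("anonymous read, vulnerable:  ", outcome(get_preferences_vulnerable, make_store(), anon))
    print("anonymous read, hardened:    ", outcome(get_preferences_hardened, make_store(), anon))
    print("cross-user write, vulnerable:", outcome(update_preferences_vulnerable, make_store(), other))
    print("cross-user write, hardened:  ", outcome(update_preferences_hardened, make_store(), other))
```

The detection angle follows from the same observation: an object-level authorization check belongs in the handler (or a shared authorization layer), not in the client, and a request whose URL object id differs from the session identity is exactly the event worth logging and alerting on.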

Morgan Stanley

Morgan Stanley suffered a data breach that exposed sensitive customer data, and it became the latest known casualty of hackers exploiting a series of now-patched vulnerabilities in Accellion FTA, a widely used third-party file-transfer service.

The data obtained included names, addresses, dates of birth, Social Security numbers, and affiliated corporate company names, Morgan Stanley said in a letter first reported by Bleeping Computer. A third-party service called Guidehouse, which provides account maintenance services to the financial services company, was in possession of the data at the time. Unknown hackers obtained the data by exploiting a series of vulnerabilities that came to light in December and January.

GETTR

Newly launched social site GETTR suffered a data breach after a hacker claimed to use an unsecured API to scrape the private information of almost 90,000 members and then shared the data on a hacking forum.

GETTR is a new pro-Trump social media platform created by former Trump advisor Jason Miller as an alternative to Twitter.

As first seen by Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, a group of hackers found an unsecured application programming interface (API) that allowed them to scrape the data for 87,973 GETTR members.

After compiling the information, the data was published to a well-known hacking forum commonly used to share databases stolen during data breaches.

Republican National Committee

Russian government hackers breached the computer systems of the Republican National Committee last week, around the time a Russia-linked criminal group unleashed a massive ransomware attack, according to two people familiar with the matter.

The government hackers were part of a group known as APT 29 or Cozy Bear, according to the people. That group has been tied to Russia’s foreign intelligence service and has previously been accused of breaching the Democratic National Committee in 2016 and of carrying out a supply-chain cyberattack involving SolarWinds Corp., which infiltrated nine U.S. government agencies and was disclosed in December.

MasMovil

Spain’s fourth-largest telecom operator, MasMovil Ibercom or MasMovil, is the latest victim of the infamous REvil ransomware gang (aka Sodinokibi).

On its official blog accessible via Tor browser, as seen by Hackread.com, the ransomware operator claims to have “downloaded databases and other important data” belonging to the telecom giant.

As proof of its hack, the group has also shared screenshots, apparently of the stolen MasMovil data, showing folders named Backup, RESELLERS, PARLEM, and OCU, among others.

It is worth noting that, at the time of publishing this article, MasMovil had acknowledged the ransomware attack; however, there was no ransom demand from the REvil gang.

Arthur J. Gallagher (AJG)

Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to potentially impacted individuals following a ransomware attack that hit its systems in late September.

“Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020 and September 26, 2020,” AJG said.

As one of the largest insurance brokers in the world, AJG has over 33,300 employees and its operations span 49 countries.

The company is also ranked 429 on the Fortune 500 list, and it reportedly provides insurance services to customers from more than 150 countries.