
Here’s your weekly #databreach news roundup:

Proud Makatizen, Woolworths, Customer.io, WellDyneRx, Benefit Plan Administrators, Chinese Citizens, and Dodo Point.

Proud Makatizen


THE Makati City government said that no personal information of its residents was compromised in the data breach that occurred on its website, Proud Makatizen.

“It is highly irresponsible to claim such a breach and then proceed to make a sweeping conclusion that the city government has been remiss in its responsibility to protect personal data,” Makati City spokesman Michael Camiña said in a statement on Wednesday.

Camiña said the alleged system that has been breached was a former development server containing fictitious test data that is no longer online.

Woolworths


Supermarket giant Woolworths has reiterated its claim that there have been no security breaches surrounding user data in its Everyday Rewards loyalty program, stressing scammers are the likely culprits behind a growing number of complaints of hackers accessing accounts.

Speaking with Yahoo News Australia, a spokesperson for Everyday Rewards said he believes fraudsters are accessing valid login or account details from online scams and other sources.

This comes amid complaints by members of a Facebook group who claim their accounts were hacked and points stolen.

Customer.io


A data breach involving online contact information for millions of individuals tied to a rogue employee at an email delivery vendor is even larger than initially believed, the vendor is disclosing.

Customer.io says a now-fired senior engineer transferred to an unnamed external party email addresses gathered by six clients.

The company is not revealing how many emails are now at heightened risk of phishing attempts as a result of the “deliberate actions” of the former employee.

Non-fungible token marketplace platform OpenSea partially divulged the incident late last month when it warned anyone who had ever shared an email address with it about the unauthorized transfer of contact information. Approximately 1.9 million users have made at least one transaction on the platform, shows data from blockchain market firm Dune Analytics.

Customer.io did not identify the other affected companies to Information Security Media Group or specify the sectors in which they operate. The affected parties have been alerted, the company says.

WellDyneRx


WellDyneRx, LLC reported a data breach after the company discovered unauthorized activity within one of the company’s email accounts. As a result of the breach, the names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, health insurance information, contact information, prescription information, and other medical and healthcare-related information of certain individuals were accessible to an unauthorized party. More recently, on July 1, 2022, WellDyneRx, LLC filed notice with the U.S. Department of Health and Human Services Office for Civil Rights regarding a December 2021 data breach, indicating that the company estimates the breach affected 38,401 individuals.

Benefit Plan Administrators


Benefit Plan Administrators, Inc. confirmed that the company experienced a data breach after an unauthorized party gained access to the company’s computer network and the sensitive consumer data contained on the network. According to BPA, the breach resulted in the full names, Social Security numbers, addresses, dates of birth, gender classification, claims information, medication information, and medical diagnosis/conditions information being compromised. On June 15, 2022, BPA filed an official notice of the breach and sent out data breach letters to all affected parties.

Chinese Citizens

A prominent Chinese tech CEO has cited human error as the likely reason hackers got their hands on the personal data of 1 billion people in China from a Shanghai police database and then put some of it up for sale on illicit online markets.

A government developer wrote a blog post on the China Software Developer Network (CSDN) that accidentally included the credentials to the system where the data was stored, Zhao Changpeng, CEO of cryptocurrency exchange Binance, said on Twitter Monday. CSDN is one of the largest developer networks in China.

“Apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials,” Changpeng, who goes colloquially and on Twitter by the moniker “CZ,” wrote in the tweet. His post included a screenshot of the offending code that was included in the blog post.

Dodo Point

According to the Website Planet security team, a recent incident affected the Dodo Point loyalty point service platform and resulted in a huge exposure of personal data.

Dodo Point is operated by Yanolja Cloud in South Korea. The service is based on users’ phone numbers. Customers enter their phone numbers in restaurants or stores via a tablet (Figure A) and are then credited with their rewards.

An Amazon bucket used by the company was not secured: No authentication protocol had been deployed, and no data encryption had been used on the storage, resulting in the exposure of around 73,000 files, representing over 38GB of data.

Amazon is not responsible for the misconfiguration of Dodo Point’s bucket, as the security of a bucket is the responsibility of the Amazon customer.

WeWork India

WeWork India has fixed a security lapse that exposed the personal information and selfies of tens of thousands of people who visited WeWork India’s coworking spaces.

Security researcher Sandeep Hodkasia found visitor data spilling from the check-in app on WeWork India’s website, used by visitors to sign in at the dozens of WeWork India locations across the country. A bug in the app meant it was possible to access the check-in record of any visitor by increasing or decreasing the visitor’s sequential user ID by one.

Because the check-in tool was internet-facing, the bug allowed anyone on the internet to cycle through thousands of records, exposing names, phone numbers, email addresses and selfies. Hodkasia said there were no obvious controls in place to prevent someone from accessing the data in bulk.
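The bulk access Hodkasia describes leaves a recognisable trace in web server logs: one client walking record IDs in steps of one. The detection heuristic below is an added example, not code from WeWork India or the article; the log lines and the `/checkin/visitor/<id>` path are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real WeWork India traffic). Format per line:
# "<client_ip> <method> <path> <status>". The path is a hypothetical one.
SAMPLE_LOG = """\
203.0.113.7 GET /checkin/visitor/1041 200
203.0.113.7 GET /checkin/visitor/1042 200
203.0.113.7 GET /checkin/visitor/1043 200
203.0.113.7 GET /checkin/visitor/1044 200
203.0.113.7 GET /checkin/visitor/1045 200
198.51.100.9 GET /checkin/visitor/2077 200
198.51.100.9 GET /checkin/visitor/2077 200
198.51.100.22 GET /checkin/visitor/880 200
198.51.100.22 GET /checkin/visitor/881 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) /checkin/visitor/(\d+) (\d{3})$")


def parse_log(text):
    """Yield (client_ip, visitor_id, http_status) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(3)), int(m.group(4))


def enumeration_suspects(log_text, min_run=4):
    """Return {client_ip: longest_run} for clients whose successful record
    fetches step through visitor IDs by +1 or -1 for at least min_run requests.
    A single user re-opening their own record never produces such a run."""
    ids_by_client = defaultdict(list)
    for ip, vid, status in parse_log(log_text):
        if status == 200:  # only records that were actually served
            ids_by_client[ip].append(vid)
    suspects = {}
    for ip, ids in ids_by_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            suspects[ip] = longest
    return suspects
```

Flagging is only a stopgap; the durable fix is to check that the authenticated session owns the requested record (or to key records by an unguessable token) rather than trusting a sequential ID.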