Here’s your weekly data breach news roundup:

University Medical Center, Electromed, Murata, SeniorAdvisor, Chanel, StarHub, University of Kentucky, Tea Party Patriots, Calgary Parking Authority, and OneMoreLead.

University Medical Center

University Medical Center is notifying patients of a data breach that occurred in mid-June, and offering free identity protection services for those who were affected.

The data breach was “by a well-known group of cybercriminals that seek to use the information for commercial gain,” according to UMC.

Letters received this week in the Las Vegas valley indicate that the breach occurred on June 14 and was shut down the following day, according to UMC officials.

UMC says it notified the FBI and Metro police of the breach.

8NewsNow first reported the breach on June 30, but the hospital denied the breach occurred at that time.

“We have no evidence to date that UMC’s clinical systems, including those interfaced with our electronic health record, were accessed,” the letter says. “However, we have determined that certain files on our network servers were compromised.”

Among the information exposed during the cyberattack: names, addresses, dates of birth and social security numbers. UMC also says “certain protected health information” was compromised, although, “We have no direct evidence of the misuse of your specific information.”

Electromed

An unauthorized person or group jacked into systems at Electromed Inc., a maker of products that relieve chronic respiratory conditions, and obtained data on customers and employees.

In disclosing the data breach, Electromed said Monday it has no indication that any customer information has been used inappropriately.

“We have not received any reports of identity theft associated with this incident,” the company said in a statement. “We are beginning to notify involved individuals so they can take steps to help protect their information.”

The New Prague-based company said it would provide credit monitoring and identity theft protection services to the people whose data was obtained. It told customers and employees to closely review statements from health care providers and insurers.

Murata

An official with Japanese electronic components manufacturer Murata has released an apology for the leak of thousands of files in June that contained bank account information for employees and business partners of the company.

Norio Nakajima, CEO of Murata Manufacturing, released a statement apologizing for an incident on June 28 when a subcontractor downloaded a project management data file containing 72,460 pieces of information.

More than 30,000 documents contained business partner information like company name, address, associated names, phone numbers, email addresses and bank account numbers. The companies are based in Japan, China, the Philippines, Malaysia, Singapore, the US and the EU, but the enterprises “subject to customer information are only China and the Philippines.”

Over 41,00 documents about employees were in the leak as well, similarly containing names, addresses and bank account numbers. The employees were based in the company’s offices in Japan, China, the Philippines, Singapore, the US and the EU.

SeniorAdvisor

Millions of senior citizens in North America have had their personal information compromised following a breach at senior care review website SeniorAdvisor, according to WizCase.

The researchers, led by Ata Hakcil, discovered a misconfigured Amazon S3 bucket owned by SeniorAdvisor, a company that displays consumer ratings and reviews for senior care services across the US and Canada.

The misconfigured bucket left the personal data of more than three million people, labeled “leads,” exposed. This included names, emails, phone numbers and dates contacted. In total, it contained more than one million files and 182GB of data, none of which was encrypted, and no password or login credentials were required to access it.

WizCase believes the files are from 2002-2013 based on the contact dates, although the files were timestamped in 2017.

Chanel

Chanel Korea, the local seller of Chanel-branded goods, has issued an apology to its customers over a data breach incident that exposed their sensitive information. The notice claims that hackers managed to break into data centers managed by Chanel Korea between August 5 and August 6, 2021. Since this is where customer data is stored, it is possible that sensitive information was accessed or even copied.

The types of data that were held by Chanel include the following:

  • Full name
  • Birthday
  • Phone number
  • Product purchase list
  • Physical address (optional)
  • Gender (optional)
  • Email address (optional)

StarHub

StarHub says personal data of its customers, including email addresses and mobile numbers, has been found on a dump site. The Singapore telco, however, insists none of its customer databases or data systems has been breached.

The data breach was discovered during “proactive online surveillance” on July 6 by its cybersecurity team, StarHub said in a statement late Friday unveiling the breach.

On its website informing customers of the incident, the telco said it needed “time” to investigate the incident and assess the impact before confirming the breach publicly. The relevant authorities, however, were informed of the breach. 

According to its statement to local media, StarHub said an illegally uploaded file containing the leaked data was found on a third-party data dump website. It added that the information appeared to date back to 2007. 

University of Kentucky

The University of Kentucky said it discovered a security breach of one of its test-taking platforms during a scheduled security penetration test carried out by a third party in early June.

The breach affected the university’s Digital Driver’s License (DDL) platform, a web-based portal the university developed in the early 2000s as part of an education program called Open-source Tools for Instructional Support (OTIS).

The DDL’s primary purpose is to provide free online teaching and test-taking capabilities to K-12 schools and colleges in Kentucky and other US states. The platform is also used by the university for some of its own test-taking capabilities.

The DDL breach was discovered in early June when the university carried out scheduled penetration tests of its platforms with the help of a third party.

The test uncovered a vulnerability in the DDL platform. When the university investigated further, it discovered that the vulnerability had been exploited earlier in the year.

Tea Party Patriots

Tea Party Patriots, a major conservative organization that bills itself as one of the largest grassroots groups on the right, was in fact heavily backed by three ultra-wealthy individuals in recent years, according to internal data reviewed by The Intercept.

The largest donor was Texas billionaire Christopher Goldsbury, who made his fortune selling the salsa company Pace Foods to Campbell Soup in 1994. On September 11, 2019, Goldsbury donated $1 million to the TPP Foundation via wire transfer. According to tax documents, the TPP Foundation took in $1.2 million in revenue that year. Goldsbury had been a TPP member since 2014 and had already donated $20,000 to TPP’s three separate organizations in previous years. Goldsbury did not respond to a request for comment.

Meanwhile, activity by the group’s members appears to have waned. The Intercept found just 144,000 members marked “active” in the online data, versus claims on the TPP website of a “network of 3 million activists,” of “more than 3 million supporters,” and of “over 3 million patriots.” Data from local chapters show members are clustered in fast-growing areas like Colorado and all along the Sun Belt, from California through Arizona, Texas, Georgia, and Florida.

Calgary Parking Authority

In total, CPA exposed 502 GB worth of data without any security authentication.

Anurag Sen, a security researcher, identified a data leak in which a server belonging to the Calgary Parking Authority (CPA) was found exposing the private information of thousands of drivers across Calgary, including some user passwords.

It is worth noting that CPA oversees around 14% of the region’s paid parking spots. Drivers pay the charges and book a spot online or via the phone app, where they are required to enter their payment details and their vehicle’s license plate number.

OneMoreLead

OneMoreLead, a B2B sales and marketing SaaS company, has exposed an ElasticSearch instance online without securing it properly, leaking 34 GB of data containing 126 million records. If there are no duplicates in the data set, the total number of people who may have been exposed due to this incident is 126 million, mostly from the United States. The leaked data was discovered by the vpnMentor team, led by R. Locar and N. Rotem, who shared their report with TechNadu prior to publication.