
Here’s your weekly data breach news roundup:

Microsoft’s Power Apps, Nokia subsidiary, T-Mobile, Navalny Supporters, AT&T, city of Rolle, Fujitsu, EskyFun (developer of Android games), The University Medical Center Southern Nevada, and Ryan Specialty Group.

City of Rolle

Local officials with the city of Rolle, located near Lake Geneva in Switzerland, have acknowledged that they initially misjudged the impact of a recent ransomware attack that reportedly led to the leak of residents’ data on the darknet.

Monique Choulat Pugnale, the administrative chief of Rolle, initially downplayed the impact, saying in a statement given to news agency 24 heures that it had been a “weak attack.”

But after the Swiss news agency Watson reported that cybercriminals had posted a large number of confidential documents from the leak on a darknet extortion site, officials acknowledged last week that they had “underestimated the severity” of the incident.

The city issued a press release Aug. 25 saying it “regrets having underestimated the seriousness of the attack, the potential misuse of data and the importance of transparency for the population of Rolle. The administration recognizes with humility a certain naivete towards the stakes,” according to Swiss news agency Le Temps.

The release of the data is the work of a ransomware gang known as Vice Society, according to the Watson report, which cited the work of an independent security researcher who worked with the publication and analyzed the data posted on the darknet.

Fujitsu


Japanese tech giant Fujitsu has reportedly confirmed that the stolen data being sold on the dark web relates to its customers, even as it appears to downplay the incident.


ZDNet reports that the data has been posted by the Marketo group, which breaks into corporate networks much like a ransomware operator, but only exfiltrates the data without encrypting the systems.

Marketo claims it has over 4GB of confidential Fujitsu data, such as customer information, company data, budget data, reports and other company documents including information on projects.

EskyFun - developer of Android games

The Chinese developers of popular Android gaming apps exposed information belonging to users through an unsecured server.

In a report shared with ZDNet, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, revealed EskyFun as the owner of a 134GB server exposed and made public online.

EskyFun is the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M.

On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.  

In total, the team said that an alleged 365,630,387 records contained data from June 2021 onward; the server leaked user data collected on a seven-day rolling basis.

The team says that the developers impose “aggressive and deeply troubling tracking, analytics, and permissions settings” when their software is downloaded and installed, and as a result, the variety of data collected was, perhaps, far more than you would expect mobile games to require. 

The University Medical Center Southern Nevada

The University Medical Center Southern Nevada has reported that a ransomware attack earlier this summer affected the data of 1,300,000 people.  

The organization said in a statement that the incident only lasted a day, but the bad actors were able to compromise some files on network servers.  

“Out of an abundance of caution, UMC will directly notify every person potentially affected by the June cyberattack and provide them with complimentary access to identity protection services,” said UMC in a statement in late July.  

Analysts pointed to REvil, a Russia-linked ransomware group, as the culprit.  

The group has reportedly extorted upwards of $12 million from victims in 2021. But in mid-July, just after the UMC incident, it appeared to vanish from the Internet.

UMC says it has no evidence to date that cybercriminals accessed any clinical systems, including those connected to its electronic health records.  

However, the compromised files did contain protected health information and personally identifiable information, potentially including:  

  • Demographic information (name, address, date of birth and Social Security Number)
  • Clinical information (history, diagnosis and test results) 
  • Financial information (insurance number)

Just after the attack, REvil posted images of driver’s licenses, passports and Social Security cards of around half a dozen alleged victims on its website, according to local outlets.

Microsoft's Power Apps


More than 38 million records from 47 different entities that rely on Microsoft’s Power Apps portals platform were inadvertently left exposed online, bringing into sharp focus a “new vector of data exposure.”

“The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses,” UpGuard Research team said in a disclosure made public on Monday.

Governmental bodies like Indiana, Maryland, and New York City, and private companies such as American Airlines, Ford, J.B. Hunt, and Microsoft are said to have been impacted. Among the most sensitive information that was left in the open were 332,000 email addresses and employee IDs used by Microsoft’s own global payroll services, as well as more than 85,000 records related to Business Tools Support and Mixed Reality portals.

Ryan Specialty Group

Newly public brokerage firm Ryan Specialty Group reported today on a data security incident that happened in April.

The firm said that on or about April 17, 2021, it became aware of “unusual activity” related to certain employee email accounts and began an investigation. On April 27, 2021, it determined that certain employee email accounts were accessed without authorization between April 4, 2021 and April 20, 2021.

The company then conducted a manual review of the emails to determine whether they contained sensitive information. This process, completed on June 30, 2021, showed that certain personal information for a limited number of individuals was accessible although not necessarily actually accessed or viewed by unauthorized individuals.

The information that was accessible included certain individuals’ names, driver’s license numbers, Social Security numbers, financial account information, passport numbers, medical information, health insurance information, government issued identification numbers, tax identification numbers, username/email and password, and dates of birth.

Navalny Supporters

About 2.2 million email addresses, home addresses, and names provided to the “Умное голосование” (Smart Voting) platform have been leaked, irreversibly exposing the identity of Navalny’s supporters. Unfortunately, according to local media reports, the Moscow police have already visited hundreds of them, coercing them into signing statements that their personal data was stolen by Alexei Navalny himself. Those who refuse are threatened with further action for offering financial support to the currently detained politician, who is recognized by Amnesty International as a prisoner of conscience.

The data leak appeared on the Telegram channel “Data1eaks”, where the hackers accused the FBK, a Russian non-profit organization established by Navalny with the purpose of fighting corruption in the country, of holding people’s personal details without permission. “Smart Voting,” the platform that required the email addresses for registration, is a tactical voting project aimed at depriving the nominees of Putin’s political party of votes in regional and federal elections, targeting their fixed monopoly in the country. FBK is the entity behind the Smart Voting project, and it already achieved an improvement of 5.6% for opposition representatives in the 2019 Moscow City Duma elections.

AT&T

AT&T says that it did not suffer a data breach after a well-known threat actor claimed to be selling a database containing the personal information of 70 million customers.

The threat actor, known as ShinyHunters, began selling this database yesterday on a hacking forum with a starting price of $200,000 and incremental offers of $30,000. The hacker states that they are willing to sell it immediately for $1 million.

From the samples shared by the threat actor, the database contains customers’ names, addresses, phone numbers, Social Security numbers, and date of birth.

A security researcher who wishes to remain anonymous told BleepingComputer that two of the four people in the samples were confirmed to have accounts on att.com.

Other than these few details, not much is known about the database, how it was acquired, and whether it is authentic.

However, ShinyHunters is a well-known threat actor with a long history of compromising websites and developer repositories to steal credentials or API keys. Those credentials are then used to steal databases, which the group either sells directly to other threat actors or offloads through a middleman data breach seller.

In many cases, when a database is not sold, ShinyHunters will release it for free on hacker forums.

Chase bank

Chase Bank has admitted to the presence of a technical bug on its online banking website and app that allowed accidental leakage of customer banking information to other customers.

Personal details of Chase bank customers including statements, transaction list, names, and account numbers were potentially exposed to other Chase banking members.

The issue is believed to have lasted between May 24th and July 14th this year, and impacted both online banking and Chase Mobile app customers who shared similar information.

In a copy of the data incident notice seen by BleepingComputer, shown below, Chase blamed a “technical issue” for this mishap.

“We learned of a technical issue here that may have mistakenly allowed another customer with similar personal information to see your account information on chase.com or in the Chase Mobile app, or receive your account statements,” states the notice.

Nokia subsidiary

SAC Wireless, a US-based Nokia subsidiary, has disclosed a data breach following a ransomware attack where Conti operators were able to successfully breach its network, steal data, and encrypt systems.

The wholly-owned and independently-operating Nokia company, headquartered in Chicago, IL, works with telecom carriers, major tower owners, and original equipment manufacturers (OEMs) across the US.

SAC Wireless helps customers design, build and upgrade cellular networks, including 5G, 4G LTE, small cell and FirstNet.

T-Mobile


T-Mobile has confirmed that attackers who recently breached its servers stole files containing the personal information of tens of millions of individuals.

The massive breach impacts roughly 7.8 million T-Mobile postpaid customers, 850,000 T-Mobile prepaid users, and approximately 40 million former or prospective ones.

Adding it all up, the attackers stole records belonging to 48.6 million individuals, including current, former, or prospective T-Mobile customers.

“Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers,” T-Mobile said.

“Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”

Luckily, according to the US mobile carrier, the file stolen during the incident did not contain phone numbers, account numbers, PINs, passwords, or financial information belonging to current or prospective T-Mobile customers.