week37-2021-min

Here’s your weekly data breach news roundup:

Blick Art, United Nations, HealthReach Community Health Center, MyRepublic, GetHealth, Dallas Independent School District, and South African National Space Agency.

Blick Art

week-37-2021-blickart
  • The popular art supplies market ‘Blick Art’ has had a nasty and lengthy card skimmer infection on its online shop.
  • The actors managed to grab credit and debit card numbers, CVVs, full names, and expiration dates.
  • ‘Metabolic Maintenance’ has disclosed a similar Magecart incident that lasted for over a year.

If you’ve bought any supplies from the Blick Art website (dickblick.com) between March 11, 2020, and December 15, 2020, chances are that your credit card details are in the hands of Magecart actors. The company that operates the popular online shop has discovered that someone had planted a skimming code on the payment/checkout page. Skimmers are small and nasty snippets of code that can capture what customers enter on payment forms and exfiltrate it to actor-controlled infrastructure.

United Nations

week-37-2021-UN

A spokesperson for the United Nations has confirmed that the organization was breached by hackers in early 2021, and that attacks tied to that breach on various branches of the UN are ongoing. The data breach appears to stem from an employee login that was sold on the dark web. The attackers used this entry point to move farther into the UN’s networks and conducted reconnaissance between April and August. Information gleaned from this activity appears to have been put to use in further attacks, with attempts made on at least 53 accounts.

The UN hack began with acquisition of an employee username and password from a dark web forum, very likely as part of another data breach. This allowed the attackers to walk in and immediately begin scouting the network and attempting to escalate privileges, with the first incident taking place in April. A number of security researchers have reported seeing the accounts of UN employees listed among large packs of usernames and passwords sold on underground forums, in this case as part of a package going for only $1,000.

HealthReach Community Health Center

week-37-2021-healthreach

HealthReach Community Health Centers is reporting a data breach affecting more than 100,000 Mainers.

HealthReach Community Health Centers is a system of 11 federally-funded community health centers throughout Central and Western Maine. It’s based in Waterville.

HealthReach found out about the breach in May and notified the Maine Attorney General’s Office last week.

In a letter to the AG, an attorney representing HealthReach says hard drives containing personal information belonging to patients and employees were improperly disposed of by an employee at a third-party data storage facility.

MyRepublic

week-372021-myrepublic

The personal data of approximately 80,000 MyRepublic mobile subscribers was accessed without authorization last month.

The Singaporean communications services provider released a statement on Friday (September 10) claiming that the breach took place on August 29 via a third-party data storage platform used to store customer data.

The unauthorized access reportedly affected 79,388 mobile subscribers based in Singapore. The customer data contained personal information, including scanned copies of NRICs, proof of residential address documents and names and mobile numbers. 

MyRepublic added that there is no reason to believe other sensitive data, such as payment information, was breached. The communications service provider has since secured and contained the incident. 

The telco stressed that the unauthorized access had no operational impact on its services. Nevertheless, it has informed the Infocomm Media Development Authority and the Personal Data Protection Commission of the incident. 

MyRepublic also activated its cyber incident response team, comprising a group of external expert advisors to work closely with its internal IT and Network teams. 

GetHealth

An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online.

On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth. 

Based in New York, GetHealth describes itself as a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.” The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit. 

On June 30, 2021, the team discovered a database online that was not password protected. 

The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information — some of which could be considered sensitive — such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets. 

While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were from Fitbit and Apple’s HealthKit.

Dallas Independent School District

The Dallas Independent School District (Dallas ISD) has disclosed a data breach exposing sensitive personal data belonging to students and employees enrolled or employed since 2010.

“An unauthorized third party accessed our network, downloaded data, and temporarily stored it on an encrypted cloud storage site,” Dallas ISD said in a data breach notice published yesterday (September 2).

Upon learning of the incident on August 8, Dallas ISD said it launched an investigation, implemented “additional security measures” and “addressed specific vulnerabilities that were exploited during this event”.

It added: “We confirmed that the unauthorized third party removed the data from the encrypted cloud storage site and has informed us the data was not disseminated or sold to anyone.”

The public school district said that although no evidence of data misuse or fraud had surfaced so far, it could not be “100 percent certain until additional forensic analysis is completed”.

South African National Space Agency

The South African National Space Agency (SANSA) has become the latest government entity to suffer a cyber attack.

In a statement, SANSA says on 6 September, it was notified of a possible breach of its IT systems.

According to the government agency responsible for the promotion and development of aeronautics and aerospace space research in SA, a file consisting of SANSA information was dumped in the public domain.

Although the space agency’s data was found on the public domain, it says its network was not compromised. It says an internal investigation was conducted and it was determined that no network breach occurred.