Week 37 - 2022

Here’s your weekly #databreach news roundup:


Starbucks, Uber, Common Ground Healthcare Cooperative & Medical Mutual of Ohio, Eurocell, Andover Public Schools, Medical Associates of the Lehigh Valley, U-Haul, and Philippine Airlines (PAL).

Starbucks

The Singapore division of Starbucks, the popular American coffeehouse chain, has admitted that it suffered a data breach incident impacting over 219,000 of its customers.

The first clue that they were breached came on September 10, when a threat actor offered to sell a database containing sensitive details of 219,675 Starbucks customers on a popular hacking forum.

The hacking forum’s owner, “pompompurin,” joined the discussion to back the validity of the stolen data, saying that the provided samples contain substantial proof of authenticity.

Today, Starbucks Singapore sent out letters to notify its customers of a data breach, explaining that hackers may have stolen the following details:

  • Name
  • Gender
  • Date of birth
  • Mobile number
  • Email address
  • Residential address

Common Ground Healthcare Cooperative and Medical Mutual of Ohio

Common Ground Healthcare Cooperative and Medical Mutual of Ohio each submitted reports regarding the OneTouchPoint (OTP) data breach to the HHS Office for Civil Rights (OCR) recently.

OTP originally reported the breach to OCR in July, noting that it had impacted 1,073,316 individuals. However, the third-party mailing and printing vendor recently provided an updated breach notice to the Maine Attorney General’s Office stating that the breach actually impacted more than 2.6 million individuals.

“OTP is providing this notice on its own behalf as the individuals notified in this round of notice are current or former employees,” OTP stated in the updated notification.

Uber

Uber says it’s investigating a “cybersecurity incident” amidst reports that the company’s internal systems have been breached. The alleged hacker, who claims to be an 18-year-old, says they have administrator access to company tools including Amazon Web Services and Google Cloud Platform. The New York Times reports that the ride-hailing business has taken multiple internal systems, including Slack, offline while it investigates the breach.

When contacted for comment by The Verge, a spokesperson for the company declined to answer additional questions, and pointed to its statement on Twitter. “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” the statement reads.

Eurocell

The company sent out a letter to employees, explaining that an unauthorised third party was able to gain access to their systems following an IT security incident.

Eurocell have confirmed that the cyber-attack led to employee data being copied from its IT systems. The data that was exposed in the breach included:

  • Employment terms and conditions
  • Personal information (date of birth, next of kin, bank account, national insurance, and tax-reference numbers)
  • Right to work documentation
  • Health and wellbeing related documents
  • Learning and development records
  • Disciplinary and grievance related documents

While Eurocell have claimed that there is ‘no evidence’ of this data being misused, there is no guarantee that this is the case, or will continue to remain the case in the future. There is a real concern the data will be exposed on the Dark Web.

Eurocell have noted that they have informed the Information Commissioner’s Office and the police about the incident.

Andover Public Schools

Andover Public Schools said it has pulled the popular messaging app, Seesaw, after the app was hacked.

According to the Seesaw website, the app is used by 10 million teachers, students and family members, but the company declined to say how many users were affected by the hack.

In a letter to parents, Andover schools said some parents across the country had received explicit pictures through the messenger service.

The school district said it pulled Seesaw from all student and staff accounts as it works with the company on the issue. Anyone who receives an e-mail notification from Seesaw is advised not to open it.

Medical Associates of the Lehigh Valley

Medical Associates of the Lehigh Valley (“MATLV”) filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights following a ransomware attack in which an unauthorized party was able to gain access to sensitive consumer data contained on MATLV’s network. According to MATLV, the breach resulted in the names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, health insurance providers, medical diagnoses, medical treatment information, medications, and lab results of certain patients being compromised. Recently, MATLV sent out data breach letters to the 75,628 patients affected by the breach, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

U-Haul

Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers’ names and driver’s license information.

Following an incident investigation started on July 12 after discovering the breach, the company found on August 1 that attackers accessed some customers’ rental contracts between November 5, 2021, and April 5, 2022.

“After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver’s license or state identification number,” U-Haul told affected customers in notification letters sent to impacted individuals on Friday.

The attacker accessed the U-Haul rental contracts search portal after compromising two “unique passwords.”

Philippine Airlines (PAL)

Flag carrier Philippine Airlines (PAL) has become a victim of a cyberattack after criminals targeted its information technology (IT) service provider and exposed the personal data of Mabuhay Miles members.

In a statement, the airline confirmed that Accelya, the third-party IT provider for PAL’s frequent flyer program, was affected by “a cybersecurity incident.”

PAL assured the public that the data breach only involved “limited information” of customers who became Mabuhay Miles members from 2015 to 2017.

Compromised information included members’ names, birth dates, nationality, gender, join date, tier level, and points balance.