
Here’s your weekly data breach news roundup:

Neiman Marcus, JVCKenwood, Horizon House, JPN, Colombian Real Estate, CMA CGM, Simon Eye, and Thailand Visitors.

Neiman Marcus


American luxury retailer Neiman Marcus Group (NMG) has just disclosed a major data breach impacting approximately 4.6 million customers. The breach occurred sometime in May 2020 after “an unauthorized party” obtained the personal information of some Neiman Marcus customers from their online accounts. Neiman Marcus is working with law enforcement agencies and has selected cybersecurity company Mandiant to assist with the investigation.

Neiman Marcus disclosed that its 2020 data breach impacted about 4.6 million customers with Neiman Marcus online accounts, whose personal information was potentially compromised during the incident. The information potentially compromised includes:

  • Names, addresses, contact information
  • Usernames and passwords of Neiman Marcus online accounts
  • Payment card numbers and expiration dates (although no CVV numbers)
  • Neiman Marcus virtual gift card numbers (without PINs)
  • Security questions of Neiman Marcus online accounts

For the millions of customers being notified about the incident, “approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid,” said the company in a statement released Thursday. No active Neiman Marcus-branded credit cards were impacted. As of now, there’s also no indication that online customer accounts at Bergdorf Goodman or Horchow were impacted.

JVCKenwood

JVCKenwood has suffered a Conti ransomware attack in which the threat actors claim to have stolen 1.7 TB of data and are demanding a $7 million ransom.

JVCKenwood is a multinational electronics company based out of Japan that employs 16,956 people and has a 2021 revenue of $2.45 billion. The company is known for its brands JVC, Kenwood, and Victor, which manufacture car and home audio equipment, healthcare and radio equipment, professional and in-vehicle cameras, and portable power stations.

Yesterday, JVCKenwood disclosed that servers belonging to its sales companies in Europe were breached on September 22nd, and the threat actors may have accessed data during the attack.

“JVCKENWOOD detected unauthorized access on September 22, 2021 to the servers operated by some of the JVCKENWOOD Group’s sales companies in Europe. It was found that there was a possibility of information leak by the third party who made the unauthorized access,” JVCKENWOOD announced in a press statement.

“Currently, a detailed investigation is being conducted by the specialized agency outside the company in collaboration with the relevant authorities. No customer data leak has been confirmed at this time. The details will be announced on the company website as soon as they become available.”

Horizon House

A Philadelphia-based mental health services provider has begun to notify 35,000 individuals that their health and personal information was potentially viewed or stolen by hackers in a data security incident discovered more than six months ago.

In a Sept. 17 statement, Horizon House says that it is informing staff and participants of a data security incident detected on March 5 that “may impact the privacy” of their personal information.

Horizon House provides services for patients with behavioral health needs and intellectual and developmental disabilities, as well as emergency housing for the homeless.

The U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that Horizon House reported the hacking/IT incident involving a network server on Sept. 17 as affecting nearly 28,000 individuals.

But in a breach report filed that same day to the state of Maine’s attorney general, Horizon House said the “external system breach/hack” affected more than 35,000 individuals, including one Maine resident.

JPN Database

It is alleged that the data of almost four million citizens held at the National Registration Department (JPN) has been breached and that the information is currently up for sale for about RM35,500.

The database leak was first highlighted by Twitter user Adnan Mohd Shukor, who Lowyat.NET reported is an intrusion analyst.

The data is currently listed for sale on a “database sharing and marketplace forum”. The website is only accessible after using a virtual private network (VPN).

“Malaysia citizen data fresh from Jabatan Pendaftaran Negara (JPN), leaked from hasil.gov.my through myIDENTITY API,” read the forum post, which was published on 24 September.

“Total data is almost 4 million equal to 31.8GB, group by birth year from 1998 to 1979.”

Colombian Real Estate

More than one terabyte of data containing 5.5 million files has been left exposed, leaking personal information of over 100,000 customers of a Colombian real estate firm, according to cybersecurity company WizCase.

The breach was discovered by Ata Hakçıl and his team in a database owned by Coninsa Ramon H, a company that specializes in architecture, engineering, construction, and real estate services. “There was no need for a password or login credentials to see this information, and the data was not encrypted,” the researchers said in an exclusive report shared with The Hacker News.

CMA CGM

French shipping company CMA CGM has announced it has suffered a data breach.

The container transportation and maritime giant, based in Marseille, revealed in a security advisory that customers’ names, email addresses, phone numbers, and employment information have been leaked.

It has not yet been confirmed how many individuals were affected by the incident, but CMA CGM said that its operations were not affected.

The announcement comes almost a year after the company was hit by a ransomware attack.

Services across several of the organization’s offices in China were impacted and its internal networks were shut down to contain the spread of malware.

Simon Eye

Simon Eye, a US chain of optometry clinics, has reported a data breach potentially impacting more than 144,000 individuals.

The possible compromise of sensitive personal data arose from unauthorized access to employee email accounts over a seven-day period from May 12 to May 18, 2021, according to a data breach notice on the Simon Eye website.

Simon Eye said the attackers “attempted to engage in wire transfer and invoice manipulation attacks against the company, none of which were successful”.

However, a review of the breached mailboxes’ contents revealed that patients’ names, medical histories, treatment and diagnosis information, health insurance policy and/or subscriber information, and insurance application and/or claims information may have been exposed.

A subset of individuals may have also had their Social Security numbers, dates of birth, and/or financial account information exposed.

“Importantly, to date, we have no evidence of any misuse of any data as a result of this incident,” said Simon Eye.

Thailand Visitors

An unsecured Elasticsearch database containing the personal data of 106 million visitors to Thailand was discovered on August 22, 2021 by Bob Diachenko, a cybersecurity researcher at Comparitech.

According to Infosecurity Magazine, the database was publicly accessible and contained “full names, arrival dates, gender, residency status, passport numbers, visa information and Thai arrival card numbers” dating back 10 years.

In a surprising twist, the data breach hit close to home as the cybersecurity researcher stumbled upon his own personal data in the database.

While researchers were unable to determine how long the data had been exposed for, Thai authorities acted swiftly to secure the database within 24 hours of receiving word of the vulnerability. As a second line of defense, the index has been replaced with a digital booby trap such that any visitor who attempts to access the database is shown the message, “This is a honeypot, all access were logged [sic].”

According to the report, “any foreigner who traveled to Thailand in the last decade or so probably has a record in the database.” With Dasera, Thai authorities could have prevented this vulnerability by detecting and correcting database misconfigurations to protect the privacy of these impacted individuals.