Here’s your weekly data breach news roundup:

National Rifle Association (NRA), Centara Hotels, Pinelands Regional School District, UMass Memorial Health, Moscow drivers,
Fullerton Health, Società Italiana degli Autori ed Editori (SIAE), CoinMarketCap, and Visible network.

Pinelands Regional School District

The Pinelands Regional School District recently concluded its investigation into a data breach that happened in mid-March and affected both employees and students. The breach occurred through unauthorized access to former board president Thomas Williams’ email account. Williams was reported to be undergoing a medical procedure at the time, while the log-ins showed multiple ISPs and locations in a short period of time.

While Williams was hospitalized, the school district’s technology department and the Superintendent of Schools were alerted to suspicious login activity on his email, beyond his usual, consistent access from home. The school board therefore began a complete forensic audit to find potential security breaches.

There were multiple log-ins through many ISPs and from different locations, such as the Hess School Complex (Mays Landing) and the Ocean County Library, where Williams’s wife worked. Records also show that his email was accessed from New Jersey at the same time as from Philadelphia during the period he was hospitalized there.
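The signals described above, sign-ins from several ISPs in a short span and the same mailbox accessed from New Jersey and Philadelphia at the same moment, are what an audit of mail sign-in logs looks for. As an added example, not part of the original roundup or the district’s investigation, the Python below runs an “impossible travel” check and a per-account ISP count over a constructed set of sign-in events. The log format, account names, ISP labels and city coordinates are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events in an assumed log format (not data from the
# district's investigation): UTC timestamp, account, source ISP, and the city
# the source address geolocated to.
SAMPLE_EVENTS = [
    "2021-03-15T08:02:11Z user=board.president isp=ISP-A city=Philadelphia",
    "2021-03-15T08:03:30Z user=board.president isp=ISP-B city=Toms River",
    "2021-03-15T13:30:05Z user=board.president isp=ISP-A city=Philadelphia",
    "2021-03-17T10:00:00Z user=board.president isp=ISP-A city=Philadelphia",
    "2021-03-17T10:00:00Z user=board.president isp=ISP-D city=Mays Landing",
    "2021-03-16T09:15:00Z user=staff.member isp=ISP-C city=Toms River",
    "2021-03-16T17:45:00Z user=staff.member isp=ISP-C city=Toms River",
]

# Assumed approximate coordinates (latitude, longitude) for the sample cities.
CITY_COORDS = {
    "Philadelphia": (39.95, -75.17),
    "Toms River": (39.95, -74.20),
    "Mays Landing": (39.45, -74.73),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) isp=(?P<isp>\S+) city=(?P<city>.+)$"
)


def parse_event(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable sign-in event: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "isp": m["isp"], "city": m["city"]}


def distance_km(city_a, city_b):
    """Great-circle distance between two known cities (haversine formula)."""
    lat1, lon1 = map(radians, CITY_COORDS[city_a])
    lat2, lon2 = map(radians, CITY_COORDS[city_b])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def events_by_user(lines):
    """Group parsed events per account, each list sorted chronologically."""
    grouped = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        grouped[ev["user"]].append(ev)
    for evs in grouped.values():
        evs.sort(key=lambda e: e["ts"])
    return grouped


def find_impossible_travel(lines, max_kmh=900.0):
    """Flag consecutive sign-ins by one account whose implied travel speed
    exceeds max_kmh. Sign-ins at the same instant from two different cities
    are the limiting case (unbounded speed) and are always flagged.
    Returns (user, from_city, to_city, km, hours) tuples."""
    alerts = []
    for user, evs in events_by_user(lines).items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["city"] == cur["city"]:
                continue
            km = distance_km(prev["city"], cur["city"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours == 0 or km / hours > max_kmh:
                alerts.append((user, prev["city"], cur["city"], round(km, 1), round(hours, 4)))
    return alerts


def isp_churn(lines, window_hours=24.0):
    """For each account, the largest number of distinct ISPs seen in any
    window of window_hours. Many ISPs in a short window is a signal on its own."""
    window = timedelta(hours=window_hours)
    result = {}
    for user, evs in events_by_user(lines).items():
        best = 0
        for i, start in enumerate(evs):
            isps = {e["isp"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(isps))
        result[user] = best
    return result


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
    print("distinct ISPs per account in any 24h window:", isp_churn(SAMPLE_EVENTS))
```

On the constructed data the board account is flagged twice: once for two cities roughly 83 km apart within 79 seconds, and once for two cities at the same instant. The staff account, which only ever signs in from one city and one ISP, is never flagged. The speed threshold and window size are tuning knobs; home-to-school commutes and mobile carriers handing off between cells should be checked against real baselines before alerting.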

Centara Hotels

Centara Hotels and Resorts, the Thai luxury hotel chain, confirmed a data breach this month at the hands of the Desorden Group hacking crew. CEO Thirayuth Chirathivat said the attack was detected on October 14 and that an investigation confirmed guest details had been compromised.

Names and ID photos, booking information, email addresses, phone numbers and home addresses have all been exposed, and there are fears the ID photos may be of passports, since hotels often ask for a copy at check-in. Centara’s CEO confirmed that the leak has been contained and the breach secured, but its extent and cause are still under investigation.

Guests of the Centara chain are urged to change their passwords and keep an eye out for any suspicious phishing emails or phone calls that may take advantage of the data to try to gather more personal information. Thirayuth confirmed that the hotel staff will not be directly contacting any customers requesting personal information, so any such contact is fraudulent.

Desorden Group claimed responsibility for the Centara breach after recently attacking laptop maker Acer twice, and it claims to have also breached the servers of Centara’s parent company, Central Group, which owns more than 2,000 restaurants and hotels in Thailand. The Chirathivat family, which controls that group, maintains restaurants, hotels, properties, fashion companies and building materials businesses and is worth US $11.6 billion.

UMass Memorial Health

Thousands of patients at UMass Memorial Health have been notified of a data breach involving the health system’s email system.

Some of the emails accessed by hackers included patient information, such as Social Security numbers and medical-related data.

The breach affected more than 209,048 individuals, according to the U.S. Department of Health and Human Services, which documents such incidents.

UMass Memorial Health, in an Oct. 15 notice to patients, said an unauthorized person accessed the accounts between June 2020 and January 2021.

“Our investigation to determine the nature and scope of the incident determined on January 27, 2021, that a limited number of UMass employees’ email accounts may have been accessed by an unauthorized person,” the notice said.

The health system said it was unable to determine to what extent the unauthorized person viewed the emails. The breach did not involve all UMass Memorial patients, only those whose information was contained in the accessed emails.

National Rifle Association (NRA)

The National Rifle Association (NRA) has released a statement today after a ransomware gang claimed to have attacked the organization. 

The Grief ransomware gang — which has ties to the prolific Russian cybercrime group Evil Corp — posted about the NRA on its leak site, setting off hours of headlines and concerns from group members. 

By Wednesday afternoon, NRA Public Affairs managing director Andrew Arulanandam took to Twitter to say the group is doing what it can to protect the data of its members.

“NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations — and is vigilant in doing so,” Arulanandam said.

Cybersecurity researchers began posting about the incident on Wednesday after Grief said it had 13 files allegedly taken from the NRA’s databases. Analysis of the released documents shows they are minutes from a recent NRA board meeting as well as documents related to grants. The gang threatened to leak more files if the NRA did not pay an undisclosed ransom.

Moscow drivers

Hackers are selling a stolen database containing 50 million records of Moscow driver data on an underground forum for only $800.

According to Russian media outlets that purchased the database, the data appears to be valid and contains records collected between 2006 and 2019.

Russian news publisher Kommersant called a small sample of the exposed individuals and confirmed that the stolen data is accurate, even if outdated in some cases.

The database contains the following details on Moscow car owners:

  • Full names
  • Dates of birth
  • Phone numbers
  • VIN codes
  • License plate numbers
  • Car brand and model
  • Car year of registration

As a bonus to buyers, the seller provides an additional file containing information collected in 2020, which stops at the point when Russia moved from regional databases to central storage in the Federal Information System (FIS) of the State Traffic Safety Inspectorate.

Fullerton Health

Personal details of Fullerton Health customers were stolen by hackers and hawked online, after a vendor of the private healthcare group suffered a breach earlier this month.

The data was put up for sale on hacking forums from Oct 11, and could be bought for US$600 (S$810) in Bitcoin. However, checks by The Straits Times showed that the hackers took down the posts on the data sale last Friday (Oct 22).

The hackers claimed they managed to steal the data of some 400,000 people, including the insurance policy details of Singaporeans. A sample of the data uploaded by the unidentified hackers included customer names and identity card numbers, as well as information about bank accounts, employers and medical history.

It also had the personal details of the customers’ children.

A sample document shared by the hackers bore the letterheads of Fullerton Health and Singapore Airlines.

The breach was of a server used by Agape Connecting People, a social enterprise that provides contact centre services.

Agape was engaged as a vendor to handle bookings by Fullerton Health customers.

Società Italiana degli Autori ed Editori (SIAE)

The Italian data protection authority Garante per la Protezione dei Dati Personali (GPDP) has announced an investigation into a data breach of the country’s copyright protection agency.

Società Italiana degli Autori ed Editori (SIAE) is a government agency responsible for protecting the intellectual property rights of copyright holders’ creative works.

Yesterday, the GPDP announced that it is investigating whether hackers stole the personal data of registered members and employees of SIAE during a ransomware attack.

“In relation to the data breach suffered by Siae, the Guarantor for the protection of personal data informs that it has opened an investigation.

The Italian Society of Authors and Publishers had yesterday notified the Authority, within the terms set by the privacy legislation, of the violation of its servers due to a hacker attack for extortion purposes.

The Guarantor is currently evaluating the information received from the Company, reserving the right to carry out the appropriate investigations.” – GPDP.

CoinMarketCap

Data of over three million CoinMarketCap (CMC) users was leaked earlier in October, the crypto tracker confirmed. Every day, over 27 million people from the US, India, and Japan among other nations visit the platform to price-track and stay updated on cryptocurrency, a report by statistics firm HypeStat claimed recently. This data breach comes at a time when cyber-attacks specifically targeting the crypto-community are rising in numbers, worldwide. Despite several nations still being sceptical about legalising cryptocurrencies, the crypto space is witnessing rapid expansion in many parts of the world.

Registered email addresses of 3,117,548 CMC users were unlawfully obtained and uploaded to hacking forums by cyber criminals on October 12, CryptoPotato reported earlier this week. These email IDs are now being traded on the dark web.

CMC has acknowledged the data breach while noting that the passwords for the leaked email addresses remain safe. The platform has also denied the possibility that the leak came from its own servers.

Visible network

Visible is a “digital” carrier owned by Verizon, with a greater emphasis on fair pricing and shared plans. The company has gained popularity for its relatively low pricing for unlimited data plans, and earlier this year, Visible introduced 5G service and eSIM support. However, Visible subscribers are now experiencing something a lot less fun than saving money — many accounts are being hijacked, often to purchase phones for whoever obtained access.

Social media sites, especially the Visible subreddit, are currently flooded with reports of Visible accounts being hijacked. In most cases, the email address associated with the account is reset by an unknown attacker, then the payment method on the account is used to order a phone.

It’s not clear if Visible itself suffered a data breach, or if the attackers are using usernames and passwords obtained from other data breaches to log in — a tactic known as credential stuffing. Some Visible subscribers claim to have used randomly generated passwords for their accounts that were not used elsewhere, which would indicate Visible itself had a security breach, but it’s probably still too early to tell. Visible also does not support two-factor authentication, which, had it been available, might have limited the damage from any security breach.