Here’s your weekly data breach news roundup:
- BTC Markets
- Cayman Islands-based investment fund
- NTreatment, a technology company
- Marketing giant Maropost
- Absa bank
- U.S. healthcare provider AspenPointe
Major Australian cryptocurrency exchange BTC Markets accidentally exposed the full name and email addresses of all of its customers in a marketing email sent to each affected individual on Dec. 1.
The emails were sent in batches of 1,000, meaning that each customer was sent the name and email address of 999 other users.
BTC Markets is in the process of reporting the incident to the Office of the Australian Information Commissioner, with Bowler noting the exchange will be “taking guidance from the OAIC” on how to respond to the breach moving forward.
Roughly a week ago, the OGUsers homepage was defaced with a message stating the forum’s user database had been compromised. The hack was acknowledged by the forum’s current administrator, who assured members that their passwords were protected with a password obfuscation technology that was extremely difficult to crack.
But unlike in previous breaches at OGUsers, the perpetrators of this latest incident have not yet released the forum database. In the meantime, someone has been taunting forum members, saying they can have their profiles and private messages removed from an impending database leak by paying between $50 and $100.
Cayman Islands investment fund
A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob.
Details of the fund’s register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an Amazon Web Services S3 storage bucket.
As well as publicly exposing who its shareholders are, how many shares they hold, and the value of those holdings, the fund – which The Register is not naming after it agreed to talk in depth about its incident response process – had also saved a scanned copy of its online banking PIN to the blob. The Register viewed a subset of files from the blob to confirm their ownership and authenticity.
Read more at : https://www.theregister.com/2020/12/01/investment_fund_data_breach/
NTreatment, a technology company that manages electronic health and patient records for doctors and psychiatrists, left thousands of sensitive health records exposed to the internet because one of its cloud servers wasn’t protected with a password.
The cloud storage server was hosted on Microsoft Azure and contained 109,000 files, a large portion of which contained lab test results from third-party providers like LabCorp, medical records, doctors’ notes, insurance claims and other sensitive health data for patients across the U.S., a class of data considered protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Running afoul of HIPAA can result in steep fines.
The CyberNews research team discovered an exposed database belonging to Maropost, a marketing automation platform that operates offices in the US, Canada, and India.
Maropost provides solutions including email “marketing, commerce, service, clienteling, and referral” to companies across the world. The company’s 10,000+ clients include such big names as the New York Post, Shopify, Fujifilm, Hard Rock Café, and Mother Jones.
The database in question contains what appears to be close to 95 million individual customer email records and email logs left on a publicly accessible server.
Absa has suffered a data breach affecting a number of its clients, exposing their personal information to external parties.
The bank sent an email to affected clients on Monday 30 November, warning them that their personal information had been shared with third parties.
“We regret to notify you that Absa has identified an isolated internal data leak whereby personal information of a limited number of Absa customers was shared with parties external to the bank,” Absa told clients.
“Unfortunately, some of your personal information formed part of this data which included your identity number, contact details, address and account numbers.”
U.S. healthcare provider AspenPointe notified patients of a data breach stemming from a September 2020 cyberattack that enabled attackers to steal protected health information (PHI) and personally identifiable information (PII).
AspenPointe is a nonprofit funded by Medicaid, state, federal, and local government contracts, as well as donations, that manages 12 organizations serving over 50,000 individuals and families every.