Facebook
Week 51-2022

Here’s your weekly #databreach news roundup:​​​​​

BetMGM, DraftKings, McGraw Hill, SevenRooms, Centers for Medicare & Medicaid Services, Shiseido, Social Blade, and Gemini.

BetMGM

BetMGM

Sports betting service BetMGM said on Wednesday personal information of its customers were obtained in an unauthorized manner, but did not specify the number of users affected.

The issue affected customer information such as name, contact information, date of birth, hashed Social Security number, account identifiers and information related to transactions with BetMGM, the company said.

BetMGM did not immediately respond when asked about the number of customers impacted by to the breach, which it believes occurred in May this year.

DraftKings

Sports betting firm DraftKings says the personal data of 68,000 individuals has been compromised in a recent data breach.

The incident, initially disclosed in November, was the result of a credential stuffing attack and not a breach of DraftKings’ systems, the company says.

Credential stuffing involves the use of leaked credentials (usernames, email addresses, and passwords) obtained from a third-party source to access an account on a different service. Such attacks are successful only because some individuals use the same credentials for accounts on different services.

McGraw Hill

McGraw Hill

Student data of McGraw Hill, an education publishing company based in the USA, mistakenly exposed records of over 100,000s students online. The data could be accessed by anyone with a web browser. This breach exposed students from several universities across the US and Canada.

A team of researchers at vpnMentor discover two misconfigured Amazon Web Services (AWS) S3 buckets that belonged to McGraw Hill. One was the production bucket with more than 47 million files and 12TB+ of data. The non-production bucket contained more than 69 million files and 10TB+ of data.

SevenRooms

SevenRooms

SevenRooms, a “guest experience and retention platform” for food establishments and hospitality organisations, has confirmed it has fallen victim to a third party vendor data breach. Mostly known for its customer management platform, Seven Rooms’ breach came to light after stolen data was seen for sale on an underground forum.

Centers for Medicare & Medicaid Services (CMS)

Centers for Medicare & Medicaid Services (CMS)

The Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS) – a subcontractor to CMS – that may have exposed personally identifiable information of up to 254,000 Medicare beneficiaries.

In a press release, CMS said the subcontractor was subject to a ransomware attack on its corporate network on Oct. 8, 2022. However, no CMS systems were breached and no Medicare claims data were involved.

Shiseido

Shiseido

Employees and former employees of the UK business of Japanese cosmetics firm Shiseido who found their personal information had been exposed in a data breach are being asked to come forward to take part in a proposed group legal action against the company.

The breach took place in the spring of 2022 and was notified to the Information Commissioner’s Office (ICO) in mid-April. This was supposedly in line with reporting regulations, which require the ICO to be told of impactful breaches within 72 hours, but according to reports at the time, employees had alleged that Shiseido was aware of the incident a month earlier than that.

Social Blade

Social Blade

Social media analytics platform Social Blade has confirmed being impacted by a data breach after a database claimed to have been stolen from the company was offered for sale on a hacker forum, reports SecurityWeek. Social Blade had its purportedly stolen database, which is claimed by the attacker to contain 5.6 million records, offered for sale on Dec. 12, with the posted sample of table names and content indicating the presence of user information in many of the compromised records. Only up to two people could purchase the database, which has already been verified to be authentic by a known hacker.

Gemini

Gemini

A third-part vendor related to Gemini appeared to have suffered a data breach on or before Dec. 13. According to documents obtained by Cointelegraph, hackers gained access to 5,701,649 lines of information pertaining to Gemini customers’ email addresses and partial phone numbers. In the case of the latter, hackers apparently did not gain access to the full phone numbers, as certain numeric digits were obfuscated. After the news came to light, Gemini has since clarified in a blog post that the breach appeared to be “result of an incident at a third-party vendor” but also warned of ongoing “phishing campaigns” as a result of the data leak.