This week Capcom discovers ransomware isn’t a game, Magecart hackers strike gold from JM Bullion, and healthcare cyberattack warnings come to fruition.
The Week in Breach News: Dark Web ID’s Top Threats This Week
- Top Source Hits: ID Theft Forum
- Top Compromise Type: Domain
- Top Industry: Finance & Insurance
- Top Employee Count: 501+
The Week in Breach News – United States
United States – JM Bullion
https://www.bankinfosecurity.com/precious-metal-trader-jm-bullion-admits-to-data-breach-a-15294
Exploit: Skimming (Magecart)
JM Bullion: Precious Metals Dealer
Risk to Business: 1.772 = Severe
This Texas precious metals trader discovered that someone was cashing in on their clients’ transactions and it wasn’t them. In a recent regulatory filing, the company disclosed that malicious payment skimming code was present and active on their website from February 18, 2020, to July 17, 2020.
Individual Risk: 1.624 = Severe
The information stolen in this attack includes customers’ names, addresses, and payment card information, including the account number, expiration date, and security codes. Customers should be alert to potential identity theft and spear phishing attempts.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Failing to notice a payment card skimmer operating on your site for five months does not speak well to your company’s commitment to keeping client data secure.
United States – University of Vermont Medical Center
https://www.idagent.com/passly-digital-risk-protection
Exploit: Ransomware
University of Vermont Medical Center: Hospital System
Risk to Business: 1.402 = Extreme
In the wake of recent warnings from US government agencies about increased ransomware risk for healthcare targets, University of Vermont Medical Center (UVM) has landed in that trap. A ransomware attack has led to significant, ongoing tech problems for the University of Vermont Health Network, affecting its six hospitals in Vermont and New York. The Vermont National Guard and the FBI have been working with the tech team at UVM to restore service since the attack first began affecting systems on October 30th. Damage assessment and recovery are ongoing, and some systems are still offline. The hospital says that urgent patient care was not impacted.
Individual Risk: No personal or consumer information was reported as impacted in this incident.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Healthcare targets are in increasing danger from money-hungry cybercriminals who know that medical targets don’t have time for a long, complex recovery procedure, but they do have money.
United States – GrowDiaries
Exploit: Misconfiguration
GrowDiaries: Industry Blogging Platform
Risk to Business: 2.237 = Severe
Leading cannabis industry blogging platform GrowDiaries may need to clear its head after misconfigured Kibana instances left two Elasticsearch databases open to anyone on the internet, one storing 1.4 million user records and the second holding more than two million user data points.
Individual Risk: 2.612 = Moderate
One open database exposed usernames, email addresses, and IP addresses for platform users, and the other exposed user articles posted on the GrowDiaries site and users’ account passwords. Users should be aware of spear phishing and blackmail risks.
Customers Impacted: 1.4 million
How it Could Affect Your Customers’ Business: Cyberattacks can have cascading consequences, with information stolen in one incident coming back to bite businesses months or years later. Data like login credentials can live on in Dark Web data dumps long after the original leak.
United States – Mattel
https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/
Exploit: Ransomware
Mattel: Toymaker
Risk to Business: 2.327 = Severe
In a recent regulatory filing, Mattel told regulators that it suffered a ransomware attack in July 2020 that shut down some systems but did not involve a significant data loss. Only business systems were impacted; production and distribution were not affected. Experts attribute the incident to TrickBot, a trojan better known as a loader that stages ransomware deployments than as ransomware itself.
Individual Risk: No personal or consumer information was reported as impacted in this incident.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Cybersecurity awareness starts with phishing resistance. It’s the most likely delivery system for ransomware, but training only sticks if it’s refreshed at least every 4 months.
United States – GEO Group
https://www.natlawreview.com/article/geo-group-hit-ransomware-attack
Exploit: Ransomware
GEO Group: Private Prison Developer
Risk to Business: 2.066 = Severe
GEO Group has begun informing impacted individuals and facilities that the Florida-based prison developer was struck by ransomware in July 2020. The company notes that some personally identifiable information and protected health information for some inmates and residents was exposed in the incident. The impacted people are connected to the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and an unnamed defunct facility in California. Employee data was also obtained in the incident.
Individual Risk: 2.221 = Severe
Residents and former residents of the impacted facilities should be alert to spear phishing, identity theft, or blackmail attempts using the stolen data. Employees of GEO Group should also be on the lookout for similar activity.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Failure to stop ransomware attacks from landing on your business is a fast track to a long, messy, and expensive recovery.
The Week in Breach News – Canada
Canada – Saskatchewan Polytechnic
https://globalnews.ca/news/7450319/saskatchewan-polytechnic-cyberattack-online-classes/
Exploit: Ransomware
Saskatchewan Polytechnic: Institution of Higher Learning
Risk to Business: 1.317 = Extreme
Classes were canceled for a week at Saskatchewan Polytechnic after a suspected ransomware attack on October 30th rocked the school’s systems. Students and staff lost access to Office 365 functions, Zoom, and learning platforms. Online classes have been partially restored, but recovery of the impacted systems is ongoing with law enforcement involved. Saskatchewan Polytechnic operates campuses in four locations.
Individual Risk: No personal or consumer information was reported as impacted in this incident so far, but it is still being remediated.
Customers Impacted: 14,176 students, unknown staff
How it Could Affect Your Customers’ Business: Ransomware isn’t just about capturing data anymore, it can also be intended to shut down your business. Security awareness training prevents up to 70% of cybersecurity incidents.
The Week in Breach News – United Kingdom & European Union
United Kingdom – Flagship Group
https://www.theregister.com/2020/11/06/revil_sodinokibi_ransomware_gang_flagship_group_housing/
Exploit: Ransomware
Flagship Group: Rental Housing Facilitator
Risk to Business: 1.862 = Severe
Social housing platform Flagship Group got an unwelcome visitor – REvil ransomware. The company announced that one of their data centers was infected by the ransomware, “compromising some personal staff and customer data”. Operations were not impacted. The attack took place on November 1, 2020, and authorities are investigating as recovery continues.
Individual Risk: 1.613 = Severe
Clients and employees should be aware of the possibility that their personally identifiable or financial data was compromised and be alert to spear phishing and identity theft attempts.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: As the company noted in their report, REvil came calling as part of a phishing email, the biggest cybersecurity threat your business is facing in 2020.
Sweden – Folksam Insurance Group
https://www.pymnts.com/news/security-and-risk/2020/sweden-folksam-insurance-data-breach-big-tech/
Exploit: Accidental Data Sharing
Folksam Insurance Group: Insurance Company
Risk to Business: 2.801 = Moderate
Swedish insurer Folksam made a misstep last week, when employees accidentally shared access to sensitive client data with Facebook, Google, Microsoft, LinkedIn, and Adobe. There are no indications that the data was used. The data was generated as part of an internal marketing analysis.
Individual Risk: 2.654 = Moderate
Folksam has not said precisely what data was shared, but data they maintain includes financial, personal, and professional information about clients.
Customers Impacted: 1,000,000
How it Could Affect Your Customers’ Business: Accidental data sharing is often a result of sloppy data handling and security practices. Clients will lose trust in companies that promise to secure their sensitive data and fail.
Spain – Prestige Software
https://www.hackread.com/hotel-reservation-platform-data-leak-online-booking-sites/
Exploit: Misconfiguration
Prestige Software: Travel Industry Software Developer
Risk to Business: 1.613 = Severe
International booking software provider Prestige is in hot water for a misconfiguration incident that led to the exposure of personally identifiable data for potentially millions of travelers worldwide. An AWS S3 bucket was left open, giving anyone free access to 24.4 GB of information, about 10 million files. Clients of Prestige Software include Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre, and several others. Credit card data for businesses including travel agents and for hotel customers was also stored in this bucket without any security measures.
Individual Risk: 1.624 = Severe
Travelers from as far back as 2013 who have used Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre, and smaller service providers may be impacted. The information exposed includes travelers’ full names, NIC numbers, email addresses, phone numbers, hotel reservation numbers, dates and duration of stay, and credit card numbers including the owner’s name, CVV code, and card expiration date.
Customers Impacted: Unknown, 10 million files were exposed
How it Could Affect Your Customers’ Business: This egregious data handling and security error isn’t just a PR disaster – it’s also going to cost a pretty penny in fines and penalties once regulators get finished, including an anticipated large GDPR bill.
Italy – Campari Group
Exploit: Ransomware
Campari Group: Beverage Vendor
Risk to Business: 2.607 = Moderate
The Ragnar Locker ransomware gang stopped by Italian beverage maker Campari Group, leaving a sticky situation in its wake. The company, creator of brands including Campari, Cinzano, and Appleton, had a large part of its IT systems encrypted, leading to a business disruption. Campari has announced that it was able to restore affected systems and that no sensitive data was impacted. The ransom demand is currently set at $15 million.
Individual Risk: No personal or consumer information was reported as impacted in this incident
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Backup and restoration is an important tool in ransomware recovery – but training your staff to not be fooled by the phishing email that launches a ransomware attack is an effective mitigation strategy.
The Week in Breach News – Asia Pacific
India – Lupin
Exploit: Ransomware
Lupin: Drugmaker
Risk to Business: 1.806 = Severe
As the race to find a vaccine or treatment for COVID-19 heats up, Mumbai-based Lupin became the second major Indian pharmaceutical company to be hit by a suspected ransomware attack in the last few weeks. The company was forced to shut down operations and production at several of its facilities for a brief period, but systems have been restored.
Individual Risk: No personal data was exposed in this incident.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Snarling systems and impacting production are two goals that we’re seeing on the rise on cybercriminal hit lists, and frequently ransomware is the tool that they prefer to shut down businesses.
Japan – Capcom Co., Ltd.
Exploit: Ransomware
Capcom Co., Ltd.: Videogame Company
Risk to Business: 2.070 = Severe
Ragnar Locker ransomware is on the case again, this time in an incident at legendary Japanese game company Capcom. The gang claims to have scored 1TB of sensitive data from Capcom, including data from corporate networks in the US, Japan, and Canada. Industry sources report that Ragnar Locker claims to have encrypted 2,000 devices on Capcom’s networks and is demanding $11,000,000 in bitcoin for the key.
Individual Risk: No individual information was reported as impacted in this incident, although the extent and type of the stolen data is still unclear.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Even giant corporations can become victims of the humble phishing attack, and huge amounts of data like what was captured here help fuel the spear phishing attacks that often lead to ransomware events.
The Week in Breach News – South America
Brazil – Superior Court of Justice
https://www.hackread.com/ransomware-attack-brazil-top-court-encrypts-backups/
Exploit: Ransomware
Superior Court of Justice: Judiciary Body
Risk to Business: 1.227 = Extreme
A ransomware attack savaged the Brazilian judiciary system last week, encrypting or disrupting all major services including the official website. Outlets are also reporting that the system cannot be easily restored because the backups have also been encrypted, which squares with the demands made by cybercriminals for a ransom payment. The Court is collaborating with the Brazilian Army’s Cyber Defense Command and other relevant authorities for investigations. Court actions are suspended pending the restoration of required services.
Individual Risk: While it’s clear that a great deal of information has been stolen or encrypted, there are no specifics on the type.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Ransomware is also becoming a favored weapon of nation-state hackers, and is being more frequently used to disrupt government and essential service operations.
The Week in Breach News Guide to Our Risk Scores
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.
The Week in Breach: Featured Briefing
Credential Stuffing Attacks Disproportionately Target Certain Industries
Many types of cyberattacks are more common in some industries than others. Ransomware has been a consistently dangerous across-the-board offender, but threats like business email compromise scams and corporate espionage tend to cluster. That seems to be the case with credential stuffing attacks in 2020, as certain industries have seen more than their share.
In recent reporting, cybersecurity researchers have uncovered a trend that doesn’t bode well for three already beleaguered industries. In the analysis period, July 1, 2018 to June 30, 2020, researchers counted over 100 billion credential stuffing attempts against myriad targets, and discovered that cybercriminals are playing favorites.
More than 60% of the credential stuffing attacks recorded in the analysis period, some 64 billion attempts at cracking open user accounts, targeted businesses in the retail, hospitality, and travel sectors. While every company carries some risk for credential stuffing, retail is the clear favorite of cybercriminals: more than 80% of the attacks against those three sectors were directed at retail targets.
Analysts suspect that the additional online shopping traffic spurred on by worldwide COVID-19 lockdowns added an extra incentive to go after retailers this year. That explosion in shopping brought back users who hadn’t shopped online much before, enabling cybercriminals to get new mileage out of old lists of compromised credentials in Dark Web data dumps.
So, how can you secure your clients and your business against credential stuffing threats? It turns out that a few simple tools pave the way to enhanced protection from this growing threat:
- Find exposed credentials that could put your clients at risk. Millions of passwords from millions of sources are easily acquired on the Dark Web, even for free. Make sure that employee credentials aren’t floating around on any of those lists.
- Eliminate flimsy barriers that let cybercriminals walk right in. One of the universally recommended mitigations for credential stuffing risk is multi-factor authentication for a good reason – it works.
Protecting your clients from credential stuffing attacks isn’t a magic trick, and it’s not an expensive proposition. It’s a smart move that will prevent data breaches, enhance your MRR, and build your clients’ trust in your expertise. By adding efficient, affordable protection, your clients can have confidence that you’re making sure they’ve got their shield in place against credential stuffing.
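As an added illustration of the two controls above (this is example code written for this edit, not code from the newsletter or from any product it mentions), the Python below does two things a practitioner would actually run: it flags credential-stuffing sources in web authentication logs (one IP trying many distinct usernames with a high failure rate, which a single user retrying a mistyped password does not trigger), and it checks a password against a breached-password corpus using the same k-anonymity pattern Have I Been Pwned’s range API uses, where only the first five hex characters of the SHA-1 hash would ever leave your host. The log lines and the “breach corpus” are constructed for the example, and the log format is an assumption, so the parser would need adjusting to your own server’s format.

```python
"""Credential-stuffing detection over auth logs, plus an offline
k-anonymity style breached-password check.

Added example, not part of the original newsletter. SAMPLE_LOG, the log
format, and BREACH_CORPUS are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one legitimate user who mistypes once, then a
# single source IP spraying leaked credentials across many accounts.
SAMPLE_LOG = """\
2020-11-06T10:00:01Z ip=203.0.113.10 user=alice result=fail
2020-11-06T10:00:05Z ip=203.0.113.10 user=alice result=success
2020-11-06T10:00:07Z ip=198.51.100.7 user=bob result=fail
2020-11-06T10:00:08Z ip=198.51.100.7 user=carol result=fail
2020-11-06T10:00:08Z ip=198.51.100.7 user=dave result=fail
2020-11-06T10:00:09Z ip=198.51.100.7 user=erin result=success
2020-11-06T10:00:09Z ip=198.51.100.7 user=frank result=fail
2020-11-06T10:00:10Z ip=198.51.100.7 user=grace result=fail
2020-11-06T10:00:11Z ip=198.51.100.7 user=heidi result=fail
"""

# Assumed log format: "<iso8601 ts> ip=<ip> user=<name> result=<fail|success>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, succeeded) tuples; skip unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "success"


def find_stuffing_sources(text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio)} for source IPs that, within
    any sliding time window, attempted >= min_users distinct usernames with
    a failure ratio >= min_fail_ratio. Both thresholds must trip, so a lone
    user retrying a password (one username) is never flagged.
    """
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # keep the widest window seen for this IP
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), round(ratio, 2))
    return flagged


# Constructed "breach corpus": SHA-1 of passwords seen in dumps, bucketed by
# the first 5 hex chars the way the HIBP range API partitions its data.
_LEAKED = ["password", "123456", "qwerty", "letmein"]
BREACH_CORPUS = defaultdict(set)
for _pw in _LEAKED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_CORPUS[_h[:5]].add(_h[5:])


def is_breached(password, corpus=BREACH_CORPUS):
    """k-anonymity check: in a live deployment only h[:5] is sent to the
    lookup service; the suffix comparison happens locally, so the password
    (and its full hash) never leaves the host. Here the corpus is local."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in corpus.get(h[:5], set())


if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(SAMPLE_LOG))
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} breached: {is_breached(pw)}")
```

In production the detector would read from your real auth logs or SIEM and the breached-password check would sit in the password-change and login paths, forcing a reset (and, ideally, an MFA challenge) when a hit comes back; the thresholds above are starting points to tune against your own traffic, not universal constants.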
The Week in Breach: Need to Know
Compliance Essentials Save You Money in More Ways Than One
As we head into the last weeks of 2020 (finally!), businesses are starting to take stock of what they’ve accomplished this year and what they need to get done in Q1 2021. When you’re making your review list, don’t forget to include “compliance”, because failing to maintain data and system security is a nasty misstep that no business can afford.
Take a moment to review how compliance requirements may have changed in your industry. Japan’s 2005 Protection of Personal Information law received a major update in 2020. Plus, new GDPR updates and clarifications can add additional complications and additional penalties for failure. India and Hong Kong are also set to enact and enforce updated data privacy regulations.
In the US, data privacy bills were put before legislatures in at least 30 states and Puerto Rico in 2020, and new regulations were enacted in Virginia and Michigan. The California Consumer Privacy Act, enforceable since 2020, could also impact your business, and California voters just passed Proposition 24 (the California Privacy Rights Act) on November 3, 2020, which lets consumers limit how businesses use and share sensitive personal information such as race, religion, genetic data, precise geolocation, and sexual orientation.
One data security best practice that is required or encouraged in many industry compliance regulations is multi-factor authentication (MFA). Protect your data with more than one lock: a password and MFA.
Compliance is a tricky field, and it’s always best to consult with an expert to ensure that you’re safe. Your managed services provider can help you find out exactly what you need to do to ensure that your company’s data handling and storage are on track with industry best practices and compliance requirements, giving you peace of mind as you head into the end of a challenging year.