The Week in Breach: 11/04/20-11/10/20

This week Capcom discovers ransomware isn’t a game, Magecart hackers strike gold from JM Bullion, and healthcare cyberattack warnings come to fruition.

The Week in Breach News: Dark Web ID’s Top Threats This Week


  • Top Source Hits: ID Theft Forum
  • Top Compromise Type: Domain
  • Top Industry: Finance & Insurance
  • Top Employee Count: 501+

The Week in Breach News – United States 


United States – JM Bullion

https://www.bankinfosecurity.com/precious-metal-trader-jm-bullion-admits-to-data-breach-a-15294

Exploit: Skimming (Magecart)

JM Bullion: Precious Metals Dealer


Risk to Business: 1.772 = Severe

This Texas precious metals trader discovered that someone was cashing in on their clients’ transactions and it wasn’t them. In a recent regulatory filing, the company disclosed that malicious payment skimming code was present and active on their website from February 18, 2020, to July 17, 2020.


Individual Risk: 1.624 = Severe

The information stolen in this attack includes customers’ names, addresses, and payment card information, including the account number, expiration date, and security codes. Customers should be alert to potential identity theft and spear phishing attempts.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Failing to notice a payment card skimmer operating on your site for 6 months does not speak well to your company’s commitment to keeping client data secure.


United States – University of Vermont Medical Center

https://www.idagent.com/passly-digital-risk-protection

Exploit: Ransomware

University of Vermont Medical Center: Hospital System 


Risk to Business: 1.402 = Extreme

In the wake of recent warnings from US government agencies about increased ransomware risk for healthcare targets, University of Vermont Medical Center (UVM) has landed in that trap. A ransomware attack has led to significant, ongoing tech problems for the University of Vermont Health Network, affecting its six hospitals in Vermont and New York. The Vermont National Guard and the FBI have been working with the tech team at UVM to restore service since the attack first began affecting systems on October 30th. Damage assessment and recovery are ongoing, and some systems are still offline. The hospital says that urgent patient care was not impacted.

Individual Risk: No personal or consumer information was reported as impacted in this incident.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Healthcare targets are in increasing danger from money-hungry cybercriminals who know that medical targets don’t have time for a long, complex recovery procedure, but they do have money.


United States – GrowDiaries

https://www.zdnet.com/article/configuration-snafu-exposes-passwords-for-two-million-marijuana-growers/

Exploit: Misconfiguration

GrowDiaries:  Industry Blogging Platform 


Risk to Business: 2.237 = Severe

Leading cannabis industry blogging platform GrowDiaries may need to clear its head after a configuration error in Kibana apps left two Elasticsearch databases unlocked and leaking data. Those open gates allowed attackers to dive into two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points.


Individual Risk: 2.612 = Moderate

One open database exposed usernames, email addresses, and IP addresses for platform users, and the other exposed user articles posted on the GrowDiaries site and users’ account passwords. Users should be aware of spear phishing and blackmail risks.

Customers Impacted: 1.4 million

How it Could Affect Your Customers’ Business: Cyberattacks can have cascading consequences: information stolen in one incident can come back to haunt a business months or years later, because data like login credentials lives on in Dark Web data dumps.


United States – Mattel

https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/

Exploit: Ransomware

Mattel: Toymaker


Risk to Business: 2.327 = Severe

In a recent regulatory filing, Mattel told regulators that it suffered a ransomware attack in July 2020 that shut down some systems but did not involve a significant data loss. Only business systems were impacted; production and distribution were not affected. Experts believe that TrickBot ransomware was used in the incident.

Individual Risk: No personal or consumer information was reported as impacted in this incident.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Cybersecurity awareness starts with phishing resistance. It’s the most likely delivery system for ransomware, but training only sticks if it’s refreshed at least every 4 months.


United States – GEO Group

https://www.natlawreview.com/article/geo-group-hit-ransomware-attack

Exploit: Ransomware

GEO Group: Private Prison Developer 


Risk to Business: 2.066 = Severe

GEO Group has begun informing impacted individuals and facilities that the Florida-based prison developer was struck by ransomware in July 2020. The company notes that some personally identifiable information and protected health information for some inmates and residents was exposed in the incident. The impacted people are connected to the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and an unnamed defunct facility in California. Employee data was also obtained in the incident.


Individual Risk: 2.221 = Severe

Residents and former residents of the impacted facilities should be alert to spear phishing, identity theft, or blackmail attempts using the stolen data. Employees of GEO group should also be on the lookout for similar activity.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Failure to stop ransomware attacks from landing on your business is a fast track to a long, messy, and expensive recovery.



The Week in Breach News – Canada


Canada – Saskatchewan Polytechnic

https://globalnews.ca/news/7450319/saskatchewan-polytechnic-cyberattack-online-classes/

Exploit: Ransomware

Saskatchewan Polytechnic: Institution of Higher Learning 


Risk to Business: 1.317 = Extreme

Classes were canceled for a week at Saskatchewan Polytechnic after a suspected ransomware attack on October 30th rocked the school’s systems. Students and staff lost access to O365 functions, Zoom, and learning platforms. Online classes have been partially restored, but the recovery for impacted systems is ongoing with law enforcement involved. Saskatchewan Polytechnic operates campuses in 4 locations.

Individual Risk: No personal or consumer information was reported as impacted in this incident so far, but it is still being remediated.

Customers Impacted: 14,176 students, unknown staff

How it Could Affect Your Customers’ Business: Ransomware isn’t just about capturing data anymore; it can also be intended to shut down your business. Security awareness training prevents up to 70% of cybersecurity incidents.



The Week in Breach News – United Kingdom & European Union


United Kingdom –  Flagship Group

https://www.theregister.com/2020/11/06/revil_sodinokibi_ransomware_gang_flagship_group_housing/

Exploit: Ransomware

Flagship Group: Rental Housing Facilitator 


Risk to Business: 1.862 = Severe

Social housing platform Flagship Group got an unwelcome visitor – REvil ransomware. The company announced that one of their data centers was infected by the ransomware, “compromising some personal staff and customer data”. Operations were not impacted. The attack took place on November 1, 2020, and authorities are investigating as recovery continues.


Individual Risk: 1.613 = Severe

Clients and employees should be aware of the possibility that their personally identifiable or financial data was compromised and be alert to spear phishing and identity theft attempts.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: As the company noted in their report, REvil came calling as part of a phishing email, the biggest cybersecurity threat your business is facing in 2020.


Sweden – Folksam Insurance Group

https://www.pymnts.com/news/security-and-risk/2020/sweden-folksam-insurance-data-breach-big-tech/

Exploit: Accidental Data Sharing

Folksam Insurance Group: Insurance Company


Risk to Business: 2.801 = Moderate

Swedish insurer Folksam made a misstep last week, when employees accidentally shared access to sensitive client data with Facebook, Google, Microsoft, LinkedIn, and Adobe. There are no indications that the data was used. The data was generated as part of an internal marketing analysis.


Individual Risk: 2.654 = Moderate

Folksam has not said precisely what data was shared, but data they maintain includes financial, personal, and professional information about clients.

Customers Impacted: 1,000,000

How it Could Affect Your Customers’ Business: Accidental data sharing is often a result of sloppy data handling and security practices. Clients will lose trust in companies that promise to secure their sensitive data and fail.


Spain – Prestige Software

https://www.hackread.com/hotel-reservation-platform-data-leak-online-booking-sites/

Exploit: Misconfiguration

Prestige Software: Travel Industry Software Developer 


Risk to Business: 1.613 = Severe

International booking software provider Prestige is in hot water for a misconfiguration incident that led to the exposure of personally identifiable data for potentially millions of travelers worldwide. An AWS S3 bucket was left open with free access to 24.4 GB of information, about 10 million files. Clients of Prestige Software include Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre, and several others. Credit card data for businesses including travel agents and hotel customers was also stored in this database without any security measures.


Individual Risk: 1.624 = Severe

Travelers from as far back as 2013 who have used Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre, and smaller service providers may be impacted. The information exposed includes travelers’ full names, NIC numbers, email addresses, phone numbers, hotel reservation numbers, dates and duration of stay, and credit card numbers including the owner’s name, CVV code, and card expiration date.

Customers Impacted: Unknown, 10 million files were exposed

How it Could Affect Your Customers’ Business: This egregious data handling and security error isn’t just a PR disaster – it’s also going to cost a pretty penny in fines and penalties once regulators get finished, including an anticipated large GDPR bill.


Italy – Campari Group

https://www.zdnet.com/article/italian-beverage-vendor-campari-knocked-offline-after-ransomware-attack/

Exploit: Ransomware

Campari Group: Beverage Vendor 


Risk to Business: 2.607 = Severe

The Ragnar Locker ransomware gang stopped by Italian beverage maker Campari Group, leaving a sticky situation in its wake. The company, creator of brands including Campari, Cinzano, and Appleton, had a large part of its IT systems encrypted, leading to a business disruption. Campari has announced that it was able to restore affected systems and that no sensitive data was impacted. The ransom demand is currently set at $15 million.

Individual Risk: No personal or consumer information was reported as impacted in this incident.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Backup and restoration is an important tool in ransomware recovery – but training your staff to not be fooled by the phishing email that launches a ransomware attack is an effective mitigation strategy.


The Week in Breach News – Asia Pacific


India – Lupin

https://www.businesstoday.in/sectors/pharma/lupin-hit-by-cyberattack-threat-increases-for-pharma-firms-amid-covid-19/story/421348.html

Exploit: Ransomware

Lupin: Drugmaker


Risk to Business: 1.806 = Severe

As the race to find a vaccine or treatment for COVID-19 heats up, Mumbai-based Lupin became the second major Indian pharmaceutical company to be hit by a suspected ransomware attack in the last few weeks. The company was forced to shut down operations and production at several of its facilities for a brief period, but systems have been restored.

Individual Risk: No personal data was exposed in this incident.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Snarling systems and impacting production are two goals that we’re seeing on the rise on cybercriminal hit lists, and frequently ransomware is the tool that they prefer to shut down businesses.


Japan – Capcom Inc. Ltd.

https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/

Exploit: Ransomware

Capcom Inc. Ltd.: Videogame Company


Risk to Business: 2.070 = Severe

Ragnar Locker ransomware is on the case again, this time in an incident at legendary Japanese game company Capcom. The gang claims to have scored 1TB of sensitive data from Capcom, including data from corporate networks in the US, Japan, and Canada. Industry sources report that Ragnar Locker claims to have encrypted 2,000 devices on Capcom’s networks and is demanding $11,000,000 in bitcoin for the key.

Individual Risk: No individual information was reported as impacted in this incident, although the extent and type of the stolen data is still unclear.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Even giant corporations can become victims of the humble phishing attack, and huge amounts of data like what was captured here help fuel the spear phishing attacks that often lead to ransomware events.


The Week in Breach News – South America


Brazil – Superior Court of Justice

https://www.hackread.com/ransomware-attack-brazil-top-court-encrypts-backups/

Exploit: Ransomware

Superior Court of Justice: Judiciary Body 


Risk to Business: 1.227 = Extreme

A ransomware attack savaged the Brazilian judiciary system last week, encrypting or disrupting all major services including the official website. Outlets are also reporting that the system cannot be easily restored because the backups have also been encrypted, which squares with the demands made by cybercriminals for a ransom payment. The Court is collaborating with the Brazilian Army’s Cyber Defense Command and other relevant authorities for investigations. Court actions are suspended pending the restoration of required services.

Individual Risk: While it’s clear that a great deal of information has been stolen or encrypted, there are no specifics on the type.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Ransomware is also becoming a favored weapon of nation-state hackers, and is being more frequently used to disrupt government and essential service operations.


The Week in Breach News Guide to Our Risk Scores


1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk


Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.


The Week in Breach: Featured Briefing


Credential Stuffing Attacks Disproportionately Target Certain Industries


Many types of cyberattacks are more common in some industries than others. While ransomware has been a consistently dangerous across-the-board offender, things like business email compromise scams and corporate espionage tend to cluster. That seems to be the case with credential stuffing attacks in 2020, as certain industries have seen more than their share.

In recent reporting, cybersecurity researchers have uncovered a trend that doesn’t bode well for three already beleaguered industries. In the analysis period, July 1, 2018 to June 30, 2020, researchers counted over 100 billion credential stuffing attempts against myriad targets and discovered that cybercriminals are playing favorites.

More than 60% of the credential stuffing attacks recorded in the last 12 months have targeted businesses in the retail, hospitality, and travel sectors, led by 64 billion attempts at cracking open user accounts in just those verticals. While every company carries some risk for credential stuffing, retail is the clear favorite of cybercriminals, with more than 80% of credential stuffing attacks directed at retail targets.

Analysts suspect that additional online shopping traffic spurred on by worldwide COVID-19 lockdowns served as an extra incentive to go after retailers this year. That explosion in shopping brought back some users who hadn’t been shopping online much, enabling cybercriminals to get new mileage out of old lists of compromised credentials in Dark Web data dumps.

So, how can you secure your clients and your business against credential stuffing threats? It turns out that a few simple tools pave the way to enhanced protection from this growing threat:

  • Find exposed credentials that could put your clients at risk. Millions of passwords from millions of sources are easily acquired on the Dark Web, even for free. Make sure that employee credentials aren’t floating around on any of those lists.
  • Eliminate flimsy barriers that let cybercriminals walk right in. One of the universally recommended mitigations for credential stuffing risk is multi-factor authentication for a good reason – it works.
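Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts in a short window and fails most of the time, because it is replaying a leaked password list rather than a user mistyping a single password. The script below is an added example, not code from the newsletter or from ID Agent; it triages constructed log lines in an assumed "timestamp ip user result" format, flags source IPs whose attempts spread across many distinct accounts with a high failure ratio, and goes one step beyond the text by listing the accounts where a replayed password actually worked, which are the accounts whose credentials have evidently been exposed and need a reset and MFA. Thresholds and the log format are assumptions.

```python
"""Credential-stuffing triage over authentication logs.

Added example (not part of the original newsletter). Flags source IPs that
attempt logins against many distinct accounts with a high failure rate, the
signature of a credential-stuffing run driven by a leaked password list.
Log format, thresholds and sample lines are constructed assumptions.
"""
from collections import defaultdict
import re

# Constructed sample lines in an assumed "timestamp ip user result" format.
# 203.0.113.7 sprays eight accounts in four seconds; 198.51.100.2 is one user
# retrying their own password; 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2020-11-05T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-11-05T10:00:01Z 203.0.113.7 bob@example.com FAIL
2020-11-05T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-11-05T10:00:02Z 203.0.113.7 dave@example.com OK
2020-11-05T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-11-05T10:00:03Z 203.0.113.7 frank@example.com FAIL
2020-11-05T10:00:04Z 203.0.113.7 grace@example.com FAIL
2020-11-05T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2020-11-05T10:05:00Z 198.51.100.2 alice@example.com FAIL
2020-11-05T10:05:09Z 198.51.100.2 alice@example.com FAIL
2020-11-05T10:05:20Z 198.51.100.2 alice@example.com OK
2020-11-05T10:06:00Z 192.0.2.9 ivan@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "OK"


def find_stuffing_sources(text, min_accounts=5, min_fail_ratio=0.7):
    """Return {ip: summary} for IPs that look like credential-stuffing sources.

    The distinct-account count is the key signal: a stuffing run spreads
    attempts across many users, while a forgetful user hammers one account.
    The failure ratio keeps shared NAT gateways with normal traffic out of
    the result. Both thresholds are assumed values to tune per environment.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "hits": set()})
    for _ts, ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)  # a replayed password worked: exposed account
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_accounts": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": round(ratio, 2),
                "compromised_accounts": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample this flags only 203.0.113.7 and reports dave@example.com as the account where a leaked password still worked; the retrying user at 198.51.100.2 is not flagged because all attempts hit one account. The compromised-accounts list is the actionable output: those users' passwords are circulating, so a forced reset and MFA enrolment for them is the fix, and rate-limiting or blocking the source IP is the short-term containment.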

Protecting your clients from credential stuffing attacks isn’t a magic trick, and it’s not an expensive proposition. It’s a smart move that will prevent data breaches, enhance your MRR, and build your clients’ trust in your expertise. By adding efficient, affordable protection, your clients can have confidence that you’re making sure they’ve got their shield in place against credential stuffing.

The Week in Breach: Need to Know


Compliance Essentials Save You Money in More Ways Than One


As we head into the last weeks of 2020 (finally!), businesses are starting to take stock of what they’ve accomplished this year and what they need to get done in Q1 2021. When you’re making your review list, don’t forget to include “compliance”, because failing to maintain data and system security is a nasty misstep that no business can afford.

Take a moment to review how compliance requirements may have changed in your industry. Japan’s 2005 Protection of Personal Information law received a major update in 2020. Plus, new GDPR updates and clarifications can add additional complications and additional penalties for failure. India and Hong Kong are also set to enact and enforce updated data privacy regulations.

In the US, data privacy bills were put before legislatures in at least 30 states and Puerto Rico in 2020, and new regulations were enacted in Virginia and Michigan. The newly enacted California Consumer Privacy Act could also impact your business. California voters also just passed Proposition 24 on November 3, 2020, allowing consumers to stop businesses from selling or sharing their personal information, including race, religion, genetic details, geographic location, and sexual orientation.

One data security best practice that is required or encouraged in many industry compliance regulations is multi-factor authentication (MFA). Protect your data with more than one lock: a password and MFA. 

Compliance is a tricky field, and it’s always best to consult with an expert to ensure that you’re safe. Your managed services provider can help you find out exactly what you need to do to ensure that your company’s data handling and storage are on track with industry best practices and compliance requirements, giving you peace of mind as you head into the end of a challenging year.
