GDPR Services report 24 Private Data breaches – Week 28, 2019

• MongoDB Database Exposed 188 Million Records: Researchers
  • Security researchers have found yet another unsecured database that left personal data exposed to the internet. In this latest case, a MongoDB database containing about 188 million records, mostly culled from websites and search engines, was exposed, researchers say. Data Apparently Originated in a GitHub Repository

• K12.com, an online education platform, inadvertently exposed the personal information of nearly seven million students
  • The exposed database contained full names, email addresses, birthdates and gender identities, as well as the school that the students attend, authentication keys for accessing their accounts and other internal data. The information was available online for more than one week, and it’s unclear if the database was at any point accessed by malicious actors. Engadget reached out to K12.com for additional information regarding the data exposure and will update this story if we hear back. K12.com exposed 7 million student records for a week

• Huawei continues to have issues.
  • First are reports of strong links between Huawei employees and Chinese intelligence agencies. Huawei says this is extremely common. So why did the company try to hide these credentials? Next are reports about three major vulnerabilities found in its web application products from Swascan. These include out of bounds exploits and command injections. The two companies worked together to fix the issues. Finally, the researchers at Finite State identified other bugs in various firmware images. “In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors,”. Huawei staff CVs reveal alleged links to Chinese intelligence agencies and Swascan uncovers Huawei ‘s vulnerabilities (pdf)

• GDPR Services: British Airways has been hit with a massive £183 million (equivalent to $229 million) fine by the U.K. regulatory agency ICO.
  • This was for a data leak that took place from May to September last year. More than half a million customers’ Private Data was compromised, resulting in GDPR violations. Intention to fine British Airways £183.39m under GDPR for data breach

• The FBI and the Immigration and Customs Enforcement agencies have been using driver’s license photos to feed data to thousands of facial recognition searches.
  • This is without the drivers’ consent, according to this report. This means that these photos of many people are collected even though they haven’t been charged with a crime. Given that this is being done without any explicit legal approval, Congress is gearing up for legislation to regulate these activities. Both San Francisco and Somerville, Massachusetts, have banned police and other municipal agencies from using any facial recognition software. FBI, ICE find state driver’s license photos are a gold mine for facial-recognition searches

• Hackers have compromised the credentials of the GitHub account of Canonical.
  • The company maintains one of the most popular Linux distributions, Ubuntu, and this account is used to post updates to portions of the OS and related apps. No source code was affected and the credentials were swiftly removed. Ubuntu-Maker Canonical’s GitHub Account Gets Hacked

• Perhaps one of the more audacious vulnerabilities was found by a researcher on the Mac Zoom video conferencing client.
  • This is used by 4 million people currently. It turns on your video camera by default, and can be easily exploited by a hacker. The post discusses the issues, why Zoom made the decisions it did and how you can minimize your exposure (pun intended). Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

• Researchers found a phony malware-infested Google Android app on 25 million phones, with half of them in India.
  • Dubbed Agent Smith, it can be very intrusive and stealthy, stealing user credentials. Google has removed the apps from the Play Store. Agent Smith: A New Species of Mobile Malware

• The agency that manages Greece’s top-level internet domain has suffered another breach.
  • It appears to be caused by state-sponsored actors dubbed Sea Turtle. This post describes the current attack, which used DNS hijacking techniques. Hackers breached Greece’s top-level domain registrar and Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques

• A new type of FinSpy mobile implants has been found and linked to the Gamma hacking Group.
  • This malware is an info stealer and its mobile versions have been around since 2012. The latest version can steal data from more smartphone apps on both iOS and Android devices, including recording voice calls. New FinSpy iOS and Android implants revealed ITW

• The Buhtrap hacking group has stepped up its game and is now using a zero-day privilege escalation bug (CVE-2019-1132) for the first time.
  • This post reviews the group’s history and how it has evolved from simple financial crimes into more spying activities. Buhtrap group uses zero‑day in latest espionage campaigns

• Glamoriser hair straighteners have a Bluetooth connection.
  • The smartphone app that connects to the device can be compromised to literally burn down your house with the right code injection. Burning down the house with IoT

Discover trending and viral stories about Private Data breaches Worldwide. The remaining Security breaches made news headlines. All these happened just last week.

• Phishing Attack on California Vendor Breaches Data of 14,500 Patients
  • An employee of vendor California Reimbursement Enterprises fell victim to a phishing attack in March, which potentially breached the data of 14,500 patients, including those from Los Angeles County DHS. Nemadji Research Corporation, or California Reimbursement Enterprises is notifying 14,591 patients that their data was potentially breached after an employee fell victim to a phishing attack in March.

• DNA Test Service Exposed Thousands of Client Records Online
  • DNA-testing service Vitagene Inc. left thousands of client health reports exposed online for years, the kind of incident that privacy advocates have warned about as gene testing has become increasingly popular. DNA Test Service Exposed Thousands of Client Records Online

• Federal Workers Can Sue Over Data Breach, Court Says
  • Two class action lawsuits, in which federal workers claimed they were harmed when the U.S. Office of Personnel Management (OPM) exposed the personal data of 21.5 million people in 2014, can proceed, the D.C. Circuit Court of Appeals has ruled. The case could have a significant impact on other cyber attacks that have targeted the federal government and involve the personal data of employees.

• Fortune 100 company data exposed by misconfigured Attunity AWS instance
  • The exposed data, which totaled at least 1 terabyte, included a large collection of internal business documents, email correspondence, system passwords, sales and marketing contact information and project specifications. That data also included documents from Attunity clients, including Ford Motor Co., Netflix Inc. and Toronto-Dominion Bank. Data relating to a range of Fortune 100 companies has been found exposed on three Amazon Web Services Inc. S3 storage instances belonging to Attunity Inc., a data integration and big data management firm acquired by QlikTech International AB in February.

• US Customs and Border Protection reportedly suspends subcontractor over cyberattack
  • The US Customs and Border Protection has reportedly suspended a subcontractor following a “malicious cyberattack” in May that caused it to lose photos of travelers into and out of the country. Perceptics, which makes license plate scanners and other surveillance equipment for CBP, has been suspended from contracting with the federal government. A surveillance equipment provider may have been blacklisted by the federal government.

• Gay dating app Jack’d fined $240k for exposing private photos
  • The parent company, Online Buddies, fixed the problem after one year they were informed by a cyber-security researcher Oliver Hough. The researcher informed the company about the flaw in February 2018, but the firm paid heed to the problem only in February 2019. A gay dating app Jack’d will have to pay $240,000 to its users after they exposed private intimate photos on the internet for at least a year.

• GDPR Services: Mercyhealth recently announced it learned of a data breach involving the same third party vendor used by Beloit Health System, which reported a data breach earlier this year.
  • Mercyhealth and Beloit Health System used OS Inc. for claims processing and updating services. Both health systems say that on or about Dec. 21, 2018, OS Inc. learned of the suspicious activity and the company confirmed there was unauthorized access to employees’ email accounts from Oct. 15, 2018 through Dec. 21, 2018. MERCYHEALTH EXPERIENCES DATA BREACH

• Largest private provider Eurofins hands over undisclosed fee to regain control of systems
  • Britain’s largest private forensics provider has paid a ransom to hackers after its IT systems were brought to a standstill by a cyber-attack, it has been reported. Eurofins, which is thought to carry out about half of all private forensic analysis, was targeted in a ransomware attack on 2 June, which the company described at the time as “highly sophisticated”. Three weeks later the company said its operations were “returning to normal”, but did not disclose whether or not a ransom had been paid. Hacked forensic firm pays ransom after malware attack

• Security researchers have discovered another major digital skimming campaign, this time compromising over 960 e-commerce sites in just a day.
  • It described the discovery as “the largest automated campaign to date” – with 962 sites infected with the infamous Magecart code. That’s far higher than the previous number of 700 online stores and indicates a highly automated operation, as the attacks happened in a 24-hour period with victims located around the world. Magecart Blitz Stuns 962 E-commerce Sites in 24 Hours

• Sensitive private and financial information of hundreds of Credit Card users were discovered to be stored in a database that lay unsecured.
  • The researchers running a simple scanning program discovered a database exposed on the Internet owned by Fieldwork Software. Shockingly, the data contained extensive financial details belonging to business clients. In addition to the Credit Card details, other highly sensitive information such as associated names, GPS tags, and even communication between the client and the service provider could be potentially accessed and exploited. The troubling aspect is that the scanning projects that exposed the leaky database is rather easy to deploy and is being increasingly used by professional hacking groups to exploit financial information or plant malware. Credit Card Details Including Personal Information, IP Addresses, And Other Communication Found Exposed Of Fieldwork Software

• The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123 million) fine for a data breach that exposed up to 383 million guests.
  • Marriott revealed last year that its acquired Starwood properties had its central reservation database hacked, including five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but was not discovered until November 2018. Marriott later pulled the hacked reservation system from its operations. Marriott to face $123 million fine by UK authorities over data breach

• A lawsuit claims FedEx violated federal securities laws after a cyber attack.
  • The suit, which impacts people who purchases FedEx stock in a 15-month period starting in September 2017, alleges that FedEx misguided investors about how fast it would be able to cover costs from the cyber attack that impacted one of its subsidiaries, TNT Express. Lawsuit claims FedEx misled investors after cyber attack