to the public in a serious breachAttack.Databreachof security and student privacy protocol . In a post-breach letter to parents , WAHS principal , Darah Bonham , explained that the school ’ s Peer Nomination Survey “ asks students to identify peers who either have been victims of bullying or have been responsible for bullying others. ” Bonham continued by revealing that a change to the survey exposedAttack.Databreachpresumed confidential names of students listed on the survey : The survey is administered electronically and this morning , a change was made to add questions having to do with student needs around technology . Regrettably , this change inadvertently altered the security settings , making publically accessible , some survey information reported by students . It did not make public the names of students who provided that information . While WAHS has given assurances that the names of those submitting data to the survey were not exposedAttack.Databreach, concerned parents , students , and teachers were not assuaged .
VILLAGE OF NASHOTAH - The village recently paidAttack.Ransoman unidentified hacker a $ 2,000 ransomAttack.Ransomto decrypt its computer system after a hackAttack.Databreachin late November that left some residents ' personal information exposedAttack.Databreach. Village President Richard Lartz said Thursday , Dec 7 , that the hack `` totally encrypted '' Nashotah 's computer files , making them inaccessible to staff . He said the only information that was exposedAttack.Databreachduring the breachAttack.Databreachwere citizens ' names and driver 's license numbers , and possibly their addresses . Social Security numbers and other sensitive information was not compromisedAttack.Databreach. `` The only information that got outAttack.Databreachwas voter rolls , '' Lartz said , emphasizing that neither he nor village staff know whether that information was used or dispersedAttack.Databreachby the hacker .
Austal , which is based in Henderson , Western Australia , is one of the country 's largest shipbuilders ; it has built vessels for the U.S. Navy . The company , which is listed on Australia 's ASX stock exchange , announced the breach late Thursday . The announcement came just a day after a security researcher in France postedAttack.Databreachscreenshots on Twitter of the purported stolen data . Austal says the material is neither sensitive nor classified and that it has taken steps to secure its data systems. `` The data breachAttack.Databreachhas had no impact on Austal 's ongoing operations , '' the company says . Austal 's business in the United States is unaffected by this issue , as the computer systems are not linked . A spokesman for Austal contacted on Friday says he could n't offer further information on the incident . The breachAttack.DatabreachexposedAttack.Databreachship design drawings that are distributed to customers , fabrication subcontractors and suppliers , Austal says . It also exposedAttack.Databreach`` some staff email addresses and mobile phone numbers . '' Those individuals have been informed as well as a `` small number '' of other stakeholders directly impacted by the breach , the company reports . Austal has contacted the Australian Cyber Security Center and the Australian Federal Police . The Office of the Australian Information Commissioner , which enforces the country 's data protection regulations `` will be involved as required , '' Austal says . Companies are increasingly being subjected to ransomsAttack.Ransomby hackers after their networks have been breachedAttack.Databreach. RansomsAttack.Ransomput companies in tough positions : risk public exposure of potentially embarrassing data , or risk paying a ransomAttack.Ransomand still face a chance the data could be released anyway . Security experts and law enforcement generally advise against paying ransomsAttack.Ransom, even after incidents of file-encrypting malware . But some companies have viewed the situation as either a cost of doing business or a shorter route to recovery . Late last month in the U.S , the city of West Haven , Connecticut , paidAttack.Ransom$ 2,000 to unlock 23 servers that had been infected with ransomware ( see : Connecticut City Pays RansomAttack.RansomAfter Crypto-Locking Attack ) . The city 's attorney , Lee Tiernan , was quoted by the Associated Press as saying `` research showed it was the best course of action . '' If the city did n't have a backup file , it may have had little choice .
Austal , which is based in Henderson , Western Australia , is one of the country 's largest shipbuilders ; it has built vessels for the U.S. Navy . The company , which is listed on Australia 's ASX stock exchange , announced the breach late Thursday . The announcement came just a day after a security researcher in France postedAttack.Databreachscreenshots on Twitter of the purported stolen data . Austal says the material is neither sensitive nor classified and that it has taken steps to secure its data systems. `` The data breachAttack.Databreachhas had no impact on Austal 's ongoing operations , '' the company says . Austal 's business in the United States is unaffected by this issue , as the computer systems are not linked . A spokesman for Austal contacted on Friday says he could n't offer further information on the incident . The breachAttack.DatabreachexposedAttack.Databreachship design drawings that are distributed to customers , fabrication subcontractors and suppliers , Austal says . It also exposedAttack.Databreach`` some staff email addresses and mobile phone numbers . '' Those individuals have been informed as well as a `` small number '' of other stakeholders directly impacted by the breach , the company reports . Austal has contacted the Australian Cyber Security Center and the Australian Federal Police . The Office of the Australian Information Commissioner , which enforces the country 's data protection regulations `` will be involved as required , '' Austal says . Companies are increasingly being subjected to ransomsAttack.Ransomby hackers after their networks have been breachedAttack.Databreach. RansomsAttack.Ransomput companies in tough positions : risk public exposure of potentially embarrassing data , or risk paying a ransomAttack.Ransomand still face a chance the data could be released anyway . Security experts and law enforcement generally advise against paying ransomsAttack.Ransom, even after incidents of file-encrypting malware . But some companies have viewed the situation as either a cost of doing business or a shorter route to recovery . Late last month in the U.S , the city of West Haven , Connecticut , paidAttack.Ransom$ 2,000 to unlock 23 servers that had been infected with ransomware ( see : Connecticut City Pays RansomAttack.RansomAfter Crypto-Locking Attack ) . The city 's attorney , Lee Tiernan , was quoted by the Associated Press as saying `` research showed it was the best course of action . '' If the city did n't have a backup file , it may have had little choice .
Yahoo , Adult Friend Finder , LinkedIn , Tumblr and Daily Motion all have something in common : in 2016 , details of massive hacks perpetrated against the companies were disclosed . The firms represent a handful of the companies and public bodies around the world that suffered at the hands of hackers last year . Data compromisedAttack.Databreachusually included names , emails , and physical addresses , and even personal bank details , ethnicity data , and phone numbers . And the hacks aren ’ t stopping anytime soon . 2017 has already been dominated by numerous data breachesAttack.Databreachand the most recent affects the Association of British Travel Agents , commonly known as ABTA . To keep you in the loop on data breachesAttack.Databreachthis year , WIRED will keep a running tally of successful hacks . The abta.com web server for the Association of British Travel Agents ( ABTA ) was recently hackedAttack.Databreachby “ an external infiltrator ” who exposedAttack.Databreachthe details of 43,000 individuals . Around 1,000 of these included files that could include personal identity information of customers of ABTA members uploaded since 11 January 2017 , while around 650 may also include personal identity information of ABTA members . As the UK ’ s largest travel association , ABTA ’ s members include travel agents and tour operators . The unauthorised accessAttack.Databreachwas said to be possible due to a system vulnerability “ that the infiltrator exploited ” to accessAttack.Databreachsome data provided by some customers of ABTA Members and by ABTA Members themselves . On immediate investigation , ABTA saidVulnerability-related.DiscoverVulnerabilityit identifiedVulnerability-related.DiscoverVulnerabilitythat although ABTA ’ s own IT systems remained secure , there was a vulnerability to the web server managed for ABTA through a third-party web developer and hosting company . “ This , unfortunately , means some documentation uploaded to the website , as well as some information provided by customers , may have been accessedAttack.Databreach, ” ABTA ’ s CEO , Mark Tanzer said . As a precautionary measure , it has taken steps to warn its members and customers of ABTA members who have the potential to be affected . The group has also alerted the relevant authorities , including the Information Commissioner ( ICO ) and the police .
Investigators with Hold Security , a Wisconsin-based security consultancy , on Tuesday afternoon discovered an unsecure internal customer service portal for the company 's Argentinian operations . The national ID numbers for at least 14,000 Argentinians have been exposedAttack.Databreach, but the leakAttack.Databreachcould potentially affect tens of thousands more people . The website held thousands of credit-related dispute records , faxes and national identity numbers for Argentinians who had filed complaints . It also stored the usernames and passwords in plaintext for about 100 of the company 's customer service representatives . The findings were first reported by cybersecurity blogger Brian Krebs , who notified Equifax . The website has now been shut down . The findings will put further pressure on Equifax , which has been criticized for its haphazard and slow response to a breachAttack.Databreachthat exposedAttack.Databreachthe personal details of 143 million U.S. consumers , as well as an as-yet-unspecified number of British and Canadian residents . Alex Holden , founder and CTO of Hold Security , tells Information Security Media Group that the Equifax website for Argentina `` could be exploited by a 3-year-old . '' He says he did n't use any advanced hacking techniques to uncover the breach . Holden - a veteran investigator credited with discovering the massive Adobe Systems and Target data breaches in 2013 - says he still found the Equifax findings `` completely unexpected and surprising . '' Equifax says it acted immediately to halt the leak , which is unrelated to the breach it announced Sept 7 , says Meredith Griffanti , the company 's spokeswoman for Latin America . The data was a `` limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions , '' she says . `` We have no evidence at this time that any consumers , customers , or information in our commercial and credit databases were negatively affected , and we will continue to test and improve all security measures in the region , '' Griffanti says .
Six million of Verizon 's US customers had their personal and account information exposedAttack.Databreach, including PIN numbers . Verizon Communications suffered a major data leakAttack.Databreachdue to a misconfigured cloud server that exposedAttack.Databreachdata on 6 million of its customers . The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon 's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE 's cloud server , according to UpGuard , which issued a report on the breach today . Verizon customer names , addresses , account information , including account personal identification numbers ( PINs ) , were compromisedAttack.Databreach. UpGuard in its data estimated that up to 14 million customer records were exposedAttack.Databreach, but Verizon stated that data on 6 million of its users was affected . In one file alone , there were 6,000 PINs that were publicly exposedAttack.Databreach, according to Dan O'Sullivan , a cyber resilience analyst for UpGuard . What 's unique about this leakAttack.Databreachis that it was not just personal data that was publicly exposedAttack.Databreachbut also PINs , according to O'Sullivan . `` The PINs are used to identify a customer to a customer care person , '' O'Sullivan says , noting that an attacker could impersonate the user by using the PIN and then gain access to that individual 's account . Verizon issued a statement acknowledging the public exposureAttack.Databreachof its customer data , but stressed that no loss or theftAttack.Databreachof Verizon or Verizon customer information occurred . The telecom giant also noted : `` To the extent PINs were included in the data set , the PINs are used to authenticate a customer calling our wireline call center , but do not provide online access to customer accounts , '' Verizon stated . `` An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access , '' Verizon said . How it Went Down NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal , according to Verizon 's statement . As part of this project , NICE needed certain data that included a limited amount of personal and cell phone number information . None of the information stored for the project included social security numbers , according to Verizon . Meanwhile , on June 8 , UpGuard 's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain `` verizon-sftp . '' The repository held six folders with titles spanning `` Jan-2017 '' to `` June-2017 '' and a number of other files with a .zip format . Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL . Following the discovery , UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakageAttack.Databreachand then on June 22 the exposure was sealed up , according to UpGuard 's report . `` There was a fairly long duration of time before it was fixed , which is troubling , '' O'Sullivan says . Verizon is not the first company to encounter data leakageAttack.Databreachas a result of permissions set to public rather than private on Amazon 's S3 bucket . Earlier this year , UpGuard also discovered a similar situation that involved the Republican National Committee ( RNC ) , which left millions of voter records exposedAttack.Databreachon the cloud account . As in the Verizon case , the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon 's AWS S3 . That third-party also improperly set the database to public rather than private . `` The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors . You can have the best security in the world and the best visibility into your systems , but if you pass it onto a third-party vendor without checking out how well they handle their security , then you have done that all in vain , '' O'Sullivan says . `` Verizon did not own the server that was involved here , but it will own the consequences . '' Rich Campagna , CEO of Bitglass , stressed the importance of security teams ensuring services used are configured securely . `` This massive data leakAttack.Databreachcould have been avoided by using specific data-centric security tools , which can ensure appropriate configuration of cloud services , deny unauthorized accessAttack.Databreach, and encrypt sensitive data at rest , '' Campagna said in a statement .
Six million of Verizon 's US customers had their personal and account information exposedAttack.Databreach, including PIN numbers . Verizon Communications suffered a major data leakAttack.Databreachdue to a misconfigured cloud server that exposedAttack.Databreachdata on 6 million of its customers . The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon 's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE 's cloud server , according to UpGuard , which issued a report on the breach today . Verizon customer names , addresses , account information , including account personal identification numbers ( PINs ) , were compromisedAttack.Databreach. UpGuard in its data estimated that up to 14 million customer records were exposedAttack.Databreach, but Verizon stated that data on 6 million of its users was affected . In one file alone , there were 6,000 PINs that were publicly exposedAttack.Databreach, according to Dan O'Sullivan , a cyber resilience analyst for UpGuard . What 's unique about this leakAttack.Databreachis that it was not just personal data that was publicly exposedAttack.Databreachbut also PINs , according to O'Sullivan . `` The PINs are used to identify a customer to a customer care person , '' O'Sullivan says , noting that an attacker could impersonate the user by using the PIN and then gain access to that individual 's account . Verizon issued a statement acknowledging the public exposureAttack.Databreachof its customer data , but stressed that no loss or theftAttack.Databreachof Verizon or Verizon customer information occurred . The telecom giant also noted : `` To the extent PINs were included in the data set , the PINs are used to authenticate a customer calling our wireline call center , but do not provide online access to customer accounts , '' Verizon stated . `` An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access , '' Verizon said . How it Went Down NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal , according to Verizon 's statement . As part of this project , NICE needed certain data that included a limited amount of personal and cell phone number information . None of the information stored for the project included social security numbers , according to Verizon . Meanwhile , on June 8 , UpGuard 's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain `` verizon-sftp . '' The repository held six folders with titles spanning `` Jan-2017 '' to `` June-2017 '' and a number of other files with a .zip format . Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL . Following the discovery , UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakageAttack.Databreachand then on June 22 the exposure was sealed up , according to UpGuard 's report . `` There was a fairly long duration of time before it was fixed , which is troubling , '' O'Sullivan says . Verizon is not the first company to encounter data leakageAttack.Databreachas a result of permissions set to public rather than private on Amazon 's S3 bucket . Earlier this year , UpGuard also discovered a similar situation that involved the Republican National Committee ( RNC ) , which left millions of voter records exposedAttack.Databreachon the cloud account . As in the Verizon case , the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon 's AWS S3 . That third-party also improperly set the database to public rather than private . `` The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors . You can have the best security in the world and the best visibility into your systems , but if you pass it onto a third-party vendor without checking out how well they handle their security , then you have done that all in vain , '' O'Sullivan says . `` Verizon did not own the server that was involved here , but it will own the consequences . '' Rich Campagna , CEO of Bitglass , stressed the importance of security teams ensuring services used are configured securely . `` This massive data leakAttack.Databreachcould have been avoided by using specific data-centric security tools , which can ensure appropriate configuration of cloud services , deny unauthorized accessAttack.Databreach, and encrypt sensitive data at rest , '' Campagna said in a statement .
Six million of Verizon 's US customers had their personal and account information exposedAttack.Databreach, including PIN numbers . Verizon Communications suffered a major data leakAttack.Databreachdue to a misconfigured cloud server that exposedAttack.Databreachdata on 6 million of its customers . The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon 's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE 's cloud server , according to UpGuard , which issued a report on the breach today . Verizon customer names , addresses , account information , including account personal identification numbers ( PINs ) , were compromisedAttack.Databreach. UpGuard in its data estimated that up to 14 million customer records were exposedAttack.Databreach, but Verizon stated that data on 6 million of its users was affected . In one file alone , there were 6,000 PINs that were publicly exposedAttack.Databreach, according to Dan O'Sullivan , a cyber resilience analyst for UpGuard . What 's unique about this leakAttack.Databreachis that it was not just personal data that was publicly exposedAttack.Databreachbut also PINs , according to O'Sullivan . `` The PINs are used to identify a customer to a customer care person , '' O'Sullivan says , noting that an attacker could impersonate the user by using the PIN and then gain access to that individual 's account . Verizon issued a statement acknowledging the public exposureAttack.Databreachof its customer data , but stressed that no loss or theftAttack.Databreachof Verizon or Verizon customer information occurred . The telecom giant also noted : `` To the extent PINs were included in the data set , the PINs are used to authenticate a customer calling our wireline call center , but do not provide online access to customer accounts , '' Verizon stated . `` An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access , '' Verizon said . How it Went Down NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal , according to Verizon 's statement . As part of this project , NICE needed certain data that included a limited amount of personal and cell phone number information . None of the information stored for the project included social security numbers , according to Verizon . Meanwhile , on June 8 , UpGuard 's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain `` verizon-sftp . '' The repository held six folders with titles spanning `` Jan-2017 '' to `` June-2017 '' and a number of other files with a .zip format . Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL . Following the discovery , UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakageAttack.Databreachand then on June 22 the exposure was sealed up , according to UpGuard 's report . `` There was a fairly long duration of time before it was fixed , which is troubling , '' O'Sullivan says . Verizon is not the first company to encounter data leakageAttack.Databreachas a result of permissions set to public rather than private on Amazon 's S3 bucket . Earlier this year , UpGuard also discovered a similar situation that involved the Republican National Committee ( RNC ) , which left millions of voter records exposedAttack.Databreachon the cloud account . As in the Verizon case , the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon 's AWS S3 . That third-party also improperly set the database to public rather than private . `` The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors . You can have the best security in the world and the best visibility into your systems , but if you pass it onto a third-party vendor without checking out how well they handle their security , then you have done that all in vain , '' O'Sullivan says . `` Verizon did not own the server that was involved here , but it will own the consequences . '' Rich Campagna , CEO of Bitglass , stressed the importance of security teams ensuring services used are configured securely . `` This massive data leakAttack.Databreachcould have been avoided by using specific data-centric security tools , which can ensure appropriate configuration of cloud services , deny unauthorized accessAttack.Databreach, and encrypt sensitive data at rest , '' Campagna said in a statement .
Six million of Verizon 's US customers had their personal and account information exposedAttack.Databreach, including PIN numbers . Verizon Communications suffered a major data leakAttack.Databreachdue to a misconfigured cloud server that exposedAttack.Databreachdata on 6 million of its customers . The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon 's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE 's cloud server , according to UpGuard , which issued a report on the breach today . Verizon customer names , addresses , account information , including account personal identification numbers ( PINs ) , were compromisedAttack.Databreach. UpGuard in its data estimated that up to 14 million customer records were exposedAttack.Databreach, but Verizon stated that data on 6 million of its users was affected . In one file alone , there were 6,000 PINs that were publicly exposedAttack.Databreach, according to Dan O'Sullivan , a cyber resilience analyst for UpGuard . What 's unique about this leakAttack.Databreachis that it was not just personal data that was publicly exposedAttack.Databreachbut also PINs , according to O'Sullivan . `` The PINs are used to identify a customer to a customer care person , '' O'Sullivan says , noting that an attacker could impersonate the user by using the PIN and then gain access to that individual 's account . Verizon issued a statement acknowledging the public exposureAttack.Databreachof its customer data , but stressed that no loss or theftAttack.Databreachof Verizon or Verizon customer information occurred . The telecom giant also noted : `` To the extent PINs were included in the data set , the PINs are used to authenticate a customer calling our wireline call center , but do not provide online access to customer accounts , '' Verizon stated . `` An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access , '' Verizon said . How it Went Down NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal , according to Verizon 's statement . As part of this project , NICE needed certain data that included a limited amount of personal and cell phone number information . None of the information stored for the project included social security numbers , according to Verizon . Meanwhile , on June 8 , UpGuard 's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain `` verizon-sftp . '' The repository held six folders with titles spanning `` Jan-2017 '' to `` June-2017 '' and a number of other files with a .zip format . Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL . Following the discovery , UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakageAttack.Databreachand then on June 22 the exposure was sealed up , according to UpGuard 's report . `` There was a fairly long duration of time before it was fixed , which is troubling , '' O'Sullivan says . Verizon is not the first company to encounter data leakageAttack.Databreachas a result of permissions set to public rather than private on Amazon 's S3 bucket . Earlier this year , UpGuard also discovered a similar situation that involved the Republican National Committee ( RNC ) , which left millions of voter records exposedAttack.Databreachon the cloud account . As in the Verizon case , the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon 's AWS S3 . That third-party also improperly set the database to public rather than private . `` The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors . You can have the best security in the world and the best visibility into your systems , but if you pass it onto a third-party vendor without checking out how well they handle their security , then you have done that all in vain , '' O'Sullivan says . `` Verizon did not own the server that was involved here , but it will own the consequences . '' Rich Campagna , CEO of Bitglass , stressed the importance of security teams ensuring services used are configured securely . `` This massive data leakAttack.Databreachcould have been avoided by using specific data-centric security tools , which can ensure appropriate configuration of cloud services , deny unauthorized accessAttack.Databreach, and encrypt sensitive data at rest , '' Campagna said in a statement .
Six million of Verizon 's US customers had their personal and account information exposedAttack.Databreach, including PIN numbers . Verizon Communications suffered a major data leakAttack.Databreachdue to a misconfigured cloud server that exposedAttack.Databreachdata on 6 million of its customers . The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon 's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE 's cloud server , according to UpGuard , which issued a report on the breach today . Verizon customer names , addresses , account information , including account personal identification numbers ( PINs ) , were compromisedAttack.Databreach. UpGuard in its data estimated that up to 14 million customer records were exposedAttack.Databreach, but Verizon stated that data on 6 million of its users was affected . In one file alone , there were 6,000 PINs that were publicly exposedAttack.Databreach, according to Dan O'Sullivan , a cyber resilience analyst for UpGuard . What 's unique about this leakAttack.Databreachis that it was not just personal data that was publicly exposedAttack.Databreachbut also PINs , according to O'Sullivan . `` The PINs are used to identify a customer to a customer care person , '' O'Sullivan says , noting that an attacker could impersonate the user by using the PIN and then gain access to that individual 's account . Verizon issued a statement acknowledging the public exposureAttack.Databreachof its customer data , but stressed that no loss or theftAttack.Databreachof Verizon or Verizon customer information occurred . The telecom giant also noted : `` To the extent PINs were included in the data set , the PINs are used to authenticate a customer calling our wireline call center , but do not provide online access to customer accounts , '' Verizon stated . `` An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access , '' Verizon said . How it Went Down NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal , according to Verizon 's statement . As part of this project , NICE needed certain data that included a limited amount of personal and cell phone number information . None of the information stored for the project included social security numbers , according to Verizon . Meanwhile , on June 8 , UpGuard 's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain `` verizon-sftp . '' The repository held six folders with titles spanning `` Jan-2017 '' to `` June-2017 '' and a number of other files with a .zip format . Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL . Following the discovery , UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakageAttack.Databreachand then on June 22 the exposure was sealed up , according to UpGuard 's report . `` There was a fairly long duration of time before it was fixed , which is troubling , '' O'Sullivan says . Verizon is not the first company to encounter data leakageAttack.Databreachas a result of permissions set to public rather than private on Amazon 's S3 bucket . Earlier this year , UpGuard also discovered a similar situation that involved the Republican National Committee ( RNC ) , which left millions of voter records exposedAttack.Databreachon the cloud account . As in the Verizon case , the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon 's AWS S3 . That third-party also improperly set the database to public rather than private . `` The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors . You can have the best security in the world and the best visibility into your systems , but if you pass it onto a third-party vendor without checking out how well they handle their security , then you have done that all in vain , '' O'Sullivan says . `` Verizon did not own the server that was involved here , but it will own the consequences . '' Rich Campagna , CEO of Bitglass , stressed the importance of security teams ensuring services used are configured securely . `` This massive data leakAttack.Databreachcould have been avoided by using specific data-centric security tools , which can ensure appropriate configuration of cloud services , deny unauthorized accessAttack.Databreach, and encrypt sensitive data at rest , '' Campagna said in a statement .
Hard Rock Hotels & Casinos alongside Loews Hotels have warned customers that a security failure may have resulted in the theft of their information . Both incidents appear to have been linked to a third-party reservation platform , SynXis , which only begun informing client hotels of the security breach in June , months after the attacks took place . Hard Rock Hotels & Casinos issued a statement informing customers of the data breachAttack.Databreachlast week , which took place due to the Sabre Hospitality Solutions SynXis third-party reservation system . The hotel chain , which operates 176 cafes , 24 hotels and 11 casinos in 75 countries , said SynXis , the backbone infrastructure for reservations made through hotels and travel agencies , provided the avenue for data theftAttack.Databreachand the exposureAttack.Databreachof customer information . `` The unauthorized party first obtained accessAttack.Databreachto payment card and other reservation information on August 10 , 2016 , '' the hotel chain said. `` The last accessAttack.Databreachto payment card information was on March 9 , 2017 . '' Hard Rock Hotel & Casino properties in Biloxi , Cancun , Chicago , Goa , Las Vegas , Palm Springs , Panama Megapolis , Punta Cana , Rivera Maya , San Diego and Vallarta are all affected . According to Sabre , an `` unauthorized party gained accessAttack.Databreachto account credentials that permitted unauthorized accessAttack.Databreachto payment card information , as well as certain reservation information '' for a `` subset '' of reservations . The attacker was able to grabAttack.Databreachunencrypted payment card information for hotel reservations , including cardholder names , card numbers , and expiration dates . In some cases , security codes were also exposedAttack.Databreach, alongside guest names , email addresses , phone numbers , and addresses . In May , Sabre said an investigation into a possible breach was underway . In a quarterly SEC filing , the company said , `` unauthorized access has been shut off , and there is no evidence of continued unauthorized activity at this time . '' While Sabre has not revealed exactly how the system was breached , the company has hired third-party cybersecurity firm Mandiant to investigate . Loews Hotels also appears to be a victim of the same security failure . According to NBC , Sabre was also at fault and cyberattackers were able to slurpAttack.Databreachcredit card , security code , and password information through the booking portal . In some cases , email addresses , phone numbers , and street addresses were also allegedly exposedAttack.Databreach. According to Sabre , its software is used by roughly 36,000 hotel properties . `` Not all reservations that were viewed included the payment card security code , as a large percentage of bookings were made without a security code being provided , '' Sabre said in a statement . `` Others were processed using virtual card numbers in lieu of consumer credit cards . Sabre has notified law enforcement and the credit card brands as part of our investigation . '' If you stayed in one of these properties on the dates mentioned above , you may be at risk of identity theft should the attackers choose to sell their stolen cache of data . Sabre suggests signing up for a free credit report -- available to US consumers once a year for free -- and notify their bank of any stolen activity . However , no compensation has yet been made available . These hotel chains are far from the only ones that have suffered a data breachAttack.Databreachin recent years . Back in April , InterContinental admitted that a data breachAttack.Databreachfirst believed to be isolated to 12 properties actually harmed roughly 1,200 , resulting in the exposureAttack.Databreachof customer credit card data .
Hard Rock Hotels & Casinos alongside Loews Hotels have warned customers that a security failure may have resulted in the theft of their information . Both incidents appear to have been linked to a third-party reservation platform , SynXis , which only begun informing client hotels of the security breach in June , months after the attacks took place . Hard Rock Hotels & Casinos issued a statement informing customers of the data breachAttack.Databreachlast week , which took place due to the Sabre Hospitality Solutions SynXis third-party reservation system . The hotel chain , which operates 176 cafes , 24 hotels and 11 casinos in 75 countries , said SynXis , the backbone infrastructure for reservations made through hotels and travel agencies , provided the avenue for data theftAttack.Databreachand the exposureAttack.Databreachof customer information . `` The unauthorized party first obtained accessAttack.Databreachto payment card and other reservation information on August 10 , 2016 , '' the hotel chain said. `` The last accessAttack.Databreachto payment card information was on March 9 , 2017 . '' Hard Rock Hotel & Casino properties in Biloxi , Cancun , Chicago , Goa , Las Vegas , Palm Springs , Panama Megapolis , Punta Cana , Rivera Maya , San Diego and Vallarta are all affected . According to Sabre , an `` unauthorized party gained accessAttack.Databreachto account credentials that permitted unauthorized accessAttack.Databreachto payment card information , as well as certain reservation information '' for a `` subset '' of reservations . The attacker was able to grabAttack.Databreachunencrypted payment card information for hotel reservations , including cardholder names , card numbers , and expiration dates . In some cases , security codes were also exposedAttack.Databreach, alongside guest names , email addresses , phone numbers , and addresses . In May , Sabre said an investigation into a possible breach was underway . In a quarterly SEC filing , the company said , `` unauthorized access has been shut off , and there is no evidence of continued unauthorized activity at this time . '' While Sabre has not revealed exactly how the system was breached , the company has hired third-party cybersecurity firm Mandiant to investigate . Loews Hotels also appears to be a victim of the same security failure . According to NBC , Sabre was also at fault and cyberattackers were able to slurpAttack.Databreachcredit card , security code , and password information through the booking portal . In some cases , email addresses , phone numbers , and street addresses were also allegedly exposedAttack.Databreach. According to Sabre , its software is used by roughly 36,000 hotel properties . `` Not all reservations that were viewed included the payment card security code , as a large percentage of bookings were made without a security code being provided , '' Sabre said in a statement . `` Others were processed using virtual card numbers in lieu of consumer credit cards . Sabre has notified law enforcement and the credit card brands as part of our investigation . '' If you stayed in one of these properties on the dates mentioned above , you may be at risk of identity theft should the attackers choose to sell their stolen cache of data . Sabre suggests signing up for a free credit report -- available to US consumers once a year for free -- and notify their bank of any stolen activity . However , no compensation has yet been made available . These hotel chains are far from the only ones that have suffered a data breachAttack.Databreachin recent years . Back in April , InterContinental admitted that a data breachAttack.Databreachfirst believed to be isolated to 12 properties actually harmed roughly 1,200 , resulting in the exposureAttack.Databreachof customer credit card data .
Sensitive information related to the United States Air Force has been found exposed publiclyAttack.Databreachon the internet , allowing anyone with a web connection to peruse them without authorisation and no need for a password . The discoveryVulnerability-related.DiscoverVulnerabilitywas made by security researchers at MacKeeper who said that they had foundVulnerability-related.DiscoverVulnerabilitygigabytes of files on an internet-connected backup drive that was not password-protected : The most shocking document was a spreadsheet of open investigations that included the name , rank , location , and a detailed description of the accusations . The investigations range from discrimination and sexual harassment to more serious claims . One example is an investigation into a Major General who is accused of accepting $ 50k a year from a sports commission that was supposedly funneled into the National Guard . As ZDNet reports , the names and addresses , ranks , and social security numbers of more than 4000 US Air Force officers were included in the stash of personal information . Further documents included phone numbers and contact information for workers and their spouses . Clearly some of the details exposedAttack.Databreachthrough the security lapse would be of value to foreign intelligence agencies and criminal gangs , and could lead to blackmail attempts or identity theft . What we don ’ t know is how long the information has been accessibleAttack.Databreachonline , and we also do not know if anyone other than the security researchers had managed to stumble acrossAttack.Databreachthe exposed information . But the truth of the matter is that we shouldn ’ t ever have to find ourselves in a question to ask such questions . Whenever you decide to store information on the internet , particularly sensitive data , you should be doing your utmost to ensure that you have minimised the risk of it falling into the wrong hands . That means always keeping your computer patchedVulnerability-related.PatchVulnerabilityand running an up-to-date anti-virus , using encryption , enabling passwords and ensuring that the password chosen is a strong one , turning on additional authentication checks such as two-step verification and restricting the range of trusted IP addresses from where users can login from
2016 brought massive password dumpsAttack.Databreach, resulting from the highly publicized Yahoo and LinkedIn breachesAttack.Databreachthat exposedAttack.Databreachmillions of users ’ passwords to the public and for sale on the dark web . Research has revealed that about 35 % of the leaked LinkedIn passwords were already known from previous password dictionaries , making them vulnerable to other accounts . Researchers at behavioral firewall company Preempt took a look at the LinkedIn credentials and also found that 65 % of the leaked passwords can be easily cracked with brute force using standard off-the-shelf cracking hardware . The study also looked at general password intelligence and found that password rules , which many enterprises employ , can allow users to create weak passwords that can easily be cracked—and many individuals use the same password for multiple accounts , signaling a password epidemic amongst organizations and their users . “ One thing is certain , any person that used the same password for Linkedin as they did for their work account ( or other account ) , is currently vulnerable within these other accounts , ” said Preempt researcher Eran Cohen , in a blog . “ Unfortunately , there are many users that don ’ t make that connection . Their LinkedIn account was breachedAttack.Databreach, so they just change their LinkedIn password , not realizing that if they are using that same password elsewhere , they are actually exposedAttack.Databreachin all of those places as well . For IT security teams , this is an unknown vulnerability they have to deal with. ” Overall , the examination showed that low-complexity passwords can be cracked in less than a day , medium-complexity passwords are cracked in less than a week and high-complexity password are cracked in less than a month . “ Users reuse passwords . They rotate them . Add a digit to them . And even use identical or share passwords with others , ” said Cohen . “ As data scientists , it is our job to go deeper , and identify the common human behavior . For example , we ’ ve seen how local culture impacts passwords , where local football team names are commonly used as passwords . The problem is that only about 1 % of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken. ” To stay safe , companies should use a password policy to enforce complexity and password expiration ; require longer passwords ( 8 bad , 10 ok , 12 good ) ; implement a context-based solution to train and enforce password policy based on users ' activity ; add additional factors to authenticate users ; and educate people to avoid sharing passwords with other employees and cloud services . They should also avoid the use of simple patterns , personal data or common words ; and employees shouldn ’ t repeat passwords when a password expires ( enumeration included ) .
2016 brought massive password dumpsAttack.Databreach, resulting from the highly publicized Yahoo and LinkedIn breachesAttack.Databreachthat exposedAttack.Databreachmillions of users ’ passwords to the public and for sale on the dark web . Research has revealed that about 35 % of the leaked LinkedIn passwords were already known from previous password dictionaries , making them vulnerable to other accounts . Researchers at behavioral firewall company Preempt took a look at the LinkedIn credentials and also found that 65 % of the leaked passwords can be easily cracked with brute force using standard off-the-shelf cracking hardware . The study also looked at general password intelligence and found that password rules , which many enterprises employ , can allow users to create weak passwords that can easily be cracked—and many individuals use the same password for multiple accounts , signaling a password epidemic amongst organizations and their users . “ One thing is certain , any person that used the same password for Linkedin as they did for their work account ( or other account ) , is currently vulnerable within these other accounts , ” said Preempt researcher Eran Cohen , in a blog . “ Unfortunately , there are many users that don ’ t make that connection . Their LinkedIn account was breachedAttack.Databreach, so they just change their LinkedIn password , not realizing that if they are using that same password elsewhere , they are actually exposedAttack.Databreachin all of those places as well . For IT security teams , this is an unknown vulnerability they have to deal with. ” Overall , the examination showed that low-complexity passwords can be cracked in less than a day , medium-complexity passwords are cracked in less than a week and high-complexity password are cracked in less than a month . “ Users reuse passwords . They rotate them . Add a digit to them . And even use identical or share passwords with others , ” said Cohen . “ As data scientists , it is our job to go deeper , and identify the common human behavior . For example , we ’ ve seen how local culture impacts passwords , where local football team names are commonly used as passwords . The problem is that only about 1 % of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken. ” To stay safe , companies should use a password policy to enforce complexity and password expiration ; require longer passwords ( 8 bad , 10 ok , 12 good ) ; implement a context-based solution to train and enforce password policy based on users ' activity ; add additional factors to authenticate users ; and educate people to avoid sharing passwords with other employees and cloud services . They should also avoid the use of simple patterns , personal data or common words ; and employees shouldn ’ t repeat passwords when a password expires ( enumeration included ) .
Here are five best practices that can help you boost end-user experiences , simplify performance management , and reduce the cost of your AWS environment . The number of successful cyberattacks per year per company has increased by 46 % over the last four years . But what really needs to be considered when exploring a solution ? The leaked database weighs in at 52.2GB , and according to ZDNet comes via business services firm Dun & Bradstreet , which sells it to marketers that send targeted email campaigns . After examining the data , Hunt has revealed that the data dumpAttack.Databreachcontains details belonging exclusively to US-based companies and government agencies . California is the most represented demographic with over four million records , followed by New York with 2.7 million records and Texas with 2.6 million records . The leading organisation by records is the Department of Defense , with 101,013 personnel records exposed in the dumpAttack.Databreach. It is followed by the United States Postal Service ( USPS ) with 88,153 leaked employee records and AT & T with 67,382 . Other firms affected by the leakAttack.Databreachincludes CVS with 40,739 records , Citigroup with 35,292 and IBM with 33,412 . The database contains dozens of fields , some including personal information such as names , job titles and functions , work email addresses , and phone numbers . While the database does n't contain more sensitive information , such as credit card numbers or SSNs , Hunt says it 's an `` absolute goldmine for targeted spear phishingAttack.Phishing. '' `` From this data , you can piece together organisational structures and tailor messagingAttack.Phishingto create an air of authenticity and that 's something that 's attractive to crooks and nation-state actors alike , '' he said . `` I often work with companies attempting to mitigate the damage of their organisational data being publicly exposedAttack.Databreach( frequently due to data breachesAttack.Databreach) , and I can confidently say that knowing this information is out there circulating would concern many of them . '' Dun & Bradstreet has denied responsibility for the leakAttack.Databreachand said it could have come from come from any of its thousands of clients . `` Based on our analysis , it is our determination that there has been no exposureAttack.Databreachof sensitive personal information from , and no infiltration of our system . The information in question is data typically found on a business card . `` As general practice , Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data , '' a spokesperson told the INQUIRER
Three appears to have made a blunder , after customers logging into the British mobile phone company ’ s website found themselves looking at other customers ’ accounts - including the names , addresses , call histories and data usage of complete strangers . The Guardian describes how one customer , Andy Fidler , found the Three app on his mobile phone wasn ’ t working - and so he decided to log into Three ’ s website instead : “ I managed to successfully download a complete stranger ’ s phone bill . All I did was click on the link to bring up my bill . It included the name , address , how much they were paying , the phone numbers they had rung and texted. ” Fortunately , bank details were not accessible . He wasn ’ t the only one to stumble across the problem - which appears to be more of a technical screw-up than a malicious hack - as posts on Three ’ s official Facebook page reveal . A Three spokesperson says that they are aware of the problem and are investigating . But one has to wonder how many customers could have been put at risk of having their private data exposedAttack.Databreach, and for how long the problem has been present . The Information Commissioner ’ s Office has confirmed it will be “ looking into this potential incident involving Three ” , and if they find the company has been sloppy with its securing customer details it is unlikely to be impressed . Last November , in what appears to be an unconnected incident , Three revealed that its upgrade database had been breachedAttack.Databreach, exposingAttack.Databreachthe names , phone numbers , addresses and dates of birth of over 130,000 customers .
On April 14 , the company disclosed to the California attorney general that a December 2015 breachAttack.DatabreachcompromisedAttack.Databreachmore sensitive information than first thought . It also disclosed new attacksAttack.Databreachfrom earlier this year that exposedAttack.Databreachnames , contact information , email addresses and purchase histories , although the retailer says it repelled most of the attacks . The dual notifications mark the latest problems for the company , which disclosed in early 2014 that its payment systems were infected with malware that stoleAttack.Databreach350,000 payment card details . Over the past few years , retailers such as Target , Home Depot and others have battled to keep their card payments systems malware-free ( see Neiman Marcus Downsizes Breach Estimate ) . The 2015 incident started around Dec 26 . In a notification to California about a month later , the retailer said it was believed attackers cycled through login credentials that were likely obtainedAttack.Databreachthrough other data breachesAttack.Databreach. A total of 5,200 accounts were accessedAttack.Databreach, and 70 of those accounts were used to make fraudulent purchases . Although email addresses and passwords were not exposedAttack.Databreach, the original notification noted , accessAttack.Databreachto the accounts would have revealed names , saved contact information , purchase histories and the last four digits of payment card numbers . The affected websites included other brands run by Neiman Marcus , including Bergdorf Goodman , Last Call , CUSP and Horchow . According to its latest notification , however , Neiman Marcus Group now says full payment card numbers and expiration dates were exposedAttack.Databreachin the 2015 incidentAttack.Databreach. The latest attack disclosed by Neiman Marcus Group , which occurred around Jan 17 , mirrors the one from December 2015 . It affects the websites of Neiman Marcus , Bergdorf Goodman , Last Call , CUSP , Horchow and a loyalty program called InCircle . Again , the company believes that attackers recycled other stolen credentials in an attempt to see which ones still worked on its sites . It appears that some of the credentials did unlock accounts . The breachAttack.DatabreachexposedAttack.Databreachnames , contact information , email addresses , purchase histories and the last four digits of payment card numbers . It did n't specify the number of accounts affected . The attackers were also able to accessAttack.Databreachsome InCircle gift card numbers , the company says . Web services can slow down hackers when suspicious activity is noticed , such as rapid login attempts from a small range of IP addresses . Those defensive systems can be fooled , however , by slowing down login attempts and trying to plausibly geographically vary where those attempts originate . For those affected by the January incident , Neimen Marcus Group is enforcing a mandatory password reset . It 's an action that 's not undertaken lightly for fear of alienating users , but it 's a sign of how serious a service feels the risk is to users or customers . The company also is offering those affected a one-year subscription to an identity theft service .
On April 14 , the company disclosed to the California attorney general that a December 2015 breachAttack.DatabreachcompromisedAttack.Databreachmore sensitive information than first thought . It also disclosed new attacksAttack.Databreachfrom earlier this year that exposedAttack.Databreachnames , contact information , email addresses and purchase histories , although the retailer says it repelled most of the attacks . The dual notifications mark the latest problems for the company , which disclosed in early 2014 that its payment systems were infected with malware that stoleAttack.Databreach350,000 payment card details . Over the past few years , retailers such as Target , Home Depot and others have battled to keep their card payments systems malware-free ( see Neiman Marcus Downsizes Breach Estimate ) . The 2015 incident started around Dec 26 . In a notification to California about a month later , the retailer said it was believed attackers cycled through login credentials that were likely obtainedAttack.Databreachthrough other data breachesAttack.Databreach. A total of 5,200 accounts were accessedAttack.Databreach, and 70 of those accounts were used to make fraudulent purchases . Although email addresses and passwords were not exposedAttack.Databreach, the original notification noted , accessAttack.Databreachto the accounts would have revealed names , saved contact information , purchase histories and the last four digits of payment card numbers . The affected websites included other brands run by Neiman Marcus , including Bergdorf Goodman , Last Call , CUSP and Horchow . According to its latest notification , however , Neiman Marcus Group now says full payment card numbers and expiration dates were exposedAttack.Databreachin the 2015 incidentAttack.Databreach. The latest attack disclosed by Neiman Marcus Group , which occurred around Jan 17 , mirrors the one from December 2015 . It affects the websites of Neiman Marcus , Bergdorf Goodman , Last Call , CUSP , Horchow and a loyalty program called InCircle . Again , the company believes that attackers recycled other stolen credentials in an attempt to see which ones still worked on its sites . It appears that some of the credentials did unlock accounts . The breachAttack.DatabreachexposedAttack.Databreachnames , contact information , email addresses , purchase histories and the last four digits of payment card numbers . It did n't specify the number of accounts affected . The attackers were also able to accessAttack.Databreachsome InCircle gift card numbers , the company says . Web services can slow down hackers when suspicious activity is noticed , such as rapid login attempts from a small range of IP addresses . Those defensive systems can be fooled , however , by slowing down login attempts and trying to plausibly geographically vary where those attempts originate . For those affected by the January incident , Neimen Marcus Group is enforcing a mandatory password reset . It 's an action that 's not undertaken lightly for fear of alienating users , but it 's a sign of how serious a service feels the risk is to users or customers . The company also is offering those affected a one-year subscription to an identity theft service .
HipChat has reset all its users ' passwords after what it called a security incident that may have exposedAttack.Databreachtheir names , email addresses and hashed password information . In some cases , attackers may have accessedAttack.Databreachmessages and content in chat rooms , HipChat said in a Monday blog post . But this happened in no more than 0.05 percent of the cases , each of which involved a domain URL , such as company.hipchat.com . HipChat did n't say how many users may have been affected by the incident . The passwords that may have been exposedAttack.Databreachwould also be difficult to crack , the company said . The data is hashed , or obscured , with the bcrypt algorithm , which transforms the passwords into a set of random-looking characters . For added security , HipChat `` salted '' each password with a random value before hashing it . HipChat warned that chat room data including the room name and topic may have also been exposedAttack.Databreach. But no financial or credit information was takenAttack.Databreach, the company said . HipChat is a popular messaging service used among enterprises , and an attackAttack.Databreachthat exposedAttack.Databreachsensitive work-related chats could cause significant harm . The service , which is owned by Atlassian , said it detected the security incident last weekend . It affectedVulnerability-related.DiscoverVulnerabilitya server in the HipChat Cloud and was caused by a vulnerability in an unnamed , but popular , third-party library that HipChat.com used , the company said . No other Atlassian systems were affected , the company said . “ We are confident we have isolated the affected systems and closed any unauthorized access , ” HipChat said in its blog post . This is not the first time the messaging service has faced problems keeping accounts secure . In 2015 , HipChat reset user passwords after detecting and blocking suspicious activity in which account information was stolenAttack.Databreachfrom less than 2 percent of its users . When breaches occur , security experts advise users to change their passwords for any accounts where they used the same login information . Users can consider using a password manager to help them store complex , tough-to-memorize passwords . HipChat has already sent an email to affected users , informing them of the password reset . In 2015 , rival chat application Slack reported its own breach , and as a result rolled out two-factor authentication to beef up its account security . HipChat does not offer two-factor authentication .
A California auto loan company left the names , addresses , credit scores and partial Social Security numbers of up to 1 million people exposedAttack.Databreachon an insecure online database . The company behind the database is Alliance Direct Lending Corporation , according to Kromtech Security Research Center , which discovered the data earlier this week . It said the data was found on an unprotected Amazon server and that the data could have been exposedAttack.Databreachfor up to two years . According to Alliance Direct Lending ’ s website , the company works with individuals and auto dealership partners to help car owners refinance existing auto loans . Data stored in the cloud was in clear text , according Diachenko . He said data also included several dozen recorded voice conversations with customers that disclosed full Social Security numbers of loan applicants . Sample data included the names of 114 car dealerships . According to Kromtech , it estimated between 550,000 to 1.1 million loan records from those dealers were exposedAttack.Databreachonline . Dealers were located across the United States from California , Colorado , Florida and Massachusetts . Kromtech said it was unsure if additional third parties may have accessedAttack.Databreachthe data . Privacy experts said the data in the hands of the wrong person would be a nightmare for victims . A criminal that knows the data comes from people who have refinanced their car loan and may have less than stellar credit , coupled with partial Social Security numbers , would be a dream come true . “ Things could go wrong on a variety of levels . The data could be used to phish additional dataAttack.Phishingvia email or phone scams . That ’ s not even mentioning the reputational damage to those in the database with bad credit scores , ” said Adam Levin , chairman and founder of CyberScout . The data found by Kromtech was on an Amazon ’ s AWS S3 server . AWS S3 is marketed as an easy-to-use web service that allows businesses to store and retrieve data at a moment ’ s notice . Data is stored in what Amazon calls buckets . “ The Kromtech Security Research Center has seen an increase in vulnerable AWS S3 buckets recently due to misconfigurations or public settings , ” Diachenko said . “ We have identified hundreds of misconfigured instances and we have been focused on helping to secure them as soon as we identify who the data belongs to. ” He said companies should consider Alliance Direct Lending ’ s example a sobering reminder that companies and individuals need to make sure their data is secure . For Diachenko , this is the latest in a string of insecure database he has helped uncover . In January , he was part of a research team that found 400,000 audio files associated with a Florida company ’ s telemarketing efforts were stored insecurely online . In February , Kromtech researchers found tens of thousands of sensitive documents insecurely stored online belonging to a print and marketing firm . Thousands of resumes and job applications from U.S. military veterans , law enforcement , and others were leakedAttack.Databreachby a recruiting vendor in an unsecured AWS S3 bucket .
A California financing company exposedAttack.Databreachup to 1 million records online that contained names , addresses , fragments of Social Security numbers and data related to vehicle loans , according to a researcher 's report . The data comes from Alliance Direct Lending , which is based in Orange , California , writes Bob Diachenko , who works with the security research team at Kromtech Alliance Corp. of Germany . Alliance Direct Lending specializes in refinancing auto loans at a lower interest rate , and it also has partnerships with dealers across the country . `` It is unclear if anyone other than security researchers accessed it or how long the data was exposedAttack.Databreach, '' Diachenko writes in a blog post . Security researchers , as well as hackers , have had a field day lately exposing configuration mistakes organizations have made when setting up databases . Despite a string of well-publicized findings , the errors are still being made , or at least , not being caught . Aside from breachesAttack.Databreach, other organizations have seen their data erased and held for ransomAttack.Ransom, with notes left inside the databases asking for bitcoinsAttack.Ransom( see Database Hijackings : Who 's Next ? ) . Kromtech notified Alliance , which has since taken the data offline , Diachenko writes . Information Security Media Group 's efforts to reach Alliance officials were not immediately successful . Under California 's mandatory data breachAttack.Databreachnotification law , Alliance would be required to report the breachAttack.Databreach. `` The IT administrator claimed that it had only recently been leakedAttack.Databreachand was not was not up for long , '' Diachenko writes . `` He thanked us for the notification and the data was secured very shortly after the notification call . '' Researchers came across the data while looking into Amazon Web Services Simple Storage Service ( S3 ) `` buckets , '' which is the term for storage instances on the popular cloud hosting service . They were specifically hunting for buckets that had been left online but required no authentication . The bucket contained 1,000 items , of which 210 were public . The leaked data included .csv files listed by dealerships located around the country . The number of consumer details leaked ranges between 550,000 up to 1 million , Diachenko writes . A screenshot posted on Kromtech 's blog shows a sampling of the dealerships affected . Kromtech shared with ISMG a data sample pertaining to a dealership in Michigan . It shows full names , addresses , ZIP codes , what appear to be FICO credit scores , an annual percentage rate and the last four digits of Social Security numbers . `` The danger of this information being leakedAttack.Databreachis that cybercriminals would have enough to engage in identity theft , obtainAttack.Databreachcredit cards or even file a false tax return , '' Diachenko writes . While full Social Security numbers weren't exposedAttack.Databreach, there 's still a risk in leakingAttack.Databreachthe last four digits . When trying to verify customers ' identities , companies will sometimes ask for a fragment of data . So for fraudsters compiling dossiers , every bit , however incomplete , helps . Also exposedAttack.Databreachwere 20 phone call recordings with customers who were negotiating auto loan deals . `` These consent calls were the customers agreeing that they understood they were getting an auto loan , confirming that the information was correct and true , '' Diachenko writes . `` They included the customer 's name , date of birth , social security numbers , and phone numbers . '' The bucket was last modified on Dec. 29 , 2016 , Kromtech writes . Amazon has strong security built around S3 storage , so it would appear that whomever created the bucket might have disabled its controls . According to Amazon 's guidance , `` only the bucket and object owners originally have access to Amazon S3 resources they created . '' Amazon also has identity and access management controls that can be used to carefully restrict who can access and change data . Buckets can also be made off-limits based on HTTP referrers and IP addresses . Managing Editor , Security and Technology , ISMG Kirk is a veteran journalist who has reported from more than a dozen countries . Based in Sydney , he is Managing Editor for Security and Technology for Information Security Media Group . Prior to ISMG , he worked from London and Sydney covering computer security and privacy for International Data Group . Further back , he covered military affairs from Seoul , South Korea , and general assignment news for his hometown paper in Illinois .
A California financing company exposedAttack.Databreachup to 1 million records online that contained names , addresses , fragments of Social Security numbers and data related to vehicle loans , according to a researcher 's report . The data comes from Alliance Direct Lending , which is based in Orange , California , writes Bob Diachenko , who works with the security research team at Kromtech Alliance Corp. of Germany . Alliance Direct Lending specializes in refinancing auto loans at a lower interest rate , and it also has partnerships with dealers across the country . `` It is unclear if anyone other than security researchers accessed it or how long the data was exposedAttack.Databreach, '' Diachenko writes in a blog post . Security researchers , as well as hackers , have had a field day lately exposing configuration mistakes organizations have made when setting up databases . Despite a string of well-publicized findings , the errors are still being made , or at least , not being caught . Aside from breachesAttack.Databreach, other organizations have seen their data erased and held for ransomAttack.Ransom, with notes left inside the databases asking for bitcoinsAttack.Ransom( see Database Hijackings : Who 's Next ? ) . Kromtech notified Alliance , which has since taken the data offline , Diachenko writes . Information Security Media Group 's efforts to reach Alliance officials were not immediately successful . Under California 's mandatory data breachAttack.Databreachnotification law , Alliance would be required to report the breachAttack.Databreach. `` The IT administrator claimed that it had only recently been leakedAttack.Databreachand was not was not up for long , '' Diachenko writes . `` He thanked us for the notification and the data was secured very shortly after the notification call . '' Researchers came across the data while looking into Amazon Web Services Simple Storage Service ( S3 ) `` buckets , '' which is the term for storage instances on the popular cloud hosting service . They were specifically hunting for buckets that had been left online but required no authentication . The bucket contained 1,000 items , of which 210 were public . The leaked data included .csv files listed by dealerships located around the country . The number of consumer details leaked ranges between 550,000 up to 1 million , Diachenko writes . A screenshot posted on Kromtech 's blog shows a sampling of the dealerships affected . Kromtech shared with ISMG a data sample pertaining to a dealership in Michigan . It shows full names , addresses , ZIP codes , what appear to be FICO credit scores , an annual percentage rate and the last four digits of Social Security numbers . `` The danger of this information being leakedAttack.Databreachis that cybercriminals would have enough to engage in identity theft , obtainAttack.Databreachcredit cards or even file a false tax return , '' Diachenko writes . While full Social Security numbers weren't exposedAttack.Databreach, there 's still a risk in leakingAttack.Databreachthe last four digits . When trying to verify customers ' identities , companies will sometimes ask for a fragment of data . So for fraudsters compiling dossiers , every bit , however incomplete , helps . Also exposedAttack.Databreachwere 20 phone call recordings with customers who were negotiating auto loan deals . `` These consent calls were the customers agreeing that they understood they were getting an auto loan , confirming that the information was correct and true , '' Diachenko writes . `` They included the customer 's name , date of birth , social security numbers , and phone numbers . '' The bucket was last modified on Dec. 29 , 2016 , Kromtech writes . Amazon has strong security built around S3 storage , so it would appear that whomever created the bucket might have disabled its controls . According to Amazon 's guidance , `` only the bucket and object owners originally have access to Amazon S3 resources they created . '' Amazon also has identity and access management controls that can be used to carefully restrict who can access and change data . Buckets can also be made off-limits based on HTTP referrers and IP addresses . Managing Editor , Security and Technology , ISMG Kirk is a veteran journalist who has reported from more than a dozen countries . Based in Sydney , he is Managing Editor for Security and Technology for Information Security Media Group . Prior to ISMG , he worked from London and Sydney covering computer security and privacy for International Data Group . Further back , he covered military affairs from Seoul , South Korea , and general assignment news for his hometown paper in Illinois .
A report released on Monday by The Centre for Internet and Society reveals that over 135 million records from India 's Aadhaar national ID systems have already leakedAttack.Databreachonline . The leaksAttack.Databreachdid n't take place because of a flaw in the national Aadhaar system , but through government agencies that handle Aadhar data . According to the report , just four government programs are responsible for leakingAttack.Databreacha whopping number of 135 million records . The programs mentioned in the report are India 's National Social Assistance Programme ( NSAP ) , the National Rural Employment Guarantee Scheme ( NREGA ) , the Govt . of Andhra Pradesh 's Chandranna Bima Scheme , and the Govt . of Andhra Pradesh 's Daily Online Payment Reports of NREGA . The prevalence of Aadhaar data is how The Centre for Internet and Society has discovered the leakAttack.Databreach. Improperly configured systems exposedAttack.Databreachthe details of program participants on the Internet . While the full Aadhaar database was never exposedAttack.Databreach, details in the government program databases allow a fraudster to tie a person 's leaked details ( names , addresses , phone numbers ) to an Aadhaar 12-digit ID . If enough of these details leakAttack.Databreachin different places , fraudster can build comprehensive profiles on Indian citizens , even recreating the Aadhaar database themselves . For its part , the Indian government has admitted that some of the Aadhaar database has leakedAttack.Databreachonline through its ministries , said it started investigations , and is already preparing changes to Aadhaa'rs security policies . Right now , because of the massive leakAttack.Databreachof 135 million details , including Aadhaar IDs , Indians stand to become victims of financial fraud . In the future , as other government programs leakAttack.Databreachmore data , including biometrics , the problem will pass the point where the government could do anything to fixVulnerability-related.PatchVulnerabilityit .
Developers are once again being blamedVulnerability-related.DiscoverVulnerabilityfor cloud back-end security vulnerabilities , this time in a new reportVulnerability-related.DiscoverVulnerabilityfrom Appthority . The company published investigation results that found nearly 43 TB of enterprise data was exposedAttack.Databreachon cloud back-ends , including personally identifiable information ( PII ) . This comes just shortly after a similar report from a different security company . In the new `` 2017 Q2 Enterprise Mobile Threat Report '' report ( free upon providing registration info ) , Appthority found `` data leakageAttack.Databreach`` from mobile apps that send data to unsecured cloud back-ends . While security concerns typically focus on a triad of other factors -- apps , device threats and network threats -- this data leakageAttack.Databreachon the back-end was dubbed the `` HospitalGown '' threat because of that garment 's open back-end . `` In total , we foundVulnerability-related.DiscoverVulnerabilityalmost 43 TB of data exposedAttack.Databreachand 1,000 apps affectedVulnerability-related.DiscoverVulnerabilityby the HospitalGown vulnerability , '' Appthority saidVulnerability-related.DiscoverVulnerabilityin a blog post last week . `` Looking at a subset of 39 apps , we still found 280 million records exposedAttack.Databreach, a total of about 163 GB of data . This is a staggering amount of leaked information , and in some cases represents the entirety of customer or operational data for an enterprise . '' The reportVulnerability-related.DiscoverVulnerabilityechoes the findings of an earlier reportVulnerability-related.DiscoverVulnerabilityby RedLock Inc. , which revealedVulnerability-related.DiscoverVulnerabilitymany security issues primarily caused by user misconfigurations on public cloud platforms . RedLock claimed it found 82 percent of hosted databases remain unencrypted , among many other problems . As with the RedLock reportVulnerability-related.DiscoverVulnerability, developers were blamedVulnerability-related.DiscoverVulnerabilityfor the HospitalGown vulnerabilities. `` HospitalGown is a vulnerability to data exposure caused , not by any code in the app , but by the app developers ' failure to properly secure the back-end ( hence its name ) servers with which the app communicates and where sensitive data is stored , '' Appthority said . Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacksAttack.Ransomearlier this year that generated widespread publicity in the security field . However , that publicity apparently was n't enough to significantly alleviate the issue . `` As our findings show , weakly secured back-ends in apps used by employees , partners and customers create a range of security risks including extensive data leaksAttack.Databreachof personally identifiable information ( PII ) and other sensitive data , '' the report states . `` They also significantly increase the risk of spear phishingAttack.Phishing, brute force login , social engineering , data ransomAttack.Ransom, and other attacks . And , HospitalGown makes data accessAttack.Databreachand exfiltrationAttack.Databreachfar easier than other types of attacks . '' Key findings of the report as listed by the company include : Affected apps are connecting to unsecured data stores on popular enterprise services , such as Elasticsearch and MySQL , which are leakingAttack.Databreachlarge amounts of sensitive data . Apps using just one of these services revealed almost 43TB of exposed data . Multiple affected apps leakedAttack.Databreachsome form of PII , including passwords , location , travel and payment details , corporate profile data ( including employees ' VPN PINs , emails , phone numbers ) , and retail customer data . Enterprise security teams do not have visibility into the risk due to the risk 's location in the mobile app vendor 's architecture stack . In multiple cases , data has already been accessedAttack.Databreachby unauthorized individuals and ransomedAttack.Ransom. Even apps that have been removed from devices and the app stores still pose an exposureAttack.Databreachrisk due to the sensitive data that remains stored on unsecured servers . The company saidVulnerability-related.DiscoverVulnerabilityits Mobile Threat Team identifiedVulnerability-related.DiscoverVulnerabilitythe HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method , looking at the network traffic on more than 1 million enterprise mobile apps , both iOS and Android . As with the misconfiguration problems identifiedVulnerability-related.DiscoverVulnerabilityin the RedLock reportVulnerability-related.DiscoverVulnerability, Appthority emphasizedVulnerability-related.DiscoverVulnerabilitythat all cases of HospitalGown vulnerabilities were caused by human errors , not malicious intent or inherent infrastructure problems . That human error was especially prevalent in two app implementations investigated by Appthority : Pulse Workspace ( for accessing enterprise network and Web applications ) and Jacto apps ( from an agricultural machinery company ) .
Developers are once again being blamedVulnerability-related.DiscoverVulnerabilityfor cloud back-end security vulnerabilities , this time in a new reportVulnerability-related.DiscoverVulnerabilityfrom Appthority . The company published investigation results that found nearly 43 TB of enterprise data was exposedAttack.Databreachon cloud back-ends , including personally identifiable information ( PII ) . This comes just shortly after a similar report from a different security company . In the new `` 2017 Q2 Enterprise Mobile Threat Report '' report ( free upon providing registration info ) , Appthority found `` data leakageAttack.Databreach`` from mobile apps that send data to unsecured cloud back-ends . While security concerns typically focus on a triad of other factors -- apps , device threats and network threats -- this data leakageAttack.Databreachon the back-end was dubbed the `` HospitalGown '' threat because of that garment 's open back-end . `` In total , we foundVulnerability-related.DiscoverVulnerabilityalmost 43 TB of data exposedAttack.Databreachand 1,000 apps affectedVulnerability-related.DiscoverVulnerabilityby the HospitalGown vulnerability , '' Appthority saidVulnerability-related.DiscoverVulnerabilityin a blog post last week . `` Looking at a subset of 39 apps , we still found 280 million records exposedAttack.Databreach, a total of about 163 GB of data . This is a staggering amount of leaked information , and in some cases represents the entirety of customer or operational data for an enterprise . '' The reportVulnerability-related.DiscoverVulnerabilityechoes the findings of an earlier reportVulnerability-related.DiscoverVulnerabilityby RedLock Inc. , which revealedVulnerability-related.DiscoverVulnerabilitymany security issues primarily caused by user misconfigurations on public cloud platforms . RedLock claimed it found 82 percent of hosted databases remain unencrypted , among many other problems . As with the RedLock reportVulnerability-related.DiscoverVulnerability, developers were blamedVulnerability-related.DiscoverVulnerabilityfor the HospitalGown vulnerabilities. `` HospitalGown is a vulnerability to data exposure caused , not by any code in the app , but by the app developers ' failure to properly secure the back-end ( hence its name ) servers with which the app communicates and where sensitive data is stored , '' Appthority said . Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacksAttack.Ransomearlier this year that generated widespread publicity in the security field . However , that publicity apparently was n't enough to significantly alleviate the issue . `` As our findings show , weakly secured back-ends in apps used by employees , partners and customers create a range of security risks including extensive data leaksAttack.Databreachof personally identifiable information ( PII ) and other sensitive data , '' the report states . `` They also significantly increase the risk of spear phishingAttack.Phishing, brute force login , social engineering , data ransomAttack.Ransom, and other attacks . And , HospitalGown makes data accessAttack.Databreachand exfiltrationAttack.Databreachfar easier than other types of attacks . '' Key findings of the report as listed by the company include : Affected apps are connecting to unsecured data stores on popular enterprise services , such as Elasticsearch and MySQL , which are leakingAttack.Databreachlarge amounts of sensitive data . Apps using just one of these services revealed almost 43TB of exposed data . Multiple affected apps leakedAttack.Databreachsome form of PII , including passwords , location , travel and payment details , corporate profile data ( including employees ' VPN PINs , emails , phone numbers ) , and retail customer data . Enterprise security teams do not have visibility into the risk due to the risk 's location in the mobile app vendor 's architecture stack . In multiple cases , data has already been accessedAttack.Databreachby unauthorized individuals and ransomedAttack.Ransom. Even apps that have been removed from devices and the app stores still pose an exposureAttack.Databreachrisk due to the sensitive data that remains stored on unsecured servers . The company saidVulnerability-related.DiscoverVulnerabilityits Mobile Threat Team identifiedVulnerability-related.DiscoverVulnerabilitythe HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method , looking at the network traffic on more than 1 million enterprise mobile apps , both iOS and Android . As with the misconfiguration problems identifiedVulnerability-related.DiscoverVulnerabilityin the RedLock reportVulnerability-related.DiscoverVulnerability, Appthority emphasizedVulnerability-related.DiscoverVulnerabilitythat all cases of HospitalGown vulnerabilities were caused by human errors , not malicious intent or inherent infrastructure problems . That human error was especially prevalent in two app implementations investigated by Appthority : Pulse Workspace ( for accessing enterprise network and Web applications ) and Jacto apps ( from an agricultural machinery company ) .
PhishingAttack.Phishingand other hacking incidents have led to several recently reported large health data breachesAttack.Databreach, including one that UConn Health reports affected 326,000 individuals . In describing a phishing attackAttack.Phishing, UConn Health says that on Dec 24 , 2018 , it determined that an unauthorized third party illegally accessedAttack.Databreacha limited number of employee email accounts containing patient information , including some individuals ' names , dates of birth , addresses and limited medical information , such as billing and appointment information . The accounts also contained the Social Security numbers of some individuals . Several other healthcare entities also have recently reported to federal regulators data breachesAttack.Databreachinvolving apparent phishingAttack.Phishingand other email-related attacks . `` All of these incidents speak to the rampant attacks we are seeing across healthcare , and yet organizations are still not investing enough in protection or detection , '' says Mac McMillan , CEO of security consulting firm CynergisTek . UConn Health , an academic medical center , says in a media statement that it identified approximately 326,000 potentially impacted individuals whose personal information was contained in the compromisedAttack.Databreachemail accounts . For approximately 1,500 of these individuals , this information included Social Security numbers . `` It is important to note that , at this point , UConn Health does not know for certain if any personal information was ever viewed or acquiredAttack.Databreachby the unauthorized party , and is not aware of any instances of fraud or identity theft as a result of this incident , '' the statement notes . `` The incident had no impact on UConn Health 's computer networks or electronic medical record systems . '' UConn Health is offering prepaid identity theft protection services to individuals whose Social Security numbers may be impacted . The organization says it has notified law enforcement officials and retained a forensics firm to investigate the matter . Once the U.S.Department of Health and Human Services confirms the details , the attackAttack.Databreachon UConn Health could rank as the second largest health data breachAttack.Databreachreported so far this year , based on a snapshot of its HIPAA Breach Reporting Tool website on Monday . The largest health data breachAttack.Databreachrevealed so far this year , but not yet added to the tally , affected University of Washington Medicine . UW Medicine says a misconfigured database left patient data exposedAttack.Databreachon the internet for several weeks last December , resulting in a breachAttack.Databreachaffecting 974,000 individuals . Several other phishingAttack.Phishingand hacking incidents have been added to the HHS `` wall of shame '' tally in recent weeks . Among those is a hacking incident impacting 40,000 individuals reported on Feb 1 by Minnesota-based Reproductive Medicine and Infertility Associates . In a statement , the organization notes that on Dec 5 , 2018 , it discovered it had been the target of a `` criminal malware attack . '' An RMIA practice manager tells Information Security Media Group that independent computer forensics experts removed the malware , but did not definitively determine how the malware infection was launched . The practice suspects the malware was likely embedded in an email attachment , he says . RMIA 's statement notes that while the investigation did not identify any evidence of unauthorized accessAttack.Databreachto anyone 's personal information , `` we unfortunately could not completely rule out the possibility that patients ' personal information , including name , address , date of birth , health insurance information , limited treatment information and , for donors only , Social Security number , may have been accessibleAttack.Databreach. '' In the aftermath of the incident , RMIA says it 's adding another firewall , requiring changes to user credentials/passwords , implementing dual-factor authentication and providing additional staff training regarding information security . '' Also reporting a hacking incident in recent weeks was Charleston , S.C.-based Roper St.Francis Healthcare , which operates several hospitals in the region . The attack was reported as impacting nearly 35,300 individuals . In a Jan 29 statement , the entity says that on Nov 30 , 2018 , it learned that an unauthorized actor may have gained accessAttack.Databreachto some of its employees ' email accounts between Nov 15 and Dec 1 , 2018 , `` Our investigation determined that some patient information may have been contained in the email accounts , patients ' names , medical record numbers , information about services they received from Roper St.Francis , health insurance information , and , in some cases , Social Security numbers and financial information , '' the statement says . For those patients whose Social Security number was potentially exposedAttack.Databreach, the organization is offering prepaid credit monitoring and identity protection services . `` To help prevent something like this from happening again , we are continuing education with our staff on email protection and enhancing our email security , '' Roper St. Francis says . As phishingAttack.Phishingcontinues to menace healthcare entities , covered entities and business associates need to keep up with their defenses , some experts note . `` Phishing techniques have become more sophisticated than in the past , '' note Kate Borten , president of security and privacy consulting firm The Marblehead Group . `` Workforce training should include simulated phishing attacksAttack.Phishingto make people better prepared to recognize and thwart a real attack . '' To help mitigate breach risks , organizations should be deploying next-generation firewalls and multifactor authentication , plus employing advanced malware detection solutions , McMillan says . Too many organizations are overlooking the value of multifactor authentication , Borten adds . `` Two-factor user authentication was intended to be required over the internet and public networks in the proposed HIPAA Security Rule , '' she notes . `` Unfortunately , since that requirement was dropped in the final rule , healthcare is lagging on multifactor authentication , which is easier now than ever to implement . '' But McMillan advises healthcare organizations to avoid using multifactor authentication systems that use SMS to transmit a one-time password because those messages can be interceptedAttack.Databreach. `` The software- or hardware-based solutions are preferred , '' McMillan says . So what other technologies or best practices should covered entities and business associates consider to prevent falling victim to phishingAttack.Phishingand other attacks ? `` Unfortunately we have n't seen any silver bullets here yet , but one thing we might want to begin exploring is just what an attacker has accessAttack.Databreachto when they compromiseAttack.Databreacha user 's account , '' McMillan notes . `` All too often , we hear that the accounts compromisedAttack.Databreachhad incredibly large numbers of emails immediately accessibleAttack.Databreachto the attacker . The question is , are their better ways to deal with retention that mitigate risk as well ? ''
PhishingAttack.Phishingand other hacking incidents have led to several recently reported large health data breachesAttack.Databreach, including one that UConn Health reports affected 326,000 individuals . In describing a phishing attackAttack.Phishing, UConn Health says that on Dec 24 , 2018 , it determined that an unauthorized third party illegally accessedAttack.Databreacha limited number of employee email accounts containing patient information , including some individuals ' names , dates of birth , addresses and limited medical information , such as billing and appointment information . The accounts also contained the Social Security numbers of some individuals . Several other healthcare entities also have recently reported to federal regulators data breachesAttack.Databreachinvolving apparent phishingAttack.Phishingand other email-related attacks . `` All of these incidents speak to the rampant attacks we are seeing across healthcare , and yet organizations are still not investing enough in protection or detection , '' says Mac McMillan , CEO of security consulting firm CynergisTek . UConn Health , an academic medical center , says in a media statement that it identified approximately 326,000 potentially impacted individuals whose personal information was contained in the compromisedAttack.Databreachemail accounts . For approximately 1,500 of these individuals , this information included Social Security numbers . `` It is important to note that , at this point , UConn Health does not know for certain if any personal information was ever viewed or acquiredAttack.Databreachby the unauthorized party , and is not aware of any instances of fraud or identity theft as a result of this incident , '' the statement notes . `` The incident had no impact on UConn Health 's computer networks or electronic medical record systems . '' UConn Health is offering prepaid identity theft protection services to individuals whose Social Security numbers may be impacted . The organization says it has notified law enforcement officials and retained a forensics firm to investigate the matter . Once the U.S.Department of Health and Human Services confirms the details , the attackAttack.Databreachon UConn Health could rank as the second largest health data breachAttack.Databreachreported so far this year , based on a snapshot of its HIPAA Breach Reporting Tool website on Monday . The largest health data breachAttack.Databreachrevealed so far this year , but not yet added to the tally , affected University of Washington Medicine . UW Medicine says a misconfigured database left patient data exposedAttack.Databreachon the internet for several weeks last December , resulting in a breachAttack.Databreachaffecting 974,000 individuals . Several other phishingAttack.Phishingand hacking incidents have been added to the HHS `` wall of shame '' tally in recent weeks . Among those is a hacking incident impacting 40,000 individuals reported on Feb 1 by Minnesota-based Reproductive Medicine and Infertility Associates . In a statement , the organization notes that on Dec 5 , 2018 , it discovered it had been the target of a `` criminal malware attack . '' An RMIA practice manager tells Information Security Media Group that independent computer forensics experts removed the malware , but did not definitively determine how the malware infection was launched . The practice suspects the malware was likely embedded in an email attachment , he says . RMIA 's statement notes that while the investigation did not identify any evidence of unauthorized accessAttack.Databreachto anyone 's personal information , `` we unfortunately could not completely rule out the possibility that patients ' personal information , including name , address , date of birth , health insurance information , limited treatment information and , for donors only , Social Security number , may have been accessibleAttack.Databreach. '' In the aftermath of the incident , RMIA says it 's adding another firewall , requiring changes to user credentials/passwords , implementing dual-factor authentication and providing additional staff training regarding information security . '' Also reporting a hacking incident in recent weeks was Charleston , S.C.-based Roper St.Francis Healthcare , which operates several hospitals in the region . The attack was reported as impacting nearly 35,300 individuals . In a Jan 29 statement , the entity says that on Nov 30 , 2018 , it learned that an unauthorized actor may have gained accessAttack.Databreachto some of its employees ' email accounts between Nov 15 and Dec 1 , 2018 , `` Our investigation determined that some patient information may have been contained in the email accounts , patients ' names , medical record numbers , information about services they received from Roper St.Francis , health insurance information , and , in some cases , Social Security numbers and financial information , '' the statement says . For those patients whose Social Security number was potentially exposedAttack.Databreach, the organization is offering prepaid credit monitoring and identity protection services . `` To help prevent something like this from happening again , we are continuing education with our staff on email protection and enhancing our email security , '' Roper St. Francis says . As phishingAttack.Phishingcontinues to menace healthcare entities , covered entities and business associates need to keep up with their defenses , some experts note . `` Phishing techniques have become more sophisticated than in the past , '' note Kate Borten , president of security and privacy consulting firm The Marblehead Group . `` Workforce training should include simulated phishing attacksAttack.Phishingto make people better prepared to recognize and thwart a real attack . '' To help mitigate breach risks , organizations should be deploying next-generation firewalls and multifactor authentication , plus employing advanced malware detection solutions , McMillan says . Too many organizations are overlooking the value of multifactor authentication , Borten adds . `` Two-factor user authentication was intended to be required over the internet and public networks in the proposed HIPAA Security Rule , '' she notes . `` Unfortunately , since that requirement was dropped in the final rule , healthcare is lagging on multifactor authentication , which is easier now than ever to implement . '' But McMillan advises healthcare organizations to avoid using multifactor authentication systems that use SMS to transmit a one-time password because those messages can be interceptedAttack.Databreach. `` The software- or hardware-based solutions are preferred , '' McMillan says . So what other technologies or best practices should covered entities and business associates consider to prevent falling victim to phishingAttack.Phishingand other attacks ? `` Unfortunately we have n't seen any silver bullets here yet , but one thing we might want to begin exploring is just what an attacker has accessAttack.Databreachto when they compromiseAttack.Databreacha user 's account , '' McMillan notes . `` All too often , we hear that the accounts compromisedAttack.Databreachhad incredibly large numbers of emails immediately accessibleAttack.Databreachto the attacker . The question is , are their better ways to deal with retention that mitigate risk as well ? ''
A maker of Internet-connected stuffed animal toys has exposedAttack.Databreachmore than 2 million voice recordings of children and parents , as well as e-mail addresses and password data for more than 800,000 accounts . He said searches using the Shodan computer search engine and other evidence indicated that , since December 25 and January 8 , the customer data was accessedAttack.Databreachmultiple times by multiple parties , including criminals who ultimately held the data for ransomAttack.Ransom. The recordings were available on an Amazon-hosted service that required no authorization to access . The data was exposedAttack.Databreachby Spiral Toys , maker of the CloudPets line of stuffed animals . The toys record and play voice messages that can be sent over the Internet by parents and children . The MongoDB database of 821,296 account records was stored by a Romanian company called mReady , which Spiral Toys appears to have contracted with . Hunt said that , on at least four occasions , people attempted to notify the toy maker of the breachAttack.Databreach. In any event , evidence left behind by the ransom demanders made it almost certain company officials knew of the intrusionsAttack.Ransom. Hunt wrote : It 's impossible to believe that CloudPets ( or mReady ) did not know that firstly , the databases had been left publicly exposedAttack.Databreachand secondly , that malicious parties had accessedAttack.Databreachthem . Obviously , they 've changed the security profile of the system , and you simply could not have overlooked the fact that a ransom had been leftAttack.Ransom. So both the exposed databaseAttack.Databreachand intrusionAttack.Ransomby those demanding the ransomAttack.Ransommust have been identified yet this story never made the headlines . Further ReadingInternet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bugThe breach is the latest to stoke concerns about the privacy and security of Internet-connected toys . In November 2015 , tech news site Motherboard disclosed the hackAttack.Databreachof toy maker VTech in a breachAttack.Databreachthat exposedAttack.Databreachthe names , e-mail addresses , passwords , and home addresses of almost 5 million adults , as well as the first names , genders and birthdays of more than 200,000 kids . A month later , a researcher foundVulnerability-related.DiscoverVulnerabilitythat an Internet-connected Barbie doll made by Mattel contained vulnerabilities that might allow hackers to intercept real-time conversations . In addition to storing the customer databases in a publicly accessible location , Spiral Toys also used an Amazon-hosted service with no authorization required to store the recordings , customer profile pictures , children 's names , and their relationships to parents , relatives , and friends . In Monday 's post , Hunt acknowledged the help of Motherboard reporter Lorenzo Franceschi-Bicchierai , who published this report . Oddly enough , for a product with such lax security , the service used the ultra-secure bcrypt hashing function to protect passwords . Unfortunately , CloudPets had one of the most permissive password policies ever . It allowed , for instance , a passcode of the single character `` a '' or the short keyboard sequence `` qwe . '' `` What this meant is that when I passed the bcrypt hashes into [ password cracking app ] hashcat and checked them against some of the world 's most common passwords ( 'qwerty , ' 'password , ' '123456 , ' etc . ) along with the passwords 'qwe ' and 'cloudlets , ' I cracked a large number in a very short time , '' Hunt wrote . Further ReadingHow to search the Internet of Things for photos of sleeping babiesThe lesson that emerged long ago is that the security of so-called Internet of things products is so poor that it often outweighs any benefit afforded by an Internet-connected appliance . As the CloudPets debacle underscores , the creep factor involved in Internet-connected toys makes the proposition even worse
A maker of Internet-connected stuffed animal toys has exposedAttack.Databreachmore than 2 million voice recordings of children and parents , as well as e-mail addresses and password data for more than 800,000 accounts . He said searches using the Shodan computer search engine and other evidence indicated that , since December 25 and January 8 , the customer data was accessedAttack.Databreachmultiple times by multiple parties , including criminals who ultimately held the data for ransomAttack.Ransom. The recordings were available on an Amazon-hosted service that required no authorization to access . The data was exposedAttack.Databreachby Spiral Toys , maker of the CloudPets line of stuffed animals . The toys record and play voice messages that can be sent over the Internet by parents and children . The MongoDB database of 821,296 account records was stored by a Romanian company called mReady , which Spiral Toys appears to have contracted with . Hunt said that , on at least four occasions , people attempted to notify the toy maker of the breachAttack.Databreach. In any event , evidence left behind by the ransom demanders made it almost certain company officials knew of the intrusionsAttack.Ransom. Hunt wrote : It 's impossible to believe that CloudPets ( or mReady ) did not know that firstly , the databases had been left publicly exposedAttack.Databreachand secondly , that malicious parties had accessedAttack.Databreachthem . Obviously , they 've changed the security profile of the system , and you simply could not have overlooked the fact that a ransom had been leftAttack.Ransom. So both the exposed databaseAttack.Databreachand intrusionAttack.Ransomby those demanding the ransomAttack.Ransommust have been identified yet this story never made the headlines . Further ReadingInternet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bugThe breach is the latest to stoke concerns about the privacy and security of Internet-connected toys . In November 2015 , tech news site Motherboard disclosed the hackAttack.Databreachof toy maker VTech in a breachAttack.Databreachthat exposedAttack.Databreachthe names , e-mail addresses , passwords , and home addresses of almost 5 million adults , as well as the first names , genders and birthdays of more than 200,000 kids . A month later , a researcher foundVulnerability-related.DiscoverVulnerabilitythat an Internet-connected Barbie doll made by Mattel contained vulnerabilities that might allow hackers to intercept real-time conversations . In addition to storing the customer databases in a publicly accessible location , Spiral Toys also used an Amazon-hosted service with no authorization required to store the recordings , customer profile pictures , children 's names , and their relationships to parents , relatives , and friends . In Monday 's post , Hunt acknowledged the help of Motherboard reporter Lorenzo Franceschi-Bicchierai , who published this report . Oddly enough , for a product with such lax security , the service used the ultra-secure bcrypt hashing function to protect passwords . Unfortunately , CloudPets had one of the most permissive password policies ever . It allowed , for instance , a passcode of the single character `` a '' or the short keyboard sequence `` qwe . '' `` What this meant is that when I passed the bcrypt hashes into [ password cracking app ] hashcat and checked them against some of the world 's most common passwords ( 'qwerty , ' 'password , ' '123456 , ' etc . ) along with the passwords 'qwe ' and 'cloudlets , ' I cracked a large number in a very short time , '' Hunt wrote . Further ReadingHow to search the Internet of Things for photos of sleeping babiesThe lesson that emerged long ago is that the security of so-called Internet of things products is so poor that it often outweighs any benefit afforded by an Internet-connected appliance . As the CloudPets debacle underscores , the creep factor involved in Internet-connected toys makes the proposition even worse
The toys -- which can receive and send voice messages from children and parents -- have been involved in a data breachAttack.Databreachdealing with more than 800,000 user accounts . The breachAttack.Databreach, which grabbed headlines on Monday , is drawing concerns from security researchers because it may have given hackers accessAttack.Databreachto voice recordings from the toy 's customers . But the company behind the products , Spiral Toys , is denying that any customers were hackedAttack.Databreach. Absolutely not , '' said Mark Meyers , CEO of the company . Security researcher Troy Hunt , who tracks data breachesAttack.Databreach, brought the incidentAttack.Databreachto light on Monday . Hackers appear to have accessedAttack.Databreachan exposed CloudPets ' database , which contained email addresses and hashed passwords , and they even sought to ransomAttack.Ransomthe information back in January , he said in a blog post . The incidentAttack.Databreachunderscores the danger with connected devices , including toys , and how data passing through them can be exposedAttack.Databreach, he added . In the case of CloudPets , the brand allegedly made the mistake of storing the customer information in a publicly exposedAttack.Databreachonline MongoDB database that required no authentication to access . That allowed anyone , including hackers , to view and stealAttack.Databreachthe data . On the plus side , the passwords exposedAttack.Databreachin the breachAttack.Databreachare hashed with the bcrypt algorithm , making them difficult to crack . Unfortunately , CloudPets placed no requirement on password strength , meaning that even a single character such as letter `` a '' was acceptable , according to Hunt , who was given a copy of the stolen data last week . As a result , Hunt was able to decipher a large number of the passwords , by simply checking them against common terms such as qwerty , 123456 , and cloudpets . `` Anyone with the data could crack a large number of passwords , log on to accounts and pull down the voice recordings , '' Hunt said in his blog post . Security researcher Victor Gevers from the GDI Foundation said he also discovered the exposed database from CloudPets and tried to contact the toy maker in late December . However , both Gevers and Hunt said the company never responded to their repeated warnings . On Monday , California-based Spiral Toys , which operates the CloudPets brand , claimed the company never received the warnings . `` The headlines that say 2 million messages were leakedAttack.Databreachon the internet are completely false , '' Meyers said . His company only became aware of the issue after a reporter from Vice Media contacted them last week . `` We looked at it and thought it was a very minimal issue , '' he said . A malicious actor would only be able to accessAttack.Databreacha customer 's voice recording if they managed to guess the password , he said . `` We have to find a balance , '' Meyers said , when he addressed the toy maker 's lack of password strength requirements . He also said that Spiral Toys had outsourced its server management to a third-party vendor . In January , the company implemented changes MongoDB requested to increase the server 's security . Spiral Toys hasn ’ t been the only company targeted . In recent months , several hacking groups have been attackingAttack.Databreachthousands of publicly exposed MongoDB databases . They ’ ve done so by erasing the data , and then saying they can restore it , but only if victims pay a ransom feeAttack.Ransom. In the CloudPets incident , different hackers appear to have deleted the original databases , but leftAttack.Ransomransom notes on the exposed systems , Hunt said . Although the CloudPets ’ databases are no longer publicly accessible , it appears that the toy maker hasn ’ t notified customers about the breachAttack.Databreach, Hunt said . The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys . But Meyers said the company found no evidence that any hackers broke into customer accounts . To protect its users , the company is planning on a password reset for all users . `` Maybe our solution is to put more complex passwords , '' he said .
That ’ s a key question swirling around Spiral Toys , a company behind a line of smart stuffed animals that security researchers worry can be easily hacked . On Tuesday , Spiral Toys said the breachAttack.Databreach, which affects 800,000 user accounts , only came to its attention last week on Feb 22 . One researcher named Victor Gevers began contacting the toymaker about the problem in late December , when he noticed that a company MongoDB database storing customer information was publicly exposedAttack.Databreach. Gevers has even documented his efforts to contact Spiral Toys , which involved email , sending a message to its CEO over a LinkedIn invite , and working with a journalist from Vice Media to try and warn the company about the breach . Despite those attempts , he never received a response . The breach only managed to grab headlines on Monday when another security researcher named Troy Hunt blogged about it . The toys in question , which are sold under the CloudPets brand , can allow parents and their children to send voice messages through the stuffed animals over the internet . However , Hunt found evidence that hackers lootedAttack.Databreachthe exposed MongoDB database that stored the toys ' customer login information . “ Anyone with the data could crackAttack.Databreacha large number of passwords , log on to accounts and pull downAttack.Databreachthe voice recordings , ” he said . Its CEO Mark Meyers said on Tuesday that the company has checked its email inboxes , but didn ’ t find any messages from security researchers warning about the breach . It appears that several hackers have lootedAttack.Databreachthe exposed database from Spiral Toys , according to Hunt . Although the passwords exposedAttack.Databreachin the breachAttack.Databreachare hashed , cracking them can be easy , because many of them were created with guessable terms such as 123456 , qwerty and cloudpets , he said .
That ’ s a key question swirling around Spiral Toys , a company behind a line of smart stuffed animals that security researchers worry can be easily hacked . On Tuesday , Spiral Toys said the breachAttack.Databreach, which affects 800,000 user accounts , only came to its attention last week on Feb 22 . One researcher named Victor Gevers began contacting the toymaker about the problem in late December , when he noticed that a company MongoDB database storing customer information was publicly exposedAttack.Databreach. Gevers has even documented his efforts to contact Spiral Toys , which involved email , sending a message to its CEO over a LinkedIn invite , and working with a journalist from Vice Media to try and warn the company about the breach . Despite those attempts , he never received a response . The breach only managed to grab headlines on Monday when another security researcher named Troy Hunt blogged about it . The toys in question , which are sold under the CloudPets brand , can allow parents and their children to send voice messages through the stuffed animals over the internet . However , Hunt found evidence that hackers lootedAttack.Databreachthe exposed MongoDB database that stored the toys ' customer login information . “ Anyone with the data could crackAttack.Databreacha large number of passwords , log on to accounts and pull downAttack.Databreachthe voice recordings , ” he said . Its CEO Mark Meyers said on Tuesday that the company has checked its email inboxes , but didn ’ t find any messages from security researchers warning about the breach . It appears that several hackers have lootedAttack.Databreachthe exposed database from Spiral Toys , according to Hunt . Although the passwords exposedAttack.Databreachin the breachAttack.Databreachare hashed , cracking them can be easy , because many of them were created with guessable terms such as 123456 , qwerty and cloudpets , he said .
Spiral Toys , the parent company behind CloudPets , yesterday sent the California Attorney General a breach notification that on many fronts contradicts what experts have said about a database breachAttack.Databreachthat exposedAttack.Databreachuser data and private voice messages , many of which were made by children . The notification says that the company was not aware of a breach until Feb 22 when it received an inquiry from a Motherboard reporter who was informed by researchers Troy Hunt and Victor Gevers of a serious issue involving the toymaker ’ s customer data . This runs contrary to timelines provided by Hunt and Gevers showing both reached out to a number of Spiral Toys contacts , including its ZenDesk ticketing system , around Dec 30 . The data was copied and deleted from an exposed MongoDB instance found online . It ’ s unknown how many times the database was accessedAttack.Databreachbefore its contents were deleted and a ransom note left behindAttack.Ransom, symptomatic of other attacks against poorly protected MongoDB databases . The recordings were not stored in the database , but the database did contain references to file paths to the messages , which were stored on an Amazon Web Services AWS S3 storage bucket . The database , Spiral Toys said in its notification , did include emails and encrypted passwords , which Hunt counters were not encrypted , but were hashed with bcrypt . Combined with a nonexistent password strength rule on Spiral Toys ’ part , the hashed passwords could easily be cracked , Hunt said . The company meanwhile said it would notify 500,000 affected users , force a password reset , and implement new password strength requirements . Hunt and Gevers said there were actually more than 800,000 registered users exposed in the breachAttack.Databreach. “ The breach has been addressed and from our best knowledge no images or messages were leakedAttack.Databreachonto the internet , ” Spiral Toys said . “ A hacker could getAttack.Databreachto that data if they started ‘ guessing ’ simple passwords ” . Which is exactly what a hacker would do , Hunt said . “ This is what hash cracking is and it ’ s a highly automated process that ’ s particularly effective against databases that had no password rules , ” Hunt said . Hunt points out that simple passwords such as qwe—a sample password shown during a CloudPets setup video—combined with the stolen email addresses pose a serious privacy risk . CloudPets are teddy bears that can send and receive messages using Bluetooth Low Energy connectivity to a mobile app , which sends the messages . The most typical use case is where a child can remotely send a message to a parent or authorized adult through the bear . “ If this product was secure , it would have been a nice contribution to the IOT/gadget/toy market , ” Gevers said . The best thing is that they learn from this and start making a new secure product line ” .
The most recent breachAttack.Databreachof smart teddy bears -- which can receive and send voice messages from children and parents -- have been involved in a data breachAttack.Databreachdealing with more than 800,000 user accounts . The company behind the products , Spiral Toys , is denying that any customers were hacked . Zach Lanier , director of research at Cylance , went through the more famous incidents involving toys and breaches and offers a tip with each case . This may have given attackers accessAttack.Databreachto voice recordings from the toy 's customers , by allegedly making the mistake of storing the customer information in a publicly exposedAttack.Databreachonline MongoDB database that required no authentication process . Thus anyone , including the attackers , was able to view and stealAttack.Databreachthe data . CloudPets placed no requirement on password strength , making it much easier to decipher passwords . Tip : Always create a secure password , no matter the strength requirement . Include lowercase and uppercase letter , symbols and numbers . Use a password manager to help create and store unique passwords for sites and services . A line of stuffed animals , these connected toys combine with a mobile application that was vulnerableVulnerability-related.DiscoverVulnerabilitydue to a number of weak APIs , which didn ’ t verify who sent messages . This meant that an attacker could guess usernames , or email addresses , and ask Fisher-Price for server return details about associated accounts and children ’ s profiles , which provides their name , birthdate , gender , language and toys they have played with . Tip : If the IoT device connects to a mobile app or desktop computer , it is important to examine how it connects . If the start of the URL address is http rather than https , which is the secure version of HTTP , then your device is making a less secure connection . The doll has a microphone and accesses the internet to answer your child 's questions . Moreover , criminals could have the ability collectAttack.Databreachyour personal information . Tip : If the toy does require Wi-Fi , make sure it supports modern , more secure Wi-Fi capabilities like WAP2 . Their speech-recognition software maker Nuance Communications violated federal rules by listening to children and saving the recordings . It ’ s valuable to know how they are using your data . Don ’ t provide personal information that seems extra or unnecessary . VTech had its app store database , Learning Lodge , hacked . As a result of the breachAttack.Databreach, over 11.6 million accounts were compromisedAttack.Databreachin a cyberattackAttack.Databreach, exposingAttack.Databreachphotos of children and parents as well as chat logs . The profile data leaked included their names , genders and birth dates . Tip : Check to see if the manufacturer has had any cybersecurity issues in the past , and if so , how they responded . Alternatively , if the company is relatively new , your device is definitely at greater risk . The interactive toy has the ability to communicate and record conversations . Those conversations are sent to the company ’ s servers , analyzed and then stored in the cloud . The toy was criticized for spying on kids by recording their conversations . Through Wi-Fi , attackers can hijack the connection to spy on your children , stealAttack.Databreachpersonal information , and turn the microphone of the doll into a surveillance device . Tip : Since the device is Wi-Fi enabled , confirm if the device supports modern security protocols . If the device only uses WEP or WPA ( but not WPA2 ) security standards , it may be too risky to use . Those versions are older and over time have become almost entirely insecure from attack
A security lapse at content distribution network provider Cloudflare that resulted in customer data being leakedAttack.Databreachpublicly for several months was bad - but had the potential to be much worse . That 's Cloudflare 's initial postmortem conclusion after a twelve-day review of log data related to the breachAttack.Databreach. The review showed no evidence that attackers had exploitedVulnerability-related.DiscoverVulnerabilitythe flaw prior to it being discoveredVulnerability-related.DiscoverVulnerabilityand patchedVulnerability-related.PatchVulnerability, Cloudflare CEO and founder Matthew Prince said in a blog Wednesday . A `` vast majority '' of Cloudflare 's customers also did not appear to have had any of their data leakedAttack.Databreach. Cloudflare ’ s inspection of tens of thousands of pages that were leakedAttack.Databreachfrom its reverse-proxy servers and cached by search engines revealed a `` large number '' of instances of internal Cloudflare cookies and headers . But so far , according to Prince , there ’ s no evidence that passwords , credit card numbers , and other personal data were compromised as was initially feared . The Cloudflare security snafu stemmed from the manner in which a stream parser application that the company uses to modify content passing through its edge servers handled HTTP requests . The bug caused the parser to read memory not only from the HTML page that was being actually parsed , but also from adjacent memory that contained data in response to HTTP requests made by other customers . The flaw was triggered only when pages with certain specific attributes were requested through Cloudflare ’ s CDN . `` If you had accessed one of the pages that triggered the bug you would have seen what likely looked like random text at the end of the page , '' Prince said . A lot of the leaked data ended up getting cached by search engines and Web scrapers . A security researcher from Google ’ s Project Zero threat hunting team alertedVulnerability-related.DiscoverVulnerabilityCloudfare to the bug last month . The company claimed it fixedVulnerability-related.PatchVulnerabilitythe problem in a matter of hours after being notifiedVulnerability-related.DiscoverVulnerabilityof the problem . Some have compared the breach to Heartbleed and have even called it Cloudbleed . In his blog , Prince compared the threat posed by the bug to that posed by a stranger eavesdropping on a random conversation between two employees . Most of the time , the stranger would likely hear nothing of value , but occasionally might pick upAttack.Databreachsomething confidential . The same would have been true for a malicious attacker , who had somehow known aboutVulnerability-related.DiscoverVulnerabilitythe bug and exploitedVulnerability-related.DiscoverVulnerabilityit before Cloudflare ’ s fixVulnerability-related.PatchVulnerability, he said . The customers most at risk of having their data exposedAttack.Databreachwere those that sent the most requests through Cloudflare ’ s CDN . Cloudflare ’ s detailed postmortem and mea culpa evoked a mixed response from security experts . Ilia Kolochenko , CEO of Web security firm High-Tech Bridge praised Prince ’ s effort to be transparent about what went down . `` Even if we can not verify the accuracy of all the numbers inside – for the moment , I don ’ t have a valid reason to question either its content , or conclusion , '' Kolochenko says . In fact , until someone can come up with a credible rebuttal of Cloudflare ’ s internal investigation , it ’ s inappropriate to compare what happened at the company to Heartbleed . `` I ’ d say it ’ s inappropriate even to call this particular incident a 'Cloudbleed , ' '' he says . `` In the Heartbleed case , almost every company in the world , many software vendors including cybersecurity companies , were seriously impacted by the vulnerability . '' Heartbleed also resulted in multiple breachesAttack.Databreachand many organizations continue to be exposedAttack.Databreachto the threat . Neither of those situations applies to the Cloudflare security lapse . `` All avenues of Cloudflare ’ s vulnerability exploitation seems to be mitigatedVulnerability-related.PatchVulnerabilityby now , '' he says . But Kunal Anand , CTO of application security vendor Prevoty , says the details Cloudflare has shared are n't exactly reassuring . If no sensitive information like credit numbers and Social Security Numbers were leakedAttack.Databreachand the leaked dataset itself was relatively small , there is no reason why Cloudflare should n't share it with a third-party for an unbiased review , he says . `` CloudFlare needs to realize that HTTP headers , including cookies , contain sensitive information like session identifiers , authorization tokens and IP addresses , '' Anand says . `` All of these data points should count as private data . '' CloudFlare has been working with various search engines to purge their caches , but in the process , any evidence of the data that was leakedAttack.Databreachis being deleted as well . That makes it hard to quantify the scope of the data breachAttack.Databreachoutside of CloudFlare 's own logs . `` There 's a lot of speculation if nation-state sponsored engines will actually purge the data or copy it for further analysis , '' Anand says .
WikiLeaks is postingAttack.Databreachthousands of files Tuesday the organization says detail the CIA ’ s efforts to surveil overseas targets by tapping otherwise ordinary devices that are connected to the Internet . The anti-secrecy group launched a “ new series of leaks , ” this time taking aim at the CIA ’ s Center for Cyber Intelligence , which falls under the agency ’ s Digital Innovation Directorate . The group maintains the CIA ’ s center lost control of its hacking arsenal , including malware , viruses , trojans , weaponized `` zero day '' exploits , malware remote control systems and associated documentation , and is posting what it calls the `` largest-ever publication of confidential documents on the agency . '' The dumpAttack.Databreachcomprises 8,761 documents and files from a network of the Center for Cyber Intelligence . A CIA spokeswoman declined to comment specifically . “ We do not comment on the authenticity or content of purported intelligence documents , ” says Heather Fritz Horniak . The authenticity of the posted documents in links from the WikiLeaks site could not be independently verified . Last year , WikiLeaks disseminatedAttack.Databreachinternal email communications following a hackAttack.Databreach—purportedly aided by the Russian government—of the Democratic National Committee and the Hillary Clinton campaign . The group says the Center for Cyber Intelligence's archive was circulated in an '' unauthorized manner '' among former U.S. government hackers and contractors , one of whom providedAttack.DatabreachWikiLeaks with portions of the archive . “ This extraordinary collection , which amounts to more than several hundred million lines of code , gives its possessor the entire hacking capacity of the CIA , ” WikiLeaks states . “ Once a single cyber 'weapon ' is 'loose ' it can spread around the world in seconds , to be used by rival states , cyber mafia and teenage hackers alike ” . The violation highlights critical shortcomings in personnel practices , the realities of insider threats and the lack of adequate controls , even within the intelligence community . `` It ’ s too easy for data to be stolenAttack.Databreach, even—allegedly—within the CIA ’ s Center for Cyber Intelligence , '' says Brian Vecci , technical evangelist at Varonis , a software company focused on data protection against insider threats , data breachesAttack.Databreachand ransomware attacksAttack.Ransom'' The entire concept of a spook is to be covert and undetectable ; apparently that also applies to actions on their own network . The CIA is not immune to issues affecting many organizations : too much access with too little oversight and detective controls . '' A Forrester study noted that more 90 percent of data security professionals experience challenges with data security , and 59 percent of organizations do not restrict access to files on a need-to know-basis , Vecci points out . `` In performing forensics on the actual breachAttack.Databreach, the important examination is to determine how 8,761 files just walked out ofAttack.Databreachone of the most secretive and confidential organizations in the world , '' he continues . `` Files that were once useful in their operations are suddenly lethal to those same operations . We call this toxic data , anything that is useful and valuable to an organization but once stolenAttack.Databreachand made public turns toxic to its bottom line and reputation . All you have to do is look at Sony , Mossack Fonseca and the DNC to see the effects of this toxic data conversion . `` Organizations need to get a grip on where their information assets are , who is using them , and who is responsible for them , '' Vecci concludes . They need to put all that data lying around in the right place , restrict access to it and monitor and analyze who is using it . '' Tuesday ’ s document dumpAttack.Databreachmirrors the one WikiLeaks carried out when it exposedAttack.Databreachcyber toolkits used by the National Security Agency , and frankly , is not that surprising of revelation at all , offers Richard Forno , assistant director at the University of Maryland , Baltimore County Center for Cybersecurity and director of the Cybersecurity Graduate Program . “ The big takeawayAttack.Databreachis that it shows the CIA is just as capable of operating in the cyberspace as the NSA , ” Forno says . The CIA ’ s cyber focus reinforces the idea that security in this domain is just as important as others for national security and solidifies the U.S. government ’ s commitment in the area , Forno offers . WikiLeaks contends that the CIA and its contractors developed malware and hacking tools for targeted surveillance efforts , tapping otherwise ordinary devices such as cellphones , computers , televisions and automobiles to spy on targets . Some cases involved CIA collaboration with the United Kingdom ’ s intelligence MI5/BTSS , WikiLeaks states . It maintains the CIA ’ s Mobile Devices Branch developed malware to penetrate cellphone securities and could be tapped to send CIA users ’ geolocation information , audio and text files and covertly activate the phones ’ cameras and microphones . “ These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hackingAttack.Databreachthe ‘ smart ’ phones that they run on and collectingAttack.Databreachaudio and message traffic before encryption is applied , ” the group states .