on affecting “a small percentage of our Radisson Rewards members”. Business Traveller was alerted to the incident by one of our readers, who had received an email from Radisson confirming that his details had been compromised. Radisson says that it identified the breach on October 1, although it’s not clear exactly when the incident occurred. A statement on the group’s website states:

“This data security incident did not compromise any credit card or password information. Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flyer numbers on file.

“Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior.

“While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity. You should also be aware that third parties may claim to be Radisson Rewards and attempt to gather personal information by deception (known as “phishing”), including through the use of links to fake websites. Radisson Rewards will not ask for your password or user information to be provided in an e-mail.

“Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future.”

Radisson says that affected members will have received an email notification from Radisson Rewards either yesterday (October 30) or today (October 31).

In the FAQs Radisson stresses that credit card data was not exposed by the breach, nor were members’ passwords or travel histories / future stays. The hotel group is the latest in a line of travel companies to suffer data breaches, with British Airways and Cathay Pacific both admitting to compromised data in the last couple of months.
Family genealogy and DNA testing site MyHeritage announced on Monday a security breach during which an attacker made off with account details for over 92 million MyHeritage users. In a statement on its website, MyHeritage said it became aware of the incident on Monday, the same day as the announcement. The incident came to light after a security researcher found an archive on a third-party server containing the personal details of 92,283,889 MyHeritage users.

Only emails and hashed passwords were exposed

The archive contained only emails and hashed passwords, but not payment card details or DNA test results. MyHeritage says it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts. Based on the creation dates of some accounts, the breach appears to have taken place on October 26, 2017. It is unclear if the breach is the result of a hacker attack or of a malicious employee selling the company's data. MyHeritage says that user accounts are safe, as the passwords were hashed using a per-user unique cryptographic key. "MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer," the company said. "Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised." The company announced the breach on the same day it found out about it because of the EU's GDPR legislation, which forces companies operating in the EU to disclose any security incident within three days of finding out. MyHeritage says it has now reached out to a cyber-security firm to help it investigate the breach severity and what other systems the hacker might have accessed.

MyHeritage to roll out 2FA

The company also promised to roll out a two-factor authentication (2FA) feature for user accounts, so even if the hacker manages to recover passwords from the hashes, these would be useless without the second-step verification code. It goes without saying that MyHeritage users should change their passwords as soon as possible. The MyHeritage incident marks the biggest data breach of the year, and the biggest leak since last year's Equifax hack.
An unpatched vulnerability in the Magento e-commerce platform could allow hackers to upload and execute malicious code on web servers that host online shops. The flaw was discovered by researchers from security consultancy DefenseCode and is located in a feature that retrieves preview images for videos hosted on Vimeo. Such videos can be added to product listings in Magento. The DefenseCode researchers determined that if the image URL points to a different file, for example a PHP script, Magento will download the file in order to validate it. If the file is not an image, the platform will return a "Disallowed file type" error, but won't actually remove it from the server. An attacker with access to exploit this flaw could achieve remote code execution by first tricking Magento into downloading an .htaccess configuration file that enables PHP execution inside the download directory and then downloading the malicious PHP file itself. Once on the server, the PHP script can act as a backdoor and can be accessed from an external location by pointing the browser to it. For example, attackers could use it to browse the server directories and read the database password from Magento's configuration file. This can expose customer information stored in the database, which in the case of online shops can be very sensitive. The only limitation is that this vulnerability cannot be exploited directly because the video-linking functionality requires authentication. This means attackers need to have access to an account on the targeted website, but this can be a lower-privileged user and not necessarily an administrator. The authentication obstacle can also be easily overcome if the website doesn't have the "Add Secret Key to URLs" option turned on.

This option is intended to prevent cross-site request forgery (CSRF) attacks and is enabled by default. CSRF is an attack technique that involves forcing a user's browser to perform an unauthorized request on a website when visiting a different one. "The attack can be constructed as simple as <img src=… in an email or a public message board, which will automatically trigger the arbitrary file upload if a user is currently logged into Magento," the DefenseCode researchers said in an advisory. "An attacker can also entice the user to open a CSRF link using social engineering." This means that by simply clicking on a link in an email or by visiting a specifically crafted web page, users who have active Magento sessions in their browser might have their accounts abused to compromise websites. The DefenseCode researchers claim that they've reported these issues to the Magento developers back in November, but received no information regarding patching plans since then. Several versions of the Magento Community Edition (CE) have been released since November, the most recent one being 2.1.6 on Tuesday. According to DefenseCode, all Magento CE versions continue to be vulnerable, which is what prompted them to go public about the flaw. "We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild," Magento, the company that oversees development of the e-commerce platform, said in an emailed statement. "We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes."

"All users are strongly advised to enforce the use of 'Add Secret Key to URLs' which mitigates the CSRF attack vector," the DefenseCode researchers said. "To prevent remote code execution through arbitrary file upload the server should be configured to disallow .htaccess files in affected directories." Magento is used by over 250,000 online retailers, making it an attractive target for hackers. Last year, researchers found thousands of Magento-based online shops that had been compromised and infected with malicious code that skimmed payment card details.
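The two defects described above are a remote file that is written to disk before it is validated (and left there when validation fails) and a state-changing request that a forged cross-site request can trigger. The following is an added example, not Magento's code and written as generic Python rather than Magento's PHP, of the defensive shape for both: the fetched bytes are accepted only if they carry an image signature and a plain, non-dot file name, and are never written otherwise, so there is nothing to clean up; a per-session request token stands in for what the "Add Secret Key to URLs" option provides. A small detection helper lists anything in the preview directory that is not a plain image. The signature table, file names and sample payloads are constructed for the example.

```python
import hmac
import os
import secrets
import shutil
import tempfile
from typing import Dict, List, Optional

# Added example; not Magento's code. Validate before writing, never leave a
# rejected file behind, and require a session-bound token on the request.
IMAGE_SIGNATURES = {          # constructed table: magic bytes -> extension
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return an extension for a known image magic number, else None."""
    for sig, ext in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return ext
    return None


def store_preview(data: bytes, dest_dir: str, basename: str) -> Optional[str]:
    """Write data under dest_dir only if it is an image; return its path or None."""
    # Plain basename only, and never a dotfile: an .htaccess dropped into a
    # web-served directory changes how that directory is served.
    if basename != os.path.basename(basename) or basename.startswith("."):
        return None
    ext = detect_image_type(data)
    if ext is None:
        return None  # rejected before anything touches the disk
    path = os.path.join(dest_dir, f"{basename}.{ext}")
    fd, tmp = tempfile.mkstemp(dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)  # atomic rename, so a partial file never appears
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def leftover_non_images(dest_dir: str) -> List[str]:
    """Detection: entries in dest_dir whose name or content is not a plain image."""
    bad = []
    for name in os.listdir(dest_dir):
        path = os.path.join(dest_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)
        if name.startswith(".") or detect_image_type(head) is None:
            bad.append(name)
    return sorted(bad)


def issue_request_token() -> str:
    """Per-session secret to embed in state-changing URLs and forms."""
    return secrets.token_urlsafe(32)


def check_request_token(session_token: str, presented: Optional[str]) -> bool:
    """A request that does not carry the session's token is treated as forged."""
    if presented is None:
        return False
    return hmac.compare_digest(session_token, presented)


def run_demo() -> Dict[str, object]:
    """Exercise both checks in a scratch directory and return the outcomes."""
    dest = tempfile.mkdtemp()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed: PNG header only
    php = b"<?php echo 'not an image'; ?>"     # constructed non-image payload
    token = issue_request_token()
    try:
        return {
            "png_stored": store_preview(png, dest, "vid1") is not None,
            "php_rejected": store_preview(php, dest, "vid2") is None,
            "dotfile_rejected": store_preview(png, dest, ".htaccess") is None,
            "path_rejected": store_preview(png, dest, "../vid3") is None,
            "files_left": sorted(os.listdir(dest)),
            "leftover_non_images": leftover_non_images(dest),
            "token_accepted": check_request_token(token, token),
            "missing_token_rejected": not check_request_token(token, None),
            "forged_token_rejected": not check_request_token(token, "x" * 43),
        }
    finally:
        shutil.rmtree(dest)
```

Run `run_demo()` to see every case; the PHP payload and the dotfile are refused without ever being written, and `leftover_non_images` returns an empty list. The advisory's second recommendation, refusing .htaccess files in the affected directories, belongs in the web server configuration (in Apache, `AllowOverride None` for that directory tree) and complements, rather than replaces, the content check here.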
A cyber attack has compromised the personal data of up to 26,000 Debenhams customers. The breach, which is understood to have been malware-based, targeted the online portal for the retailer's florist arm, Debenhams Flowers. Debenhams has stressed that the site is operated by Ecomnova, a third-party supplier, and that customers of other services have not been affected. Ecomnova also operates Debenhams' websites for hampers, personalised gifts and wines. While all four sites have been suspended, the retailer has not announced whether the others were also breached. Debenhams confirmed to Sky News that customer payment details, names and addresses were accessed or stolen during the attack. In a statement the company stressed that it was only the Ecomnova-run site that had been compromised, and that customers of its main website Debenhams.com "can be confident they are unaffected by this attack". "All affected customers have been contacted by Debenhams to inform them of the incident," the firm told Sky News. "We are working with Ecomnova to ask the banks of those affected to block payment cards of those customers affected and issue customers with new cards." Debenhams said the incident had been reported to the Information Commissioner's Office (ICO), the UK's independent body for upholding the Data Protection Act. Following a cyber attack in October 2015, the ICO fined TalkTalk a record £400,000 after 15,656 individuals' bank account details and sort codes were stolen. An ICO spokesperson said it was aware of the "potential incident" involving Debenhams Flowers and that enquiries were being made. "Businesses and organisations are required under the Data Protection Act to keep people's personal data safe and secure," the spokesperson said.

Debenhams chief executive Sergio Bucher said: "As soon as we were informed that there had been a cyber attack, we suspended the Debenhams Flowers website and commenced a full investigation. "We are very sorry that customers have been affected by this incident and we are doing everything we can to provide advice to affected customers and reduce their risk." Ecomnova did not immediately respond to Sky News for comment.
GameStop customers received breach notification warnings this week, cautioning them that their personal and financial information could have been compromised nine months ago. According to postal letters sent to customers, GameStop said an undisclosed number of online customers had their credit card or bankcard data stolen, including the card numbers, expiration dates, names, addresses and the three-digit card verification values (CVV2). The breach occurred between Aug 10, 2016 and Feb 9, 2017, according to GameStop. In April, the company publicly acknowledged the breach. But it wasn’t until last week that affected customers were individually notified that their cards were likely stolen.

“I’m pretty upset at GameStop. I should have been notified when they knew about it in April,” said GameStop customer Ryan Duff, a former cyber operations tactician at U.S. Cyber Command. As a security professional, he said he expected better of GameStop when it came to notifying him of a possible breach of his credit card information. Subsequently, Duff said, the card used on GameStop.com back in November had been compromised, according to his bank. “There is no way it should have taken months to be notified,” he said.

Breach notification laws differ from state to state. But many states, such as Massachusetts, mandate that victims be notified “as soon as practicable and without unreasonable delay” or the company may face civil penalties. The rules are there, in part, to allow consumers to freeze accounts and avoid paying fees associated with having their card stolen.

“After receiving a report that data from payment cards used on www.GameStop.com may have been obtained by unauthorized individuals, we immediately began an investigation and hired a leading cybersecurity firm to assist us,” wrote J. Paul Raines, chief executive officer of GameStop, in a letter dated June 2 that was sent to impacted customers. “Although the investigation did not identify evidence of unauthorized access to payment card data, we determined on April 18, 2017 that the potential for that to have occurred existed for certain transactions,” he wrote.

GameStop operates 7,500 retail stores and its consumer product network online includes GameStop.com, game site Kongregate.com and online retailer ThinkGeek. No retail customers were impacted by the breach, according to the company. “GameStop identified and addressed a potential security incident that was related to transactions made on GameStop’s website during a specific period of time,” the company said in a statement provided to Threatpost. “GameStop mailed notification letters to customers who made purchases during that time frame advising them of the incident and providing information on steps they can take.”

Still unknown about the breach are how many customers may have been impacted, how the data was stolen and how GameStop was alerted to the fact that the data had been stolen. In April, GameStop issued the statement: “GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website.” Krebs on Security reported in April that GameStop had received an alert from a credit card processor stating that its website was potentially compromised. Originally, it was believed that the breach involved GameStop retail stores and that the company’s point-of-sale system may have been infected with malware. That was because the breach occurred at the height of the holiday sales season and the stolen data included card verification values (CVV2).

Online merchants are not supposed to store CVV2 codes on their e-commerce sites. However, since GameStop said no retail customers were impacted, it is now believed that GameStop.com was hacked and that the data was stolen through the use of malware. Over the past 12 months, there has been an unprecedented number of data breaches. Some of those impacted have been ecommerce sites running vulnerable versions of Magento and WordPress, and the ecommerce platforms Powerfront CMS and OpenCart. Criminals have used a number of techniques to siphon off credit card data from these sites, ranging from compromised ecommerce plugins that can perform reflected XSS (cross-site scripting) attacks to web-based keyloggers and DOM-based XSS attacks. Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script.
Addresses, names and phone numbers for staff were accessed in the data breach

Sports Direct failed to tell its workers about a major data breach that saw personal information accessed by hackers. A cyber attacker gained access to internal systems containing details for phone numbers, names and home and email addresses of the retail giant's 30,000 staff members. But according to The Register, workers still haven't been told about the breach, which took place in September. Sports Direct discovered the attack three months later after a phone number was left on the company's internal site with a message encouraging bosses to make contact. Chiefs filed a report with the Information Commissioner's Office after it became aware that personal information had been compromised. But as there was no evidence the data had been shared, Sports Direct didn't report the breach to staff. The blunder is the latest in a string of controversies surrounding the sporting goods retailer. Allegations also surfaced of some workers being promised permanent contracts in exchange for sexual favours. Committee chairman Iain Wright said evidence heard by MPs last year suggested Sports Direct's working practices "are closer to that of a Victorian workhouse than that of a modern, reputable High Street retailer". In November, six MPs from the Business and Skills Committee said attempts were made to record their private discussions when they visited Sports Direct to investigate working practices. A spokesman for Sports Direct said: "We cannot comment on operational matters in relation to cyber-security for obvious reasons.