, noting that the incidentAttack.Databreachmight involve a vast amount of personal data ( such as name , date of birth , passport number , Hong Kong Identity Card number , credit card number , etc ) of local and foreign citizens . The office of the Privacy Commissioner for Personal Data , Hong Kong ( PCPD ) would proactively contact the airline and initiate a compliance check . The Privacy Commissioner advised the airline to notify the affected clients as soon as possible , and take remedial steps with details explained immediately . Mr Wong said that organisations must take effective security measures to protect the personal data of its clients . If an external service provider is engaged as a data processor , the organisation must adopt contractual or other means to safeguard personal data from unauthorised or accidental access , processing or use . Mr Wong reminded members of the public that if they find any abnormalities with their personal accounts of the airline concerned or credit card accounts , they should contact the airline and the related financial institutions . They should also change the account passwords and enable two-factor authentication to protect their personal data . Mr Wong stated that while reporting of data breachAttack.Databreachis voluntary , any organisation concerned is encouraged to notify the PCPD . By doing so , the PCPD can work together with the organisation to minimise the potential damage to clients .
Science Inc. , the company behind the popular online poll creation app Wishbone , has suffered a data breachAttack.Databreach. As a consequence , personal and account information of over 2.2 million of the app ’ s users is being circulatedAttack.Databreachon underground forums . The compromised records include names , usernames , email addresses and telephone numbers of the users , but also their gender and birth date ( if they chose to share that info when they set up the account ) . According to Troy Hunt , who received a copy of the compromised MongoDB database , 2,326,452 full names , 2,247,314 unique email addresses , and 287,502 cellphone numbers were included . Most importantly , the great majority of Wishbone users are teenagers and young adults , and predominantly female . “ I ’ d be worried about the potential for kids to abuse the data , ” Hunt told Motherboard . “ There ’ s a lot of young people in there and finding , say , young females and being able to contact them by phone is a worry ” . Not only that , but the data could be used to ferret out additional information about these persons , either via phishingAttack.Phishingor by searching the Internet for unsecured social media accounts that can be tied to them . Armed with all this information , fraudsters could easily perpetrate identity theft schemes . And perhaps the stolen data has already been misused . Hunt say that the data breachAttack.Databreachdates back to August 2016 , but according to the notification letter the Wishbone team sent out , they “ became aware that unknown individuals may have had accessAttack.Databreachto an API without authorization and were able to obtainAttack.Databreachaccount information of its users ” only on March 14 , 2017 . Since then , they “ rectifiedVulnerability-related.PatchVulnerability” the vulnerability that allowed the information to be slurpedAttack.Databreachby the attackers , and are now advising users to consider changing their passwords ( even though they have not been compromisedAttack.Databreachin the incidentAttack.Databreach) .
E-Sports Entertainment Association ( ESEA ) , one of the largest competitive video gaming communities on the planet , was hacked last December . As a result , a database containing 1.5 million player profiles was compromised . On Sunday , ESEA posted a message to Twitter , reminding players of the warning issued on December 30 , 2016 , three days after they were informed of the hack . Sunday ’ s message said the leak of player informationAttack.Databreachwas expected , but they ’ ve not confirmed if the leaked recordsAttack.Databreachcame from their systems . Late Saturday evening , breach notification service LeakedSource announced the addition of 1,503,707 ESEA records to their database . When asked for additional information by Salted Hash , a LeakedSource spokesperson shared the database schema , as well as sample records pulled at random from the database . Learn about top security certifications : Who they 're for , what they cost , and which you need . However , in all , there are more than 90 fields associated with a given player record in the ESEA database . While the passwords are safe , the other data points in the leaked records could be used to construct a number of socially-based attacks , including PhishingAttack.Phishing. Players on Reddit have confirmed their information was discovered in the leaked data . A similar confirmation was made Twitch ’ s Jimmy Whisenhunt on Twitter . The LeakedSource spokesperson said that the ESEA hack was part of a ransom schemeAttack.Ransom, as the hacker responsible demandedAttack.Ransom$ 50,000 in paymentAttack.Ransom. In exchange for meeting their demands , the hacker would keep silent about the ESEA hack and help the organization address the security flaw that made it possible . In their previous notification , ESEA said they learned about the incidentAttack.Databreachon December 27 , but make no mention of any related extortion attemptsAttack.Ransom. The organization reset passwords , multi-factor authentication tokens , and security questions as part of their recovery efforts . We ’ ve reached out to confirm the extortion attemptAttack.Ransomclaims made by the hacker , as well as the total count for players affected by the data breachAttack.Databreach. In an emailed statement , a spokesperson for ESL Gaming ( parent company to Turtle Entertainment ) confirmed that the hacker did in fact attempt to extort moneyAttack.Ransom, but the sum demandedAttack.Ransomwas `` substantially higher '' than the $ 50,000 previously mentioned . The company refused to give into the extortion demandsAttack.Ransom, and went public with details before the hacker could publish anything . The statement also confirms the affected user count of 1.5 million , and stressed the point that ESEA passwords were hashed with bcrypt . When it comes to the profile fields , where more than 90 data points are listed , ESL Gaming says those are optional data points for profile settings . `` We take the security and integrity of customer details very seriously and we are doing everything in our power to investigate this incident , establish precisely what has been taken , and make changes to our systems to mitigate any further breaches . The authorities ( FBI ) were also informed and we will do everything possible to facilitate the investigation of this attack , '' the message from ESL Gaming concluded . `` Based on the proof provided to us by the threat actor of possessionAttack.Databreachof the stolen data , we were able to identify the scope of the data that was accessedAttack.Databreach. While the primary concern and focus was on personal data , some of ESEA ’ s internal infrastructure including configuration settings of game server hardware specifications , as well as game server IPs was also accessibleAttack.Databreach. Due to the ongoing investigation , we prioritized customer user data first , '' the statement explains . In the days that followed that initial contact , ESEA worked to secure their systems , and the hacker kept making demands . On January 7 , ESEA learned the hacker also exfiltratedAttack.Databreachintellectual property from the compromised servers
The mobile phone company Three has experienced a fresh data breachAttack.Databreachafter some customers logging into their accounts were presented with the names , addresses , phone numbers and call histories of strangers . Three saidVulnerability-related.DiscoverVulnerabilityit was investigatingVulnerability-related.DiscoverVulnerabilitya technical issue with its systems and urged those affected to contact its customer service department . One customer , Andy Fidler , told the Guardian he was presented with the data usage and full call and text history of another named customer when he logged in on Sunday night . Another , Mark Thompson , said on Facebook he received a call from a complete stranger who said she had logged on to her account and was shown his details . Thompson said it was a “ shocking breach of data privacyAttack.Databreach” . He wrote on Three UK ’ s Facebook page : “ Care to explain just how my details have been shared , how many people have had accessAttack.Databreachto my personal information , for how long , and how many of your other customers have had their details leakedAttack.Databreachby yourselves to other members of the public as well ? ” Other customers also wanted to know why they were being presented with other people ’ s information when they logged in . Three UK , which is owned by the telecoms giant Hutchinson and has 9 million customers in Britain , said it was investigating . “ We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3 , ” a spokesman said . “ No financial details were viewable during this time and we are investigating the matter ” . The Information Commissioner ’ s Office said it “ will be looking into this potential incident involving Three ” . A spokeswoman for the regulator said : “ Data protection law requires organisations to keep any personal information they hold secure . It ’ s our job to act on behalf of consumers to see whether that ’ s happened and take appropriate action if it has not ” . The problem comes four months after three men were arrested after fraudsters accessedAttack.Databreachpersonal data of thousands of Three customers , including names and addresses , by using authorised logins to its database of customers eligible for an upgraded handset . Customer information from more than 133,000 users was compromisedAttack.Databreachin the incidentAttack.Databreach.
Last week , the Internal Revenue Service ( IRS ) issued a new warning to employers , urging them to stay alert as reports of compromised W-2 records started to climb . This newest advisory aligns with the agency 's plan to delay refunds for those filing their returns early in order to combat identity theft and fraud . The IRS also informed employers the W-2 scam has moved beyond corporations , expanding to include schools , tribal organizations , and nonprofits . In a statement , IRS Commissioner , John Koskinen , said the scams - sometimes known as Business Email Compromise (BEC) attacksAttack.Phishing- are some of the most dangerous email scams the agency has seen in a long time . [ Learn about top security certifications : Who they 're for , what they cost , and which you need . `` It can result in the large-scale theft of sensitive dataAttack.Databreachthat criminals can use to commit various crimes , including filing fraudulent tax returns . We need everyone ’ s help to turn the tide against this scheme , '' Koskinen said . In 2016 , at least 145 organizations fell victim to BEC scamsAttack.Phishing, exposing tens of thousands of employees to tax fraud and identity theft . Salted Hash kept track of some of the high-profile cases , and Databreaches.net tracked everything , resulting in a massive list of documented successful attacks . As of February 5 , 23 organizations have disclosed BEC-related data breachesAttack.Databreachpublicly , each one resulting in compromised W-2 data . The confirmed BEC victims include ten school systems , a software development firm , a utility company in Pennsylvania , at least one restaurant in Indianapolis , and businesses operating within the healthcare , finance , manufacturing , and energy sectors . Distribution International emailed employees that their W-2 data was compromisedAttack.Databreachon January 27 . Their notification expands the number of affected taxpayers to more than 30,000 . The scammers spoofedAttack.Phishingan email and pretended to beAttack.Phishingone of the company 's owners . W-2 records for all companies and all employees were compromisedAttack.Databreach. Salted Hash reached out to Sky Climber 's CFO , Jeff Caswell , for more information . Also , the College of Southern Idaho has reported an incident that could impact 3,000 employees . According to Public Information Officer Doug Maughan , the W-2 records affected belong to seasonal and auxiliary staff . Palomar College disclosed an attackAttack.Databreachon January 30 , which affected employee W-2 records . The school did n't say the incidentAttack.Databreachwas the result of a BEC attackAttack.Phishing, but Salted Hash is listing it anyway due to the timing of the attack and the information targeted . Finally today , the West Michigan Whitecaps - a Class A minor league baseball team affiliated with the Detroit Tigers - said staff W-2 records were compromised after someone posing asAttack.Phishinga manager requested them . In 2016 , the criminals behind the BEC attacksAttack.Phishingmostly focused on payroll and tax records . This year though , the IRS says that in addition to the usual records request , the scammers are now following-up and requesting wire transfers . `` Although not tax related , the wire transfer scam is being coupled with the W-2 scam email , and some companies have lost both employees ’ W-2s and thousands of dollars due to wire transfers , '' the IRS explained in their warning . `` Employers should consider creating an internal policy , if one is lacking , on the distribution of employee W-2 information and conducting wire transfers . '' BEC attacksAttack.Phishingare essentially Phishing scamsAttack.Phishing, or Spear PhishingAttack.Phishingsince the criminals have a specific target . They 're effective too , exploiting the trust relationships that exist within the corporate environment . In a majority of the reported cases from 2016 , the attackers forgedAttack.Phishingan email and pretended to beAttack.Phishingthe victim organization 's top executive , or someone with direct authority . Often it is the CEO or CFO , but any high-level manager will work .
The toys -- which can receive and send voice messages from children and parents -- have been involved in a data breachAttack.Databreachdealing with more than 800,000 user accounts . The breachAttack.Databreach, which grabbed headlines on Monday , is drawing concerns from security researchers because it may have given hackers accessAttack.Databreachto voice recordings from the toy 's customers . But the company behind the products , Spiral Toys , is denying that any customers were hackedAttack.Databreach. Absolutely not , '' said Mark Meyers , CEO of the company . Security researcher Troy Hunt , who tracks data breachesAttack.Databreach, brought the incidentAttack.Databreachto light on Monday . Hackers appear to have accessedAttack.Databreachan exposed CloudPets ' database , which contained email addresses and hashed passwords , and they even sought to ransomAttack.Ransomthe information back in January , he said in a blog post . The incidentAttack.Databreachunderscores the danger with connected devices , including toys , and how data passing through them can be exposedAttack.Databreach, he added . In the case of CloudPets , the brand allegedly made the mistake of storing the customer information in a publicly exposedAttack.Databreachonline MongoDB database that required no authentication to access . That allowed anyone , including hackers , to view and stealAttack.Databreachthe data . On the plus side , the passwords exposedAttack.Databreachin the breachAttack.Databreachare hashed with the bcrypt algorithm , making them difficult to crack . Unfortunately , CloudPets placed no requirement on password strength , meaning that even a single character such as letter `` a '' was acceptable , according to Hunt , who was given a copy of the stolen data last week . As a result , Hunt was able to decipher a large number of the passwords , by simply checking them against common terms such as qwerty , 123456 , and cloudpets . `` Anyone with the data could crack a large number of passwords , log on to accounts and pull down the voice recordings , '' Hunt said in his blog post . Security researcher Victor Gevers from the GDI Foundation said he also discovered the exposed database from CloudPets and tried to contact the toy maker in late December . However , both Gevers and Hunt said the company never responded to their repeated warnings . On Monday , California-based Spiral Toys , which operates the CloudPets brand , claimed the company never received the warnings . `` The headlines that say 2 million messages were leakedAttack.Databreachon the internet are completely false , '' Meyers said . His company only became aware of the issue after a reporter from Vice Media contacted them last week . `` We looked at it and thought it was a very minimal issue , '' he said . A malicious actor would only be able to accessAttack.Databreacha customer 's voice recording if they managed to guess the password , he said . `` We have to find a balance , '' Meyers said , when he addressed the toy maker 's lack of password strength requirements . He also said that Spiral Toys had outsourced its server management to a third-party vendor . In January , the company implemented changes MongoDB requested to increase the server 's security . Spiral Toys hasn ’ t been the only company targeted . In recent months , several hacking groups have been attackingAttack.Databreachthousands of publicly exposed MongoDB databases . They ’ ve done so by erasing the data , and then saying they can restore it , but only if victims pay a ransom feeAttack.Ransom. In the CloudPets incident , different hackers appear to have deleted the original databases , but leftAttack.Ransomransom notes on the exposed systems , Hunt said . Although the CloudPets ’ databases are no longer publicly accessible , it appears that the toy maker hasn ’ t notified customers about the breachAttack.Databreach, Hunt said . The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys . But Meyers said the company found no evidence that any hackers broke into customer accounts . To protect its users , the company is planning on a password reset for all users . `` Maybe our solution is to put more complex passwords , '' he said .
Yahoo CEO Marissa Mayer said she 'll forego her 2016 bonus and any stock award for this year after the company admitted it failed to properly investigate hack attacksAttack.Databreachthat compromisedAttack.Databreachmore than a billion user accounts . Further ReadingYahoo admits it ’ s been hackedAttack.Databreachagain , and 1 billion accounts were exposedAttack.Databreach`` When I learned in September 2016 that a large number of our user database files had been stolenAttack.Databreach, I worked with the team to disclose the incidentAttack.Databreachto users , regulators , and government agencies , '' she wrote in a note published Monday on Tumblr . `` However , I am the CEO of the company and since this incident happened during my tenure , I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company ’ s hardworking employees , who contributed so much to Yahoo ’ s success in 2016 . '' Her note came as Yahoo for the first time said that outside investigators identified about 32 million accounts for which forged browser cookies were used or taken in 2015 and 2016 . The investigators said some of the forgeries were connected to the same nation-sponsored attackers who compromised Yahoo in 2014 . The cookies tied to the forgeries have since been invalidated . Yahoo also said that the 2014 attacks targeted 26 specific accounts by exploiting the company ’ s account management tool . The company went on to say unnamed senior executives failed to grasp the extent of the breach early enough . A filing submitted Monday with the US Securities and Exchange Commission stated : Based on its investigation , the Independent Committee concluded that the Company ’ s information security team had contemporaneous knowledge of the 2014 compromise of user accounts , as well as incidents by the same attacker involving cookie forging in 2015 and 2016 . In late 2014 , senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company ’ s account management tool . The Company took certain remedial actions , notifying 26 specifically targeted users and consulting with law enforcement . While significant additional security measures were implemented in response to those incidents , it appears certain senior executives did not properly comprehend or investigate , and therefore failed to act sufficiently upon , the full extent of knowledge known internally by the Company ’ s information security team . Specifically , as of December 2014 , the information security team understood that the attacker had exfiltratedAttack.Databreachcopies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team . However , the Independent Committee did not conclude that there was an intentional suppression of relevant information . Nonetheless , the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014 , and they did not sufficiently pursue it . As a result , the 2014 Security Incident was not properly investigated and analyzed at the time , and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident . The Independent Committee found that failures in communication , management , inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident .
The breach indicates even more capable Asian states are struggling to confront cyber threats . On February 28 , Singapore ’ s defense ministry ( MINDEF ) disclosed that a breachAttack.Databreachin an Internet-connected system earlier this month had resulted in the personal data of 850 national servicemen and employees being stolenAttack.Databreach. Though the impact of the breach was quite limited , it nonetheless highlights the difficulties that Singapore faces as it confronts its growing cyber challenge . According to MINDEF , the I-net system used by personnel to access the Internet through terminals at the ministry and other facilities was breachedAttack.Databreachby an attackAttack.Databreachin early February . While personal data , including identification numbers , phone numbers , and date of birth , were believed to have been stolenAttack.Databreachduring the incidentAttack.Databreach, the ministry said no classified information was compromisedAttack.Databreachbecause it is stored on a separate system not connected to the Internet . As I have noted before , it has been paying keen attention to the cyber domain as a developed , highly-networked country . Singapore is particularly vulnerable as it relies on its reputation for security and stability to serve as a hub for businesses and attract talent . Indeed , last year , Deloitte found that Singapore was among the five Asian countries most vulnerable to cyber attacks ( See : “ Singapore Among Most Vulnerable to Cyberattacks in Asia ” ) . In response , Singapore has unveiled a series of initiatives aimed at boosting cybersecurity , including creating new institutions , safeguarding critical infrastructure , training cyber security personnel , and collaborating more with the private sector ( See : “ Singapore ’ s Cyber War Gets a Boost ” ) . And as I noted before , Prime Minister Lee Hsien Loong also outlined Singapore ’ s overall cybersecurity strategy at the inaugural Singapore International Cyber Week in October last year ( See : “ Singapore Unveils New ASEAN Cyber Initiative ” ) . Nonetheless , the cyber attack this week is a reminder that even the more capable states in the Asia-Pacific continue to struggle with confronting threats in the cyber realm . This was the first publicly disclosed cyber attack that MINDEF has experienced , and the ministry has described it as “ targeted and carefully planned , ” with the purpose of gaining access to official secrets . And based on what Singaporean officials have discovered so far , the attack appears to be less like the work of regular hackers and more along the lines of sophisticated state or state-backed actors