to anonymous attackers through the digital currency Bitcoin. A Connecticut city has paid USD 2,000 to restore access to its computer system after a ransomware attack. West Haven officials said Thursday they paid the money to anonymous attackers through the digital currency bitcoin to unlock 23 servers and restore access to city data. The attack disabled servers early Tuesday morning, and city officials say it was contained by 5:30 PM Wednesday. City attorney Lee Tiernan says officials initially didn't want to pay the ransom, but research showed it was the best course of action. The city says there's no reason to believe data was compromised. Employee pay was not affected. The US Department of Homeland Security says the attack came from outside the US. An investigation is ongoing.
City employees in Atlanta coming to work Friday morning were told not to turn on their computers and WiFi at the Atlanta airport was turned off due to a ransomware attack that hit municipal systems on Thursday. As employees walked into city hall for work, they were handed a printed notice telling them to not use their computers until they were cleared by the municipal IT group, the Atlanta Journal Constitution reported. At a news conference Friday afternoon, Atlanta chief operating officer Richard Cox said that the WiFi at Hartsfield–Jackson Atlanta International Airport had been disabled out of "an abundance of caution." The city is still working on mitigating the ransomware and Mayor Keisha Lance Bottoms did not answer questions from reporters as to whether the attack had ended. "What we want to make sure of is that we aren’t putting a Band-Aid on a gaping wound. We want to make sure that we take the appropriate steps," she said. Atlanta doesn’t know who is behind the attack, the mayor said. The good news is that while “this is a massive inconvenience to the city, it is not life and death,” she said. Police, fire and other vital services are still fully functional, Cox said. The attack hit early Thursday morning. Bottoms has repeatedly told employees they should monitor their bank accounts because city officials don’t yet know what information was compromised in the attack. "Let's just assume that if your personal information is housed by the City of Atlanta, whether it be because you are a customer who goes online and pays your bills or any employee or even a retiree, we don't know the extent, so we just ask that you be vigilant," Bottoms said. The ransomware is affecting applications that customers use to pay bills and access court-related information among other things, Bottoms said.
The attackers demanded the equivalent of $51,000 in digital currency to unlock the system. The city is working with the FBI and local law enforcement to investigate the attack, Cox said. While it has been a difficult two days, Atlanta will in the end prevail, he said. "The city was around before computers were around," said Cox. "We’ll rise from the ashes," he added.
Cyber criminals took a second swing at Mecklenburg County government on Thursday after officials rejected a demand for money following a ransomware attack. The follow-up attempts to hold the county hostage over illegally encrypted data came just hours after County Manager Dena Diorio announced she’d decided against paying a hacker ransom. Instead of agreeing to pay criminals, she said Wednesday, the county will rebuild its system applications and restore files and data from backups. But by Thursday afternoon, hackers tried to strike again. Diorio sent staff members an email saying, “I have a new warning for employees.” As the county’s IT staff worked to recover from the first cyberattack, Diorio said, they discovered more attempts to compromise computers and data on Thursday. “To limit the possibility of a new infection, ITS is disabling employees’ ability to open attachments generated by DropBox and Google Documents,” she wrote in an email. “The best advice for now is to limit your use of emails containing attachments, and try to conduct as much business as possible by phone or in person.” She described the aftermath of the ransomware attack as a “crisis” and reassured employees they should not feel personally responsible for the incident. The county first learned of the problem earlier this week after an employee opened a malicious “phishing” email and accessed an attached file that unleashed a widespread problem inside the county’s network of computers and information technology. The intent of that ransomware attack was to essentially access as many county government files and data servers as possible. Then, the information was encrypted or locked, keeping employees at the county from accessing operating systems and files.
The person or people responsible for the infiltration then demanded the county pay two bitcoins, or about $23,000, in exchange for a release of the locked data. The county refused to pay. County officials say they anticipate the recovery time for Mecklenburg County government operations will take days. “We are open for business, and we are slow, but there’s no indication of any data loss or that personal information was compromised,” Diorio said. Diorio said third-party security experts believe the attack earlier this week by a new strain of ransomware called LockCrypt originated from Iran or Ukraine. Forty-eight of about 500 county computer servers were affected.
Federal officials, Microsoft and Cisco are working with the city of Atlanta to resolve the attack, but Atlanta's mayor won't say if the city paid the $51,000 ransom. As of Saturday, Atlanta officials and federal partners were still “working around the clock” to resolve the ransomware attack on city computers that occurred around 5 a.m. on Thursday, March 22, and encrypted some financial and personal data. As @Cityofatlanta officials & federal partners continue working around the clock to resolve issues related to the ransomware cyber attack launched against the City, solid waste & other DPW operations are not impacted. — ATLPublicWorks (@ATLPublicWorks) March 24, 2018 On Thursday, the official investigation included “the FBI, U.S. Department of Homeland Security, Cisco cybersecurity officials and Microsoft to determine what information has been accessed and how to resolve the situation.” A city employee sent WXIA a screenshot of the ransom demand, which included a pay-per-computer option of $6,800 or an option to pay $51,000 to unlock the entire system. CBS 46 reported that the ransom demand and instruction said: Send .8 bitcoins for each computer or 6 bitcoins for all of the computers. (That's the equivalent of around $51,000.) After the .8 bitcoin is sent, leave a comment on their website with the provided host name. They’ll then reply to the comment with a decryption software. When you run that, all of the encrypted files will be recovered. On Friday, March 23, city employees were handed a printed notice as they walked through the front doors. They were told not to turn on their computers until the issue was resolved. Officials were still unsure who was behind the attack.
Mayor Keisha Lance Bottoms advised city employees and customers to monitor their personal information, although there was no evidence to show customer or employee data was compromised. Mayor Bottoms clarified what services had not been impacted and were still available to residents and which ones had been impacted. Mayor Bottoms will not say if Atlanta intends to pay the ransom demand, saying, “We will be looking for guidance from, specifically, our federal partners on how to best navigate the best course of action.” During a press conference, Bottoms said, “What we want to make sure of is that we aren’t putting a Band-Aid on a gaping wound.” She then turned the press conference over to Richard Cox, the City of Atlanta's chief operations officer; the poor dude is brand new to serving as Atlanta’s COO. He confirmed the existence of the ransom demand but would not reveal the contents.
Nearly a week after it became the target of one of the largest ransomware attacks to date, the City of Atlanta has made progress toward recovery, but it is still far from business as usual. Hackers encrypted many of the city government's vital data and computer systems. The ransomware attack, which Mayor Keisha Lance Bottoms characterized as "a hostage situation," forced the city to shut down municipal courts and even prevented residents from paying bills online. The city has been unable to issue warrants, and in many cases city employees have had to fill out forms and reports by hand. The hackers demanded that officials pay a ransom of US$51,000 to be sent to a bitcoin wallet. Threat researchers from Dell-owned Secureworks, which is based in Atlanta, have been working to help the city recover from the attack. The security firm identified the assailants as the SamSam hacking group, The New York Times reported on Thursday. That organization has been known for similar ransomware attacks; it typically makes ransom demands of $50,000 or more, usually payable only with bitcoin. Secureworks has been working with the city's incident response team as well as the FBI, the Department of Homeland Security and the U.S. Secret Service. In addition, a number of independent experts, including researchers from Georgia Tech, have been called in to determine how the attack occurred and help strategize to prevent another such attack. As of Thursday, the city's Department of Information Management, which first discovered the attack on March 21, said that it had found no evidence that customer or employee data was compromised. It nevertheless encouraged everyone to take precautionary measures, including the monitoring of personal accounts and protecting personal information.
The mobile phone company Three has experienced a fresh data breach after some customers logging into their accounts were presented with the names, addresses, phone numbers and call histories of strangers. Three said it was investigating a technical issue with its systems and urged those affected to contact its customer service department. One customer, Andy Fidler, told the Guardian he was presented with the data usage and full call and text history of another named customer when he logged in on Sunday night. Another, Mark Thompson, said on Facebook he received a call from a complete stranger who said she had logged on to her account and was shown his details. Thompson said it was a “shocking breach of data privacy”. He wrote on Three UK’s Facebook page: “Care to explain just how my details have been shared, how many people have had access to my personal information, for how long, and how many of your other customers have had their details leaked by yourselves to other members of the public as well?” Other customers also wanted to know why they were being presented with other people’s information when they logged in. Three UK, which is owned by the telecoms giant Hutchinson and has 9 million customers in Britain, said it was investigating. “We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3,” a spokesman said. “No financial details were viewable during this time and we are investigating the matter”. The Information Commissioner’s Office said it “will be looking into this potential incident involving Three”. A spokeswoman for the regulator said: “Data protection law requires organisations to keep any personal information they hold secure.
It’s our job to act on behalf of consumers to see whether that’s happened and take appropriate action if it has not”. The problem comes four months after three men were arrested after fraudsters accessed personal data of thousands of Three customers, including names and addresses, by using authorised logins to its database of customers eligible for an upgraded handset. Customer information from more than 133,000 users was compromised in the incident.
Payday lender Wonga appears to be the latest big-name brand to suffer a damaging data breach, after admitting over the weekend “there may have been illegal and unauthorized access” to customers’ personal details. The firm was tight-lipped on how many customers might have been affected, although reports suggest it is in the region of 270,000, most of whom are based in the UK. The short-term loans company, which charges customers over 1200% APR, was also short on details and hedged its bets somewhat as to the cause. The firm claimed in an FAQ on the incident that it is still trying to establish the details and contact those affected. What we do know is that customer names, e-mail addresses, home addresses and phone numbers may have been compromised, along with the last four digits of their card number and/or bank account number and sort code. It added: “We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals”. Wonga also advised customers to be on the lookout for follow-up scams, both online and over the phone. The kind of information that appears to have been compromised would certainly provide seasoned fraudsters with enough to socially engineer targets into divulging more details such as their full card numbers. This is just the latest in a long line of breaches at big-name companies. Data from over 130,000 customers of network operator Three was illegally obtained by fraudsters back in November. The impact to brand and reputation can be a serious blow to breached organizations. TalkTalk is said to have lost 100,000 customers and £60m as a result of a breach at the ISP.
André Stewart, EMEA vice-president at Netskope, argued that coming European privacy laws will force organizations to be more accountable for their data practices. “As a result, companies will be forced to take active measures to mitigate any threats to personal privacy, whether that data is stored on-premises or in the cloud. Any companies falling short of these standards could face hefty fines,” he explained. “Alongside demonstrating that they have coached employees on the GDPR and secure data handling, employers will also need to provide staff with the tools to do their jobs securely without sacrificing ease and convenience”. Kevin Cunningham, president of SailPoint, added that staff from the board down need to be well-drilled in order to help protect sensitive customer information. “In today’s market, it’s a matter of when, not if, a data breach will happen. So the most important factors are prevention, education, and rapid response,” he argued. “When a breach does happen, it’s important to quickly find out how and why it occurred, assess the damage and required response, and put IT controls in place to address future attacks”.
Personal and financial data of some 270,000 customers of UK payday loan firm Wonga have likely been pilfered in a data breach. The data that was accessed by the attackers includes the name, e-mail address, home address, and phone number of around 245,000 customers in the UK and 25,000 customers in Poland, as well as the last four digits of their payment card number and/or their bank account number and sort code. “We do not believe your Wonga account password was compromised and believe your [loan] account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals,” the company advised users. “We will be alerting financial institutions about this issue and any individuals impacted as soon as possible, but we recommend that you also contact your bank and ask them to look out for any suspicious activity.” They’ve also warned users to be on the lookout for scammers looking to leverage the stolen information to gain more information or money directly from the users. According to the BBC, the company noticed that something was amiss last week, but it took them until Friday to discover that customer data may have been compromised. The company started to inform customers of the breach on Saturday. “Wonga’s stock with the general public has never been particularly high, but this breach will see it fall even further. It is simply the latest name in a long list of data breach victims that will come to realise that the reputational impact of a breach is more damaging than anything the ICO can do to them, or the cybercriminals themselves for that matter,” commented Marc Agnew, Vice President, ViaSat Europe.
“The stakes are so high that organisations need to treat cyber-attack not only as a threat, but as an inevitability. Organisations must therefore ensure that all customer data is encrypted, not just the passwords and card details, so that any stolen data is essentially worthless. Inadequately protecting customer data can create massive problems for enterprises and consumers alike. Reacting to an attack appropriately is vital; from isolating and identifying the origin, to taking stock of what has been stolen or affected and making sure those who have been put at risk are notified and protected as soon as possible. By the looks of it, Wonga’s customers were alerted in a timely manner and should be well informed enough to take action. This is all Wonga can do at this stage, but it’ll be interesting to see what happens next and how serious an attack this turns out to be.” “While the organisation has stated that affected customers are unlikely to be at risk of theft, the fact remains that private personal information was compromised – posing a risk to customers,” André Stewart, VP EMEA at Netskope, pointed out. “Data loss prevention needs to be a key priority for all businesses. The EU General Data Protection Regulation (GDPR) – set to come into effect in just over a year – will hold organisations accountable for their data practices. As a result, companies will be forced to take active measures to mitigate any threats to personal privacy, whether that data is stored on-premises or in the cloud. Any companies falling short of these standards could face hefty fines,” he also noted.
Retina-X Studios, the makers of several consumer-grade monitoring products, have finally announced that they have suffered a data breach. Retina-X and FlexiSpy, another spyware maker, were attacked by two hackers / hacker groups that revealed last week how they went about compromising the companies’ assets and made off with customer and other data. “A hacker known for SQL exploits of great magnitude was able to find a weakness in a decompiled and decrypted version of a now-discontinued product. The vulnerability hidden inside the coded software led to a breach of the database and the eventual exploit by unauthorized individuals,” the company noted. “According to the report, the attacker was able to break into a server that held database tables for Net Orbit, PhoneSheriff and TeenShield. The tables held information such as login usernames, subscription keys, device metadata, text messages, GPS locations, contacts’ information, apps installed and website logs. A third-party photo storage account was also breached. Only accounts created before February 21st, 2017 were affected.” They were quick to point out that no payment information was compromised, and they say that the attacker has not publicly released the stolen data – and he seemingly does not plan to. They are also trying to differentiate themselves from the other victim (FlexiSpy), by saying that their software can’t be used to monitor individuals that the monitorer has no legal right to keep under surveillance (e.g. their employees or their underage children), because this would violate their terms of service and the account would be terminated. “Our child and employee monitoring software shows up as an icon and in the Installed Apps list of devices.
There are also notifications to let the user of the device know that activities are being monitored,” the company noted, while failing to mention that these notifications can be turned off and the icon removed. They also did not mention how or how quickly they are able to discover that someone is using the software to perform illegitimate surveillance. For all we know, it could be weeks or months, but even days are too much for people who are spied on in this way.
OneLogin has revealed more about the attack on its systems, confirming that a "threat actor" had accessed database tables including "information about users, apps, and various types of keys." It warned once again that the malefactor, who was able to rifle through OneLogin's infrastructure for seven hours, may have been able to decrypt customer data. The company said: Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it. One customer affected by the OneLogin attack told Ars that he was having to "rebuild the whole authentication security system... OUCH!" OneLogin told fretful customers in an internal notification that they would need to work through a number of steps to secure their accounts, including generation of new API credentials and OAuth tokens. Any users served by the firm's US data centre have been hit by the breach, OneLogin said. "While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data," OneLogin said. "We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers." OneLogin has admitted that the single sign-on (SSO) and identity management firm has suffered a data breach. However its public statement is vague about the nature of the attack.
An e-mail to customers provides a bit of detail—warning them that their data may have been exposed. And a support page that is only accessible to OneLogin account holders is even more worrying for customers. It apparently says that "customer data was compromised, including the ability to decrypt encrypted data." OneLogin—which claims to offer a service that "secures connections across all users, all devices, and every application"—said on Thursday that it had "detected unauthorised access" in the company's US data region. It added in the post penned by OneLogin CISO Alvaro Hoyos: We have since blocked this unauthorised access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorised access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount. While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented. It has given customers a long list of actions to protect their accounts following the attack. It's unclear why it is that OneLogin has provided three different sets of information to its customers. It's possible the company was hoping to only disclose more detail to those directly affected by the attack to avoid revealing potential weaknesses that may have exposed the data in the first place. But that attempt to keep the information under wraps has clearly backfired as customers scramble to secure their accounts. This is the second data breach that OneLogin has suffered within the past year.
Last August it warned customers of a cleartext login bug on its Secure Notes service, after "an unauthorised user gained access to one of our standalone systems, which we use for log storage and analytics." Hoyos apologised for that particular breach. "We are making every effort to prevent any similar occurrence in the future," he said at the time.
OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data. Headquartered in San Francisco, OneLogin provides single sign-on and identity management for cloud-based applications. OneLogin counts among its customers some 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers. A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer’s usernames and passwords for all of their other applications. In a brief blog post Wednesday, OneLogin chief information security officer Alvaro Hoyos wrote that the company detected unauthorized access to OneLogin data. “Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.” “While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.” OneLogin’s blog post includes no other details, aside from a reference to the company’s compliance page. The company has not yet responded to request for comment.
However, Motherboard has obtained a copy of a message OneLogin reportedly sent to its customers about the incident, and that missive contains a critical piece of information: “Customer data was compromised, including the ability to decrypt encrypted data,” reads the message OneLogin sent to customers. According to Motherboard, the message also directed customers to a list of required steps to minimize any damage from the breach, such as generating new API keys and OAuth tokens (OAuth being a system for logging into accounts), creating new security certificates as well as credentials; recycling any secrets stored in OneLogin’s Secure Notes feature; and having end-users update their passwords. Gartner Inc. financial fraud analyst Avivah Litan said she has long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket. “It’s just such a massive single point of failure,” Litan said. “And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.” KrebsOnSecurity will likely update this story throughout the day as more details become available. “Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance.
OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.” “The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.”
Los Angeles Valley College in Valley Glen was subject to a cyber attack over the winter break but it is not known how large the breach was, officials said Tuesday. The attack was described as “malicious cyber activity targeting Los Angeles Valley College,” according to a statement from Los Angeles Community College District Chancellor Francisco Rodriguez. “This attack is believed to have taken place over the holidays and we are working closely with local and federal authorities to learn more about its potential impact,” Rodriguez said. “Our top priority in resolving this incident is ensuring that the security and privacy of our students and employees is protected.” Additional details about the attack were not made available and it was not immediately clear if anyone’s personal data was compromised. Los Angeles Sheriff’s cyber crimes unit was investigating, Deputy Caroline Rodriguez of the Sheriff’s Information Bureau said. The FBI did not immediately reply to emailed questions regarding the attack.
Last week, the Internal Revenue Service (IRS) issued a new warning to employers, urging them to stay alert as reports of compromised W-2 records started to climb. This newest advisory aligns with the agency's plan to delay refunds for those filing their returns early in order to combat identity theft and fraud. The IRS also informed employers the W-2 scam has moved beyond corporations, expanding to include schools, tribal organizations, and nonprofits. In a statement, IRS Commissioner, John Koskinen, said the scams - sometimes known as Business Email Compromise (BEC) attacks - are some of the most dangerous email scams the agency has seen in a long time. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” Koskinen said. In 2016, at least 145 organizations fell victim to BEC scams, exposing tens of thousands of employees to tax fraud and identity theft. Salted Hash kept track of some of the high-profile cases, and Databreaches.net tracked everything, resulting in a massive list of documented successful attacks. As of February 5, 23 organizations have disclosed BEC-related data breaches publicly, each one resulting in compromised W-2 data. The confirmed BEC victims include ten school systems, a software development firm, a utility company in Pennsylvania, at least one restaurant in Indianapolis, and businesses operating within the healthcare, finance, manufacturing, and energy sectors. Distribution International emailed employees that their W-2 data was compromised on January 27. Their notification expands the number of affected taxpayers to more than 30,000.
The scammers spoofed an email and pretended to be one of the company's owners. W-2 records for all companies and all employees were compromised. Salted Hash reached out to Sky Climber's CFO, Jeff Caswell, for more information. Also, the College of Southern Idaho has reported an incident that could impact 3,000 employees. According to Public Information Officer Doug Maughan, the W-2 records affected belong to seasonal and auxiliary staff. Palomar College disclosed an attack on January 30, which affected employee W-2 records. The school didn't say the incident was the result of a BEC attack, but Salted Hash is listing it anyway due to the timing of the attack and the information targeted. Finally today, the West Michigan Whitecaps - a Class A minor league baseball team affiliated with the Detroit Tigers - said staff W-2 records were compromised after someone posing as a manager requested them. In 2016, the criminals behind the BEC attacks mostly focused on payroll and tax records. This year though, the IRS says that in addition to the usual records request, the scammers are now following up and requesting wire transfers. “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers,” the IRS explained in their warning. “Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers.” BEC attacks are essentially Phishing scams, or Spear Phishing since the criminals have a specific target. They're effective too, exploiting the trust relationships that exist within the corporate environment.
In a majority of the reported cases from 2016, the attackers forged an email and pretended to be the victim organization's top executive, or someone with direct authority. Often it is the CEO or CFO, but any high-level manager will work.
The breach indicates even more capable Asian states are struggling to confront cyber threats. On February 28, Singapore’s defense ministry (MINDEF) disclosed that a breach in an Internet-connected system earlier this month had resulted in the personal data of 850 national servicemen and employees being stolen. Though the impact of the breach was quite limited, it nonetheless highlights the difficulties that Singapore faces as it confronts its growing cyber challenge. According to MINDEF, the I-net system used by personnel to access the Internet through terminals at the ministry and other facilities was breached by an attack in early February. While personal data, including identification numbers, phone numbers, and date of birth, were believed to have been stolen during the incident, the ministry said no classified information was compromised because it is stored on a separate system not connected to the Internet. As I have noted before, it has been paying keen attention to the cyber domain as a developed, highly-networked country. Singapore is particularly vulnerable as it relies on its reputation for security and stability to serve as a hub for businesses and attract talent. Indeed, last year, Deloitte found that Singapore was among the five Asian countries most vulnerable to cyber attacks (See: “Singapore Among Most Vulnerable to Cyberattacks in Asia”). In response, Singapore has unveiled a series of initiatives aimed at boosting cybersecurity, including creating new institutions, safeguarding critical infrastructure, training cyber security personnel, and collaborating more with the private sector (See: “Singapore’s Cyber War Gets a Boost”).
And as I noted before, Prime Minister Lee Hsien Loong also outlined Singapore’s overall cybersecurity strategy at the inaugural Singapore International Cyber Week in October last year (See: “Singapore Unveils New ASEAN Cyber Initiative”). Nonetheless, the cyber attack this week is a reminder that even the more capable states in the Asia-Pacific continue to struggle with confronting threats in the cyber realm. This was the first publicly disclosed cyber attack that MINDEF has experienced, and the ministry has described it as “targeted and carefully planned,” with the purpose of gaining access to official secrets. And based on what Singaporean officials have discovered so far, the attack appears to be less like the work of regular hackers and more along the lines of sophisticated state or state-backed actors.