Remember the good old days when you didn’t hear about a data breach every few months?
If we can’t avoid the fact that retailers and financial institutions are going to be targets for cybercriminals, we might as well learn how to deal with the fallout. And a great way of staying up to date on the latest breaches is by setting up Google email alerts or subscribing to security-oriented newsletters.
So let’s take a look at some data breaches that were recently highlighted by the ID Watchdog newsletter.
February Data Breaches
First up are two breaches identified in February: one involved the France-based Octoly, and the other involved the California-based Sacramento Bee. While both allowed identity thieves access to user data, the way that information became available to cybercriminals was quite different.
Octoly acts as a community hub for social media influencers by helping them connect with peers and major product brands—presumably to work out product review opportunities (among other things). The platform is accessed via Octoly’s proprietary application, and—as you can imagine—plenty of people saw it as an opportunity to grow their brand.
Unfortunately, cybercriminals also saw the company as an opportunity—especially since its Amazon Web Services cloud server was unsecured. And, despite warnings in January from cyber-risk research company UpGuard, Octoly did not secure the private information, which according to ID Watchdog included “real names, addresses, phone numbers, and email addresses,” until February. As a result, 12,000 user accounts were gobbled up by hackers.
The Sacramento Bee is, predictably, a local newspaper in Sacramento, California. What you might not have divined is that “The Bee,” according to their own reporting, stored two databases—1) subscriber information and 2) voter records—on servers provided by a third party. The third party, it seems, was targeted by a ransomware scam that, as ID Watchdog noted, “exposed the records of 19.5 million California voters as well as 53,000 past and current subscribers of the newspaper.” (The Bee reported that 19.4 million records were compromised, but that discrepancy could be attributed to information available at the time of reporting. And, no matter how you slice it, that’s a huge number of personal records.)
The cybercriminals demanded a Bitcoin ransom for the safe return of the data, which The Bee reported it did not pay. As many who were paying attention to the WannaCry ransomware scam may have noted, data is rarely returned after payment is issued, and it’s very difficult to rescind payments made in cryptocurrency. The somewhat silver lining of the incident is that The Bee noted “sensitive financial data such as Social Security numbers, credit card numbers, [and] bank account information” were not recorded in the databases. However, what was accessed wasn’t exactly benign: “names, addresses, email addresses, and phone numbers were exposed,” and that kind of information can help cyber-thieves access secure accounts that do contain financial data.
March Data Breaches
When you start paying attention to data breach alerts, you’ll quickly learn that there are more events than you expect. The following were revealed in March, and you might have heard about them since they hit two companies responsible for popular consumer brands: Hudson’s Bay and Under Armour.
You may not be familiar with parent company Hudson’s Bay, but you’ve probably heard of the businesses ID Watchdog listed as victims of credit card theft: Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor. This particular breach seems to have started in May 2017 and ended only this past March, handing cybercriminals credit card information for more than 5 million customers. According to Reuters, “the hacking group [JokerStash] has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson’s Bay units.”
For the uninitiated, Under Armour is a fitness clothing and accessories company (full disclosure: my wife gave me one of their red gym bags for Christmas). To compete with popular fitness-tracker software and peripherals (Fitbit), the company created MyFitnessPal, a company that makes a diet-and-exercise-tracking application. As with most online applications, signing up required a user name, email address, and password.
According to the Washington Post, Under Armour’s MyFitnessPal application was breached in February 2018, but it wasn’t discovered until March. ID Watchdog reported that 150 million users now have to worry about hackers having access to their account information—though credit cards were luckily not included in the harvested data.
These incidents serve as a grave warning for businesses that don’t use secure servers and for potential users who trust their data to third parties. That being said, the last data breach we’re going to talk about deserves its own subheading (and we’re going to cover it in depth in the next blog post, so be on the lookout).
The City of Atlanta
It’s probably not surprising to learn that businesses and individuals are frequent targets of ID theft schemes, but it may be surprising to find out that city governments often are too. This sort of strategy makes sense in a way: city governments likely aren’t securing their data as well as larger government bodies, like state- and federal-level agencies. Data coming from smaller entities can be a ripe target for scammers looking to make a quick buck. But when a bigger city like Atlanta is targeted, it turns heads.
As was the case with Octoly, the City of Atlanta seemed to ignore security warnings, The Washington Times reported. These dated back to June and July of 2017, and city computers were ultimately infected with ransomware by March 2018. That meant any process requiring access to those computers was brought to a sudden halt. There’s a common theme here, and it tends to sound a lot like “ignoring warning signs is a bad idea.”
Ryan Norton, Contributor