The Week in Breach: 01/19/19 – 01/25/19
This week, Canada and Australia catch a break on data breaches, a US ice cream maker is melted by malware, a video sharing platform in France faces a credential stuffing attack, and cybersecurity misconceptions result in vulnerabilities.
Dark Web ID Trends:
Top Source Hits: ID Theft Forum (100%)
Top Compromise Type: Domain (99%)
Top Industry: High-Tech / IT
Top Employee Count: 11-50 Employees (43%)
United States- Graeter’s Ice Cream
Exploit: Malware on website checkout page.
Graeter’s Ice Cream: Regional ice cream brand based in Cincinnati.
 |
Risk to Small Business: 1.888 = Severe: After discovering the potential breach, the ice cream chain was forced to notify approximately 12,000 customers, informing them that their personal and payment information may have been compromised. Malicious code was inserted into the company website’s checkout page between June 28, 2018 and December 18, 2018, but the investigation has still not definitively revealed if anyone was actually breached. Nevertheless, customers are upset due to uncertainty surrounding the breach and the brand will reluctantly undergo security process improvements that will cost additional time and money. |
|
Individual Risk: 2.428 = Severe: The malware was capable of copying any data entered during the checkout process, including personal details (names, addresses, phone numbers, fax numbers) and financial information (card types, numbers, expiration dates, and card verification codes). With this in hand, hackers are able to conduct payment fraud or build data profiles that can be sold on the Dark Web. |
Customers Impacted: Approximately 12,000
How it Could Affect Your Customers’ Business: Considering that Graeter’s is still unsure if the malware was able to siphon payment data, the situation can quickly become frightening and frustrating for the end-user. The ambiguity leads to customers shuffling through statements and wondering if they’ve been hacked, causing them to think twice before doing business on a checkout page that has previously been breached.
ID Agent to the Rescue: Dark Web ID™ can monitor the Dark Web and find out if your customers’ data has been compromised. We work with MSSPs to strengthen their security suite by offering industry-leading detection. Find out more here: https://www.idagent.com/dark-web/.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
United States- Valley Hope Association
https://www.healthdatamanagement.com/news/email-hack-suspected-in-valley-hope-association-data-breach
Exploit: Employee phishing attack.
Valley Hope Association: Kansas-based group of addiction treatment centers.
|
Risk to Small Business: 1.777 = Severe: Upon discovering suspicious activity on an employee email account dating back to October 2018, the association began notifying patients that sensitive data might have been compromised, including payment, personal, and health information. Aside from dealing with disgruntled patients, the association must implement new security measures and offer free credit monitoring and identity protection services. |
|
Individual Risk: 2.142 = Severe: Although the details varied by patient, anything from personal data including names, SSNs, date of births, license numbers to protected health information (PHI) such as claims and billing data, health insurance details, medical record numbers, prescriptions, and doctor’s names could have been involved. This poses grave risk to patients and caregivers that are affected. |
Customers Impacted: 70,000 patients.
How it Could Affect Your Customers’ Business: Every single minute that transpires between a cyber-attack and discovery is crucial, as it can be measured in time, money, and customer churn. Organizations of all sizes should focus their efforts on early detection, which can help reduce the number of patients or consumers impacted.
ID Agent to the Rescue: SpotLight ID™ by ID Agent can help monitor stolen employee data, mitigating losses from this breach type. Learn more at: https://www.idagent.com/identity-monitoring-programs.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
United States- Lebanon VA Medical Center
https://www.beckershospitalreview.com/cybersecurity/pennsylvania-va-inadvertently-exposes-1-000-patients-health-information.html
Exploit: Employee error.
Lebanon VA Medical Center: Veterans hospital located in Pennsylvania.
|
Risk to Small Business: 2 = Severe: A hospital employee accidentally sent an email to a veteran’s family member with protected health information (PHI) for up to 1,002 patients. Instead of emailing a document listing all nursing homes that work with the US Department of Veteran Affairs, the staff member ended up violating HIPAA requirements by sending a historical list of nursing home residents. Although this was an isolated incident with limited risk, the center will be encrypting files that contain historical information and notifying all patients that may have been affected. |
 |
Individual Risk: 2.574 = Moderate: The disclosed list included veteran names, abbreviated SSNs, nursing home admittances, diagnoses, and service-connection disability ratings. Although this may not seem like much exposure, anytime PHI is involved, risk increases significantly. |
Customers Impacted: 1,002 patients
How it Could Affect Your Customers’ Business: This event demonstrates the ease at which such a breach, however innocent, can occur. By implementing encryption, organizations can showcase their commitment toward data security for their patients or consumers, which also serves as a reflection of their services and care.
ID Agent to the Rescue: Dark Web ID combines human and sophisticated Dark Web intelligence with search capabilities to identify, analyze and proactively monitor for your organization’s compromised patient or customer data. Find out how you can work with us here: https://www.idagent.com/dark-web/.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
United Kingdom- Deliveroo
https://www.pymnts.com/news/regulation/2019/deliveroo-gdpr-data-security/
Exploit: Account takeover.
Deliveroo: Online food delivery business based in London.
|
Risk to Small Business: 1.777 = Severe: Customers are complaining that they are being charged for online orders they have not made through Deliveroo, amounting up to 1,000 euros. The company maintains that this being caused by “customers using the same usernames and passwords on multiple online accounts and those details being involved in a data breach on another platform”. However, the company could have proactively asked users to reset their accounts, especially in light of the fact that a similar incident occurred back in 2016. Risk levels are high, considering the company could be fined millions while also facing customer churn. |
|
Individual Risk: 2.428=Severe: Although it remains to be understood as to how hackers are accessing Deliveroo user accounts, they have likely gained access to usernames, passwords, and financial details. Users who share account details across multiple platforms are even more susceptible to high risk |
Customers Impacted: To be determined.
How it Could Affect Your Customers’ Business: Even when identity theft originates from another breach, companies will be held responsible for securing accounts on their platforms by regulatory agencies as well as customers. It is crucial that businesses protect their reputation by asking users to change account details periodically. Also, as mentioned previously, they must invest in detection solutions to track down the source of a breach early on.
ID Agent to the Rescue: Dark Web ID offers industry-leading detection by monitoring the Dark Web for your customer’s data. Learn how you can partner with us here: https://www.idagent.com/dark-web/.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
United Kingdom – B&Q
https://www.scmagazine.com/home/security-news/u-k-home-supply-giant-leaves-offender-database-open/
Exploit: Database leak.
B&Q: Home improvement retailer.
|
Risk to Small Business: 2.222 = Severe: Security researchers discovered that B&Q exposed the information of 70,000 people who were allegedly involved in criminal activity related to their stores. This can be classified as sensitive data under new GDPR requirements. However, what’s worse is that the company failed to report the incident or take the database offline after being notified. |
|
Individual Risk: 2.714 = Moderate: Since the nature of the data includes criminal activity, along with associated names and vehicle details, this could be specifically damaging for those accused. If received in the wrong hands, it can be leveraged for data breaches, or even cause reputational harm to individuals. |
Customers Impacted: 70,000.
How it Could Affect Your Customers’ Business: When a breach occurs, a company’s cybersecurity practices and incident response teams are examined under a microscope. In this case, not only did a third party discover the compromise, but the company did not act in time. As news headlines demonstrate, such a delay in action will be criticized online, causing overall brand erosion and eventually cascading to customer loyalty being negatively impacted.
ID Agent to the Rescue: DarkWeb ID can help you proactively monitor if customer data is being leaked on the Dark Web, helping reduce the losses incurred from such a breach. See how you can benefit here: https://www.idagent.com/dark-web/.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
France – DailyMotion
https://www.zdnet.com/article/dailymotion-discloses-credential-stuffing-attack/
Exploit: Credential stuffing attack.
Daily Motion: Video sharing platform.
|
Risk to Small Business: 2.333 = Severe:
In this incident, hackers attempted to scam parents of Newcastle students by asking them to pay school fees in bitcoin to receive a 25% discount. Since the attackers had access to the email addresses of parents, the Information Commissioner’s Office (ICO) is investigating to learn more and advising caution regarding future phishing attacks targeted towards schools. |
|
Individual Risk: 2.571=Moderate: It is still unknown how hackers gained access to parents’ email addresses, which could put personal information at risk. However, it is unlikely that payment details were exposed. |
Customers Impacted: To be determined.
How it Could Affect Your Customers’ Business: Multiple cybersecurity firms have issued recent warnings for cyber-attacks that are intended for the education sector. Hackers have zeroed in on such institutions because store valuable information and are protected by legacy systems that are easily compromised.
ID Agent to the Rescue: SpotLight ID allows MSPs, Resellers and Channel Partners to deliver comprehensive personal identity protection for clients’ employees and customers, ultimately safeguarding corporate systems. Get started here: https://www.idagent.com/identity-monitoring-programs.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
Philippines – Cebuana Lhuilier
https://www.bworldonline.com/bsp-says-cebuana-lhuillier-data-breach-contained/
Exploit: Email server compromise.
Cebuana Lhuillier: Pawn shop and microfinance firm.
|
Risk to Small Business: 2 = Severe: The company recently announced that data from 900,000 clients, or 3% of total clientele, had been accessed August 5th and 12th of 2018. Hackers downloaded contact lists used for marketing campaigns, which they can use to orchestrate email phishing attacks. Along with hiring a third-party information security provider, the company has alerted authorities and customers. However, the breach did not involve financial details and the company will likely recover after spending resources on containing the breach. |
|
Individual Risk: 2.857 = Moderate: The attacker gained access to customer birthdays, addresses, and sources of income, which is quite limited in scope compared to other reported breaches. However, customers should ensure that this information cannot be leveraged to access other accounts.
|
Customers Impacted:900,000 clients.
How it Could Affect Your Customers’ Business: When we think of data breaches, we usually do not account for marketing campaigns that reveal relatively little about customers. Yet, with the increased vigilance towards protecting personal information, even this type of data must be secured. As companies begin to accumulate more data around their customers to fortify their marketing efforts, they must also consider the implications for data security and identity protection.
ID Agent to the Rescue: Backed by ID Agent’s $1 million identity theft restoration policy, SpotLight ID allows MSPs’ clients to protect customers while enhancing their overall cybersecurity awareness. Learn more: https://www.idagent.com/identity-monitoring-programs.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
New Zealand – Cryptopia
https://itbrief.co.nz/story/police-making-progress-into-cryptopia-breach
Exploit: Payment fraud.
Cryptopia: Online cryptocurrency exchange.
|
Risk to Small Business: 1.888 = Severe: The breach initially occurred on January 13 and 14, yet little was known regarding the method of compromise. Hackers were able to extract cryptocurrency amounting to anywhere from $3 to $16 million in USD (NZ $4.4M-23.5M) over 5 days. Aside from likely having to reimburse customers, the exchange will have to contract with expensive financial forensics teams and likely face a decline in users. |
|
Individual Risk: 2.428 = Severe: User wallets were depleted over 5 days, resulting in heavy financial losses among individuals. It remains to be seen if they will recover any of it, with the only silver lining being that personal information was most likely not compromised. |
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: For companies dealing with discreet financial instruments, it becomes even more important for businesses to enhance their security efforts. Since cryptocurrency is based on anonymity, it will be incredibly difficult to trace hacker activities and understand how and which users were affected.
ID Agent to the Rescue: Find out why the largest private and public sector organizations globally rely on Dark Web ID to provide actionable stolen credential data and make informed decisions here: https://www.idagent.com/dark-web/. .
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
GDPR Update: 95,000 Data Breach Complaints Since Adoption
Since the widely anticipated installation of the EU privacy law known as the General Data Protection Regulation (GDPR), regulators have received over 95,000 complaints of possible data breaches within an eight month period.
As you may already know, GDPR enables privacy enforcers to levy fines of up to 4 percent of global revenue or 20 million euros ($23 million), whichever amounts to a higher number. Just last week, the French data protection watchdog imposed a fine of 50M euros on Alphabet-owned Google over allegations that they failed to obtain user consent for personalized ads, the largest GDPR sanction to date. As more penalties begin to join in the mix, organizations must consult experts to ensure that they are adhering to the stringent regulations for protecting EU consumers.
So far, most complaints have been related to telemarketing, promotional emails and video surveillance by closed-circuit televisions. https://www.dailysabah.com/technology/2019/01/26/over-95000-data-breach-complaints-since-eu-rules-kicked-in
What We’re Listening To:
Know Tech Talks
The Continuum Podcast
Security Now
Defensive Security Podcast
Small Business, Big Marketing – Australia’s #1 Marketing Show!
TubbTalk – The Podcast for IT Consultants
Risky Business
Frankly MSP
CHANNELe2e
A note for your customers:
How cybersecurity misconceptions are leaving customers vulnerable
According to a recent survey among 2,034 US consumers, public misconceptions are making customers more vulnerable to breach. Almost 90% believe that cybersecurity risks are increasing, with 41% who know someone that has been a victim and 25% being personally impacted.
However, just over half are taking critical measures such as using two-factor authentication or changing their settings across browsers, social media, or email. Additionally, most have not recognized the vulnerabilities involved in smart home devices or mobile device security.
There is also a lack of alignment in terms of which breaches are the most common and severe, with 97.4% being aware of viruses, even though phishing and identity theft are the first and second most damaging threats to consumers. In order to prepare for future breaches to come, consumers must educate themselves on the new landscape of cybersecurity and take recommended actions to protect themselves.
Are you an ID Agent Partner? Feel free to re-use this blog post (in part or in entirety) for your own social media and marketing efforts! Just send an email to [email protected] to let us know!
Not a Partner? Learn more about Dark Web ID™ and the benefits it holds for your Business. Contact us today!