The cyber security story for May 2019 is much the same as it was last month, with one mammoth breach raising the monthly total.
The offender this time is the First American Financial Corp., which breached sixteen years’ worth of insurance data. That incident accounted for more than 60% of all of May’s breached records.
In total, at least 1,389,463,242 records were compromised. That brings the annual running total to 7.28 billion and reduces the monthly average to 1.44 billion.
Cyber attacks
- US energy companies report denial of service conditions (unknown)
- Telangana power supplier website hit by a cyber attack (unknown)
- Rivalry between Bay Area lunch companies ends in a cyber attack (200+)
- Hackers steal card data from 201 online campus stores in US and Canada (unknown)
- Austrian construction group hit by cyber attack (unknown)
- Airbnb customers say their accounts have been hacked (unknown)
- Binance breached as hackers steal £38 million in bitcoin (unknown)
- Michigan-based health clinic says an employee’s account was compromised (1,000)
- Student at NY-based school arrested, charged with hacking former superintendent’s account (unknown)
- NY-based Episcopal Health Service notifies patients of data breach (unknown)
- US Virgin Islands-based FirstBank cancelling debit cards amid fears that accounts have been compromised (50)
- Affiliate of NBA’s Indiana Pacers says it has fallen victim to a phishing scam (unknown)
- Oregon Health Authority sends speedy notification after phishing attack (unknown)
- Paterson, NJ, public schools hit by cyber attack (23,103)
- Equitas Health says two employees’ email accounts were compromised (569)
- Hackers breach Uniqlo’s online store, access customers’ details (460,000)
- Singapore Red Cross’s website hacked, blood donors’ details compromised (4,000)
- Cancer Treatment Centers of America notifies patients of phishing attack (unknown)
- Salesforce customers faced 15-hour delay as org investigates security incident (unknown)
- Stack Overflow says cyber attack compromised customers’ data (unknown)
- Oregon Construction Contractors Board confirms data breach (8,013)
- More than 12,000 MongoDB databases deleted by Unistellar attackers (unknown)
- Database containing Instagram influencers’ contact details found online (49 million)
- Sunderland City Council launches investigation after library users’ personal data hacked (45)
- Third-party mailbox used by Computacenter employees hit by phishing scam (unknown)
- Graphic design firm Canva hit by massive data breach (139 million)
- Hackers break into database of Dutch letting agent and steal identity card scans (200+)
- Tampa-based Checkers Drive-In Restaurants notifies guests about malware attack (unknown)
Ransomware
- Hackers breach the Philippines United Student Financial System for Tertiary Education (unknown)
- A hacker is wiping Git repositories and asking for a ransom (unknown)
- New York newspaper firm faces another Ryuk attack (unknown)
- Connecticut school district thwarts ransomware attack (unknown)
- American Baptist Homes of the Midwest hit by ransomware (unknown)
- Kentucky library closes due to ransomware attack (unknown)
- City of Baltimore hit by second ransomware attack in a year (unknown)
- Illinois-based Augustana College reports ransomware attack (unknown)
- Southeastern Council on Alcoholism and Drug Dependence notifies patients of ransomware attack (25,148)
- Oklahoma City Public Schools confirm that they have been hit by ransomware (unknown)
- Louisville Regional Airport Authority hit by ransomware (unknown)
Data breaches
- Popular US recruitment site Ladders exposes users’ data in security lapse (13.7 million)
- Seattle University laptop containing Social Security numbers lost (2,000)
- UK government commits email privacy blunder (300)
- Vulnerability in Tommy Hilfiger Japan database exposes customers’ data (1 million)
- Louisiana’s Madison Parish Hospital notifies patients of a security incident (1,436)
- Hong Kong government dental clinic loses patients’ personal data (383)
- Man finds medical records from Cork University Hospital on city street (unknown)
- Cork University Hospital accuses man who found medical record on city street of data breach (unknown)
- Children’s personal data found at dump in Yellowknife, Canada (191)
- Virginia hospital loses patient’s personal data… twice (1)
- Data leak at Canada’s fourth phone network exposed customer data (5 million)
- Database containing Indian personal records exposed and hijacked (275,265,298)
- School exam vendor exposes students’ personal data (525,000)
- Data breach at CT-based Greenwich school poses ‘clear and present danger’ (unknown)
- DVLA sends motorists’ sensitive data to the wrong address (2,000)
- Almost everyone in Panama has had their personal data exposed (3,427,396)
- Oklahoma Dept of Securities notifies those affected by 2018 data breach (2 million+)
- Data breach exposes passport info of Russian officials and citizens (360,000)
- Burger King online store for children exposes customers’ info (37,900)
- Unsecured survey database exposes respondents’ personal details (8 million)
- TeamViewer confirms undisclosed data breach from 2016 (unknown)
- Redtail CRM data breach might have exposed client info (unknown)
Financial information
- Ongoing attack stealing credit cards from more than 100 shopping sites (unknown)
- Houston-based hospital employee used patients’ financial records to pay his rent (unknown)
- Condé Nast notifies Wired subscribers of data breach affecting payment details (1,100)
- Freedom Mobile users’ personal data found on unsecured database (1.5 million)
- Employees at Indian financial company arrested after selling credit card details of police and army officers (50,000)
- The Shubert Organization, owner of 17 Broadway theatres, suffers data breach (unknown)
- First American Financial Corp. leaked sixteen years’ worth of title insurance records (885 million)
Malicious insiders and miscellaneous incidents
- Dell laptops and computers vulnerable to remote hijacks (unknown)
- American Indian Health & Services reports email misuse (unknown)
- TX-based UMC says two employees mishandled patient data (unknown)
- NY-based Independent Health emailed health information to the wrong addresses (7,600)
- A Leicestershire council says it accidentally published residents’ personal details online (134)
- Indonesian banks sold customers’ personal data to credit card salespeople (unknown)
- Canadian government employees gain unauthorised access to info of Brampton residents (13,000)
- Employees at India’s Speciality Polyfilm arrested for stealing sensitive information (unknown)
- Laptop containing children’s health data stolen from Canadian medical centre (225)
- Cincinnati-based TriHealth accidentally sent personal data to a student mentee (2,000)
In other news…
- Tesla tells employees to stop leaking sensitive data (unknown)
- Scottish National Party faces fine after mailing list error (20,000+)
- Florida teens hack school system to email students about ‘mandatory penis inspection’ (unknown)
- Top-tier Russian hacking collective claims breaches of three major anti-virus companies (unknown)
- WhatsApp users urged to update app after serious security vulnerability discovered (unknown)
- Linksys routers are leaking customers’ personal details (25,000)
- Researcher discovers vulnerability in travel distribution company Amadeus (unknown)
Source: IT Governance
Source: 5G exposed
Amazon.com Inc. is developing a voice-activated wearable device that can recognize human emotions.
The wrist-worn gadget is described as a health and wellness product in internal documents reviewed by Bloomberg. It’s a collaboration between Lab126, the hardware development group behind Amazon’s Fire phone and Echo smart speaker, and the Alexa voice software team.
Designed to work with a smartphone app, the device has microphones paired with software that can discern the wearer’s emotional state from the sound of his or her voice, according to the documents and a person familiar with the program. Eventually the technology could be able to advise the wearer how to interact more effectively with others, the documents show.
It’s unclear how far along the project is, or if it will ever become a commercial device. Amazon gives teams wide latitude to experiment with products, some of which will never come to market. Work on the project, code-named Dylan, was ongoing recently, according to the documents and the person, who requested anonymity to discuss an internal matter. A beta testing program is underway, this person said, though it’s unclear whether the trial includes prototype hardware, the emotion-detecting software or both. Amazon declined to comment.
The notion of building machines that can understand human emotions has long been a staple of science fiction, from stories by Isaac Asimov to Star Trek’s android Data. Amid advances in machine learning and voice and image recognition, the concept has recently marched toward reality. Companies including Microsoft Corp., Alphabet Inc.’s Google and IBM Corp., among a host of other firms, are developing technologies designed to derive emotional states from images, audio data and other inputs. Amazon has discussed publicly its desire to build a more lifelike voice assistant.
The technology could help the company gain insights for potential health products or be used to better target advertising or product recommendations. The concept is likely to add fuel to the debate about the amount and type of personal data scooped up by technology giants, which already collect reams of information about their customers. Earlier this year, Bloomberg reported that Amazon has a team listening to and annotating audio clips captured by the company’s Echo line of voice-activated speakers.
A U.S. patent filed in 2017 describes a system in which voice software uses analysis of vocal patterns to determine how a user is feeling, discerning among “joy, anger, sorrow, sadness, fear, disgust, boredom, stress, or other emotional states.” The patent, made public last year, suggests Amazon could use knowledge of a user’s emotions to recommend products or otherwise tailor responses.
A diagram in the patent filing says the technology can detect an abnormal emotional condition and shows a sniffling woman telling Alexa she’s hungry. The digital assistant, picking up that she has a cold, asks the woman if she would like a recipe for chicken soup.
A second patent awarded to Amazon mentions a system that uses techniques to distinguish the wearer’s speech from background noises. Amazon documents reviewed by Bloomberg say the wearable device will take advantage of such technology.
Amazon’s work on a wearable device underscores its ambitions of becoming a leading maker of both cutting-edge speech recognition software and consumer electronics. The Echo smart speaker line and embedded Alexa voice software have popularized the use of voice commands in the home. The company has also added voice control to Fire-branded video streaming devices for television, as well as tablets.
But Amazon’s efforts to create smartphone software to rival Apple Inc. or Google have failed. So the company is trying to make Alexa ubiquitous in other ways. Bloomberg reported earlier this year that Amazon was developing wireless earbuds, similar to Apple AirPods, that are expected to include the Alexa voice software. The company has begun distributing Echo Auto, a dashboard-mounted speaker and microphone array designed to pair with a smartphone, and says it received 1 million pre-orders.
Amazon has also been working on a domestic robot, Bloomberg reported last year. Codenamed “Vesta,” after the Roman goddess of the hearth, home and family, the bot could be a kind of mobile Alexa, according to people familiar with the project. Prototypes of the robot can navigate through homes like a self-driving car.
Source: Bloomberg
New York (CNN Business) Binance, a major cryptocurrency exchange, says hackers stole more than $40 million worth of bitcoin from its customers.
The Taiwan-based company, one of the world’s largest crypto exchanges, announced that it discovered a “large scale security breach” Tuesday. It said hackers stole 7,000 bitcoins in one transaction. One bitcoin trades at nearly $6,000.
Facebook makes a U-turn on Blockchain and cryptocurrency ads, CNBC reports. Hence, more crypto-oriented companies will be able to promote their products on the biggest social media network.
No need for pre-approval
As reported by U.Today, Facebook relaxed its crypto ad ban back in June, but ICOs were still barred from the website. Despite this announcement, the social media giant continued to blackball the majority of crypto-related ads. The thing is, Facebook only readmitted the companies that already got the green light before the ban, but the majority of new submissions have been rejected (mostly for some obscure reasons).
Now, a wide range of crypto-related ads does not need to be pre-approved at all. It appears that only those ads that are promoting ICOs and other crypto projects will be vetted as usual by Facebook.
“While we will still require people to apply to run ads promoting cryptocurrency, starting today, we will narrow this policy to no longer require pre-approval for ads related to blockchain technology, industry news, education or events related to cryptocurrency,” the blog post read.
Back in October, Google also reversed its crypto ban for regulatory compliant exchanges after banning crypto ads along with a slew of other tech companies, such as LinkedIn and Snapchat.
Facebook’s crypto bet
Facebook had no choice but to loosen its grip on crypto since it’s prepping to issue its own cryptocurrency that is supposed to become a major disruptor in the industry. Facebook’s foray into crypto is allegedly the reason why major institutions are becoming enthusiastic about digital assets.
Source: U Today
We would’ve been talking about an extraordinarily low number of breached records this month if it hadn’t been for a string of incidents in India, another Facebook gaffe and a massive blunder in China, in which a series of companies exposed almost 600 million citizens’ CVs.
Still, April 2019 saw a not completely disastrous 1,334,488,724 breached records. That’s better than last month, bringing the annual total to 5.64 billion and reducing the monthly average to 1.46 billion.
Here’s the list in full:
Cyber attacks
- Criminal accesses personal data of faculty staff and students at Georgia Tech (1.3 million)
- Bangladesh Oil, Gas and Mineral Corporation’s website hacked hours after recovering from previous attack (unknown)
- Australian Signals Directorate confirms data was stolen in parliament IT breach (unknown)
- Massachusetts hospital caught in phishing scam (12,000)
- Hacker breached Minnesota state agency email (11,000)
- South Carolina’s Palmetto Health discloses phishing attack dating back to 2018 (23,811)
- Phishing scam exposes personal data at Florida’s Clearway Pain Solutions Institute (35,000)
- Customer data stolen as website of Japanese luxury railway hit by cyber attack (8,000)
- Dakota County, MN, discloses breach after an employee’s email is hacked (1,000)
- Blue Cross of Idaho notifies members of privacy breach after thwarting financial fraud (5,600)
- Texas’s Questcare Medical Services investigating business email compromise attack (unknown)
- Ontario’s Stratford City Hall recovers from cyber attack (unknown)
- IT outsourcing and consulting giant Wipro hacked (unknown)
- Texas-based Metrocare Services discloses second breach in five months (5,290)
- California-based Centrelake Medical Group notifies patients of security incident (unknown)
- North Carolina’s Klaussner Furniture Industries notifies employees of security incident (9,352)
- Customers at US fast food retailer Chipotle say their accounts have been hacked (unknown)
- Minnesota’s Riverplace Counseling Center notifies patients after malware infection (11,639)
- Hacktivists attack UK police sites to protest arrest of Julian Assange (unknown)
- Texas-based EmCare says patient and employee data has been hacked (60,000)
- Idaho-based bodybuilding.com discloses employee-related data breach (unknown)
- Illinois dental insurer notifies members after phishing attack (unknown)
- Attackers breached Docker Hub, grabbed keys and tokens (190,000)
- Atlanta’s Woodruff Arts Center shuts down network amid security breach (unknown)
- University of Alaska discloses data breach that occurred more than a year ago (unknown)
- Magecart hackers steal data from Atlanta Hawks’ online shop (unknown)
Ransomware
- Genesee County, MI, government suffers ‘aggressive’ ransomware attack (unknown)
- Ransomware attack affects Women’s Health Care Group of PA (300,000)
- Greenville, NC, government’s systems knocked out by ransomware (unknown)
- Ransomware attack hits Garfield County, UT (unknown)
- Augusta, ME, hit by ransomware, forcing City Center to close (unknown)
- New Jersey-based paediatric orthopaedic surgeon hit by ransomware (unknown)
- Ransomware at Florida’s Stuart City Hall “more than likely” caused by phishing (unknown)
- Massachusetts-based medical billing services notifies patients of ransomware attack (unknown)
- Idaho’s Sugar-Salem School District 322 hit by ransomware during ISAT testing (unknown)
- Ransomware disables Cleveland airport’s email systems, information screens (unknown)
Data breaches
- Indian government leaves healthcare database exposed on web (12.5 million)
- West Yorkshire council data leak leaves couple who adopted abused children living in fear (2)
- History repeats itself as Facebook third-party apps expose users’ personal data (540 million)
- Canadian pension firm loses microfiche containing personal data (unknown)
- Crook swipes Winnipeg Regional Health Authority employee’s bag; patients’ records taken (75)
- VoterVoice exposes database containing ‘treasure trove’ of personal data (300,000)
- Ohio government accidentally leaks information of those seeking job, family services and health aid (993)
- Chinese companies responsible for massive data breach of CVs (590 million)
- Texas’s Weslaco Regional Rehabilitation Hospital discloses data breach (unknown)
- Russian hospital dumps medical waste, sensitive data in landfill site (unknown)
- UK’s Home Office sorry for EU citizen data breach (240)
- Pennsylvania’s Community College of Allegheny County discloses data breach (unknown)
- Patients at Toledo, OH, rehab hospital subject to data breach (unknown)
- Washington state-based RS Medical discloses incident that may have compromised patient information (unknown)
- Athens, OH, rehabilitation centre notifies patients after unauthorised access to network (20,485)
- Sensitive data found on hard disks may be India’s largest ever data breach (78 million)
- California-based LD Evans says it has only just learned about 2018’s Citrix vulnerability (631)
- India’s JustDial service is breaching users’ personal data in real time (100 million)
- Drug addicts’ personal data found in rehab centres’ unexposed databases (4.91 million)
- Researcher uncovers exposed personal data from Iranian ride-hailing app (6,772,269)
- Pennsylvania-based Partners for Quality discloses data breach (3,673)
- US health provider Inmediata discovers patients’ information was exposed on the web (unknown)
- ‘Horrendous’ privacy breach at Australia’s Centrelink sees clients’ names published on Facebook (unknown)
- Personal data of employees at Lauderdale County, MS, emailed to colleagues(100)
- US consumer commission warns of data breach affecting safety information (unknown)
Financial information
- Almost $500,000 swiped in Tallahassee, FL, payroll hack (unknown)
- AeroGrow says hackers stole months of credit card data (unknown)
- Florida-based United Way of the Big Bend says tax payers’ info was stolen (64)
- KPMG faces fine of up to $1.6 million after leaking payroll data (41)
Malicious insiders and miscellaneous incidents
- Former IT aide to New Hampshire senator caught keylogging (unknown)
- Employee at Cleveland’s University Hospital accidentally shared patients’ health info (840)
- University of Toledo counsellor fired after allegedly disclosing a student’s PTSD (1)
- Maine’s Acadia Hospital mistakenly releases confidential information of Suboxone patients (300)
- Employee at California’s St. Boniface Hospital “inappropriately” viewed patient records (38)
In other news…
- USB stick containing sensitive data (and the movie Gone Girl) discovered during manslaughter trial (6,385)
- Barking resident jailed for blackmailing porn watchers (unknown)
- Source code of Iranian cyber-espionage tools leaked on Telegram (unknown)
- Supply chain hackers snuck malware into video games (unknown)
Source: IT Governance