Thanks to a whopping data breach from an unknown server exposing 419 million data records, our monthly total comes to 531,596,111 breached records.
This brings the total amount of breached records for the year so far to 10,331,579,614.
September may have had fewer incidents than August at only 75, but overall there was a massive 363% increase in records breached.
- University of Ghana accommodation registration portal hacked (unknown)
- Cincinnati-based UC Health says multiple accounts compromised in phishing scam (unknown)
- Students in Thailand accused of stealing, selling food discount codes (unknown)
- Hong Kong Stock Exchange says its website was hacked (unknown)
- Oklahoma Highway Patrol reports $4.1 million theft from pension fund (unknown)
- xkcd forum taken offline after personal data leak (562,000)
- US Secret Service investigating after its systems found for sale on the dark web (unknown)
- Students at Marquette University, WI, receive unusual scam email (unknown)
- Malaysia’s Malindo Air confirms that passengers’ data was posted on online forums (30,000,000)
- Hacker destroys Hungarian Development Center’s digital database (unknown)
- Staff and students at Swindon College at risk after cyber attack (unknown)
- Ramsey County, MN, says last year’s email attack was much worse than they thought (118,000)
- Health Ministry of Malaysia investigating data leak of radiology reports (19,992)
- Hacker accesses email account of employee at New Mexico’s Presbyterian Health Plan (56,226)
- Northshore School District hit by cyber attack (unknown)
- Southwestern Ontario hospitals hit by cyber attack (unknown)
- Police investigate after ransomware found on Sherman School, CT, systems (unknown)
- Flagstaff, AZ, school district hit by ransomware (unknown)
- Thousands of Linux servers infected with new Lilocked ransomware (unknown)
- Utah-based Premier Family Medical notifies patients of ransomware attack (320,000)
- Illinois’ Rockford Public Schools District 205 shut down by ransomware (26,980)
- Pennsylvania’s Souderton Area School District hit with ransomware (unknown)
- Florida school district shuts down email systems amid ransomware attack (unknown)
- Baltimore acknowledges for first time that data was destroyed in ransomware attack (unknown)
- Irish government admits ransomware attack occurred last year (unknown)
- Pennsylvania’s Wallenpaupack Area School District hit by ransomware for second time this year (2,966)
- Gillette hospital targeted in ransomware attack (unknown)
- Government of LaPorte County Indiana suffered ransomware attack (unknown)
- Alabama Mobile County Public Schools impacted by ransomware (unknown)
- Peoples Injury Network Northwest notifies patients of ransomware incident (12,502)
- Guthrie Public Schools hit by ransomware attack (unknown)
- Providence Health Plan customers affected by data breach (122,000)
- Australia’s Attorney-General accidentally shared senior officials’ contact info (+100)
- French cosmetics giant Yves Rocher left customer info on database (2,500,000)
- Thousands of Supermicro servers are exposing BMC ports (unknown)
- Teletext Holidays left audio files of customer purchases unprotected online (212,000)
- Phone numbers linked to Facebook users found online (419,000,000)
- DK-Lok left private emails and communications unsecured online (unknown)
- California-based Andy Frain Services says laptop was stolen from an employee’s car (unknown)
- com says a third party exposed user data but didn’t tell anyone (unknown)
- Minnesota-based Metro Mobility may have breached personal details of people with disabilities (15,000)
- Major security flaw found in website of online furniture store Pepperfry (unknown)
- Charing Cross Gender Identity Clinic accidentally shared patient data in CC email gaffe (1,800)
- Mississippi-based Meridian Community College discloses breach that occurred in January (unknown)
- Breach notification from Alive Hospital, TN, was itself a data breach (unknown)
- Facial recognition app leaks photos of suspects from Indian police database (unknown)
- New Zealand Transport Authority admits to tech error that exposed sensitive data (unknown)
- Boy Scouts’ personal data breached by third party (unknown)
- Researcher discovers that Vancouver Coastal Health broadcasts medical info over unencrypted radio signals (unknown)
- Netanyahu’s party exposed personal details, political affiliations of Israeli voters (4,000,000)
- Australian ticketing start-up Get investigating data leak (159,000)
- UNICEF accidentally leaked personal data of online students (8,000)
- Robstown, TX, Police Department loses evidence, reports in data breach (unknown)
- Population of Ecuador at risk after misconfigured database left unprotected online (16,600,000)
- Personal data of Lumin PDF users shared on hacking forum (24,300,000)
- Gootkit malware crew left their database online without password protection (2,385,472)
- UpGuard secures a storage device containing 1.7 TB of sensitive information (unknown)
- Tesco parking app taken offline after exposing car registration number plates (>20,000,000)
- Indiana Doctor’s clinic had thousands of abandoned medical records (unknown)
- Unshredded NHS records used to weigh down scaffolding at art festival (unknown)
- Polish online retailer issued fine over data breach (2,200,000)
- Vodafone customer account details ‘briefly exposed’ (3)
- Heyyo dating app leaked users’ personal data (72,000)
- DoorDash confirms breach impacting 4.9 million (4,900,000)
- Credit card data from Russell Stover breach shows up on the dark web (unknown)
- LA-based surgical assistant suspected of identity theft scheme at SoCal hospitals (unknown)
- Russian Hacker Pleads Guilty For Involvement In Massive Network Intrusions At U.S. Financial Institutions (unknown)
Malicious insiders and miscellaneous incidents
- Two men accused of harassing NJ police officers by posting hacked info online (50)
- Dutch hospital used medical files as a shopping list, left info in supermarket (unknown)
- Little Rock Plastic Surgery releases statement after internal HIPAA breach (unknown)
- Someone stole the autopsy photos of several patients from Chicago’s Loyola University Medical Center (10)
- People’s Party of Canada candidate accused of stealing voter’s personal data (unknown)
- Computers used to check in Atlanta voters stolen hours before election (4,000,000)
- Crook steals hard disks, RAM from INS Vikrant, India’s first aircraft carrier (unknown)
- Wigan Hospital employee viewed personal information without legitimate reason (2,000)
- Melbourne medical clinic faxes sensitive data to wrong number (10)
In other news…
- Researchers find malware hiding in downloadable student textbooks and essays
- New York’s Orange County school district the latest to delay new term as it recovers from ransomware
- Former student convicted in dark web threats targeting San Francisco school
- Virus Cripples Most City-Owned Computers In Union City
- US Navy hiring new cyber chief to better shield military secrets from Chinese hackers
Source: IT Governance
At first glance, August has been a quiet month for data breaches, with a total of 114,686,290 breached records. That’s about 10 percent of the monthly average coming into the month.
But that figure comes from 95 incidents in total, which is the highest number of breaches we’ve had all year.
Let’s take a look at those breaches in full in our slightly tweaked monthly list. After a reader suggestion last month, we’re also listing the UK-specific incidents in bold. Let us know if you like that change or if you have any other suggestions for future months.
- New Orleans school becomes latest cyber attack victim in Louisiana ‘crisis’ (unknown)
- StockX admits that it was hacked after initially denying rumours (6.8 million)
- Murfreesboro, TX, says its water department payment portal was ‘hacked by Iranian hackers’ (unknown)
- Hackers access personal details of DeKalb, Georgia, students after exploiting web platform vulnerability (unknown)
- Custom t-shirt and merch company CafePress says users’ accounts have been hacked (23 million)
- California-based SuperINN Plus notifies clients of a cyber attack (43,000)
- Australian education provider TAFE NSW hit by phishing scam (30)
- Air New Zealand warns Airpoints members after employee falls for phishing email (100,000)
- Multiple sites affiliated with the University of Florida student government hacked (unknown)
- British Airways e-ticketing flaw exposes passengers’ personal data (unknown)
- Hackers compromise guest record database at Choice Hotel (700,000)
- Florida’s NCH Healthcare System is investigating the damage of phishing scam (unknown)
- European Central Bank says one of its websites was hacked (481)
- Iowa-based Virginia Gay Hospital says an employee’s email account was breached (unknown)
- Michigan Medicine notifies patients about phishing campaign that exposed health info (5,500)
- California’s San Dieguito Union High School notifies parents of malware attack (unknown)
- Cyber attack forces websites of four New Zealand medical practices offline (unknown)
- Hackers steal personal data from website of Denmark’s Tivoli Park (1,000)
- Website of Illinois’ Macon County Circuit Clerk defaced by hackers (unknown)
- A phishing campaign has been using infected PDF attachments to target utility providers (unknown)
- Website and email domain of California’s Sonoma Valley Hospital hijacked by ‘pirates’ (unknown)
- Canada’s Alberta Health Services says patients’ health data was compromised in email hack (7,000)
- Chinese hackers stole personal data from Indian healthcare website (6.8 million)
- Internet hosting provider Hostinger resets users’ passwords after security breach (14 million)
- India: Desktop engineer detained after allegedly stealing data from the Revenue Dept. (unknown)
- Emails stolen after employee at NZ’s Capital & Coast District Health Board struck by phishing scam (unknown)
- French police ‘neutralize’ Monero mining virus as it spreads worldwide (850,000)
- Ransomware strain targets German organisations, wipes files (unknown)
- Oklahoma-based Broken Arrow school system hit by ransomware (unknown)
- Nashville, TN, company Asurion paid $300k ransom after malware attack (unknown)
- Arizona’s Camp Verde Unified School District hit by ransomware as school year starts (unknown)
- Missouri-based radio station KNEO hit by ransomware (unknown)
- Washington-based Grays Harbor Community Hospital and its subsidiary attacked with ransomware (85,000)
- A coordinated ransomware attack hits at least 20 local governments in Texas (unknown)
- California’s Hospice of San Joaquin discloses ransomware attack (unknown)
- New York’s Rockville Centre school district almost $100,000 after ransomware attack (unknown)
- Lake County, IN, in emergency shutdown after ransomware infection (3,000)
- Idaho’s Nampa School District resorts to pen and paper after suspected ransomware attack (unknown)
- Virginia’s New Kent Co. Public Schools hit by ransomware ahead of new term (unknown)
- Ransomware attack targets Connecticut’s Wolcott Public Schools (unknown)
- Hentai porn site exposes the identity of users who thought they were anonymous (1.1 million)
- Virginia school says a third party breached student and administrator data (unknown)
- A misconfigured AWS bucket exposed personal and counselling logs of Indian employees (300,000)
- Illinois school district has discovered a data breach that occurred in November last year (unknown)
- Online clothing retailer Poshmark confirms data breach (unknown)
- Data leak exposes personal data of Chilean residents (14 million)
- E3 website accidentally doxed contact information of journalists (2,000)
- Greenville County, SC, students and alumni affected by data breach (24,000)
- New Mexico-based Presbyterian Healthcare Services notifies patients of data breach (183,000)
- California-based Amarin Pharma identifies patients affected by June data breach (unknown)
- Australia-based Neoclinical breaches patients’ medical histories and other private info (37,000)
- Group dating app 3fun exposes sensitive data amid app vulnerability (1.5 million)
- Maplewood, NJ, provides media notification of malware attack (unknown)
- Riverside County, CA, says data concerning abuse cases stolen from employee’s car (770)
- Finnish tax authority sent citizens’ info to the wrong people (60,000)
- Two more leaks expose Indian citizens’ personal and medical information (+1.1 million)
- FDNY exposes patients’ personal details after losing a hard drive (10,000)
- Tiverton residents furious after confidential medical records dumped in a shed (+24)
- University of Hong Kong ‘sorry’ after laptop containing personal data stolen (3,600)
- Washington-based non-profit LEE has left unprotected database online (3.7 million)
- Northern Nevada’s largest healthcare provider is still looking for missing thumb drive (unknown)
- ‘Chinese Tinder’ has been exposing chats and private photos (10 million)
- Hacker’s site incriminating database published online by rival group (749,161)
- North Dakota students and alumni told their data has been leaked (18,500)
- Indian Army detects cyber security breach in Northern Command officer’s computer (unknown)
- Charleston County, SC, reports breach after employee’s email gaffe (824)
- Researcher identified unsecured databases containing pharmacy and telemarketing information (3 million)
- Major breach found in biometric system used by banks, UK police and defence firms (1 million)
- Australia’s Public Transport Victoria exposed travel history of myki card holders (15,184,336)
- Cincinnati Public Schools inadvertently sent busing information to wrong students (7,000)
- Western Connecticut Health Network says box containing medical records broke open in the post (unknown)
- Arizona State University accidentally reveals email addresses of students (4,000)
- Mastercard reports data breach affecting German loyalty programme (93,000)
- Privacy breach at Massachusetts General Hospital’s neurology department (9,900)
- Hackers leaked sensitive government data in Argentina, but ‘nobody cares’ (unknown)
- New Zealand’s Ministry for Culture investigating serious privacy breach (302)
- Malaysia-based Astro has breached customer data yet again (68,000)
- Imperva discloses security incident impacting Cloud firewall users (unknown)
- NASA astronaut accused of identity theft in first criminal allegation from space (1)
- Digital bank Monzo tells British customers to change their PINS after security error (480,000)
- Silicon Valley tech company Earnin hit by breach that revealed lax security measures (unknown)
- US supermarket chain Hy-Vee announces payment card breach (unknown)
- Australian banks warn customers after fresh PayID data breach (unknown)
- Delaware-based mortgage broker Lyons Companies involved in serious breach (unknown)
- Hackers breach Australians’ bank accounts, steal financial and personal data (98,000)
Malicious insiders and miscellaneous incidents
- Canadian patients horrified after hospital leaves medical records in a plastic bag outside clinic (unknown)
- Ikea apologises to Singapore customers after email gaffe (410)
- AT&T insiders bribed to unlock millions of phones and hack their employer (2 million)
- Two arrested amid Revenu Quebec data leak (23,00)
- Australian police commissioner admits officers inappropriately accessed private medical records (1)
- Employee at Canada’s Child and Family Services caught snooping on patient data (unknown)
- Canada Border Services Agency employee caught leaking police info to family (unknown)
- New Zealand-based medical centre receptionist sacked after sharing patient history (unknown)
In other news…
- Houston County delays start of school year again as it struggles with malware attack
- Student spear phished his teachers and adjusted his class’s grades
- Garda lost sensitive information after it fell off the back of a motorbike as it hit a speed bump
- Australians warned about glitch in education software that allows strangers to contact students
- Police recover $347k stolen during Spotsylvania County phishing scam
Source: IT Governance
Capital One Financial Corp. announced late Monday that more than 100 million people had their personal information hacked.
The hacker got information including credit scores and balances, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers, the bank said. It will offer free credit-monitoring services to those affected. The hack affected about 100 million people in the U.S. and 6 million in Canada.
The hacker also stole the names, addresses, phone numbers, dates of birth, credit scores and other financial data, Capital One said. The company couldn’t say for sure whether the leaked data was used for fraud. It first heard about the hack on July 19, but waited until July 29 to inform customers; over that time, it sought help from law enforcement to catch the alleged perpetrator.
Two years after Equifax revealed that hackers accessed the personal information of up to 147 million people, the credit bureau recently announced a settlement for up to $700 million, including $425 million in relief for those who have been affected, although there are some key requirements people should be aware of before they file a claim.
Last year, Facebook announced that U.K.-based Cambridge Analytica improperly accessed 87 million Facebook users’ data. Facebook Chief Executive Mark Zuckerberg testified before Congress and vowed to do more to fix the problem, and help make sure that nothing like that happens again. Cambridge Analytica closed down in the wake of the scandal. Earlier this month, the Federal Trade Commission fined Facebook $5 billion.
WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and Apple iPhones. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” it said at the time.
More than 57 million customers of Uber had their data exposed by a massive hack in October 2016. Uber fired its chief security officer, Joe Sullivan, and one of his deputies for concealing the hack, which included the email addresses of 50 million Uber riders around the world. The revelation was made a year after the attack. It also affected 7 million drivers.
Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address. Consumers need to be careful whenever they are contacted by an unsolicited caller. Hang up and call the number on your card. “Phishing” scams — calls, emails or text messages that appear to offer protection — are actually trying to get more data from customers.
Security experts generally recommend never re-using security passwords and say people should use two-factor authentication on their phones, which requires a user to put a code sent to a phone or email into an app or website in order to log in from a new device or to change a password. They also say those affected by such hacks should freeze their credit report.
Don’t be pawned off by an offer of credit monitoring. Credit monitoring only looks for changes on a credit report, indicating that someone is using your personal information to open new accounts in your name. Here’s the bad news: Such security precautions would not help people protect against a data breach like the one Capital One announced Monday evening. Exposure of data that can’t be changed, such as Social Security numbers, is the hallmark of particularly severe data breaches.
Here’s what else you should do now:
1. Check if your accounts have been affected
There still aren’t many formal ways to check if your data has been compromised in a breach. Often, the company will alert affected customers, but they aren’t required to. Some states, like California, have laws requiring companies to disclose data breaches that affect a certain number of customers, and the Federal Trade Commission has discussed proposing similar regulations. Consumers can also monitor their credit report to shut down fraudulent activity as quickly as possible.
2. Know the difference between a credit freeze and a lock
A freeze means that a consumer cannot take out a new loan or credit card without “unfreezing” the report first, but it also prevents a hacker from taking out a loan in your name. Credit agencies also offer a service called credit “locking,” which offers the same protections as a freeze but typically costs a monthly fee. Contact Equifax, Experian and TransUnion to request a freeze.
3. Sign up for additional fraud protection
Those affected should sign up for services that go beyond typical credit freezing and alert services, such as Lifelock, EZ Shield and Identity Guard. The most basic version of Lifelock costs $9.99 per month and provides benefits including address change verification, help canceling or replacing lost credit cards, driver’s licenses, Social Security cards and insurance cards, plus a “restoration team” that helps correct any identity-theft issues and black-market website surveillance.
4. Know the difference between a hack and a breach
A breach is when data is unintentionally left unsecured and vulnerable to hacking, as a result of malicious activity or from negligence. A hack specifically refers to the activities of cyber attackers who purposely compromise IT infrastructure to steal information or to hold systems ransom; that’s what happened with Capital One. If your data was part of a breach, it’s possible it was just left exposed online and was not stolen.
Source: Market Watch
The cyber security story for May 2019 is much the same as it was last month, with one mammoth breach raising the monthly total.
The offender this time is the First American Financial Corp., which breached sixteen years’ worth of insurance data. That incident accounted for more than 60% of all of May’s breached records.
In total, at least 1,389,463,242 records were compromised. That brings the annual running total to 7.28 billion and reduces the monthly average to 1.44 billion.
- US energy companies report denial of service conditions (unknown)
- Telangana power supplier website hit by a cyber attack (unknown)
- Rivalry between Bay Area lunch companies ends in a cyber attack (200+)
- Hackers steal card data from 201 online campus stores in US and Canada (unknown)
- Austrian construction group hit by cyber attack (unknown)
- Airbnb customers say their accounts have been hacked (unknown)
- Binance breached as hackers steal £38 million in bitcoin (unknown)
- Michigan-based health clinic says an employee’s account was compromised (1,000)
- Student at NY-based school arrested, charged with hacking former superintendent’s account (unknown)
- NY-based Episcopal Health Service notifies patients of data breach (unknown)
- US Virgin Islands-based FirstBank cancelling debit cards amid fears that accounts have been compromised (50)
- Affiliate of NBA’s Indiana Pacers says it has fallen victim to a phishing scam (unknown)
- Oregon Health Authority sends speedy notification after phishing attack (unknown)
- Paterson, NJ, public schools hit by cyber attack (23,103)
- Equitas Health says two employees’ email accounts were compromised (569)
- Hackers breach Uniqlo’s online store, access customers’ details (460,000)
- Singapore Red Cross’s website hacked, blood donors’ details compromised (4,000)
- Cancer Treatment Centers of America notifies patients of phishing attack (unknown)
- Salesforce customers faced 15-hour delay as org investigates security incident (unknown)
- Stack Overflow says cyber attack compromised customers’ data (unknown)
- Oregon Construction Contractors Board confirms data breach (8,013)
- More than 12,000 MongoDB databases deleted by Unistellar attackers (unknown)
- Database containing Instagram influencers’ contact details found online (49 million)
- Sunderland City Council launches investigation after library users’ personal data hacked (45)
- Third-party mailbox used by Computacenter employees hit by phishing scam (unknown)
- Graphic design firm Canva hit by massive data breach (139 million)
- Hackers break into database of Dutch letting agent and steal identity card scans (200+)
- Tampa-based Checkers Drive-In Restaurants notifies guests about malware attack (unknown)
- Hackers breach the Philippines United Student Financial System for Tertiary Education (unknown)
- A hacker is wiping Git repositories and asking for a ransom (unknown)
- New York newspaper firm faces another Ryuk attack (unknown)
- Connecticut school district thwarts ransomware attack (unknown)
- American Baptist Homes of the Midwest hit by ransomware (unknown)
- Kentucky library closes due to ransomware attack (unknown)
- City of Baltimore hit by second ransomware attack in a year (unknown)
- Illinois-based Augustana College reports ransomware attack (unknown)
- Southeastern Council on Alcoholism and Drug Dependence notifies patients of ransomware attack (25,148)
- Oklahoma City Public Schools confirm that they have been hit by ransomware (unknown)
- Louisville Regional Airport Authority hit by ransomware (unknown)
- Popular US recruitment site Ladders exposes users’ data in security lapse (13.7 million)
- Seattle University laptop containing Social Security numbers lost (2,000)
- UK government commits email privacy blunder (300)
- Vulnerability in Tommy Hilfiger Japan database exposes customers’ data (1 million)
- Louisiana’s Madison Parish Hospital notifies patients of a security incident (1,436)
- Hong Kong government dental clinic loses patients’ personal data (383)
- Man finds medical records from Cork University Hospital on city street (unknown)
- Cork University Hospital accuses man who found medical record on city street of data breach (unknown)
- Children’s personal data found at dump in Yellowknife, Canada (191)
- Virginia hospital loses patient’s personal data… twice (1)
- Data leak at Canada’s fourth phone network exposed customer data (5 million)
- Database containing Indian personal records exposed and hijacked (275,265,298)
- School exam vendor exposes students’ personal data (525,000)
- Data breach at CT-based Greenwich school poses ‘clear and present danger’ (unknown)
- DVLA sends motorists’ sensitive data to the wrong address (2,000)
- Almost everyone in Panama has had their personal data exposed (3,427,396)
- Oklahoma Dept of Securities notifies those affected by 2018 data breach (2 million+)
- Data breach exposes passport info of Russian officials and citizens (360,000)
- Burger King online store for children exposes customers’ info (37,900)
- Unsecured survey database exposes respondents’ personal details (8 million)
- TeamViewer confirms undisclosed data breach from 2016 (unknown)
- Redtail CRM data breach might have exposed client info (unknown)
- Ongoing attack stealing credit cards from more than 100 shopping sites (unknown)
- Houston-based hospital employee used patients’ financial records to pay his rent (unknown)
- Condé Nast notifies Wired subscribers of data breach affecting payment details (1,100)
- Freedom Mobile users’ personal data found on unsecured database (1.5 million)
- Employees at Indian financial company arrested after selling credit card details of police and army officers (50,000)
- The Shubert Organization, owner of 17 Broadway theatres, suffers data breach (unknown)
- First American Financial Corp. leaked sixteen years’ worth of title insurance records (885 million)
Malicious insiders and miscellaneous incidents
- Dell laptops and computers vulnerable to remote hijacks (unknown)
- American Indian Health & Services reports email misuse (unknown)
- TX-based UMC says two employees mishandled patient data (unknown)
- NY-based Independent Health emailed health information to the wrong addresses (7,600)
- A Leicestershire council says it accidentally published residents’ personal details online (134)
- Indonesian banks sold customers’ personal data to credit card salespeople (unknown)
- Canadian government employees gain unauthorised access to info of Brampton residents (13,000)
- Employees at India’s Speciality Polyfilm arrested for stealing sensitive information (unknown)
- Laptop containing children’s health data stolen from Canadian medical centre (225)
- Cincinnati-based TriHealth accidentally sent personal data to a student mentee (2,000)
In other news…
- Tesla tells employees to stop leaking sensitive data (unknown)
- Scottish National Party faces fine after mailing list error (20,000+)
- Florida teens hack school system to email students about ‘mandatory penis inspection’ (unknown)
- Top-tier Russian hacking collective claims breaches of three major anti-virus companies (unknown)
- WhatsApp users urged to update app after serious security vulnerability discovered (unknown)
- Linksys routers are leaking customers’ personal details (25,000)
- Researcher discovers vulnerability in travel distribution company Amadeus (unknown)
Source: IT Governance
New York (CNN Business) Binance, a major cryptocurrency exchange, says hackers stole more than $40 million worth of bitcoin from its customers.
The Taiwan-based company, one of the world’s largest crypto exchanges, announced that it discovered a “large scale security breach” Tuesday. It said hackers stole 7,000 bitcoins in one transaction. One bitcoin trades at nearly $6,000.
“The hackers used a variety of techniques, including phishing, viruses and other attacks,” CEO Changpeng Zhao wrote in the statement. He said the company continues to investigate the breach.
Zhao explained that the hackers waited for the best time to conduct their operation, but he didn’t clarify specifically how the hack went undetected.
“The transaction is structured in a way that passed our existing security checks,” he said. “Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.”
The stolen bitcoin will be reimbursed through Binance’s secure asset fund, an emergency insurance fund available in case of a breach. Binance warned that other accounts could be affected.
Binance also temporarily suspended deposits and withdrawals, but it said bitcoin trading can continue. A security review of the incident will take at least a week.
“We beg for your understanding in this difficult situation,” Zhao wrote.
The hack is coming during a time when bitcoin is hot once again. Bitcoin prices have surged nearly 60% this year after plunging almost 75% in 2018.
Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.
Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss.
We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and to paint a picture of how potentially dire leaving your company unsecured can be.
Data Breaches by the Numbers
The increasing amount of large-scale, well-publicized breaches suggests that not only are the number of security breaches going up — they’re increasing in severity, as well.
- In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)
- In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers. (Uber)
- In 2017, 412 million user accounts were stolen from Friendfinder’s sites. (LeakedSource)
- In 2017, 147.9 million consumers were affected by the Equifax Breach. (Equifax)
- According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
- Thirty-one percent of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
- 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (Malware Tech Blog)
- Attacks involving cryptojacking increased by 8,500 percent in 2017. (Symantec)
- In 2017, 5.4 billion attacks by the WannaCry virus were blocked. (Symantec)
- There are around 24,000 malicious mobile apps blocked every day. (Symantec)
- In 2017, the average number of breached records by country was 24,089. The nation with the most breaches annually was India with over 33k files; the US had 28.5k. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- In 2018, Under Armor reported that its “My Fitness Pal” was hacked, affecting 150 million users. (Under Armor)
- Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches. (ID Theft Resource Center)
Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity part of their regular budget.
- In 2017, cyber crime costs accelerated with organizations spending nearly 23 percent more than 2016 — on average about $11.7 million. (Accenture)
- The average cost of a malware attack on a company is $2.4 million. (Accenture)
- The average cost in time of a malware attack is 50 days. (Accenture)
- From 2016 to 2017 there was a 22.7 percent increase in cybersecurity costs. (Accenture)
- The average global cost of cyber crime increased by over 27 percent in 2017. (Accenture)
- The most expensive component of a cyber attack is information loss, which represents 43 percent of costs. (Accenture)
- Ransomware damage costs exceed $5 billion in 2017, 15 times the cost in 2015. (CSO Online)
- The Equifax breach cost the company over $4 billion in total. (Time Magazine)
- The average cost per lost or stolen records per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190). (Ponemon Institute’s 2017 Cost of Data Breach Study)
- In companies with over 50k compromised records, the average cost of a data breach is $6.3 million. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill, the cost of lost business globally was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)
Cybersecurity Facts and Figures
It’s crucial to have a grasp on the general landscape of metrics surrounding cybersecurity issues, including what the most common types of attacks are and where they come from.
- Ransomware detections have been more dominant in countries with higher numbers of internet-connected populations. The United States ranks highest with 18.2 percent of all ransomware attacks. (Symantec)
- Trojan horse virus Ramnit largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
- Most malicious domains, about 60 percent, are associated with spam campaigns. (Cisco)
- Seventy-four percent of companies have over 1,000 stale sensitive files. (Varonis)
- Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense. (Accenture)
- The financial services industry takes in the highest cost from cyber crime at an average of $18.3m per company surveyed. (Accenture)
- Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco)
- About 20 percent of malicious domains are very new and used around 1 week after they are registered. (Cisco)
- Over 20 percent of cyber attacks in 2017 came from China, 11 percent from the US and 6 percent from the Russian Federation. (Symantec)
- The app categories with most cybersecurity issues are lifestyle apps, which account for 27 percent of malicious apps. Music and audio apps account for 20 percent. (Symantec)
- The information that apps most often leak are phone numbers (63 percent) and device location (37 percent). (Symantec)
- In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber attacks. (Symantec)
- Between 2015 and 2017, the U.S. was the country most affected by targeted cyber attacks with 303 known large-scale attacks. (Symantec)
- In 2017, overall malware variants were up by 88 percent. (Symantec)
- Among the top 10 malware detections were Heur.AdvML.C (rank 1: 23,335,068 detections, 27.5 percent), Heur.AdvML.B (rank 2: 10,408,782 detections, 12.3 percent) and JS.Downloader (rank 3: 2,645,965 detections, 3.1 percent). (Symantec)
- By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion. (Cybersecurity Media)
With new threats emerging every day, the risk of leaving files unsecured is greater than ever, especially for companies.
- 21 percent of all files are not protected in any way. (Varonis)
- 41 percent of companies have over 1,000 sensitive files including credit card numbers and health records left unprotected. (Varonis)
- 70 percent of organizations say that they believe their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- 69 percent of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)
- 7 out of 10 organizations say their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
- 65 percent of companies have over 500 users who are never prompted to change their passwords. (Varonis)
- Ransomware attacks are growing more than 350 percent annually. (Cisco)
- IoT attacks were up 600 percent in 2017. (Symantec)
- The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020. (CSO Online)
- 61 percent of breach victims in 2017 were businesses with under 1,000 employees. (Verizon)
- Ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a ransomware attack every 14 seconds at that time. (Cybersecurity Ventures)
- Variants of mobile malware increased by 54 percent in 2017. (Symantec)
- Today, 1 in 13 web requests leads to malware (up 3 percent from 2016). (Symantec)
- 2017 represented an 80 percent increase in new malware on Mac computers. (Symantec)
- In 2017 there was a 13 percent overall increase in reported system vulnerabilities. (Symantec)
- 2017 brought a 29 percent increase in industrial control system–related vulnerabilities. (Symantec)
- By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion. (Cybersecurity Ventures)
- The United States and the Middle East spend the most on post-data breach response. Costs in the U.S. were $1.56 million and $1.43 million in the Middle East. (Ponemon Institute’s 2017 Cost of Data Breach Study)
There’s no question that the situation with cybercrime is dire. Luckily, by assessing your business’s cybersecurity risk, making company-wide changes and improving overall security behavior, it’s possible to protect your business from most data breaches.
Make sure you’ve done everything you can do to avoid your company becoming a victim to an attack. The time to change the culture toward improved cybersecurity is now.
At 19, Santiago Lopez is already counting earnings totaling over USD 1 million from reporting security vulnerabilities through vulnerability coordination and bug bounty program HackerOne. He’s the first to make this kind of money on the platform.
In 2015, when he was 16 years old, Lopez started to learn about hacking. He is self-taught, his hacker school being the internet, where he watched and read tutorials on how to bypass or defeat security protections.
The rewards came a year later when he got a $50 payout for a cross-site request forgery (CSRF) vulnerability. His largest bounty was $9,000, for a server-side request forgery (SSRF).
He spent his first bug bounty money on a new computer, and as he accumulated more in rewards, he moved to cars.
At the moment, he has a record of 1676 distinct vulnerabilities submitted for online assets belonging to big-name companies like Verizon, Automattic, Twitter, HackerOne, private companies, and even to the US government. Lopez ranks second on HackerOne.
A hacker’s work week, tools and experience
In 2018, the researchers on HackerOne earned over $19 million in bounties; the amount is a big jump from the more than $24 million paid in the previous five years. However, the goal of the program is to reach $100 million by the end of 2020.
The recent report from the platform shows that there are over 300,000 registered hackers that submitted more than 100,000 valid vulnerabilities.
Most of the hackers (35.7%) spend up to 10 hours on average per week looking for bugs. A quarter of them work between 10 and 20 hours every week.
According to the survey, the researchers with plenty of experience in cybersecurity, over 21 years, represent the smallest percentage. The majority of the hackers, 72.3%, have between one and five years of experience.
Over 72% of the hackers surveyed by HackerOne for the report look into website security and 6.8% research APIs and technology that holds its own data. The favorite tool of the trade is Burp Suite for testing web apps.
Making money, learning the ropes, being challenged and having fun are the top reasons the researchers submitting bugs via HackerOne give for their work, while bragging rights fall in last place.
Source: Bleeping Computer
Let me guess. From a young age, you were attracted to spy movies. You are someone who wasn’t necessarily interested in school subjects, but probably did okay regardless. You learn concepts easily and quickly compared to others. You had a natural affinity for computers at a young age. Something about you is excited by the subversive blackhat hacking community, but actually, you’re a good person who doesn’t like the idea of ruining people’s lives or spending your life doing chin-ups with your morally questionable mate “Steve” in a high security prison.
So what’s the solution? Become an ethical hacker, so that you can do these illegal things without risk of jailtime, and get paid for it!
I should start with a disclaimer — I’m not an expert. I’ve only ever landed one hacking job, which is my current one — and I haven’t even been here long! But I did spend a lot of time in other sectors of IT wishing I was in security. As a result, I’ve read a lot of stuff and spoken to a lot of people. Basically, it all boils down to this:
There is no one-size-fits-all approach to getting your first infosec role. There was a recent Twitter hashtag that did the rounds, #MyWeirdPathToInfosec, where a whole bunch of infosec professionals revealed the paths they took to an eventual infosec role. They varied widely: some spent time in federal prison (not recommended), some were musicians, some scored an infosec role straight out of college, some were offered jobs after illegally hacking a company and then telling the company how they did it (also not recommended). This technique may have worked for some people in the 90s; now it will probably land you in jail.
The point is, don’t have tunnel-vision. Career opportunities often arise where you least expect.
A Little About My Path to Infosec
I remember my first experience with “hacking.” I was about 10 years old, and I discovered the ability to save webpages locally. I headed straight to Google, downloaded the home page, and edited my local copy in notepad.exe to contain the words “Luke was ‘ere!”. When I opened up the edited page, my stomach dropped. I thought I had defaced Google. How long until the FBI kick in my door? Should I tell my parents before they find out?
Back in myyy daaaay, there were no hacking challenge sites. In fact, there was barely any information out there, at least that I could find. My first resource was a website by Carolyn Meinel, titled “The Guides to (mostly) Harmless Hacking.” The guides were written in Comic Sans, the token font of that bad design genre that can only be found in the 90s and early 00s. These guides included such classics as “Telnet: the Number One Hacking Tool” and “How to Hack with Windows XP part I: The Magic of DOS.” They can still be found here.
Upon finishing school I scored my first job in IT and started a computer science degree, almost finished, dropped out, got made redundant, moved out of home, acquired Bachelor of Music, became a full-time musician, spent a couple of years performing on cruise ships, met my wife, lived in the UK, got married, moved back to Australia, and started working as a full-time web developer.
Throughout all this, my passion for hacking never really subsided, and development was never something I loved. I had a wonderful job with great people, but the actual tasks of my job weren’t sparking me. As it turns out, I was on a project which involved e-commerce and sensitive data, so my boss offered for me to take a security related course. I emailed the CEO of a local penetration testing firm and asked what the best security course was, and he recommended OSCP. So I did it!
Completing my OSCP was a turning point for me. I spent every spare moment of those 60 days learning as much as possible about the art of hacking. Even when I was exhausted, I had trouble sleeping because my brain wouldn’t stop thinking about the challenge boxes in the labs. That’s how I knew it should probably be my job, instead of development, which I had grown tired of. (I wrote a three-part blog series about the OSCP too, if you’re into that.)
Only a month or two after completing OSCP, I landed my first penetration testing job through a great infosec recruiter after solving a hacking challenge they posted online. You can read more about that story here.
Enough about me! Finally, we are at the bit you all came here to read. Some actionable tips on how to get your first job as a hacker:
Get Active in the White Hat Community
Contribute to open source tools, write your own, blog, start a podcast, go to hacker cons, connect with people on Twitter. You will learn a lot and it will introduce you to a whole network of lovely people who can help you. The infosec community on the whole are a friendly, tight-knit pack of smart, passionate people. If you’re reading this, there’s a good chance you will feel at home.
Email People You Respect
Are there people out there in your dream role? Email them and ask about your career path. The worst that will happen is that they don’t reply, the best that can happen is that you gain a mentor and some life-changing advice.
You can have every hacking certification under the sun, but if you walk into the interview gloating about some illegal stunt you pulled, nobody will risk hiring you. The white hat community often deal with highly sensitive data — your employer and your clients need to be able to trust you.
On that note, when you’re in an interview and you don’t know the answer to a technical question, it’s better to say “sorry, I don’t know, but I will be sure to research that later!” than to try to bluff your way through an answer. The person interviewing you will be able to tell, and they are probably more interested in you being honest and genuine than correct. At this point in time, experienced security professionals are rare, so many companies are hiring less experienced staff with the right mindset and attitude, then putting them through training to learn the technical skills.
Frankly, many certifications in this field aren’t a good indicator of someone’s technical ability. Having said that — you’re more likely to get a job if you have them. It shows that you’re invested in the craft, you have spent time/money skilling up, and you are interested. There are a few great certifications out there, and some that aren’t so good. If you’re not sure which ones are good, ask someone who knows!
Bug Bounties, CTFs and Challenge Sites
Have you been in a HackerOne/BugCrowd hall of fame? Found a RCE in a bug bounty? Did you do well in a CTF at a hacking conference? Are you highly ranked on hackthebox.eu? Put it on your CV! These things might seem like games, but they’re also proof that you’re passionate about the craft, and have some skills.
Don’t Be Afraid of Recruiters
Recruiters get a bad name for relentlessly calling you and using dodgy tactics to get the right contacts, but they’re not all like that. Finding a quality recruiter with good connections can make all the difference. When you are looking for a recruiter for a hacking gig, find one that specialises in infosec. A standard IT recruiter probably won’t know the right people.
Make Your Current Role a Security Role
Are you a developer? Find a bug in the application you develop, show it to your boss, ask permission to conduct more in-depth security testing. Are you a sysadmin? Find a security hole in your network (you probably already know where to look), communicate the risk to your boss and ask for permission to conduct further testing. Whatever role you’re in — there’s a good chance you can make a name for yourself as the in-house security expert.
Now in your infosec interview/CV, you can say you were the in-house security expert, even though your official title was just “developer.” You can also fill out the “responsibilities” section of your role with some security related tasks.
Researchers playing with Twinkly IoT lights found security weaknesses that allowed them to display custom lighting effects and to remotely turn off their Christmas brilliance. They estimate that about 20,000 devices are reachable over the internet.
The LEDs in Twinkly lights can be controlled individually. Exploiting inherent security weaknesses related to authentication and the communication of commands, the researchers were able to use the curtain of lights to play Snake, the game made so popular by Nokia phones in the late 1990s.
Users can manage their Twinkly smart decoration via a mobile app that sends unencrypted traffic over the local network; this makes analyzing the traffic from a man-in-the-middle position trivial.
To talk to the lights, the app discovers them by running a UDP broadcast to port 5555 and receives in return an IP address and the name of the device.
“Once the application knows the IP address of the lights, it authenticates with them, receives an authentication token and retrieves information about the device. The authentication process, although a good idea, is flawed,” said the researchers from MWR InfoSecurity, a company recently acquired by F-Secure.
After analyzing the hardware internals and the mobile app, the researchers had a clear view of how the entire communication and authentication process worked.
They found the calls to the API endpoints and the algorithms used for creating the authentication challenge-responses.
Another discovery relates to the firmware update process, which does not use signatures to check the authenticity of the files received; this allows installing an arbitrary firmware “to the device over the local network without any real authentication or authorization, making it straightforward to gain arbitrary code execution.”
Hardcoded in the firmware is a username/password, used to connect to a private broker through the Message Queuing Telemetry Transport (MQTT) protocol for exchanging messages with remote IoT boards and sensors.
MQTT allows subscribing to topics using wildcards; the ‘#’ symbol matches any number of topic levels, so subscribing to ‘#’ at the root gives access to all topics and, implicitly, to all the information published by the lights.
“Monitoring the root for unique mac addresses we estimate there are almost 20,000 devices out there,” MWR Labs says.
Remote tampering with the lights is not difficult
Considering these security faults, it would be easy for an attacker on the network to intercept the communication between the Twinkly lights and the mobile app and use them to manipulate the LEDs into custom patterns or turn them off.
“As any MQTT node can publish to any topic, it is thus possible for anyone to issue commands to any set of lights and turn them off. We tested this remotely from AWS against the lights in the office and it worked perfectly,” MWR Labs experts note in a technical blog post.
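Why a hard-coded broker account combined with a root ‘#’ subscription exposes every device, and how a per-client topic ACL on the broker would confine each set of lights to its own subtree, as an added example in Python (not MWR Labs’ or Twinkly’s code). The ‘lights/<mac>/…’ topic layout, the client ids and the MAC addresses are assumptions for the demo.

```python
"""Added example, not MWR Labs' or Twinkly's code: MQTT wildcard matching and
broker-side ACL checks. The 'lights/<mac>/...' topic layout, the client ids
and the MAC addresses are constructed assumptions."""


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 matching: '+' is one level, '#' is all remaining levels
    and must be last; wildcards in the first level never match '$'-topics."""
    f_parts, t_parts = filter_.split("/"), topic.split("/")
    if topic.startswith("$") and f_parts[0] in ("#", "+"):
        return False
    for i, f in enumerate(f_parts):
        if f == "#":
            return i == len(f_parts) - 1      # 'a/#' also matches 'a' itself
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def filter_covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`,
    i.e. the requested subscription is no broader than the allowed filter."""
    a_parts, r_parts = allowed.split("/"), requested.split("/")
    for i, a in enumerate(a_parts):
        if a == "#":
            return i == len(a_parts) - 1
        if i >= len(r_parts) or r_parts[i] == "#":
            return False                      # requested reaches further down
        if a != "+" and r_parts[i] != a:
            return False                      # literal mismatch, or '+' vs literal
    return len(a_parts) == len(r_parts)


def may_subscribe(acl: dict, client_id: str, requested: str) -> bool:
    """acl maps a client id to the topic filters it may subscribe to."""
    return any(filter_covers(f, requested) for f in acl.get(client_id, []))


def may_publish(acl: dict, client_id: str, topic: str) -> bool:
    """acl maps a client id to the topic filters it may publish under."""
    return any(topic_matches(f, topic) for f in acl.get(client_id, []))


def demo() -> dict:
    """One shared account allowed everything (the setup the article describes)
    versus per-device credentials confined to the device's own subtree."""
    mac_a, mac_b = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    shared_sub = shared_pub = {"firmware-account": ["#"]}
    per_device_sub = {mac_a: [f"lights/{mac_a}/#"], mac_b: [f"lights/{mac_b}/#"]}
    per_device_pub = {mac_a: [f"lights/{mac_a}/status"], mac_b: [f"lights/{mac_b}/status"]}
    return {
        "root_matches_other_device": topic_matches("#", f"lights/{mac_b}/cmd"),
        "root_matches_sys_topics": topic_matches("#", "$SYS/broker/clients"),
        "shared_root_subscribe": may_subscribe(shared_sub, "firmware-account", "#"),
        "shared_publish_to_any": may_publish(shared_pub, "firmware-account", f"lights/{mac_b}/cmd"),
        "device_root_subscribe": may_subscribe(per_device_sub, mac_a, "#"),
        "device_own_subtree": may_subscribe(per_device_sub, mac_a, f"lights/{mac_a}/cmd"),
        "device_other_subtree": may_subscribe(per_device_sub, mac_a, f"lights/{mac_b}/#"),
        "device_wildcard_mac": may_subscribe(per_device_sub, mac_a, "lights/+/cmd"),
        "device_publish_own_status": may_publish(per_device_pub, mac_a, f"lights/{mac_a}/status"),
        "device_publish_other_cmd": may_publish(per_device_pub, mac_a, f"lights/{mac_b}/cmd"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The per-device rows show the property the shared account lacks: a credential extracted from one unit cannot read or command another unit’s topics.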
To demonstrate remote management of the Twinkly lights across the world, the researchers turned to the DNS rebinding attack technique, known in the infosec industry for over a decade.
An attacker can use DNS rebinding to bypass the same-origin policy (SOP) in web browsers and turn them into a proxy for communicating with devices on the network. All the user would have to do for this to happen is access the wrong link.
MWR Labs created a malicious website specifically for this purpose. When the victim loads it, all the devices on the local network are enumerated. If Twinkly lights are available, they will be configured to show the message ‘Hack the Planet!’ as you can see in the video below.
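The standard device-side defence against the DNS rebinding technique described above is to validate the HTTP Host header: after the rebind, the browser still sends the attacker’s domain in Host, so a device that only answers to its own address (or a fixed local name) refuses the request. Added example in Python, not MWR Labs’ or Twinkly’s code; the device IP, the ‘lights.local’ name, the ‘/api/…’ paths and the request lines are constructed values.

```python
"""Added example, not MWR Labs' or Twinkly's code: the Host-header check a
LAN device's HTTP API can apply against DNS rebinding. The device address,
the 'lights.local' name, the paths and the request lines are constructed."""
import ipaddress


def _host_without_port(host_header: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_is_trusted(host_header: str, device_ips, allowed_names=()) -> bool:
    """After a DNS rebind the browser still sends the attacker's hostname in
    Host:, because from its point of view nothing changed. A device that only
    answers to its own IP literals (and, optionally, a fixed local name it
    knows it owns) therefore refuses the rebound request."""
    host = _host_without_port(host_header)
    if not host:
        return False
    try:
        own = {ipaddress.ip_address(ip) for ip in device_ips}
        return ipaddress.ip_address(host) in own
    except ValueError:                      # not an IP literal: compare names
        return host in {n.lower() for n in allowed_names}


def handle_request(raw: str, device_ips, allowed_names=("lights.local",)) -> int:
    """Return the status a hardened device API would send for a raw HTTP/1.1
    request: 421 Misdirected Request for any Host the device does not serve."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if not host_is_trusted(headers.get("host", ""), device_ips, allowed_names):
        return 421
    return 200


DEVICE_IPS = ("192.168.1.50",)              # constructed LAN address of the lights


def demo() -> dict:
    """The legitimate app addresses the lights by IP (or a local name); a page
    served from a rebound domain arrives with that domain in Host:."""
    requests = {
        "app_by_ip": "POST /api/mode HTTP/1.1\r\nHost: 192.168.1.50\r\n\r\n{}",
        "app_by_ip_port": "POST /api/mode HTTP/1.1\r\nHost: 192.168.1.50:80\r\n\r\n{}",
        "app_by_local_name": "GET /api/status HTTP/1.1\r\nHost: lights.local\r\n\r\n",
        "rebound_browser": ("POST /api/mode HTTP/1.1\r\nHost: rebind.attacker.example\r\n"
                            "Origin: http://rebind.attacker.example\r\n\r\n{}"),
        "missing_host": "POST /api/mode HTTP/1.1\r\n\r\n{}",
    }
    return {name: handle_request(req, DEVICE_IPS) for name, req in requests.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```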
The vulnerabilities found in Twinkly lights are the exact opposite for the IoT space. In this case, there is little damage an attacker can do by hacking the lights, but other targets may be more valuable, the researchers say.
Source: Bleeping Computer