ElasticSearch Server Exposed The Personal Data Of Over 57 Million US Citizens*:
- An ElasticSearch server that was left open on the Internet without a password has leaked the personal information of nearly 57 million Americans for almost two weeks.
- The leaky server was spotted by Bob Diachenko, Director of Cyber Risk Research for cyber-security firm Hacken, during a regular security audit of unsecured servers indexed by the Shodan search engine.
- The researchers said the ElasticSearch server (a technology used for powering search functions) was leaking over 73GB of data, and that several databases were cached inside the server's memory.
- Inside one of these databases, Diachenko said he found 56,934,021 records holding the personal data of US citizens.
- In most cases, these records contained personal information such as first name, last name, email address, home address, state, ZIP code, phone number, and IP address.
- But the leaky ElasticSearch server also contained a second cached database named "Yellow Pages," which Diachenko said held an additional 25,917,820 records, which appeared to be business entries.
- These latter records contained a little more information, such as names, company details, ZIP codes, carrier routes, latitude/longitude coordinates, census tracts, phone numbers, web addresses, email addresses, employee counts, revenue numbers, NAICS codes, SIC codes, and a few other fields.
- The researcher told ZDNet he was not able to identify who owned the exposed server, but based on clues contained within the leaked databases, he said today in a report that he believes the Canadian data firm Data & Leads might be connected to the data, directly or indirectly.
*Source: ZDNet, November 28, 2018
Marriott Hacking Exposes Data Of Up To 500 Million Guests*:
- The hotel chain asked guests checking in for a treasure trove of personal information: credit cards, addresses and sometimes passport numbers.
- On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests.
- The assault started as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.
- The Starwood attack happened roughly the same time as a number of other breaches at American health insurers and government agencies, including the United States Office of Personnel Management, in what security research firms and government officials described as an effort to compile a vast database of personal information on potential espionage targets.
- Experts don’t know if the Starwood attack was connected to those other episodes.
- But Starwood’s data has not popped up on the so-called dark web, according to Recorded Future, a cybersecurity firm, and Coalition, a cyber insurance provider, which suggested that the hotel attackers weren’t looking to sell what they took.
- The breach hit customers who made reservations for the Marriott-owned Starwood hotel brands from 2014 to September 2018.
- The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Element and the Luxury Collection.
- Marriott hotels, including Residence Inn and the Ritz-Carlton, operate on a separate reservation system. The company has plans to merge that system with Starwood’s.
- The names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers were stolen.
- The travel histories and passport numbers of a smaller group of guests were also taken.
- The company is offering one year of free enrollment in a service called Web Watcher to people who live in the United States, Canada and Britain.
- Marriott described it as a service that keeps an eye on websites where thieves swap and sell personal information and then alerts people if anyone is selling their information.
- The intrusion went unnoticed for four years by Starwood, which was acquired by Marriott in 2016 for $13.6 billion.
- It was uncovered in early September, when a security tool alerted Marriott officials to an unauthorized attempt to access Starwood’s guest reservation database.
- The alert prompted Marriott to work with outside security experts, who discovered that the hackers had grabbed a foothold in Starwood’s systems starting in 2014.
*Source: The New York Times, November 30, 2018
Dell Performs Global Password Reset Following Cybersecurity Incident*:
- Dell recently revealed that on November 9, it detected and thwarted a cyber attack targeting Dell.com customer information.
- The bad actors attempted to steal names, e-mail addresses and hashed passwords.
- Although it is possible that the attackers got away with some information, Dell said they have found no evidence to suggest any information was extracted.
- Dell said once the threat was detected, it deployed countermeasures and initiated an investigation.
- A digital forensics team was also brought in to conduct an independent investigation and law enforcement has been notified.
- The company did not say how many accounts were potentially at risk.
- Shortly after the breach, Dell performed a global reset of all Dell.com customer passwords and is requiring a multi-step authentication process prior to users being able to regain access to their accounts.
*Source: Tech Spot, November 29, 2018
Atrium Health Says Data Of About 2.65 Million Patients Involved In Breach*:
- Atrium Health, previously Carolinas HealthCare System, said on Tuesday that data of about 2.65 million patients, including addresses, dates of birth and social security numbers, may have been compromised in a breach at its third-party provider AccuDoc Solutions.
- Atrium, which provides healthcare and wellness programs throughout the Southeast region of the United States, said a review revealed unauthorized access to AccuDoc’s databases between Sept. 22 and Sept. 29.
- An Atrium spokesman said investigations indicate that data was accessed but not downloaded in the incident.
- Personal clinical and medical records were not involved, nor was financial account information, such as bank account numbers or credit card or debit card information, the company said.
- AccuDoc informed Atrium Health about the breach on Oct. 1.
*Source: Reuters, November 28, 2018
Hackers Breach Dunkin Donuts Accounts In Credential Stuffing Attack*:
- A credential stuffing attack has allowed hackers to take a big bite out of Dunkin’ Donuts customer data.
- The donut giant announced Tuesday evening that a data breach in October may have led to customers’ personal information being compromised.
- Dunkin’ Brands Inc., in an advisory posted to its website, said that on Oct. 31 a malicious actor attempted to access customers’ first and last names, email addresses, as well as account information for DD Perks, Dunkin’ Donuts’ rewards program.
- That account information includes customers’ 16-digit DD Perks account number and DD Perks QR code.
- Dunkin’ Donuts has forced a password reset that required all of the potentially impacted DD Perks account holders to log out and log back into their accounts using a new password.
- The company said that it believes the hacker obtained usernames and passwords from security breaches of other companies, and then used those usernames and passwords to try to break into various online accounts via widespread automated login requests, a method also known as credential stuffing.
- Dunkin’ Donuts said its security vendor was successful in stopping most of these attempts, but it is still possible that the hacker may have succeeded in logging in to some DD Perks accounts.
- The incident is the second notable data breach of a company this week.
- On Wednesday, Dell EMC warned customers of unauthorized activity on its network that occurred on Nov. 9 when it believes adversaries attempted to access names, email addresses and hashed passwords.
*Source: Threat Post, November 29, 2018
Uber Fined $1.2 Million By The UK ICO And Dutch DPA Over The 2016 Hack*:
- Two years ago, Uber suffered a massive data breach that exposed a mammoth database to hackers.
- As disclosed recently by the Information Commissioner’s Office (ICO), Uber was fined a hefty amount by the UK and Dutch authorities due to its security lapse.
- The company faced a data breach that leaked 57 million records to the hackers.
- The incident affected both riders and drivers.
- Reportedly, the leaked data included personal details of 2.7 million UK customers.
- It also contained data on 82,000 drivers from the UK, including details of rides made and payment methods.
- According to the ICO, the hackers allegedly targeted Uber’s system through a credential stuffing attack.
- For failing to protect users’ data, the ICO imposed a fine of £385,000 (around $490,760) on Uber.
- In addition, the Dutch Data Protection Authority (Dutch DPA) has also fined Uber for the same security breach with a whopping €600,000 (approx. $677,587).
- The ICO elaborated that the fine imposed is in accordance with the Data Protection Act 1998.
- Had the incident occurred more recently, Uber might have faced fines of up to £500,000 under the new GDPR.
*Source: Latest Hacking News, November 27, 2018