2022: This Month in breach!

Toronto healthcare provider Scarborough Health Network has disclosed that it has experienced a data breach. Officials say that an unauthorized actor gained access to the organization’s systems around January 25, 2022. The attacker was shut out of the system by February 1, 2022. The information of anyone treated before February 1, 2022, may have been compromised.

The organization says that patients who received care prior to the amalgamation of SHN Centenary Hospital (also known as Scarborough Centenary Hospital), SHN General (also known as Scarborough General), and Birchmount Hospital (also known as Scarborough Grace) under one network in 2016 might be impacted as well as patients who received care at hospitals that were part of the former Rouge Valley Hospital Network, including RVHS Ajax and Pickering Campus or Ajax-Pickering Hospital.

The health network says a big pool of information may have been accessed, including patients’ names, dates of birth, marital statuses, home addresses, phone numbers, email addresses, OHIP numbers, insurance policy numbers, lab results, diagnosis information, COVID-19 immunization records. Staff names and numbers may have also been accessed.

Verizon has announced that hackers obtained access to a database. The hacked database includes the full name, email address, corporate ID numbers, and phone number of hundreds of Verizon employees. According to reports, the hacker contacted Verizon to ask for an extortion payment of $250,000 to prevent the release of the stolen data. Verizon has said that they do not plan to pay.

Information exposed in the database includes employee names, email addresses, corporate ID numbers, and phone numbers. Verizon says that the database does not include Social Security Numbers, passwords or credit card numbers.

General Motors (GM) has announced that it was hit by a credential stuffing attack last month that exposed customer information. GM said that they detected the malicious login activity between April 11-29, 2022, and that hackers obtained access through credential stuffing. GM said in a statement “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.” The bad actors also redeemed loyalty points from some customers’ accounts for gift cards.

Customer data that was exposed in this incident includes first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile pictures and search and destination information, car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords).

Chicago Public Schools is facing a big breach of student data after a technology vendor experienced a data security incident. CPS has disclosed that it was recently informed that an unauthorized access incident took place at Battelle for Kids in December 2021. In that incident, a server that housed four years’ worth of personal information about students and staff from the 2015-16 through 2018-2019 school years was breached. Officials say that no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores were exposed in this incident.

The improperly accessed data included students’ names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on course-specific assessments used for teacher evaluations. Employee data included names, employee identification numbers, school and course information and emails and usernames.

Sunwing Airlines passengers were finding themselves delayed or stranded in airports in Canada and across the Caribbean after a cyberattack brought down boarding and check-in services maintained by Illinois-based service provider Airline Choice. The airline had been forced to manually check in passengers and handwrite boarding passes, causing massive delays for several days, with passengers stranded in the Caribbean, Mexico and Central America. The company in-turn had to subcontract flights with other airline carriers just to get some of its stranded passengers home.

The Conti group has claimed responsibility for a ransomware attack on the federal government of Costa Rica that has caused trouble in several government agencies for more than a week. Government ministries impacted include Finance, experiencing impacts in customs and tax collection, Labor and the social security agency’s human resources system. Conti’s extortion site claims that the group has published 50% of the stolen data including more than 850 gigabytes of material from the Finance Ministry and other institutions’ databases. Reports say that the group has demanded a $10 million ransom, which the Costa Rican government has stated it will not pay.

The Conti ransomware group has claimed responsibility for an attack on Panasonic’s Canadian operations in February 2022. Panasonic confirmed that it had been the victim of a ransomware attack that impacted its systems, processes and networks. The company says that it has contracted with outside experts to investigate the attack as well as clean and restore servers and rebuild applications. No word was available about what if any data was stolen by the attackers. Panasonic says that relevant authorities have been informed.

UK same-day delivery company CitySprint has informed its drivers of a data breach that may have exposed their personal information. The company says that an unauthorized party gained access to its iFleet internal management and routing system. While CitySprint says that it doesn’t think that drivers’ personal data was compromised, it can’t be sure.

Drivers may have had information exposed including photos of their driving license, vehicle pictures, and records of their weekly earnings.

The BlackCat ransomware outfit has claimed they’re behind a ransomware attack at Florida International University. The group said that it has stolen a range of personal information from students, teachers and staff, amounting to 1.2 TB of data. Among the stolen data, the group says it obtained contracts, accounting documents, social security numbers, email databases and more. No further details about the stolen data was available at press time.

The Lapsus$ gang has released 37GB of source code that they snatched in a hit on Microsoft’s Azure DevOps server. Microsoft confirmed the incident, saying that the threat actors gained access through a compromised employee account.

The source code looks to pertain to various internal Microsoft projects, including for Bing, Cortana and Bing Maps. Microsoft made a blog post about its recent operations to track and potentially interfere with Lapsus$ last week. The company was quick to state, “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.” Lapsus$ is known to be a ransomware outfit, but no ransom activity was disclosed in this incident.

No information about consumer/employee PII, PHI or financial data exposure was available at press time.

Russian meat wholesaler Miratorg Agribusiness Holding has suffered a major cyberattack that encrypted its IT systems. The attack was reported by Rosselkhoznadzor, Russia’s veterinary medicine and agricultural production and byproducts oversight body.

The attackers reportedly made use of the Windows BitLocker feature to encrypt files, possibly gaining access through a state veterinary information service. Rosselkhoznadzor has suggested that this may be a nation-state cyberattack. Miratorg Agribusiness Holding promised that attack will not affect its supply and shipments to Russian citizens.

Nation-state cybercrime is booming, especially around the Russia/Ukraine conflict.

Anonymous is back at it, this time leaking documents stolen from the Omega Company, the research and development division of Russian oil pipeline company Transneft.

The hacktivist collective, who have publicly sided with Ukraine in response to Russia’s invasion of the country, got ahold of 79GB of the company’s emails and published them on the leak site of the non-profit whistleblower organization Distributed Denial of Secrets. The stolen data includes invoices, equipment technical configurations, and product shipment information.

One unusual detail: the hackers responsible dedicated the hack to Hillary Clinton after she mentioned that Ukraine-aligned hackers should attack Russian targets in a recent interview.

A cyberattack impacting PressReader, the world’s largest digital newspaper and magazine distribution platform, left readers in the US, UK, Australia and Canada unable to access more than 7000 publications. Some of the unavailable publications include The Guardian, Vogue, Forbes and the New York Times.

PressReader said it has resolved the issue and is working to make missed content available to users after experiencing an unspecified cybersecurity event. This may be a nation-state attack; the incident happened shortly after PressReader announced that it was removing dozens of Russian titles from its catalog and publicly stated that it would help the Ukrainian citizens access the news following Russia’s invasion of their country.

West Virginia healthcare organization Monongalia Health System (Mon Health) has announced a data breach. The company operators of Monongalia County General Hospital, Preston Memorial Hospital, Stonewall Jackson Memorial Hospital and other healthcare centers, is informing patients and staffers that they had data stolen in December 2021. This is the second breach announcement in 3 months for Mon Health. Attackers did not gain access to the organization’s health electronic records systems.

Exposed data may include patient, employee, provider and contractor data including names, addresses, birth dates, Social Security numbers, health insurance claim numbers, medical record numbers, patient account numbers, medical treatment information, and various other data.

The Lapsus$ hacking group just published a 190-gigabyte trove of confidential data including source code that it claims to have seized from Samsung Electronics in a ransomware attack.

Reports say that the stolen code contains the source for every Trusted Applet in Samsung’s TrustZone environment, which handles sensitive tasks such as hardware cryptography and access control. It may also include biometric unlock operation algorithms, the bootloader source for recent devices, activation server source code and the full source code used to authenticate and authorize Samsung accounts. Samsung says that they’re investigating the incident.

No information about consumer or employee PII, PHI or financial data exposure was available at press time.

The Christian fundraising platform GiveSendGo was a victim of suspected DDOS (distributed denial of service) attack earlier in February. This was in response to GiveSendGo’s public support to the Canadian Freedom Convey 2022, the trucker protest against government mandated COVID-19 vaccination laws.

GiveSendGo started raising funds after GoFundMe froze the convoy’s account having $10 million in donations. When the site began raising funds, it was then attacked and experienced unexpected downtime. Furthermore, in the aftermath of this cyberattack, the hackers leaked a cache of private information including the full names, donation amounts and partial location of many who donated to the Freedom Convoy’s cause.

Canadian aerospace and defense company IMP Group was the victim of a cyber attack in late February. The Nova Scotia company vying to replace Canada’s aging fleet of fighter jets came under an attack, with a computer virus infiltrating IMP Group’s servers through an email. Amid the recent Russian invasion of Ukraine, much has been made of Russia’s attempt to attack allied countries with cyberwarfare.

Although it is not yet confirmed if Russia is responsible for the attack on the IMP Group, it has been confirmed that the attack came from outside of Canada. The company has been repairing servers and scanning for viruses since the attack. Though they have not specified what the hackers demands were, they have not paid any ransom to the attackers.

Toyota announced that it is shutting down its domestic factory operations briefly after a cyberattack at a supplier. The supplier, Kojima Industries Corp, has admitted to being attacked but offered no further information. It was not made clear how long Toyota’s Japanese factories, which total one-third of its production yearly, will be closed. However, closing the factories for a long period of time could result in major delays in shipment felt throughout the world.

A report just released by the Office of the Inspector General (OIG) details a business email compromise disaster that ended up costing the city of Baltimore more than $375,000. In this incident, bad actors managed to change the bank details kept on file for a vendor who had an agreement with Baltimore’s Mayor’s Office of Children and Family Success (MOCFS).

The cybercriminals contacted both MOCFS and Baltimore’s Bureau of Accounting and Payroll Services (BAPS) asking to have the vendor’s banking information updated to send payments to a different bank account at another financial institution. BAPS ultimately complied with the fraudster’s change request, then began sending electronic payments to the new address. You know how this one ends up. Ultimately, cybercriminals made off with $376,213.10. The vendor was not named, but the report noted that cybercriminals had gained access to the vendor’s email accounts through a phishing attack.

Cybersecurity researchers recently announced the discovery of a trove of information belonging to ISOC in an unsecured Microsoft Azure blob. The blob was reported to contain millions of files with personal and login details belonging to ISOC members. ISOC has secured the blob but there’s no telling how long that data was exposed for or who may have seen it.

The member data exposed includes members’ full names, preferred language, the account ID, donation history, login credentials, social media tokens, email and street addresses, genders and similar personal information.

Online NFT marketplace OpenSea has been embroiled in controversy after a cyberattack cost investors their NFT. There’s been a lot of back-and-forth on this one. A phishing attack perpetrated on the platform’s users is purportedly to blame for the incident that has so far left more than 30 of its users unable to access their NFTs, although some claims have been made on Twitter pointing to a flaw in the platform’s code. Reports say that the attacker has made somewhere between $1.7 – 2 million in Ethereum from selling some of the stolen NFTs. An estimated 254 tokens were stolen over three hours.

Morley Companies, a business service provider to several Fortune 500 companies, announced that it had been hit with a ransomware attack that may have exposed sensitive information for more than 500,000 people. In a statement, the company said that “a ransomware-type malware had prevented access to some data files on our system beginning August 1, 2021, and there was an unauthorized access to some files that contained personal information.”, chalking up the delay in notifying possible victims of this exposure to the complexities of the incident investigation.

Morley Companies said the attack affected the information of “current employees, former employees and various clients.” The potentially compromised information leaked includes names, addresses, Social Security numbers, dates of birth, client identification numbers, medical diagnostic and treatment information and health insurance information. The company is offering credit monitoring and identity theft protection for victims.

Food company KP snacks, manufacturer of beloved British snacks like Hula Hoops, KP Nuts, Butterkist popcorn and Nik Naks, was hit with a ransomware attack in late January that may impact its production. Conti ransomware operators have claimed responsibility. The company informed retailers in early February that the attack had impacted its manufacturing and distribution, and that product shortages may continue into March.

Researchers discovered samples of some of the data it had infiltrated on its dark web leak page, including confidential employee data such as home addresses and phone numbers, employment contracts, credit card statements and even birth certificates.

British Council, the global organization for promoting British culture and administrators of the International English Language Testing System (IELTS) exam, leaked over 144,000 files containing student records due to an unsecured Microsoft Azure blob. Researchers determined that the blob contained the personal information of hundreds of thousands of British Council English course learners and students from around the world. The group points to a contractor as the culprit for the leak.

Exposed data includes a student’s full name, email address, student ID, student status, enrollment dates, duration of study and other information.

Crypto.com, a platform that allows users to swap tokens between blockchains, publicly announced an incident in which a flaw in the platform’s security allowed cybercriminals to snatch an estimated $31 million in cryptocurrency. The company disclosed that 483 users were impacted by unauthorized cryptocurrency withdrawals on their accounts amounting to 4,836.26 ETH, 443.93 BTC, and approximately $84 000 in other cryptocurrencies. In response to this incident, the company is adjusting its protocols to include safeguards like requiring all customers to re-login and set up their 2FA token to ensure only authorized activity would occur and a new policy where the first withdrawal to a whitelisted address must wait 24 hours among other measures.

The City of Tenino, Washington is down $280,309 in public funds according to the Washington State Auditor’s Office after a city employee fell for a phishing message that launched a business email compromise scam. Reports say that former Clerk Treasurer John Millard fell victim to a phishing message and paid cybercriminals a boatload of money, some without city council approval. The official reportedly initiated 20 automated clearing house payments from the city’s bank account to multiple out-of-state bank accounts. News outlets are also reporting that a warning was sent out to clerks about the phishing scam immediately but that didn’t stop this disaster from happening.

The International Committee of the Red Cross has revealed that hackers have stolen data from a Swiss contractor that stores it for them. The stolen data includes information about over 515,000 highly vulnerable people that it has served, recipients of aid and services from at least 60 affiliates of the organization worldwide. The Red Cross says it typically reunites 12 missing people with their families every day through that program. As a result of this cyberattack, The International Red Cross has been forced to temporarily halt a program that reunites families torn apart by violence, migration or other tragedies. A spokesperson for the ICRC told news outlets that there have been no demands from the hackers in exchange for stolen data and that they were working with specialized firms to recover.