Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Personal Data
Automotive Industry AWS Cloud Data Cloud Misconfiguration Data Breach Data Leak data security Exposed Data Personal Data

Volkswagen Cybersecurity Breach Exposes Sensitive Vehicle Data

 


A recent cybersecurity lapse within Volkswagen’s Cariad unit, which manages the company’s cloud systems, exposed sensitive data from hundreds of thousands of vehicles. The breach, attributed to a misconfiguration in a cloud environment hosted on Amazon Web Services (AWS), was uncovered by a whistleblower and investigated by the Chaos Computer Club, a cybersecurity association. The incident has sparked significant concerns about data privacy and the security of connected vehicles.

The exposed dataset reportedly included detailed information on approximately 800,000 electric vehicles. Notably, location data was exceptionally precise for 460,000 cars. For Volkswagen and its subsidiary Seat, the data pinpointed vehicles to within 10 centimeters, while data from Audi and Skoda vehicles were accurate to within six miles. In some instances, the leaked information was linked to personal details of car owners, such as names, contact information, and vehicle operational statuses. Alarmingly, the breach also disclosed the locations of prominent individuals, including German politicians, raising concerns about potential misuse.

Volkswagen’s Cariad unit is responsible for integrating advanced technologies into the automaker’s vehicles. This incident highlights vulnerabilities in cloud environments used by automakers to store and manage vast amounts of vehicle and customer data. According to Volkswagen, accessing the exposed information required bypassing multiple security layers, which would have demanded advanced expertise and considerable effort. Despite this, the data remained publicly accessible for several months, drawing criticism and prompting calls for stronger cybersecurity measures.

Existing Security Measures and Gaps

Automakers generally follow industry standards such as ISO/SAE 21434, which outline best practices for securing systems against breaches and mitigating vulnerabilities. Many vehicles are also equipped with cybersecurity hardware, including network switches and firewalls, to protect data within a car’s subsystems. However, the Volkswagen incident underscores critical gaps in these measures that require urgent attention.

Company Response and Moving Forward

The leaked dataset, spanning several terabytes, reportedly did not include payment details or login credentials, according to Volkswagen. The company has since patched the vulnerability and emphasized its commitment to data security. While Volkswagen stated that there was no evidence hackers had downloaded the information, the breach serves as a stark reminder of the risks inherent in managing sensitive data within interconnected systems.

This incident underscores the need for stricter regulations and enhanced cybersecurity frameworks for cloud-based infrastructures, especially as connected vehicles become increasingly prevalent. Moving forward, automakers must prioritize robust security protocols to safeguard consumer data and prevent similar breaches in the future.

Read more »
trending news
Cybersecurity Breach Data Breach EU News SecurityScorecard trending news

Third-Party Data Breaches Expose Cybersecurity Risks in EU's Largest Firms

A recent report by SecurityScorecard has shed light on the widespread issue of third-party data breaches among the European Union’s top companies. The study, which evaluated the cybersecurity health of the region’s 100 largest firms, revealed that 98% experienced breaches through external vendors over the past year. This alarming figure underscores the vulnerabilities posed by interconnected digital ecosystems.

Industry Disparities in Cybersecurity

While only 18% of the companies reported direct breaches, the prevalence of third-party incidents highlights hidden risks that could disrupt operations across multiple sectors. Security performance varied significantly by industry, with the transport sector standing out for its robust defenses. All companies in this sector received high cybersecurity ratings, reflecting strong proactive measures.

In contrast, the energy sector lagged behind, with 75% of firms scoring poorly, receiving cybersecurity grades of C or lower. Alarmingly, one in four energy companies reported direct breaches, further exposing their susceptibility to cyber threats.

Regional differences also emerged, with Scandinavian, British, and German firms demonstrating stronger cybersecurity postures. Meanwhile, French companies recorded the highest rates of third- and fourth-party breaches, reaching 98% and 100%, respectively.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, stressed the importance of prioritizing third-party risk management. His remarks come as the EU prepares to implement the Digital Operational Resilience Act (DORA), a regulation designed to enhance the cybersecurity infrastructure of financial institutions.

“With regulations like DORA set to reshape cybersecurity standards, European companies must prioritise third-party risk management and leverage rating systems to safeguard their ecosystems,” Sherstobitoff stated in a media briefing.

Strengthening Cybersecurity Resilience

DORA introduces stricter requirements for banks, insurance companies, and investment firms to bolster their resilience against cyberattacks and operational disruptions. As organizations gear up for the rollout of this framework, addressing third-party risks will be crucial for maintaining operational integrity and adhering to evolving cybersecurity standards.

The findings from SecurityScorecard highlight the urgent need for EU businesses to fortify their digital ecosystems and prepare for regulatory demands. By addressing third-party vulnerabilities, organizations can better safeguard their operations and protect against emerging threats.

Read more »
supply chain security
Bank Data Data Breach Data Leak data security fake ads Fidelity Personal Data Phishing Attack Phishing Camapign supply chain security

General Dynamics Confirms Data Breach Via Phishing Campaign

 


In October 2024, General Dynamics (GD), a prominent name in aerospace and defense, confirmed a data breach impacting employee benefits accounts. The breach, detected on October 10, affected 37 individuals, including two residents of Maine. Attackers accessed sensitive personal data and bank details, with some accounts experiencing unauthorized changes.

The incident originated from a phishing campaign targeting a third-party login portal for Fidelity’s NetBenefits Employee Self Service system. Through a fraudulent ad campaign, attackers redirected employees to a spoofed login page resembling the legitimate portal. Employees who entered their credentials inadvertently provided access to their accounts. The compromised data included:

  • Personal Information: Names, birthdates, and Social Security numbers.
  • Government IDs: Details of government-issued identification.
  • Banking Details: Account numbers and direct deposit information.
  • Health Information: Disability status of some employees.

In some cases, attackers altered direct deposit information in affected accounts. The breach began on October 1, 2024, but was only discovered by General Dynamics on October 10. Once identified, access to the compromised portal was suspended, and affected employees were promptly notified. Written instructions were sent to reset credentials and secure accounts. Forensic experts were engaged to assess the breach, determine its scope, and address vulnerabilities.

Company’s Response and Support

General Dynamics emphasized that the breach was isolated to the third-party login portal and did not compromise its internal systems. In a report to the Maine Attorney General’s Office, the company stated, “Available evidence indicates that the unauthorized access occurred through the third party and not directly through any GD business units.”

To assist affected individuals, General Dynamics is offering two years of free credit monitoring services. Impacted employees were advised to:

  • Reset login credentials and avoid reusing old passwords.
  • Monitor bank and benefits accounts for suspicious activity.
  • Follow provided guidelines to safeguard personal information.

For additional support, the company provided resources and contacts to address employee concerns.

Previous Cybersecurity Incidents

This is not the first cybersecurity challenge faced by General Dynamics. In June 2024, its Spanish subsidiary, Santa Barbara Systems, was targeted by a pro-Russian hacker group in a distributed denial-of-service (DDoS) attack. While the incident caused temporary website disruption, no sensitive data was compromised.

Earlier, in March 2020, a ransomware attack on Visser Precision, a General Dynamics subcontractor, exposed sensitive data through the DoppelPaymer ransomware group. Although General Dynamics’ internal systems were not directly impacted, the incident highlighted vulnerabilities in supply chain cybersecurity.

These recurring incidents highlight the persistent threats faced by defense companies and underscore the critical need for robust cybersecurity measures to protect sensitive data. General Dynamics’ swift response and ongoing vigilance demonstrate its commitment to addressing cybersecurity challenges and safeguarding its employees and systems.

Read more »
Supply-Chain Attack
Breach attack cyberattacks trending news Data Breach News Supply-Chain Attack

Hackers Breach Cyberhaven’s Chrome Extension in Supply-Chain Attack, Exfiltrating Sensitive Data

Hackers compromised Cyberhaven’s Chrome extension in a suspected supply-chain attack, publishing a malicious update capable of stealing customer passwords and session tokens. The attack raised serious concerns about the security of widely-used browser extensions. Cyberhaven, a data-loss prevention startup, confirmed the incident but withheld specific technical details about the breach.

According to an email sent to affected customers and later shared by security researcher Matt Johansen, the attack occurred during the early hours of December 25. Hackers reportedly gained access to a company account and used it to push a malicious update (version 24.10.4) to unsuspecting users. This update potentially allowed attackers to exfiltrate sensitive information, such as authenticated session tokens, cookies, and customer credentials.

The breach was detected later that day by Cyberhaven's internal security team, who immediately removed the compromised extension from the Chrome Web Store. A secure version (24.10.5) was released shortly afterward to mitigate the impact and restore user confidence. However, the rapid timeline of the attack highlights the challenges companies face in responding to supply-chain breaches.

Impact on Corporate Users

Cyberhaven’s products are widely used by over 400,000 corporate customers to monitor for data exfiltration and cyber threats. Affected organizations include a mix of prominent enterprises and technology leaders, such as:

  • Snowflake: Cloud data platform provider
  • Canon: Imaging and optical solutions company
  • Motorola: Telecommunications and consumer electronics firm
  • Reddit: Social media and online forum giant
  • AmeriHealth: Healthcare insurance provider
  • Cooley: International law firm
  • IVP: Investment management company
  • DBS: Leading banking group in Asia
  • Kirkland & Ellis: Prestigious global law firm
  • Upstart: AI-powered lending platform

Although Cyberhaven has refrained from disclosing the exact number of customers impacted, the company strongly advised all users to take immediate precautionary steps. These included revoking and rotating passwords, regenerating API tokens, and thoroughly reviewing system logs for any signs of malicious activity.

Security Weaknesses Exploited

The attack shed light on a critical security lapse. Cyberhaven disclosed that the compromised account was the sole administrator for the Google Chrome Store, granting attackers full control over extension updates. However, the exact method used to breach this account remains unclear. The incident has prompted the company to launch a comprehensive security review, with plans to implement stricter safeguards for its account management and extension distribution processes.

To aid in the investigation, Cyberhaven has engaged Mandiant, a leading incident response firm, and is collaborating with federal law enforcement agencies. Early findings suggest the breach was part of a broader campaign targeting multiple Chrome extension developers, affecting extensions with tens of thousands of users.

Insights from Experts

Jaime Blasco, CTO of Nudge Security, emphasized that the attack appeared opportunistic rather than targeted specifically at Cyberhaven. "It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers. I think they went after the extensions that they could based on the developers’ credentials that they had," Blasco explained.

Cyberhaven echoed this assessment, pointing to public reports that suggest the attack extended across multiple organizations. While the full scope of the campaign and the identity of the perpetrators remains unclear, the incident underscores the importance of securing developer credentials and implementing rigorous monitoring processes for software supply chains.

As supply-chain attacks continue to evolve, this breach serves as a stark reminder for organizations to remain vigilant and proactive in securing their digital ecosystems.

Read more »
ZAGG
BigCommerce Credit Card Theft Data Breach e-commerce security FreshClick app payment card data ZAGG

ZAGG Inc. Data Breach Compromises Customer Payment Information

 


ZAGG Inc., a leading manufacturer of mobile accessories such as screen protectors, phone cases, and power banks, recently alerted customers about a data breach that compromised payment information. The breach occurred due to hackers infiltrating a third-party app, FreshClick, available through the BigCommerce platform.

"We learned that an unknown actor injected into the FreshClick app malicious code that was designed to scrape credit card data entered as part of the checkout process for certain ZAGG.com customer transactions between October 26, 2024, and November 7, 2024,” ZAGG stated in its notification to affected individuals.

BigCommerce Responds

BigCommerce, an Austin-based SaaS e-commerce platform, confirmed that its systems were not directly compromised. In a statement to BleepingComputer, the company explained, “Using our internal tools and in communication with the partner, we verified the third-party FreshClick app was compromised. Acting in the best interest of our customers and their shoppers, we immediately uninstalled the app in their stores, which removed any compromised APIs and malicious code.”

The FreshClick app, designed to enhance e-commerce functionality and customer experience, was exploited by malicious actors who stole sensitive shopper information, including:

  • Personal Details: Names and addresses.
  • Payment Information: Credit card data entered during the checkout process.

ZAGG’s Mitigation Measures

In response to the breach, ZAGG has implemented several remediation measures, including notifying law enforcement and offering impacted customers 12 months of complimentary credit monitoring through Experian. Customers are encouraged to:

  • Monitor financial accounts for unauthorized transactions.
  • Place fraud alerts on their credit reports.
  • Consider implementing a credit freeze for added protection.

Scope of the Breach

The company has not yet disclosed the total number of customers affected by the breach. However, it has assured its customers that steps are being taken to enhance security and prevent similar incidents in the future.

This incident underscores the vulnerabilities associated with third-party integrations in e-commerce platforms. ZAGG’s proactive measures, along with BigCommerce’s swift response in removing the compromised app, highlight the importance of collaboration in addressing cybersecurity threats and protecting customer data.

Read more »
Sensitive data
Builder.ai Data Breach database Identity Theft Sensitive data

Builder.ai Data Breach Exposes Sensitive Information of Over 3 Million Users

 

A huge data security breach has come to light, with the data platform Builder.ai. It's a service that lets organizations build their own proprietary, custom software applications, which don't need heavy programming. According to a blog post by a security researcher, sensitive information from more than three million users' accounts was inadvertently leaked to the internet, leaving an open question of what now?

Jeremiah Fowler, a cybersecurity expert known for discovering unsecured online databases, found a Builder.ai archive with over 3 million records. This archive reportedly contained 1.29 terabytes of data, including very sensitive materials such as invoices, NDAs, email screenshots, and tax documents.

Worryingly, files contained access keys and configurations of two cloud storage systems. These keys, in the wrong hands, could grant hackers access to even more sensitive data.  


What Was Exposed

The exposed database included the following:  

337,434 invoices: The documents comprised transactions between Builder.ai and its clients.

32,810 master service agreements: Most agreements included user names, e-mail addresses, IP details and project estimations of the cost associated with a particular project giving a holistic overview of their sensitive information.  


Such data left unprotected poses grave risks. This information could be used for phishing scams, identity theft, or even financial fraud by criminals. Phishing is the art of making people give up their personal information by claiming to be a trusted person. The presence of cloud storage keys in the database further increases the worry, as this may also open access to more sensitive files elsewhere.

Fowler quickly notified the company, Builder.ai. However, the company, in its defense, showed that it could not tighten the database security due to "complexities with dependent systems." It is already a month, and nobody knows if the problem persists.  

Misconfigured databases are one of the constant problems of the digital era. Companies don't realize they have a shared responsibility to secure the data when it comes to cloud services, leaving large repositories of information exposed unintentionally. 

For businesses, this is an important wake-up call regarding comprehensive cybersecurity practices- periodic checks and ensuring the databases are properly secured for users' data protection.

For users, vigilance is key. Anyone who's interacted with Builder.ai should keep an eye out on their accounts for anything weird and be on their toes for phishing scams.

And in this hyperconnected world, security breaches such as this remind us that vigilance is key, too, for companies as much as it is for their users.



Read more »
Zero-day vulnerability
Cleo data breach Clop Ransomware Gang CVE-2024-50623 exploit Data Breach data theft attack ransom payment negotiation Zero-day vulnerability

Clop Ransomware Gang Threatens 66 Companies with Data Leak After Cleo Breach

 

The Clop ransomware gang has intensified its extortion tactics following a data theft attack targeting Cleo software. On its dark web portal, the group revealed that 66 companies have been given 48 hours to meet their ransom demands.

According to Clop, the affected companies are being contacted directly with links to secure chat channels for negotiating ransom payments. Additionally, the hackers have provided email addresses for victims to initiate communication.

A notice on Clop’s data leak site lists partial names of 66 companies that have yet to engage in negotiations. The gang has threatened to reveal the full names of these companies if they continue to ignore the demands, implying that the actual number of affected organizations might be higher.

Clop exploited a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products to access data from compromised networks. This attack marks another significant breach for the ransomware group, known for targeting zero-day flaws in platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer in previous campaigns.

The vulnerability exploited in the Cleo software, tracked as CVE-2024-50623, allows remote attackers to upload and download files without restriction, enabling remote code execution. A fix is available in Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21, but a private advisory warned that hackers have been leveraging the flaw to open reverse shells on affected networks.

Earlier this month, Huntress publicly disclosed the active exploitation of the vulnerability and warned that the vendor’s fix could be bypassed. The researchers also released a proof-of-concept (PoC) to demonstrate their findings. Days later, Clop confirmed to BleepingComputer that it was behind the exploitation of CVE-2024-50623.

The ransomware group announced it would delete data from previous attacks as it shifts focus to the current wave of extortion.

Macnica researcher Yutaka Sejiyama told BleepingComputer:"Even with the incomplete company names that Clop published on its data leak site, it is possible to identify some of the victims by simply cross-checking the hacker's hints with owners of Cleo servers exposed on the public web."

While the total number of companies affected remains unclear, Cleo states that its software serves over 4,000 organizations worldwide.
Read more »
SEV
Advantech vulnerabilities Cyber Privacy Cyber Technology Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Breach Data protection nAMD System SEV

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

 


There has been an announcement of a new technique for bypassing key security protections used in AMD chips to gain access to the clients of those services. Researchers believe that hackers will be able to spy on clients through physical access to cloud computing environments. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines the trust that the cloud has in it. 

This vulnerability was announced on Tuesday. Like other branded vulnerabilities, this vulnerability is being disclosed on a website with a logo and will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025. 

There is an increasing use of encryption in today's computers to protect sensitive data in their DRAM, especially in shared cloud environments with multiple data breaches and insider threats, which are commonplace. The Secure Encrypted Virtualization (SEV) technology of AMD enables users to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure like the virtual machine manager and firmware, which is a cutting-edge technology. 

According to researchers, AMD's Secure Encrypted Virtualization (SEV) program, which protects processor memory from prying eyes in virtual machine (VM) environments, is capable of being tricked into letting someone access the contents of its encrypted memory using a test rig which costs less than $10 and does not require additional hardware. It is important to note that AMD is among the first companies to leverage the capabilities of chipset architecture to improve processor performance, efficiency, and flexibility. 

It has been instrumental in extending and building upon Moore's Law performance gains and extending them further. As a result of the firm's research, performance gains under Moore's Law have been extended and built upon, and the company announced in 2018 that the first processor would have a chipset-based x86 CPU design that was available. Researchers at the University of Lübeck, KU Leven, and the University of Birmingham have proposed a conceptually easy and cheap attack called “BadRAM”. 

It consists of a rogue memory module used to trick the CPU into believing that it has more memory than it does. Using this rogue memory module, you get it to write its supposedly secret memory contents into a "ghost" space that is supposed to contain the hidden memory contents. In order to accomplish this task, researchers used a test rig anyone could afford to buy, composed of a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules. 

The first thing they did was manipulate the serial presence detection (SPD) chip within the memory module so that it would misreport the amount of memory onboard when the device was booted up – the “BadRAM” attack. Using reverse engineering techniques to locate these memory aliases, they had access to memory contents by bypassing the system's trusted execution environment (TEE), as this created two physical addresses referencing the same DRAM location. 

According to the CVE description, the issue results from improper input validation of DIM SPD metadata, which could potentially allow an attacker with certain access levels to overwrite guest memory, as the issue is described as a result of improper input validation. It has been deemed a medium severity threat on the CVSS, receiving a 5.3 rating owing to the high level of access that a potential attacker would need to engage to successfully exploit the problem. 

According to AMD, the issue may be a memory implementation issue rather than a product vulnerability, and the barriers to committing the attack are a lot higher than they would be if it were a software product vulnerability. AMD was informed of the vulnerability by the researchers in February, which has been dubbed CVE-2024-21944, as well as relates specifically to the company’s third and fourth-generation EPYC enterprise processors. According to AMD’s advisory, the recommendation is to use memory modules that lock SPD and to follow physical security best practices. 

A firmware update has also been issued, although each OEM's BIOS is different, according to AMD. As the company has stated on several occasions, it will make mitigations more prominent in the system; there is specific information on the condition of a Host OS/Hypervisor, and there is also information available on the condition of a Virtual Machine (Guest) to indicate that mitigation has been applied.

The AMD company has provided an in-depth explanation of the types of access an attacker would need to exploit this issue in a statement given to ITPro, advising clients to follow some mitigation strategies to prevent the problem from becoming a problem. The badRAM website states that this kind of tampering may occur in several ways — either through corrupt or hostile employees at cloud providers or by law enforcement officers with physical access to the computer. 

In addition, the badRAM bug may also be exploited remotely, although the AMD memory modules are not included in this process. All manufacturers, however, that fail to lock the SPD chip in their memory modules, will be at risk of being able to modify their modules after boot as a result of operating system software, and thus by remote hackers who can control them remotely. 

According to Recorded Future News, Oswald has said that there has been no evidence of this vulnerability being exploited in the wild. However, the team discovered that Intel chips already had mitigations against badRAM attacks. They could not test Arm's modules because they were unavailable commercially. An international consortium of experts led by researchers from KU Leuven in Belgium; the University of Luebeck in Germany; and the University of Birmingham in the United Kingdom conducted the research.
Read more »
Personal Data Breach
Cybernews Data Breach Data Leak Financial Data healthcare data breach Healthcare Industry Personal Data Breach

Data Breach at Datavant Exposes Thousands of Minors to Cyber Threats

 

While cybercriminals often target adults for their valuable financial and personal information, children are not exempt from these risks. This was made evident by a recent data breach involving health IT company Datavant, which exposed sensitive information of thousands of minors. This incident highlights the vulnerabilities of even the youngest members of society in today's digital age.

The Datavant Breach: A Timeline of Events

The breach occurred in May following a phishing attack targeting Datavant employees. Hackers sent deceptive emails to trick employees into revealing their login credentials—a tactic relying on human error rather than exploiting technical vulnerabilities. While most employees recognized the phishing attempt, a few fell victim, granting attackers unauthorized access to one of the company’s email accounts.

An investigation revealed that between May 8 and 9, the attackers accessed sensitive data stored in the compromised inbox. Over 11,000 minors were affected, with stolen information including:

  • Names and contact details
  • Social Security numbers
  • Financial account details
  • Driver’s licenses and passports
  • Health information

Implications of the Breach

The stolen data poses severe risks, particularly identity theft and targeted scams. Among these, medical identity theft is particularly alarming. Hackers can use health data to file fraudulent insurance claims or manipulate medical records, which may disrupt access to healthcare services and create significant financial and administrative challenges for victims.

Unlike standard identity theft, medical identity theft carries unique dangers, such as incorrect medical information being added to a person’s records. This could lead to inappropriate treatments or delayed care, further complicating the recovery process for affected families.

Datavant’s Response

In response to the breach, Datavant has implemented additional security measures, including:

  • Strengthened cybersecurity protocols
  • Enhanced employee training on phishing awareness

While these steps aim to prevent future incidents, the emotional and financial toll on affected families remains substantial. For many, the breach represents a loss of security that is not easily restored.

Protecting Affected Families

Families impacted by the breach are advised to take proactive measures to safeguard their children’s identities, including:

  • Monitoring credit reports regularly
  • Freezing their child’s credit if necessary
  • Remaining vigilant against phishing attempts and unusual account activity

Lessons from the Breach

The Datavant breach is a stark reminder of the evolving tactics used by cybercriminals and the devastating consequences of compromised data. Organizations handling sensitive information, particularly data about children, must prioritize cybersecurity practices and invest in training to mitigate risks. For individuals, heightened awareness and vigilance are crucial defenses against potential threats.

Conclusion

As cyberattacks become increasingly sophisticated, incidents like the Datavant breach underscore the importance of robust security measures and proactive steps to protect sensitive information. The digital age brings immense benefits, but it also demands constant vigilance to ensure the safety of personal data—especially when it comes to protecting our youngest and most vulnerable populations.

Read more »
User Privacy
AWS Credentials Data Breach Data Leak Data Sale User Privacy

Misconfigured AWS Cloud Instances Lead to Sensitive Data Breaches

 

Misconfigured cloud instances have once again enabled cybercriminals to steal sensitive data, including credentials, API keys, and proprietary source code. This time, numerous Amazon Web Services (AWS) users fell victim, highlighting a lack of understanding regarding the shared responsibility model in cloud infrastructure.

Discovery of Vulnerabilities

Independent security researchers Noam Rotem and Ran Loncar uncovered open flaws in public websites in August 2024. These flaws could be exploited to access sensitive customer data, infrastructure credentials, and proprietary source code.

Data Exploitation and Sale on Telegram

Further investigation revealed that French-speaking threat actors, potentially linked to hacker groups Nemesis and ShinyHunters, scanned "millions of websites" for vulnerabilities. By exploiting these flaws, they harvested an array of sensitive information, including:

  • AWS customer keys and secrets
  • Database credentials and data
  • Git repository data and source code
  • SMTP credentials for email sending
  • API keys for services like Twilio, Binance, and SendGrid
  • SSH credentials
  • Cryptocurrency-related keys and mnemonics
  • Other sensitive access data

The stolen data was sold via a private Telegram channel, reportedly earning "hundreds of euros per breach." Investigators noted that the perpetrators might need the funds for legal defense once apprehended.

Investigation and Response

Rotem and Loncar traced the incident to specific individuals and reported their findings to Israel's Cyber Directorate and AWS Security. The researchers stated: "Our investigation has identified the names and contact information of several individuals behind this incident. This could help in further actions against the perpetrators."

AWS promptly took action to mitigate risks and emphasized that the vulnerability stemmed from user-side misconfigurations rather than AWS systems: "The AWS Security team emphasized that this operation does not pose a security issue for AWS, but rather is on the customer side of the shared responsibility model – a statement we fully agree with," vpnMentor reported.

The Shared Responsibility Model

The shared responsibility model in cloud computing divides security responsibilities between the cloud service provider and the customer. AWS ensures the security of its infrastructure, while customers are responsible for securely configuring and managing their data and applications.

Irony in Misconfiguration

Ironically, the stolen data was discovered in an unprotected AWS S3 bucket—another misconfiguration. According to the researchers: "The data collected from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by the owner. The S3 bucket was used as a 'shared disk' between the members of the attack group, based on the source code of the tools they used."

Lessons for Cloud Security

Cybersecurity experts emphasize that cloud misconfigurations remain a leading cause of data breaches. Organizations must take proactive steps to secure their cloud environments:

  • Implement strict access controls and regular audits of cloud configurations.
  • Use tools to detect misconfigurations and vulnerabilities in real-time.
  • Educate employees about the shared responsibility model and best practices for cloud security.

This incident underscores the critical need for customers to take their share of responsibility in safeguarding sensitive data and highlights the risks of negligence in cloud security practices.

Read more »
User Privacy
23andMe Data Breach Data Leak DNA Analysis Firm User Privacy

What’s Happening with 23andMe? Data Privacy and Uncertain Future

 

23andMe, a DNA analysis company, has been in turmoil lately. This September, the entire board of directors left due to differences with the CEO, and data was compromised in a 2023 hack.

Anne Wojcicki, the CEO, had previously stated that she was open to third-party acquisition ideas; however, she altered her stance this week. The company is not currently for sale, but nothing looks promising—and it's unclear what will happen to consumer data if the company fails.

Is 23andMe Data Being Sold?

So far, there has been no official indication on whether the company will be sold with or without its data. However, it is realistic to expect the company to be sold and the data to be inherited by the new owner. Something similar occurred when MyHeritage acquired Promethease, another DNA analysis company, in 2020.

Your data may already be shared with other parties. If you signed up for research projects through 23andMe, "de-identified" data about you (including genetic data) was most likely shared with research institutes and pharmaceutical firms. For example, 23andMe has a data licensing deal with GSK (formerly GlaxoSmithKline) to utilize the 23andMe database to "conduct drug target discovery and other research.”

This is not a hypothetical future scenario, but rather the existing state of the firm. These types of licensing agreements account for a significant portion of 23andMe's revenue—or plans to make money. Alternatively, they may have made money previously. They're not making much money these days.

How to Download Your Data and Delete Your Account

If you want to retain any of your data, start by logging into your account and going to your user settings page. There, you can also choose not to participate in studies. On the 23andMe Data card, click View.

To validate your identity, you’ll need to enter your date of birth. In theory, this is where you can download your data, but issues may arise. For instance, I have a 23andMe account, but I must have given the firm a false date of birth years ago. The page simply directs me to call Customer Care. This seems like a significant impediment, but here we are.

According to a Reddit user, Customer Care may request a copy of your ID for verification. This process could be problematic if you used a fake date of birth. Nonetheless, the company’s documentation indicates that if you can get past this step, you can download your data and cancel your subscription. Good luck!

Read more »
Visual Studio Code
CyberCrime cybercriminals Cyberespionage Operation Cyberhackers CyberThreat Data Breach IT Service Operation Digital Eyes Visual Studio Code

Operation Digital Eye Reveals Cybersecurity Breach

 


It has been recently reported that a Chinese group of Advanced Persistent Threats (APTs) has carried out a sophisticated cyberespionage operation dubbed "Operation Digital Eye" against the United States.  Between the end of June and the middle of July 2030, a campaign targeting large business-to-business (B2B) IT service providers in southern Europe between late June and mid-July 2024 was reported by Aleksandar Milenkoski, Senior Threat Researcher at SentinelLabs, and Luigi Martire, Senior Malware Analyst at Tinexta Cyber. 

Several threats are targeting business-to-business IT service providers in southern Europe, according to Tinexta Cyber and SentinelLabs, both of which have been tracking these activities. As a result of assessing the malware, infrastructure, techniques used, victimology, and timing of the activities, it has been concluded that there is a high likelihood that a cyberespionage actor of the China nexus conducted these attacks. 

A group of Chinese hackers has been observed utilizing Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems at large IT service providers in Southern Europe. There is no information regarding which hacker group aligned with China is behind the attacks at this time, which is complicated by the fact that many of those aligned with the East Asian nation share a multitude of toolsets and infrastructure. 

VS Code is the latest version of Microsoft's code editor that is optimized for building and debugging modern web and cloud applications that utilize modern web technologies. VS Code is a lightweight but feature-rich source code editor that runs on your desktop and is available for Windows, Mac OS X, and Linux clients. It is available on most major platforms. In addition to these built-in support technologies, it also comes with a rich ecosystem of extensions that can be used with other languages and runtimes, including JavaScript, TypeScript, and Node.js. According to companies, most breaching chains that firms observe entail using SQL injections as a first point of access for breaching systems connected to the internet, such as web applications and databases. 

To inject code into the target computer, a legitimate penetration testing tool called SQLmap was used. This tool made it possible to detect and exploit SQL injection flaws automatically. Following gaining access to the system, PHPsert was deployed, which was a PHP-based web shell that would allow them to execute commands remotely or to introduce additional payloads once they fully established access. To move laterally, the attackers used RDP and pass-the-hash attacks to migrate from one target to another, specifically using a custom version of Mimikatz ('bK2o.exe') in addition to RDP. 

Using the 'WINSW' tool, the hackers installed a portable, legitimate version of Visual Studio Code on the compromised computers ('code.exe') and set it up as a persistent Windows service to make sure it would run on every device. VSCode was configured with the tunnel parameter, enabling remote development access on the machine, and then the tunnel parameter was configured to be enabled by default. Visual Studio Code tunnels are a feature of Microsoft's Remote Development feature. 

This feature allows VSCode developers to select files on remote systems for editing and working via Visual Studio Code's remote servers. As a powerful development tool, RemoteDeveloper allows developers to run commands and access the file systems of remote devices, which makes it a viable option for developers. With the use of Microsoft Azure infrastructure for the tunnel creation and the signing of executables, trustworthy access to the network can be assured. 

"Operation Digital Eye" illustrates the concept of lateral movement using techniques linked to a single vendor or a "digital quartermaster" operating within the Chinese APT ecosystem in the form of lateral movement. During the study, the researchers discovered that the attackers used Visual Studio Code and Microsoft Azure for command-and-control (C2) to evade detection, which they considered to be a matter of good judgment. 

There has never been an observation of a suspected Chinese APT group using Visual Studio Code for C2 operations before, signalling a significant change in what China is doing about APTs. According to recent research conducted by Unit 42, it has been discovered that Stately Taurus has been abusing popular web development software Visual Studio Code in its espionage operations targeting government organizations in Southeast Asia. Defending the Chinese government from attacks by Stately Taurus, a group of advanced persistent threats (APTs) involved in cyber espionage. It seems that this threat actor relied on Microsoft's Visual Studio Code embedded reverse shell feature to gain an entry point into the target network. 

An expert in the field of security discovered this technique as recently as 2023, which is relatively new. Even though European countries and China have complex ties, there is also a great deal of cooperation, competition, and undercurrent tension in areas like trade, investment, and technology, due to the complex relationships between them. China-linked cyber espionage groups target public and private organizations across Europe sporadically to gather strategic intelligence, gain competitive advantages, as well as advance the geopolitical, economic, and technological interests of China. 

In the summer of 2024, a coordinated attack campaign dubbed Operation Digital Eye was carried out by Russian intelligence services, lasting approximately three weeks from late June to mid-July 2024. As a result of the targeted organizations' capabilities to manage data, infrastructure, and cybersecurity for a wide range of clients across various industries, they are prime targets for cyberespionage activities.

As part of Operation Digital Eye, researchers highlight how Chinese cyberespionage groups continue to pose an ongoing threat to European entities, with these actors continuing to use high-value targets as targets of espionage. Even though the campaign emphasizes the strategic nature of this threat, it is important to realize that when attackers breach organizations that provide data, infrastructure, and cybersecurity services to other industries, they gain access to the digital supply chain, allowing them to extend their influence to downstream companies. 

This exploit relies on SSH and Visual Studio Code Remote Tunnels, which were used by the attackers to execute remote commands on their compromised endpoints by using their GitHub accounts as authentication credentials and connections. By using the browser-based version of Visual Studio Code ("vscode[.]dev"), they were able to access the compromised endpoints. Despite this, it remains unclear whether the threat actors used freshly created GitHub accounts to authenticate their access to the tunnels or if they had already compromised GitHub accounts. 

In addition to mimicking, several other aspects point to a Chinese presence, including the presence of simplified Chinese comments within PHPsert, the fact that M247 provides the infrastructure for this server, and the fact that Visual Studio Code is being used as a backdoor, the last of which has been attributed to the actor who portrayed Mustang Panda. The investigation uncovered that the threat actors associated with Operation Digital Eye demonstrated a notable pattern of activity within the networks of targeted organizations. 

Their operations were predominantly aligned with conventional working hours in China, spanning from 9 a.m. to 9 p.m. CST. This consistent timing hints at a structured and deliberate approach, likely coordinated with broader operational schedules. One of the standout features of this campaign was the observed lateral movement within compromised environments. This capability was traced back to custom modifications of Mimikatz, a tool that has been leveraged in earlier cyberespionage activities. 

These tailored adjustments suggest the potential involvement of centralized entities, often referred to as digital quartermasters or shared vendors, within the ecosystem of Chinese Advanced Persistent Threats (APTs). These centralized facilitators play a pivotal role in sustaining and enhancing the effectiveness of cyberespionage campaigns. 

By providing a steady stream of updated tools and refined tactics, they ensure threat actors remain adaptable and ready to exploit vulnerabilities in new targets. Their involvement underscores the strategic sophistication and collaborative infrastructure underlying such operations, highlighting the continuous evolution of capabilities aimed at achieving espionage objectives.
Read more »
sensitive data theft
brain cipher Data Breach Data Theft Deloitte Ransomware attack Ransomware group Ransomwares sensitive data theft

Brain Cipher Ransomware Group Claims Deloitte UK Data Breach

 

Brain Cipher, a ransomware group that emerged in June 2024, has claimed responsibility for breaching Deloitte UK, alleging the exfiltration of over 1 terabyte of sensitive data from the global professional services firm. This claim has raised significant concerns about the cybersecurity defenses of one of the “Big Four” accounting firms. 

Brain Cipher’s Rising Notoriety 
 
Brain Cipher first gained attention earlier this year with its attack on Indonesia’s National Data Center, disrupting operations across more than 200 government agencies, including critical services like immigration and passport control. 

Its growing record of targeting high-profile organizations has heightened concerns over the evolving tactics of ransomware operators. 
 
Details of the Alleged Breach 

According to Brain Cipher, the breach at Deloitte UK revealed critical weaknesses in the company’s cybersecurity defenses. The group claims to have accessed and stolen more than:
  • 1 terabyte of compressed data,
  • Confidential corporate information,
  • Client records, and
  • Sensitive financial details.
Brain Cipher has promised to release detailed evidence of the breach, which reportedly includes:
  • Alleged violations of security protocols,
  • Insights into contractual agreements between Deloitte and its clients, and
  • Information about the firm’s monitoring systems and security tools.
In its statement, Brain Cipher mocked Deloitte’s cybersecurity measures, claiming, “We will show excellent (not) monitoring work and tell what tools we used and use there today.” 

Potential Implications 

If substantiated, the breach could result in:
  • The exposure of sensitive client data,
  • Confidential business information,
  • Financial records, and
  • Severe damage to Deloitte UK’s professional reputation.
Deloitte’s Response 
 
Deloitte UK has not confirmed or denied the breach. However, a company spokesperson issued a statement on December 7, 2024, downplaying the incident: 

"The allegations pertain to a single client’s external system and do not involve Deloitte’s internal network. No Deloitte systems have been impacted." The spokesperson emphasized that the company’s core infrastructure remains secure. 

Ransomware Threats Escalating 
 
Brain Cipher’s ability to target high-profile organizations demonstrates the increasing sophistication of ransomware groups. Their tactics often involve leveraging stolen data to exert pressure on victims, as seen in their apparent invitation for Deloitte representatives to negotiate via corporate email channels. 

Key Takeaways for Organizations 

This incident serves as a critical reminder for organizations to:
  • Implement advanced cybersecurity defenses,
  • Continuously monitor networks,
  • Detect potential breaches early, and
  • Stay ahead of emerging threats.
As the situation unfolds, the cybersecurity community will closely watch Brain Cipher’s next steps, particularly its promised release of evidence. For Deloitte UK and other global organizations, this incident underscores the urgent need for vigilance and robust security measures in an increasingly interconnected digital landscape.
Read more »
Ransomeware Attacks
British Telecommunication attacked cyber attacks news Data Breach Ransomeware Attacks

BT Group Confirms Cyberattack by Black Basta Ransomware Group

British telecommunications giant BT Group has confirmed it was targeted by the notorious ransomware group Black Basta in a cyberattack on its Conferencing division. The breach forced BT to isolate and shut down parts of its infrastructure to limit the damage. While BT has minimized the reported impact, Black Basta claims otherwise, alleging they exfiltrated 500GB of sensitive data during the attack. The group asserts that the stolen data includes:

  • Financial records,
  • Organizational details,
  • Non-disclosure agreements,
  • Confidential files, and
  • Personal documents.
To substantiate these claims, the group has shared screenshots, folder listings, and other materials online, threatening to leak the data unless their ransom demands are met. The exact ransom amount remains undisclosed. 
  
BT’s Response 
 
In a statement to BleepingComputer, BT emphasized its swift action to contain the breach: "We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated. The impacted servers do not support live BT Conferencing services, which remain fully operational, and no other BT Group or customer services have been affected."

The company is actively investigating the breach and is collaborating with regulatory and law enforcement agencies to address the incident. 
  
Black Basta’s Growing Threat 
 
The FBI and CISA have identified Black Basta as a significant ransomware threat. A joint report earlier this year revealed the group has attacked over 500 organizations globally since its emergence in **2021. Their victims span 12 of the 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. High-profile targets have included:
  • Hyundai Europe,
  • Capita,
  • The American Dental Association, and
  • Yellow Pages Canada.
Cybersecurity experts speculate that Black Basta originated from the disbanded Conti ransomware group, which dissolved amid geopolitical tensions stemming from the Russian invasion of Ukraine. 
  
Addressing Escalating Cyber Threats 
 
BT’s spokesperson assured the public of ongoing efforts to address the breach: "We are continuing to actively investigate all aspects of this attack and are working closely with the relevant authorities." As ransomware attacks like these continue to rise, organizations are urged to strengthen their cybersecurity defenses to safeguard critical data and operations against evolving threats. 
Read more »
Personal Information
Data Breach Data Services database Internet Personal Information

Database Service Provider Leak Results in Exposing Over 600,000 Records on Web

Database Service Provider Leak Results in Exposing Over 600,000 Records on Web


SL Data Services, a U.S.-based data broker, experienced a massive data breach, exposing 644,869 personal PDF files on the web. The leaked records included sensitive information such as personal details, vehicle records, property ownership documents, background checks, and court records. Alarmingly, the exposed files were not encrypted or password-protected.

Cybersecurity expert Jeremiah Fowler discovered the breach, identifying sample records in the 713.1 GB database. Remarkably, 95% of the documents were labeled as “background checks.”

"This information provides a full profile of these individuals and raises potentially concerning privacy considerations," Fowler stated.

Details of the Leaked Data

The breached documents contained the following sensitive information:

  • Residential addresses
  • Contact details and emails
  • Employment data
  • Full names
  • Social media accounts
  • Family members
  • Criminal record history

Fowler confirmed the accuracy of the residential addresses associated with named individuals in the leaked files.

How the Leak Happened

According to Fowler, property reports ordered from SL Data Services were stored in a database accessible via a web portal for customers. The vulnerability arose when a threat actor, knowing the file path, could locate and access these documents.

SL Data Services used a single database for multiple domains without proper segmentation. The only separation was through folders named after the respective websites. After Fowler reported the breach, database access was blocked for a week, but during that time, over 150,000 additional records were exposed. It remains unclear how long the data was publicly accessible or what information was accessed by unauthorized parties.

When Fowler contacted SL Data Services, he was only able to reach call center agents who denied the breach, claiming their systems used SSL and 128-bit encryption. Despite these assurances, the exposed records suggest serious lapses in data security practices.

The Risks of Exposed Data

Fowler warned about the dangers posed by the leaked information:

"The criminals could potentially leverage information about family members, employment, or criminal cases to obtain additional sensitive personal information, financial data, or other privacy threats."

Publicly exposed data allows threat actors to:

  • Launch phishing campaigns or social engineering attacks
  • Fake identities using stolen information
  • Target victims whose data appeared in background check documents

Staying Safe

To protect personal data when working with data brokers, Fowler recommends the following:

  1. Research Data Storage Practices
    Understand how the company stores and secures sensitive data.
  2. Conduct Vulnerability Scans
    Ensure the broker performs regular scans to detect potential security issues.
  3. Request Penetration Testing
    Verify whether the company tests its systems to prevent unauthorized access.

Conclusion

This breach underscores the importance of robust data security practices for companies handling sensitive information. By adopting proactive measures and holding data brokers accountable, both organizations and consumers can mitigate the risks of future breaches.

Read more »
Information Breach
Cyberattacks CyberCrime Cyberhackers Cyberthreats Data Breach Electric Ireland FBI GNCCB Information Breach

Woman Charged in Electric Ireland Customer Information Breach

An Irish national utility service provider, Electric Ireland, is investigating a significant data breach involving customer information. This breach, first reported last year, has led to arrests and an ongoing investigation by the Garda National Cyber Crime Bureau (GNCCB) and the Garda National Economic Crime Bureau (GNECB). The incident has raised concerns about the misuse of personal and financial data and potential risks for affected customers.

Details of the Data Breach

Electric Ireland disclosed that an employee of a company working on its behalf may have inappropriately accessed data from approximately 8,000 residential customer accounts. The compromised information includes personal and financial details, potentially exposing customers to fraud. While the company has not released the names of affected customers, it is actively identifying and contacting individuals who may be at risk. The breach has left many customers concerned about identity theft and financial security.

Electric Ireland has apologized for the breach and is providing guidance to impacted customers. Those not contacted by the company are advised to remain cautious and avoid taking immediate action until they receive official communication. In addition, Electric Ireland has encouraged customers to report any fraudulent activity related to their accounts and to consult their banks for potential security measures.

Investigative Efforts by Authorities

The Garda National Cyber Crime Bureau and GNECB are at the forefront of the investigation. The GNCCB specializes in analyzing digital evidence and has collaborated with international agencies like Europol, Interpol, and the FBI in similar cases. During the probe, investigators discovered evidence on the phone of a Nigerian national allegedly linked to the breach. Further scrutiny led to a focus on his girlfriend and her associates, indicating a wider network of individuals potentially involved in the unauthorized access of data.

The GNECB, which handles financial crime cases, is assessing the fraud's extent and coordinating with Electric Ireland to mitigate the impact on customers. Despite limited details from the authorities, the case highlights the growing challenges of safeguarding sensitive data in an increasingly digital landscape.

Company Response and Customer Guidance

In addition to addressing the data breach, Electric Ireland is dealing with separate issues of overcharging due to incorrect tariff rates and smart meter data errors. The company has issued apologies for these errors and is offering credit notes to affected customers. Regulatory authorities are reviewing the matter to ensure compliance and prevent similar occurrences in the future.

Electric Ireland remains committed to transparency and is collaborating with Garda Síochána to resolve the breach. Customers are urged to stay vigilant, monitor their financial accounts, and report any suspicious activities to the company and their banks.

Read more »
User Security
Data Breach Data Leak Data Privacy Data Theft National Public Data User Security

Over 600,000 People Impacted In a Major Data Leak

 

Over 600,000 persons were impacted by a data leak that took place at another background check company. Compared to the 2.9 billion persons impacted by the National Public Data theft, this is a minor breach, but it's still concerning. SL Data Services, the company in question, was discovered online. It was neither encrypted or password-protected and was available to the public.

Jeremiah Fowler, a cybersecurity researcher, uncovered the breach (or lack of protection on the files). Full names, residences, email addresses, employment data, social media accounts, phone numbers, court records, property ownership data, car records, and criminal records were all leaked.

Everything was stored in PDF files, the majority of which were labelled "background check." The database had a total of 713.1GB of files. Fortunately, the content is no longer publicly available, however it took some time to be properly secured. After receiving the responsible disclosure warning, SL Data Services took a week to make it unavailable. 

A week is a long time to have 600,000 people's information stored in publicly accessible files. Unfortunately, those with data in the breach might not even know their information was included. Since background checks are typically handled by someone else, and the person being checked rarely knows whose background check company was utilised, this might become even more complicated. 

While social security numbers and financial details are not included in the incident, because so much information about the people affected is publicly available, scammers can use it to deceive unsuspecting victims using social engineering.

Thankfully, there is no evidence that malicious actors accessed the open database or obtained sensitive information, but there is no certainty that they did not. Only time will tell—if we observe an increase in abrupt social engineering attacks, we know something has happened.
Read more »
User Data
Cloud Firm Cloudfare Data Breach Data Loss User Data

Faulty Upgrade at Cloudflare Results in User Data Loss

 

Cloudflare has disclosed a severe vulnerability with its logging-as-a-service platform, Cloudflare Logs, which resulted in user data loss due to an improper software update. The US-based connectivity cloud firm acknowledged that around 55% of log data generated over a 3.5-hour period on November 14, 2024, was permanently wiped out. This loss was caused by a succession of technical misconfigurations and system failures. 

Cloudflare logs collects event metadata from Cloudflare's global network and makes it available to customers for troubleshooting, compliance, and analytics. To speed up log delivery and avoid overloading users, the organisation uses Logpush, a system that collects and transmits data in manageable sums. An update to Logpush caused a series of system failures, disrupting services and resulting in data loss. 

The incident started with a configuration upgrade to enable support for an additional dataset in Logpush. A defect in the configuration generation system resulted in Logfwdr, a component responsible for forwarding logs, receiving an empty configuration. This error informed Logfwdr that no logs needed to be delivered. Cloudflare discovered the bug within minutes and reverted the update. 

However, rolling back the update triggered a separate, pre-existing issue in Logfwdr. This flaw, which was linked to a fail-safe technique designed to "fail open" in the event of configuration mistakes, caused Logfwdr to process and attempt to transmit logs for all customers, not just those with active setups. 

The unexpected rise in log processing overloaded Buftee, Cloudflare's log buffering system. Buftee is intended to keep distinct buffers for each customer to ensure data integrity and prevent interference between log operations. Under typical circumstances, Buftee manages millions of buffers worldwide. The large influx of data caused by the Logfwdr mistake boosted buffer demand by fortyfold, exceeding Buftee's capacity and rendering the system unresponsive. 

According to Cloudflare, addressing the issue needed a complete system reset and several hours of recovery time. During this time, the company was unable to transfer or recover the affected logs, which resulted in permanent data loss.

Cloudflare attributed the incident to flaws in its system security and configuration processes. While systems for dealing with such issues existed, they were not set up to handle such a large-scale failure. Buftee, for example, offers capabilities designed to handle unexpected surges in buffer demand, but these functions were not enabled, leaving the system vulnerable to overflow.

The company also stated that the fail-open mechanism in Logfwdr, which was established during the service's early development, has not been updated to match the much bigger user base and traffic levels. This error enabled the system to send logs for all clients, resulting in a resource spike that exceeded operational constraints. 

Cloudflare has apologised for the disruption and pledged to prevent similar instances in the future. The company is implementing new alerts to better detect configuration issues, improving its failover procedures to manage larger-scale failures, and doing simulations to verify system resilience under overload scenarios. 

Furthermore, Cloudflare is improving its logging design so that individual system components can better withstand cascading failures. While faults in complex systems are unavoidable, the company's priority is to minimise their impact and ensure that services recover fast. 

Last month, Cloudflare claimed successfully managing the largest recorded distributed denial-of-service (DDoS) assault, which reached 3.8 terabits per second (Tbps). The attack was part of a larger campaign aimed at industries such as internet services, finance, and telecommunications. The campaign consisted of over 100 hyper-volumetric DDoS attacks carried out over the course of a month, overwhelming network infrastructure with massive amounts of data.
Read more »
insurance
CyberCrime Cybersecurity Cyberthreats Data Breach data security HDFC insurance

HDFC Life Responds to Data Leak, Engages Cybersecurity Experts

 


According to HDFC Life Insurance, the company recently reported a cyberattack resulting in stolen confidential customer data. Cybercriminals allegedly accessed sensitive policyholder information and demanded extortion from the insurance company, so the company submitted a complaint to the South Region Cyber Police. As per the complaint, there was a breach of security at the company between November 19 and November 21, 2024. 

The cybercriminals, operating under the alias of bsdqwasdg@gmail.com and using a WhatsApp account to send unencrypted communications, managed to steal the

personal data of HDFC Life's clients. In a news release on Monday, HDFC Life Insurance Company, the country's second-largest private insurer by premiums, reported that customer information had been stolen from their system. 

In recent months, there has been a second major data breach within the insurance sector following thee leak of many gallons of personal information by Star Health & Allied Insurance a few months ago. Star Health and Allied Insurance had previously been subject to a cyberattack, as well as a forensic investigation conducted by independent cybersecurity experts, into the incident.

The data breach that occurred at Star Health's servers reportedly resulted in the sale of sensitive information about 31 million customers - an amount of 7.24 terabytes estimated - on the messaging network Telegram as part of the breach.  In its article, the Insurance Regulatory and Development Authority of India (IRDAI), which controls the insurance industry in India, had indicated that, even though insurers have not been named, it takes security breaches very seriously and is committed to continuing its engagement with the companies to ensure the interests of policyholders are protected fully. 

There was a lot of personal information leaked, including names, addresses, phone numbers, tax details, and sometimes even medical records of the insurance policyholders. It was reported that Star Health's chief information security officer (CISO), Amarjeet Khanuja, had sold the company's data for $150,000 after a hacker allegedly accessed the data through the company's network. There was another incident involving the loss of data at Tata AIG as well. 

A few days after the presidential election, HDFC Life Insurance received several emails claiming to have been sent by an anonymous sender who claimed to have stolen the sensitive information of its customers. A hacker attached data to the email that included the names, policy numbers, addresses, and phone numbers of 99 of his victims. 

As outlined in the email, unless negotiations are conducted, the data of the company will be leaked or sold to third parties. According to the hacker, the company has two days to respond to the threat and its reputation could be jeopardized. A series of messages had been sent over the weekend of November 20 and 21 by the extortionist, warning the company that if they failed to negotiate, a massive leak would occur. As stated in one of the messages, the company will have to suffer losses of "hundreds of billions of rupees" if the transaction goes through, along with a damaged reputation and regulatory pressure from the government. 

It was requested by the hacker that he pay money in exchange for preventing the exposure of the information. A security expert examined the breach and verified its authenticity with the help of HDFC Life Insurance, which then decided to engage the police and inform the appropriate authorities of the breach. 

As a result, the company has given its customers the assurance that it is taking all possible measures to ensure their information is protected and that the impact of the data theft is minimized. It was decided to file a case under sections 308(3) (extortion) as well as 351(4) (criminal intimidation) of the Bharatiya Nyaya Sanhita, 2023 along with the relevant provisions of the Information Technology Act, 2000, for the commission of the offence. 

There was a statement from HDFC Life that stated the company is committed to safeguarding the interest of its customers and will take swift action to resolve this matter. In recent months, other insurers, including Star Health Insurance and Tata AIG, have also admitted to data breaches as a result of intrusions into their systems. 

It is because of these incidents that IRDAI is constantly monitoring insurers' data security frameworks and ensuring that the necessary corrective actions are being taken as soon as possible. A growing number of cyber threats are posing serious risks to the privacy of customers and the accountability of organizations in the insurance sector. 

HDFC Life's proactive measures reflect the industry's recent push to enhance cybersecurity measures continuously to ensure that the risk of these breaches in the future is diminished. A number of cybersecurity measures have been put in place by the IRDAI to ensure that data protection is robust and that millions of policies are protected
Read more »
Subscribe to: Posts (Atom)