Crypto Exchange Gemini Confirms Third-Party Data Breach

 

Cryptocurrency exchange Gemini has issued a warning about a data breach incident that resulted from a cyberattack at its Automated Clearing House (ACH) service provider. The identity of the attacker was kept confidential. On June 26, 2024, the American cryptocurrency exchange started notifying the affected parties. 

A sample of the letters was sent to the California Attorney General's Office yesterday. The notice states that between June 3 and June 7, 2024, an unauthorised actor gained access to the systems of Gemini's vendor, resulting in a third-party data breach.

The incident impacted some of Gemini's customers' banking details, including their full name, bank account number, and routing number, which Gemini utilized for ACH fund transfers. 

According to the cryptocurrency exchange, no additional information, including date of birth, physical address, social security number, email address, phone number, username, or password, was hosted on the service provider's systems or compromised.

The data breach incident has been contained, and an outside team of experts is assisting with the inquiry. As of right now, no other details are available. Recipients of the notices are urged to watch for any suspicious activity involving the disclosed data and to be wary of incoming messages.

In order to safeguard against future hacks, users are also advised to activate multi-factor authentication on the bank accounts they gave Gemini and get in touch with their bank to request the implementation of additional safety precautions or a new account number.

If suspicious or unauthorised activity is identified on the impacted bank account, notify the bank immediately. Gemini also suggests that letter recipients consider placing scam alerts or security freezes on their credit reports, but it has not provided any identity theft protection services to the affected individuals. Gemini issued a statement following publication, stating that the incident impacted 15,000 individuals.

"The incident at a third party involved information of approximately 15K Gemini customers," Gemini stated. "Although we notified the customers involved out of an abundance of caution, our analysis found no evidence of customer impact.”

Fidelity Faces Second Data Breach Linked to Third-Party Provider: Infosys McCamish

 

Fidelity Investments Life Insurance Company (FILI) faces another data breach challenge as it discloses a breach affecting a significant number of individuals. The breach, linked to third-party service provider Infosys McCamish (IMS), heightens worries over data security in today's digital landscape. 

Approximately 28,268 individuals have been notified by Fidelity regarding the breach. Although IMS could not pinpoint the exact data accessed, it is suspected to include sensitive information like names, Social Security numbers, states of residence, bank account and routing numbers, and dates of birth. 

This unfortunate incident marks the second instance this year alone where Fidelity has had to inform customers of data compromise due to a third-party breach involving IMS. Last month, Bank of America faced a similar ordeal following a ransomware attack on IMS, affecting over 57,000 customers. 

Remarkably, the data accessed in both breaches appears to be of a similar nature, prompting concerns over the underlying vulnerability in IMS's systems. As investigations into the breach continue, questions loom over whether IMS's woes are linked to the same cyber incident. 

What exactly is a third-party data breach? 

Essentially, it occurs when a vendor or supplier's system is compromised, resulting in the theft of data belonging to you or your organization. This means that even though you may have entrusted your data to a third party for various services or goods, their system becomes a target for cybercriminals. 

But who exactly are these third parties? 

They are organizations with which your company has established a business relationship to provide goods, access, or services for your use. These critical third parties often require access to sensitive data to fulfil their services, thereby increasing your company's attack surface. 

Why is this a cause for concern? 

Well, when a critical third party experiences a breach, it can have severe repercussions for your organization. Not only does it compromise the security of your data, but it also exposes you to significant risks. This underscores the importance of thoroughly vetting and monitoring third-party vendors to mitigate potential security threats. 

In essence, understanding third-party data breaches is crucial for safeguarding your organization's data and reputation. By implementing robust security measures and carefully managing your business relationships, you can better protect yourself against the risks posed by third-party breaches. 

A Little Background on Fidelity

Fidelity Investments, headquartered in Boston, Massachusetts, has been a powerhouse in the financial services sector since its founding in 1946. Boasting $4.3 trillion in assets under management and $10.3 trillion under administration as of December 2022, Fidelity is globally recognized as one of the largest asset managers. Offering a comprehensive suite of financial solutions, including brokerage services, mutual funds management, investment advice, retirement planning, wealth management, and life insurance, Fidelity caters to a wide range of clients, from individual investors to institutional entities. 

Despite its robust security measures, the company has encountered cybersecurity challenges in the form of occasional breaches, impacting its operations and raising concerns about the security of customer data.

Apple warns app developers over screen recording





Apple has given an ultimatum to app developers who secretly record their customers' screens: quit snooping or get kicked off the App Store.

The company took this decision after TechCrunch reported that apps such as Expedia, Hollister, and Hotels.com are using third-party analytics software to record a user's taps and swipes on the screen.

The report also mentioned that none of the apps obtained explicit permission from users to record screen activity, nor did they disclose that they use such software.

According to the report, most of these apps use an analytics tool called Glassbox, which performs what is known as "session replaying": it records all of the user's activity and lets snoopers replay how a user interacted with the app. The tool is a complete violation of Apple's privacy policies.

In a statement, Apple said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store review guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging or otherwise making a record of user activity. We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”

Reacting to the claims, however, Glassbox said that it is not interested in 'spying' on customers and that its goal is to improve online experiences.

“Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on websites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling. We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded — just as contact centres inform users that their calls are being recorded.”

Over 30 Thousand Patient Records Exposed; Third-Party Breach To Blame




Cybercriminals recently hit another healthcare target. Managed Health Services (MHS) of Indiana Health Plan recently went public about a third-party data breach that exposed the personal details of 31,000 patients.


This breach resulted from one of two security incidents that the institution had to face.



The organization runs two major healthcare programs: Indiana's Hoosier Healthwise and Hoosier Care Connect Medicaid.


MHS was informed of the breach by one of its vendors. Someone had illegitimately gained access to employees' email accounts.


Disconcertingly, according to reports, the unauthorized access occurred between July and September of last year.


The investigation initiated by MHS found that patients' personal data, including names, insurance ID numbers, dates of birth, dates of services provided, and addresses, was potentially exposed.


As the investigation unfolded, it was discovered that the incident was caused by a phishing attack on the vendor's system.


The vendor took rapid steps to counter the attack with the aid of a computer forensics company.


Some of the information in the affected email accounts was readily accessible. The “hacked” email accounts were the main source of the exposed information.


Phishing is the easiest way to harvest personal data, and a phishing attack anywhere in the chain can affect everyone involved.


As a result of this knock-on effect along the chain, 31,000 people had their data exposed.


Reportedly, this is the fourth attack on health plans in the last month alone.


Such an attack makes it evident that the healthcare industry badly needs better management and cyber security systems.