Summer is almost over. There is almost no unleaked data left

While some were enjoying summer vacations, others were enjoying a haul of sensitive data. Cloud4Y has prepared a brief overview of the sensational data breaches this summer.

June

1.
More than 400 email addresses and 160 phone numbers, as well as 1200 login-password pairs for the personal accounts of clients of the largest transport company Fesco, have become publicly available. The amount of unique data is probably smaller, because entries may be repeated.

The logins and passwords are valid; they give access to complete information about the shipments the company performed for a specific customer, including acts of completed work and scanned invoices with stamps.

The data became public through logs left behind by the CyberLines software used by Fesco. In addition to logins and passwords, the logs also contain personal data of representatives of Fesco client companies: names, passport numbers, phone numbers.

2.
On June 9, 2019, a leak of data on 900 thousand clients of Russian banks became known. Passport data, phone numbers, places of residence and work of citizens of the Russian Federation ended up publicly accessible. Clients of Alfa-Bank, OTP-Bank and HKF-Bank, as well as about 500 employees of the Ministry of Internal Affairs and 40 people from the FSB, were affected.

The experts found two databases of Alfa-Bank clients: one contains data on more than 55 thousand clients from 2014-2015, the second contains 504 entries from 2018-2019. The second database also contains account balances, limited to the range of 130–160 thousand rubles.

July

Most people seem to be on vacation in July, so there was only one notable leak in the entire month. But what a leak it was!

3.
At the end of the month, the largest breach of bank customer data became known. The victim was the financial holding Capital One, which estimates the damage at $100-150 million. As a result of the hack, attackers gained access to the data of 100 million Capital One customers in the US and 6 million in Canada. Information from credit card applications and the data of current holders of such cards was compromised.

The company claims that the data of the credit cards themselves (numbers, CCV codes, etc.) remained safe, but 140 social security numbers and 80 bank accounts were stolen. In addition, the scammers obtained credit histories, statements, addresses, dates of birth and salaries of the clients of the financial institution.

In Canada, about a million social security numbers were compromised. The hackers also obtained card transaction data covering 23 days spread across 2016, 2017 and 2018.

Capital One conducted an internal investigation, after which it stated that the stolen information was unlikely to have been used for fraudulent purposes. Interesting: what was it used for, then?

August

Having rested in July, they returned in August with renewed vigor. So.

So much has already been said about the storage of biometrics, and here it is again ...
4.
In mid-August 2019, more than a million fingerprints and other sensitive data were leaked. Employees of the firm claim to have accessed biometric data from the Biostar 2 software.

Biostar 2 is used by thousands of companies around the world, including the London Police, to control access to secure facilities. Suprema, developer of Biostar 2, claims to be working on a solution to this problem. The researchers note that along with fingerprint records, they found photographs of people, facial recognition data, names, addresses, passwords, employment history, and records of visits to protected sites. Many of those affected are concerned that Suprema did not report the possible data breach, which would have let its customers take action locally.

In total, 23 gigabytes of data containing almost 30 million records were discovered on the network. The researchers note that biometric information can never become confidential again after such a leak. Among the companies whose data was exposed were Power World Gyms, a gym in India and Sri Lanka (113 user records including fingerprints), Global Village, an annual festival in the UAE (796 fingerprints), and Adecco Staffing, a Belgian recruitment company (15 fingerprints). The leak affected British users and companies most of all: millions of personal records became publicly accessible.

The Mastercard payment system officially notified the Belgian and German regulators that on August 19 the company recorded a data leak affecting a “large number” of customers, “a significant part of which” are German citizens. The company indicated that it took the necessary steps and deleted all the personal data of customers that ended up on the Internet. According to Mastercard, the incident is related to the loyalty program of a third-party German company.

5.
Meanwhile, our compatriots are also on the alert. As they say: "Thanks to Russian Railways, but no."
The leak of Russian Railways employee data, reported by ashotog, became the second largest in Russia in 2019. SNILS numbers, addresses, phone numbers, photos, full names and positions of 703 Russian Railways employees out of 730 have been made publicly available.

Russian Railways is checking the publication and preparing an appeal to law enforcement agencies. Passengers' personal data was not stolen, the company assures.

6.
And just yesterday, Imperva reported a leak of confidential information from a number of its customers. The incident affected users of the Imperva Cloud Web Application Firewall CDN service, formerly known as Incapsula. According to a publication on the Imperva website, the company became aware of the incident on August 20 this year after a data breach was reported for a number of customers who had accounts in the service before September 15, 2017.

The compromised information included email addresses and password hashes of users who registered before September 15, 2017, as well as API keys and SSL certificates of some customers. The company did not disclose details of how exactly the data was leaked. Cloud WAF users are advised to change their account passwords, enable two-factor authentication and implement single sign-on (SSO), as well as upload new SSL certificates and reset API keys.

While gathering information for this roundup, a thought surfaced involuntarily: how many wonderful leaks will autumn bring us?

Source: habr.com