October 2017 : Security Breaches

Information Security

Data security breaches that occurred or were disclosed in October 2017.

Disqus

The popular commenting system was breached in 2012. Disqus was notified by Troy Hunt, a security expert who obtained a copy of the data. According to the company, the exposed data dates from 2007 and involves 17.5 million users. The stolen user information includes email addresses, usernames, sign-up dates and last logins. About one third of them, approximately 5.8 million users, also had their passwords exposed. At least the passwords were not in clear text: they were salted and hashed, although with the now weak SHA-1 algorithm. Disqus seems to have handled the situation well, with a public disclosure within 24 hours, and asked the affected users to reset their account password. The company also mentioned that it now uses the bcrypt algorithm, which is current best practice.
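The difference between the two schemes the paragraph mentions, as an added example (not code from the original post or from Disqus): a fast salted SHA-1 hash, a deliberately slow password hash, and the usual upgrade-on-login migration from one to the other. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which needs a third-party package; its iteration count plays the same role as bcrypt's cost factor. The stored-record format (`scheme$...`) and the sample password are constructed for the example.

```python
"""Added example: legacy salted SHA-1 vs a slow password hash, with upgrade-on-login.

PBKDF2-HMAC-SHA256 (standard library) is used here as a stand-in for bcrypt.
The "scheme$params$salt$digest" record format is an assumption for this demo.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor: number of PBKDF2 iterations. Raise it as hardware gets faster;
# bcrypt's cost parameter serves the same purpose.
PBKDF2_ROUNDS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    # A single SHA-1 over salt+password. The salt defeats precomputed tables,
    # but one SHA-1 is so cheap that offline guessing stays fast.
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def slow_hash(password: str, salt: Optional[bytes] = None,
              rounds: int = PBKDF2_ROUNDS) -> str:
    # Per-user random salt plus a tunable work factor: each guess costs
    # `rounds` HMAC computations instead of one hash.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored record of either scheme."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha1":
        salt_hex, _digest = rest.split("$")
        candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2":
        rounds, salt_hex, _digest = rest.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(rounds))
    else:
        raise ValueError(f"unknown hash scheme: {scheme}")
    # Constant-time comparison so verification does not leak matching prefixes.
    return hmac.compare_digest(candidate, stored)


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify a login; on success with a legacy record, return a re-hashed record.

    Returns (ok, record_to_store). The plaintext is only available at login
    time, so that is the only moment a legacy hash can be migrated.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, slow_hash(password)
    return True, stored


if __name__ == "__main__":
    # Constructed sample user: an old SHA-1 record that gets upgraded on login.
    old_record = legacy_sha1_hash("correct horse", os.urandom(16))
    ok, new_record = login_and_upgrade("correct horse", old_record)
    print(ok, new_record.split("$")[0])  # True pbkdf2
```

In a real deployment the password field is the only thing that changes: the same `verify`/`login_and_upgrade` pair lets old records coexist with new ones until every active user has logged in once, and the remaining legacy records can then be forced through a reset.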

Far Eastern International Bank

Malware infected this Taiwanese bank and instructed its SWIFT terminal to move $60 million into different bank accounts based in Sri Lanka, Cambodia and the United States. SWIFT is the main global banking network through which banks exchange funds between them. This is not the first incident of its kind: a well-known breach in 2016 at a Bangladeshi bank involved an attempt to steal $951 million. The Far Eastern International Bank was able to retrieve most of the funds. Largely because of the 2016 breach, SWIFT has developed more stringent security requirements for its customers with the Customer Security Programme (CSP), but many banks are still in the process of getting certified.

Accenture

This is another big name in the IT consulting industry. Accenture offers consulting services to the largest organizations and is often seen as a leader in cloud consulting services. UpGuard reported that AWS S3 buckets were configured for public access. In total, 4 buckets were available to everyone. These buckets contained confidential API data, customer information, private keys, 40 000 passwords mainly in clear text and even logs from a monitoring solution. One bucket contained more than 137 gigabytes of data.

Yahoo!

Remember the data breach that occurred in 2013 at Yahoo? The company first disclosed that someone had accessed information on one billion accounts. This number was revised by Verizon, now the parent company of Yahoo, to 3 billion accounts. The usual information could be retrieved: names, email addresses and hashed passwords. Some of the hashes were reportedly still computed with the weak MD5 algorithm.

Hyatt Hotels

Attackers were able to obtain data from payment cards manually entered or swiped at the front desk. This occurred between March 18, 2017, and July 2, 2017, in 41 properties across 11 countries. As expected, the cardholder name, card number, expiration date and verification code could be obtained. This is the second security breach for this company.

Pizza Hut

About 60 000 customers might have been impacted by a security breach that would have occurred from the morning of October 1, 2017, to midday on October 2, 2017. The data included customer names, billing postal codes, delivery addresses, email addresses and payment card information. Pizza Hut notified impacted customers by email only 2 weeks after the incident and is offering them a free credit monitoring service for a year.

South Africa

66 million records on South Africans were obtained. Wait, isn't the population only about 56 million people? The obtained database also included 9 million people with a deceased status. The database was openly available on a web server owned by Jigsaw Holdings and was probably bought from a credit bureau in 2014. The available information includes South African ID number, name, gender, age, location, marital status, estimated income, address, phone numbers, employers, etc.

Patient Home Monitoring Corporation

An estimated 150,000 American patient files were available through an unsecured AWS S3 bucket. It is hard to know for how long this bucket was publicly accessible, but Kromtech Security researchers discovered the exposure on September 29, 2017. The bucket held 47.5 gigabytes of data, about 316,000 PDF files, mainly blood test results. These documents contained names, addresses, contact information, dates of birth, diagnoses and names of physicians. All of this information is strictly regulated by the Health Insurance Portability and Accountability Act (HIPAA).
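Both the Accenture and the Patient Home Monitoring incidents above come down to the same misconfiguration: an S3 bucket whose ACL or bucket policy grants access to everyone. The following is an added example (not code from the original post, from UpGuard or from Kromtech) of the check a defender would run over bucket metadata to catch that before someone else does. It works on plain dictionaries shaped like the responses of boto3's `get_bucket_acl` and `get_bucket_policy` calls, so it runs offline; the two sample buckets and their ACLs and policy are constructed for the example, and the `AllUsers` and `AuthenticatedUsers` group URIs are the real AWS ones.

```python
"""Added example: flag S3 buckets that are readable by everyone.

Input shapes mirror boto3's get_bucket_acl / get_bucket_policy responses
(an assumption of this demo; no AWS calls are made). Sample data is constructed.
"""
import json
from typing import Dict, List, Optional, Tuple

# Real AWS predefined groups that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _principal_is_public(principal) -> bool:
    # Principal may be "*" or {"AWS": "*"} or {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def acl_findings(acl: dict) -> List[str]:
    """Grants to the AllUsers / AuthenticatedUsers groups are public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def policy_findings(policy: dict) -> List[str]:
    """Allow statements with a wildcard principal open the bucket to anyone."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (e.g. restricting the source VPC endpoint) may narrow the
        # statement, so it is reported separately rather than silently ignored.
        suffix = " (has Condition, review it)" if st.get("Condition") else ""
        findings.append(f"policy allows {', '.join(actions)} to everyone{suffix}")
    return findings


def audit_bucket(acl: dict, policy_json: Optional[str]) -> List[str]:
    findings = acl_findings(acl)
    if policy_json:
        findings += policy_findings(json.loads(policy_json))
    return findings


def audit_all(buckets: Dict[str, Tuple[dict, Optional[str]]]) -> Dict[str, List[str]]:
    """Map bucket name -> list of public-access findings (empty list = clean)."""
    return {name: audit_bucket(acl, pol) for name, (acl, pol) in buckets.items()}


# Constructed sample inventory: one private bucket, one leaky bucket.
OWNER_ONLY_ACL = {
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"}]
}
LEAKY_ACL = {
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"},
               {"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-leaky/*"}]
})
SAMPLE_BUCKETS = {
    "example-private": (OWNER_ONLY_ACL, None),
    "example-leaky": (LEAKY_ACL, LEAKY_POLICY),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(name, "->", findings or "no public access")
```

Wired to a real account, the two sample dictionaries would be replaced by the output of `list_buckets`, `get_bucket_acl` and `get_bucket_policy` for each bucket, and the same two functions would produce the findings; the point is that both the ACL and the policy have to be checked, because either one alone can make a bucket world-readable.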

Microsoft

When you are a major company that develops software and hardware, you have a central database somewhere to track and document all vulnerabilities related to your products. Of course, this database contains critical information about your products, and you would rather keep it secret. Well, this database at Microsoft was hacked in 2013.
