November 9, 2021

Monthly Breach Report: November 2021 Edition

PKWARE

Businesses and retailers are gearing up for an earlier holiday shopping season this year, which puts additional stress on protecting the cardholder data of online shoppers. Some companies have already experienced breaches, including several detailed here. Plenty more could be at risk.

Another Small Online Company Targeted

Aquila Technology, a New Zealand-based online technology store, has confirmed a data breach that compromised its 12,000 customers’ personal and credit card information. Aquila provides a virtual storefront offering major national and international vendors’ technology products, including PCs, mobile phones, and business communications equipment. As of press time, Aquila could not confirm the cause and extent of the breach, but acknowledged it occurred when hackers accessed customers’ confidential information through the consumer-facing site. Aquila Technology has notified customers to reset their login password for the online store and on any other site where they may have used the same password. This advice draws focus to a cardinal rule in personal online security: Never use the same password twice.

Small online retail businesses like Aquiline are a prime target for cyber criminals. According to CPO Magazine, “half of all cyber attacks are targeted at small businesses.”  They note that “small businesses make up to 13 percent of the entire cyber security market,” and yet, “surprisingly, small businesses invest less than $500 in cyber security.” The main reasons cited by small business owners for lack of cyber security is that they “can’t afford professional IT solutions, have limited time to devote to cybersecurity, or they don’t know where to begin,” according to the US Small Business Association (SBA).

Sources

 

Luxury Retailer Attack

Luxury retainer Neiman Marcus recently alerted millions of customers that “an unauthorized party” breached their online accounts in May of 2020. The breach impact includes:

  • A total of 4.6 million customers
  • 3.1 million payment card numbers (CVV numbers were not included in the hack) and virtual gift cards
  • Names, addresses, and contact numbers
  • Usernames and passwords

The company offered relatively good news for some of their customers—85 percent of the hacked card information is expired or invalid. Also, there is no indication its subsidiaries Bergdorf Goodman or Horchow were affected. Customers were instructed to change passwords and directed to a dedicated webpage addressing the hack. Although Neiman Marcus is not offering free credit monitoring, the company offers a link to receive a credit report at no charge.

Over the last three decades, customers, unfortunately, are used to receiving notices that their personally identifiable information (PII) has been compromised in the online marketplace. And despite major security vigilance by the largest corporations, cybercriminals continue to exploit weak links. Among online cybercrimes, the top three in 2020 were phishing scams, non-payment/non-delivery swindles, and extortion, according to the Federal Bureau of Investigation (FBI).  Massive breaches subject companies like Neiman Marcus to legal liability if the crime causes harm through stolen identities or fraud.

Sources

 

Cryptocurrency Heist

In October, cryptocurrency exchange Coinbase reported that hackers heisted cryptocurrency from at least 6,000 customers. CNBC reports that one account user lost as much as $700,000. The attack on Coinbase, the largest cryptocurrency exchange in the US, occurred between March and May of this year when hackers transferred the stolen funds to crypto wallets outside of the company. The company has reimbursed customers for lost funds and worked with them to regain control of their accounts. The company acknowledged hackers exploited a flaw in the cryptocurrency exchange’s two-factor authentication system that relies on sending the code via SMS messages. The hack, however, required knowledge of customers’ email addresses, passwords, and phone numbers, as well as access to personal emails. On their company website, Coinbase stressed there is no evidence to suggest hackers breached the company itself. The culprit, they said, was phishing:

The Coinbase security team observed a significant uptick in Coinbase-branded phishing messages targeting users of a range of commonly used email service providers . . . . Though the attack was broad, it demonstrated a higher degree of success bypassing the spam filters of certain older email services . . . . The messages used a wide variety of different subject lines, senders, and content. It sometimes sent multiple variations to the same victims. Depending on the variant of email received, hackers used different techniques to steal credentials as well.

Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account.

Coinbase reminded consumers of the need to use:

  • Strong passwords
  • Password managers
  • Two-factor authentication
  • Caution and vigilance when asked to send funds or share information

Coinbase has focused on phishing and that the company had little to no culpability as part of their initial denial to reimburse losses, according to CNBC.

Sources

 

Personal Information of All Argentines up for Sale

The PII of Argentina’s entire population, 46 million people, is up for grabs to the highest bidder. In October, a hacker entered the country’s IT network and accessed its national ID database, the National Registry of Persons. Silicon.co.uk reports this database “acts as a backbone for most government queries for citizen’s personal information.” The hacker exposed the breach by boldly using a fake Twitter account to display the photos and personal details of 44 Argentinian celebrities, including the country’s president, Alberto Fernandez, and popular national soccer players Lionel Messi and Sergio Aguero. The hacker has also posted an ad on a dark web forum offering to sell the information, which includes:

  • Full names
  • ID photos
  • Home addresses
  • National ID numbers used for tax and employment purposes
  • Processing bar codes

The Argentinian government has stated the crime is not a traditional data breach—hackers did not find a way to penetrate the network. Instead, officials believe that at least one government agency employee with authorized access to the database illegally accessed the information to sell it. Eight employees are currently being investigated. Argentine officials told the public the actual database is not up for sale. Instead, they claimed the hacker would sell the information on a per-name basis, offering a lookup service. “The theory of an employee with access beyond one particular login makes more sense than an outside party sticking around attempting to use one compromised VPN indefinitely to do ongoing lookups for money,” says CPO Magazine.
The hacker, however, has contradicted the government’s assertion, according to The Record. A Record reporter contacted the hacker directly through the dark web ad. The hacker stated that the government is incorrect—they are not simply accessing the database but possess a full copy of the database. The criminal concluded with a threat: “Maybe in a few days I’m going to publish [the data of] 1 million or 2 million people.”

Sources

 

Keep your holiday shoppers protected and your business out of the headlines with expert data protection from PKWARE. See how our full suite of solutions can keep your data safe wherever it lives and moves. Request a personalized demo to learn more.

Share on social media
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements
    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024
    PKWARE March 8, 2024
  • PCI DSS 4.0 Compliance: Safeguarding the Future of Payment Security
    PKWARE February 22, 2024
  • Data Breach Report: February 2024
    PKWARE February 15, 2024