Security Breach Report: May 15, 2015

As organizations continue to lobby for increased regulations and protections in the U.S. and in other parts of the world, we bring you some of the latest news in cyber security and data breaches resulting from network vulnerabilities, social engineering attacks, and insider threats.

• Last month, point-of-sale (POS) vendor Harbortouch announced a data breach related to malware-infected POS systems used in restaurants and bars. According to KrebsOnSecurity, more than 4,200 customers across the U.S. have been impacted.
• The Hard Rock Hotel & Casino Las Vegas recently announced that credit card payment systems at some of its retail and service locations were compromised between September 2014 and April 2015. According to the company’s legal representatives, approximately 173,000 unique debit and credit cards were used at the affected locations during the breach time frame, but it’s not clear how much information (including names, account numbers, and CVV codes) was stolen.
• Sally Beauty, an international retailer and distributor of professional beauty supplies, has confirmed a data breach resulting from an illegal intrusion into payment systems used in some of its U.S. stores. The company said it is working with affected customers but that it cannot reveal any further details.
• Budget airline Ryanair revealed last month that hackers siphoned £3.3M from one of its bank accounts. According to the company, the funds were taken via a fraudulent electronic transfer from a Chinese bank.
• In an emerging story first reported by CNN Money, a whistleblower at Tiversa, a cyber security company, has accused his former employer of faking security breaches and hacking attacks in order to extort business. Tiversa has denied these claims, including a series of events that put medical testing company LabMD out of business.
• Following a tip received from an anonymous source, KrebsOnSecurity is reporting a significant data breach at mSpy, a developer of mobile spying software. According to the report a “huge trove of data” — including user emails, location data, and payment information — appears to have been stolen from the company’s servers and posted on the DeepWeb.
• Email delivery service SendGrid announced that network intruders gained access to corporate servers as well as customer and employee user names, email addresses, and passwords earlier this year. According to The Hill, SendGrid sends 18 billion online messages per month.
• The U.S. Senate is concerned that personally identifiable information of U.S. citizens may have been compromised in recent White House network intrusions. According to Senator John Thune, visitors to the White House often submit personal details — including Social Security numbers and addresses — via email in order to obtain clearance.
• Since April, three educational institutions — the University of California Berkley, Metropolitan State University, and Auburn University — have announced data breaches that, together, compromised the personal information of more than 500,000 individuals.  
• UK officials were investigating an incident at the Manchester Airport after cellphone video was released showing that a planeload of passengers on a flight from Madrid were able to enter the country without having their passports checked.
• Weaponized Microsoft Word documents masquerading as resumes have been discovered on the CareerBuilder website. According to reports, the attackers were using the malware-laden files to gain access to cash-transfer systems and information with black-market value.
• Premera Blue Cross is facing at least five class-action lawsuits as a result of a data breach it disclosed in March. According to the company, a cyber attack in May 2014 compromised a system that housed medical records of 11 million customers. Participants in the suits claim that Premera was negligent in protecting personal data and in providing timely notification of the breach.
• The Irish Times reported that the country’s Department of Social Protection mistakenly sent personal data — including bank statements and payslips — of three strangers to a Limerick man who had requested his own information.
• In mid-March, Advantage Dental notified more than 150,000 customers that a hacker had breached a database that contained their personal information. The company stated that a malware infection opened the system to unauthorized access for a few days in late February 2015.
• Approximately 98,000 customers of the Army and Air Force Exchange Service (AAFES) concessionaire in Germany were victims of a data breach that was discovered after an “unidentified individual” emailed the compromised data to AAFES headquarters. The data was related to mobile phones and telecommunication services managed by SIGA Telecom, including accounts of 27,500 current customers.
• A social engineering attack compromised information associated with 50 to 70 Rogers Communications business accounts. An IT support agent was reportedly tricked into revealing the access credentials of one of the company’s account managers. Contracts and other details related to the medium-sized business were posted to an anonymous Twitter account within days of the attack.
• More than 39,000 individuals were impacted by the theft of two backup drives belonging to the Indiana State Medical Association (ISMA). According to ISMA, the drives — which held life insurance databases and assorted personal information — were stolen during transport to an offsite storage facility.

Want to lower your organization’s end-user security risk? Research from the Aberdeen Group has shown that Wombat’s Continuous Training Methodology can change behaviors and reduce business risk and impact by up to 50%.