Hello and welcome to the May edition of NewsScam. It has been an active month, so let's dive right in! Unfortunately, May was popular for data leaks and data breaches and that's due to some pretty big organizations announcing they were victims: Toyota, Dish Network and T-Mobile, to name a few.
The top automaker, Toyota, recently disclosed it leaked millions of customer records for more than ten years. The data leak is being blamed on a misconfigured cloud bucket. Another noteworthy incident was at Dish Network, which recently announced in a data breach notification it had "received confirmation" that data stolen by threat actors in a February ransomware attack was deleted. This suggests the company had paid a ransom. Then we jump over to telecoms giant T-Mobile, which reported its second data breach of the year. Still, it's worth remembering T-Mobile was supposedly hacked more than 100 times last year, so let's hope it gets its cybersecurity posture under control, and soon, to prevent further incidents.
In addition, London-based international business process outsourcing provider, Capita, also reported a data breach. As many as 350 U.K. pension funds may have been affected by the incident, which could make it one of the worst breaches in British history. Victims range from consumer products giant Unilever and popular UK retailer Marks and Spencer, to numerous local government agencies.
But we can also mention a recent ransomware incident at manufacturing giant ABB. In May, the firm reported it was recently impacted by a Black Basta ransomware attack that interrupted ABB's business operations. (It turns out that the Black Basta ransomware group is also responsible for the April cyber attack at German arms company Rheinmetall.)
In a new low for hackers, threats were made against a five-year-old in an attack on industrial cybersecurity firm Dragos (I am turning on my “what is wrong with you??” sign). The incident appears to have emanated from a hacked email of a new Dragos employee. No Dragos systems were compromised, including those connected to the Dragos Platform.
Finally, an interesting end to the case of Uber's former CSO, Joe Sullivan. He was given three years’ probation by a U.S. federal judge earlier this month following a headline-grabbing conviction last year over his handling of a data breach in 2016. In that incident, hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers. The court ultimately decided against giving Sullivan any prison time, despite a “tense hearing” regarding how cybersecurity executives should handle law enforcement investigations.
Toyota Ten: Top automaker leaked customer data for more than a decade
Toyota has disclosed that for more than 10 years, a misconfigured cloud bucket left more than 2.15 million customer records exposed to the open Internet.
According to the disclosure, the sensitive data from Toyota's cloud-based Connected services was open to unauthorized access from November 2013 to this April. The Toyota Connected offering allows drivers to stream entertainment, use location data to find stolen vehicles, receive flash maintenance reminders, and send for emergency help in case of an accident.
Toyota spokesperson Hideaki Homma told Associated Press that the Connected service breach only impacts customers in Japan. Any unauthorized access to the data would not identify individual customers, the carmaker said in its statement, adding that there has not been any observed use or abuse of the data by a third party.
Did Dish Pay a Ransom? Sure Sounds Like It Did.
Dish Network said in a data breach notification this week that it had "received confirmation" that data stolen by threat actors in a February ransomware attack was deleted, suggesting the company had paid the ransom.
The satellite television provider revealed on 28 February via an 8-K filing that it had suffered a ransomware attack. Dish initially reported network and service disruptions on 23 February, and it was one of many major U.S. enterprises hit by ransomware attacks that month. In the 8-K filing, the company revealed that the attack affected internal servers and communications, including customer call centers and Dish websites, and that personal data might have been affected.
A breach notification letter sent to those affected this week provided additional clarification regarding the nature of the attack. Dish said customer databases were not accessed during the attack, but it had confirmed that "certain employee-related records and personal information (along with information of some former employees, family members and a limited number of other individuals) were among the data extracted."
In addition, the notification letter included language suggesting Dish paid the ransom.
T-Mobile suffers another data breach. Are they going for a record??
T-Mobile has revealed a second data breach that occurred in 2023, which reportedly exposed customer data and account PINs, leaving many T-Mobile users vulnerable to potential fraud and identity theft.
The attack started on 24 February and lasted until 30 March, and affected 836 customers. “In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023,” T-Mobile explained in a letter to customers affected by the breach.
The company assured customers that no personal financial account information or call records have been compromised.
Capita Data Breach Reverberates Across Britain
Capita has warned the pension schemes of Marks and Spencer, Diageo, Unilever and Rothesay that their members’ personal data was likely to have been stolen by hackers during a cyber-attack at the UK outsourcer. The pension funds were among hundreds of private sector retirement schemes that used Capita to support their pension administration services. The M&S pension scheme said on Thursday the attack may have affected the security of personal data for a “large proportion” of scheme members including the “majority” of pensioners who had worked at the retailer. Meanwhile, Derby city council became the latest local authority to reveal that it had been affected by a separate data security incident in which files, including details on benefit payments, were left exposed on an unsecured Amazon Data Bucket controlled by Capita. The council said it was reviewing its arrangements with Capita.
According to an article in Bleeping Computer, “BleepingComputer has learned from multiple employees that the ransomware attack has affected the company’s Windows Active Directory, affecting hundreds of devices.”
Multinational tech firm ABB hit by Black Basta ransomware attack
Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.
Headquartered in Zurich, Switzerland, ABB employs approximately 105,000 employees and had $29.4 billion in revenue for 2022. As part of its services, the company develops industrial control systems (ICS) and SCADA systems for manufacturing and energy suppliers.
Not a good look: Hackers Attempt to Extort Dragos’ CEO's Family, including a 5-year-old
A cybercriminal group obtained contracts from cybersecurity firm Dragos Inc. as part of an extortion attempt that involved contacting the chief executive officer’s wife and 5-year-old.
Dragos excels in offering cybersecurity services for industrial control systems, including power grids, water treatment facilities, and pipelines. According to the reports, a newly hired Dragos salesperson’s email account was compromised, giving hackers access to internal documents. The company didn’t compensate the hackers. No Dragos systems were compromised, including those connected to the Dragos Platform.
Dragos stopped the hackers from deploying ransomware, which was thought to be their primary objective, and from further infiltrating the company’s network.
Ex-Uber CSO given three-year probation sentence, avoids prison after guilty verdict
Former Uber chief security officer Joe Sullivan was given three years’ probation by a U.S. federal judge on Thursday following a headline-grabbing conviction last year over his handling of a data breach.
Federal judge for the Northern District of California William Orrick decided against giving Sullivan any prison time in a tense hearing that involved deep debates over how cybersecurity executives should handle law enforcement investigations.
A federal jury convicted Sullivan of two charges related to his attempted cover-up of a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.
Uber was mandated by the Federal Trade Commission to report all breaches after a 2014 hack exposed the names and driver's license numbers of 50,000 people.