ReportWire

Tag: Data breaches

  • Hackers Allegedly Steal Access Tokens, Confidential Documents From European Space Agency

    The European Space Agency (ESA) suffered a security breach of its science servers, with a hacker group claiming they have stolen 200 gigabytes worth of data that includes confidential documents and source code.

    Earlier this week, ESA confirmed the breach following reports on social media. “Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community,” the space agency wrote on X.

    Although ESA says the incident had minimal impact, an alleged hacker is offering to sell 200 gigabytes of data from the agency’s servers on the BreachForums cybercrime website. The compromised data includes source code, access tokens, hardcoded credentials, Terraform files, and confidential documents, according to screenshots shared on X by French cybersecurity expert Seb Latom.

    Some of the data may be related to ESA’s upcoming space telescope Ariel, or Atmospheric Remote-sensing Infrared Exoplanet Large-survey, which is due to launch in 2029. The data for sale online compromises the security of space projects and risks the reuse of the code for malicious purposes, according to Latom.
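    The leaked material described above (access tokens, hardcoded credentials, Terraform files) is exactly what a pre-commit or repository secret scan is meant to catch before code leaves the organisation. What follows is an added example, not code from the article or from ESA: a small scanner that combines pattern rules for well-known token formats, a keyword rule for assignments such as `secret_key = "..."`, a stateful rule for Terraform `variable` blocks whose `default` carries a secret, and an entropy fallback for long random-looking strings. The Terraform sample it scans is constructed for this example; the credentials in it are documented placeholder values and the hostname is not real.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, standing in for a Terraform file found in a leaked repository.
# Every value below is a placeholder; nothing here is a real credential or host.
SAMPLE_TF = '''\
provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

variable "db_password" {
  default = "Summer2024!"
}

resource "null_resource" "deploy" {
  provisioner "local-exec" {
    command = "curl -H 'Authorization: Bearer ghp_0123456789abcdefghijklmnopqrstuvwxyz' https://api.example.invalid/deploy"
  }
}

output "region" {
  value = var.region
}
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    value: str


# Credential formats with a fixed, recognisable shape.
STRUCTURED_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Assignments whose left-hand side names a secret, e.g. secret_key = "...".
KEYWORD_ASSIGN = re.compile(
    r'(?i)\b(password|passwd|secret(?:_key)?|token|api_key|access_key)\s*=\s*"([^"]+)"'
)
# Terraform variable blocks whose name suggests a secret. Their `default` line
# only says "default", so a per-line keyword rule misses it; track the block instead.
TF_SECRET_VAR = re.compile(
    r'(?i)^\s*variable\s+"([^"]*(?:password|secret|token|key)[^"]*)"\s*\{'
)
TF_DEFAULT = re.compile(r'^\s*default\s*=\s*"([^"]+)"')
# Fallback: any long quoted string whose entropy looks like key material.
QUOTED = re.compile(r'"([^"]{20,})"')
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys sit above, prose sits below


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_secret_var: Optional[str] = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        before = len(findings)
        for rule, pat in STRUCTURED_RULES:
            for m in pat.finditer(line):
                findings.append(Finding(lineno, rule, m.group(0)))
        m = KEYWORD_ASSIGN.search(line)
        # Skip the keyword rule when a structured rule already flagged the same value.
        if m and not any(f.line == lineno and f.value == m.group(2) for f in findings):
            findings.append(Finding(lineno, "keyword-assignment", m.group(2)))
        if in_secret_var is not None:
            dm = TF_DEFAULT.match(line)
            if dm:
                findings.append(Finding(lineno, "terraform-variable-default", dm.group(1)))
            if line.strip() == "}":
                in_secret_var = None
        else:
            vm = TF_SECRET_VAR.match(line)
            if vm:
                in_secret_var = vm.group(1)
        # Entropy fallback only for lines nothing else caught, to avoid duplicates.
        if len(findings) == before:
            for qm in QUOTED.finditer(line):
                if shannon_entropy(qm.group(1)) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(lineno, "high-entropy-string", qm.group(1)))
    return findings


def redact(value: str) -> str:
    """Show only enough of a secret to locate it in the file, never the whole value."""
    return (value[:4] + "..." + value[-2:]) if len(value) > 8 else "***"


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TF):
        print(f"line {f.line:>3}  {f.rule:<28} {redact(f.value)}")
```

    Run as a pre-commit hook, a scanner like this blocks the commit; run over a leaked archive during incident response, its output is the list of credentials to rotate first. The entropy fallback is deliberately last and only fires on lines no other rule matched, which keeps the noise down without losing keys in unfamiliar formats.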

    Wanted for cybercrime

    This isn’t the first time ESA’s servers have been compromised. In December 2024, hackers created a fake payment page on the agency’s online shop to gain access to customers’ information. In 2015, a hacker group breached several ESA websites to collect the information of the agency’s staff and hundreds of subscribers.

    The cybersecurity attacks against ESA have all affected platforms hosted outside the agency’s internal network. Still, the pattern of incidents suggests that the agency’s handling of its externally hosted systems and data needs improvement.

    ESA’s American counterpart, NASA, has also suffered its fair share of security breaches over the years. The latest one took place in 2018 when hackers gained access to personal information, including social security numbers, belonging to the agency’s staff members.

    ESA says it has initiated a forensic security analysis and put measures in place to secure any potentially affected devices. “All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available,” the space agency added.

    Passant Rabie

  • Hundreds of People With ‘Top Secret’ Clearance Exposed by House Democrats’ Website

    The sensitive personal details of more than 450 people holding “top secret” US government security clearances were left exposed online, new research seen by WIRED shows. The people’s details were included in a database of more than 7,000 individuals who have applied for jobs over the last two years with Democrats in the United States House of Representatives.

    While scanning for unsecured databases at the end of September, an ethical security researcher stumbled upon the exposed cache of data and discovered that it was part of a site called DomeWatch. The service is run by the House Democrats and includes video streams of House floor sessions, calendars of congressional events, and updates on House votes. It also includes a job board and résumé bank.

    After the researcher attempted to notify the House of Representatives’ Office of the Chief Administrative Officer on September 30, the database was secured within hours, and the researcher received a response that simply said, “Thanks for flagging.” It is unclear how long the data was exposed or whether anyone else accessed the information while it was unsecured.

    The independent researcher, who asked to remain anonymous due to the sensitive nature of the findings, likened the exposed database to an internal “index” of people who may have applied for open roles. Résumés were not included, they say, but the database contained details typical of a job application process. The researcher found data including applicants’ short written biographies and fields indicating military service, security clearances, and languages spoken, along with details like names, phone numbers, and email addresses. Each individual was also assigned an internal ID.

    “Some people described in the data have spent 20 years on Capitol Hill,” the researcher tells WIRED, noting that the information went beyond a list of interns or junior staffers. This is what made the finding so concerning, the researcher says, because they fear that if the data had fallen into the wrong hands—perhaps those of a hostile state or malicious hackers—it could have been used to compromise government or military staffers who have access to potentially sensitive information. “From the perspective of a foreign adversary, that is a gold mine of who you want to target,” the security researcher says.

    WIRED reached out to the Office of the Chief Administrative Officer and House Democrats for comment. Some staff members WIRED contacted were unavailable because they have been furloughed as a result of the ongoing US government shutdown.

    “Today, our office was informed that an outside vendor potentially exposed information stored in an internal site,” Joy Lee, spokesperson for House Democratic whip Katherine Clark, told WIRED in a statement on October 22. DomeWatch is under the purview of Clark’s office. “We immediately alerted the Office of the Chief Administration Officer, and a full investigation has been launched to identify and rectify any security vulnerabilities.” Lee added that the outside vendor is “an independent consultant who helps with the backend” of DomeWatch.

    Lily Hay Newman, Matt Burgess

  • Exposed United Nations Database Left Sensitive Information Accessible Online

    A database containing sensitive, sometimes personal information from the United Nations Trust Fund to End Violence Against Women was openly accessible on the internet, revealing more than 115,000 files related to organizations that partner with or receive funding from UN Women. The documents range from staffing information and contracts to letters and even detailed financial audits about organizations working with vulnerable communities around the world, including under repressive regimes.

    Security researcher Jeremiah Fowler discovered the database, which was not password protected or otherwise access controlled, and disclosed the finding to the UN, which secured the database. Such incidents are not uncommon, and many researchers regularly find and disclose examples of exposures to help organizations correct data management mistakes. But Fowler emphasizes that this ubiquity is exactly why it is important to continue to raise awareness about the threat of such misconfigurations. The UN Women database is a prime example of a small error that could create additional risk for women, children, and LGBTQ people living in hostile situations worldwide.

    “They’re doing great work and helping real people on the ground, but the cybersecurity aspect is still critical,” Fowler tells WIRED. “I’ve found lots of data before, including from all sorts of government agencies, but these organizations are helping people who are at risk just for being who they are, where they are.”

    A spokesperson for UN Women tells WIRED in a statement that the organization appreciates collaboration from cybersecurity researchers and combines any outside findings with its own telemetry and monitoring.

    “As per our incident response procedure, containment measures were rapidly put in place and investigative actions are being taken,” the spokesperson said of the database Fowler discovered. “We are in the process of assessing how to communicate with the potential affected persons so that they are aware and alert as well as incorporating the lessons learned to prevent similar incidents in the future.”

    The data could expose people in multiple ways. At the organizational level, some of the financial audits include bank account information, but more broadly, the disclosures provide granular detail on where each organization gets its funding and how it budgets. The information also includes breakdowns of operating costs, and details about employees that could be used to map the interconnections between civil society groups in a country or region. Such information is also ripe for abuse in scams since the UN is such a trusted organization, and the exposed data would provide details on internal operations and potentially serve as templates for malicious actors to create legitimate-looking communications that purport to come from the UN.

    Lily Hay Newman

  • The Slow-Burn Nightmare of the National Public Data Breach

    Data breaches are a seemingly endless scourge with no simple answer, but the breach in recent months of the background-check service National Public Data illustrates just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now beginning to come into focus with National Public Data finally acknowledging the breach on Monday just as a trove of the stolen data leaked publicly online.

    In April, a hacker known as USDoD, who has a history of selling stolen information, began hawking a trove of data on cybercriminal forums for $3.5 million that they said included 2.9 billion records and impacted “the entire population of USA, CA and UK.” As the weeks went on, samples of the data started cropping up as other actors and legitimate researchers worked to understand its source and validate the information. By early June, it was clear that at least some of the data was legitimate and contained information like names, emails, and physical addresses in various combinations.

    The data isn’t always accurate, but it appears to consist of two troves: one that includes more than 100 million legitimate email addresses along with other information, and a second that includes Social Security numbers but no email addresses.

    “There appears to have been a data security incident that may have involved some of your personal information,” National Public Data wrote on Monday. “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024 … The information that was suspected of being breached contained name, email address, phone number, Social Security number, and mailing address(es).”

    The company says it has been cooperating with “law enforcement and governmental investigators.” NPD is facing potential class action lawsuits over the breach.

    “We have become desensitized to the never-ending leaks of personal data, but I would say there is a serious risk,” says security researcher Jeremiah Fowler, who has been following the situation with National Public Data. “It may not be immediate, and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the bottom line is that a storm is coming.”

    When information is stolen from a single source, like Target customer data being stolen from Target, it’s relatively straightforward to establish that source. But when information is stolen from a data broker and the company doesn’t come forward about the incident, it’s much more complicated to determine whether the information is legitimate and where it came from. Typically, people whose data is compromised in a breach—the true victims—aren’t even aware that National Public Data held their information in the first place.

    In a blog post on Wednesday about the contents and provenance of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties that know the truth are the anonymous threat actors passing the data around and the data aggregator … We’re left with 134M email addresses in public circulation and no clear origin or accountability.”

    Lily Hay Newman

  • Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages

    A group calling itself “NullBulge” published a 1.1-TB trove of data late last week that it claims is a dump of Disney’s internal Slack archive. The data allegedly includes every message and file from nearly 10,000 channels, including unreleased projects, code, images, login credentials, and links to internal websites and APIs.

    The hackers claim they got access to the data from a Disney insider and named the alleged collaborator. A person with that name who lists Disney as their current employer did not return WIRED’s request for comment. Whether the hackers actually had inside help remains unconfirmed; they could also have plausibly used info-stealing malware to compromise an employee’s account. Disney did not confirm the breach or return multiple requests for comment about the legitimacy of the stolen data. A Disney spokesperson told the Wall Street Journal that the company “is investigating this matter.”

    The data, which appears to have been first published on Thursday, was posted on BreachForums and later taken down, but it is still live on mirror sites.

    Roei Sherman, field CTO at Mitiga Security, says he isn’t surprised that a giant like Disney could have a breach of this scale and significance. “Companies are getting breached all the time, especially data theft from the cloud and software-as-a-service platforms,” he says. “It is just easier for attackers and holds bigger rewards.”

    Sherman, who reviewed the data in the leak, added that “all of it looks legit—a lot of URLs, conversations of employees, some credentials, and other content.”

    The NullBulge site says that it is a “hacktivist group protecting artists’ rights and ensuring fair compensation for their work.” The group claims it hacks only targets that violate one of three “sins.” First: “We do not condone any form of promoting crypto currencies or crypto related products/services.” Second: “We believe AI-generated artwork harms the creative industry and should be discouraged.” And third: “Any theft from Patreons, other supportive artist platforms, or artists in general.”

    The group’s “wall of knowledge,” where it lists its data dumps, summarizes the philosophy: “What better way to punish someone than getting them in trouble eh?” Previously, the group targeted the Indian content creator Chief Shifter with a “first shaming.” Then in May, NullBulge posted a “second punch” and teased the Disney breach. “Here is one I never thought I would get this quickly … Disney. Yes, that Disney,” NullBulge wrote, suggesting that the group may be a single person. “The attack has only just started, but we have some good shit. To show we are serious, here is 2 files from inside.”

    In addition to the alleged Slack data, NullBulge posted what appears to be detailed information about the individual whom they claim provided the insider access and data. The leak includes medical records and other personally identifying information, plus the alleged contents of the alleged Disney employee’s 1Password password manager. NullBulge claims to have doxxed the individual in retaliation for cutting off communication and access, although whether the employee actually collaborated with the group in the first place remains unconfirmed.

    Security researchers have long warned about corporate Slack accounts as a treasure trove for attackers if compromised. The popular team communication platform is owned by Salesforce and is used by an array of prominent organizations, including IBM, Capital One, Uber, and Disney rival Paramount.

    “Disney will probably be targeted a lot more now by opportunistic threat actors,” Sherman warns.

    Lily Hay Newman

  • Citrix software bug leads to outages at 60 credit unions

    Digital banking functions at approximately 60 credit unions have been interrupted by a ransomware attack on a third-party service provider, but there is no evidence that consumer data has been misused, according to the company whose system was compromised.

    Ongoing Operations, a credit union information-technology firm, says it experienced a cybersecurity incident on Nov. 26. Ongoing Operations added that it has “no evidence of any misuse of information,” although it is “reviewing the impacted data to determine exactly what information was impacted and to whom that information belonged.”

    Neither Ongoing Operations nor its parent company, Trellance, responded to requests for comment.

    A spokesman for the National Credit Union Administration confirmed the number of affected entities in a statement Tuesday, adding that the regulatory agency is “in close contact with affected credit unions.” He also said member deposits at affected federally insured credit unions are covered up to $250,000.

    The incident was a ransomware attack, according to a Nov. 30 statement from Maggie Pope, the CEO of Mountain Valley Federal Credit Union in Peru, New York. Pope said the next day that online banking and bill-pay services had been interrupted by the attack, but members could still use their debit cards and get cash from ATMs or in a branch. Online banking remains down for the credit union.

    The core-banking software provider FedComp notified Mountain Valley of the attack against Trellance, according to Pope. FedComp did not respond to a request for comment.

    FedComp’s own services appear to have been disrupted by the attack. Its data center was “experiencing technical difficulties and is under a country wide outage,” according to a notice on the company’s website Nov. 30 that was later removed but is still visible as a Google cached file.

    FedComp said at the time that “Trellance is still working on resolving the issue.” FedComp has not clarified whether its data center is still disrupted, but one credit union said Tuesday it expected to regain access to its own FedComp server “soon.”

    The credit union, NY Bravest Federal Credit Union, serves New York firefighters and is based in Albany. It uses FedComp’s core-banking services and has been affected by the attack against Trellance. NY Bravest was anticipating an estimate on Tuesday regarding when its services would return, according to a notice on its website.

    NY Bravest told members it “went above and beyond” in responding to the outage to ensure members “felt as little disruption as possible,” claiming the credit union built its own database after the disruption to give staff and members who reached out to the credit union up-to-date balances.

    “While the other credit unions that were affected by this outage sat and waited, NY Bravest FCU went above and beyond and ensured members felt as little disruption as possible,” the credit union’s notice said.

    Before the ransomware attack, Ongoing Operations had failed to patch a vulnerability in NetScaler ADC and NetScaler Gateway (formerly Citrix ADC and Citrix Gateway), the application-delivery and remote-access appliances, according to Kevin Beaumont, a cybersecurity researcher who until October served as head of cybersecurity operations at the telecommunications company Vodafone.

    Cloud Software Group, the company that owns NetScaler, warned users on Oct. 10 about the NetScaler vulnerability, later dubbed Citrix Bleed, saying it could result in “unauthorized data disclosure.” Cloud Software Group provided information about how to patch the vulnerability with the announcement.

    On the 0-to-10 CVSS scale used to rate the severity of cybersecurity vulnerabilities, Citrix rated the NetScaler vulnerability a 9.4, which falls in the “critical” band at the top of the scale.

    On Oct. 23, Cloud Software Group followed up by saying it had reports of “targeted attacks” exploiting the Citrix Bleed vulnerability. A month later, on Nov. 21, federal agencies including the FBI warned that the ransomware group LockBit and its affiliates had been exploiting Citrix Bleed, emphasizing that the move could allow bad actors to “bypass password requirements and multifactor authentication.”

    Ongoing Operations is not the only firm that appears to have neglected these warnings about Citrix Bleed. An attack last month against the U.S. arm of the Industrial and Commercial Bank of China (ICBC), which prevented some U.S. debt brokers from conveying trade contracts, also stemmed from the Citrix Bleed vulnerability, according to a report by The Wall Street Journal.
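    Citrix Bleed is tracked as CVE-2023-4966. The flaw lets an unauthenticated request read session tokens out of the appliance’s memory, which is why the advisory describes it as bypassing passwords and multifactor authentication: the attacker replays an already-authenticated session rather than logging in. The first thing a defender wants after warnings like the ones above is a list of which appliances are still on an unfixed build. The following is an added example and not code from the article, from Citrix or from Cloud Software Group: it parses NetScaler build strings of the form used in the vendor bulletin (for example `13.1-49.15`, as reported by `show ns version`) and compares each against the minimum fixed build for its branch. The fixed-build table is reproduced from memory of the vendor bulletin and should be confirmed against the current bulletin before it is relied on; the inventory and hostnames are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Build(NamedTuple):
    """A NetScaler release string such as 13.1-49.15, ordered as a plain tuple."""
    major: int
    minor: int
    build: int
    patch: int


BUILD_RE = re.compile(r"(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_build(text: str) -> Build:
    """Pull the first major.minor-build.patch string out of a version banner."""
    m = BUILD_RE.search(text)
    if not m:
        raise ValueError(f"no NetScaler build string in {text!r}")
    return Build(*(int(g) for g in m.groups()))


# Minimum builds carrying the Citrix Bleed fix, keyed by (major, minor, is_fips).
# Reproduced from memory of the vendor's October 2023 bulletin; confirm against the
# current bulletin. Branches absent from this table (notably 12.1 non-FIPS, already
# end of life at the time) received no fix and must be treated as vulnerable.
FIXED_BUILDS: Dict[Tuple[int, int, bool], Build] = {
    (14, 1, False): Build(14, 1, 8, 50),
    (13, 1, False): Build(13, 1, 49, 15),
    (13, 0, False): Build(13, 0, 92, 19),
    (13, 1, True): Build(13, 1, 37, 164),
    (12, 1, True): Build(12, 1, 55, 300),
}


def assess(version_text: str, fips: bool = False) -> str:
    """Classify one appliance as fixed, vulnerable, or on a branch with no fix."""
    b = parse_build(version_text)
    fixed = FIXED_BUILDS.get((b.major, b.minor, fips))
    if fixed is None:
        return "vulnerable-unsupported"
    # NamedTuple comparison is lexicographic: (13,1,48,47) < (13,1,49,15).
    return "fixed" if b >= fixed else "vulnerable"


# Constructed inventory: (hostname, version banner, is_fips). None of these hosts exist.
INVENTORY = [
    ("vpn-1.example.invalid", "NetScaler ADC 13.1-48.47", False),
    ("vpn-2.example.invalid", "NetScaler ADC 13.1-49.15", False),
    ("adc-core.example.invalid", "NetScaler ADC 14.1-8.50", False),
    ("adc-fips.example.invalid", "NetScaler ADC 13.1-37.159", True),
    ("legacy.example.invalid", "NetScaler ADC 12.1-65.39", False),
]


def triage(inventory) -> Dict[str, str]:
    """Map hostname -> assessment for every appliance in the inventory."""
    return {host: assess(banner, fips) for host, banner, fips in inventory}


def needs_action(inventory) -> List[str]:
    """Hosts that must be upgraded (or retired, if their branch has no fix)."""
    return sorted(h for h, state in triage(inventory).items() if state != "fixed")


if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host:<28} {state}")
```

    Patching closes the leak but does not invalidate sessions that were already exfiltrated, so upgrading is only half the job: the vendor’s post-upgrade guidance was to terminate existing sessions on the appliance (for example `kill aaa session -all` and `kill icaconnection -all` on the NetScaler CLI) and then review authentication logs for sessions reused from unexpected source addresses during the exposure window.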

    For his part, Beaumont pointed out multiple pathways for preventing vulnerabilities like Citrix Bleed and the fallout they can produce, including having software vendors better secure their products and outlawing ransom payments. At the moment, he said, ransomware actors — often teenagers receiving huge sums of money in ransom payments — are far more powerful than they ought to be thanks to companies accepting ransomware attacks as somewhat normal.

    “We shouldn’t have normalized ransomware like we have, especially given the escalating nature of the problem,” Beaumont said.

    Carter Pape

  • TitleMax hack exposes 4.8 million customers’ data

    TMX Financial, which operates title loan brand TitleMax and other services, publicly disclosed on Thursday that it suffered a data breach exposing the personal information of 4.8 million people, including their Social Security numbers.

    The company said in a letter to affected consumers that it detected suspicious activity on Feb. 13 and concluded on March 1 that there had been a breach starting in December. Hackers stole the data between Feb. 3 and Feb. 14, according to the letter.

    The specific information involved in the breach, according to TMX, “may have” included names, dates of birth, passport numbers, driver’s license numbers, federal or state identification card numbers, tax identification numbers, Social Security numbers, financial account information, phone numbers, street addresses and email addresses.

    One measure financial companies can take to protect personally identifiable information (PII) on consumers is to collect less of it, according to James McQuiggan, a security awareness advocate for cybersecurity awareness training platform KnowBe4.

    “One of the most critical steps companies can take to protect PII is collecting only the data necessary to conduct business and storing it securely so unauthorized parties cannot access it,” said McQuiggan. “Organizations should also ensure that any third-party vendors or partners they work with are implementing strong cybersecurity measures.”

    Among financial companies, the breach is the largest so far this year to be reported to the Maine attorney general’s office, which publishes reports about data breaches affecting any Maine resident.

    The data breach is not the only trouble TMX has faced this year. The Consumer Financial Protection Bureau announced on February 23 that it would fine TitleMax $10 million for violating the Military Lending Act. TitleMax allegedly provided title loans to military families illegally and, oftentimes, by charging nearly three times the 36% annual interest rate cap, according to the CFPB — a practice that it has allegedly engaged in since 2016.

    Debt collector NCB Management Services also reported a large data breach earlier this month. On March 24, the company told the Maine attorney general that hackers stole data from 490,000 consumers, specifically information about their ID cards and Bank of America credit card accounts. That breach did not impact Bank of America’s systems, NCB emphasized in a letter to affected consumers.

    So far this year, 10 other financial companies have reported data breaches affecting more than 500 people. The bank or credit union with the largest breach so far this year is Hatch Bank, which had 140,000 consumers’ data stolen. In that case, hackers exploited a zero-day vulnerability in file-transfer software known as GoAnywhere, according to a letter the bank sent to affected customers.

    Carter Pape

  • Meta faces record EU privacy fines

    This Christmas is bound to be an expensive one for U.S. tech giant Meta.

    The Big Tech firm looks set to soon face a huge regulatory bill for all three of its social networks, Facebook, WhatsApp and Instagram. Europe’s privacy regulator body, the European Data Protection Board, is expected to issue decisions on Monday that target the three platforms, after which Meta’s lead regulator in Ireland will issue a final decision within a month.

    The detail and possible value of the monetary penalty will remain under wraps until then, but the triplet of fines could add up to over €2 billion, financial statements by Meta indicate — setting a new record for the highest fines under the European Union’s feared General Data Protection Regulation (GDPR) received by a single company in one go.

    According to filings in Ireland, Meta has set aside €3 billion for EU privacy fines in 2022 and 2023. Its platform Instagram was already hit with a €405 million fine in September for violating children’s privacy, and Facebook has so far accumulated €282 million in penalties for data breaches as well as a €60 million fine from the French data protection authority. That leaves well over €2 billion earmarked by the firm for regulatory action.

    That’s a substantial hit for Meta, which announced last month it was laying off 11,000 employees globally amid lower sales and major costs linked to the firm’s pivot to the metaverse.

    Beyond hitting Meta’s pocket, the three fines expected within weeks could also put a bomb under its broader business model. The decisions stem from complaints filed by Austrian activist Max Schrems accusing the company of failing to have proper legal grounds to process millions of Europeans’ data. If the final decisions invalidate Meta’s argument that it’s processing data as part of a contract with users, the company would have to seek another legal basis for its data-fuelled ad targeting model.

    The cases have also revealed deep fissures between Europe’s data watchdogs.

    Ireland’s data protection commission largely backed Meta’s argument that it could claim it needs data to fulfill a “contract” with its users to provide personalized ads, in its draft decision issued a year ago. But that reasoning has long put Ireland in the minority amongst its colleagues. The Norwegian data protection authority said the Irish interpretation would render European data protection law “pointless,” according to a document obtained by POLITICO last year. The Irish regulator was also alone in voting against EU guidelines that banned companies from using the contract legal basis to use data to target ads.

    The three decisions are likely to lay into the Irish regulator’s initial position and, more worryingly for Meta, amp up the pressure for the company to go scrambling for new legal ways to gather and process data on Europeans.

    Meta also still faces an ongoing, high-profile probe into the company’s transfers of Europeans’ data to the U.S.

    Meta declined to comment. It can still appeal the fines coming out of the coming decisions.

    Vincent Manancourt
