The British holiday firm, Truly Travels, has admitted to suffering a data breach due to an unsecured Amazon Web Services server. The data in the unsecured AWS server was left open to the internet for over three years, exposing the personal details of over 200,000 customers.
Many airlines allow passengers to view and make adjusts to flight details by using a unique identifier often called the booking reference, or passenger reference number, and the customers last name. Unfortunately, there are several airlines that have not implemented mechanisms that would prevent someone from obtaining the PNR through a brute force attack on an airlines' booking management system.
Hy-Vee experienced a hack that impacted some of its payment processing systems that are associated to transactions at various Hy-Vee fuel pumps and drive-thru coffee shops. Hy-Vee detected unusual and unauthorized activity on some of its PoS systems which caused them to hired a cybersecurity firm and immediately launched an investigation into the activities.
A data breach is a security incident where sensitive, protected confidential information is copied, transmitted, viewed, stolen or used by a person or persons with unauthorized access. Data breaches can involve financial information like credit card numbers or bank account details, personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
A biometrics system used to secure more than 1.5 million locations around the world – including banks, police forces, and defence companies in the United States, UK, India, Japan, and the UAE – has suffered a major data breach, exposing a huge number of records. South Korean firm Suprema runs the web-based biometric access platform BioStar 2, but left the fingerprints and facial recognition data of more than one million people exposed on a publicly accessible database.
Hospitality franchisor Choice Hotels, the parent organization of those franchise chains, has confirmed a breach in which attackers stole 700,000 guest records from a publicly available MongoDB database without a password or any authentication. The affected data includes full names, addresses, email addresses and telephone numbers. No credit cards, passwords or Social Security numbers were compromised. The database held 5.6 million records.
Online retailer CafePress, which specializes in custom T-shirts and merchandise, is reported to have suffered a data breach involving sensitive information of more than 23 million customers in February of 2019. According to HIBP (Have I Been Pwned), CafePress was hacked in February of 2019 and the personal information for 23,205,290 users was exposed including Email addresses, Names, Passwords, Phone numbers, and Physical addresses.
Cybersecurity breaches and regulatory compliance are this year’s themes. Marriott was sued and fined $124 million for their data breach back in 2014, according to The Wall Street Journal. Capital One leaked 100 million credit applications including Social Security Numbers. Both LabCorp and Quest Diagnostics exposed millions of patients’ medical records.
When malware sneaks inside your network, it needs to communicate back to the internet whether to exfiltrate sensitive datasets it found, accept commands of its evil masters or even simply let them know it has successfully infiltrated your infrastructure (with ransomware being one of the rare exceptions that doesn’t need such connection).
A selection of this week’s more interesting vulnerability disclosures and cyber security news. Such an amazing choice of juicy news articles this week! I will skip the seriously weird and rapidly escalating circumstances of the Capital One breach, and instead dive into the some of the more low key, but nevertheless interesting items. First up, and for those of you who post infosec articles, something you will understand: stock photos.
