At a glance.
- Data breach disclosures in the news.
- Indian grocery giant BigBasket's hacked customer data show up for sale on the dark web.
- Hotel booking software exposes guest information.
Breaches abound.
Informing customers or employees that their data has been compromised in a data breach is becoming a rite of passage for many companies. A small selection of notifications that have been recently issued by US organizations:
- Shipping company Matson Navigation released a statement to its employees that its network had been infiltrated by a threat actor. Human resources data including Social Security numbers and insurance info might have been exposed.
- LeMoyne College in Pennsylvania announced to its constituents that the school was one of the many involved in the infamous Blackbaud breach that occurred last summer. The attack on the Blackbaud fundraising software provider has impacted hundreds of its clients, all of whom have had the messy job of dealing with the fallout.
- Oregon architecture firm Goody Clancy & Associates suffered a cyberattack when a hacker broke into a company email account. Though it’s unclear exactly which emails were accessed, any messages and attachments are considered fair game, so the firm had to notify all potentially impacted parties.
Milk, eggs, bread, SQL database...
BloombergQuint reports that BigBasket, an Indian online grocery shopping platform, has suffered a breach possibly affecting up to 20 million customers. The breach came to light when researchers from the cyberintelligence firm Cyble discovered a BigBasket SQL database for sale on the dark web. The data, priced at $40,000, included customer login info and IP addresses. The password information might not be as valuable as it seems, as BigBasket assigns a unique password via SMS for every new login. In their official statement, the grocery platform claimed that financial data is not stored in their systems and is therefore not impacted. BigBasket is working with Crime Cell in Bengaluru to further investigate the breach.
Cybercriminals need vacations, too.
Prestige Software, a firm based in Madrid and Barcelona, Spain, has exposed the data of millions of travelers through its Cloud Hospitality hotel booking platform, reports Website Planet. As a channel manager, Cloud Hospitality automates the reservation processes of online travel giants like Expedia and Hotels.com by keeping track of hotel bookings across sites. HackRead explains that Prestige left traveler payment data and booking info unprotected on a misconfigured Amazon Web Services S3 cloud storage bucket. Though it’s unclear exactly how many customers were impacted, the exposed data goes back to 2013 and includes over ten million records. In addition to the typical dangers of identity theft or phishing scams, the impacted customers could also be at risk for reservation takeover, wherein the thief essentially hijacks the traveler’s booking to either go on vacation themselves or sell the booking to a third party.
We heard this afternoon from Warren Poschman, senior solutions architect with comforte AG, who commented:
“The Prestige breach is the latest in a long trail of data leaked due to misconfigured cloud resources and S3 buckets in particular. Historical log data was dumped to the S3 bucket and contained large amounts of PII and PCI related data. While this could have been mitigated by simply accepting the default S3 permissions to deny access, the root of the issue is that hotels and other organizations are playing with live data when they should instead be leveraging a data-centric security model to allow data to be protected as it is acquired and traverses through the organization regardless of where it is stored or accessed. Data-centric protection using technologies like tokenization allows the organization to use the protected data for day-to-day operations, analytics and data sharing – in this case it could have meant avoiding a breach entirely because the S3 bucket would have only contained de-identified, secure data.”