At a glance.
- Experts guess DarkSide behind Guess cyberattack.
- Spreadshop breached, warns customers that their data may be at risk.
- ClearBalance phished for patient data.
- Gaming venue operator Dotty's sustains data breach.
Guess breached, with data exposed.
US fashion retailer Guess has begun notifying customers that a February data breach resulted in theft of customer data, Bleeping Computer reports. The compromised data potentially includes Social Security numbers, driver's license numbers, passport numbers, and financial account numbers, and a filing with Maine's Attorney General indicates that about 1,300 people were impacted. PYMNTS adds that the retailer, which operates stores in one hundred countries globally, has beefed up its security measures and is collaborating with authorities to investigate the incident. Though Guess has not yet confirmed that the breach was the result of a ransomware attack, ZDNet notes that ransomware group DarkSide boasted on their data leak site in April that they’d stolen 200GB from the retailer in February. DarkSide ceased operations in May after their attack on Colonial Pipeline, but that fact only demonstrates how the impact of an attack can outlive its perpetrators. “The significant amount and very personal types of data being collected by the organization...is an extremely valuable dataset for cybercriminals if they want to steal identities,” stated KnowBe4 security awareness advocate Erich Kron.
Casey Ellis, CTO and founder of Bugcrowd, thinks that rapid digital transformation is often accompanied by insufficient testing, and that a "neighborhood watch" approach to security can help redress that shortfall:
“The pandemic has accelerated digital transformation for retailers and further shifted consumer buying habits online, which has expanded their attack surface and heightened the number of vulnerabilities and risks of a breach. This breach should serve as a reminder for all retailers to evaluate their security processes.
“Many retailers are relying on new systems that were built on the fly as organizations adapted to the customer requirements of the pandemic. As a result, these systems often haven’t been properly tested in high-volume transaction environments before. Speed is the natural enemy of security, and retailers must beware of increased risks of DDoS attacks, ransomware, fraudulent purchases, and phishing campaigns impersonating retailers.
“Retailers can adopt a 'neighborhood watch' approach to security, engaging outside ethical hackers and even the general public to proactively disclose vulnerabilities before cybercriminals can exploit them. This allows retailers to discover security issues before the adversary does, protect their users, and avoid a disrupting breach. As we have seen with this attack, failing to ensure security at the scale needed will grant attackers access to large quantities of customer information and data such as social security numbers, driver's license numbers, passport numbers, and/or financial account numbers, as well as the ability to inject ransomware into the retailer’s networks.”
Update, 7.14.21: Guess has clarified that it does not maintain customers' Social Security numbers, passport numbers, or driver's license numbers. Those data elements, mentioned in the company's disclosure, applied only to some employee records, not to customer information.
Spread Group exposes payment data.
Germany-based print-on-demand firm Spread Group has announced that it experienced a cyberattack that compromised customer, partner, and staff data. The exposed info includes financial data for users who made online payments via bank transfer or received commission payments from the company. Spread Group reports that their operations have not been interrupted and their systems are fully functional.
Trevor Morgan, product manager with comforte AG, thinks that personal responsibility with respect to passwords and digital hygiene is all well and good, but that businesses ought to step up and perform their own due diligence:
“The reported data breach affecting Spreadshirt, Spreadshop, and TeamShirts emphasizes just how important it is for clothing and retail vendors to protect customer data effectively. These industries thrive on online transactions, which also requires them to collect sensitive PII that threat actors are always targeting.
“Yes, it’s good to encourage that users have strong passwords and to change them from time to time, but these companies also need to carry out the due diligence of protecting the data they have already collected and processed. Keeping it secure behind a perimeter is one thing, but applying data-centric security like tokenization, which replaces sensitive data elements with innocuous tokens, helps to mitigate situations like these when data breaches actually occur. Even if hackers get their hands on tokenized sensitive data, they can’t do anything with it and thus it becomes worthless (and protects data subjects from potentially catastrophic consequences). The investment for organizations into data-centric security is a much better scenario than losing their shirts on the fallout from a data breach.”
Patient data exposed in ClearBalance phishing incident.
Becker’s Health IT reports that US medical loan provider ClearBalance is dealing with the repercussions of a March phishing attack that resulted in a third-party data breach. An intruder gained access to company email accounts and attempted an unsuccessful wire transfer of ClearBalance funds. An investigation determined that personal data was present in the infiltrated email accounts, including Social Security numbers, driver's license information, and healthcare account numbers. ClearBalance secured the email system as soon as the breach was detected, and they’ve also improved their network access controls. None of their medical record databases were impacted.
Gambling operator suffers bad beat.
US gaming venue operator Dotty’s has suffered a malware attack that leaked player data, Gambling News reports. The incident was detected in January, but Dotty’s parent company Nevada Restaurant Services (NRS) has now begun notifying customers that their personal data, including names, driver’s license numbers, and dates of birth, might have been impacted. NRS has not disclosed the number of individuals affected, but Dotty’s database contains the information of approximately 300,000 users. “We have security measures in place to protect the information in our care, and we have worked to add further technical safeguards to our environment,” NRS states.