At a glance.
- Possible data leak at the University of Kashmir.
- Insurance company vulnerable to data exposure.
- Third-party data breach hits Priority Health.
Possible data leak at the University of Kashmir.
The Kashmir Monitor reports that the University of Kashmir has launched a probe into an alleged data leak. “Just spotted an alleged database of The University of Kashmir being sold on a hacking forum. Threat actor goes by the name “ViktorLustig” selling the database of @KmrUniversity for $250. He shared a Database index showing what he has,” said Abhishek Verma, a journalist at DroidMaze, in a tweet. According to a subsequent tweet from Verma, it is revealed that if the database is legitimate, the threat actor has student information, registration numbers, emails, passwords, employees, and more data. The administrator of the forum asserts that the database is legitimate, but the university claims that in their preliminary investigation, they found the data to be unmodified. A spokesperson for the university said, “The alleged breach is being analyzed and as per the preliminary analysis, it has been found that the data is unmodified. Any breach on data read (which is already accessible in the public domain) is being analyzed in-depth and depending upon the analysis, University will take further course of action and take an appropriate legal recourse accordingly.”
Insurance company vulnerable to data exposure.
A cybersecurity startup has found critical vulnerabilities in a major Indian insurance broker’s network, the AP reports. CyberX9, the startup that discovered the vulnerabilities, did what any ethical hackers would do and gave Policybazaar, the brokerage involved, time to remedy the flaws and inform the authorities. CyberX9 did not ask to test the system, rather, they believed they were justified in their access because they were customers of the brokerage. Policybazaar notified India’s stock exchange of the breach, and noted that there was “no significant customer data” exposure. It also says it patched the vulnerabilities. CyberX9 says that the accessible data were more than just phone numbers, addresses, and emails – they also included scans of photo identifications, and health and financial documents such as tax returns, bank statements, and birth certificates, since these are all collected when people apply for insurance.
It is unclear how this will pan out for CyberX9, as India’s laws draw little distinction between ethical hacking and malicious hacking. Apar Gupta, executive director of the nonprofit Internet Freedom Foundation, said, “There is ambiguity in the law — it says you can’t test without permission and only after that can you probe.” Security experts seem to find CyberX9’s actions justified because they were customers, as long as they did their evaluation responsibly. The startup says they would be pleased to receive a “bug bounty” for their work, although none has been paid.
Third-party data breach hits Priority Health.
Priority Health, a plan serving over one million members in Michigan each year, issued a notice about a third-party data breach that took place at law firm Warner Norcross & Judd (WNJ) in October of 2021. HealthITSecurity reports that unauthorized activity was discovered on the law firm’s network on October 22, 2021, and steps were taken to secure the network. The firm disclosed the incident to Priority Health on June 6, 2022. While there has been no evidence of misuse of the breached data, data affected included first and last names, pharmacy and claim information, drug names, and prescription dates from certain prescriptions filled in 2012. Over 120,000 Priority Health members were impacted. The notice from the firm stated, “WNJ has sent notification of the incident to potentially impacted individuals and has provided resources to assist them.”