IRS accidental data exposure. Samsung discloses data breach. Data breach sacks 49ers. Third-party data breach exposes KeyBank customer data.

Summary

By the CyberWire staff

At a glance.

IRS accidental exposure compromises data of IRA holders.
Samsung says data breach exposed US customer data.
(Not-so-)instant replay reveals football fan data interception.
Third-party data breach exposes KeyBank customer data.

IRS accidental exposure compromises data of IRA holders.

The Wall Street Journal reports that the US Internal Revenue Service (IRS) inadvertently exposed the private data of approximately 120,000 individuals. According to a letter sent to Congress on Friday, the data originated from 990-T forms, which are required for certain individual retirement account holders, and included names, contact information, and financial details. While these forms are typically confidential, data on 990-T forms from charities are shared with the public, and the IRS says the breach was caused by a human coding error that allowed the private data to be shared as well. Though the coding error occurred last year, the exposure was detected last week. The data were immediately removed upon discovery, and impacted individuals will be notified in the coming weeks. Anna Canfield Roth, the Treasury Department’s acting assistant secretary for management, stated, “The Treasury Department has instructed the IRS to conduct a prompt review of its practices to ensure necessary protections are in place to prevent unauthorized data disclosures.”

Samsung says data breach exposed US customer data.

Electronics megacorp Samsung suffered a data breach in July when an unauthorized third party accessed their systems, and the company has now confirmed that US customer data were compromised in the breach. Reuters reports that the exposed data included customer names, contact and demographic details, dates of birth, and product registration info, but the number of impacted individuals has not been disclosed. Samsung spokesperson Chris Langlois told TechCrunch that the demographic data are related to customer information used for marketing and advertising, and that the registration data include product purchase date, model, and device ID. Samsung’s FAQ page reads, "On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected. We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement.” As Bleeping Computer explains, Samsung has advised impacted individuals to be wary of any unsolicited communications requesting personal information, avoid clicking on links in suspicious emails, and review their accounts for any suspicious activity. Newsweek notes that this is Samsung’s second breach of 2022. The first incident, possibly connected to the LAPSUS$ threat group, occurred in March and exposed internal company data.

We heard from Chad McDonald, Chief of Staff and CISO of Radiant Logic, who emailed comment on the incident:

“For many organizations, breaches like this are the result of failing to manage identity data and implement strong Identity Access Management principles. It is extremely serious that an unauthorized user was able to get their hands on Samsung customers’ personal information. Many organizations suffer from identity sprawl, where identity data is spread across different applications which cannot communicate with each other, which ultimately means that systems - and therefore data - is siloed. This poses a huge security risk, with siloed systems increasing the attack surface of an organization and creating gaps for threat actors to exploit Heavily siloed systems result in organizations failing to build complete and accurate user profiles. Security teams then struggle to properly identify users and give them the correct access, ultimately leading to security breaches such as this one on Samsung. Organizations need an Identity Access Management solution which can unify and streamline their identity data to provide complete and accurate user profiles. With complete visibility over systems, security teams are then able to properly track who should be accessing what, therefore reducing the risk of a serious breach.”

(Not-so-)instant replay reveals football fan data interception.

National Football League team the San Francisco 49ers has begun notifying over 20,000 individuals impacted in a ransomware attack carried out by threat group BlackByte the week before the Super Bowl last February. The Record by Recorded Future notes that, at the time of the breach, team representatives said the attack appeared to be limited only to its corporate network and that there was “no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.” However, according to notification letters, the subsequent investigation revealed that the breach, which lasted six days, may have compromised stadium visitor data. The team has not disclosed exactly what types of individual data were exposed, but after the attack, BlackByte posted 292 MB worth of invoices and other business documents on the ransomware gang’s leak site.

Third-party data breach exposes KeyBank customer data.

US bank KeyBank has disclosed that a July third-party breach compromised customer data including Social Security numbers, account information, names, and street addresses. The hackers infiltrated the systems of Overby-Seawell, a company that handles tracking and insurance monitoring for KeyBank clients, and gained access to the data of KeyBank home mortgage loan clients. A statement from the bank reads, “We learned recently that a vendor that supports our home lending business, Overby-Seawell Company (”OSC”), suffered a cybersecurity incident that compromised data of its corporate clients, including personal information associated with KeyBank mortgage clients. This incident does not affect any Key systems or operations.” According to WPXI, some customers were apparently unaware the breach had even occurred until now. KeyBank client James Grammer told WPXI, “I was surprised when you told me they got hacked because I didn’t even know.”

We received some comment from security industry leaders on the incident. Roger Grimes, data-driven defense evangelist at KnowBe4, commented on why the stolen data would have been attractive to the criminals. "The stolen information is definitely very valuable and likely to be used by hackers to steal money from victims," he wrote. "All potential victims should be given free credit monitoring and aggressive education in how to spot and defeat related social engineering attacks. The social engineering attacks will be coming. So, teach potential victims about the common types of attacks that they may expect, how to spot them, how to defeat and who report the scams to."

Sami Elhini, senior product manager at Cerberus Sentinel, drew a lesson about organizational self-awareness. “Evaluating your own organization’s cybersecurity posture is not enough in our hyper connected world. As demonstrated by this attack, the posture of your close partners is also critical. It is essential that organizations that exchange sensitive information are coordinated not only in their preventative measures, but also their ability to respond quickly and effectively.”

Selected Reading

LAUSD hit by hackers in apparent cyber attack (FOX 11 Los Angeles) LAUSD reveals hackers targeted the district in an apparent cyber attack. Officials suspect the incident was "criminal in nature."

Privacy advocates unhappy with Fog Reveal App pattern-of-life tracker (USA Herald) The Fog Reveal app is being used by police agencies nationwide without a search warrant. And there are definite privacy issues.

IRS mistakenly published confidential info for roughly 120K taxpayers (Security Affairs) The Internal Revenue Service (IRS) mistakenly leaked confidential information for approximately 120,000 taxpayers. Bad news for approximately 120,000 taxpayers who filed a form 990-T as part of their tax returns, the Internal Revenue Service has accidentally leaked their confidential information. Form 990-T is a form that a tax exempt organization files with the IRS to report its unrelated business income and to figure the tax owed on that income. On Friday, the IRS announced it has […]

IRS Says It Exposed Some Confidential Taxpayer Data on Website (Wall Street Journal) The IRS revealed it had inadvertently disclosed information about more than 100,000 taxpayers in a database available on its website.

Fremantle apologise for AFL data breach (Bega District News) Fremantle have apologised for an embarrassing ticketing data breach that resulted in the personal details of members being...

‘Disgusted’: Dockers fans fume over ticketing data breach (The West Australian) Fans have been left reeling after their personal information and ticket barcodes were sent to the wrong members, resulting in a grovelling apology from the club.

More than 20,000 SSNs stolen during ransomware attack on San Francisco 49ers (The Record by Recorded Future) The San Francisco 49ers began sending breach notification letters out yesterday to more than 20,000 people who had their SSNs leaked during a ransomware attack on Super Bowl Sunday.

Samsung says some U.S. customer data was exposed in July breach (Reuters) Samsung Electronics Co suffered a cybersecurity breach in late July that exposed personal information of some customers in the United States, the company said on Friday.

Samsung suffers second data breach of year; here's what was exposed (Newsweek) Samsung said that the recent data breach did not reveal consumers' Social Security numbers or credit and debit card information.

Samsung says customer data stolen in July data breach (TechCrunch) The technology giant said the incident occurred in late-July.

Irish watchdog fines Instagram 405M euros in teen data case (KSAT) Irish regulators are slapping Instagram with a big fine after an investigation found the social media platform mishandled teenagers’ personal data.

Walmart is facing a class action suit for allegedly violating an Illinois privacy law by using surveillance cameras and Clearview AI's facial recognition database (Business Insider) Walmart is facing a class action lawsuit over its alleged use of surveillance cameras and Clearview AI's facial recognition database.