At a glance.
- IRS accidental exposure compromises data of IRA holders.
- Samsung says data breach exposed US customer data.
- (Not-so-)instant replay reveals football fan data interception.
- Third-party data breach exposes KeyBank customer data.
IRS accidental exposure compromises data of IRA holders.
The Wall Street Journal reports that the US Internal Revenue Service (IRS) inadvertently exposed the private data of approximately 120,000 individuals. According to a letter sent to Congress on Friday, the data originated from 990-T forms, which are required for certain individual retirement account holders, and included names, contact information, and financial details. While these forms are typically confidential, data on 990-T forms from charities are shared with the public, and the IRS says the breach was caused by a human coding error that allowed the private data to be shared as well. Though the coding error occurred last year, the exposure was detected last week. The data were immediately removed upon discovery, and impacted individuals will be notified in the coming weeks. Anna Canfield Roth, the Treasury Department’s acting assistant secretary for management, stated, “The Treasury Department has instructed the IRS to conduct a prompt review of its practices to ensure necessary protections are in place to prevent unauthorized data disclosures.”
Samsung says data breach exposed US customer data.
Electronics megacorp Samsung suffered a data breach in July when an unauthorized third party accessed their systems, and the company has now confirmed that US customer data were compromised in the breach. Reuters reports that the exposed data included customer names, contact and demographic details, dates of birth, and product registration info, but the number of impacted individuals has not been disclosed. Samsung spokesperson Chris Langlois told TechCrunch that the demographic data are related to customer information used for marketing and advertising, and that the registration data include product purchase date, model, and device ID. Samsung’s FAQ page reads, “On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected. We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement.” As Bleeping Computer explains, Samsung has advised impacted individuals to be wary of any unsolicited communications requesting personal information, avoid clicking on links in suspicious emails, and review their accounts for any suspicious activity. Newsweek notes that this is Samsung’s second breach of 2022. The first incident, possibly connected to the LAPSUS$ threat group, occurred in March and exposed internal company data.
We heard from Chad McDonald, Chief of Staff and CISO of Radiant Logic, who emailed comment on the incident:
“For many organizations, breaches like this are the result of failing to manage identity data and implement strong Identity Access Management principles. It is extremely serious that an unauthorized user was able to get their hands on Samsung customers’ personal information. Many organizations suffer from identity sprawl, where identity data is spread across different applications which cannot communicate with each other, which ultimately means that systems - and therefore data - is siloed. This poses a huge security risk, with siloed systems increasing the attack surface of an organization and creating gaps for threat actors to exploit. Heavily siloed systems result in organizations failing to build complete and accurate user profiles. Security teams then struggle to properly identify users and give them the correct access, ultimately leading to security breaches such as this one on Samsung. Organizations need an Identity Access Management solution which can unify and streamline their identity data to provide complete and accurate user profiles. With complete visibility over systems, security teams are then able to properly track who should be accessing what, therefore reducing the risk of a serious breach.”
(Not-so-)instant replay reveals football fan data interception.
National Football League team the San Francisco 49ers has begun notifying over 20,000 individuals impacted in a ransomware attack carried out by threat group BlackByte the week before the Super Bowl last February. The Record by Recorded Future notes that, at the time of the breach, team representatives said the attack appeared to be limited only to its corporate network and that there was “no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.” However, according to notification letters, the subsequent investigation revealed that the breach, which lasted six days, may have compromised stadium visitor data. The team has not disclosed exactly what types of individual data were exposed, but after the attack, BlackByte posted 292 MB worth of invoices and other business documents on the ransomware gang’s leak site.
Third-party data breach exposes KeyBank customer data.
US bank KeyBank has disclosed that a July third-party breach compromised customer data including Social Security numbers, account information, names, and street addresses. The hackers infiltrated the systems of Overby-Seawell, a company that handles tracking and insurance monitoring for KeyBank clients, and gained access to the data of KeyBank home mortgage loan clients. A statement from the bank reads, “We learned recently that a vendor that supports our home lending business, Overby-Seawell Company (“OSC”), suffered a cybersecurity incident that compromised data of its corporate clients, including personal information associated with KeyBank mortgage clients. This incident does not affect any Key systems or operations.” According to WPXI, some customers were apparently unaware the breach had even occurred until now. KeyBank client James Grammer told WPXI, “I was surprised when you told me they got hacked because I didn’t even know.”
We received some comment from security industry leaders on the incident. Roger Grimes, data-driven defense evangelist at KnowBe4, commented on why the stolen data would have been attractive to the criminals. "The stolen information is definitely very valuable and likely to be used by hackers to steal money from victims," he wrote. "All potential victims should be given free credit monitoring and aggressive education in how to spot and defeat related social engineering attacks. The social engineering attacks will be coming. So, teach potential victims about the common types of attacks that they may expect, how to spot them, how to defeat and who to report the scams to."
Sami Elhini, senior product manager at Cerberus Sentinel, drew a lesson about organizational self-awareness. “Evaluating your own organization’s cybersecurity posture is not enough in our hyper connected world. As demonstrated by this attack, the posture of your close partners is also critical. It is essential that organizations that exchange sensitive information are coordinated not only in their preventative measures, but also their ability to respond quickly and effectively.”