At a glance.
- Pegasus spyware used in Mexico.
- Former employee exposes data of US banking giant.
- Kiwi healthcare network experiences cyberattack.
- Samsung hit with class action data breach lawsuit.
Pegasus spyware used in Mexico.
The Citizen Lab reports that Mexican digital rights organization Red en los Defensa de los Derechos Digitales (R3D) has uncovered that Pegasus spyware was used to track the devices of journalists and a human rights defender. This is not the first instance of Pegasus targeting in Mexico; in 2017, the Citizen Lab partnered with R3D to release a series of reports on widespread Pegasus use in the country targeting teachers, journalists, lawyers, and international investigators, and an investigation is ongoing. Then in 2021, as part of the Pegasus Project it was reported that at least fifty individuals connected to Mexican President Andrés Manuel López Obrador, including his children and spouse, had been targeted between 2016 and 2017. R3D’s latest findings indicate that abuses of the spyware have continued, and unlike previous evidence, it appears the infections were perpetrated using no-click attacks. Targets of the spyware include human rights defender Raymundo Ramos, journalist and author Ricardo Raphael, and an unnamed journalist at Animal Politico, a news website focused on unveiling corruption. What’s more, there is evidence of recent contracts between Mexico’s Secretary of National Defense and companies connected to prior sales of Pegasus to the Mexican government.
Former employee exposes data of US banking giant.
TD Bank, one of the largest banks in the US (based on deposits), has disclosed it suffered a data breach in May at the hands of a former employee. It is unclear how many individuals were impacted, but the compromised data includes full names, street addresses, Social Security numbers, dates of birth, and account numbers, and transaction information. iTech Post reports that the former employee shared the information to an outside party, and the bank has launched an internal investigation to determine the scope of the breach. Victims have been offered reimbursement for fraudulent transactions linked to the incident, as well as assistance with creating new accounts if necessary.
Kiwi healthcare network experiences cyberattack.
Pinnacle Midlands Health Network, a large New Zealand medical network that operates dozens of general practitioner offices across the North Island, has suffered a cyberattack that potentially exposed patient data including names, addresses and National Health Index (NHI) numbers. Though it’s unclear how many individuals were affected, it’s estimated to be in the thousands, and Dr. Bryan Betty, Director of the Royal New Zealand College, told Stuff that the attack should be a “wake up call to the sector.” RNZ explains that upon discovery of the attack, the impacted IT systems were immediately contained, but it appears the attackers likely accessed the patient data before the breach was detected. Pinnacle Incorporated chief executive Justin Butcher stated, "At this point in time, we cannot confirm what specific data or information may have been accessed, but we are working through a process to better understand that.” The police have been informed and are working with Te Whatu Ora Health New Zealand to determine exactly what happened and what data was compromised. Services are continuing uninterrupted, but patients can expect some delay in communications.
Samsung hit with class action data breach lawsuit.
Compliance Week reports that electronics giant Samsung is facing a class action lawsuit connected to two recent data breaches it suffered earlier this year. The plaintiffs allege that Samsung violated the California Consumer Privacy Act (CCPA) by failing to protect the personally identifiable information of California residents, and that Samsung collects superfluous customer data by requiring users to register for an account in order to access basic device features. The lawsuit, filed last month, also alleges Samsung was in violation of the Michigan Identity Theft Protection Act because it failed to disclose the second of the two breaches in a timely manner. As the Register recounts, the personal records of over half of Samsung's US user base were potentially exposed after a February cyberattack perpetrated by the cyber-extortion gang Lapsus$, who subsequently published nearly 200GB of internal documents. Though no private data were leaked at that time, the lawsuit alleges that Samsung neglected to adequately secure its systems after that attack, allowing for a second attack in July that exposed user data.