At a glance.
- Fashion company fined for data breach.
- Arizona city suffers data breach after hacker breaks into user account.
- Massive trove of credit card data dumped on dark web.
Zoetop finds style comes at a price.
Zoetop, the company behind fast fashion retail giants Shein and Romwe, has been ordered to pay the US state of New York $1.9 million for a breach that exposed the data of over 40 million customers, 800,000 of whom were New York residents. As the Verge recounts, in 2018 a hacker stole credit card and personal customer information from Zoetop’s systems, including names, emails, and hashed passwords. The charges allege that Zoetop failed to protect customers’ data, neglected to properly inform customers of the breach, and tried to hide details about the scope of the incident. The Office of the Attorney General (OAG) conducted an investigation into the breach and found that Zoetop contacted only a portion of the impacted customers and failed to reset passwords for any of the accounts. It wasn’t until two years later, when Zoetop discovered stolen customer login info on the dark web, that the company informed customers of the breach and reset their account credentials. The company is also accused of misrepresenting the number of victims and claiming there was no evidence that credit card information was stolen. OAG also says Zoetop used inadequate password management systems and failed to monitor for security issues or establish a comprehensive attack response plan.
Raghu Nandakumara, Head of Industry Solutions at Illumio, sees the fine as a warning to businesses of the reality of regulatory risk:
“The Shein data breach should act as a warning for all businesses to strengthen security practices. Increased focus on cyber incident disclosure means that organizations that fail to proactively prioritize the right security controls and suffer a breach, can no longer get away with hiding details to save their reputation. And in the current climate, no businesses can afford unnecessary financial penalties.
“History has shown that cyber attackers leverage the same weaknesses and vulnerabilities time and time again. Something needs to change. It’s imperative organizations can see all risks and isolate breaches quickly when they do occur, and this requires a shift away from the traditional 'find and fix approach' to 'limit and contain.' Ultimately, the longer it takes to identify, mitigate and resolve an attack, the higher the cost, so companies must always start with an 'assume breach' mindset.”
Arizona city suffers data breach after hacker breaks into user account.
The city of Tucson, located in the US state of Arizona, has disclosed it experienced a data breach that potentially exposed the personal information of 123,500 individuals, the Arizona Daily Star reports. Principal Assistant City Attorney Roi Lusk says on May 29 the city detected that someone had hacked into a user’s account and may have copied data from the city’s network. In response, the city shut down its website and online services for two days after discovering the activity. Forensic specialists were enlisted to investigate, and after a five-week probe, it was determined that the intruder could have copied personal information including individuals’ names, Social Security numbers, driver’s license or state identification numbers and passport numbers, though, as Lusk explained, “we can’t determine for certain that information even left the network.” Impacted individuals include current and former city employees and licensees of the city. Due to a verification process the Department of Revenue conducts to ensure people aren’t operating businesses in cities where they don’t pay taxes, even individuals who haven’t conducted business in Tucson could be affected. The city has sent letters to all impacted individuals, and has hired third-party forensic specialists to monitor more than 6,000 city servers, laptops and PCs in order to determine how to better protect its data in the future.
Massive trove of credit card data dumped on dark web.
Researchers at Singaporean threat intelligence firm CloudSEK discovered a database containing over one million credit and debit cards published for free on a Russian-speaking dark web cybercrime forum dubbed BidenCash. This follows a recent dump of 7.9 million cards on the site, but unlike the first leak, this new post includes personally identifiable information like email addresses and Social Security numbers, in addition to card details, the Siasat Daily reports. “State Bank of India, Fiserv Solutions LLC, American Express were some of the top banking institutions which were affected. There were approximately 508,000 debit cards breached with 414,000 records of Visa payment network followed by Mastercard,” the security researchers said. They added that by offering the data up for free, the site is likely aiming to attract publicity and increase traffic. “The subject release of the credit and debit cards data by BidenCash shop is one of the largest leaks of its kind on any of the cybercrime/underground forums in recent times,” researchers at Cyble Research & Intelligence Labs stated. As 7NEWS notes, it’s believed that the attackers used web-skimmers to steal the credit card data, and the most impacted countries include the US, India, Brazil, and the UK.