MyDeal discloses breach. Election software CEO charged. FamilySearch discloses data breach. University of P.R. student involved in privacy violation.

Summary

By the CyberWire staff

At a glance.

Data cleanup on aisle 5.
Election software CEO charged with embezzlement.
Hacking down the family tree.
College student sentenced for stealing explicit photos.
Ex-police officer abuses power to blackmail Snapchat users.

Data cleanup on aisle 5.

Australian grocery chain Woolworths disclosed on Friday that its online retailer MyDeal experienced a breach that potentially exposed the data of nearly 2.2 million users, the Star reports. The intruder used compromised user credentials to access the MyDeal customer relationship management system, which contains customer names, email addresses, phone numbers, delivery addresses, and in some instances dates of birth. Woolworths says its website and other related platforms were not impacted, and that all affected customers have been contacted. As ABC notes, the incident comes just one month after millions of customers of Australian telecom giant Optus were exposed in what some are calling the largest data breach in the country’s history.

Election software CEO charged with embezzlement.

As we previously noted, Eugene Yu, CEO at election worker scheduling software maker Konnech, was arrested last week under suspicion of data theft. NPR.org reports that Yu has now been charged with conspiracy to embezzle public funds and grand theft by embezzlement of public funds. Prosecutors say that a massive data breach led Konnech to give its contractors in China access to sensitive data on election workers, and that in doing so, Konnech violated not only its contract with Los Angeles County, but also criminal law. It’s worth noting that the prosecution does not allege that Yu stole money, but rather that he misappropriated government funds. Konnech has come under fire from election conspiracy theorists who have circulated unfounded claims that Konnech has ties to the Chinese Communist Party, and the company’s defense attorney says the prosecution is relying on dubious information from these election deniers. A Los Angeles Superior Court judge has ordered Yu to remain in home confinement because he allegedly poses an "extensive flight risk" due to his "deep ties to China."

Hacking down the family tree.

FamilySearch, a genealogy website operated by The Church of Jesus Christ of Latter-day Saints, says an intruder gained unauthorized access to its network in March. As Komando explains, an investigation has been underway, and law enforcement this week lifted its confidentiality restrictions, allowing FamilySearch to share the incident with the public. The company says a state-sponsored hacking group could be behind the breach, and compromised data includes usernames, legal names, gender, email addresses, and dates of birth.

College student sentenced for stealing explicit photos.

A Puerto Rico judge has sentenced a former University of Puerto Rico student to thirteen months in prison for cyberstalking his female classmates, Bleeping Computer reports. The defendant, Iván Santell-Velázquez, admitted to hacking the email and Snapchat accounts of over one hundred students by engaging in phishing and spoofing schemes. As iTech Post explains, he then used his access to steal nude photos from the accounts, which he shared on Twitter and Facebook and, in at least one case, harassed the victim over text. US Federal Bureau of Investigation Special Agent in Charge Joseph González stated, “Cyberstalking can have a major impact on its victims, which can range from suicidal ideation, fear, anger, depression, to PTSD. This is why, at the FBI we are committed to investigating these terrible crimes and we urge the public to report incidents to law enforcement immediately."

Ex-police officer abuses power to blackmail Snapchat users.

On a similar note, Bryan Wilson, a former Louisville Metro Police Department (LMPD) officer in the US state of Kentucky, pled guilty in June hacking the Snapchat accounts of several women to steal sexually explicit photos, and the recently released court documents shed light on the case. Wilson obtained information about the victims through Accurint, a powerful data-combining software issued to law enforcement agencies, to which Wilson still had access for some time after he left the LMPD. As the Louisville Courier Journal explains, He then passed the data on to a hacker, who used the info to gain access to the women's private Snapchat accounts and steal explicit images and videos. Wilson then used the content to blackmail the women into sending him more explicit content, and in one case he forwarded stolen images to a victim’s employer. A statement from the police department says that after the incident, procedures were implemented to ensure all access to such software is suspended once a member separates from LMPD. The court documents state, "Wilson caused his victims untold psychological trauma, not only by extorting them and publishing their explicit photographs and videos online, but also by demeaning and insulting them during his text exchanges…" the document states. Prosecutors asked for Wilson’s sentence to be lightened in exchange for his guilty plea in another federal case in which he violated the civil rights of pedestrians through the arbitrary use of force.

Selected Reading

Student Pleads Guilty to Cyberattacks Against Multiple Accounts at University of Puerto Rico (iTech Post) A hacker that goes by the name of “Slay3r_r00t” is sentenced to 13 months in prison for cyberattacks.

Student jailed for hacking female classmates’ email, Snapchat accounts (BleepingComputer) On Thursday, a Puerto Rico judge sentenced a former University of Puerto Rico (UPR) student to 13 months in prison for hacking over a dozen email and Snapchat accounts of female colleagues.

Election software CEO is charged with allegedly giving Chinese contractors data access (NPR.org) The Los Angeles County district attorney alleges that the CEO of Konnech, which makes scheduling software for poll workers, improperly gave Chinese contractors access to sensitive employee data.

Secret agents targeting drug cartels in Australia exposed in data hack (The Sydney Morning Herald) A massive leak of classified government documents has exposed the identities and methods of secret agents working to stop major drug importations to Australia.

Woolworths says data of online unit's 2.2 million users breached (The Star) Australia's Woolworths Group Ltd said on Friday its majority-owned online retailer MyDeal identified that a "compromised user credential" was used to access its systems that exposed data of nearly 2.2 million users.

Woolworths subsidiary MyDeal is the latest target of a cyber attack. Here's what you need to know (ABC) The cyber attack has left about 2.2 million MyDeal customers affected. Here's the latest on the data breach and what to do if you're impacted.

Genealogy site FamilySearch suffers data breach - Are you at risk? (Komando.com) Your data could be at risk if you've ever used the genealogy site FamilySearch. A massive data breach exposed user information.

CommonSpirit readies $1.5 billion deal after upgrade, cyberattack (Bond Buyer) The nation's largest not-for-profit health system returns to the market with a mix of new money and refunding debt offering tax-exempts and taxables.

Chinese hackers are scanning state political party headquarters, FBI says (Washington Post) U.S. government warns that Chinese group are probing Democrats, Republicans for vulnerabilities