At a glance.
- Even cybercriminals appreciate a good Riesling.
- Disabilities support organization experiences data breach.
- Vision insurer pays for turning blind eye to security.
Even cybercriminals appreciate a good Riesling.
Australian wine dealer Vinomofo was targeted in a cyberattack that potentially exposed customers' names, dates of birth, street addresses, email addresses, phone numbers, and genders, the Guardian reports. Vinomofo has about 500,000 customers, but it’s unclear how many were impacted by the breach. “Vinomofo experienced a cybersecurity incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website,” the chief executive, Paul Edginton, said in a statement emailed to customers. He added that the wine dealer does not retain identity or financial data such as passports, driver’s licenses, or credit cards, and that no passwords were exposed. The attack is just the latest in a long list of recent high-profile cyber incidents in the country, including attacks on telecom giant Optus and infotech firm Dialog IT earlier this month, and grocery retailer Woolworths last week.
Erfan Shadabi, cybersecurity expert with comforte AG, commented that those whose data are stolen don't really care who handled them, only that they were lost:
“For the past few weeks, many Australian companies have been the target of cyberattacks. In this case, it seems that Vinomofo has experienced a cybersecurity incident where an unauthorized third party unlawfully accessed their database on a testing platform. This incident highlights the risks inherent in having an outside organization work with and have potential access to your data. Vetting partners thoroughly and ensuring that their data handling processes, procedures, and protection methods are superior isn’t something to take lightly. At the end of the day, your customers or the data subjects whose information you work with ultimately don’t care who is actually handling the data—they look to you to fulfill your obligation and bear the lead responsibility in case of incidents like this.”
Disabilities support organization experiences data breach.
Lifespire Services, Inc, an organization based in the US state of New York that provides support services for individuals with intellectual or developmental disabilities, has disclosed it suffered a data breach last February that exposed participant data. After detecting unusual activity on its systems, the organization suspended its networks and conducted an investigation that revealed that an intruder had gained unauthorized access to sensitive consumer information including names, street addresses, Social Security numbers, dates of birth, driver’s license numbers, financial details, and some medical data. JDSupra reports that Lifespire sent notification letters last week to the approximately 15,000 individuals who were impacted.
Vision insurer pays for turning blind eye to security.
US vision insurance provider EyeMed Vision Care has agreed to pay a $4.5 million penalty to New York State for violations related to a June 2020 data breach that impacted approximately 2.1 million individuals. After a successful phishing attempt, the threat actor gained access to a company email account containing consumer data including Social Security numbers and medical treatment info dating back as far as six years, Health IT Security explains. An investigation conducted by the Department of Financial Services (DFS) determined that EyeMed had violated the DFS Cybersecurity Regulation by failing to implement multifactor authentication on its email network. “Moreover, EyeMed failed to limit user access privileges by allowing nine employees to share login credentials to the affected email mailbox and failed to implement sufficient data retention and disposal processes, resulting in over six years’ worth of consumer data being accessible through the affected email mailbox,” the DFS stated. The company previously reached a settlement agreement with the New York Attorney General’s Office to resolve allegations relating to the breach, which required EyeMed to pay $600,000 and beef up its cybersecurity posture by conducting regular penetration testing, encrypting sensitive consumer information, and updating its security protocols.