At a glance.
- DEA investigates potential law enforcement system data breach.
- Settlement reported in Capital One breach.
DEA investigates potential hack of law enforcement inquiry system.
The US Drug Enforcement Administration (DEA) has disclosed that it’s investigating the possible compromise of the Law Enforcement Inquiry and Alerts (LEIA) system, a DEA portal with access to sixteen federal law enforcement databases. LEIA provides search capabilities for both the DEA’s El Paso Intelligence Center (EPIC) systems (which are available for use by federal, state, local and tribal law enforcement, and the Department of Defense and intelligence community) and external database repositories. KrebsOnSecurity reports that the hack could be tied to the Doxbin, an online community focused on looking up personal information and posting it publicly. Doxbin’s previous administrator was identified as the leader of the infamous LAPSUS$ ransomware group, responsible for recent attacks on tech giants like Microsoft, NVIDIA, and Okta. LAPSUS$ members have also been connected to a service selling fraudulent Emergency Data Requests, allowing hackers to use compromised police and government email accounts to file fraudulent data requests demanding user data from social media platforms, mobile phone providers, and other tech companies. The data in LEIA and EPIC would be extremely valuable to these cybercriminals, as well as organized crime rings and drug cartels. “I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley.
Capital One reaches settlement for 2019 data breach.
American Bank Capital One has agreed to pay $190 million in a settlement linked to a 2019 data breach in which an intruder (later captured by the US Federal Bureau of Investigation) gained unauthorized third-party access to the bank’s systems, compromising the personal data of approximately 98 million customers. Top Class Actions explains that the exposed data included sensitive information like names, birth dates, addresses, phone numbers, credit scores, and Social Security numbers. In the class-action lawsuit, the impacted customers argued the bank neglected to properly safeguard their data, putting them at risk for fraud. Though Capital One has not admitted to any wrongdoing, it agreed to the settlement, which grants class members access to a cash payment of up to $25,000 for expenses and lost time, and requires the bank to implement extensive cyber security practices for at least two years.