At a glance.
- MPD FM database found unsecured on the public web.
- US university health plan suffers MOVEit-linked breach.
- Dissidents allegedly in possession of stolen PSNI data.
MPD FM database found unsecured on the public web.
The Cybernews research team has discovered that MPD FM, a leading provider of guardian and facility management services in the UK, left an Amazon S3 storage bucket unprotected, exposing over 16,000 sensitive documents. Security Affairs notes that the UK’s National Health Service, HM Revenue & Customs, a number of UK boroughs and councils, and popular British retailer WHSmith are among MPD FM’s clients. While the compromised data is associated with the company’s employees, it is plausible that this information could be used to access corporate data. The exposed information includes passports, visas, national IDs and driver’s licenses, birth certificates, and bank statements.
The researchers explain, “Threat actors could use employee data to devise targeted emails or launch social engineering attacks. Information about people’s private and professional lives allows scammers to coax victims into disclosing additional sensitive information or performing actions that compromise the organization’s security.” The database has now been secured, but it’s unclear whether it had already been accessed by malicious actors.
US university health plan suffers MOVEit-linked breach.
Stateside, the recently discovered (and now patched) MOVEit bug has claimed yet another victim. University of Utah Health Plan (U. Health) has disclosed that member data were accessed by an intruder who exploited the vulnerability in the popular file transfer platform. KSLTV.com reports that the attacker downloaded the data of approximately four thousand individuals between May 30 and June 2, and the impacted members have been sent letters notifying them of the compromise. At least 545 organizations across the globe have reported breaches connected to the MOVEit vulnerabilities, exposing approximately 38 million individuals.
Dissidents allegedly in possession of stolen PSNI data.
As we saw last week, the Police Service of Northern Ireland (PSNI) has disclosed that the private info of all 10,000 of the force's serving officers and staff was accidentally leaked to the public when an employee made an error in responding to a freedom of information request. Within days, stolen info was allegedly posted on messaging platform WhatsApp. RTE.ie reports that dissident republicans claim to be in possession of some of the information leaked in the recent data breach. PSNI Chief Constable Simon Byrne stated, "We are now aware that dissident republicans claim to be in possession of some of this information circulating on WhatsApp, and as we speak we are advising officers and staff about how to deal with that and any further risk that they face."
Byrne spoke at a meeting of Northern Ireland's Policing Board in Belfast addressing two recent data breaches (the second of which involved the theft of a police-issue laptop containing a spreadsheet with the names of over two hundred officers and staff). No officers have yet been removed from their homes for safety, but PSNI has established a service focused on disseminating real-time information about the risks of the breach, and there have been over five hundred referrals to the service so far. Byrne added, "I think we recognise that the data breach raises quite legitimate concerns absolutely for our workforce. There was also a broader question of trust with the public that data that you would expect to be held and guarded preciously has got into the public domain. And yes, we have to accept for some people there is a breach of trust which is exploding out at the moment."