At a glance.
- Topgolf hits the ball into a digital sand trap.
- Higher education institutions hit with third-party data breaches.
- IBM faces lawsuit for MOVEit incident.
- Freecycle discloses data breach affecting users.
Topgolf hits the ball into a digital sand trap.
Leading golf gear manufacturer Topgolf Callaway Brands Corp has disclosed an “IT system incident” that exposed the data of over one million individuals. The breach was discovered on August 16, and the US-based company says users of its e-commerce websites, which include “Callaway, Odyssey, Ogio, and/or Callaway Golf Preowned sites,” were potentially impacted. The Record reports that the compromised data include account passwords, answers to security questions, names, mailing addresses, email addresses, phone numbers, and order histories; fortunately no payment card or Social Security numbers were accessed. In addition to resetting all user passwords, Topgolf Callaway says it “has taken a number of additional steps to further secure its data, including adding protective security layers around its data, improving security protocols that govern access to its systems, and is continuing to work with outside experts to enhance the security of its systems.”
Higher education institutions hit with third-party data breaches.
Three universities have recently disclosed third-party data breaches, two of which involved the mass-hack of the MOVEit file transfer application that has impacted hundreds of organizations worldwide.
Drake University, a private university located in the US state of Iowa, has disclosed that student and staff data might have been compromised by a data breach impacting the National Student Clearinghouse (NSC) and the Teachers Insurance and Annuity Association (TIAA). The compromised data potentially include names, dates of birth, and academic transcripts of current and former students, The Times-Delphic reports. An alert issued by NSC and TIAA says at least one thousand US schools have been impacted by the breach.
Remaining in the US, over the weekend the University System of Georgia (USG) released a statement about a MOVEit-linked data breach that occurred in June. Data belonging to students, faculty, and staff were exfiltrated, including names, addresses, email addresses, phone numbers, salary and benefit information, Social Security numbers, and other personally identifiable information. The Red and Black reports that USG has been working with the US Cybersecurity and Infrastructure Security Agency in responding to the incident.
In Australia, the University of Sydney (USYD) says a breach at a third-party service provider compromised the personal data of a limited number of international applicants. Bleeping Computer reports that the identity of the vendor has not been disclosed, but the investigation so far indicates that no local students, staff, or alumni were affected. The university's statement reads, “The issue was isolated to a single platform and had no impact on other University systems.” However, as Security Affairs notes, the school is still working to determine exactly which data were compromised, and the NSW Privacy Commissioner has been notified.
IBM faces lawsuit for MOVEit breach.
The Cyber Express reports that IBM is being sued over a data breach that was reportedly caused by vulnerabilities in the popular MOVEit file transfer software. The plaintiff, Jennifer Wedeking, claims that IBM was negligent in using the software despite being aware of the platform’s security issues. The class-action lawsuit reads, “Further, the only remediation here was not even offered by IBM: a meager 24 months of identity theft protection for victims of the data breach when the impact of the theft … will ripple for many years, if not decades.” It’s worth noting that Progress Software Corp., which provides the MOVEit app, has also been hit with multiple class action lawsuits due to the exploitation of the platform’s software vulnerabilities. Plaintiffs allege the company first learned of the bugs back in 2021 but failed to address them.
Freecycle discloses data breach affecting users.
Freecycle, a platform on which users can trade items they no longer want or need, has disclosed a data breach that affects around seven million users. The data exposed include “usernames, User IDs, email addresses, and MD5-hashed passwords.” Freecycle urges users to change their passwords at once, and also warns them to be alert for social engineering attempts.
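The exposed records are described as unsalted MD5 hashes. The following added example (not Freecycle's code, and using constructed sample accounts rather than breach data) shows why that matters from the defender's side: unsalted MD5 is deterministic, so reused passwords are visible as duplicate hashes in the store, whereas a salted, iterated scheme such as PBKDF2-HMAC-SHA256 yields a distinct record per user. It also includes a small audit helper that flags legacy digests so they can be re-hashed on next login.

```python
import hashlib
import hmac
import os
import re

# Constructed sample accounts (not data from the Freecycle breach). Two users
# share a password, the reuse case the expert comments below warn about.
SAMPLE_ACCOUNTS = [
    ("alice", "Summer2023"),
    ("bob", "Summer2023"),
    ("carol", "three words only I know"),
]

def md5_record(password: str) -> str:
    """Unsalted MD5 as reported in the breach: deterministic, so equal
    passwords give equal hashes and one precomputed table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iters$salt$dk'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and parameters; compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def classify_record(record: str) -> str:
    """Audit helper: flag legacy unsalted digests for re-hashing on next login."""
    if record.startswith("pbkdf2$"):
        return "pbkdf2-salted"
    if re.fullmatch(r"[0-9a-f]{32}", record):
        return "md5-unsalted"  # bare 128-bit hex digest, no salt or parameters
    return "unknown"

def shared_hash_count(records: list[str]) -> int:
    """Records identical to another record; above zero means password reuse
    is readable straight out of the store."""
    return len(records) - len(set(records))

def audit(accounts, make_record) -> dict:
    """Summarise a password store built with the given hashing function."""
    records = [make_record(pw) for _, pw in accounts]
    return {"kinds": {classify_record(r) for r in records},
            "shared": shared_hash_count(records)}

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS, md5_record))     # {'kinds': {'md5-unsalted'}, 'shared': 1}
    print(audit(SAMPLE_ACCOUNTS, pbkdf2_record))  # {'kinds': {'pbkdf2-salted'}, 'shared': 0}
```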
Two industry experts contacted us with comments on the breach. Darren James, senior product manager at Specops, an Outpost24 company, is troubled by what seems to be a tendency. “This trend of hitting popular services is worrying as the impact can be so large, not just on the company, but its user base as well. This breach has confirmed the loss of passwords, amongst other Personally Identifiable Information (PII)," James said. "Hopefully, these passwords are hashed (according to one report), but this may only buy the affected users a limited amount of time to change those passwords as hashes can be cracked fairly quickly these days with advances in modern computing, particularly if they are less than 15 characters. We are all aware many people re-use the same password across multiple systems, so they may have to change passwords across multiple sites. If you are affected and do need to change your password, think instead about switching to a passphrase, for example 3 words that mean something to you, but nothing to anyone else. This will make it a lot harder for the bad guys to crack, but easier for you to remember. Even if you are not affected it’s still a good reminder to not re-use passwords and consider changing them to an unbreached passphrase instead.”
Freecycle is a not-for-profit. Erfan Shadabi, cybersecurity expert with comforte AG, points out that it's a mistake to assume that not-for-profits aren't interesting enough to criminals to be subjects of attack. “The notion that non-profits might be less attractive targets for cybercriminals is a misconception. Non-profit organizations, like their commercial counterparts, handle vast amounts of sensitive data. This data can include donor information, financial records, and potentially personal details of the individuals they serve or support. Just like in any other industry, a data breach in a non-profit can lead to significant reputational damage, financial loss, and legal repercussions. This vulnerability makes it imperative for non-profits to take data security seriously. And the best security approach is the data-centric approach," Shadabi wrote. "Data-centric security, as opposed to just relying on perimeter defenses, is a comprehensive approach that focuses on safeguarding the data itself. It involves encryption, access controls, data classification, and ongoing monitoring to protect data at all stages of its lifecycle. This approach is particularly effective because it prioritizes data protection as the primary goal, regardless of where the data resides or how it's accessed.”