At a glance.
- Running Room unable to outrun hackers.
- Hackers access patient data in third-party breach.
- US telecom giant impacted in vendor breach.
- Those trainers could be even more expensive than initially thought.
Running Room unable to outrun hackers.
Canadian running gear retailer the Running Room experienced a data breach in which intruders might have accessed personal customer data over the last several months, CTVNews reports. The company on Friday sent an email to customers stating it "recently identified and addressed" a security incident involving "a subset of user data." Running Room says between November 19, 2022 and January 18, 2023 the hackers accessed and “skimmed” customer emails, names, addresses, phone numbers, and credit card information. The breach impacts customers who made purchases on the company's Canadian website during that period, though it’s unclear just how many individuals that includes. The company added that it has launched an investigation into the incident and is working with law enforcement, privacy commissions, and the Canadian Centre for Cyber Security.
Hackers access patient data in third-party breach.
UCHealth, a leading healthcare center located in the US state of Colorado, announced on Friday that a data breach involving one of its vendors might have impacted its patients, employees, and vendors. The Fort Collins Coloradoan explains that an unidentified cybercriminal breached business operations software company Diligent Corp, which provides online hosted services for UCHealth. The compromised data include patient names, addresses, dates of birth, treatment details, and “in very limited cases” Social Security numbers. Diligent says it has taken steps to increase the security of its client data.
US telecom giant impacted in vendor breach.
In another third-party data breach, data allegedly stolen from a vendor serving American telecommunications and mass media company Charter Communications appeared on a hacking forum website last week. A forum user on Thursday posted records related to repairs and sales that included the names, account numbers, and addresses of approximately 550,000 customers. A spokesperson for Charter, which is the second largest cable operator in the US, stated, “We are aware of the post and following our security protocol in response. The initial evidence suggests that one of our third-party vendors had a security breach. At this time, we do not believe that any customer proprietary network information or customer financial data was included.” Details are few, and it’s unclear which vendor was hacked, when the incident occurred, or when impacted individuals will be notified. The Record by Recorded Future notes that just two weeks before the breach the Federal Communications Commission voted unanimously to consider changes to the telecom breach notification rules. FCC Chairwoman Jessica Rosenworcel said the current rules, which were created over fifteen years ago, are in need of modernization now that telecom companies have access to massive amounts of customer data. “The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” Rosenworcel said.
Those trainers could be even more expensive than initially thought.
The Guardian reports that data belonging to approximately 10 million customers were leaked in the recent breach of UK sportswear retailer JD Sports. The exposed info is related to online orders made between November 2018 and October 2020 of products in several of the company’s lines including Size?, Millets, and Blacks. While the compromised data could include customer names, addresses, phone numbers, order details, and partial payment card numbers, JD Sports says the “affected data is limited” as it did not hold full payment data and the company “has no reason to believe that account passwords were accessed.” The company has notified the Information Commissioner’s Office and is in the process of notifying impacted individuals. Chief financial officer Neil Greenhalgh stated, “We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these.”
The breach attracted a fair amount of industry comment. A retailer like JD Sports inevitably holds a significant quantity of customer data, and that makes it an attractive target, as Javvad Malik, security awareness advocate at KnowBe4, commented. “Any organization which holds any form of customer information can make an attractive target for criminals. This is by no means a small breach, and while JD Sports doesn't believe passwords were stolen, it would be good practice for people to change their password, especially if they have re-used the same password on different websites," he wrote. "Users should also be mindful of any emails or messages they receive which may claim to be from JD Sports. Criminals are always looking to piece together information from breaches to create convincing and authentic phishing scams. If anyone receives such emails, they should not respond, and rather seek to verify the authenticity directly with the company.”
Oz Alashe MBE, CEO of CybSafe, wrote to warn that people should expect sequelae in the form of social engineering attempts for months to come:
"Due to the nature of the data collected as a result of this attack, consumers will need to be vigilant for potentially fraudulent emails, texts and calls over the coming weeks and months.
"While this event is, of course, unfortunate, it is one of many attacks against the retail and manufacturing sector, highlighting a clear need for the industry to assess how it handles cyber security and the personal information of its customers. According to a CybSafe analysis of ICO data, the retail and manufacturing sector is by far the most vulnerable to attack. In the 2021/2022 financial year, the industry accounted for more than 1 in 5 total cyber attacks (21%). Furthermore, the sector has seen a notable increase in ransomware attacks, rising 7% compared to the previous year, accounting for 32% of total cyber attacks.
"Within the retail sector, trust is essential. Customers want to be confident that their personal information is protected, especially in the new age of online shopping. As a result, retailers must ensure that their employees are equipped with the right tools and education to display positive security behaviors. The days of viewing cyber security as an annual tick-box exercise are over. To ensure the trust of consumers, cyber security must become an active, ongoing process within the organization."
Chris Denbigh-White, Security Strategist at data protection firm Next DLP, wrote to point out that security through obscurity is pretty much just wishful thinking:
"Often in situations like this the headline will read something like 'Hacker Exposes millions of users’ personal and sensitive data,' yet rarely does the headline read 'Misconfiguration of company datastore leads to data being copied and pasted.'
"According to the security researcher @0xyzqt, a JD Sports database containing customer information was identified as exposed directly to the internet as early as July 2022. One may think, 'Well, surely an attacker would need to know the specific IP address of an internet-connected database to gain any access? Security through obscurity, right?' Well, actually, no.
"Databases that are directly exposed to the internet are not difficult to find. Shodan.io is a search engine for the ‘internet of things’ (like a “Google for servers and appliances on the internet”). It allows users to find devices and systems connected to the internet, including databases, which can be easily accessible if not adequately secured. Whilst this site is an essential tool for those who secure corporate environments, it can be (and often is) used by would-be attackers.
"This incident highlights the critical importance of robust database security measures and the consequences when these measures fail (or are absent), including data breaches and unauthorized access to sensitive information.
"In JD Sports' press release, the company took great steps to reassure customers that the extent of potentially compromised information was 'limited.' While payment card details were not fully compromised, personal data such as full names, addresses, email addresses, and order histories were exposed. To a consumer, this exposure of personal information, which cannot be changed, is not a trivial matter and is likely to lead to further phishing and fraud attempts. Companies should be cautious not to underestimate (or attempt to downplay) the significance of a loss of Personally Identifiable Information (PII), which may pose greater risks in the long term.
"Recent high-profile fines handed out for GDPR non-compliance are a stark reminder that GDPR regulations apply to this kind of data. This requires companies to maintain continuous visibility to sensitive data and ensure that security controls are in place to protect that data from loss or misuse."
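The point Denbigh-White makes is that an internet-facing database is discoverable whether or not anyone knows its address, so the practical defence is to verify on your own hosts that database services are not bound to a reachable interface at all. The following is an added example written for this briefing, not code from Next DLP or any of the commentators quoted above: it parses `ss -lnt`-style listener output (the sample below is constructed, and the port-to-service table is an assumption for illustration) and flags database ports bound to anything other than a loopback address.

```python
"""Flag network listeners that expose database services beyond localhost.

Added example (not part of the original briefing): a small audit helper that
parses `ss -lnt`-style listener output and reports database ports bound to
non-loopback addresses, i.e. the kind of direct exposure that makes a
datastore findable from the internet. The sample output below is constructed.
"""
import ipaddress
import re

# Well-known database/service ports to check. Constructed list for the example;
# extend it with whatever your environment actually runs.
DB_PORTS = {
    3306: "mysql",
    5432: "postgresql",
    27017: "mongodb",
    6379: "redis",
    9200: "elasticsearch",
    1433: "mssql",
}

# Constructed sample of `ss -lnt` output (not captured from any real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       128     [::]:27017           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     10.0.0.5:3306        0.0.0.0:*
LISTEN  0       128     [::1]:9200           [::]:*
"""

# Matches "addr:port" where addr is either a bracketed IPv6 literal or a bare
# IPv4 address / wildcard.
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_listeners(ss_output: str):
    """Yield (address, port) tuples from `ss -lnt`-style text."""
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = _LOCAL_RE.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        yield addr, int(m.group("port"))


def is_loopback_only(addr: str) -> bool:
    """True if the bind address only accepts connections from the local host."""
    if addr in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed, not as safe


def find_exposed_databases(ss_output: str):
    """Return [(service, addr, port), ...] for DB ports bound beyond loopback."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in DB_PORTS and not is_loopback_only(addr):
            findings.append((DB_PORTS[port], addr, port))
    return findings


if __name__ == "__main__":
    for service, addr, port in find_exposed_databases(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {service} listening on {addr}:{port}")
```

On the constructed sample the check reports Redis on `0.0.0.0`, MongoDB on the IPv6 wildcard `::`, and MySQL bound to the host's LAN address, while PostgreSQL and Elasticsearch on loopback pass. A bind to a private address such as `10.0.0.5` is still flagged on purpose: whether that interface is reachable from the internet depends on routing and firewall rules that a listener dump cannot see, so the safe default is to treat anything that is not loopback as needing a second look.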
Lior Yaari, CEO and co-founder of Grip Security, analogized a breach of customer data with a breach of employee information.
“Retailers should approach a breach of customer data similarly to an internal breach of employees--requiring every customer to reset their account credentials. Rather than sending an email asking them to do this, it would be better to force a reset with at least two factor authentication or some sort of secondary verification. The official announcement from JD and the news coverage set the stage for the hackers to start sending out password reset phishing emails to the 10 million customers to harvest their credentials. Disclosing the breach is the right thing to do and necessary, but it can also help the hackers by priming the customers for a password reset email that will trick them into divulging their passwords and payment information. There is likely to be additional fallout from this breach that will play out in the future.”