At a glance.
- Peruvian tax data exposed on web forum.
- Update on the Rackspace ransomware attack.
Peruvian tax data exposed on web forum.
The cybersecurity team at SafetyDetectives reports that it found a database containing 1.2 GB of unencrypted Peruvian government data shared for free on a clear web forum. The database appears to belong to SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria), Peru’s national tax administration agency, and contains information on an estimated 15 million Peruvian citizens, available for download to anyone with access to the forum post. What’s more, this was not the first time the database was posted, as the discovered post was an update to a December 2022 message. The shared sample, which the researchers analyzed to confirm that it is authentic Peruvian citizen data, contained tax identification numbers, individual or business names, taxpayer status, and tax domicile condition. The researchers contacted Peruvian authorities on February 13 to notify them of the data leak, but so far no response has been received.
Update on the Rackspace ransomware attack.
As we noted previously, popular US cloud computing company Rackspace suffered a cyberattack at the hands of the Play ransomware group in December. The company confirmed at the time that the attackers used an MS Exchange exploit chain to breach Rackspace’s Hosted Exchange email environment, disrupting email services and compromising customer data. Heimdal reports that as Rackspace works to recover from the attack, most impacted customers have regained access to some or all of their email data, but more than 5% have downloaded malware into their mailboxes. It appears that Rackspace delayed applying a patch that would have resolved the exploited vulnerability due to reports that it caused “authentication errors,” which Rackspace was concerned could shut down its Exchange Servers. However, the company had already implemented Microsoft’s recommended mitigations, which Microsoft claimed should have been enough to prevent attacks. It’s unclear whether Rackspace met Play’s ransom demands, but the stolen data are not currently listed on Play’s leak site. The company decided not to rebuild the compromised Hosted Exchange email environment, opting instead to migrate to Microsoft 365, as it had planned to do before the attack. More than half of the email data from the compromised servers has been recovered, but unfortunately for Rackspace, the company has been hit with several class-action lawsuits as a result of the incident.