At a glance.
- High street retailer WH Smith discloses employee data breach.
- Austrian hotel chain leaks customer data on unprotected server.
- Hatch Bank becomes second victim of Fortra’s GoAnywhere bug.
- GunAuction.com data breach.
High street retailer WH Smith discloses employee data breach.
Bleeping Computer reports that British retailer WH Smith suffered a cyberattack earlier this week that exposed current and former employee data including names, addresses, National Insurance numbers, and dates of birth. The company, which is a regular fixture on the UK’s high streets, says its website and customer data were not impacted by the incident. “WH Smith takes the issue of cyber-security extremely seriously and investigations into the incident are ongoing,” the firm stated. The nature of the incident and the number of individuals impacted are unclear, but with seventeen hundred locations across the United Kingdom, WH Smith employs approximately 12,500 people.
Lauren Wills-Dixon, a data privacy expert at law firm Gordons, told BBC News that retailers are lucrative prey for hackers because of the large amount of customer and employee data they must store. “There is also enhanced reputational risk and potential for disruption because retailers are so reliant on public trust and confidence, which cyber incidents threaten to undermine,” she added. Some experts speculate that the incident has the hallmarks of a ransomware attack, and The Record from Recorded Future News notes that in a major law enforcement operation last month the UK and the US sanctioned seven people connected to ransomware attacks. Referencing the recent rise in ransomware attacks in the UK, British officials have said they’ve witnessed an “increasingly successful business model” with “ransom demands increasing” and “payments increasing” and it becoming “harder to avoid paying a ransom because the entire ecosystem is pushing that way.”
KnowBe4's lead awareness advocate, Javvad Malik, sees this as one instance of a surge of social-engineering attacks against organizations in the UK. “While details of the hack are limited at present, it does show how criminals are increasingly attacking UK organizations across a variety of industries solidifying the fact that no vertical or size or organization is safe from attacks,” he said. “The most common ways criminals will breach organizations is through social engineering attacks such as phishing or by exploiting poor passwords or unpatched software. So it's important that organizations work on addressing the common root causes of attacks, and ensure they have a layered and defensible security strategy in place.”
John Stevenson, Senior Product Marketing Manager at Skybox Security, sees the incident as a lesson in the importance of understanding an attack surface. "While the details are still sketchy, it seems likely the attackers have accessed Personally Identifiable Information (PII) from corporate databases," he said. "This might be because the attackers have exploited a network path into those databases, perhaps because instances of the data have been poorly secured in the cloud. In any event, the results can be devastating for the individuals concerned. While less newsworthy than ransomware attacks or the theft of credit card information, the theft of PII exposes the individual to the possibility of repeated and highly targeted attacks, as well as exposing the organization to the risk of being penalized by the Information Commissioner's Office (ICO)."
Austrian hotel chain leaks customer data on unprotected server.
Anurag Sen, a researcher at cloud security firm CloudDefense.AI, has discovered an unprotected server storing the personal information of a significant number of customers of Falkensteiner, an Austria-based hotel chain with hotels in Central and Eastern Europe.
Sen’s analysis of the server showed that the exposed data were associated with Gustaffo, a company that offers hotel industry IT solutions. Although Sen says neither Gustaffo nor Falkensteiner responded when notified about the leak, the researcher noticed that the server was secured shortly after he contacted the companies. The exposed Elasticsearch server hosted more than 11 GB of data containing 102,000 records including customer names, phone numbers, email addresses, and booking details, and Sen says the impacted individuals have not yet been notified about the leak.
Gustaffo, however, told SecurityWeek that they secured the server after being informed about the leak by a different researcher, and the company’s assessment indicates the breach impacted only one system and approximately 13,000 individuals, as many of the records were actually duplicates. Falkensteiner issued the following statement: “We have been informed about a possible weakness in the database access systems at one of our subcontractors. FMTG takes the security of our customer’s data very seriously. Therefore, we are looking closely into this issue and cooperating with the subcontractor to improve their IT systems. We also informed the relevant data protection authority.”
Hatch Bank becomes second victim of Fortra’s GoAnywhere bug.
Bleeping Computer reports that Hatch Bank, a banking platform that provides credit card support for fintech companies, suffered a data breach when hackers exploited a vulnerability in the company's Fortra GoAnywhere MFT secure file-sharing platform. The attackers made off with the personal information of nearly 140,000 customers. Hatch Bank says that Fortra informed the company on February 3 that its files contained on Fortra’s GoAnywhere site had been compromised, and a subsequent review of the data confirmed that customers' names and social security numbers were among the information stolen.
Hatch is only the second known victim of the Fortra bug, as US healthcare provider Community Health Systems disclosed a breach last month. Although Hatch has not disclosed the identity of the attacker, the Clop ransomware gang has claimed responsibility for this hack as well as similar attacks targeting over one hundred thirty other organizations. TechCrunch notes that security experts are comparing the Fortra bug to the recent zero-day flaw discovered in tech company Accellion’s legacy file transfer appliance, which led to breaches at over one hundred organizations including Qualys, Shell, and Morgan Stanley.
James McQuiggan, security awareness advocate at KnowBe4, sees the incident as a case of third-party vulnerability. “Organizations not only need to focus on their products and infrastructure vulnerabilities but also the third-party products they use within their environments,” he said. “Maintaining an up-to-date risk register and a process to generate an alert of vulnerabilities within their infrastructure where vendors can alert them to new exploits is critical.” Commodified attack tools have lowered the criminals' barriers to entry. “With current technology, sophisticated cybercriminals can leverage automation tools to quickly scan for organizations using particular products and target them if they haven't updated their software. Within their cybersecurity program, organizations will benefit from change control programs and mitigation plans to quickly update external facing software and systems to reduce the risk of a successful cyber attack by cybercriminal groups.”
GunAuction.com customer data exposed.
TechCrunch reports that GunAuction.com has been breached, exposing the identities of people who have bought or sold guns through the service. Jamie Boote, Associate Software Security Consultant at Synopsys Software Integrity Group, offered advice to those who might have been affected, with particular reference to their increased vulnerability to vishing. “GunAuction.com customers have had enough information about their accounts, phone numbers, addresses, and transactions exposed that they are all now potential victims for a social engineering scam known as ‘Vishing,’ where an attacker uses a combination of targeted, personal email and phone-based communications to trick the victim into giving up more information or influence them to transfer funds,” he wrote. “Users of this site should change their usernames and passwords and treat any communications from people claiming to represent the site or its partners with suspicion.”