At a glance.
- Australian consumers hit by another data breach.
- NBA warns fans of data breach.
Australian consumers hit by another data breach.
Melbourne-headquartered financial services firm Latitude Financial has taken its systems offline following a cyberattack the company sustained last week, Reuters reports. The Australian Federal Police and the Australian Cyber Security Centre (ACSC) are investigating the attack. The ABC reports that over 300,000 customers have been affected by the breach, with at least 100,000 driver's licenses stolen.
The attackers gained access through a major vendor used by Latitude, which the ABC says was a back-end infrastructure provider. They then used a Latitude employee's credential to steal customer data from two of the firm's service providers. The ABC notes, "The company has not clarified what it means by service providers, but there is speculation it involves data hosting partners or brokers who onsold the lender's products."
NBA warns fans of data breach.
The National Basketball Association (NBA) has disclosed that some fans' personal information was stolen after a third-party newsletter service was breached, BleepingComputer reports. It's not clear how many users were affected. So far, it appears that only names and email addresses were exposed. The NBA said in its breach notification letter, "We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA. There is no indication that our systems, your username, password, or any other information you have shared with us have been impacted."
The NBA warns, however, that threat actors may use this information to launch phishing attacks against impacted users:
"Given the nature of the information, there may be heightened risk of you receiving 'phishing' emails from email accounts appearing to be affiliated with the NBA, or of being targeted by other so-called 'social engineering' attacks (where an individual seeks to trick the target into sharing confidential information or otherwise taking actions contrary to his or her own interest)."
Erich Kron, security awareness advocate at KnowBe4, observed some of the ways in which even a relatively unpromising set of data could be exploited for social engineering. "This is an unfortunate instance of a vendor not securing information provided by an organization," he wrote. "Unfortunately, this is all too common. However, in this case, limited information was made public. Even though the information did not contain much sensitive information, by using a name and email address, along with the knowledge that this individual has an interest in the NBA, social engineers could put together a much more appealing phishing attack than if they had none of this information. People whose information was leaked by this vendor should keep a wary eye open for targeted email phishing attacks related to NBA topics."