At a glance.
- Spa gift certificate breach is anything but relaxing.
- US university releases few details about recent data breach.
- Even more stolen data dumped from Oakland ransomware attack.
- Pirate streaming service leaks customer data.
Spa gift certificate breach is anything but relaxing.
CTV News Ottawa reports that Canadian health spa Nordik Spa, located in Chelsea, Quebec, has experienced a data breach involving its gift card system. The spa has notified customers that the “event” might have allowed an intruder access to personal customer data including full names, street addresses, and credit card info. Nordik Spa first detected the suspicious activity in late February and responded by shutting down the gift card system and enlisting a third-party firm to launch an investigation. Impacted individuals are those who purchased a gift card between November 4, 2022 and February 27, 2023. However, customers can rest assured that the gift cards in question are still valid. "We will also work with third-party experts to continuously strengthen security measures and maximize the protection of our clients' data. We have reported the incident to the relevant authorities and corporations," Nordik Spa stated.
US university releases few details about recent data breach.
American private Catholic University Our Lady of the Lake has disclosed it suffered a breach that exposed personal data, but, as GovTech reports, details about the incident are sparse. Though the breach was first reported last month, the school, which is located in the US state of Texas, published its first statement about the incident on its website last week. It is unclear how many individuals were impacted, although it is believed that the data of faculty, staff, students, and even prospective attendees were exposed. The school has declined to discuss the nature of the attack, but the AvosLocker ransomware group has taken credit for the incident. The school has stated that their investigation of the attack revealed that a "limited amount of personal information was removed" and that that data include full names, Social Security numbers, driver's license and passport info, dates of birth, and bank account details. Impacted individuals are being notified, but the lack of details about the nature of the attack have some members of the school community concerned.
Even more stolen data dumped from Oakland ransomware attack.
As we previously discussed, the US city of Oakland, located in the state of California, suffered a ransomware attack in February that led to the publication of stolen data, and , and now Engadget reports that the hackers have released more data stolen in the attack. The Play ransomware group has dumped a second batch of approximately 600GB of data including confidential Oakland Police Department files, council members' communications, and staff medical records. The first dump consisted of 10GB of data, and the police union is demanding $25,000 per officer in damages. The attack forced the city to take its network offline, leaving the city in a state of emergency with many buildings closed and non-emergency services unavailable. The city has not disclosed Play’s ransom demands, but has stated it has no intention of paying.
Pirate streaming service leaks customer data.
China’s Z2U, an online retailer that resells access to streaming services like Netflix, HBO, and Disney Plus, was found to be exposing private customer information in a database on the open web, the Desk reports. Cybersecurity researcher Jeremiah Fowler says the database could be viewed by anyone on the net, and that the exposed data include credit card numbers and government documents belonging to over 600,000 customers. Z2U’s business model seems to fall into a sort of legal gray area, as the customer base is partly individuals looking to access to services or products in countries where they are not offered, while others appear to purchase login information that has been stolen from account holders without their knowledge. Fowler explained, “All of these companies have some form of data policy or terms of use agreement that prohibits selling, licensing, or the purchase of any account or access to services using someone else’s account. Although Z2U claims to not sell stolen, hacked, or cracked accounts, it is unclear what the verification process is other than buyers requesting a refund when the account is restricted, suspended, or no longer works.” Fowler added that the exposed data, much of which appears to be used for customer identification verification purposes, could be used by cybercriminals to commit identity fraud, and that the incident demonstrates the risks involved with sharing such info with companies that do not have adequate data security measures in place.