Secret CISO 3/22: AT&T Silence, V12 Software and CAIRE Inc. Breaches, Hotel Room Locks Hack, and Russian Political Cyber Attacks
Welcome to your daily dose of Secret CISO, where we delve into the world of data, cyber, and tech security. Today, we're discussing the renewal of the UK adequacy decision and the criticism of the DPDIB. We'll also touch on the shocking data breach involving Kate Middleton's cancer diagnosis and the subsequent fallout. In other news, AT&T remains tight-lipped about a data breach that spilled customer data online, while V12 Software and CAIRE, Inc. are dealing with their own data breaches affecting hundreds of thousands. We'll also look into the legal repercussions of these breaches, with class action lawsuits being filed against WellNow and Change Healthcare. On a global scale, a simple hack has exposed a security breach that could unlock millions of hotel room doors. In the realm of research, we'll explore the efforts of security researchers in exposing vulnerabilities and enhancing cyber security. Lastly, we'll keep you updated on the latest CVEs, providing you with the knowledge to protect your systems and data. Stay tuned for these stories and more, only on Secret CISO.
Data Breaches
- Yahoo Data Breach (2013-2014): Yahoo announced in 2016 that back in 2013-2014, all 3 billion of its user accounts were compromised. This breach exposed names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Source: Reuters
- Marriott International Data Breach (2014-2018): Marriott International reported in 2018 that hackers had access to its Starwood reservation system since 2014, compromising the personal information of approximately 500 million guests. The breach included contact information, passport numbers, and credit card details. Source: BBC
- Equifax Data Breach (2017): In 2017, Equifax, one of the largest credit bureaus in the US, announced a breach that exposed the personal information of 147 million people. The breach included Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers. Source: CNET
- Facebook Data Breach (2018): In 2018, Facebook announced that nearly 50 million user accounts were compromised in a data breach. The breach allowed hackers to take over user accounts and access personal information. Source: New York Times
- Capital One Data Breach (2019): In 2019, Capital One announced a data breach affecting over 100 million customers in the US and 6 million in Canada. The breach exposed names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income. Source: CNN
Security Research
- Russian Nation-State Hacker Targets German Political Parties: A Russian hacking group has been identified targeting German political organizations for the first time, according to security firm Mandiant. This marks a significant shift in the group's usual targets. Source: GovInfoSecurity
- AT&T Customers' Data Leak: Security researcher Troy Hunt obtained a full leaked dataset of AT&T customers' data. The company has yet to explain how the data breach occurred. Source: TechCrunch
- Security Flaw in Hotel Keycards: Researchers have discovered a security flaw that allows hackers to clone keycards used on Saflok electronic RFID locks, potentially affecting three million locks worldwide. The exploit is relatively easy and cheap to execute. Source: TechRadar
- Over 33 Million Attacks on Mobile Devices Blocked in 2023: A report by Kaspersky's GReAT team revealed that over 33 million attacks from malware and adware on mobile devices were blocked globally in 2023. The report also highlighted Tambir, a spyware application targeting users in Turkey. Source: Morung Express
- Novel Variant of Wiper Linked to Viasat Attack: Security researchers have warned about a novel variant of the AcidRain wiper, which was used to disrupt satellite communications during Russia's invasion of Ukraine. The new variant raises concerns about potential future attacks. Source: Cybersecurity Dive
Top CVEs
- CVE-2023-49837: Uncontrolled Resource Consumption vulnerability found in David Artiss Code Embed, affecting versions from n/a through. This could lead to potential denial of service attacks. Source: CVE-2023-49837
- CVE-2024-27277: The private key for the IBM Storage Protect Plus Server 10.1.0 through 10.1.16 certificate can be disclosed, undermining the security of the certificate. This could lead to potential unauthorized access and data breaches. Source: CVE-2024-27277
- CVE-2024-27956: SQL Injection vulnerability found in ValvePress Automatic, affecting versions from n/a through. This could lead to unauthorized database access and potential data breaches. Source: CVE-2024-27956
- CVE-2024-27965: Cross-site Scripting vulnerability found in WPFunnels Team WPFunnels, affecting versions from n/a through. This could lead to potential unauthorized access and data breaches. Source: CVE-2024-27965
- CVE-2024-27964: Unrestricted Upload of File with Dangerous Type vulnerability found in Gesundheit Bewegt GmbH Zippy, affecting versions from n/a through. This could lead to potential unauthorized access and data breaches. Source: CVE-2024-27964
Final Words
And that's a wrap for this week's edition of Secret CISO. We've covered everything from the renewal of the UK adequacy decision to the data breach involving Princess Kate's cancer diagnosis. We've also delved into the AT&T data spill and the security breach that unlocked millions of hotel room doors globally. In the world of cybersecurity, it's clear that no one is immune - not even royalty. It's a stark reminder of the importance of robust data protection measures and the need for constant vigilance. Remember, knowledge is power. By staying informed, we can all play a part in creating a safer digital world. So, why not share the power? If you found this newsletter helpful, please consider sharing it with your friends and colleagues. Stay safe, stay informed, and see you next week for more updates from the ever-evolving world of tech security.