Inboxes of Canadian Home Depot customers were flooded with hundreds of order confirmation emails revealing the personal information of random shoppers earlier this week.
According to social media reports, the emails contained names, home addresses, emails, and even partial credit-card information that could be viewed by unauthorized recipients.
The incident caused a stir, as worried customers flocked to the Home Depot Twitter page expressing their concerns:
“@HomeDepotCanada Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong,” one worried customer tweeted.
“@HomeDepotCanada I’m up to 100 emails AND COUNTING of shipping confirmations for other people’s orders from your store, received within the last hour. This is absurd. One every 5 seconds. Huge data breach,” another customer said.
A different user noted additional concerns. “This is a VERY serious data breach that has affected at least 900 consumers, not just in-store pick-up,” she said. “My ONLINE ORDER was sent to 300 people, and I received the ONLINE ORDERS of 43 others. Names, home addresses, order info and credit card info was all shared 🙁 @HomeDepot.”
The home-improvement retailer said the issue impacted a limited number of customers and has now been addressed.
“We are aware of what occurred this morning and can confirm that this issue has now been fixed,” Home Depot tweeted. “This issue impacted a very small number of our customers who had in-store pick-up orders.” Paul Berto, corporate communications director at The Home Depot Canada, also told BleepingComputer that, while “some customers may have received multiple emails for orders they did not place”, “none of the emails contained passwords or un-hashed payment card information.”
ICO initially fined Marriott International £99.2 million
Fine massively reduced in part due to COVID-19’s impact on hotel industry
Marriott International has been fined £18.4 million (US $23.8 million) for its failure to adequately protect the personal records of 339 million guests.
The fine, imposed by UK data regulator, the Information Commissioner’s Office (ICO), is a massive 81% less than the £99.2 million fine originally imposed upon the hotel group last year.
It is now two years since Marriott warned the public that hackers had managed to gain unauthorised access to the Starwood guest reservation database since 2014, exposing guests’ names, mailing addresses, phone numbers, email addresses, Starwood Preferred Guest (“SPG”) account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. In addition, millions of encrypted payment card numbers and passport numbers were also breached.
The hackers continued to exfiltrate sensitive data from the system after Marriott acquired Starwood in 2016, continuing to steal personal data unnoticed by Marriott until 2018.
The ICO determined that Marriott “failed to undertake sufficient due diligence” when it bought Starwood and should have done more to secure its systems from cybercriminals, but has now dramatically reduced the fine it is imposing on the international company.
Why the massive reduction from £99.2 million to £18.4 million? According to the ICO, it has now taken into account the steps Marriott has taken to mitigate the effects of the incident and the economic impact COVID-19 has had on the hotel business.
A similar decision was made two weeks ago by the ICO in relation to British Airways, which has had its 2018 data breach fine reduced from £183 million to £20 million, despite a catalogue of errors.
The UK’s Information Commissioner, Elizabeth Denham, said:
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”
I certainly can’t disagree with that.
And although I’m sympathetic with those who hold the view that Marriott has dodged something of a financial bullet – due to the coincidence that it was being investigated for a massive data breach while the hotel industry was struggling from a global pandemic – I do hope that even this reduced fine will help wake up other companies to the need to always treat data security as a priority.
Maybe other companies also need to more carefully consider the importance of security audits when merging, and not take for granted that the acquired company is already secured against hackers.
US hospitals have come under a new wave of ransomware attacks that has interrupted healthcare operations at facilities in New York and Oregon.
Earlier this week, St. Lawrence Health System hospitals in New York and Sky Lakes Medical Center in Oregon confirmed that a ransomware attack forced the health systems to disconnect and shut down their systems.
The center issued a statement on Wednesday:
“Earlier today, Sky Lakes Medical Center was the victim of a ransomware attack on its computer systems. The entire Sky Lakes team is working to counter this attack, and we will keep you updated on the ongoing details of our efforts to return business back to normal,” a news bulletin reads.
Meanwhile, St. Lawrence Health System says computer systems at the Canton-Potsdam, Massena and Gouverneur hospitals were attacked by ransomware on Tuesday morning.
“The Health System’s Information Systems (IS) department disconnected all systems and shut down the affected network to prevent further propagation,” the New York-based healthcare provider said. “These locations are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”
Although many ransomware gangs are known to exfiltrate data before encrypting files, the two medical facilities state that they have found no evidence that indicates patient or employee information was compromised.
Despite downtimes and technical limitations, administrators say that emergency and urgent care remains available to patients.
“Please be patient,” Sky Lakes added. “We are working to ensure all medical needs are taken care of during this time. Sky Lakes is open and, as always, Sky Lakes is safe and is here to care for you.”
Sky Lakes and St. Lawrence have yet to say what type of ransomware infected them. However, on October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published a joint alert warning of “imminent” ransomware attacks targeting the US healthcare industry.
The alert provides details on Trickbot and Ryuk ransomware operators’ activity and instructs healthcare organizations on best practices and mitigation steps.
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about Russian state-sponsored advanced persistent threats (APT) identified in various state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.
The interference of APT actors in US infrastructure seems to have increased in the past few weeks. Law enforcement agencies issued a similar advisory a couple of weeks ago, although of a more limited scope. Now, there are more targets. Early reports say hackers managed to exfiltrate some data as well.
The activity, coming from a Russian state-sponsored APT actor known under names such as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala, started in September 2020. The hackers targeted numerous state, local, tribal, and territorial (SLTT) governments and aviation networks, attempted intrusions at several SLTT organizations, and successfully compromised network infrastructure.
What really sets this attack apart is that, on October 1, the Russian-sponsored APT actor managed to exfiltrate data from two servers, although the agencies did not specify where the intrusion took place.
“The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data,” states the advisory.
“The FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.”
For now, it’s unclear whether the attackers have a clear target in mind or whether they are trying to compromise as many victims as possible in the hopes of getting something more important along the way. The fact that the intrusions occurred so close to the upcoming November 3 US elections also raises questions.
The agencies also published the indicators of compromise, along with possible mitigations.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint advisory warning the healthcare sector of an increase in ransomware attacks.
In the notice (AA20-302A) the feds claim they “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The advisory describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health sector (HPH) to infect systems with Ryuk ransomware for financial gain.
“CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” the advisory states. “CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.”
Threat actors are said to be targeting the HPH sector with Trickbot malware leading to ransomware attacks, data theft, and the disruption of healthcare services, according to the notice. CISA and the FBI believe these targeted attacks will only be exacerbated by the current pandemic, “therefore, administrators will need to balance this risk when determining their cybersecurity investments.”
AA20-302A includes a bit of history behind the malware employed by threat actors, followed by a long list of technical details for administrators to use to better understand the hackers’ breach tactics, complete with indicators of compromise. Three full pages are entirely dedicated to a close inspection of the Ryuk ransomware.
CISA, FBI, and HHS encourage HPH organizations to maintain business continuity plans and to identify and address their security gaps to help keep them functioning during cyberattacks or other emergencies. A list of mitigation steps is also provided to IT administrators in the healthcare industry, including network best practices, ransomware mitigation, and user awareness tips.
The FBI recites the don’t-pay mantra saying, “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Healthcare organizations are instructed to keep regular, password-protected, offline backups of their data, and to have a recovery plan at hand.
Cybercriminals are getting creative during the Covid-19 social-distancing measures, taking advantage of popular video-conference tools such as Zoom to strengthen their pitch in a fresh sextortion scam.
Bitdefender Antispam Lab spotted a new cyber-extortion campaign that has seemingly spread across the globe over the past week. The campaign targeted a quarter-million recipients, mostly in the United States, starting October 20.
The subject line ostensibly reads “Regarding Zoom Conference call,” to make sure you do not disregard the message.
“You have used Zoom recently, like most of us during these bad COVID times,” the scammers said. “And I have very unfortunate news for you.”
Indeed, many remote workers, students, teachers and families have used Zoom during the past year to connect, work or do business, creating a large pool of potential victims for the hoax.
“There was a zero day security vulnerability on Zoom app, that allowed me a full time access to your camera and some other metadata on your account,” the message continues. “I found a few interesting targets through random lookups. You were just unlucky to be on the list.”
The extortionist has clearly done his homework. Multiple zero-day vulnerabilities have been reported this year, including some that even allow a full takeover of devices. Moreover, the company, which announced over “300 million daily Zoom meeting participants,” has been in the spotlight for quite some time, making headlines with topics ranging from Zoom-bombing in online classrooms to phishing campaigns to steal login credentials from users.
Moving forward, the extortionist reveals his actions, hinting at the keynote of the entire message.
“After that, I did some creepy stuff and a few recordings, just for fun and to test a few things,” the scammer adds. “And as you can imagine in your worst dreams, this happened. I have made a recording, where you work on yourself.”
There is nothing unique in this extortionist’s methodology, except for his need to make up excuses for his deeds by blaming the “stupid virus.” He even apologizes and attempts to exploit your empathetic side by claiming he lost his job and is about to be evicted.
“Please dont blame me or yourself for this, I didn’t have any bad intentions,” he said. “I got very sick, lost my job, about to be evicted and have no money to survive. All of this because of the stupid virus. I’m sorry. I have no other choice.”
This extortionist gets additional creativity points by also mentioning the Jeffrey Toobin Zoom scandal, in which the top legal analyst from CNN unknowingly exposed himself in front of co-workers during a Zoom conference.
“I do not want you to be the next Jeffrey Toobin,” he adds. “I’m sure you don’t want to be embarrassed. And I dont want to make this video public so your friends and colleagues can see it.”
The deal is you have three days to pay $2,000 in bitcoin unless you want the “video” revealed to your close family and workplace. He says the amount is non-negotiable and promises to delete the sensitive file once payment is received in his bitcoin wallet.
You are advised not to contact police or reply to the message. “If you do something stupid, I will distribute the video,” he threatens.
Individuals are likely to respond to blackmail messages that threaten to expose sensitive information about them publicly, be they true or not. As such, cyber-extortion has gained more and more traction in recent years, harnessing millions of dollars from victims’ pockets.
However, it’s important not to panic as there is little chance the blackmailer could have spied or recorded you in reality. Cyber-extortionists usually send out threats at random, using large batches of email addresses from data breaches and leaks in the hopes of duping users.
If you are one of the unfortunate recipients, immediately delete the email, and report the extortion attempt to local authorities and email service providers.
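The message described above follows a fixed playbook: a claimed compromise of the victim’s device, a claimed recording, a cryptocurrency demand with a deadline, a threat to expose the victim to family and colleagues, and an instruction not to contact the police. The following Python triage heuristic, added here as an example and not code from Bitdefender Antispam Lab or from this article, scores an email against those elements so a mail-filter or help-desk can flag likely sextortion mail for deletion and reporting. The three sample messages and the wallet address are constructed for the example; the category names, patterns and the threshold are assumptions, not a published rule set.

```python
import re

# Constructed sample messages for this example. They are not real scam emails,
# and the wallet address below is a made-up placeholder, not a real address.
SCAM_SAMPLE = """Subject: Regarding Zoom Conference call
You have used Zoom recently, like most of us during these bad COVID times.
There was a zero day security vulnerability on Zoom app that allowed me
full time access to your camera. I have made a recording of you.
Pay 2000 USD in bitcoin within 3 days or I will distribute the video
to your friends and colleagues.
Wallet: bc1qexampleplaceholderaddress0000000000000000
Do not contact police and do not reply to this message."""

BENIGN_SAMPLE = """Subject: Zoom meeting tomorrow
Hi team, reminder that our Zoom call is at 10am tomorrow.
The agenda is attached. See you there."""

# A legitimate IT notice that shares two ingredients (a vulnerability and a
# deadline) but none of the extortion elements; it must not be flagged.
ADVISORY_SAMPLE = """Subject: Please update your Zoom client
A vulnerability in the Zoom client was fixed in the latest release.
Please update within 3 days. Contact the helpdesk with questions."""

# Each category is one element of the sextortion playbook; the patterns are
# assumed indicators chosen for this example, not a published rule set.
INDICATORS = {
    "compromised_device_claim": [
        r"\bzero[- ]?day\b",
        r"\bvulnerabilit",
        r"\baccess to your (camera|webcam|device|computer|account)\b",
        r"\b(hacked|compromised|infected) your\b",
    ],
    "recording_claim": [
        r"\b(recording|recorded)\b",
        r"\b(webcam|camera)\b",
        r"\bvideo of you\b",
    ],
    "crypto_demand": [
        r"\b(bitcoin|btc|monero|xmr)\b",
        # Common Bitcoin address shapes (bech32 and legacy base58).
        r"\b(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b",
    ],
    "deadline": [
        r"\b\d+\s*(hours?|hrs|days?)\b",
    ],
    "exposure_threat": [
        r"\b(distribute|send|share|publish|release)\b.{0,40}\b(video|recording|footage)\b",
        r"\b(friends|colleagues|family|contacts|relatives)\b",
    ],
    "anti_reporting": [
        r"\b(do ?n.?t|not to) (contact|call|go to)\b.{0,20}\b(police|authorities|law enforcement)\b",
        r"\bdo ?n.?t (reply|respond)\b",
    ],
}


def score_message(text, threshold=4):
    """Return which playbook categories the message hits and a verdict.

    A message is treated as likely sextortion only when it contains a crypto
    payment demand AND at least `threshold` of the six categories; a single
    scary word (e.g. 'vulnerability' in a patch notice) is not enough.
    """
    hits = {}
    for category, patterns in INDICATORS.items():
        for pattern in patterns:
            match = re.search(pattern, text, re.IGNORECASE | re.DOTALL)
            if match:
                hits[category] = match.group(0)  # keep the evidence for analysts
                break
    return {
        "categories": sorted(hits),
        "evidence": hits,
        "is_sextortion": "crypto_demand" in hits and len(hits) >= threshold,
    }


def triage(messages):
    """Classify a batch of (label, text) pairs; returns label -> verdict dict."""
    return {label: score_message(text) for label, text in messages}


if __name__ == "__main__":
    results = triage([("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE),
                      ("advisory", ADVISORY_SAMPLE)])
    for label, verdict in results.items():
        flag = "LIKELY SEXTORTION" if verdict["is_sextortion"] else "ok"
        print(f"{label:9s} {flag:18s} categories={verdict['categories']}")
```

The verdict deliberately requires the cryptocurrency demand plus several other elements, because the individual words (camera, vulnerability, a deadline) appear in plenty of legitimate mail; the captured `evidence` strings let a help-desk show a worried recipient exactly which boilerplate phrases triggered the match before they delete and report the message.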
The ransomware gang behind the recent attack on Sopra Steria is making new headlines this week, this time for an attack on the world’s top office furniture maker, Steelcase.
An unnamed source in infosec reportedly told Bleeping Computer last week to watch for confirmation that Steelcase had suffered a ransomware attack.
The group behind the hack was none other than the infamous Ryuk operation, whose operators are known to infect companies with the BazarLoader and TrickBot trojans.
The company has confirmed the incident, without naming names, in a filing with the US Securities and Exchange Commission (SEC).
“On October 22, 2020, Steelcase Inc. (the “Company”) detected a cyberattack on its information technology systems,” the disclosure reads. “The Company promptly implemented a series of containment measures to address this situation including temporarily shutting down the affected systems and related operations.”
“The Company is actively engaged in restoring the affected systems and returning to normal levels of operations,” Steelcase adds. “At this time, the Company is not aware of any data loss from its systems or any other loss of assets as a result of this attack. Although cyberattacks can be unpredictable, the Company does not currently expect this incident will have a material impact on its business operations or its financial results.”
Not being aware of any data loss doesn’t equate to no data loss, so it’s not out of the question that Ryuk actors could claim responsibility for the hack and try to extort Steelcase by threatening to sell or publish its data.
Steelcase’s core business is the production of office furniture, and it is the largest such player in the industry, with facilities and factories in the Americas, Europe, Asia, the Middle East, Australia and Africa. The company also churns out architectural and technology products for various work and academic environments, as well as for the healthcare and retail industries.
Donald Trump’s campaign website was hijacked by hackers who claimed to have evidence discrediting the president and proving his cooperation with foreign actors to manipulate the November elections.
“we have evidence that completely discredits mr trump as president. proving his criminal involvement and cooperation with foreign actors manipulating the 2020 elections,” the hackers wrote, in broken English.
On Tuesday, criminals seized and defaced DonaldJTrump.com, posting a message reading “this site was seized” alongside the logos of the Federal Bureau of Investigation and Department of Justice.
Before the website was taken down, visitors were greeted with a message vilifying the president and condemning what it called “fake news” spread by the Trump administration.
“the world has had enough of the fake-news spreaded daily by president Donald j trump. It is time to allow the world to know truth,” the message reads.
The hackers went on to say they have compromised multiple devices of Trump’s relatives, revealing classified information proving that the president’s cabinet is involved in the origin of COVID-19.
“multiple devices were compromised that gave full access to trump and relatives. most internal and secret conversations strictly classified information is exposed proving that the trump-gov is involved in the origin of the corona virus,” the attackers added.
The post continued with what seems to be a cryptocurrency scam that urges visitors to decide whether the stolen information should be made public or not. The hackers included two cryptocurrency wallet links associated with Monero and asked people to “vote.” Whichever wallet raises the most money will determine their next move.
Tim Murtaugh, Director of Communications for President Trump’s re-election campaign, has also confirmed the attack, stating that no data has been stolen.
“Earlier this evening, the Trump campaign website was defaced and we are working with law enforcement authorities to investigate the source of the attack. There was no exposure to sensitive data because none of it is actually stored on the site. The website has been restored,” Murtaugh tweeted.
The state of Louisiana called in the National Guard to stop a few ransomware attacks affecting government offices, according to a Reuters report.
With less than a week until US general elections on November 3, the state of Louisiana faces a serious ransomware problem directly affecting some government offices. The situation is so bad that the National Guard was called in to deal with it.
Since the general elections are just a week away, the possibility that the events are somehow related can’t be dismissed. The local government officials are not saying anything about the current situation, and they won’t even confirm the little that’s already out there.
The Reuters report mentions that the infection occurred through a RAT (remote access trojan) that’s usually deployed through infected emails. The investigation revealed that parts of the trojan’s code belong to KimJongRat, a malware used by North Korean hackers. This particular piece of code is available on public repositories, so the link to North Korea is not clear.
Initial reports also indicate that the infection was stopped in its tracks and that it didn’t affect many offices. Neither the state’s police, the governor nor the Louisiana National Guard wanted to comment on the situation, stating only that it’s an ongoing investigation.
At this point, it’s difficult to determine the true intentions of the attackers. Ransomware attacks are common, especially in the public sector, and the threat actors may be only looking for a ransom, with no connection to the elections.
Recently, US security officials issued a warning regarding the use of ransomware in attacks against the election system, which is why Louisiana officials have to treat the situation as if that’s the case.
Immigration law firm Fragomen, Del Rey, Bernsen & Loewy has disclosed a data breach that compromised personally identifiable information of current and former Google employees.
In a notice filed with the California Attorney General’s Office, the New York-based law firm claimed an unauthorized individual accessed a file containing information relating to I-9 employment information on a “limited number” of Google employees.
“We recently became aware of suspicious activity within our computer network,” the notice reads. “While our investigation is ongoing, we discovered that an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services. This file contained personal information for a discrete number of Googlers (and former Googlers), including you.”
The company did not say how many employees were affected or what type of information was accessed. However, Form I-9 is used to verify the identity and employment authorization of individuals working in the US, and can include an employee’s name, address, date of birth, email address, phone number, Social Security number, passport number and driver’s license data.
Since the information is highly sensitive, current and ex-employees could suffer attacks such as identity theft and fraud.
Although Fragomen said it will provide a free 12-month credit monitoring subscription to all affected Google employees, victims should still start checking their credit reports for fraud.
As with any data breach, it’s advised to closely monitor inboxes for unsolicited correspondence, and to look out particularly for spear-phishing emails appearing to come from Fragomen, Google or the US government.