Leaky Pharma Giant Database Exposes Personal Information of US Prescription-Drug Users

Pharmaceutical giant Pfizer has been exposing private medical information of US prescription-drug users for months, according to vpnMentor’s cybersecurity research team.

The sensitive data was stored on a misconfigured Google Cloud Storage bucket. Researchers even found some information dating back to October 2018, speculating that the database could have been accessible for nearly two years.
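The misconfiguration behind a leak like this is usually a single IAM binding that grants a storage role to `allUsers` or `allAuthenticatedUsers`. The following check is an added example and is not Pfizer’s configuration or vpnMentor’s tooling; the policy it parses is a constructed sample in the JSON shape that `gsutil iam get gs://BUCKET` (or `gcloud storage buckets get-iam-policy`) prints, and the bucket name `example-bucket` is made up.

```python
"""Check a Google Cloud Storage bucket IAM policy for public access grants.

Added example, not Pfizer's configuration or vpnMentor's tooling. The policy
below is a constructed sample in the JSON shape that
`gsutil iam get gs://BUCKET` (or `gcloud storage buckets get-iam-policy`)
prints; feed the real output to the same functions.
"""
import json

# Principals that make a binding world-readable. "allUsers" is anyone on the
# internet; "allAuthenticatedUsers" is anyone with any Google account, which
# is public for every practical purpose.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that allow reading objects (current and legacy names).
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
}

# Constructed sample: one legitimate admin, one public read grant (the leak),
# one service-account read grant.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:ops@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
    ],
    "etag": "CAE=",
})


def public_bindings(policy_json):
    """Return (role, member) pairs granted to a public principal."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def is_publicly_readable(policy_json):
    """True if a public principal holds any role that can read objects."""
    return any(role in READ_ROLES for role, _ in public_bindings(policy_json))


def remediation_commands(bucket, policy_json):
    """One gcloud command per public binding that removes it."""
    return [
        f"gcloud storage buckets remove-iam-policy-binding gs://{bucket} "
        f"--member={member} --role={role}"
        for role, member in public_bindings(policy_json)
    ]


if __name__ == "__main__":
    print("public bindings:", public_bindings(SAMPLE_POLICY))
    print("publicly readable:", is_publicly_readable(SAMPLE_POLICY))
    for cmd in remediation_commands("example-bucket", SAMPLE_POLICY):
        print(cmd)
```

This inspects only the bucket-level IAM policy. On buckets that still use legacy per-object ACLs, individual objects can be public even when the policy is clean, so the durable fix is to enforce public access prevention on the bucket (`gcloud storage buckets update gs://BUCKET --public-access-prevention`), which blocks both kinds of grant.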

“The exposed data related to conversations between Pfizer’s automated customer support software and people using its prescription pharmaceutical drugs, including Lyrica, Chantix, Viagra, and cancer treatments Ibrance and Aromasin,” researchers said.

“In total, there were 100s of transcripts from individuals across the USA, with more being uploaded during our investigation.”

A review of the transcripts revealed additional personally identifiable information (PII), including full names, home addresses, email addresses, phone numbers and details of patients’ health and medical status.

The database was secured on September 23, after several failed attempts to contact the pharma giant. The researchers emphasized that it took Pfizer two months to reply to their initial report.

“From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all),” Pfizer said.

However, after vpnMentor’s investigator sent a sample containing customer information, Pfizer immediately secured the database.

“We then shared a file with a sample of their customers’ PII data that we found in the Google bucket,” researchers added. “After this, they finally secured the bucket, but never replied to our messages again.”

If criminals had stolen the information, customers could face targeted phishing attacks that could lead to further data exposure and even financial losses. Bad actors could have easily tricked victims into revealing financial data by posing as Pfizer customer support representatives and referring to the information in the transcripts.

“If cybercriminals succeeded in tricking a victim into providing additional PII data, they could use this to pursue various forms of fraud, including total identity theft,” vpnMentor researchers noted. “In doing so, they could destroy a person’s financial wellbeing and create tremendous difficulty in their personal lives.”

NCSC Says GRU Operatives Attacked 2018 and 2020 Olympic and Paralympic Games

The National Cyber Security Centre (NCSC) says that operatives of Russia’s GRU military intelligence service performed cyber reconnaissance directed at the 2020 Olympic and Paralympic Games, which had been scheduled to take place this summer.

The COVID-19 pandemic forced the organizers to postpone the 2020 Olympic and Paralympic Games. The NCSC attributes the activity to the GRU’s Main Centre for Specialist Technologies (GTsST), the unit also known as Sandworm and VoodooBear.

The NCSC statement came immediately after the US Department of Justice announced criminal charges against Russian military intelligence officers it holds responsible for some of the most destructive and costly cyber-attacks in history.

“The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless,” said UK’s Foreign Secretary Dominic Raab. “We condemn them in the strongest possible terms. The UK will continue to work with our allies to call out and counter future malicious cyber attacks,” he concluded.

In 2018 the same threat actors used a different modus operandi, attempting to pose as Chinese or North Korean hackers. The NCSC assesses with certainty that these are the same hackers who targeted the Tokyo edition. In 2018 the attackers intended to deploy malware capable of wiping data and disabling computers and networks.

The reason for the attacks is not difficult to guess, as Russia was banned from competing in the 2018 Winter Olympics in PyeongChang and the 2020 Summer Games in Tokyo. Russian authorities manipulated the data submitted to the World Anti-Doping Agency (WADA), in an attempt to protect athletes caught doping.

Unfortunately, all of the threat actors indicted by the US Department of Justice and named by the NCSC are outside those countries’ jurisdiction, which means they will likely continue their attacks.

Montreal’s Public Transport Service Hit by Ransomware Attack

Société de transport de Montréal (STM) has suffered a ransomware attack that crippled most of its computer systems, the public transport agency disclosed earlier this week.

As of Monday afternoon, the STM website was inaccessible, and users were redirected to lastm.info, where they can check for updates on the cyberattack and customer service operations.

“Since the afternoon of October 19, the STM has been dealing with a ransomware computer virus that has caused a major failure affecting multiple platforms, including our website,” the notification read.

“We will update this page as the situation changes. Rest assured that our teams are working tirelessly to resolve the situation as quickly as possible so that you can keep riding with us.”

The STM said the attack had no impact on the bus and metro network, and transport operations continued as scheduled, except for the paratransit service, which uses an online registration system.

According to the latest updates, the ransomware attack impacted only STM’s online services and telephone lines. No signs of employee or customer data compromise have been observed.

“We have done everything in our power to protect our data,” STM added. “Initial analyses indicate that our customer and employee information has not been affected. We ensured data protection as soon as we were made aware of the situation. However, the investigation is not complete, and we will continue our analyses.”

The agency has alerted local authorities and promised to provide additional details as soon as its online systems are restored.

NSA Walks IT Admins Through Common Vulnerabilities Exploited by Chinese State-Sponsored Hackers

The US National Security Agency (NSA) has issued a cybersecurity advisory listing a range of vulnerabilities known to be recently leveraged by Chinese state-sponsored actors to hack US entities.

Most of the vulnerabilities listed by the agency “can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks,” the NSA says.

“The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” according to the notice.

The NSA says it is aware that National Security Systems, Defense Industrial Base, and Department of Defense networks are consistently scanned and targeted by Chinese state-sponsored hackers. The agency therefore recommends that “critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage.”

In a bid to get IT administrators to listen, the NSA notes that Chinese state-sponsored hackers follow the same exploitation planning process as any other sophisticated cyber actor, and are actively applying it against American entities.

“They often first identify a target, gather technical information on the target, identify any vulnerabilities associated with the target, develop or re-use an exploit for those vulnerabilities, and then launch their exploitation operation,” the NSA warns.

A list of general mitigation steps is also provided, including familiar rules of thumb: keep systems up to date and apply patches, change the passwords of compromised accounts, disable external management capabilities and set up an out-of-band management network, block obsolete or unused protocols, use proper network configurations, and monitor logs for signs of compromise.

In a press release issued this week, NSA Cybersecurity Director Anne Neuberger said the agency hopes the document will enable cybersecurity professionals to “gain actionable information to prioritize efforts and secure their systems.”

Twitter 2020 Hack Caused by Fake VPN Login Page

The investigative report of the infamous Twitter hack of July 2020 has revealed that the attackers used social engineering skills and phishing links to dupe remote Twitter employees into providing their credentials.

On July 15, 2020, a 17-year-old hacker and his accomplices seized control of dozens of high-profile accounts, including those of Barack Obama, Kim Kardashian West, Jeff Bezos, Elon Musk and Bill Gates, stealing over $118,000 worth of bitcoin from unsuspecting users.

How did the culprits penetrate Twitter’s internal network?

According to a New York State Department of Financial Services report, hackers posing as Twitter IT department staff tricked several employees working remotely into visiting a fake VPN login page.

“The Twitter Hack started on the afternoon of July 14, 2020, when one or more Hackers called several Twitter employees and claimed to be calling from the Help Desk in Twitter’s IT department,” the report said.

“The Hackers claimed they were responding to a reported problem the employee was having with Twitter’s Virtual Private Network (“VPN”). The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain.”

The report explains that as employees entered their credentials on the fake page, the hackers entered the same credentials, simultaneously, on the legitimate Twitter login page. Those logins also required multi-factor authentication (MFA), but the hackers talked the employees into approving the MFA prompt, which left Twitter’s internal network exposed.

“The Department found no evidence the Twitter employees knowingly aided the Hackers,” the financial services regulatory authority added. “Rather, the Hackers used personal information about the employees to convince them that the Hackers were legitimate and could, therefore, be trusted. While some employees reported the calls to Twitter’s internal fraud monitoring team, at least one employee believed the Hackers’ lies.”

FBI Warns of 63 Spoofed Domains Impersonating the US Census Bureau

Cybercriminals register fake US Census Bureau domains to dupe unsuspecting citizens to provide personal information and install malware, the FBI warns.

In a flash alert published in coordination with the federal government’s statistical agency, the FBI notes that it has observed approximately 63 domains impersonating the US Census Bureau.

Partial list of suspicious domains impersonating the US Census Bureau

“Spoofed domains (aka typosquatting) mimic legitimate domains by either altering character(s) within the domain or associating another domain with similar characteristics to the legitimate domain, such as ‘Censusburea[.]com’ or ‘census-gov[.]us’,” the FBI said.
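The two patterns the FBI describes (characters altered within the name, and a different name that still carries the brand) can both be checked mechanically. The script below is an added example, not tooling from the FBI or the Census Bureau: it scores candidate hostnames against `census.gov` using edit distance for the first pattern and a brand-substring test for the second. The candidate list is constructed; it contains the two domains quoted in the alert, and the rest are made-up illustrations written “[.]”-defanged in the same style.

```python
"""Flag domains that look like spoofs of census.gov.

Added example, not from the FBI alert. It implements the two patterns the
alert describes: characters altered within the legitimate name (small edit
distance), and a different name that still carries the brand. The candidate
list is constructed; the two domains quoted by the FBI are included and the
rest are made-up illustrations, written "[.]"-defanged as in the alert.
"""

LEGIT_DOMAIN = "census.gov"
BRAND = "census"
MAX_EDITS = 2  # how many character changes still count as a typo of BRAND


def levenshtein(a, b):
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def refang(domain):
    """Turn 'census-gov[.]us' into 'census-gov.us', lower-cased."""
    return domain.strip().lower().replace("[.]", ".").strip(".")


def registrable_label(domain):
    """Label left of the TLD: 'censusburea' for censusburea.com. Assumes a
    single-label TLD (com, us, gov); production code should use the Public
    Suffix List to handle co.uk and friends."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain):
    """Return a reason the domain looks like a spoof, or None if it is the
    legitimate site or unrelated."""
    d = refang(domain)
    if d == LEGIT_DOMAIN or d.endswith("." + LEGIT_DOMAIN):
        return None  # the real site, or a subdomain of it
    label = registrable_label(d)
    # Pattern 1: the brand with characters altered (typos, transpositions,
    # dropped or doubled letters): small edit distance to the brand.
    if levenshtein(label, BRAND) <= MAX_EDITS:
        return f"typosquat: '{label}' is within {MAX_EDITS} edits of '{BRAND}'"
    # Pattern 2: a different name that still carries the brand anywhere in
    # the hostname: census-gov.us, censusburea.com, census.gov.example.com.
    if BRAND in d.replace("-", "").replace(".", ""):
        return f"brand-bearing: '{d}' contains '{BRAND}' but is not under {LEGIT_DOMAIN}"
    return None


# Constructed candidates: the two FBI-quoted domains plus made-up ones.
CANDIDATES = ["Censusburea[.]com", "census-gov[.]us", "cencus[.]com",
              "census.gov.example[.]com", "data.census.gov", "example[.]com"]


def triage(domains):
    """Map each flagged domain to its reason; clean domains are omitted."""
    return {d: reason for d in domains if (reason := classify(d))}


if __name__ == "__main__":
    for domain, reason in triage(CANDIDATES).items():
        print(f"{domain:28} {reason}")
```

Run against newly registered domain feeds or passive DNS, this gives an early list to block or to request takedown for. The brand test is deliberately broad; on a large feed you would whitelist known partners and feed the rest to an analyst rather than act on the score alone.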

Although the Census Bureau is working hard to disable these spoofed domains, the alert emphasized the dangers of accessing look-alike websites. Threat actors will “attempt to exploit respondents and users of the data for financial gain and other nefarious purposes,” such as harvesting usernames, passwords and email addresses, and spreading malware.

“As part of the US government’s facilities sector, the Census Bureau remains a target for both criminal and nation-state actors aiming to negatively affect the US Government and create distrust among US citizens,” the FBI added.

The warning also provides a list of recommended mitigations to help users and businesses fend off malicious activity:

• Pay close attention to the spelling of websites you access
• Regularly patch operating systems and software
• Make sure the site is served over HTTPS with a valid certificate (the FBI still says “SSL certificate”; in practice it is a TLS certificate today) and that the top-level domain is “.gov”; note that a certificate alone proves nothing about who runs a site, since a look-alike domain can obtain one just as easily as the real one
• Keep security solutions up to date on all devices
• Use two-factor or multi-factor authentication where possible
• Audit networks and systems for unauthorized remote communication
• Disable or remove unneeded software, protocols, macros, and portals

Last but not least, report any suspicious activity to your local FBI field office or Internet Crime Complaint Center (IC3).

Albion Online gamers told to change passwords following forum hack


  • Hacker exploited forum vulnerability, and offered stolen database for sale
  • Players advised to change their passwords

Sandbox Interactive, the developers of the free medieval fantasy video game Albion Online, have warned players that a hacker managed to break into its systems and gain access to its user database.

In a post on the Albion Online forum, players were advised that a hacker was able to exploit a vulnerability to gain access to the forum’s user database.

Exposed data included players’ email addresses, as well as passwords that had been salted and hashed with bcrypt.

At the very least this means that the hacker now has in their hands a list of Albion Online users’ email addresses – information which could be exploited in phishing and social engineering attacks in an attempt to trick players into handing over more information.

However, if some players chose weak passwords for their Albion Online forum account (which, let’s face it, is all too likely), then they might still be singled out by a determined hacker.

If a hacker manages to recover a user’s forum password, the same password can also be used to play the Albion Online game itself. More worryingly, it might be put to malicious use elsewhere if the player has made the mistake of reusing that password on other sites.
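Why “salted and hashed with bcrypt” still leaves weak passwords exposed is easy to show. The script below is an added example and not code from Sandbox Interactive or the Albion Online forum software. bcrypt is not in Python’s standard library, so `hashlib.scrypt` stands in for it: like bcrypt it is salted per user and deliberately expensive per guess, so the same lesson carries over. The “stolen database” and the wordlist are constructed.

```python
"""Why salted, slow hashes still give up weak passwords.

Added example, not code from Sandbox Interactive. bcrypt is not in Python's
standard library, so hashlib.scrypt stands in for it here: like bcrypt it is
salted per user and deliberately expensive, so the same lesson applies. The
"leaked database" and the wordlist are constructed.
"""
import hashlib
import secrets

# Work factor. bcrypt's cost parameter plays the same role: it sets the price
# of every guess, for the site and for the attacker alike.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random 16-byte salt per user."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return secrets.compare_digest(candidate, digest)


def wordlist_attack(records, wordlist):
    """Offline guessing against stolen records.

    Salting means nothing is shared between users: every (user, guess) pair
    costs a full hash, so the bill is len(records) * len(wordlist) slow
    hashes and no precomputed table helps. That is what the salt buys. It
    does nothing for a user whose password sits in the first lines of any
    public wordlist.
    """
    cracked = {}
    for email, (salt, digest) in records.items():
        for guess in wordlist:
            if verify(guess, salt, digest):
                cracked[email] = guess
                break
    return cracked


# Constructed "stolen forum database": email -> (salt, hash). Two weak
# passwords and one random 32-character one.
LEAKED_DB = {
    "alice@example.com": hash_password("password123"),
    "bob@example.com": hash_password("albion2020"),
    "carol@example.com": hash_password(secrets.token_urlsafe(24)),
}

# A tiny stand-in for the top of any public password list, plus game-themed
# guesses an attacker would add for this particular site.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein",
                    "dragon", "albion", "albion2020"]


if __name__ == "__main__":
    print(wordlist_attack(LEAKED_DB, COMMON_PASSWORDS))
```

The two weak accounts fall within a handful of guesses each; the random password survives because the cost of the hash makes exhausting a 32-character space infeasible, not because of the salt. That is the whole argument for the advice that follows: the hash slows the attacker down, the uniqueness of your password is what actually stops them.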

The confirmation by Sandbox Interactive of a security breach came at approximately the same time that it was reported a hacker was offering the Albion Online database for sale on a hacking forum.

Sandbox Interactive is recommending that affected users update their password via the Albion Online website. My advice would be for affected Albion Online players to do so, but also to make sure they choose a strong, complex password and that they are not reusing it anywhere else on the internet.

That’s good advice whether there has been a security breach or not. All passwords should be hard-to-crack, hard-to-guess, and unique.

Using a good password manager can help ensure that passwords are chosen sensibly rather than dreamt up by the human brain, and that unique, secure choices are made.

Albion Online says that it is contacting affected users via email. Of course, a malicious hacker might be contacting affected users at the same time – using the stolen email address list – so please be on your guard.

According to Sandbox Interactive, the vulnerability used by the hacker to access the sensitive data from the Albion Online forum has been patched, and a full security review is under way.

Rapper Who Bragged About Defrauding US CARES Act Program Could Face Up to 22 Years in Prison

A rapper who bragged on YouTube about fleecing the US Pandemic Unemployment Assistance (PUA) program has been arrested for allegedly defrauding the government of $1.2 million in benefits, the Department of Justice (DOJ) disclosed on Friday.

According to a press release, Fontrell Antonio Baines, AKA “Nuke Bizzle,” is accused of fraudulently applying for unemployment benefits using the stolen identities of multiple individuals.

“Baines possessed and used debit cards pre-loaded with unemployment benefits administered by the California Employment Development Department (EDD),” the DOJ said.

“The debit cards were issued in the names of third-parties, including identity theft victims. The applications for these debit cards listed addresses to which Baines had access in Beverly Hills and Koreatown.”

During the investigation, the DOJ discovered 92 debit cards totaling over $1.2 million in illegally obtained benefits, including $704,000 that was withdrawn and used to purchase merchandise and services.

Baines added fuel to the fire when he bragged about his new-found fortune in a music video posted on YouTube and on two of his Instagram accounts.

“For example, Baines appears in a music video called ‘EDD’ in which he boasts about doing ‘my swagger for EDD’ and, holding up a stack of envelopes from EDD, getting rich by ‘go[ing] to the bank with a stack of these’ – presumably a reference to the debit cards that come in the mail,” the DOJ added.

Baines is charged with access device fraud, aggravated identity theft, and interstate transportation of stolen property. If found guilty, he could face a maximum sentence of 22 years in federal prison.

BBB Warns of Health Insurance Open Enrollment Scams

With health insurance open enrollment season just around the corner, US consumers preparing to change or add to their health coverage should watch out for scammers, the Better Business Bureau (BBB) warns.

According to the consumer protection organization, fraudsters call unsuspecting citizens and pose as official Medicare agents or “health care benefits advocates.”

During the phone call, these so-called agents will try to “sell” you a better Medicare program by offering the same benefits at a lower price. What do you need to do? Provide your personal information alongside your Medicare ID number, and you’re all set.

To ensure success, some scammers deploy petty scare tactics, insisting that your health insurance will be canceled unless you re-enroll. The “advisor” then offers a quick fix: share your personal information, and you will be set up with a renewed health insurance plan.

Consumers who hand over their Medicare ID number and other personally identifiable information may fall victim to identity theft.

How to protect against open enrollment scams

A seasoned fraudster can be very convincing, both in person and over the phone. However, you can safeguard your personal and financial information by paying attention to the most common red flags:

• Unsolicited emails or phone calls from individuals representing Medicare or ACA (Affordable Care Act) that ask for personal information. Usually, individuals already enrolled in a health insurance plan will not be contacted by Medicare advisors

• Professional health insurance providers will not threaten or seek to scare you into registering for specific health insurance plans

• Refuse any promotional gifts or free health screenings in exchange for your personal information

• Never provide your Medicare ID number, Social Security number, health plan details, or financial information by phone or email to unverified individuals

• When in doubt, hang up the phone and visit the official website of your health insurance provider for guidance

Having Saved Credit Card Details in Plaintext Since 2015, British Airways Is Fined £20 Million


  • British Airways broke data protection laws, and failed to detect attack for more than two months
  • Sensitive information left exposed with no encryption

British Airways has been fined £20 million (US $26 million) following a data breach which saw its systems hacked and the personal and payment card information of 400,000 customers stolen.

It’s the biggest fine ever handed out by the UK’s Information Commissioner’s Office (ICO), which – by comparison – smacked Facebook’s wrist for a mere £500,000 over the Cambridge Analytica scandal.

But many will consider that British Airways got away lightly, having initially faced a £183 million ICO fine over the breach which occurred in 2018.

British Airways’ fine may be the biggest on record, but it is still an almost 90% drop from what it could have been.

Announcing the final penalty, the ICO explained that it had taken into account representations from British Airways and “the economic impact of COVID-19 on their business.”

Reading between the lines, if British Airways’ fortunes hadn’t been hit so hard by the global pandemic, it would have been walloped with a far larger fine for its enormous security failure.

And British Airways’ failure was monumental.

Among the airline’s blunders identified in the ICO’s redacted report on the incident were:

  • a failure to enforce the use of multi-factor authentication (MFA) on accounts that provided remote access to British Airways’ internal systems.
  • a failure to prevent the exploitation of a Citrix vulnerability that allowed the attacker to launch unauthorised tools and scripts to conduct network reconnaissance.
  • the storage of login details (username and password) for a privileged domain administrator account in plaintext, giving the attacker “virtually unrestricted access to the relevant compromised domain.”

And perhaps most astonishingly of all, British Airways recklessly stored customers’ payment card details – including CVV numbers – as plaintext files.

Approximately 108,000 payment cards were available to the attacker because the data had been stored by British Airways with no encryption whatsoever.
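Finding plaintext card data before an attacker does is a scan any payment environment should run routinely. The scanner below is an added example, not code from the ICO report or from British Airways: it pulls 13- to 19-digit runs out of text (spaces or dashes between digits allowed), keeps only those that pass the Luhn check, labels the brand from the leading digits, and reports each hit masked so the scanner itself never copies a full PAN into a log. The sample text is constructed and uses publicly documented test card numbers; the field names in it are made up.

```python
"""Scan text for plaintext payment card numbers (PANs).

Added example, not code from the ICO report or British Airways. It pulls out
13- to 19-digit runs (spaces or dashes allowed between digits), keeps those
that pass the Luhn check, labels the brand from the leading digits and
reports them masked so the scanner itself never copies a full PAN anywhere.
The sample text is constructed and uses publicly documented test card numbers.
"""
import re

# 13-19 digits with at most one space or dash between neighbours; the
# lookarounds stop a longer digit run from being matched piecemeal.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of the kind of file a card processor must never have:
# PAN, expiry and CVV side by side in plaintext. Field names are invented.
SAMPLE_TEXT = """\
booking=BA1234 name=J Doe card=4111 1111 1111 1111 exp=12/24 cvv=123
booking=BA1235 name=A Smith card=5555-5555-5555-4444 exp=01/25 cvv=456
order_id=1234567890123 amount=45.00
phone=+44 20 7946 0000 ref=378282246310005
"""


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits):
    """Issuer from the leading digits and length; None if unrecognised."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "amex"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    return None


def mask(digits):
    """First six and last four only, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (brand, masked PAN) for every Luhn-valid card number in text."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append((brand(digits) or "unknown", mask(digits)))
    return found


def cvv_alongside(text):
    """Lines holding both a valid PAN and a CVV field: the worst case, since
    the CVV may never be stored at all once a transaction is authorised."""
    return [line for line in text.splitlines()
            if find_pans(line) and re.search(r"\bcvv\s*=\s*\d{3,4}\b", line, re.I)]


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(hit)
    print(len(cvv_alongside(SAMPLE_TEXT)), "lines also carry a CVV")
```

About one in ten random digit runs of the right length passes Luhn by chance, which is why the 13-digit order number above is rejected by the checksum and why the brand label is worth keeping for triage. Point the same functions at log directories, file shares and database exports; anything the scanner finds should be reported masked and the source file handled as cardholder data from that moment.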

These failures, alongside the planting of malicious Magecart skimming code on the airline’s payment webpage, which stole the personal and payment card details of hundreds of thousands of travellers as they made bookings via BA’s website and mobile app, led ultimately to today’s record fine.

Yes, £20 million is nothing like as big as the £183 million fine that British Airways was originally facing. But it is still the largest fine ever meted out for a data breach in the UK, and will hopefully go some way towards making other companies put more effort into securing their systems.
