Last week, breaches and cyberattacks hit several industries, from life insurance and semiconductors to finance and the public sector. Consequences of earlier breaches also came to light: the Play ransomware attack on Xplain leaked 65,000 Swiss Federal government documents, and UniCredit was fined $3.1 million by Italy's privacy watchdog over a 2018 breach. New vulnerabilities were disclosed and patches released for them; being aware of them is not enough, so apply the updates as soon as possible. Read on for a quick summary of what happened this week in cybersecurity.
American Express customer data exposed in third-party breach. American Express is warning customers that their card data was exposed after a hack at a merchant processor that handled American Express Card member transactions. In a data breach notification filed with the state of Massachusetts, the company warned that account information may have been compromised. The exposed data includes credit card account numbers, names and card expiration dates. It is not yet clear how many customers are affected, which merchant processor was breached, or when the attack occurred. American Express stated that it has begun investigating the breach and has notified the relevant authorities, and that cardmembers will not be held responsible for fraudulent purchases made with their cards. Customers are advised to review their statements regularly for the next 12 to 24 months and report any suspicious activity, to enable instant fraud and purchase notifications in the American Express mobile app, and to request a new card number if their card details were stolen so that the old number cannot be used by bad actors.

Canada's anti-money laundering agency hit by a cyberattack: forced to go offline. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), the Canadian government's financial intelligence unit, announced that it had taken its corporate systems offline as a precaution in response to a "cyber incident". In a statement on its website, the agency said that its intelligence and classified systems were not accessed. FINTRAC is working with federal partners to restore operations and strengthen its defences against similar incidents.
Fidelity Investments Life Insurance Company (FILI) informs roughly 28,000 individuals of data breach. FILI is notifying 28,268 individuals that their personal information was compromised in a breach at its third-party services provider, Infosys McCamish Systems (IMS). In its notification letter, FILI noted that the threat actor obtained information held by IMS about the individual and their policy. The compromised information may include names, birthdates, state of residence, social security numbers, bank account and routing numbers, and credit card numbers; because the investigation is still ongoing, FILI cannot yet determine with certainty exactly what personal information was accessed. Affected individuals are offered two years of free credit monitoring.

Switzerland reports that the Play ransomware attack resulted in 65,000 government documents leaked. Switzerland's National Cyber Security Centre (NCSC) released the findings of its investigation into the data breach at Xplain, a Swiss technology and software provider to several Swiss government departments, following a ransomware attack by the Play gang. Of the approximately 1.3 million files published by Play, about 5% (65,000 documents) are relevant to the Federal Administration. Of those, 95% belong to administrative units of the Federal Department of Justice and Police (the Federal Office of Justice, the Federal Office of Police, the State Secretariat for Migration and the internal IT service centre), and 3% to the Federal Department of Defence, Civil Protection and Sport. Around 5,000 documents contained sensitive content: personal data (names, email addresses, telephone numbers and postal addresses), technical details, classified information and account passwords. A smaller set of a few hundred files contained IT system documentation, software or architectural data, and passwords.

Jersey finance regulator suffers a data breach, allowing access to nonpublic names and addresses. The Jersey Financial Services Commission (JFSC) disclosed a data breach in which nonpublic names and addresses were accessed. The regulator stated that it detected a vulnerability in its registry system on 23 January 2023 and took action to resolve it. A forensic review conducted with an independent cybersecurity partner found that the vulnerability was caused by a misconfiguration in the third-party-supplied registry system. In an update on its website, the JFSC said that its corporate network was not compromised and that the exposed data did not link any individual to a specific registered entity or role held; however, 66,806 individuals had their names and addresses accessed where these were not already public on the register.

North Korea hacks 2 South Korean chip firms and steals engineering data. South Korea's National Intelligence Service (NIS) warns that North Korean hackers are targeting domestic semiconductor manufacturers. According to NIS, these attacks have increased since the second half of 2023 and continue, with the attackers exploiting flaws in internet-exposed servers to gain access to corporate networks. NIS said that in December 2023 and February 2024 at least two separate companies were attacked, with their configuration management and security policy servers compromised and sensitive data such as product design drawings and facility site photographs stolen. The two victims were not named. NIS assesses that the campaign aims to collect technical data that North Korea could use to develop its own chip-making capability, which in turn could support its weapons development.
Italy's privacy watchdog fines UniCredit $3.1 million for data breach. Italy's data protection authority has fined UniCredit, Italy's second-largest bank, US$3.1 million over a 2018 data breach of its mobile banking platform that exposed data of approximately 788,000 customers and former customers, including names, tax codes and other identification codes. The bank said it will appeal the decision in court, arguing that no bank data was compromised and that the incident was resolved immediately. The authority stated that the sanction took into account the large number of people involved and the seriousness of the breach, as well as the bank's timely adoption of corrective measures.

Apple fined $1.95 billion by the European Commission for "abusive" App Store rules. The European Commission has fined Apple US$1.95 billion for abusing its dominant position in the distribution of music streaming apps to prevent developers from promoting cheaper services outside the app. The Commission found that Apple imposed restrictions preventing developers from informing iOS users about alternative, cheaper music subscription services available outside the app, which is illegal under EU antitrust rules. The investigation began after complaints from Spotify and an e-book/audiobook distributor about two App Store policies: (1) a 30% commission on all subscriptions sold through Apple's in-app purchase system, and (2) a ban on developers promoting cheaper membership options outside the app. The Commission noted that market dominance is not itself illegal under EU antitrust rules, but that dominant companies have a special responsibility not to abuse their position.

Apple responded that the Commission has found no evidence of consumer harm or anti-competitive behaviour, and that Spotify is the primary beneficiary of the decision even though it chose not to promote in-app subscriptions despite being behind the initial complaints. Apple added that Spotify runs the largest music streaming app in the world, met with the Commission more than 65 times during the investigation, holds 56% of Europe's music streaming market, and pays Apple nothing for the services that helped it become one of the most recognisable brands in the world. Apple also credited its App Store for Spotify's popularity, noting that Spotify uses Apple's tools and technology to build, update and distribute its app to Apple users worldwide. Apple said it respects the Commission's decision but will appeal the fine.

Apple releases emergency security updates to fix 2 zero-day vulnerabilities. Apple released emergency security updates for two iOS zero-day vulnerabilities, tracked as CVE-2024-23225 and CVE-2024-23296, that are being exploited in attacks on iPhones. Both flaws allow an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections, so they are typically chained with another bug rather than used on their own. Apple addressed the flaws in iOS 17.4, iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. The list of impacted devices includes:
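Because the fix for CVE-2024-23225 and CVE-2024-23296 shipped on two release branches (17.4 and 16.7.6), a naive "version is at least 17.4" check would wrongly flag every patched 16.7.6 device as vulnerable. The script below, an added example and not code from the original post or from Apple, compares each device's reported OS version against the fixed version of its own branch. The device inventory is constructed sample data with hypothetical device names, and the handling of branches the advisory does not mention (older than 16.x, or newer than 17.x) is an assumption noted in the comments.

```python
"""Flag Apple devices still exposed to CVE-2024-23225 / CVE-2024-23296.

Added example, not from the original post. The fixed versions come from the
advisory summarised above (iOS/iPadOS 17.4 and 16.7.6).
"""
from typing import List, Tuple

# Fixed version per release branch, keyed by major version.
FIXED_VERSIONS = {
    17: (17, 4),
    16: (16, 7, 6),
}

# Constructed sample inventory: (device name, reported OS version).
SAMPLE_INVENTORY = [
    ("iphone-ops-01", "17.4"),
    ("iphone-ops-02", "17.3.1"),
    ("ipad-field-07", "16.7.6"),
    ("ipad-field-08", "16.7.5"),
    ("iphone-exec-03", "17.4.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.7.6' into (16, 7, 6); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts


def is_patched(version: str) -> bool:
    """True if this version carries the fix for its own release branch."""
    v = parse_version(version)
    major = v[0]
    if major > max(FIXED_VERSIONS):
        # Assumption: a newer major line (e.g. a future 18.x) already has the fix.
        return True
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        # Assumption: branches the advisory does not cover (15.x and older) are
        # treated as unpatched, which is the conservative choice for a fleet check.
        return False
    # Tuple comparison: (16, 7, 5) < (16, 7, 6), and (17, 4, 1) >= (17, 4).
    return v >= fixed


def required_fix(version: str) -> str:
    """Version the device needs to reach, or guidance if its branch has no fix."""
    fixed = FIXED_VERSIONS.get(parse_version(version)[0])
    if fixed is None:
        return "no fix on this branch; move to a supported release"
    return ".".join(str(n) for n in fixed)


def exposed_devices(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, current version, required version) for each unpatched device."""
    return [
        (name, version, required_fix(version))
        for name, version in inventory
        if not is_patched(version)
    ]


if __name__ == "__main__":
    for name, version, needed in exposed_devices(SAMPLE_INVENTORY):
        print(f"{name}: running {version}, needs {needed}")
```

A device exported from an MDM inventory as (name, version) pairs can be passed straight to exposed_devices; malformed version strings raise ValueError rather than being silently treated as patched.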
That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED