The Week in Breach News: 09/06/23 – 09/12/23
This week: Ransomware leads to sensitive military data exposure in the UK and a cyberattack knocks out MGM Resorts.
Johnson & Johnson
Johnson & Johnson: Pharmaceutical Company
Risk to Business: 1.676 = Severe
Pharma and medtech conglomerate Johnson & Johnson has experienced a data breach that impacts consumers who use its CarePath platform. IBM, the developer of the platform, notified customers that their data may have been accessed by unauthorized parties after the pharma giant discovered an exploitable flaw. IBM fixed the problem and investigated the incident. That investigation showed that bad actors had snatched data from users who enrolled before July 2023. The stolen data includes a user’s full name, contact information, date of birth, health insurance information, medication information and medical condition information. IBM is offering a free year of credit monitoring to those who may be affected by the incident.
How It Could Affect Your Business: Companies need to be prepared for a supply chain or third-party data breach.
Sabre: Travel Booking Platform
Risk to Business: 1.832 = Severe
Major travel booking platform Sabre has experienced a data breach caused by a ransomware attack. The Dunghill Leak ransomware group claimed responsibility for the attack. The gang said on its dark web leak site that it had stolen 1.3 terabytes of data, including databases on ticket sales and passenger turnover, employees’ personal data and corporate financial information. The group posted several screenshots as proof of the July 2023 hack. Some included passport images, employee records and tax forms. The incident is under investigation.
How It Could Affect Your Business: Companies that hold a wide variety of data like personal data and financial data are very attractive targets.
Freecycle: Consumer Goods Exchange Platform
Risk to Business: 2.873 = Moderate
Freecycle, a nonprofit organization that enables members to exchange reusable items to prevent them from ending up in landfills, has disclosed a data breach that may impact seven million people. The company said that some user data was stolen in the attack, including usernames, user IDs, email addresses and passwords. Freecycle said that it became aware of the data breach on August 30, 2023, although its data has been available on the dark web since May 2023.
How It Could Affect Your Business: It’s not a good look for an organization to go months without discovering that its data is available on the dark web.
MGM Resorts: Hotel & Casino Operator
Risk to Business: 1.210 = Extreme
MGM Resorts, operator of hotels like the MGM Grand in Las Vegas, has announced that it is experiencing a cyberattack that drastically impedes its business. Major systems are impacted at its hotels and casinos as well as online, including its main website, online reservations, and in-casino services, like ATMs, slot machines and credit card machines. Some guests reported problems with room keys. MGM said that the attack began on September 10, and systems remained down as of September 11.
How It Could Affect Your Business: This is a huge, expensive disaster for MGM, with the cyberattack impacting not only its hotel business but its casinos too.
United Kingdom – Zaun
Zaun: Fencing Manufacturer
Risk to Business: 1.673 = Severe
The LockBit ransomware gang is responsible for an August 2023 ransomware attack on UK fencing company Zaun that may have resulted in sensitive military data becoming exposed. The company, a contractor for the Ministry of Defence, said that the breach occurred through a Windows 7 PC that was running software for one of its manufacturing machines. Zaun says that nothing was encrypted but confirmed that LockBit has stolen some very sensitive data. Reports say that the group accessed information that could help bad actors access HMNB Clyde nuclear submarine base, Porton Down chemical weapons lab and a GCHQ listening post. Detailed drawings of other military sites and high-security prisons were also included among the stolen data. LockBit demanded payment by August 29. When that deadline passed, the gang began publishing data on its dark web leak site.
How It Could Affect Your Business: A successful cyberattack or data security incident impacting a government contractor can have major repercussions.
Holland – NXP Semiconductors
NXP Semiconductors: Technology Manufacturer
Risk to Business: 2.612 = Moderate
Dutch semiconductor company NXP has informed customers that they may have had their personal information exposed in a data breach. The affected customers appear to have an online NXP account, which provides access to technical content and community support. The exposed data includes customers’ full names, email addresses, postal addresses, business phone numbers, mobile phone numbers, company names, job titles and descriptions and communication preferences. The hack occurred on July 11, 2023, and was discovered by NXP a few days later on July 14. It remains under investigation.
How It Could Affect Your Business: Specialized information like job titles can help bad actors conduct more effective spear phishing operations.
Australia – Dymocks
Risk to Business: 1.802 = Severe
Dymocks, a venerable bookstore chain, has announced that it experienced a data breach that may impact 836k customers. The company discovered the hack after researchers informed it that its customer data had appeared on the dark web on September 6, 2023. The company said that it sees no intrusion of its own systems and contends that the data may have come from a third-party service provider. The exposed data includes a customer’s full name, date of birth, email address, postal address, gender and specialty membership details (gold expiry date, account status, account creation date, card ranking). The company says the incident has been reported to the relevant authorities and it remains under investigation.
How It Could Affect Your Business: Companies can still be in for a world of trouble if their data is stolen from one of their service providers.
Australia – TissuPath
Exploit: Supply Chain Attack
TissuPath: Pathology Laboratory Chain
Risk to Business: 2.382 = Severe
TissuPath is investigating a data security incident that led to the exposure of sensitive health data going back a decade. The company says that the data was exposed due to one of its storage drives being illegally accessed by compromised user accounts at one of its service providers. TissuPath stressed that its main database and reporting system that stores patient diagnoses was not compromised. Stolen data includes scanned pathology request forms with information such as patient names, dates of birth, contact details, Medicare numbers and private health insurance details. The BlackCat/ALPHV group has claimed responsibility, claiming that it stole 446GB of data which has been published on the dark web.
How It Could Affect Your Business: Supply chain risk has been steadily increasing for organizations, and they need to take action now to mitigate it.