Carnival: The cruise operator on Thursday announced in a letter to its customers that it had discovered “unauthorized third-party access to a limited number of e-mail accounts” in mid-March, which may contain certain personal data of guests, employees and crew members on its Carnival Cruise Line, Holland America Line and Princess Cruises. Information potentially compromised included social security numbers, passport numbers, dates of birth, addresses, and health information.
Carnival said it “acted quickly to prevent … further unauthorized access,” hired a cybersecurity firm to investigate the matter and notified the relevant authorities. “There is evidence that the likelihood of misuse of the data is low,” said the company.
In August 2020, the company announced in a government filing that it had discovered a ransomware attack that had also resulted in “unauthorized access to personal data of guests and employees”. The hackers had accessed and encrypted part of the cruise line’s IT systems and downloaded some of its data files.
Wegmans: The grocery chain alerted customers on Wednesday to a security incident “due to a previously undiscovered configuration problem” in which two of its cloud databases, which were intended for internal business purposes, were “inadvertently exposed to potential outside access”. Affected customer information included names, addresses, phone numbers, dates of birth, club numbers, email addresses and passwords for Wegmans.com accounts.
Wegmans said it was first informed of the vulnerability by an outside security researcher.
In response, the company said it worked with a forensics company to investigate the matter. “We have since corrected the configurations and saved all affected information,” said Wegmans. “We have also taken steps to avoid similar problems in the future.”
McDonald’s: The fast food giant confirmed on June 11, after the Wall Street Journal reported it, that hackers had accessed “a small number of files” that contained the names, emails, phone numbers and addresses of customers and employees in the United States, South Korea and Taiwan. McDonald’s stated that hackers could use a phishing email to gain unauthorized access to an internal security system.
Volkswagen: Volkswagen Group of America announced on June 11 in data breach notifications filed in California and Maine that an unauthorized third party had obtained certain personal customer data. The company was made aware of the problem in May.
Volkswagen said it believed the data was obtained when a provider used by Audi, Volkswagen and some authorized dealers in the US and Canada “left electronic data unsecured sometime between August 2019 and May 2021”.
CVS: The retail pharmacy this week confirmed an incident that exposed more than a billion records of sensitive information.
On March 21, security researcher Jeremiah Fowler and an investigative team from WebsitePlanet discovered “a non-password-protected database containing more than a billion records” linked to CVS Health.
When CVS Health was notified of the vulnerability, it took immediate action that same day and restricted public access. According to CVS, the database was maintained by a provider on behalf of CVS Health.
“We are not implying any wrongdoing by CVS Health, its contractors or suppliers,” wrote Fowler. “We also don’t imply that customers, members, patients, or website visitors were at risk. … We’re just highlighting our discovery to raise cybersecurity awareness that something as simple as search logging and a misconfigured database can potentially collect and disclose data.”
Broader lessons
When a security incident is discovered by an outside party, the victim company often indicates quickly that the likelihood of misuse of the stolen data is low. That misses the point. As Fowler noted, “Each information record serves as a piece of the puzzle to provide a fuller picture of an organization’s network or data storage practices.”
Anurag Kahol, chief technology officer and co-founder of the cloud security company Bitglass, added that disclosing sensitive data “is more than enough for hackers to launch targeted phishing attacks against those affected, and underscores the importance of keeping everyone safe Records.”
For example, in the case of CVS Health, while proprietary health information was not directly disclosed, “the information disclosed could be cross-referenced for email phishing campaigns or social engineering-style hacks,” said Stephan Chenette, co-founder and chief technology officer of the security optimization platform AttackIQ. “Organizations that manage sensitive health data need to be proactive to protect their data.”
“Robust, flexible, and versatile cybersecurity platforms that prevent data leaks; authenticate all users; and monitor their behavior are essential to defending business operations and securing resources,” says Kahol. “Following cybersecurity best practices and implementing mandatory employee training can also help minimize additional attack vectors and enforce stricter security standards.”
The incidents at Volkswagen and CVS also highlight third-party cyber security gaps.
“CVS Health’s disclosure of over a billion records underscores the importance of protecting sensitive customer information and ensuring that your company and any third-party vendors involved in security and cloud migration are in place,” said David Pickett, Senior Cyber Security Analyst at the cloud solution provider Zix | AppRiver.
“Another component to consider when working with third-party vendors who have access to corporate data is reviewing and understanding the vendor’s agreements on security practices,” said Pickett. “These solutions will help prevent companies from becoming another statistic in a long list of companies whose data has been disclosed online.”
source https://collegeeducationnewsllc.com/big-week-for-breaches-mcdonalds-carnival-and-more-article/