The most significant data breaches in 2018. Part Two (July-December)
In the first part of this review of 2018 leaks, I covered the most significant data leaks of the first half of the year; now it is time for the second part.
As mentioned earlier, only major data leaks from around the world are included in the review, and the month of each incident is given by the time of its disclosure (public announcement), not by the time it occurred.
Let's see how the second half of the year proceeded ...
Personal data of 1.3 million customers of UK online fashion stores (brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, Dirty Little Style Bitch and Traffic People) served by Fashion Nexus and its subsidiary White Room Solutions was leaked.
Names, dates of birth, phone numbers, email addresses, and MD5 and SHA-1 password hashes were exposed.
An American retail chain warned customers with accounts on the retailer's website that unknown people had gained access to these accounts.
After logging into an account, the attackers obtained customer data such as the full name, address, telephone number, email address, date of birth, payment card number and expiration date.
Level One Robotics and Controls
A misconfiguration of rsync, a program designed for remote backup and file synchronization, led to the leak of 157 gigabytes of confidential information from automakers such as Toyota, Tesla, GM, Ford, VW and many others.
The data was left openly accessible by the Canadian robot manufacturer Level One Robotics and Controls.
The leak included assembly line schematics, plans and shop layouts, robot configurations, personnel access forms, non-disclosure agreements, personal data and documents (driving licenses, passports) of some Level One Robotics and Controls employees, invoices, contracts and banking information.
In Singapore, hackers broke into a database of patients who visited the SingHealth clinic network from May 1, 2015 to July 4, 2018.
The names, addresses, gender, race and dates of birth of more than 1.5 million people were stolen.
In addition, data on the medical prescriptions of 160 thousand people was stolen.
Attackers took advantage of a vulnerability in the computer network of the largest Spanish operator, Telefonica, and managed to get all the personal data of millions of the company's customers. Telefonica is one of the 10 largest telecommunications companies in the world.
Leaked data includes names, contact information, contact numbers, payment data, and everything else that a standard bill for communication services contains.
Telefonica customer data could easily be downloaded as an unencrypted spreadsheet (CSV).
The Timehop service, which collects "memories" from social networks, disclosed a leak of data on 21 million users.
User names, email addresses and social network authorization tokens were leaked.
A small number of entries included the name, phone number and email address; a slightly larger number, the name and phone number; and a larger number still, the name and email address.
This leakage was made possible by the compromise of an administrator account for accessing the cloud computing environment.
Huazhu Hotels Group
Data leaks from Chinese hotels affected about 130 million people.
13 hotels owned by the management company Huazhu Hotels Group suffered leaks of customer data.
A 192 GB MongoDB database file owned by one of ABBYY’s customers and containing more than 200 thousand scanned documents was freely available.
The database contained contracts, confidentiality agreements, letters, internal documentation and other documents recognized using ABBYY OCR.
Records of 14.8 million Texas voters were publicly available. A total of 19.3 million voters are registered in Texas. A database file of about 16 GB was simply left on an open server.
The database was originally collected by the analytical company Data Trust, which serves the Republican Party.
Personal data (names, e-mail addresses, postal addresses, etc.) leaked from 2 million accounts of the US mobile operator T-Mobile.
The data leak was caused by an error in the code that connects the Apple online store to the T-Mobile server responsible for checking user accounts. The check function allowed an unlimited number of attempts with user-supplied data, which allowed attackers to search through PIN codes and the last 4 digits of the social security number.
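One way to close the gap described above, as an added example that is not T-Mobile's or Apple's code: a verification check that caps failed attempts per account, so a four-digit value cannot be searched exhaustively. The class name, the limits and the sample account are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy: failed checks allowed per window
LOCKOUT_SECONDS = 15 * 60   # assumed length of the lockout window


class AccountVerifier:
    """Checks a 4-digit secret (PIN or SSN last-4) with a per-account failure cap."""

    def __init__(self, secrets, clock=time.monotonic):
        self._secrets = secrets    # account id -> 4-digit string (constructed sample data)
        self._clock = clock        # injectable so the lockout window can be tested
        self._failures = {}        # account id -> (failure count, time of first failure)

    def check(self, account, guess):
        now = self._clock()
        count, since = self._failures.get(account, (0, now))
        if count and now - since >= LOCKOUT_SECONDS:
            count, since = 0, now              # window expired, start counting again
        if count >= MAX_FAILURES:
            return "locked"                    # refuse without evaluating the guess
        expected = self._secrets.get(account, "")
        # Constant-time comparison; unknown accounts fail like a wrong guess.
        if expected and hmac.compare_digest(expected.encode(), guess.encode()):
            self._failures.pop(account, None)
            return "ok"
        self._failures[account] = (count + 1, since)
        return "denied"


def comparisons_before_lockout(verifier, account, candidates):
    """Return how many submitted values the service actually compared."""
    evaluated = 0
    for guess in candidates:
        result = verifier.check(account, guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

With these limits, at most 5 of the 10,000 possible four-digit values are compared per window. Per-account lockout can also be triggered by a third party against a legitimate user, so it is normally paired with per-client throttling and alerting on repeated failures.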
Facebook officially confirmed the data leakage of 50 million accounts, with up to 90 million accounts potentially affected.
Hackers were able to access the profiles of the owners of these accounts thanks to a chain of at least three vulnerabilities in the Facebook code.
In addition to Facebook itself, services that used accounts of this social network for authentication (Single Sign-On) were also affected.
More than 10 million records containing user names, phone numbers and mailing numbers were stolen from the Cainiao Network company, which is part of the Alibaba Group holding.
It was discovered that the attackers had installed malware in barcode scanners that stole personal data. The stolen data was then resold on the black market.
A MongoDB database owned by the company Veeam was discovered openly accessible in the Amazon cloud.
The 200 GB database contained 445 million records containing names, email addresses and in some cases IP addresses. Data was collected for the period from 2013 to 2017.
An error in the API of the Google+ social network allowed developers to access data of 500 thousand users, such as logins, email addresses, place of work, dates of birth, profile photos, etc.
Google claims that none of the 438 developers who had access to the API knew about this error or could have used it.
An online archive of Sberbank files containing official documents on the integration of software development and operation processes, in particular data on checks of the bank's systems, was found on the Internet.
In addition, an openly available CSV file with an Active Directory export, containing the names and e-mail addresses of approximately 420 thousand Sberbank employees, was published.
Sberbank itself does not consider this incident a leak. However, the bank notified the European Commission of the incident, as the compromised information included data of EU citizens.
A social knowledge-sharing service reported a data leak of 100 million user accounts.
An external intrusion into the service's systems was discovered, which exposed: names, email addresses, hashed passwords, data from connected networks (Facebook, Google); public content, including questions, answers, comments and upvotes; non-public content, including answer requests, communication between users and downvotes.
Marriott International stated that hackers gained access to the Marriott-Starwood Hotels database, which contains personal customer data from 2014 to the present.
In total, the data of 500 million guests who used the services of Starwood Hotels leaked; 327 million of the leaked records contain passport numbers, email addresses, postal addresses, and in some cases even bank card details.
American Express India
The American Express payment system allowed the personal data of 2.3 million Indian customers to leak through a MongoDB database that was freely accessible.
The database contained Aadhaar identifiers (the unique identifier of a citizen of India), names, email addresses, addresses, names of relatives, account numbers.
Nixi Technology
The Chinese company Nixi Technology, which produces the Boomoji mobile app for creating animated 3D avatars, left two Elasticsearch databases publicly accessible with personal data of 5.3 million users of the iOS and Android versions of Boomoji worldwide.
In addition to the data provided directly by the application users themselves (user name, age, gender, country, phone model, and even the name of the institution), the databases stored 125 million contacts from their address books (a copy of the phone numbers), as well as location history for 375 thousand users.
On December 5, unknown persons gained access to a French Foreign Ministry database containing emergency contacts (names, email addresses and phone numbers) for all (540 thousand) citizens registered in the Ariane system.
Ariane is an online service, created in 2010, which allows French citizens traveling to “unsafe” countries to notify the country's foreign ministry.
Data & Leads
Another leak of US voters' personal data. The open Elasticsearch database contained almost 60 million records containing names, surnames, email addresses, home addresses, phone numbers and IP addresses. The total amount of data exceeded 73 GB.
The database is most likely owned by a Canadian company, Data & Leads, which collects and processes data.
The names, addresses, passwords, phone numbers and other personal data of 32 million customers of the Brazilian pay-TV and mobile Internet operator Sky Brasil were found in a freely accessible Elasticsearch database.
Freeze Pro Shop
The Scottish online ski equipment store Freeze Pro Shop leaked 4 million records with personal data of its customers (names, email addresses, postal addresses, phone numbers and order details) by leaving an Elasticsearch database publicly available.
Another Google+ vulnerability caused a data leak affecting 52.5 million users.
The vulnerability allowed applications to retrieve information from user profiles (name, email address, gender, date of birth, age, etc.), even if this data was private. In addition, through the profile of one user it was possible to receive data from other users.
Regular news about individual data leaks is promptly published on the Information Leaks channel.