January 21, 2021
By: Kim Morgan
Tiger King, Megxit, toilet paper, murder hornets, COVID-19, Quibi, and for once, instead of cake being a lie EVERYTHING WAS CAKE are just a few of the most bonkers parts of 2020. With all that, it is no wonder that major cybersecurity breaches barely cracked the headlines. Unfortunately, we know at least 36 billion data records were exposed in 2020.
Today we will look at a rundown of some of the most major breaches of the first quarter of 2020 and examine the weakness in cybersecurity that led to those hacks.
In January of 2020, 30 million records containing customers’ details were put up for sale by hackers on Joker’s Stash, the internet’s largest carding fraud forum. The hackers obtained the data with malware installed on Wawa’s POS (point-of-sale) systems, which collected the card details of customers who bought goods at any of its 860 locations.
The most troubling part? The malware ran from March of 2019 to December 2019 undetected. This prolonged infection period, along with a massive compromise of hundreds of different locations, appears to have allowed the criminal group behind this hack to amass a huge trove of payment card details.
“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time,” Gemini Advisory said today when describing the breadth of the Wawa breach.
Gemini Advisory said that after analyzing the data, the Wawa card dump appears to include “30 million US records across more than 40 states, as well as over one million non-US records from more than 100 different countries.”
Though, like the Wawa breach, this breach occurred in 2019, the details were not made public until January of 2020. From December 5 to December 31, an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections.
This database consisted of 5 servers that appeared to have the same data stored on each. These servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Luckily, Microsoft said that most of the records didn’t contain any personal user information.
So what went wrong? Microsoft is a tech behemoth; surely it has systems in place to prevent even 10 records from being exposed? Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, 2019. This underscores the fact that security breaches can happen to anyone, no matter how safe the environment seems.
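The misconfiguration Microsoft describes is the kind of thing a rule audit catches before deployment. As an added example that is not code from Mindsight or Microsoft, and not a description of the actual rules involved in this incident, the Python below audits Azure-style network security group (NSG) rules for data-store ports reachable from the open internet and rewrites the offending rules to be virtual-network-scoped. Field names follow Azure NSG rule properties (priority, direction, access, sourceAddressPrefix, destinationPortRange); the rule set and the list of sensitive ports are constructed, and the evaluation model is simplified to first-match-wins by priority for a source on the public internet.

```python
"""Audit Azure-style NSG rules for internet exposure of data-store ports.
Field names mirror Azure NSG rule properties (priority, direction, access,
sourceAddressPrefix, destinationPortRange). Every rule below is constructed
sample data, not a real configuration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # sourceAddressPrefix: "*", "Internet", a CIDR or a service tag
    dest_ports: str    # destinationPortRange: "443", "9200-9300", "22,3389" or "*"


# Source prefixes that any host on the internet can match
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed list of ports that should never be open to the internet
DATA_PORTS = [22, 1433, 3306, 5432, 6379, 9200, 27017]


def port_matches(spec: str, port: int) -> bool:
    """True if a destinationPortRange spec covers the given port."""
    if spec.strip() == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif part and int(part) == port:
            return True
    return False


def effective_inbound(rules: List[Rule], port: int) -> Tuple[str, Optional[str]]:
    """Decide what an internet host gets on `port`: first matching inbound rule
    in ascending priority order wins. With no match, Azure's default rules deny
    inbound traffic from the internet, so the fallback is Deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound" or not port_matches(rule.dest_ports, port):
            continue
        if rule.source in OPEN_SOURCES:
            return rule.access, rule.name
        # A VNet-, tag- or CIDR-scoped rule does not match an arbitrary internet
        # host, so keep scanning the lower-priority rules.
    return "Deny", None


def find_exposures(rules: List[Rule], sensitive_ports: List[int]) -> List[Tuple[int, str]]:
    """(port, rule name) for every sensitive port the open internet can reach."""
    exposures = []
    for port in sensitive_ports:
        access, name = effective_inbound(rules, port)
        if access == "Allow":
            exposures.append((port, name))
    return exposures


def restrict_to_vnet(rules: List[Rule], sensitive_ports: List[int]) -> List[Rule]:
    """Rewrite any internet-open Allow rule touching a sensitive port so that it
    only admits traffic from the virtual network."""
    fixed = []
    for r in rules:
        if (r.access == "Allow" and r.source in OPEN_SOURCES
                and any(port_matches(r.dest_ports, p) for p in sensitive_ports)):
            r = Rule(r.name, r.priority, r.direction, r.access, "VirtualNetwork", r.dest_ports)
        fixed.append(r)
    return fixed


# Constructed rule set with the shape of the failure: a search-cluster port range
# opened to everyone instead of to the virtual network.
MISCONFIGURED = [
    Rule("AllowHTTPS", 100, "Inbound", "Allow", "Internet", "443"),
    Rule("AllowSSHFromVnet", 150, "Inbound", "Allow", "VirtualNetwork", "22"),
    Rule("AllowSearchFromAnywhere", 200, "Inbound", "Allow", "*", "9200-9300"),
    Rule("DenyAllInbound", 4096, "Inbound", "Deny", "*", "*"),
]

if __name__ == "__main__":
    print("before:", find_exposures(MISCONFIGURED, DATA_PORTS))
    print("after: ", find_exposures(restrict_to_vnet(MISCONFIGURED, DATA_PORTS), DATA_PORTS))
```

Run against the rules a deployment is about to push (for example, exported from the template or the CLI) and fail the pipeline on any exposure; the fix function is only a starting point, since a port that must be reachable from a specific partner network needs a CIDR rule rather than a service tag.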
The Department of Defense Defense Information Systems Agency (DOD DISA)
The Defense Information Systems Agency (DISA), a Department of Defense (DOD) agency tasked with providing secure telecommunications and IT support for the White House, US diplomats, and military troops, disclosed a data breach earlier this year. The incident took place between May and July of 2019 but wasn’t publicized until February of 2020.
DISA claimed that personal information of their employees, including social security numbers, was exposed during that timeframe, but did not specify how many individual records were compromised. DISA employs around 8,000 military and civilian employees, according to Reuters, which first spotted the notification letter in February.
No other details were provided about the breach, including how the attackers broke into the system or whether it was an internal or external attack.
On January 30, security researcher Jeremiah Fowler discovered a database online that contained what he says was “a massive amount of records.” That internet-facing database had no password protection in place, contained a total of 440,336,852 records, and was connected to the New York-based cosmetics giant, Estee Lauder.
Hackers entered the system of Estee Lauder (which includes subsidiaries MAC and Clinique) through a training platform used by employees. This platform was not customer facing and did not contain any customer data.
“The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more,” Fowler says. “As soon as I saw email addresses, I was able to validate these were real people and immediately contacted Estee Lauder.”
According to his report on the incident, Fowler found 440,336,852 logs and records that should not have been in the public domain, including user email addresses and references to reports and other internal documents. Fowler said IP addresses, ports, and storage information that “cybercriminals could exploit to access deeper into the network” were also exposed.
The data exposed pertained to “middleware”. Middleware is the software that provides common services and capabilities to applications outside of what’s offered by the operating system. Common middleware examples include database middleware, application server middleware, message-oriented middleware, web middleware, and transaction-processing monitors.
“A danger of this exposure is the fact that middleware can create a secondary path for malware,” Fowler says, “through which applications and data can be compromised.” In this case, anyone with an internet connection could see what versions or builds were being used, the paths, and other information that could, Fowler explains, “serve as a backdoor into the network.”
Many people aren’t familiar with who Clearview is, but are quite familiar with what they do. Clearview AI, a facial recognition software maker, suffered a data breach in late February of 2020. The data stolen included its entire list of customers, the number of searches those customers had made, and how many accounts each customer had set up.
Clearview’s clients are mostly law enforcement agencies, with police departments in Toronto, Atlanta and Florida all using the technology. The company has a database of 3 billion photos that it collected from the internet, including websites like YouTube, Facebook, Venmo and LinkedIn.
Clearview maintained that none of their image databases were hacked. “Unfortunately, data breaches are part of life in the 21st century,” said Tor Ekeland, the company’s attorney. “Our servers were never accessed. We patched the flaw and continue to work to strengthen our security.”
No details about how the system was breached were released.
This hack is just another in a growing trend of hackers treating personal data as a commodity they can peddle. Experts speculate that the photo database and AI technology make it a prime target for hackers.
The massive hotel chain suffered a breach between mid-January 2020 and about the end of February 2020, which was reported in March of 2020. The breach affected the records of 5.2 million guests who use the company’s loyalty app, Bonvoy.
The hacker(s) had direct access to loyalty data such as contact information, loyalty account info, personal details (company name, birthday, gender), partnerships and affiliations (linked airline data), and personal preferences (stay/room preferences and language preferences).
However, Marriott claims that the hacker did not gain access to account passwords, PINs, payment information, passport information, or driver’s license numbers. Marriott also launched a web portal where the app’s users can check whether they are among the 5.2 million users affected by the breach and what data the hacker might have accessed.
Marriott disclosed that the hackers breached the system using the login credentials of two employees at a franchise property, then accessed customer information through the app’s backend. This was the second breach Marriott suffered in a short time: in November of 2019, hackers accessed the Starwood system, where 383 million records were compromised.
The small appliance company fell victim to Magecart Group 8, a hacker collective under the Magecart umbrella.
The code was first spotted by RiskIQ on February 20, 2020. “Our IT team immediately sprang into action this morning (3/17/20) upon first learning from RiskIQ about a possible breach,” the company added. “The company’s IT team promptly identified malicious code and removed it. We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication (MFA) as a further precaution. Our team will work closely with outside cybersecurity specialists to prevent further incursions. We thank RiskIQ for bringing this issue to our attention.”
As of March 17th, all skimmers were removed from their payment pages.
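In this case the skimmer sat on the payment pages for nearly a month before an outside researcher reported it. As an added example, not code from the original post, from RiskIQ or from the company involved, the Python below shows one way a shop can check its own checkout page for injected scripts of the kind Magecart groups plant: every external script source is compared against an allowlist of expected hosts, and every inline script is hashed against a known-good baseline, so a new host or a changed inline block is reported. The sample page, the allowlist, the `.invalid` host and the baseline are constructed.

```python
"""Detect unexpected scripts on a checkout page: external scripts whose host is
not on an allowlist, and inline scripts whose SHA-256 is not in a known-good
baseline. The page, allowlist and baseline below are constructed sample data."""
import hashlib
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

SAME_ORIGIN = ""  # sentinel for relative src values such as "/static/checkout.js"


class ScriptCollector(HTMLParser):
    """Collects <script src> URLs and the bodies of inline <script> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._buf: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def script_hash(body: str) -> str:
    """Whitespace-trimmed SHA-256 of an inline script, the form kept in the baseline."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def audit_checkout_page(html: str, allowed_hosts: Set[str],
                        baseline: Set[str]) -> List[Tuple[str, str]]:
    """Return (finding kind, detail) pairs; an empty list means the page matches
    the expected script inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings: List[Tuple[str, str]] = []
    for src in parser.external:
        host = (urlparse(src).hostname or SAME_ORIGIN).lower()
        if host not in allowed_hosts:
            findings.append(("unexpected-external", src))
    for body in parser.inline:
        digest = script_hash(body)
        if digest not in baseline:
            findings.append(("unknown-inline", digest))
    return findings


# Constructed known-good inline script and the checkout page under test.
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"
INJECTED_INLINE = "var t = Date.now(); /* constructed: not in the baseline */"

SAMPLE_PAGE = f"""<!doctype html>
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.example.com/v3/checkout.js"></script>
<script>
  {KNOWN_INLINE}
</script>
<script src="https://static.example.invalid/fa.js"></script>
<script>{INJECTED_INLINE}</script>
</head><body><form id="checkout"></form></body></html>
"""

ALLOWED_HOSTS = {SAME_ORIGIN, "pay.example.com"}   # constructed allowlist
BASELINE = {script_hash(KNOWN_INLINE)}             # constructed known-good hashes

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_PAGE, ALLOWED_HOSTS, BASELINE):
        print(kind, detail)
```

The check is meant to run on a schedule against the page as customers actually receive it, with any finding raised as an alert; it complements, rather than replaces, a Content Security Policy and Subresource Integrity on the scripts the page is supposed to load, and it does not cover a first-party script file that was modified on the server, which needs its own file-hash comparison.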
Next week we will look at the second quarter of 2020, which was largely impacted by the COVID-19 pandemic.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About the Author
Kim Morgan is part of the Marketing Department at Mindsight. Since 2007, she has devoted her career to using digital media to educate and effectively communicate a variety of topics at all levels of expertise. Kim’s favorite part about Mindsight is how team members are encouraged to always be curious, and continue developing not only professionally, but also personally. When not working, she can be found toting her 4 kids around in her sweet sweet minivan while rocking out to hits from the late 90’s and early 2000’s.