Fewer Marriott guest records that previously feared were compromised in the massive data breach, but the largest hotel chain in the world confirmed that approximately 5.25 million unencrypted passport numbers were accessed. The compromise of those passport numbers has raised alarms among security experts because of their value to state intelligence agencies.
The FBI is leading the investigation of the data theft and investigators suspect the hackers were working on behalf of the Chinese Ministry of State Security, the rough equivalent of the CIA. The hackers also accessed about 20.3 million encrypted passport numbers. There is no evidence that they were able to use the master encryption key required to gain access to that data.
Read more about the Marriott data breach investigation on SecurityWeek.
Singapore Airlines (SIA) says a software glitch was the cause of a data breach that affected 285 members of its frequent flyer programme, compromising various personal information including passport and flight details.
The “software bug” surfaced after changes were made to the Singapore carrier’s website on January 4 and enabled some of its Krisflyer members to view information belonging to other travellers, SIA told ZDNet in an email.
Read more about the Singapore Airlines data breach on ZDNet.
The website of Luas, the tram system operating in Ireland’s capital city of Dublin, has been taken offline this morning after hackers defaced the site and demanded a ransom be paid within five days.
Early morning visitors to the website were greeted with a message from the hackers, claiming that data had been stolen from operator Transdev Ireland, and would be published on the internet unless a ransom demand of one Bitcoin (approximately 3,300 Euros or US $3,800) was paid. In the message, the hackers claim that they previously contacted the tram operator about security vulnerabilities and were aggrieved that they received no response.
Read more about the attack on the Luas website on Tripwire.
A hacker has stolen the personal details of 7.6 million users of browser-based game the “Town of Salem,” BlankMediaGames (BMG) has admitted in a blog post. The hack came to light after a mysterious person sent a copy of the stolen data to DeHashed, a commercial data breach indexing service.
DeHashed says it spent all the Christmas and New Year holiday trying to contact BMG and alert the game maker of the hack and its still-compromised server. The hacked servers were finally secured and “multiple backdoors removed” this week. The compromised information appears to include, usernames, email addresses, encrypted passwords, IP addresses and more.
Read more about the Town of Salem data breach on ZDNet.
The first data breach of 2019 was reported less than 24 hours into the New Year. The details of an estimated 30,000 Australian civil servants were stolen when a directory was downloaded by an unauthorised third party – believed to have phished the email address of a government employee in the state of Victoria.
The Victoria Premier’s Department said it had referred the breach to police, the Australian Cyber Security Centre and the Office of the Victorian Information Commissioner, Australia’s ABC network reported.
Read more about the first data breach of 2019 on CBR.
Data thieves stole the personal information of nearly 5 million people from an unconfirmed number of Chinese online ticket reservation platforms, according to Beijing police, who arrested a suspect in the case.
According to media reports, China Railway’s (CR) official online booking platform 12306 suffered a massive data breach, with information later being sold on the dark web. Compromised data reportedly included names, ID numbers, and passwords. CR later denied the claims in a Weibo post, saying no users’ information was hacked. However, it warned passengers to avoid booking their tickets on unauthorized third-party platforms.
Read more about the alleged China Railway data breach on TechNode.
In the past, cyber attacks used to be so infrequent that hearing about just one breach in the news would be reason enough to invest in protection. Nowadays, not a day goes by without news of another hack being disseminated around the world. The temptation to roll your eyes, say ‘not another one’, and shut your browser is palpable.
But according to Real Business’s Mike Smith, becoming fatigued and showing complacency is one of the most dangerous things we can do. And if we need any more evidence than is already in the public realm, a recent report by UK’s National Cyber Security Centre revealed the sheer scale of the problem, admitting to thwarting around 10 attacks every single week.
Read more about the problem of “breach fatigue” on RealBusiness.
American alcohol retailer BevMo has suffered a breach that leaked credit card data, including security codes, belonging to 15,000 customers. A privately-held corporation based in Concord, California, BevMo sells mostly alcoholic beverages. As of 2013, the company operates 148 stores.
California attorney general’s office received a notice from BevMo this week that someone planted malware on its checkout page, the Associated Press reports. The code was designed to steal customers’ names, credit and debit card numbers, expiration dates, CVV codes, billing addresses, shipping addresses and phone numbers.
There’s no such thing as a quiet year when it comes to security, but 2018 has been particularly eventful. From systemic CPU vulnerabilities to hacks affecting hundreds of millions of people, the last twelve months have been a seemingly non-stop parade of cyber gaffes and security blunders.
Read about some of the year’s biggest and most embarrassing security snafus according to IT PRO staff on IT PRO.
Personal information belonging to over half a million students going back the 2008-2009 school year, parents, and staff members of San Diego Unified School District (SDUSD) may have been compromised in a data breach incident. An unauthorized person baited the staff with phishing emails to collect credentials to log into the district’s network services.
The data breach exposed personally identifiable details of student and selected staff, including names, dates of birth, mailing and home addresses, telephone numbers, social security numbers and/or state student ID numbers.