Category: Data Breach

The GoDaddy Data Breach

GoDaddy is a strange name for an American Internet company, but they are well known in the US and UK as they provide Internet domain names and web hosting for more than 20 million customers worldwide.

However, the email addresses of up to 1.2 million active and inactive Managed WordPress customers were exposed in a data breach.

The company say they identified suspicious activity in the Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement.

They notified the potentially affected customers that their web hosting account credentials had been compromised by an “unauthorized individual” who had gained access to login credentials that meant they could “connect to SSH” on the affected hosting accounts. SSH is an acronym for secure shell, a network protocol used by system administrators to access remote computers. SSH is, as you might imagine then, quite a useful attack vector for hackers.

Which Accounts Are Affected

The GoDaddy email said that the breach is limited to hosting accounts and did not involve customer accounts or their personal information. It noted that no evidence was found to suggest that any files were modified or added to the affected accounts, but fell short of saying whether files had been viewed or copied. However, all impacted hosting account logins have been reset, and the email contained the procedure customers need to follow in order to regain access to the hosting accounts concerned. GoDaddy has also recommended, “out of an abundance of caution,” that users audit their hosting accounts.

GoDaddy said it will provide free security services to those affected for a year at no charge.

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

If you have any experiences with these scams do let me know, by email.

Fightback Ninja Signature

Compensation for a Data Breach

A data breach is where confidential information is copied and either released in public, e.g. on a website, or stolen by criminals for identity theft, online blackmail or similar.

Many well-known organisations have suffered data breaches, revealing confidential customer information such as logins and passwords, payment card details, dates of birth etc.

When this happens, the company has a legal obligation to inform the authorities and all users who may be affected by this.

If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that was breached.

The criteria for a compensation claim for a data breach include:

  1. Financial losses.
  2. Loss of privacy.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both financial loss and other types of loss.

The Citizens Advice Bureau provides information on taking legal action in England and Wales, Scotland and Northern Ireland.

To Complain and Claim Compensation

  1. Complain to the company that lost your data

Explain any problems you believe have been caused by the data breach and include any distress you have suffered. It’s also useful to specify what compensation you want.

  2. Complain to the Information Commissioner’s Office

You can take your issues with how the organisation dealt with your confidential information to the Information Commissioner’s Office, but it’s better for this to be after you have given the company a chance to review your claim first.

  3. Use the Small Claims Court

This is a cheap and simple process if you cannot reach agreement with the company.

If you have any experiences with these scams do let me know, by email.


Man United Ransomware Attack

Manchester United football club experienced a ransomware attack in late 2020. They were held to ransom for millions of pounds by cyberhackers who targeted the club’s computer systems and demanded payment to stop them from releasing sensitive data.

It is a difficult decision for any business – pay up or risk seeing highly sensitive information being wiped out or leaked into the public domain.

The club were clear from the start that the attack was very serious but it did not impact on their schedule of matches.

United brought in a team of technical experts to contain the attack and they informed the Police and the National Cyber Security Centre (NCSC).

The NCSC revealed that in 2019 an English Football League club was hit with a £5m ransomware demand. They were unable to access their CCTV or use entry turnstiles, but it’s not believed that they paid anything.

It took weeks of effort to get things back to normal following the attack and United could face fines of up to £18 million or two per cent of their total annual worldwide turnover from the Information Commissioner’s Office if the attack is found to have breached their fans’ data protection.

The NCSC has previously warned that there is a growing threat to sports clubs.

It took roughly 2 weeks for United IT staff and outside experts to regain control of the situation. It is believed they did not pay the attackers.

The episode was embarrassing for United and they are still under investigation by the Information Commissioner’s Office.

If you have any experiences with these scams do let me know, by email.


British Airways Fined for Data Breach

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

The Data Breach

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Also, the usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were potentially accessed, but this is uncertain. It is often impossible to be certain which data the hackers copied.

The ICO concluded that there were numerous measures BA could have used to mitigate the risk of an attacker being able to access the BA network. These include:

  • limiting access to applications, data and tools to only what is required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
  • protecting employee and third party accounts with multi-factor authentication.

Since the attack, BA has made considerable improvements to its IT security.

BA did not detect the attack in June 2018 themselves but were alerted by a third party more than two months afterwards in September 2018. Once they became aware BA acted promptly and notified the ICO.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” said Information Commissioner Elizabeth Denham.

If you have any experiences with these scams do let me know, by email.


How Accidental Data Leaks Happen

It’s easy to assume that all data breaches are the result of criminal activity, but that’s far from true.

A study of data from 2016/17 showed that 92% of security data incidents and 84% of confirmed data breaches were due to accidents or mistakes.

Here are the most common problems leading to leaks of data:

1. Expired Security Certificates

These certificates are an essential component in protecting systems, and Equifax found out the hard way in 2017 when hackers accessed huge amounts of confidential data through an expired certificate. The exposed data comprised 143 million records containing names, addresses, dates of birth, Social Security numbers, and driver licence numbers.

The data was stolen by hackers who exploited a vulnerability in Equifax’s web servers. If the relevant security certificates had been renewed as they should have been, the hackers couldn’t have used that way in.
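Expiry of a certificate is something a defender can check mechanically rather than discover after the fact. The script below is an added example, not code from the Fightback Ninja post or from any of the companies it mentions: it assumes only that the openssl command-line tool is installed, builds a self-signed one-day certificate as a constructed sample so it runs offline, and then classifies it the way a routine monitoring job would (expired, expiring within 30 days, or OK). Pointing cert_report at a real PEM file from a server or appliance gives the same report for that certificate.

```shell
#!/bin/sh
# Added example (not from the original post): classify an X.509 certificate in
# PEM form by its remaining validity, using only the openssl CLI. The sample
# certificate is constructed locally so the script needs no network access.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a self-signed certificate valid for one day only,
# standing in for a real certificate that is close to expiry.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -days 1 -subj "/CN=example.test" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# cert_valid_for FILE SECONDS: exit 0 if the certificate is still valid
# SECONDS from now, non-zero if it has expired or will expire before then.
# openssl's -checkend does the date arithmetic, so no GNU date is required.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_report FILE: one-line summary, as a scheduled monitoring job would print.
cert_report() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    if ! cert_valid_for "$1" 0; then
        echo "EXPIRED: $1 (notAfter=$enddate)"
    elif ! cert_valid_for "$1" $((30 * 86400)); then
        echo "EXPIRING within 30 days: $1 (notAfter=$enddate)"
    else
        echo "OK: $1 (notAfter=$enddate)"
    fi
}

CERT=$(make_sample_cert)
cert_report "$CERT"
```

The 30-day threshold is the assumption here; in practice it should be set to comfortably more than the time the renewal process takes, so the alert arrives while there is still time to act.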

2. Unsecured Third Party Vendors

Many websites and complex systems are a mix of the owner’s software plus a variety of third party plugins, add-ons and linked external services. As in any other part of life, the weakest link determines the safety level of the whole system. If the third parties aren’t adequately secured then the whole system becomes vulnerable.

3. Poor Email Security

Most hackers still gain access through phishing, that is, sending out emails that entice people to respond in some way that gives the hackers the information they need to access systems. Maybe it’s through a fake quiz that requires a login and password, or an offer of a gift token etc.

Or it could simply be that people haven’t learned the need to use passwords that are unguessable and not to write them down by their desk.

A company named Nightfall protects systems data and they have created the following article to explain in more detail how accidental data leaks can happen: https://nightfall.ai/resources/accidental-data-leaks/

If you have any experiences with these scams do let me know, by email.


Easyjet Data Breach

EasyJet announced in May 2020 that the personal data of nine million customers from around the world had been exposed in a data breach. The breach itself occurred in January 2020 and EasyJet did notify the UK Information Commissioner’s Office at that time, but did not tell its customers until April.

Details stolen in the breach include full names, email addresses and travel data with departure dates, arrival dates and booking dates.

Also 2,208 customers had their credit card details accessed after EasyJet was hacked.

A class action claim has been brought against EasyJet by law firm PGMBM.

PGMBM said that the exposure of details of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy. It also said that under Article 82 of the EU General Data Protection Regulation (EU-GDPR), customers have a right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

For any Easyjet customers who wish to join the claim there is information available at www.theeasyjetclaim.com.

Are EasyJet customers at risk?

EasyJet says that “there is no evidence that any personal information of any nature has been misused”.

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed”.

“In April, we notified a small group of customers whose credit card details had been impacted and offered them support including a dedicated helpline and monitoring”.

“Passwords have not been impacted by this incident”.

Easyjet say that they have contacted all customers who have been impacted. If you have not heard from EasyJet directly, your information is not affected by the incident.

If you have any issues over this data breach, do let me know, by email.
