Tag: data breach

Massive Data Release on Internet

Collection #1 is a data set that was dumped onto the Internet. It contains 773 million email addresses and 21 million passwords, and anybody can see the data.

Security researcher Troy Hunt runs the Have I Been Pwned website, which lets people check whether their email address has appeared in a data breach. He has analysed the data and uploaded it to haveibeenpwned.com so anyone can check if their details are included in this or any other high-profile data breach. He does make the actual data available to anybody.

His analysis shows that “Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources.”

After cleaning the data and removing duplicates, it seems that 772,904,991 unique email addresses, along with 21,222,975 unique passwords are available in plain text. This does not include passwords that were found still in their hashed form.

Importantly, anyone who gets their hands on the cache can easily test the plain-text passwords against actual accounts. Approximately 140 million email accounts and some 10.6 million passwords were not known from past breaches.

If one or more of your accounts are in this data breach, then it is likely that one or more of your old passwords are available for others to see. Make sure you are not still using passwords from years ago.

Check if your accounts are included in the breach and if necessary change passwords and delete unnecessary accounts.
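As an added example (not code from the original post or from Have I Been Pwned), this is how a password can be checked against the Pwned Passwords corpus that Troy Hunt publishes alongside the site, without the password itself ever leaving your machine: only the first five characters of its SHA-1 hash go to the real api.pwnedpasswords.com range endpoint, and the suffix match happens locally. The sample range response and its counts are constructed for this example; the live fetch is included but the offline stand-in is what the demonstration runs.

```python
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6.
# Each line is the last 35 hex chars of a SHA-1 hash and a breach count.
# The first three suffixes and all counts are made up for this example;
# the last suffix is the genuine tail of SHA-1("password").
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
"""
PREFIX_LEN = 5  # k-anonymity: only these 5 hex chars ever reach the server

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password as HIBP does, then split it into the prefix that
    is sent and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Malformed lines are
    skipped and zero-count entries (Add-Padding filler) are dropped."""
    hits: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 40 - PREFIX_LEN or not count.isdigit():
            continue
        if int(count) > 0:
            hits[suffix.upper()] = int(count)
    return hits

def fetch_range(prefix: str) -> str:
    """Live lookup against the public range endpoint. Add-Padding makes every
    response a similar size, so traffic analysis cannot narrow the prefix."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    `fetch` is injectable so the matching logic can run offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; the same five-character prefix is all that is transmitted either way.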

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature

Morrison’s to Pay Staff after Data Breach

In 2014, the personal details of thousands of Morrison’s staff including salaries, bank account details and home addresses were stolen and published online.

At the time, Morrisons said that all the staff details published were put on an unspecified location on the web for a few hours and were taken down immediately when they were discovered. It said in a statement: “We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.” It was working with police to identify the source of the theft.

The hacker posted the information – including names, addresses, bank account details and salaries – online and sent it to newspapers.

It turned out that it was an employee, Andrew Skelton, who had posted the data online. He was caught and jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.

However, Morrisons faced a huge payout to staff whose personal data were posted on the Internet after workers brought a claim against the company for “upset and distress”.

The High Court ruled that Morrisons was liable for the data breach, and the Court of Appeal then upheld that decision against the supermarket. Morrisons said it would now appeal to the Supreme Court.

This case is the first data leak class action in the UK.

Morrisons had argued that it could not be held liable for the criminal misuse of its data, but three Court of Appeal judges rejected the company’s appeal, saying they agreed with the High Court’s earlier decision.

They said Morrisons was “vicariously liable for the offences committed by Mr Skelton against the claimants”.

Skelton was given eight years in prison for fraud, securing unauthorised access to computer material and disclosing personal data at a criminal trial in 2015.

The case continues.

If you have any experiences with scammers, spammers or time-wasters do let me know, by email.

Tesco Bank Fined for Data Breach

Tesco Bank was fined £16.4m by the City watchdog over a cyber-attack it suffered that netted cyber criminals £2.26m.

The Financial Conduct Authority (FCA) said deficiencies at the bank had left account holders vulnerable to the incident. The bank had received a specific warning that was not properly addressed until the attack had started and the response was “too little, too late”.

This is the first time the FCA has issued a fine for a cyber-related incident.

Tesco Bank said that since the incident in November 2016 it had “significantly enhanced” security measures, and apologised to customers.

Mark Steward, executive director of enforcement and market oversight at the FCA, said the fine “reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks”. Banks must ensure resilience against such crime, reducing the risk of a cyber attack occurring in the first place rather than only reacting to one.

Tesco Bank said the cyber attack in 2016 did not involve the theft or loss of any customers’ data but led to 34 transactions where funds were debited from customers’ accounts, and other customers having normal service disrupted.

The bank’s chief executive Gerry Mallon said: “We are very sorry for the impact that this fraud attack had on our customers.”

Banks and other financial institutions must learn that it’s cheaper to build proper protection than to wait for a catastrophe to happen.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Data Breach Affects Major Fashion Brands

Brands including AX Paris, DLSB, Elle Belle Attire, Perfect Handbags and Traffic People are among those affected by a data breach at IT ecommerce supplier Fashion Nexus with White Room Solutions.

Fashion Nexus stated that on or around 9 July a “white hat hacker” or “ethical hacker” breached one of the company’s web servers. Fashion Nexus advised its clients using the software to file reports with the Information Commissioner’s Office, and Fashion Nexus also filed a breach report.

Around 650,000 of its clients’ customers were believed to be affected.

The majority had their names and email addresses accessed, and one-fifth also had their home address details accessed. There was no payment card information stored in the databases. But the data did include hashed passwords, names, email addresses, phone numbers, and other data.

Rob Sherwood, director at Fashion Nexus, said: “Our experience with this as a small company has been extremely stressful and unsettling. Contrary to the way we’ve been portrayed in the IT security press, we care deeply about our clients and the rights of their customers.

“As a small business with limited resource and funding, we had put in place security measures but clearly, somehow, this wasn’t sufficient to prevent an attack, and we can’t apologise enough to our clients and their customers.”

The personally identifiable information accessed can lead to scammers carrying out identity fraud and identity theft.

If you are a customer of one of the affected brands, then change your password immediately and also the login and passwords of any other accounts using the same login details.

Do click on the Facebook or Twitter icons on top right to follow Fight Back Ninja.

Butlin’s Data Breach

Butlin’s – the holiday camps company has confirmed that the records of up to 34,000 guests have been accessed by hackers.

The stolen data does not include payment details, but does include customer names, holiday dates, postal and email addresses and telephone numbers.

The compromise is believed to have been caused by a phishing email.

Under the EU’s new General Data Protection Regulation (GDPR), British companies must notify the Information Commissioner’s Office of any data breaches within 72 hours or face a fine. Butlin’s say they have done so.

The company said its own investigations have not found any fraudulent activity related to this event, but anyone whose records have been accessed by hackers needs to beware of calls, emails etc. from people claiming to be from Butlin’s and seeking more information.

Butlin’s says it is contacting all those affected by the data breach.

If you believe your data may have been included in the hacked data then contact Butlin’s directly and be careful over any contact from Butlin’s – ensure they are genuine not scammers looking to trick you.

Do Share this post on social media – click on the post title then scroll down to the social media share buttons.

Dixons Carphone Data Breach

Dixons Carphone admitted there had been a data breach in 2017 which included 5.8 million credit and debit cards. 105,000 of those cards are not the chip-and-pin type. Chip-and-pin cards are assumed to be safe from fraud, but this may be a false assumption.

Apparently, the hackers had tried to gain access to one of the processing systems used by Currys PC World and Dixons Travel stores.

Dixons also announced that the personal details of 1.2 million people (name, address, email address) may have been exposed.

STOP PRESS: Dixons Carphone has just increased that estimate from 1.2 million to 10 million people whose information may have been compromised.

Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach.

The incident happened before the new GDPR regulation came into force or Dixons Carphone would be looking at potentially much higher fines than currently expected.

Dixons Carphone said that “unauthorised access” of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up its security defences. It has informed police, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

The data about these cards that may have been compromised does not contain PIN numbers or the CVV number and does not contain authentication data that would enable cardholder identification or a purchase to be made. At least that’s the theory, but hackers and scammers can use starting information to get access to more information and then perpetrate fraud.

“The National Cyber Security Centre is working with Dixons Carphone plc and other agencies to understand how this data breach has affected people in the UK and advise on mitigation measures.”

Ticketmaster Data Breach Failings

Ticketmaster is a well-known global ticket selling business and they suffered a data breach starting in February 2018 and continuing through to late June.

A piece of malware on a customer service system operated by a third party had been exporting customer data to a scammer and Ticketmaster claim to have known nothing about this until June 23rd.

However, digital bank Monzo did spot in April that customers’ cards were being compromised and warned Ticketmaster, but “couldn’t get any traction” out of the company.

Monzo contacted all of its customers who had ever dealt with Ticketmaster – about 5,000 – and replaced their cards.

It also told banks that are part of the UK Finance group in April that it was aware of what appeared to be a significant data breach at Ticketmaster.

Ticketmaster say they investigated at the time but found no problem. The fault was in third party software not Ticketmaster’s own software, but that doesn’t excuse their apparent lack of responsibility for their customers who were being compromised.

Ticketmaster eventually realised there was a serious problem and said customers who bought concert, theatre and sporting event tickets between February and 23 June 2018 may have been affected by the incident, which involved malicious software being used to steal people’s names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details.

The breach also affects customers of two other UK websites owned by Ticketmaster: TicketWeb and the resale website Get Me In!

Ticketmaster claims that the data for less than 40,000 people was affected.

Ticketmaster could face questions over whether there was a delay in disclosing the breach after it emerged that some UK banks had known about the incident since early April.

Ticketmaster has subsequently warned customers: “We recommend that you monitor your account statements for evidence of fraud or identity theft.”

Ticketmaster said it was offering affected customers a free 12-month identity monitoring service. There is a dedicated website at security.ticketmaster.co.uk, and customers can also email fan.help@ticketmaster.co.uk for further information or to register their concern.

Companies need to protect their customers’ data, but how they deal with such problems when they occur can affect the outcome as much as the details of the actual problem. Ticketmaster have not come out of this very well.

MyFitnessPal Data Stolen

Sportswear brand Under Armour announced that its subsidiary MyFitnessPal suffered a significant data breach, compromising up to 150 million accounts.

The account information involved includes user names, email addresses and hashed passwords, but no financial information such as credit card numbers or identifiers such as social security numbers.

The breach has not exposed particularly sensitive user data, but it does affect a huge number of users and this has caused Under Armour’s stock to drop 4 percent. The breach occurred in February but was only identified in March. The company has been working to notify affected users and is expected to work with the police and data security firms to trace the source of the breach.

“Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information,” Under Armour said in a statement. “The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.”

In this case, the data storage was robust and the hackers have 150 million email addresses to sell but there’s little else they can do with the data.

If you are a registered user of MyFitnessPal – change your password immediately and if any of your other accounts have the same login and password then change them as well as hackers will try to find other accounts in your name.

Users of MyFitnessPal should be wary of emails in the coming weeks as there are likely to be scam messages and in particular may be messages that appear to be from MyFitnessPal but are from scammers.

What If Your Business Has a Data Breach

If your business suffers a data breach, i.e. hackers access your system and steal confidential information, then you have a lot to do: deal with the breach, communicate with all affected parties and put in place better security to prevent another breach.

How well you deal with the breach often affects the total cost and the level of damage to your business reputation.

These four steps can help:-

1. Investigate the Breach

  1. How did it happen?
  2. What was stolen?
  3. Can the hackers regain entry to your systems?

You’ll need to know exactly what information was lost in the data breach.

Less sensitive information includes name, address, phone number etc. This can be used by scammers and cold callers, but that information is readily available for most people through the phone directory, social media and the Electoral register.

More sensitive information includes date of birth, name, financial details and payment card details. Combined with the less sensitive information, this can be used for identity fraud.

If the stolen data includes names with login and passwords then you need to act fast to warn people to change their passwords.

2. Determine the Possible Damage

Once you know what data has been stolen, you need to understand how this can affect people, i.e. how this data can be used by criminals. Will they likely sell the information to a competitor or to other scammers, or ransom it back to you?

3. Communicate with All Interested Parties

You need to inform all affected parties ASAP. This may be customers, partners, staff, suppliers etc. If the breach is serious then you should inform the Information Commissioner’s Office. If relevant, inform the Police.

4. Increase Your Security

Unless you have security experts, you may need to hire experts to assess your systems and see how security can be improved. Start enacting those improvements straightaway and of course close off whatever method the hackers used to get into your systems.

A data breach can be very serious and must be dealt with quickly and efficiently to minimise damage to your reputation.

Equifax Data Breach

The personal data of up to 44 million British consumers was feared stolen by hackers in a massive cyber attack on Equifax.

The information commissioner said it was investigating how the hack on Equifax, a US credit rating firm, affected UK customers, many of whom will be unaware their data is held by the company.

Equifax and its UK subsidiary companies state on their websites that they represent British clients including BT, Capital One and British Gas.

The Information Commissioner’s Office has urged Equifax to alert affected UK customers as soon as possible, and said it will work with the relevant overseas authorities on behalf of British citizens.

Equifax admitted hackers had exposed the personal data of 143 million customers in the US, which was stolen between mid-May and July this year due to a vulnerability on its website. The hack was not made public until recently.

The stolen information includes names, social security numbers, dates of birth, addresses and, in some instances, driver’s license details. It is also thought that around 209,000 credit card numbers were stolen.

Equifax said “limited personal information” from British and Canadian residents had been compromised.

A spokesman for BT said: “We are aware of the developing story and are monitoring the situation closely. Like many companies in the UK, BT uses Equifax services. We are working on establishing whether this breach has any impact on those services.”

Lenders rely on the information collected by credit bureaus such as Equifax to help them decide whether to approve financing for homes, cars and credit cards.

Equifax chief executive Richard Smith said in a statement: “I apologise to consumers and our business customers for the concern and frustration this causes.”

How to check if you are affected – go online to https://trustedidpremier.com/eligibility/eligibility.html and type in your last name and last 6 digits of your social security number and it should tell you if you have been affected by the data breach.
