Cybercriminals continue to take advantage of the global pandemic created by COVID-19 and are targeting government agencies and organizations via phishing emails and malware attacks.
Learn about some of this month’s most notable data breaches and cyberattacks in our monthly Data Breach Round-Up article series, the May edition.
GoDaddy Confirms Data Breach Involving SSH Access
GoDaddy confirmed earlier this month that an unauthorized user accessed login details used by an undisclosed number of its 19 million customers. The security incident occurred on October 19, 2019, but only came to light 7 months later after suspicious activity was spotted on some of the company’s servers. The unauthorized individual gained access to login credentials used to connect to SSH on the hosting site. SSH stands for secure shell which is used by administrators to access remote computers.
To learn more about this breach, visit our recent blog post: Go Daddy Data Breach Goes Undetected for 7 Months
Bank of America Exposes PPP Application Data
Bank of America announced last week that on April 22, the company exposed the personal details belonging to applicants applying for loans from the Paycheck Protection Program (PPP) during a test submission to the U.S. Small Business Administration (SBA) system. The company discovered that while testing, information on client applications may have been visible for a short period of time to a limited number of lenders and their vendors authorized by the SBA to participate in the PPP.
Information exposed in this breach includes business addresses and tax ID numbers, as well as personal information like Social Security numbers, phone numbers, email addresses and citizenship details. The number of impacted customers has not been disclosed and the California Attorney General’s office has been notified of the data breach.
For more information on this breach, read Bank of America’s Data Breach Notice
EasyJet Faces Class Action Lawsuit Over Data Breach Involving 9 Million Customers
An £18 billion class-action lawsuit has been filed in the High Court of London on behalf of EasyJet customers after the airline disclosed that information about up to nine million customers and credit card details belonging to more than 2,000 people may have been exposed in a cyberattack. The carrier has yet to explain how or exactly when the data beach occurred, but the BBC reports that the company learned of the attack in January, but waited until months later to disclose the attack.
In the article, the company suggests that the investigation into the incident shows that highly sophisticated hacks were targeting company intellectual property rather than customer information. The UK Information Commissioner’s Office is also investigating the incident. If found that the company neglected to follow the 72-hour breach notification requirement, the company could be fined under the European Union’s General Data Protection Regulation (GDPR).
Home Chef Roasted for Data Breach of 8 Million Records
Popular online-order meal kit company, Home Chef, is in the headlines after revealing that records belonging to eight million customers were leaked online after the company was attacked by the hacking group ShinyHunters. The company notified the public two weeks after the database of customers records was listed on the dark web. This information includes email addresses, names, phone numbers, encrypted passwords, the last four digital of credit cards, and in some cases information like mailing addresses and frequency of deliveries. The company claims that not all customers are impacted by this breach and that affected customers will be notified, but have advised customers in the meantime to change their passwords. The company has not offered details as to how the breach occurred, but the investigation is still ongoing at this time.
U.S. Unemployment Offices Suffer Data Breaches as Job Losses Mouny
As many Americans are forced to seek unemployment in the wake of COVID-19, many state unemployment websites have been the target of cyberattacks. The Arkansas Unemployment Office was forced to shut down unemployment benefits last week after a data beach was discovered, potentially exposing the PII belonging to 30,000 state residents. In this incident, an unauthorized user illegally accessed the PUA system, forcing the state to shut down the site. The breach was discovered by a computer science professional visiting the website looking for work. While on the site, he did a cursory review and found that the site was configured openly show claimants’ personal data on the website, including details like dates of birthday and Social Security numbers.
The State of Ohio Department of Job and Family Services also recently revealed that the personal data of Pandemic Unemployment Assistance (PUA) claimants was exposed in a data breach after a security vulnerability was found by Deloitte Consulting on May 15. The vulnerability allowed unauthorized access to two dozen PUA claimants when logged into the state’s website. Fortunately, the department was quick to resolve the issue and the vulnerability was fixed within one hour of discovery.
Start eliminate known vulnerabilities from your IT environment by downloading a complimentary license of Greenbone OpenVAS.
Share this post