A U.S. bank notifies over 800,000 people of a MOVEit hack, data stolen from a DNA testing service, and more.
Welcome to Cyber Security Today. It’s Monday, October 9th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Today is Thanksgiving Day in Canada. For Canadian listeners, thanks for tuning in on this long weekend.
More news on the hacks of MOVEit file transfer servers. Flagstar Bank of Michigan is notifying over 837,000 people that their data was stolen. It was taken from the MOVEit server of a data processor called Fiserv that the bank uses. Fiserv sells payment and other services to financial companies around the world. Data stolen includes people’s names and Social Security numbers.
The Clop/Cl0p ransomware gang has taken credit for over 2,000 hacks of MOVEit servers since the end of May. This gang hit Flagstar Bank in 2021 when it stole data from the bank’s Accellion file transfer server.
Auto Club Trust, the banking arm of the Michigan branch of the American Automobile Association, is notifying 46,000 people that some of the personal data it holds was stolen in a MOVEit hack. The data was held by an unnamed information processor the bank uses. The bank operates in 13 U.S. states and two territories. Data stolen includes names, dates of birth, Social Security numbers, driver’s licence numbers and passport numbers.
Meanwhile, the province of Nova Scotia estimates the cost of being hit by the data theft from its MOVEit file transfer servers will be $3.5 million. That’s according to a regulatory filing with the U.S. Securities and Exchange Commission made last week by the provincial auditor general. The statement doesn’t say if the estimate includes IT costs as well as the cost of credit monitoring for the 165,000 people whose personal data was stolen.
Data of hundreds of thousands of people stolen from the American DNA testing service 23andMe are being peddled by crooks. According to NBC News, it includes a database of alleged celebrities of Ashkenazi Jewish descent. A spokesperson for the testing company confirmed to Bleeping Computer that some of the stolen data came from 23andMe. A threat actor used credentials stolen in other breaches to log into the individual accounts of 23andMe users and copy data, the company said. That technique, reusing leaked username and password pairs against another site, is known as credential stuffing, and it works against any account whose owner reused a password and didn’t turn on multifactor authentication.
Here’s another one of those ‘oopsy’ email incidents: An employee at the government of Newfoundland and Labrador’s Health Services department sent an email to the parents or guardians of 253 pediatric patients with diabetes. Unfortunately, the employee put the recipients in the visible address field instead of using ‘blind carbon copy’ (Bcc), so instead of each recipient seeing only their own address, everyone on the list could see everyone else’s. That’s a big privacy violation. This comes at the start of Security Awareness Month.
Caesars Entertainment, which owns the Las Vegas Caesars Palace casino and hotel, has begun notifying patrons of a data breach stemming from an August cyber attack. However, the notice to Maine’s attorney general’s office doesn’t say how many victims there are in the U.S., only that more than 41,000 people in Maine had personal data stolen. That hack started when a company providing IT support services fell for a social engineering attack. That allowed the attackers into Caesars’ network. Information was stolen from Caesars’ loyalty program database. Bloomberg News says Caesars paid millions of dollars in ransom to get the data back.
The Chattanooga Heart Institute in Tennessee now says over 411,000 people are being notified of a data breach that happened in March. Originally it estimated 170,000 people’s data was stolen. The updated number is in a new filing with the state of Maine’s attorney general’s office. The filing doesn’t say exactly how the data was obtained but does say it was not stolen from the institute’s electronic medical records system. Data copied includes people’s names, mailing addresses, dates of birth, driver’s licence numbers, Social Security numbers, medical diagnoses, medications and other information.
Finally, software provider Blackbaud, whose clients include universities and museums, has agreed to pay US$49.5 million to 49 U.S. states and the District of Columbia to resolve complaints about a ransomware attack in 2020. The company also agreed not to make misleading statements about its data protection, privacy, security and other matters. It also promised to improve its cybersecurity programs. Victim organizations were also hit in Canada and the U.K.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.