Bitglass Security Spotlight: Canada’s Largest Credit Union Suffers Massive Data Breach

This post was originally published here by Will Houcheime .

Here are the top cybersecurity stories of recent weeks:  

  • Desjardins experiences data breach exposed by previous employee
  • Emuparadise forum member information disclosed
  • Venmo transactions scraped as privacy settings warning
  • Maryland medical records uncovered
  • The US Customs and Border Patrol claim hacked travelers

Desjardins, Canada’s largest credit union, exposed by ex-employee

Desjardins recently discovered that an employee gained access to a database containing information of 2.9 million accounts, which included 2.7 million home users and 173,000 business contacts. Since learning about the exposure, the credit union has fired the employee responsible. Desjardins representatives were able to report that no credit card numbers were uncovered, but that personally identifiable information (PII) had been exposed. This includes first and last names, dates of birth, Social Insurance Numbers (SINs), and addresses for home users. In addition, business accounts had their names, addresses, and phone numbers scraped. Those affected have been addressed by the Credit Union with notification letters. Despite this being the first documented data breach in Desjardins’ company history, the credit union has been quick to add procedure and policy changes to further protect their valued customers. 

1.1 million Emuparadise gaming accounts breached

Gaming site, Emuparadise, reportedly experienced a data breach that left 1.1 million accounts vulnerable. The breach was first discovered in April 2018, but was treated as an allegation. Community members were claiming notices from HackNotice that their information was at risk of exposure. The information included IP addresses, email addresses, passwords, and usernames. It was reported that the stolen information was stored as MD5 hashes. The validity of the exposure was brought to the attention of the gaming site about two weeks ago, when their personnel received notice from that a certain database was indeed infiltrated. 

Venmo transactions poached as privacy settings caution

Computer science student, Dan Salmon, accessed 7 million Venmo transactions to prove that privacy settings are not being implemented by Venmo users. This underlines that public activity on Venmo can easily be exposed and that users should pay closer attention to changing their account settings to set their transaction settings to private. Venmo users experienced a similar vulnerability a year ago, when a Mozilla user was able to download 207 million transactions. This showcases that Venmo has certain account settings set as a default, which can lead to easy exposure and information scraping. Since then, in an attempt to protect user data, Venmo has tried to make it more difficult for hackers to scrape information from their users instead of defaulting the transactions to private.

Maryland patients at risk of stolen medical records

Following a massive American Medical Collection Agency (AMCA) data breach, many Maryland patients have become at risk of exposure. The AMCA witnessed about 20 million accounts getting exposed last August, which included businesses such as Quest Diagnostics, LabCorp, BioReference Laboratories, and Carecentrix. The compromised data varies for each of the affected companies, but it included patient names, dates of birth, addresses, phone numbers, balances, payment card numbers, and bank accounts. Attorney General Brian E. Frost recently warned Maryland residents to be vigilant about their personal information, as it could be misused in adverse ways.  Patients are being urged to take steps such as obtaining a free credit report, putting a fraud alert on credit files, and considering an account freeze to limit financial risks. 

Unauthorized US Customs and Border Patrol server hacked

The US Customs and Border Patrol (CBP) has discovered that a subcontractor used for data storage was recently breached. The subcontractor transferred copies of license plates and facial recognition photos of those crossing the US-Mexico border. The subcontractor copied the information in violation of the Customs and Border Patrol policies and without the CBP’s authorization or knowledge. The network on which the copies were placed was shortly hacked by a cyberattack, and the CBP has placed full blame on the subcontractor. Although the subcontractor remains nameless, it was reported by The Register, that Boris Bullet-Dodger permeated Perceptics, the company which provides license plate reader technology. The CBP has reported that the hacker did not manage to further penetrate internal networks.   

Photo:The SSL Store


No posts to display