LocalBlox

LocalBlox, a company that collects data from public web profiles, left details of over 48 million users publicly accessible via an unsecured Amazon Web Services (AWS) S3 bucket. On February 28, an UpGuard researcher discovered the S3 bucket containing a 1.2 TB file of what appeared to be a backup of the LocalBlox database; UpGuard notified LocalBlox who secured the server that same day. The file contained publicly accessible data collected from Facebook, LinkedIn, Twitter, and Zillow, and included names, physical addresses, dates of birth, LinkedIn job history, Twitter handles, and some IP and email addresses. While the information contained in the S3 bucket is public information, it highlights the continued risk associated with misconfigured and unsecured AWS S3 buckets. The NJCCIC recommends administrators of AWS S3 buckets and other cloud databases review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible. 

TaskRabbit

On Monday, April 16, a user of the online freelance marketplace TaskRabbit reported via her Twitter account that she had identified a phishing attack targeting TaskRabbit users along with a website that appeared to reveal TaskRabbit’s private GitHub account, daily transaction volumes, and key employee information. After disclosing these findings to the company, the TaskRabbit service was taken offline while an investigation into the incident took place. On April 17, TaskRabbit posted an account security update on its website to update its users on the status of the investigation. The NJCCIC recommends all TaskRabbit account holders who use the same login credentials for other online accounts proactively change those credentials and enable two-factor authentication (2FA) on any account that offers it to prevent additional account compromise.

Best Buy

Best Buy announced that a small number of customers who made online purchases between September 27 and October 12, 2017 may have had their payment information exposed. According to Best Buy’s statement, the data breach resulted from a cyber intrusion of [24]7.ai, a third-party vendor used to provide chat services for Best Buy’s customers via telephone or computer. Best Buy will offer free credit monitoring services to impacted customers who are interested and will notify affected individuals directly. The NJCCIC recommends all Best Buy customers monitor their financial accounts for suspicious activity and report any unauthorized charges immediately. We also recommend impacted customers take advantage of the free credit monitoring services offered.

Under Armour/MyFitnessPal

Under Armour announced that, in February 2018, an unauthorized party obtained access to data associated with MyFitnessPal user accounts. Information exposed in the breach includes usernames, email addresses, and hashed passwords. The NJCCIC recommends that MyFitnessPal users immediately change the passwords to their accounts and be on alert for phishing campaigns associated with, and resulting from, this breach.

Saks Fifth Avenue and Lord & Taylor


Saks Fifth Avenue and Lord & Taylor department stores released a statement regarding a data breach that resulted in the theft of customer payment card data. According to Gemini Advisory, a cybersecurity firm that specializes in tracking stolen financial data, the compromise likely occurred beginning May 2017 and the majority of stolen payment card information was obtained from the companies’ New York and New Jersey locations. Saks Fifth Avenue and Lord & Taylor will offer impacted customers free credit and web monitoring services, as well as free identity protection services. The NJCCIC recommends affected customers take advantage of the free credit and web monitoring services, as well as the identity protection services offered, monitor their financial accounts for suspicious activity, and notify their card issuers immediately if they notice unauthorized charges made to their accounts.

Panera Bread


On April 2, security researcher Brian Krebs reported that, for at least eight months, Panerabread[.]com had been leaking millions of customer records that included names, email addresses, home addresses, dates of birth, customer loyalty card numbers, and the last four digits of their payment card numbers. In August 2017, another security researcher, Dylan Houlihan, had reportedly notified the company about the data exposure but the company did not address the issue until April 2, 2018. Cybersecurity firm Hold Security suggests that the number of exposed records likely exceeds 37 million and that the data leak may also impact Panera’s commercial division. The NJCCIC recommends all Panera Bread customers monitor their financial accounts and loyalty accounts for suspicious activity and report any unauthorized charges immediately. Additionally, we recommend Panera Bread customers be on alert for phishing campaigns associated with, and resulting from, this data leak.

CareFirst

CareFirst BlueCross BlueShield reported that, on March 12, 2018, an employee within the company took action on a phishing email and, as a result, may have exposed the personal information of 6,800 of the insurer’s members. The employee’s account was used to send spam emails to recipients who are not associated with CareFirst. The unauthorized access of the employee’s email account could have potentially exposed CareFirst member names, identification numbers, and dates of birth. Eight members’ Social Security numbers may have also been exposed. CareFirst is offering two years of free credit monitoring and identity theft protection services to affected members. The NJCCIC recommends affected members take advantage of the free credit monitoring and identity theft protection services offered.

Orbitz

A legacy travel booking platform owned by Orbitz, the popular travel booking site, was accessed by an unauthorized party between October 2017 and December 2017. Data accessed from the company’s legacy systems includes customer information for purchases made between January 2016 to December 2017 including, names, dates of birth, postal and email addresses, gender, and payment card information. Orbitz revealed that approximately 880,000 payment cards were exposed in the hack, but there is currently no direct evidence that customers’ personal information was downloaded from the platform. Orbitz is in the process of notifying impacted customers and partners and is offering one year of complimentary credit monitoring and identity theft protection. The current orbitz[.]com site was unaffected by the breach. The NJCCIC recommends customers who made purchases through Orbitz during the impacted timeframe monitor payment card statements for unauthorized charges, consider placing a freeze on their credit, and immediately notify their banks if fraudulent activity is observed. Additionally, we recommend impacted customers take advantage of the free credit monitoring and identity theft protection services offered.

Walmart Partner MBM Company Exposes Data on 1.3 Million Customers

Security firm Kromtech revealed that Walmart partner MBM Company Inc., which operates Limogés Jewelry, left the personal information of 1.3 million customers exposed via an unsecured Amazon S3 bucket. The open S3 bucket, named “walmartsql,” contained customers’ names, addresses, ZIP codes, phone numbers, email addresses, IP addresses, plaintext passwords, encrypted credit card numbers, and payment details for purchases made between 2000 and early 2018. The database was left publicly available from January 13, 2018 until it was recently secured by Walmart. This latest incident follows many recent breaches resulting from unsecured or misconfigured S3 buckets. The NJCCIC highly encourages MBM Company Inc. customers immediately change their account passwords, enable two-factor authentication, and monitor their bank and credit card accounts for fraudulent activity. Additionally, we recommend administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible. 

Applebee's

RMH Franchise Holdings announced that diners who visited one of their 167 Applebee’s restaurants between November 23, 2017 and January 2, 2018 may have had their payment card information compromised via point-of-sale malware. RMH Franchise Holdings discovered the incident on February 13, 2018 and took steps to investigate and remediate the infection. The breach does not impact payments made online or those made using tabletop self-pay devices. The NJCCIC recommends those who have dined at one of the impacted locations monitor payment card statements for unauthorized charges, consider placing a freeze on their credit, and immediately notify banks if fraudulent activity is observed on their accounts.

2,844 New Data Breaches Containing over 80 Million Records Discovered

Security researcher Troy Hunt recently discovered a collection of nearly 3,000 possible data breaches accompanied by data from previously confirmed breaches on a hacking forum located on the clear web. He states that almost all of the obtained files contain email addresses – 80,115,532 in total – and plaintext passwords. Hunt is still analyzing the data and has yet to determine where the possible breaches occurred, as there does not appear to be a direct correlation between the accounts and the associated source file at this time. Hunt owns and operates the website HaveIBeenPwned.com where users can check to see if their email addresses have been included in any previous data breaches. The NJCCIC recommends all users assume that their email addresses and passwords have been, or will be, involved in a data breach, and enable multi-factor authentication (MFA) on every account that offers it to protect themselves against credential compromise. For accounts that do not offer MFA, we recommend creating lengthy, complex passwords for those accounts and monitor them regularly for unauthorized activity. We strongly advise against password reuse.

Pivotal Spring

Lgtm security researchers discovered a critical vulnerability (CVE-2017-8046) affecting various projects in Pivotal Spring, a framework used to build web applications. If exploited, this vulnerability could allow a remote threat actor to execute arbitrary code on any system running an application built using Spring Data REST. Researchers liken this vulnerability to CVE-2017-5638 that affected Apache Struts and led to the Equifax data breach. This vulnerability impacts Spring Data REST components, versions prior to 2.5.12, 2.6.7, and 3.0RC3, as well as Spring Boot versions prior to 2.0.0M4, and Spring Data versions prior to Kay-RC3. The NJCCIC recommends all developers using affected Spring products and components review the lgtm blog and update to the latest versions as soon as possible.

Equifax

Equifax announced that an additional 2.4 million Americans were impacted by the data breach first disclosed in September 2017. The data stolen includes names and partial driver’s license numbers. Equifax will notify impacted customers and provide the same credit monitoring and identity theft protection services. The NJCCIC recommends those impacted by the Equifax breach take advantage of the credit and identity theft services offered and strongly consider placing a security freeze on their credit files in order mitigate the risk of identity theft and financial fraud.

NIS America

NIS America notified customers via email and social media that store.nisamerica[.]com and snkonlinestore[.]com sites were breached, compromising personal data for new accounts. The data breach occurred between January 23rd, 2018 and February 26th, 2018 and allowed unauthorized access to customer payment and address information corresponding to new credit card orders placed between those dates. The store pages have been taken offline by NIS America to prevent further unauthorized access. The NJCCIC recommends patrons that made purchases during the affected time frame closely monitor their financial accounts and immediately report any unauthorized activity to their financial institutions.

United States Marine Corps Forces Reserve

Marine Corps Times reported that an unencrypted email with an attachment containing  21,426 individual’s personally identifiable information was sent to the wrong email distribution list. The data in the attachment included social security numbers, bank electronic funds transfer and bank routing numbers, credit card information, mailing addresses, residential addresses, and emergency contact information. Andrew Aranda, spokesman for Marine Forces Reserve, said in a command release that the error was discovered quickly, and email recall procedures were implemented to reduce the number of accounts that received the email. The email was sent to addresses within the unclassified Marine domain as well as some civilian addresses. The Marine Corps Forces Reserve plans to notify those affected by the breach and provide guidance on ways to safeguard from identity theft. The NJCCIC recommends that those impacted by this breach enroll in a credit monitoring service, consider placing a freeze on their credit, closely monitor financial accounts, and report any suspected fraud.

23,000 Digital Certificate Private Keys Compromised

23,000 SSL/TLS certificates issued by digital certificate reseller Trustico are being revoked after Trustico emailed the private keys for the certificates unencrypted to certificate authority DigiCert. Trustico recovered the keys from “cold storage,” a term used to describe offline storage. Under CA/Browser Forum Baseline Requirements, resellers are not permitted to archive certificate private keys as only site owners should have access to this information. By storing these private keys, an issuer may be putting that site’s security at risk. Digital certificates are used by websites to create an encrypted connection using public key cryptography, ensuring that browsing traffic cannot be read. If a threat actor is able to obtain a site’s private key for their certificate, they may be able to conduct a Man-in-the-Middle (MitM) attack and intercept the site’s traffic. DigiCert is in the process of revoking the compromised certificates. If you receive an invalid certificate notification when browsing to a website, the NJCCIC recommends avoiding inputting sensitive personal or financial information into that site until they have obtained valid certificates in order to safeguard your information. 

Bongo International/FedEx

Kromtech security researchers discovered an Amazon S3 bucket set for public access originally belonging to Bongo International, a company that was bought by FedEx in 2014. The exposed bucket contained drivers' licenses, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division. Kromtech contactedZDNet reporter, Zack Whittaker, who was able to get the bucket secured and removed from public access. The NJCCIC recommends administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the recommended mitigation strategies provided as soon as possible. Bongo International and FedEx customers whose information may have been exposed should closely monitor their financial banking statements and consider placing a security freeze on their credit files by contacting the three major credit bureaus.

US Immigration and Customs Enforcement

The US Immigration and Customs Enforcement (ICE) unintentionally disclosed the private information of hundreds of people who called the agency’s Victims of Immigration Crime Engagement Office (VOICE) hotline – used to report potential crimes committed by an individual with a nexus to immigration. ICE posted call logs of the VOICE hotline to the agency’s website which included private caller information, such as name, address, and phone number. ICE has offered identity-theft monitoring service to those affected and temporarily removed the call logs from its FOIA library. The NJCCIC recommends impacted callers take advantage of the free credit monitoring services offered.

Monticello Central School District

Monticello Central School District released a letter informing employees, students, and students’ families about a sophisticated phishing attack that occurred on or around November 1, 2017 and may have resulted in the compromise of personal information such as names, addresses, Social Security numbers, and dates of birth. The NJCCIC recommends that those impacted by this breach enroll in the free credit monitoring service being offered through ID Experts, consider placing a freeze on their credit, closely monitor financial accounts, and report any suspected fraud to ID Experts’ fraud resolution representatives as soon as possible.

National Stores, Inc.

National Stores, Inc., alerted patrons to the discovery of malware on its point-of-sale systems that is designed to steal payment card information. Their investigation revealed that payment cards used at some National Store locations between July 16 and December 11, 2017 may have been compromised. The affected payment card information may have included names, payment card numbers, expiration dates, and security codes. A list of potentially affected National Stores locations can be found hereThe NJCCIC recommends patrons who made purchases at potentially impacted National Stores locations closely monitor their financial accounts and immediately report any unauthorized activity to their financial institutions.