Category Archives: Data Breaches

Oregon Department of Human Services Suffered a Data Breach

Personal data of more than 645,000 Oregon Department of Human Services (DHS) clients were exposed during a data breach that occurred in January 2019, the department said yesterday.

The data breach was initially reported to the authorities when it was estimated that more than 350,000 people were affected, a number that has since been significantly revised upward.

The department disclosed in an official statement that the information exposed in the breach included names, residential addresses, birth dates, Social Security numbers, personal health data and other records held in DHS systems.

After the original breach was discovered in January, DHS set up a team of 70 law enforcement officers to review up to 2 million potentially compromised e-mails, a spokesman said.

The investigation had not been completed when the data breach was announced in March, which is why the number of victims was then estimated at around 350,000.

DHS has announced that it will offer a year of identity theft monitoring and restoration services, including a $1 million reimbursement policy, to those whose confidential information was exposed. The services will be provided by identity theft specialists MyIDCare, according to the press release.

The January data breach was the result of a phishing campaign that prompted nine DHS workers to click on a fraudulent link, giving the attackers access to their employee accounts. These accounts were not secured until the end of January.

Jake Sunderland, a DHS spokesperson, said:

“The data breach affected clients from all five of our divisions: Aging and People with Disabilities, Developmental Disabilities, Child Welfare, Self-sufficiency, and Vocational Rehab,” Sunderland said.

“The investigation by ID Experts cost the agency $485,000 and the credit monitoring and other protections being offered to impacted clients will cost $1,054,000. The cost to hire the outside lawyers and para-professional was $30K,” he added.

Many breaches occur when employees click on links in emails from an outside source, unknowingly giving the sender access to their account, a practice known as “phishing.” In one Oregon incident, a tax agency employee copied 36,000 Oregonians’ tax data, including Social Security numbers, and stored that information on a personal cloud account.

The DHS breach occurred when nine employees clicked on suspicious links, exposing information. Notably, these employees had received cybersecurity and confidentiality training, including on phishing, before the breach.

Employees of the Oregon Health Authority, which shares an IT department with DHS, also received training and phishing-awareness messages before and after the January breach.

However, in May an employee of the Oregon State Hospital clicked on a phishing link, potentially exposing patients’ medical data. The Oregon Health Authority is investigating how much information may be at risk, said spokesman Robb Cowie.

According to a database maintained by the Oregon Department of Justice, at least five other state entities, including the Oregon Institute of Technology, have discovered data breaches affecting 250 or more people since 2017. The agencies on the list hold particularly sensitive information on everything from taxes to medical care.

State officials recognize their responsibility to protect consumer data.

What should you do?

Department of Human Services clients affected by the January breach will receive letters in the coming weeks informing them of the breach and giving them access to government-provided identity and credit monitoring services.

OSPIRG officials said that consumers, whether they are victims or not, should take steps to protect their information, as such security breaches occur very frequently at businesses and government agencies.

Limit the data you share

  1. Consider how much data you really need to provide to a website or third-party service.
  2. If a third party offers to store your payment information, do not take the risk.
  3. That way, data thieves will not obtain this information in a data breach, and they will not be able to use it if they get into your account with stolen login credentials.

In addition to payment information, think if you really need to provide information to a third party, such as:

  • Email address
  • Username
  • First Name and Surname
  • Address
  • Phone number

You might also want to think about what data you are handing over just by using the service. Do not give a third party more than it needs; limit the information you provide.

Also, Read:

The Big Data Breaches

The Worst Data Breach


Privacy Act: 5 Important GDPR Requirements to Remember

In May 2018, the General Data Protection Regulation (GDPR) was enforced by the European Union (EU) to protect its citizens from the misuse of their personal data. This breakthrough regulation completely changed the way that companies would handle personal data and laid down the GDPR requirements that companies worldwide must follow.

GDPR compliance must be strictly observed by companies that conduct business with EU citizens or organizations. Non-compliance with the General Data Protection Regulation comes with heavy penalties and legal liability. If your company does business with EU citizens or organizations, here are five important GDPR requirements you must remember:

Personal Data Must Be Stored in a Secure and Organized Manner

The principal idea behind the General Data Protection Regulation is to make sure personal data on the citizens of the EU are safe and secure.

So, one of the GDPR requirements laid down by the regulation is that companies and organizations must safeguard the data they have by implementing appropriate data protection procedures. The regulation also states all personal data acquired by companies must be readily available whenever the owner of the data demands it.

Companies Must Get Consent for Use of Personal Data

The GDPR requirements oblige companies to obtain the consent of data owners before their personal data can be used for any purpose. The consent must be freely given, and data owners must be informed of what data are being collected, how they are being used, and who is using them.

The General Data Protection Regulation classifies personal data as any data or information that can be used to identify a person. This includes names, addresses, IP addresses, and even cookies.

Companies Must Comply With an Owner’s Right to Erasure

The General Data Protection Regulation not only instructs organizations on how to handle personal data but also gives citizens rights over the data acquired about them. One of these rights is the right to erasure.

If companies want to avoid violating GDPR compliance, they must comply with the data owner’s request for erasure. The company’s third-party providers who are using the data must also follow the request.

Companies Must Notify Data Owners of Data Breaches

If a company’s network becomes compromised by malware or a hacker, GDPR requirements state that the company must notify data owners of the breach within 72 hours after the company has become aware of the breach.

This provision ensures that data owners know what is happening to their data and compels companies to be transparent with data owners about it.

Certain Companies Must Employ a Data Protection Officer

While not all companies are required to have a data protection officer, certain types of companies are mandated by GDPR compliance to have one. Companies that process large-scale data on EU citizens or organizations, and those that handle special categories of personal data, are mandated to have a Data Protection Officer (DPO).

GDPR requirements provide certain qualifications for DPOs, like that DPOs must be provided with the resources needed to carry out their responsibilities and that DPOs must report directly to the highest level of company management.

Related Resources:

General Data Protection Regulation (GDPR) In A Nutshell

The Real Challenges Of GDPR Compliance


Data Breach Hits Desjardins, 2.7 Million People Affected

A data breach that hit the Desjardins Group has affected around 2.7 million people.

Reports say that more than 40 percent of clients and members of the Quebec-based credit union Desjardins have been affected by a recent data breach.

A Facebook update by the Desjardins Group says that on June 14, 2019, the co-operative was contacted by the Laval police with information confirming the breach of personal information of 2.9 million members.

In a message to its members, the Desjardins Group says, “A Laval police investigation, which Desjardins has been closely involved with, has revealed that the personal information of 2.9 million members (2.7 million personal members and 173,000 business members) was disclosed to individuals outside Desjardins without authorization.”

It has been found that an employee, who has now been fired, was behind the breach. The official statement reads, “The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer. That person was fired.”

In the wake of the incident, the Desjardins Group has adopted additional security measures to ensure that all personal and financial data belonging to members remain protected.

Reports say that leaked data includes names, addresses, dates of birth, email addresses, social insurance numbers and information about transaction habits. It is also clarified that passwords, security questions and PINs were not compromised.

It’s reported that the employee who was behind the leak has been arrested by the police, but not yet charged. Reports even say that according to some experts, the Desjardins data breach looks to be one of the largest ever among breaches impacting Canadian financial institutions.

It was in December 2018 that Desjardins referred a suspicious transaction to Laval police. Later, in May 2019, police informed Desjardins that personal data belonging to some of its members had been leaked. An internal investigation was conducted with the help of the Laval police and the investigation helped identify the employee. The person was suspended and his access to the Desjardins Group’s information systems was frozen. Desjardins’ chief operating officer, Denis Berthiaume has stated that when the employee was suspended, the transfer of information also stopped. The Laval police continued with the investigation and later informed Desjardins of the scope of the breach and also shared the identities of those affected by the breach.

Desjardins CEO and president Guy Cormier has clarified that security procedures were all in place when the data breach occurred and that the breach, which was a case of internal fraud, occurred with the suspected employee winning the trust of his colleagues and using their access, plus his own, to assemble the data trove. He has reportedly clarified that otherwise a single employee could not simply turn on a system and gain access to all information pertaining to members. Though details about the investigation and the identity of the suspect have not been divulged, it is reported that the suspect is a male who worked in the data department.

The Desjardins Group has stated that in addition to notifying authorities, additional monitoring and security measures have also been introduced to protect personal and financial information of its members. Procedures have also been enhanced to confirm members’ identity when they call Desjardins. Every member who has been affected will be contacted individually. Those who have been affected will receive a free 12-month credit monitoring plan, paid for by Desjardins. This service would include access to daily credit reports, alerts of any changes and identity theft insurance. It has been clarified that losses, if any, would be reimbursed for the members.

The Desjardins Group has asked members to be vigilant about activities happening in their accounts and notify the co-operative in case they notice anything unusual.

The Desjardins Group is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

Related Resources:

The Top 10 Worst Data Breaches of all Time

Ways to Prevent Healthcare Data Breaches

Collections Firm Behind LabCorp, Quest Breaches Files for Bankruptcy

A medical billing firm responsible for a recent eight-month data breach that exposed the personal information on nearly 20 million Americans has filed for bankruptcy, citing “enormous expenses” from notifying affected consumers and the loss of its four largest customers.

The filing, first reported by Bloomberg, comes from the Retrieval-Masters Creditors Bureau, the parent company of the American Medical Collection Agency (AMCA). Earlier this month, medical testing firm Quest Diagnostics said a breach at the AMCA between Aug. 1, 2018 and March 30, 2019 led to the theft of personal and medical information on 11.9 million patients.

On June 4, KrebsOnSecurity broke the news that another major AMCA client — LabCorp — was blaming the company for a breach affecting 7.7 million of its patients.

According to a bankruptcy filing, LabCorp and Quest Diagnostics both stopped sending the AMCA business after the breach disclosure, as did the AMCA’s two other biggest customers — Conduent Inc. and CareCentrix Inc.

Bloomberg reports the data breach created a “cascade of events,” which incurred “enormous expenses that were beyond the ability of the debtor to bear.”

“Those expenses included more than $3.8 million spent on mailing more than 7 million individual notices to people whose information had been potentially hacked,” wrote Jeremy Hill. Retrieval Masters CEO Russell H. Fuchs “personally lent the company $2.5 million to help pay for those mailings, he said in the declaration. In addition, IT professionals and consultants hired in connection with the breach had cost Retrieval-Masters about $400,000 by the time of the filing.”

Retrieval Masters said it learned of the breach after a significant number of credit cards people used to pay their outstanding medical bills via the company’s site ended up with fraud charges on them soon after. The company also reportedly slashed its staff from 113 to 25 at the end of 2018.

The bankruptcy filing may also be something of a preemptive strike: Retrieval-Masters is already facing at least three class-action lawsuits from plaintiffs in New York and California.

A copy of the bankruptcy filing is available here (PDF).

TalkTalk hacker Locked Up For Four Years

In December 2016, Daniel Kelley, then a teenager, was warned that he would be detained for his involvement in the hack of TalkTalk, which cost the company millions of pounds. Kelley, who as a student took part in the massive £77m hack of the TalkTalk mobile network, has now been jailed for four years.

Daniel Kelley, 22, from South Wales, appeared before the Old Bailey in May after pleading guilty to 11 hacking-related crimes.

In the previous court, he said that he was motivated by “revenge” after being fired from a computer course at the university. Failing to obtain the necessary GCSE grades, he took up “black hat” hacking, and joined a group of cybercriminals who committed the data breach in October 2015.

They targeted large and small businesses, as far away as Canada and Australia, and tried to extort their bosses. The offences Kelley admitted include hacking, six counts of blackmail, encouraging hacking, offering to supply data for use in fraud and possessing articles for use in fraud.

Prosecutor Peter Ratliff described Kelley as a “prolific, skilled and cynical cyber-criminal ” who was willing to “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety – behind the screen of a computer”.

Although he remained largely anonymous online, his crimes were pieced together from fragments of online chat logs, Bitcoin accounts and downloaded documents, the court heard. Mr Ratliff said Kelley had been “utterly ruthless”.

Kelley hacked TalkTalk and blackmailed Baroness Harding of Winscombe and five other Bitcoin executives, according to the court.

“Confidential and sensitive information had been stolen in the hack – armed with personal and credit card details of the company’s clients – Kelley would threaten the company with the public release of the material, knowing and exploiting the fact that the release would ruin the company concerned,” said Mr Ratliff.

His activities caused TalkTalk to lose tens of millions of pounds, while the small businesses he targeted were forced to spend thousands of pounds to mitigate the damage.

The defendant, who suffers from Asperger syndrome and depression, received only £4,400 worth of Bitcoin from his blackmail attempts, having demanded more than £115,000.

The prosecutor said: “It is clear from the content of the emails that the defendant sent that he derived enjoyment and excitement from the power he wielded over those he sought to intimidate.”

How did he do it?

Kelley mostly relied on an anonymising network known as Tor, the “Onion Router”, and also hid his IP address, making it difficult to attribute his criminal activities to him.

However, after careful examination of the evidence hidden on his digital devices, such as chat logs and Bitcoin accounts, the CPS was able to prove his culpability. Other files on his computer contained thousands of credit card numbers and cardholder details. The authorities also recovered software and other tools that support or enable hacking, including SQL tools that allow a quick analysis of the entire Internet.

Hiding behind that anonymity, Kelley believed he could go undetected and continue to target companies around the world that he considered vulnerable to cyber attacks. Finally the law caught up with him yesterday.

Related Resources:

TalkTalk’s Databreach Made Secret, Exposed In A Google Search

LabCorp: 7.7M Consumers Hit in Collections Firm Breach

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Just a few days ago, the news was all about how Quest had suffered a major breach. But today’s disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident: The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.

In a filing today with the U.S. Securities and Exchange Commission, LabCorp. said it learned that the breach at AMCA persisted between Aug. 1, 2018 and March 30, 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the filing reads. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

LabCorp further said the AMCA has informed LabCorp “it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

The LabCorp disclosure comes just days after competing lab testing firm Quest Diagnostics disclosed that the hack of AMCA exposed the personal, financial and medical data on approximately 11.9 million patients.

Quest said it wasn’t until two weeks later that AMCA disclosed the number of patients affected and what information was accessed, which includes financial information (e.g., credit card numbers and bank account information), medical information and Social Security Numbers.

Quest says it has since stopped doing business with the AMCA and has hired a security firm to investigate the incident. Much like LabCorp, Quest also alleges the AMCA still hasn’t said which 11.9 million patients were impacted and that the company was withholding information about the incident.

The AMCA declined to comment for this story, and instead referred requests for comment to an outside PR firm. Representatives with that firm declined to answer any questions about whether the breach of the AMCA’s payments page impacted anyone who entered payment data into the company’s site during the breach.

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

The statement continues:

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

ANALYSIS

The AMCA also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed.

A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years.

Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system. Recent consumer complaints about the AMCA also invoke the name of American Traffic Solutions, which services rental car fleets and processes some 50 million toll transactions per year. ATS did not respond to requests for comment.

My guess is we will soon hear about many other companies and millions more consumers impacted by this breach at the AMCA. Certainly, companies like Quest and LabCorp. have a duty to ensure contractors are properly safeguarding their patients’ personal, medical and financial information.

But this AMCA incident is the latest example of a breach at a little-known company that nevertheless holds vast quantities of sensitive data that was being shared or stored in ways that were beyond the control of affected consumers.

On May 24, KrebsOnSecurity broke the news that the Web site for Fortune 500 real estate title insurance giant First American Financial [NYSE:FAF] leaked 885 million documents related to mortgage deals going back to 2003, until notified by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

Many readers wrote in to say they’d never heard of First American, but it is the largest title insurance company in the United States. Title insurance is generally required for all home mortgages, and it protects the buyer from any previously unknown claims against the property. First American currently handles about one in every four title insurance transactions — usually as part of the mortgage closing process — which means tens of millions of Americans were potentially exposed by the company’s inexplicably lax security.

NY Investigates Exposure of 885 Million Mortgage Documents

New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records.

On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement.

First American says it has hired a third-party security firm to investigate, and that it shut down external access to the records.

The Times says few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company when they go to close the deal on buying or selling a new home.

“First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions,” wrote Stacy Cowley. “The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.”

News also emerged this week that First American is now the target of a class action lawsuit alleging the Fortune 500 mortgage industry giant “failed to implement even rudimentary security measures.”

Data Breach Hits Australian Tech Unicorn Canva

A massive data breach has hit Canva, the Australian tech unicorn based in Sydney.

ZDNet reported the hack on May 24, 2019, the same day it happened. The hacker, known as GnosticPlayers, had tipped off ZDNet that data for roughly 139 million users had been taken in the breach at the Sydney-based start-up.

The ZDNet report says, “Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.”

“Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning, ” the report further reads.

The hacker revealed that everything up to May 17 had been downloaded before Canva detected the breach and shut down its database server. The breached data includes customers’ real names and user names, email addresses, and city and country information, among other details. Password hashes for 61 million users were also part of the stolen database; however, the passwords were hashed with the bcrypt algorithm, which is considered highly secure. The hacker also stole the Google tokens that some users had used to sign up without setting a password. Of the 139 million affected users, 78 million had a Gmail address associated with their Canva account.

ZDNet researchers had verified the hacker’s claims; the ZDNet report explains, “ZDNet requested a sample of the hacked data, so we could verify the hacker’s claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site’s staff and admins. We used this information to contact Canva users, who verified the validity of the data we received.”

ZDNet then contacted Canva and informed it of the breach. A Canva spokesman subsequently sent ZDNet a statement by email, which said: “Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses.”

“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution”, the company statement further read. The customers were also assured that further communication would happen as the company learns more about the situation.
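Canva’s statement above rests on two properties of its password storage: every password is hashed with a slow algorithm (bcrypt), and every hash carries its own salt. The block below is an added illustration of why those two properties limit the damage of a stolen password table; it is not Canva’s code. bcrypt is not in the Python standard library, so the example substitutes PBKDF2-HMAC-SHA256 from hashlib as a stand-in with the same shape (per-user random salt, tunable work factor); the record format, iteration count and function names are this example’s own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. bcrypt, the algorithm Canva cites,
# likewise embeds a cost factor and a per-password salt in the stored string.
ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 100_000   # work factor: makes each offline guess expensive
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt is drawn for every user, so two users with the same
    password get different records, and a lookup table precomputed for one
    salt is useless against every other row of a stolen table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False                    # malformed record never verifies
    if algorithm != ALGORITHM or rounds <= 0:
        return False                    # unknown scheme or bogus cost
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds)
    return hmac.compare_digest(candidate, expected)


def distinct_records_for_same_password(password: str, users: int) -> int:
    """Number of distinct stored records produced by `users` accounts that
    share one password. With per-user salts this equals `users`; with a
    global salt or no salt it would be 1, so one cracked guess would open
    every one of those accounts at once."""
    return len({hash_password(password) for _ in range(users)})


if __name__ == "__main__":
    # Constructed sample record, as one row of a stolen table would look.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Tr0ub4dor&3", stored))
    print("distinct records for 5 users sharing a password:",
          distinct_records_for_same_password("password123", 5))
```

The salt does not have to be secret; it sits in the record next to the digest. What it buys is that an attacker holding 61 million rows must run the slow function separately for every row and every guess, instead of hashing each candidate once and matching it against the whole table. The work factor is what makes each of those guesses cost something; it should be raised as hardware gets faster, which the self-describing record format allows without invalidating existing rows.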

Canva, founded in 2012, is one of Australia’s biggest tech companies and serves numerous large companies and individual users, who rely on the Canva website for building websites, designing logos and similar services. The site, which has done well since its launch, recently entered the Top 200 in the Alexa website traffic rank, and a recent $70 million funding round raised the company’s valuation to $US2.5 billion.

The Australian Financial Review, in a report authored by Technology Editor Paul Smith, says that Canva has been criticized after the data breach that exposed so much data. He writes, “High profile Australian technology company Canva has faced criticism for its handling of a cyber attack that saw the data of approximately 139 million users stolen by a hacker…The sizable data breach at the online design company came less than a week after a $70 million funding round saw its valuation soar to $US2.5 billion ($3.6 billion), catapulting its co-founders Melanie Perkins and Cliff Obrecht on to the Rich List with fortunes worth over $500 million.”

Paul Smith points out that though Canva’s handling of the breach from a technical perspective was commended, the company was widely criticized for the initial email it had sent to its customers, which “buried the details below self-congratulatory marketing content”. He explains, “News of the hack was hidden beneath talk of how Canva “empowers” people to do great designs, and the promotion of recent news about its acquisitions of two German stock photo libraries and a new product for the US market.”

However, after some experts suggested on Twitter that customers might mistake the Canva email for a regular marketing message, the company put out a more succinct message.

The Australian Financial Review report adds, “James Turner, the founder of CISO Lens – a forum for chief information security officers of large Australian organisations – said long-term impact for Canva customers should be minimal…He observed that it was not Canva’s fault that it was targeted and that the hack appeared to be an opportunistic attack that had “missed the critical organs””.


First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images — were available without authentication to anyone with a Web browser.

First American Financial Corp. Image: LinkedIn.

Santa Ana, Calif.-based First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in more than $5.7 billion in 2018.

Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.

And this would potentially include anyone who’s ever been sent a document link via email by First American.

KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.

Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers. Ben Shoval, the developer who notified KrebsOnSecurity about the data exposure, said that’s because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.

“Closing agencies are supposed to be the only neutral party that doesn’t represent someone else’s interest, and you’re required to have title insurance if you have any kind of mortgage,” Shoval said.

“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, driver’s licenses, account statements, and even internal corporate documents if you’re a small business. You give them all kinds of private information and you expect that to stay private.”

Shoval shared a document link he’d been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019. Modifying the document number in his link up or down yielded other people’s records from before or after the same date and time, indicating the document numbers may have been issued sequentially.

The earliest document number available on the site — 000000075 — referenced a real estate transaction from 2003. From there, the dates on the documents get closer to real time with each forward increment in the record number.
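As an added example (not code from the KrebsOnSecurity article or from First American), here is the failure mode described above beside one way to close it: a document link whose token binds the record number to its recipient and an expiry under an HMAC, so that changing a digit is rejected regardless of how the underlying numbers are assigned. The document store, signing key and identifiers are all constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample store keyed by sequential nine-digit record numbers, as described above.
DOCUMENTS: Dict[int, str] = {
    75: "2003 closing statement (constructed sample)",
    123456789: "April 2019 wire receipt, buyer A (constructed sample)",
    123456790: "April 2019 wire receipt, buyer B (constructed sample)",
}

def fetch_document_vulnerable(doc_number: int) -> Optional[str]:
    """The exposure described above: the record number in the link is the only 'credential',
    so stepping it up or down by one returns the neighbouring record."""
    return DOCUMENTS.get(doc_number)

# Hypothetical server-side signing key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def issue_link_token(doc_number: int, recipient: str, expires: int) -> str:
    """Bind the record number to one recipient and an expiry (Unix time), then sign it."""
    payload = f"{doc_number:09d}|{recipient}|{expires}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def fetch_document_hardened(token: str, requester: str, now: int) -> Optional[str]:
    """Serve a record only when the token is intact, unexpired and presented by the party
    it was issued to. `requester` is the authenticated identity of the caller, not a URL
    parameter. Changing a digit in the record number breaks the signature, so enumeration
    fails even though the underlying numbers are sequential."""
    try:
        doc_str, recipient, exp_str, sig = token.split("|")
        doc_number, expires = int(doc_str), int(exp_str)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, f"{doc_str}|{recipient}|{exp_str}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    if now >= expires or requester != recipient:
        return None  # expired, or presented by someone other than the recipient
    return DOCUMENTS.get(doc_number)
```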

A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.

As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings. By 2 p.m. ET Friday, the company had disabled the site that served the records. It’s not yet clear how long the site remained in its promiscuous state.

First American wouldn’t comment on the overall number of records potentially exposed via their site, or how long those records were publicly available. But a spokesperson for the company did share the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

I should emphasize that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).

Nevertheless, the information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

Armed with a single link to a First American document, BEC scammers would have an endless supply of very convincing phishing templates to use. A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions — including the email addresses, names and phone numbers of the closing agents and buyers.

As noted in past stories here, these types of data exposures are some of the most common yet preventable. In December 2018, the parent company of Kay Jewelers and Jared Jewelers fixed a weakness in their site that exposed the order information for all of their online customers.

In August 2018, financial industry giant Fiserv Inc. fixed a bug reported by KrebsOnSecurity that exposed personal and financial details of countless customers across hundreds of bank Web sites.

In July 2018, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.

Data: E-Retail Hacks More Lucrative Than Ever

For many years and until quite recently, credit card data stolen from online merchants has been worth far less in the cybercrime underground than cards pilfered from hacked brick-and-mortar stores. But new data suggests that over the past year, the economics of supply-and-demand have helped to double the average price fetched by card-not-present data, meaning cybercrooks now have far more incentive than ever to target e-commerce stores.

Traditionally, the average price for card data nabbed from online retailers — referred to in the underground as “CVVs” — has ranged somewhere between $2 and $8 per account. CVVs are almost exclusively purchased by criminals looking to make unauthorized purchases at online stores, a form of thievery known as “card not present” fraud.

In contrast, the value of “dumps” — hacker slang for card data swiped from compromised retail stores, hotels and restaurants with the help of malware installed on point-of-sale systems — has long hovered around $15-$20 per card. Dumps allow street thieves to create physical clones of debit and credit cards, which are then used to perpetrate so-called “card present” fraud at brick and mortar stores.

But according to Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in both types of data, over the past year the demand for CVVs has far outstripped supply, bringing prices for both CVVs and dumps roughly in line with each other.

Median price of card not present (CNP) vs. card-present (CP) over the past year. Image: Gemini

Stas Alforov, director of research and development at Gemini, says his company is currently monitoring most underground stores that peddle stolen card data — including such heavy hitters as Joker’s Stash, Trump’s Dumps, and BriansDump.

Contrary to popular belief, when these shops sell a CVV or dump, that record is then removed from the inventory of items for sale, allowing companies that track such activity to determine roughly how many new cards are put up for sale and how many have sold. Underground markets that do otherwise quickly earn a reputation among criminals for selling unreliable card data and are soon forced out of business.

“We can see in pretty much real-time what’s being sold and which marketplaces are the most active or have the highest number of records and where the bad guys shop the most,” Alforov said. “The biggest trend we’ve seen recently is there appears to be a much greater demand than there is supply of card not present data being uploaded to these markets.”

Alforov said dumps are still way ahead in terms of the overall number of compromised records for sale. For example, over the past year Gemini has seen some 66 million new dumps show up on underground markets, and roughly half as many CVVs.

“The demand for card not present data remains strong while the supply is not as great as the bad guys need it to be, which means prices have been steadily going up,” Alforov said. “A lot of the bad guys who used to do card present fraud are now shifting to card-not-present fraud.”

One likely reason for that shift is the United States is the last of the G20 nations to make the transition to more secure chip-based payment cards, which is slowly making it more difficult and expensive for thieves to turn dumps into cold hard cash. This same increase in card-not-present fraud has occurred in virtually every other country that long ago made the chip card transition, including Australia, Canada, France and the United Kingdom.

The increasing value of CVV data may help explain why we’ve seen such a huge uptick over the past year in e-commerce sites getting hacked. In a typical online retailer intrusion, the attackers will use vulnerabilities in content management systems, shopping cart software, or third-party hosted scripts to upload malicious code that snarfs customer payment details directly from the site before it can be encrypted and sent to card processors.
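An added example (not from the article or from Gemini) of a defender-side check against the intrusion pattern just described: a periodic audit of the live checkout page that flags scripts loaded from hosts outside an allowlist and inline scripts that reference payment fields. The allowlisted host, field names and sample page are constructed.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed allowlist: the only host the checkout page is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.invalid"}
PAYMENT_FIELDS = ("cardnumber", "cvv", "expiry")  # constructed names a skimmer would target

class ScriptCollector(HTMLParser):
    """Gather external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True  # body arrives via handle_data
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False

def audit_checkout_scripts(html: str) -> List[str]:
    """One finding per off-allowlist external script and per inline script that touches
    payment fields. A coarse heuristic meant for a periodic integrity check of the live page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from unexpected host: {host}")
    for body in collector.inline:
        if any(field in body for field in PAYMENT_FIELDS):
            findings.append("inline script references payment fields; review it")
    return findings

# Constructed fixture: a legitimate CDN script, an inline snippet reading the card field,
# and a third script pulled from a host that is not on the allowlist.
SAMPLE_CHECKOUT = """<form><input name="cardnumber"><input name="cvv"></form>
<script src="https://cdn.example.invalid/cart.js"></script>
<script>var v = document.querySelector('[name=cardnumber]').value;</script>
<script src="https://stats.unexpected-host.invalid/s.js"></script>"""
```

Running `audit_checkout_scripts(SAMPLE_CHECKOUT)` yields two findings, one for the unexpected host and one for the inline script; a clean page with only allowlisted or same-origin scripts yields none.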

Research released last year by Thales eSecurity found that 50 percent of all medium and large online retailers it surveyed acknowledged they’d been hacked. That figure was more than two and a half times higher than a year earlier.

BIG BANG VS. LOW-AND-SLOW

Much of the media’s attention has been focused on recent hacks against larger online retailers, such as those at the Web sites of British Airways, Ticketmaster, and electronics giant NewEgg. But these incidents tend to overshadow a great number of “low-and-slow” compromises at much smaller online retailers — which often take far longer to realize they’ve been hacked.

For example, in March 2019 an analysis of Gemini’s data strongly suggested that criminals had compromised Ticketstorm.com, an Oklahoma-based business that sells tickets to a range of sporting events and concerts. Going back many months through its data, Gemini determined that the site had likely been hacked for more than two years — allowing intruders to extract around 4,000 CVVs from the site’s customers each month, and approximately 35,000 accounts in total since February 2017.

Ticketstorm.com did not respond to requests for comment, but an individual at the company who answered a call from KrebsOnSecurity confirmed Ticketstorm had recently heard from Gemini and from card fraud investigators with the U.S. Secret Service.

“It’s not just large sites getting popped, it’s mostly small to mid-sized organizations that are being compromised for long periods of time,” Alforov said. “Ticketstorm is just one of ten or twenty different breaches we’ve seen where the fraudsters sell what they collected and then come back and collect more over several years.”

In some ways, CVVs are more versatile for fraudsters than dumps. That’s because about 90 percent of dumps for sale in the underground do not come with the other consumer data points needed to complete various online transactions — such as the cardholder’s name or billing address, Gemini found.

This is particularly true when CVV data is collected or amended by phishing sites, which often ask unwitting consumers to give up other personal information that can aid in identity theft and new account fraud — including Social Security number, date of birth and mother’s maiden name.

All of which means e-commerce retailers need to be stepping up their game when it comes to staving off card thieves. This in-depth report from Trustwave contains a number of useful suggestions that sites can consider for a defense-in-depth approach to combating an increasingly crowded field of criminal groups turning more of their attention toward stealing CVV data.

“There is a lot more incentive now than ever before for thieves to compromise e-commerce sites,” Alforov said.