This week in Cybersecurity… 🗞️

Privacy Failures Endanger People Living with HIV: Urgent Action Needed Amid Persistent Data Breaches

The UK Information Commissioner John Edwards has highlighted ongoing significant privacy failures within health services that handle HIV-related data, putting patients' confidentiality at risk. Repeated data breaches have exposed the HIV statuses of individuals, undermining trust and subjecting them to stigma and discrimination.

Despite advancements in HIV treatment and support, the lack of privacy protection remains a grave concern. The ICO has demanded immediate improvements and better compliance with data protection laws across health services. Further, the ICO is working with HIV charities to enhance the guidance on handling sensitive information and ensuring victims of data breaches have access to remedial measures.

READ MORE

Nationwide Shutdown: London Drugs Closes All Stores Following Major Cyberattack

After a cyberattack disrupted operations over the weekend, Vancouver-based retailer London Drugs has indefinitely closed all of its 79 stores across Canada. This proactive measure aims to secure customer and employee data and prevent further damage.

The attack has halted both physical store operations and e-commerce sales, although pharmacists remain available for urgent needs. This incident underscores a broader trend of rising cyberattacks on Canadian businesses, highlighting the vulnerability of retail operations to such threats.

READ MORE

Over a Million Australians at Risk as ClubsNSW Suffers Major Data Breach

A significant data breach at ClubsNSW has potentially exposed the personal details of over a million Australians, increasing their risk of identity theft. The breach, involving a third-party IT provider, affected less than 20 clubs but compromised sensitive information like driver’s license details and contact information, which may have been shared internationally.

ClubsNSW is working with affected venues and authorities to manage the situation, while individuals are advised to remain vigilant against potential phishing attempts stemming from the breach.

READ MORE

Global Security Compromised: Cybercriminals Threaten Leak from Massive KYC Database

Cybercriminals have stolen and threatened to release data from the World-Check database, which contains sensitive information about individuals deemed high-risk for activities like terrorism and money laundering.

The breach, confirmed by the London Stock Exchange Group, occurred through a third-party vendor. The database serves as a critical resource for financial institutions performing Know Your Customer checks and contains over five million records. This breach raises significant concerns about privacy, security, and the potential misuse of the exposed data.

READ MORE

Massive Data Breach at FBCS Exposes Personal Information of Nearly 2 Million Consumers

Financial Business and Consumer Solutions (FBCS) reported a significant data breach initiated on February 14, 2024, affecting around 1.955 million people. North Korean hackers are suspected of accessing sensitive data, including full names, Social Security numbers, and driver’s license numbers.

The breach was contained by February 26 after FBCS detected unauthorised network access. Measures were taken to secure the network and mitigate potential misuse, with ongoing investigations and strengthened security protocols. FBCS has also notified federal law enforcement and affected individuals about the breach.

READ MORE

Potter Handy Law Firm to Represent Thousands in 23andMe Genetic Data Breach Case

Potter Handy LLP is representing nearly 5,000 clients in a lawsuit against 23andMe following a significant data breach that compromised the sensitive information of about seven million users. The stolen data, which includes genetic and personal details, was reportedly sold on the dark web.

The law firm accuses 23andMe of negligence in safeguarding user data and failing to meet reasonable cybersecurity standards, thereby violating consumer privacy rights and exposing clients to potential identity theft and discrimination. Impacted individuals are primarily from California and Illinois.

READ MORE

Change Healthcare Faces Massive Ransomware Attack Due to Security Lapses

Change Healthcare was hit by a ransomware attack executed by the BlackCat gang using stolen Citrix account credentials that lacked multi-factor authentication (MFA).

Initiated on February 12, 2024, the breach allowed unauthorised access for about ten days, enabling data theft and system encryption that caused significant operational disruptions and a financial impact estimated at $872 million. The breach highlighted critical security failures and triggered a comprehensive response, including massive system overhauls and increased security measures to prevent future incidents.

READ MORE

Finnish Hacker Sentenced for Blackmailing Therapy Patients in Massive Data Breach

Aleksanteri Kivimäki, a Finnish hacker, has been sentenced to six years and three months in prison for hacking into a psychotherapy centre's records and blackmailing patients. Kivimäki accessed the records of Vastaamo, a therapy centre affecting about 33,000 clients.

He initially demanded a ransom from Vastaamo and then from the patients directly, leading to widespread outrage in Finland. This case marks a significant breach of privacy and security, highlighting the severe consequences of cyberattacks on personal data.

READ MORE

FCC Levies Hefty Fines on U.S. Carriers for Unauthorized Location Data Sales

The FCC has fined major U.S. wireless carriers, including AT&T, Sprint, T-Mobile, and Verizon, a total of nearly $200 million for illegally selling access to customer location data. This action concludes an extensive four-year investigation triggered by Senator Ron Wyden's inquiries.

The carriers, which had passed the responsibility of obtaining customer consent to third parties, continued their practices even after acknowledgements of security flaws, leading to widespread unauthorised data access and potential privacy invasions.

READ MORE

Marriott Admits to Misrepresenting Encryption Standards in 2018 Data Breach Case

In a recent court hearing, Marriott International confessed that it had misrepresented using AES-128 encryption to protect customer data during the 2018 breach, which actually used the less secure SHA-1 hashing method.

This revelation came after a forensic investigation contradicted Marriott's long-standing claims. The misuse of SHA-1, which is prone to quick decryption, may have allowed hackers easier access to sensitive customer data. The disclosure has raised serious legal and security ramifications, potentially affecting ongoing lawsuits and Marriott's obligations under data protection regulations.

READ MORE

Enjoyed this week’s digest? Why not share it with a friend? Let these topical events lead your security conversations, and become the expert. Oh, and don’t forget to subscribe :)