Protection of Information Assets

Temple University


MIS 5206.001 ■ Fall 2024 ■ David Lanter

In The News

October 16, 2024 by David Lanter 16 Comments

Filed Under: Unit 09: Business Continuity and Disaster Recovery


Comments

  1. Clement Tetteh-Kpakpah says

    October 19, 2024 at 1:51 pm

    Marriott Agrees $52m Settlement for Massive Data Breach | James Coker – Infosecurity Magazine | 10 Oct 2024
    Hotel giant Marriott has agreed to pay a $52m settlement to 50 US states for a large multi-year data breach impacting 131.5 million American customers.
    The 50-state settlement followed an investigation conducted by the Federal Trade Commission (FTC) and 50 state attorneys general into a breach of a Starwood guest reservation database that was discovered in September 2018.
    Attackers accessed the database undetected from July 2014 to September 2018.
    Marriott acquired Starwood in 2016 and had control of the hotel group’s computer network from this time.
    The globally impacted records included 339 million guests’ personal details and a limited number of unencrypted passport numbers and unexpired payment card information.
    The agreement with the US states settles allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies.
    As part of the settlement, Marriott has also agreed to strengthen its cybersecurity practices. This includes implementation of a comprehensive information security program that incorporates zero trust principles and regular security reporting to the board and C-suite.
    In a separate settlement order with the FTC, Marriott and its subsidiary Starwood have agreed to implement a “robust” information security program.
    This agreement will settle charges that data security failings by the companies led to three large data breaches from 2014 to 2020, impacting more than 344 million customers worldwide.

    https://www.infosecurity-magazine.com/news/marriott-settlement-massive-data/

  2. Sarah Maher says

    October 20, 2024 at 3:57 pm

    Personal information for more than 115,000 Texans leaked in DPS data breach

    Texas’s Department of Public Safety suffered a data breach, and 115,071 Texans were affected. SS numbers, licenses, ID numbers, names, and addresses were leaked. This is fairly new, so updates are not available yet.

    In 2022, the same department got tricked into sending the driver’s licenses of 3000 Texans to a Chinese organized crime group that then used them to create fake accounts. They were able to do this by first getting information from the dark web, then using it to find the licenses they wanted. They bypassed the passwords of the DPS, and then the DPS shipped the licenses to them instead of the intended people.

    https://www.houstonpublicmedia.org/articles/news/public-safety/2024/10/16/503095/personal-information-for-more-than-115000-texans-leaked-in-dps-data-breach/
    https://www.dps.texas.gov/section/driver-license/dl-security-incident
    https://www.texastribune.org/2023/02/27/texas-drivers-license-theft-dps/

  3. Steven Lin says

    October 20, 2024 at 6:47 pm

    The cyber group in Russia, known as RomCom, has launched attacks against government institutions in Ukraine and multiple entities in Poland using a newly discovered form of malware called SingleCamper. This is the advanced version of the previous tools used by RomCom to steal information, monitor activities within the system, and even disrupt operations using ransomware. Operations usually begin with phishing emails sent by the organization that are crafted to trick the receiver into installing malicious software, which introduces backdoors like ShadyHammock and DustyHammock. The backdoors give the hackers the ability to take over systems, move laterally in the network, and steal information. The attacks linked to RomCom are escalating, indicating a long-running espionage campaign; SingleCamper is used for establishing remote access, conducting network lateral movements, and exfiltration of data. The attacks of the group are sophisticated, using different programming languages and tactics to breach systems. Simultaneously, another threat actor, UAC-0050, has conducted attacks against Ukrainian organizations to steal money through different kinds of malware, often in the form of fake banking transactions or some remote control tool. These organized cyber-attacks pose a grave danger to Ukrainian entities, combining espionage with financial crime.

    • Steven Lin says

      October 21, 2024 at 6:46 pm

      https://thehackernews.com/2024/10/russian-romcom-attacks-target-ukrainian.html

  4. Yash Mane says

    October 20, 2024 at 8:08 pm

    Omni Family Health, a nonprofit healthcare provider in California, is notifying nearly 470,000 individuals of a data breach resulting from a cyberattack discovered on August 7, 2024. The breach, claimed by the Hunters International ransomware gang, exposed 2.7 terabytes of data, including names, addresses, Social Security numbers, and medical information. The stolen data was posted on the dark web on August 23. Omni immediately launched an investigation with cybersecurity experts and notified federal authorities. While no fraudulent activity has been reported, Omni is offering 12 months of free credit monitoring and identity protection services to those affected.

    https://securityaffairs.com/169972/data-breach/omni-family-health-disclosed-a-data-breach.html

  5. Sara Sawant says

    October 20, 2024 at 8:16 pm

    Fake Google Meet Conference Errors Push Info-stealers

    A ClickFix campaign is using fake Google Meet pages to push info-stealing malware on both Windows and macOS systems. Victims are lured into executing PowerShell code under the guise of fixing errors. The malware delivered includes Stealc, Rhadamanthys, and AMOS, affecting various platforms. Attackers employ phishing emails and URLs mimicking legitimate Google Meet links to trick users.

    https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/?&web_view=true

  6. Lili Zhang says

    October 21, 2024 at 5:40 pm

    Iranian hackers are targeting critical infrastructure systems like Microsoft 365 and Citrix using techniques such as brute force password spraying and MFA push bombing. They exploit weak passwords and repeatedly send MFA login requests until users mistakenly approve access. Once inside, the hackers maintain persistent access, steal credentials, and move laterally within networks using legitimate system tools to avoid detection. Their primary goal is to steal credentials and gather information for further malicious activities.

    https://hackread.com/iranian-hackers-target-microsoft-365-mfa-push-bombing/

  7. Daniel Akoto-Bamfo says

    October 21, 2024 at 8:33 pm

    Man arrested in SEC social media account hack that led the price of bitcoin to spike.

    A man from Alabama, Eric Council Jr., has been arrested for his role in the January hack of the US Securities and Exchange Commission’s account, which led to a spike in bitcoin prices. Council is accused of breaking into the SEC’s account on X, formerly known as Twitter, and allowing hackers to prematurely announce the approval of bitcoin exchange-traded funds. The price of bitcoin briefly spiked more than $1,000 after the post claimed the SEC grants approval for Bitcoin ETFs for listing on all registered national securities exchanges. The SEC later denied the post, and the first exchange-traded funds holding bitcoin were officially approved the following day.

    https://abcnews.go.com/Technology/wireStory/alabama-man-arrested-sec-social-media-account-hack-114906593

  8. Lily Li says

    October 22, 2024 at 10:35 am

    Wells Fargo named in Infosys attack affecting 6M

    Infosys is a US-based subsidiary of Infosys, an Indian multinational technology giant. IMS revealed that the ransomware attack impacted Wells Fargo and three other parties in November 2023. It is still unclear what information and how many people have been impacted by the breach. Bank of America suffered a data breach as a result of the IMS attack, with the breach affecting tens of thousands of customers. The attack on IMS happened in November 2023, when the Infosys subsidiary discovered that specific systems were encrypted by ransomware. In an official report by Infosys McCamish, it was revealed that unauthorized activity occurred between October 29, 2023 and November 2, 2023. The investigation determined that the personal information included Social Security number, date of birth, biometric data, email address and password, and financial account information, among many more.

    https://www.infosysbpm.com/mccamish/about/notice-of-cybersecurity-incident.html
    https://cybernews.com/news/wells-fargo-named-infosys-breach/

  9. Rohith says

    October 22, 2024 at 6:33 pm

    US Police Detective Charged With Purchasing Stolen Credentials

    A Buffalo police detective was arrested for buying stolen information on the dark web. He used this information to commit crimes, such as accessing bank accounts and stealing money. The detective, Terrance Michael Ciszek, was accused of purchasing stolen credentials from an online marketplace called Genesis Market. He used these credentials to impersonate legitimate users and carry out fraudulent activities. Ciszek was caught when law enforcement agencies around the world shut down Genesis Market and arrested individuals associated with its operations.

    https://www.securityweek.com/us-police-detective-charged-with-purchasing-stolen-credentials/

  10. Justin Chen says

    October 22, 2024 at 8:08 pm

    North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

    North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.
    The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea’s strategic and financial interests, refers to an insider threat operation that entails infiltrating companies in the West for illicit revenue generation for the sanctions-hit nation. These North Korean workers are typically sent to countries like China and Russia, from where they pose as freelancers looking for potential job opportunities. As another option, they have been found to steal the identities of legitimate individuals residing in the U.S. to achieve the same goals.

    https://thehackernews.com/2024/10/north-korean-it-workers-in-western.html

  11. Aaroush Bhanot says

    October 22, 2024 at 8:27 pm

    Redbox easily reverse-engineered to reveal customers’ names, zip codes, rentals details

    The article discusses the privacy risks associated with Redbox kiosks after the company’s bankruptcy. Redbox’s parent company, Chicken Soup for the Soul, filed for Chapter 7 bankruptcy, which left thousands of kiosks in the hands of various individuals and organizations. Some of these kiosks contain customer data stored locally, which could be easily accessed through reverse engineering. Programmer Foone Turing demonstrated this by retrieving over 2,000 transaction records, including customer names, zip codes, email addresses, and partial credit card numbers, using free tools. The data came from transactions dating back to at least 2015.

    https://arstechnica.com/gadgets/2024/10/redbox-hard-drive-hacked-to-reveal-customer-information-from-2471-rentals/?utm_source=tldrinfosec

  12. Haozhe Zhang says

    October 22, 2024 at 11:06 pm

    Cicada3301 has appeared as a new ransomware threat to succeed the notorious BlackCat ransomware group. The old ransomware has already attacked nearly 30 small and medium businesses in various industries. While BlackCat is already well known, it’s in a place where Cicada3301 can pick up where it left off with new capabilities. Similar to its forerunner, it has been noted that Cicada3301 has embraced methods that target organizations for extremely high ransom demands. This is a new development in the long line of ransomware groups, which continues to shape and evolve, and keeps cybersecurity experts on their toes, awaiting the next tactics and exploits. This latest ransomware serves as further evidence of ongoing sophistication in ransomware attacks. Therefore, robust cybersecurity measures, including periodic updates and backups, become an urgent necessity in protecting sensitive data and minimizing risk from potential disruptions.
    https://www.securityweek.com/blackcat-ransomware-successor-cicada3301-emerges/

  13. Charles Lemon says

    October 22, 2024 at 11:35 pm

    “GeoServer vulnerability actively abused, CISA warns”
    The Cybersecurity & Infrastructure Security Agency (CISA) has added a GeoServer vulnerability to its known exploited vulnerabilities. GeoServer is an open source server that allows users to edit geospatial data. A few government agencies use it for tasks such as urban planning, environmental monitoring, and emergency response. The vulnerability allows Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation. Previous versions of GeoServer are affected by this vulnerability while two new patched versions have become available in recent weeks, versions 2.24.4, 2.25.2, and 2.23. Federal Civilian Executive Branch (FCEB) agencies were required to remediate this vulnerability to protect their networks against active threats.

    https://www.threatdown.com/blog/geoserver-vulnerability-actively-abused-cisa-warns/

  14. Elias Johnston says

    October 22, 2024 at 11:35 pm

    The article I chose this week covers the British Airways disaster in 2017. An engineering contractor turned off an uninterruptible power supply, which then caused a power surge when the power was restored in an uncontrolled fashion. The power surge severely affected a key data center and caused almost a week of downtime for British Airways. The downtime cost British Airways around $109 million (80 million British pounds). I chose this article to highlight the need for an effective and airtight disaster recovery plan. British Airways lost a hundred million dollars; however, they also lost consumer trust, with many customers saying they would not return to the company after complications with their luggage lasted long after the IT failure.

    https://skift.com/2017/06/06/human-error-caused-british-airways-computer-system-failure

  15. Parth Tyagi says

    October 23, 2024 at 12:14 am

    Internet Archive: Digital Library of Free & Borrowable Texts gets Pummeled in ROUND 2 Breach!!

    Internet Archive is a very popular nonprofit organization founded in 1996 by Brewster Kahle that runs a digital library website, archive.org. It provides free access to collections of digitized materials including websites, software applications, music, audiovisual, and print materials.

    Just a few days after the Internet Archive told the public it was getting back on its feet after a data breach and a barrage of distributed denial-of-service (DDoS) attacks forced it to go offline, the digital library website is once again in trouble.

    Unknown bad actors have allegedly claimed access tokens to the archive’s Zendesk implementation, using them to send a mass email on Oct. 20 to those who tried to interact with the archive’s platform. Internet Archive did not secure its authentication tokens, which enabled unauthorized access to their Zendesk instance (customer service software).

    Read in detail at https://www.darkreading.com/cyberattacks-data-breaches/internet-archive-pummeled-round-2-breach

