[Security Weekly] VW and Audi Expose 3.3 Million Personal Records Due to Vendor Mistake
3rd Week of June 2021
1. Volkswagen and Audi expose over 3.3 million personal records from North America
Volkswagen and its subsidiary Audi announced that over 3.3 million personal records of their North American customers and potential buyers were accidentally exposed by an undisclosed third-party vendor. The vendor serves both companies and their authorized dealers in the United States and Canada.
On June 11, Volkswagen Group announced that one of its associated vendors left its IT systems unsecured for nearly two years between August 2019 and May 2021. The situation was only discovered when VW and Audi discovered unauthorized access to their data by a third party.
Most of the exposed records included full names, postal addresses, phone numbers, and email addresses. Some of them also included information on the purchased vehicles, such as vehicle identification numbers (VIN), makes, models, and years.
What’s more serious is that about 90,000 Audi owners and potential buyers also had their proof of purchase eligibility leaked. This included their driver’s licence numbers, social security numbers (SSN), loan numbers, and tax identification numbers. VW has offered free credit monitoring service for all those affected.
Data breaches originating from suppliers are becoming increasingly common. Companies must ensure that their IT networks and data are protected from any supply chain attacks.
Sources: TechCrunch, ZDNet, Threatpost
2. McDonald’s suffers data breach affecting the US, South Korea, and Taiwan
Global fast-food chain McDonald’s suffered a cyberattack leading to a widespread data breach involving its operations in three countries.
Even though McDonald’s claimed that only a small number of files were accessed, the span of the breach was significant. The hackers managed to gain unauthorized access to the company’s IT network and steal business-related data from the US division, as well as customer and employee data from its operations in South Korea and Taiwan.
Data stolen from the US market included the employee’s business contact information and the franchisees’ store information. In South Korea and Taiwan, stolen data included customer phone numbers and delivery addresses, as well as employee names and contact details.
McDonald’s said that it had contacted local authorities in both South Korea and Taiwan, and that it would start to notify the impacted customers.
Sources: The Wall Street Journal, Infosecurity
3. REvil ransomware gang attacks US nuclear weapon consulting firm
Sol Oriens, a defence consulting firm that provides advanced nuclear technologies for national security, suffered a ransomware attack by operators of the REvil ransomware. Sol Oriens is a US Department of Energy subcontractor and works closely with the National Nuclear Security Administration (NNSA).
Sol Orien stated that it was aware of the incident since May, when an unauthorized third party exfiltrated documents from its IT systems. The company’s website has been down since June 3.
On its leak site, the REvil ransomware gang claimed to have stolen data with regards to Sol Oriens’ business and employees. This included some employee names, social security numbers (SSN), and salary payout information. However, it remains unclear whether the gang had obtained even more serious classified information that could pose threats to national security.
Sources: Threatpost, SC Media, Bleeping Computer
4. CVS Health exposes 1.1 billion records due to cloud misconfiguration by vendor
CVS Health, an American healthcare and pharmaceutical giant, disclosed a data breach that exposed roughly 1.1 billion records caused by a misconfigured cloud database. The database was managed by an unnamed third-party vendor.
Security researchers at Website Planet first discovered the database on March 21. With a size of 204 GB, the database was open to the public without any form of authentication. Most of the data were related to CVS Health and its brands such as CVS Pharmacy and insurance provider Aetna. After being notified, CVS Health immediately secured the database.
The exposed data were mostly cached data containing Visitor IDs, Session IDs, and the devices’ information. These data clearly indicate what the customers were searching for. Search queries included those for medications such as COVID-19 vaccines. With some effort, malicious parties could match this information with the exposed emails, which could then be used for highly targeted phishing attacks.
Sources: ZDNet, Infosecurity
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security