Macy's Breach Exposed Customer Data, Credit Card Numbers

  • Some Macy’s online customers have become victims of data theft that took place between April 26th and June 12th. That period of compromise is much longer than it should be for a company of this size.
  • An “unauthorized party” managed to obtain usernames and passwords to log onto Macy’s and Bloomingdale’s shoppers’ online profiles. Sorry, but I have to ask: are online thieves ever "authorized?"
  • While credit and debit card information was accessed, the company noted that neither Credit Verification Values (CVV) nor Social Security numbers were stored in its online customer profiles. There is no reason why an online merchant should have Social Security Numbers in the first place.
  • This breach is similar to the one that the Adidas US site fell victim to last month. The increase in the number of data breach notification laws (at the state level and internationally) means these kinds of stories will become more and more frequent.

Cryptocurrency Start-Up Suffers 'Security Breach'

  • Israeli start-up Bancor said that $12.5 million worth of Ethereum, $1 million of the lesser-known token Pundi X, and $10 million of Bancor Network Tokens had been stolen. Crypto-currency sites are definitely one of the largest targets so far in 2018, along with the SWIFT network.
  • The company said it was able to prevent $10 million of its own BNT crypto tokens from being compromised by freezing the funds. I have not seen any details yet on how the attack occurred.
  • The company stated that “no user wallets have been compromised in the attack”.
  • Bancor’s initial coin offering (ICO) was worth almost $183 million today. There are a lot of companies trying to get into the crypto-currency business; security and trust will be a huge part of determining which startups become successful.

Timehop Admits that Additional Personal Data was Compromised in Breach

  • The company first acknowledged the breach on Sunday (July 01), saying that users’ names, email addresses, and phone numbers had been compromised. I give the leadership credit for not trying to hide from this disaster; one executive plainly said "we messed up."
  • Timehop now says that they have discovered that more information was initially compromised, including date of birth and gender. Ouch. Very ouch.
  • The breach occurred when someone accessed a database in Timehop’s cloud infrastructure that was not protected by two-factor authentication. This is a familiar theme: a company puts lots of sensitive data in a cloud service provider but fails to adequately protect it.
  • Of the 21 million accounts, 18.6 million email addresses were accessed, 15.5 million dates of birth, and 3.3 million included names, email addresses, phone numbers, and DOBs. Wow, this is a very large breach.

Hackers Caught Selling Access to Airport Security Systems for $10

  • Researchers at McAfee’s Advanced Threat Research team have discovered that credentials for systems at a major international airport are being sold on the dark web for $10. This is not at all a surprise.
  • The stolen credentials were for the airport’s remote desktop protocol (RDP), which allows employees to work through specific computers from outside the local network. RDP is a cheap and generally much less secure form of remote access. Organizations of all sizes and industries would be wise to avoid RDP and instead invest in a robust Virtual Private Network platform.
  • It is unclear how the airport’s credentials were obtained; however, McAfee suspects brute force attacks. That is very possible, but dictionary attacks or social engineering are also likely candidates. Simplistic (read: poor) authentication is one of the many problems with using RDP.
  • The airport wasn’t the only site with an RDP problem; researchers also came across multiple government systems including health care institutions. So if my comments are not clear enough, allow me to end with this: please don't use RDP. Just say no.