Fintech company MobiKwik started investigating claims of a data breach after media reports said that 8.2 terabytes of MobiKwik user data are up for sale on the dark web. The data included phone numbers, email, passwords, transactions logs and partial banking card numbers. KYC documents including govt issues the Aadhaar card or PAN ID of 3.5 mn users are also included in the breach. KYC documents are mandatory in India to access few financial services without any limitations.
SITA, an aviation IT company serving about 90% of the world’s airlines, revealed that it was the victim of a data breach involving passenger data. The passenger data stored on the company’s U.S. servers had been breached after which the affected airlines were informed. But it is still unclear as to what data was accessed or stolen. SITA is one of the few companies in the aviation market providing passenger ticketing and reservation systems to airlines.
Ubiquiti, one of the biggest sellers of networking gear, emailed its customers to become aware of unauthorised access to its systems hosted by a third-party cloud provider. The company couldn’t be certain if the customers’ data-name, email address, and the one-way encrypted password to their account, address, phone number – had been exposed. It also asked the users to update their passwords and also enable two-factor authentication.
A Kaspersky report said that SMBs and enterprises that decide to voluntarily inform stakeholders and the public about a data breach, on an average, are likely to lose 40% and 28% less than, respectively, from their peers that saw the incident leaked to the media. Cost of damage suffered from a data breach to SMBs can come down to $93k if disclosed to stakeholders from $155k, if leaked to media. Similarly, for enterprises, it is $1.134 mn compared to $1.583 mn.
Sophos, in an email, has notified some clients about a data security breach this week, claiming a small number of customers were affected. Data exposure included customers’ names, email, and phone numbers. “On Nov 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” the email said. Sophos came to know about the breach after alerted by a security researcher.
Dr Lal PathLabs left private medical records of millions of customers on an unsecured cloud server for about a year. The publicly exposed S3 bucket contained 9000 files that included, names, contact details, patient UIDs, digital signatures, payment details etc. It is unclear if any malicious actors have accessed the data. In a note, India’s largest diagnostics chain, said it was notified about the exposure and fixed the vulnerability within hours.
Shopify has confirmed a data breach, in which two “rouge members” of its support team stole customer data from at least 100 merchants. The company has fired the two employees who were scheming to obtain customer transactional records of certain merchants. The stolen data included names, postal addresses, and order details, from less than 200 merchants, but financial data was unaffected. The two employees obtained data using Shopify’s Orders API.
Cyber research firm Cyble has claimed that Paytm has suffered a massive data breach after cybercriminals targetted digital payments giant’s PayTM mall database. Paytm, however, has denied any data breach. The attackers are demanding a ransom of 10 Ethereum cryptocurrency ($4000). Hacker group John Wick, which hacks databases under the pretext of offering help to fix bugs in systems, is said to be behind the breach.
The US DoJ has charged Joseph Sullivan for deliberately keeping the FTC from learning about the 2016 cyberattack that exposed the personal info of 57M of Uber’s customers and drivers. Joseph was the Chief Security Officer in Uber Technologies and this is the first time a security officer is charged for concealing an attack. Sullivan paid hackers with $100K under Uber’s bounty programme and made them sign NDAs that falsely stated they had not stolen data.