A data breach occurring at the Vacationland Vendors arcade games in Wisconsin Dells affected 40,000 credit and debit cards. The incident was caused by hackers who gained access to the card processing systems of the Wilderness Waterpark Resort in the Dells and Wilderness at the Smokies in Sevierville. The breach only affected the arcade systems; those using their credit cards for other services, such as reservations, eating at the resort restaurants or shopping for gifts, have not been affected.
According to Vacationland Vendors, the hack was discovered on March 22, but it is believed that all cards used between December 12, 2008, and May 25, 2011. The good news is that, of the 40,000 cards exposed, company officials believe only 20 were actually impacted by the breach.
We have recently written quite a few pieces on hacking, hacker-caused data breaches, and other such incidents. As we kick off the week and this first month of fall, more pieces of news along the same line come to our attention.
Two students hacked into the Birdville Independent School District’s servers and ran across a file containing 14,500 student names, ID numbers as well as social security numbers.
Borlas.net was also the playground of hackers. After managing to access their files, the hackers responsible for the security breach also leaked names, passwords, emails and phone numbers of nearly 15,000 registered users.
Hackers targeting the Hong Kong stock exchange have managed to do enough damage to force them to close afternoon trading for seven listed companies. The attack targeted the news section of the stock exchange and managed to severely disrupt day-to-day activities.
The news website, which publishes companies’ regulatory filings, started going down at noon; however, according to a Hong Kong stock exchange representative, the trading part of the website had not been breached. The stop in trading that affected HSBC, Cathay Pacific Airways and the Hong Kong Exchanges & Clearing, which runs the stock exchange, was a necessary measure as all had released price-sensitive information earlier in the day. As the fresh news could not be accessed, it was safer to end the afternoon trading for the seven companies.
After analyzing the couple of dozen breaches that made it to the security news pages last week, we concluded hackers going wild on websites and stolen hardware, particularly laptops, were the most frequent causes for data loss last week. The Citigroup breach did take center stage, as it turned out they downplayed the number of exposed accounts a little. By a little we mean they almost cut them in half! The originally disclosed 200,000 turned out to be 360,000. Just a minor oversight, I’m sure.
But the Citigroup situation was far from feeling lonely last week. Here are some of the security fails caused by successful hacking attempts and lost hardware:
Hackers breaching security
Workspace reported a hack that breached its legacy platform and exposed client data.
Hackers also breached WriterSpace.com, accessed 12,000 members’ email addresses and then posted them online for everyone to see.
BioWare also dealt with a hacker breaching their security. The result was 18,000 user account names, passwords, email addresses, and birth dates being exposed.
According to the PlayStation blog, the 70 million users of Qriocity and PlayStation Network may have had their personal information compromised due to a successful hacker attack. Also, the network has been shut down since April 20th and users have been unable to download content or play online.
The hacker attack resulted in personal information such as names, home addresses, e-mail addresses, birth dates and passwords being compromised, but the damage to credit card information has not yet been assessed.
Military personnel included in exposed group of carpooling employees
A website built to help commuters carpool to work is exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation. The data breach was caused by programming errors in the website code.
The bugs, discovered on the RideMatch.info website, enable hackers to easily access personal information such as names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. According to a recent article published by The Register, the SQL injection vulnerability was still active 2 days ago, although it had been discovered two weeks before and reported to a developer who runs the website.
The issue was discovered and reported by Kristian Hermansen, a security researcher. Upon receiving a form to fill in from his employer, apparently a legal requirement for all employees, he investigated the website where the information was to be posted.
RideMatch.info is a joint project developed by transit authorities in five regional governments in Southern California. Each individual using the website enters work and home addresses and the time they leave from each. Based on the data, the website then teams them with others who live and work nearby and commute at similar times, thus providing an effective carpool matchmaking service. Too bad the same range of data can be accessed by any hacker willing to exploit the vulnerability!
Did a data breach occur at T-Mobile USA? According to a group of hackers it did. They claimed to have gained access to all customer information of the company and posted network scans to prove it on the Full Disclosure web site. They also said they were trying to sell all the private records to T-Mobile’s competitors, who wouldn’t take them up on the offer. Yet they’re still doing their best to sell all stolen info to the highest bidder.
T-Mobile has a different view on the story though. They said, and were quoted by ChannelWeb, that there is no proof whatsoever of any breach. And although the document posted online did in fact belong to T-Mobile, it contained no sensitive data, nor was it obtained while their system had been hacked into.
“The document in question has been determined to be a T-Mobile document, though there is no customer information contained in the document,” the company said in a statement. “There is no evidence to indicate that the T-Mobile security system was hacked into nor any evidence of a breach.”
While ChannelWeb seems inclined to believe T-Mobile on this one, their security experts say large mobile carriers often fall prey to hackers who harvest their confidential customer records for their own benefit, mostly because the security systems they’re using are outdated. If I were T-Mobile right now, I’d make sure to check everything 100 times and find out exactly how the harmless file got posted online. ’Cause you can never know, can you?
Fashionably late, as the who’s who laws require, electronic payment services firm RBS WorldPay has admitted a breach that exposed 1.5 million payroll and gift card holders to fraud and identity theft. The breach was caused by a group of hackers finding their way to the RBS network and accessing about 1.1 million social security records, along with other private details, reports The Register.
RBS disclosed the breach to law enforcement and regulators on November 10, but waited until December 23rd to also let those affected know their private data was at risk. Great Christmas gift idea! Yet the company pledges strong commitment to prevent any fraud or identity theft attempts and offers 12 months complimentary membership to a credit monitoring service to all those whose personal information has been exposed by the hackers. Does this mean they will also take a good look at everything going on in their customers’ accounts between November 10 and December 23? 100 payroll cards have already been misused as a result of the breach, but have been deactivated since. We hope the toll does not go up.