Top Cyber Security Breaches So Far

Recap And Updates Of Enterprise Cyber-Attacks And Data Incidents


Top Enterprise Cyber Security Breaches

Each Friday, Cyber Security Hub scours the internet to provide readers with a notable ‘Incident Of The Week.’ The popularity of this type of article is growing on the CSHub.com website, most likely because each one is loaded with best practices and tips on incident response — both how to handle the situation and, in some cases, what not to do.

After 18 months of data incident analysis, we are pausing to round up what has happened so far. From password spraying to ransomware to data leaks (and everything in between), we looked into the numbers to see what is top-of-mind for Cyber Security Hub readers. Here are your top cyber security breach headlines so far, starting with the most-viewed story and working our way down.

See Related: Cyber Security Hub Incident Of The Week Archive

Historic Capital One Hack Reaches 100 Million Customers Affected By Breach

[Records Exposed: 106 Million | Industry: BFSI | Type of Attack: Cloud Vulnerability]

The Fast Facts: Capital One determined that a hacker broke into a server by exploiting a configuration vulnerability in a web application firewall on March 22 and 23, 2019. The person accessed personal information for more than 100 million Capital One customers in the U.S. and 6 million in Canada. The outcome makes this hack one of the biggest ever. Then, according to the criminal complaint, the person tried to share the stolen information with other people online.

Lessons Learned: Applications and services migrated to the cloud need to have as much scrutiny, if not more, placed upon them as internally-hosted servers. Any boundary layer or interface, such as a firewall, needs regular assessments to assure that patches have been applied and that access to configuration settings is restricted.

State Farm Insurance Discloses Recent Credential Stuffing Attack

[Records Exposed: N/A | Industry: BFSI | Type of Attack: Credential Stuffing]

The Fast Facts: Insurance provider State Farm has notified policyholders that it recently observed login attempts to user accounts that were symptomatic of credential stuffing cyber-attacks. The company reset the passwords of affected accounts and has sent notifications alerting customers of the situation.

According to reports, the attack was discovered by State Farm in July 2019 and no personally identifiable information (PII) was exposed. The insurance company serves more than 83 million U.S. customers, though the number of policyholders impacted by the attack has not been disclosed.

Lessons Learned: The enterprise security team can no longer view insider threats and phishing attacks as the exclusive attack vectors for credential compromise. Increasingly, attackers are focusing their efforts on sites that deliver services to the individual in hopes that common credentials exist. How does an organization protect itself when it may not have been breached?

Our experts highlight multiple areas where security teams can hone their approach in anticipation of more credential stuffing attacks.

  • Augment security awareness training to explain “why” unique credentials are so important. Utilize credential stuffing attacks as proof points to demonstrate cyber hygiene objectives.
  • Require multiple forms of authentication that take location, the physical device/system asset, and the user identity into consideration. Re-authenticate users based on elapsed time and/or a change in these authentication parameters.
  • Review the need to provide email and external site access for every employee.
  • Restrict or eliminate access to applications, services, and sensitive data that do not pass these tests.

Dunkin Donuts Reports Credential Stuffing Attack

[Records Exposed: N/A | Industry: Restaurant & Hospitality | Type of Attack: Credential Stuffing]

The Fast Facts: Dunkin’ Donuts first reported a credential stuffing attack at the end of November 2018, and has notified users of more account breaches following a 2019 attack. This attack, which happened in January, is similar to the first in that hackers leveraged user credentials leaked at other sites to enter DD Perks rewards accounts.

The type of information stored in a DD Perks account, which provides repeat customers a way to earn points and get free merchandise or discounts, includes the user’s first and last names, emails (usernames) and a 16-digit DD Perks account number and QR code.

According to ZDNet, the hackers weren’t after users’ personal information stored in the rewards accounts; instead, they were after the account itself in order to sell on Dark Web forums.

Some Quick Tips: According to advice from Trend Micro, here are some ways to strengthen security against these types of attacks:

  • Practice good password hygiene. Avoid reusing the same email and password combination for multiple online accounts, and change your access credentials frequently.
  • Enable two-factor authentication (2FA) whenever possible. Layered protection is always better than single access authentication.
  • Observe your network traffic and system. A significant increase in network inquiries, access, or slowdowns may indicate an attack. Run security software to find and remove malware infection.

Passwords And Biometrics Info For One Million Users Exposed In BioStar 2 Data Breach

[Records Exposed: 1 Million | Industry: Software & Technology | Type of Attack: Cloud Vulnerability]

The Fast Facts: Employee ID cards can be replaced if lost or stolen. However, if the leaked data contains your face, fingerprints, or iris scan, the effects may be felt for life. This Cyber Security Hub Incident Of The Week examines data exposed for 1 million users of the BioStar 2 biometrics platform.

Lessons Learned: It goes without saying that this security breach should never have occurred. Cyber Security Hub sees two primary areas of concern that security leaders can take back to their teams:

  • Manipulation of access control systems and logs
    • The convenience of a SaaS control and management application should be weighed against the security risks. Have third-party risk assessments been completed for SaaS and PaaS providers?
    • Understand the risk and ramifications (for SIEM, for breach forensics, for compliance and reporting, etc.) of adding/changing/removing access log entries.
  • Compromising biometric user data that cannot be replaced
    • Does the biometrics database co-mingle with other authentication databases?
    • What alternative authentication factors are acceptable in the absence of biometrics?
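The second area above asks teams to understand what it means when access-log entries can be added, changed or removed. One defensive answer is to make the log tamper-evident, so that any such change is detectable on review. The following is an added example written for this page, not code from BioStar 2, its vendor or Cyber Security Hub: each entry carries an HMAC over the previous entry's tag and its own contents, so editing, inserting, deleting or reordering entries breaks the chain, and a copy of the latest tag kept off-host catches truncation. The key, event fields, user IDs and door names are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed key for the example. In production the key would live in an HSM/KMS
# rather than on the host that writes the log (assumption, not from the page).
LOG_KEY = b"example-access-log-key-not-for-production"
GENESIS = "0" * 64  # the tag "before" the first entry


def _entry_mac(prev_mac: str, record: dict) -> str:
    """HMAC over the previous entry's tag plus this record's canonical JSON,
    so every entry commits to everything logged before it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict) -> dict:
    """Append an access-control event, chained to the previous entry."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "mac": _entry_mac(prev, record)}
    log.append(entry)
    return entry


def verify_log(log: list):
    """Return (ok, first_bad_seq). Catches edited, inserted, deleted or reordered
    entries anywhere in the chain. It cannot catch a silently truncated tail on
    its own; verify_anchor() covers that case."""
    prev = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry["seq"] != expected_seq:
            return False, expected_seq
        if not hmac.compare_digest(entry["mac"], _entry_mac(prev, entry["record"])):
            return False, expected_seq
        prev = entry["mac"]
    return True, None


def verify_anchor(log: list, anchored_mac: str) -> bool:
    """Compare the chain's last tag with one stored off-host (for example shipped
    to the SIEM at each rotation); a truncated log no longer ends at the anchor."""
    return bool(log) and hmac.compare_digest(log[-1]["mac"], anchored_mac)


def demo() -> dict:
    # Constructed sample door events (hypothetical user IDs and door names).
    events = [
        {"ts": "2019-08-05T08:01:12Z", "user": "u1001", "door": "lobby", "result": "granted"},
        {"ts": "2019-08-05T08:03:40Z", "user": "u2048", "door": "server-room", "result": "denied"},
        {"ts": "2019-08-05T08:04:02Z", "user": "u2048", "door": "server-room", "result": "granted"},
    ]
    log = []
    for ev in events:
        append_entry(log, ev)
    anchor = log[-1]["mac"]  # what would be shipped off-host

    edited = copy.deepcopy(log)           # turn a "denied" into "granted"
    edited[1]["record"]["result"] = "granted"

    deleted = copy.deepcopy(log)          # remove the denial and renumber to hide the gap
    del deleted[1]
    for i, e in enumerate(deleted):
        e["seq"] = i

    truncated = copy.deepcopy(log[:-1])   # drop only the newest entry

    return {
        "intact": verify_log(log),
        "edited": verify_log(edited),
        "deleted": verify_log(deleted),
        "truncated": verify_log(truncated),
        "truncated_anchor_ok": verify_anchor(truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

The chain alone reports the truncated log as valid, which is why the anchor check exists: the last tag has to leave the host (to the SIEM, a write-once store, or a separate team) before an intruder with console access could rewrite history.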


Oregon DHS Target of Phishing Attack

[Records Exposed: 645,000 | Industry: Government | Type of Attack: Phishing]

The Fast Facts: The Oregon DHS notified about 645,000 clients that their personal data was potentially breached during a spear-phishing attack. Nine employees fell for the email campaign and provided their user credentials, giving hackers full access to more than 2 million emails.

Lessons Learned: The most common phishing emails incorporate two elements: a sense of urgency or a request for help. This could mean an email saying that an invoice was overdue, or an email purporting to be from a colleague asking for help on a project at work.

Some phishing emails are so clever that IT professionals have been duped as well. Enterprises can reduce the likelihood of a successful phishing attack through ongoing employee education and phishing-filtering software. They should also reduce the impact on the organization of a successful attack through endpoint protection, two-factor (or multi-factor) authentication, security patches, and changing passwords regularly.
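The two phishing elements named above, urgency and a request for help, can be scored alongside two structural checks that phishing filters commonly apply: a Reply-To domain that differs from the From domain, and link text that displays one host while the href points to another. The example below is added here and is not Oregon DHS's or any vendor's filter; the phrase lists, weights and threshold are illustrative assumptions, and both sample messages are constructed using reserved example domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase lists and weights are illustrative assumptions, not a vendor's rule set.
URGENCY_PHRASES = ("urgent", "immediately", "overdue", "suspend", "final notice", "within 24 hours")
HELP_PHRASES = ("can you help", "need your help", "quick favor", "are you available")
WEIGHTS = {"reply_to_mismatch": 2, "link_host_mismatch": 3, "urgency_language": 1, "help_request": 1}
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased, without a leading www."""
    if not url:
        return ""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def domain_of(header_value: str) -> str:
    """Domain part of an address header such as '"Name" <user@example.test>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def score_message(raw: str) -> dict:
    """Score one RFC 822 message on the indicators discussed in the text."""
    msg = message_from_string(raw)
    reasons = []
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply_to_mismatch")       # replies are steered to another domain
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    if msg.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(body)
        for href, visible in parser.links:
            # Visible text that looks like a URL but whose href points elsewhere.
            if LOOKS_LIKE_URL.match(visible) and host_of(visible) != host_of(href):
                reasons.append("link_host_mismatch")
                break
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("urgency_language")
    if any(p in text for p in HELP_PHRASES):
        reasons.append("help_request")
    score = sum(WEIGHTS[r] for r in reasons)
    verdict = "likely phishing" if score >= 4 else "review" if score >= 2 else "no indicators"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed samples; every domain is a reserved example/test name.
PHISH_SAMPLE = """\
From: "State Payroll Office" <payroll@example-mail.test>
Reply-To: collector@attacker.example
To: employee@agency.example
Subject: URGENT: your invoice is overdue
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is overdue. Please visit
<a href="http://login.attacker.example/verify">https://portal.agency.example/login</a>
immediately to avoid suspension of your account.</p></body></html>
"""

BENIGN_SAMPLE = """\
From: "A Colleague" <colleague@agency.example>
To: employee@agency.example
Subject: Notes from Tuesday
Content-Type: text/plain; charset="utf-8"

Attached are the notes. The wiki page is https://wiki.agency.example/notes.
"""

if __name__ == "__main__":
    print(score_message(PHISH_SAMPLE))
    print(score_message(BENIGN_SAMPLE))
```

Keyword matching on its own produces false positives (a real overdue invoice is urgent too), which is why the structural indicators carry most of the weight: a displayed URL whose link target is a different host has no legitimate explanation in routine mail.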

Multiple Yahoo Data Breaches Across 4 Years Result in a $117.5 Mn Settlement

[Records Exposed: 3 Billion | Industry: Software & Technology | Type of Attack: Unauthorized Access]

The Fast Facts: According to the website for the Yahoo data breach settlement, the company’s cyber security issues contained in this matter extended from 2012 to 2016. However, the information gets more specific and says data breaches involving stolen information occurred between 2013 and 2016, while so-called data security intrusions (where an infiltration happened without those responsible taking data) happened from at least January to April 2012.

Then, cybercriminals did not take the same kind of data in every case or behave the same way. For example, in 2012, two separate hackers broke into Yahoo's online infrastructure without taking anything.

The next year, cybercriminals behaved maliciously when they took records from all of Yahoo's accounts, which totaled about 3 billion. In that instance, the information seized by the hackers could have allowed them to access things like users' email accounts and calendars.

In 2014, hackers directly targeted Yahoo's user database, affecting about 500 million people. The cybercriminals reportedly got account details such as people's names, email addresses, passwords, phone numbers and birthdays.

Lessons Learned: The Yahoo data breach was, in part, as bad as it was because of poor security practices. Hackers gained access to Yahoo’s network through the use of a phishing scheme. All it took was one employee with network access clicking on a malicious link for a hacker to get through. Once in, the hackers were able to guarantee their continued access to the network. In addition, some confidential data — including security questions and answers — was stored unencrypted by Yahoo.

CISOs should prepare for attacks that use social engineering just as much as brute-force attacks. This will require CISOs to provide some level of cyber security education to non-cyber security and non-tech savvy staff. CISOs should also ensure that basic security measures — like the encryption of identifying information — are in place.
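The point above that security questions and answers were stored in the clear can be shown beside a safer shape. Since an answer only ever needs to be verified, never read back, the hardened version below stores a salted slow hash rather than a reversible ciphertext; that choice is the editor's, not something the page specifies. This is an added example, not Yahoo's code; the answer normalisation, the iteration count and the sample users are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata


# Legacy shape described in the text: answers kept as-is, readable by anyone who copies the table.
def store_answer_plaintext(db: dict, user: str, question: str, answer: str) -> None:
    db[(user, question)] = answer


def check_answer_plaintext(db: dict, user: str, question: str, answer: str) -> bool:
    return db.get((user, question)) == answer


# Hardened shape: normalise the answer, then store a per-record salt and a slow hash.
ITERATIONS = 200_000  # illustrative assumption; raise it to what your hardware tolerates


def normalize(answer: str) -> str:
    """Case-fold, unify Unicode forms and collapse whitespace so "  Fluffy " still matches."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer_hashed(db: dict, user: str, question: str, answer: str) -> None:
    salt = os.urandom(16)  # fresh per record, so identical answers do not share a digest
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    db[(user, question)] = {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def check_answer_hashed(db: dict, user: str, question: str, answer: str) -> bool:
    rec = db.get((user, question))
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])  # constant-time comparison


def leaked_view(db: dict) -> dict:
    """What someone who copies the table learns about each stored answer."""
    return {k: (v if isinstance(v, str) else "<salted hash>") for k, v in db.items()}


def demo() -> dict:
    legacy, hardened = {}, {}
    store_answer_plaintext(legacy, "alice", "first pet", "Fluffy")
    store_answer_hashed(hardened, "alice", "first pet", "Fluffy")
    store_answer_hashed(hardened, "bob", "first pet", "Fluffy")  # same answer, different salt
    return {
        "legacy_accepts": check_answer_plaintext(legacy, "alice", "first pet", "Fluffy"),
        "hardened_accepts_variant": check_answer_hashed(hardened, "alice", "first pet", "  fluffy "),
        "hardened_rejects_wrong": check_answer_hashed(hardened, "alice", "first pet", "Rex"),
        "hardened_unknown_user": check_answer_hashed(hardened, "carol", "first pet", "Fluffy"),
        "legacy_leak": leaked_view(legacy)[("alice", "first pet")],
        "hardened_leak": leaked_view(hardened)[("alice", "first pet")],
        "same_answer_same_digest": (hardened[("alice", "first pet")]["digest"]
                                    == hardened[("bob", "first pet")]["digest"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>26}: {v}")
```

Normalisation matters for recovery questions more than for passwords, since users type "fluffy" one year and "Fluffy" the next; doing it before hashing keeps the stored value unreadable while still accepting those variants.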

Dominion National Finds Evidence of Data Breach Nearly a Decade Later

[Records Exposed: Up To 900,000 | Industry: Healthcare | Type of Attack: Unauthorized Access]

The Fast Facts: In late April 2019, vision and dental insurance company and benefits administrator Dominion National investigated an internal alert with the assistance of an outside cyber security firm. The results showed that unauthorized parties could have had access to some of the company’s servers since August 25, 2010. The company did not disclose what triggered the initial alert. It also did not say how many of the company's 900,000 customers possibly had data on the servers.

However, Dominion National representatives assessed what kind of information got compromised during the breach. They say the potentially at-risk parties are the current and former customers of Dominion National, as well as the health providers that offer Dominion National plans to their clients. In one instance of a related party affected by the breach, the Delaware Department of Insurance said the incident could affect 10% of the state's population.

Lessons Learned: Data breaches are commonplace, but this one is arguably worse than most considering the length of time that the servers in question remained open to cybercriminals. People in the security industry should consider this issue a strong reminder of the need to diligently monitor their networks and all associated equipment for signs of trouble.

Six Lessons Learned From The Citrix Breach

[Records Exposed: N/A | Industry: Software & Technology | Type of Attack: Unauthorized Access]

The Fast Facts: On March 6, 2019, the FBI contacted Citrix to advise that it had reason to believe international cyber criminals had gained access to the internal Citrix network, according to Stan Black, CISSP and the CSIO of Citrix.

While the FBI is still investigating the details, thehackernews.com reported that the Iranian-backed Iridium hacker group hit Citrix in December 2018 and again this time, stealing at least 6 terabytes of sensitive internal files, including emails, blueprints, and other documents.

The Iranian-linked hacking group was also behind recent cyber-attacks against more than 200 government agencies worldwide, oil and gas companies, technology companies and other targets.

The hacker group’s proprietary techniques include bypassing multi-factor authentication for critical applications and services to gain further unauthorized access to VPN channels and SSO (Single Sign-On).

Some Quick Tips: Here are six key learnings every enterprise should apply to avoid becoming the victim of a password spraying cyber-attack:

  • Use strong passwords: Create a password that is not less than 10 characters and preferably 16 characters; avoid using a common phrase, your name, nickname or address. Always use a unique password, never repeat and never store passwords in your browser.
  • The NCSC advises firms to configure protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks and enforce multi-factor authentication on externally-reachable authentication endpoints.
  • Encourage checks of common passwords through Troy Hunt’s HaveIBeenPwned password checker, or other free or commercial tools.
  • Consider using two or multi-factor authentication.
  • Perform a routine systems check to make sure there aren't any easy access points, back doors or areas where privileges could be escalated.
  • Check to make sure hackers have not added any additional user accounts.

Story Update: According to Securityweek.com, it is now being reported that the hackers had access to the company’s network for roughly five months:

“In a data breach notification submitted by Citrix this week to the California Office of the Attorney General, the company said the hackers had intermittent access to its network between October 13, 2018, and March 8, 2019.

The company also confirmed that the attackers removed files from its systems. Some of these files stored information on current and former employees and, in some cases, beneficiaries and/or dependents. The compromised data includes names, social security numbers, and financial information.

It’s unclear how many people have been impacted by the incident, but it’s at least 500 as California legislation requires companies to disclose breaches to authorities if more than 500 of the state’s residents are affected.”

Contacted by SecurityWeek, Citrix refused to say exactly how many are impacted. The company noted, “We are notifying all potentially impacted individuals out of an abundance of caution, and providing these individuals with credit monitoring and fraud protection services free of charge where possible.”

UNIQLO Japan Suffers Credential Stuffing Cyber Attack

[Records Exposed: 460,000 | Industry: Retail | Type of Attack: Credential Stuffing]

The Fast Facts: Fast Retailing, the company behind multiple Japanese retail brands including Uniqlo, confirmed in an official statement that it is the latest victim of a credential stuffing attack. The company said that between April 23 and May 10, 2019, fraudulent logins were made to 461,091 accounts so far.

Customer personal information that may have been viewed:

  • Customer's name (first name, last name, phonetic).
  • Customer's address (zip code, city, county, street address, room number).
  • Phone number, mobile phone number, e-mail address, gender, date of birth, purchase history, name and size registered in My Size.
  • Shipping name (first name, last name, address), phone number.
  • Part of credit card information (card holder, expiration date, part of credit card number). Credit card numbers are hidden except for the first four digits and the last four digits. CVV numbers (credit card security codes) are not displayed or stored, so there is no possibility of leakage.

Once the company identified the communication origin from which unauthorized logins were attempted, it blocked access and strengthened monitoring of other accesses. For the 461,091 user IDs where personal information may have been viewed, passwords were invalidated on May 13, and e-mails were sent asking customers to reset their passwords. In addition, the case was reported to the Tokyo Metropolitan Police Department.

Lessons Learned: Since the beginning of 2019, there have already been a handful of successful credential stuffing attacks, which managed to infiltrate the computing systems of TurboTax, Dunkin' Donuts, Basecamp, and Dailymotion, as reported by BleepingComputer. It said that the cyber criminals behind credential stuffing campaigns have designed them to be completely automated, making use of large collections of stolen credentials bought from underground markets to take over customer accounts.

According to Akamai Research, nearly 30 billion credential stuffing attacks were recorded in 2018. Some tips for businesses to avoid credential stuffing attacks include:

  • Partner with a solid solutions provider to help detect and stop credential stuffing attacks.
  • Ensure a defensive solution is tailored to the business, as criminals will adjust their attacks to evade out-of-the-box configurations.
  • Users need to be educated about credential stuffing attacks, phishing and other risks that put their account information in jeopardy.
  • Brands should stress the importance of unique passwords and password managers to customers and highlight the value of multi-factor authentication.
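Several of the stories above (State Farm, Dunkin’, UNIQLO) end with the same advice, and the Citrix item relays the NCSC's recommendation to monitor externally-reachable authentication endpoints for password spraying. The following added example shows what such protective monitoring looks like over authentication logs; it is not code from any of those companies, the NCSC or Cyber Security Hub. The log line shape, addresses, usernames and thresholds are constructed assumptions. It separates the two patterns by velocity and per-account attempt count: credential stuffing replays leaked pairs at machine speed, while spraying makes a guess or two per account over a long window to stay under lockout thresholds. In both cases the successes from a flagged source are the accounts to reset and notify, which is what State Farm and UNIQLO did.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log shape for this example (assumption: not a real product's format):
#   2019-05-01T10:00:01Z src=203.0.113.10 user=alice result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """Return an event dict, or None for lines that do not match the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "src": m["src"],
            "user": m["user"], "ok": m["result"] == "OK"}


def analyze(lines, min_users=20, min_fail_ratio=0.8, fast_rate_per_min=10.0,
            lockout_threshold=3, slow_span_min=30):
    """Group attempts by source and classify sources that touch many accounts
    with mostly failures. All thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        per_user = Counter(e["user"] for e in evs)
        if len(per_user) < min_users:
            continue
        fail_ratio = sum(not e["ok"] for e in evs) / len(evs)
        if fail_ratio < min_fail_ratio:
            continue  # many users but mostly successes: a NAT or proxy, not an attack
        span_min = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60
        rate = len(evs) / max(span_min, 1 / 60)  # attempts per minute
        if rate >= fast_rate_per_min:
            kind = "credential_stuffing"      # leaked pairs replayed at machine speed
        elif max(per_user.values()) < lockout_threshold and span_min >= slow_span_min:
            kind = "password_spraying"        # few guesses per account, spread out under lockout
        else:
            kind = "suspicious_multi_account"
        findings[src] = {
            "kind": kind,
            "distinct_users": len(per_user),
            "attempts": len(evs),
            "fail_ratio": round(fail_ratio, 2),
            "attempts_per_min": round(rate, 1),
            "max_attempts_per_user": max(per_user.values()),
            # Successes from a flagged source are the accounts to reset and notify.
            "accounts_to_reset": sorted({e["user"] for e in evs if e["ok"]}),
        }
    return findings


def build_sample_log():
    """Constructed traffic: an office NAT with normal logins, one stuffing
    source and one spraying source. Addresses are from documentation ranges."""
    lines = []
    t = datetime(2019, 5, 1, 8, 30, 0)
    for i in range(1, 26):                   # 25 staff behind one NAT, five mistype once
        if i % 5 == 0:
            lines.append(f"{t.strftime(TS_FMT)} src=198.51.100.7 user=staff{i:02d} result=FAIL")
            t += timedelta(seconds=20)
        lines.append(f"{t.strftime(TS_FMT)} src=198.51.100.7 user=staff{i:02d} result=OK")
        t += timedelta(seconds=45)
    t = datetime(2019, 5, 1, 10, 0, 0)
    for i in range(1, 41):                   # 40 leaked pairs replayed 3 s apart, two still valid
        result = "OK" if i in (5, 17) else "FAIL"
        lines.append(f"{t.strftime(TS_FMT)} src=203.0.113.10 user=leak{i:04d} result={result}")
        t += timedelta(seconds=3)
    t = datetime(2019, 5, 1, 11, 0, 0)
    for i in range(1, 31):                   # 30 accounts, one guess each, 6 min apart, one hit
        result = "OK" if i == 22 else "FAIL"
        lines.append(f"{t.strftime(TS_FMT)} src=203.0.113.77 user=emp{i:02d} result={result}")
        t += timedelta(minutes=6)
    return lines


if __name__ == "__main__":
    for src, finding in analyze(build_sample_log()).items():
        print(src, finding)
```

The office NAT in the sample touches 25 accounts but is never flagged, because its failure ratio is low; counting distinct usernames per source without the failure ratio would page the on-call team every morning. Real stuffing campaigns are usually spread across many source addresses, so in production the same grouping is also worth running per user agent or per autonomous system.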

Cyber Attack Takes Weather Channel Offline

[Records Exposed: N/A | Industry: Media | Type of Attack: Ransomware]

The Fast Facts: On Thursday, April 18, 2019, The Weather Channel live broadcast went offline for about an hour according to The Wall Street Journal, which the company later confirmed in a Twitter statement was due to a ‘malicious software attack.’ The FBI subsequently started an investigation into the ransomware attack that shut down the Weather Channel’s live program, which forced the cable channel to resort to a taped program.

Lessons Learned: Jason Glassberg, the cofounder of the security firm Casaba Security, told Business Insider what to do if you accidentally fall victim to a ransomware attack:

  1. Alert law enforcement. While they might not be able to help you much, they should still be made aware of the crime.
  2. Turn off your infected computer and disconnect it from the network it is on. An infected computer can potentially take down other computers sharing the same network.
  3. Back up the data on a separate hard drive so you can at least recover the data you lost from the point of the last backup. While the malicious software itself can be removed, getting your data back is a whole different story.

Finally, you have to decide whether or not you are going to pay the ransom, which is a highly debated topic. “We have seen many scenarios where even if the user pays, they don't get the recovery keys. So it's one of the reasons we tell our customers that paying the ransom is not the best course of action,” says Steve Grobman, the chief technology officer of Intel's Security Group.

“For starters, paying the ransom may not result in you getting your keys back. And you are also providing additional incentives for the criminal element to continue to build ransomware and make it more effective and help it become an even bigger problem in the future.”

Toyota's Second Data Breach Affects Millions Of Drivers

[Records Exposed: 3.1 million | Industry: Manufacturing | Type of Attack: Not Disclosed]

The Fast Facts: Toyota revealed the issue on its official website on March 29, 2019, saying the breach potentially affected 3.1 million people. The company is still looking into whether the cybercriminals could access and read the data but says the compromised server did not contain credit card details.

February was a disruptive month for Toyota, too, but in the Australian market. On February 21, 2019, Toyota stated it experienced an attempted cyber-attack. The news came via a similarly brief press statement consisting of only five sentences.

The company said it did not believe the hackers accessed private customer or employee data in that instance. It also confirmed Toyota's IT team communicated with international cyber security experts for advice in getting to the bottom of the matter.

Lesson Learned: Since there are so few specifics about what happened surrounding Toyota's cyber security breaches, it is best for customers to be exceptionally vigilant regarding any communications from people claiming to be from Toyota or its subsidiaries. There is no way to know for sure, but the hackers could use the customer data obtained in the Japanese breach to orchestrate phishing attempts.

U.S. Customs And Border Protection Breach

[Records Exposed: 100,000 | Industry: Government | Type of Attack: Unauthorized Access]

The Fast Facts: U.S. Customs and Border Protection (CBP) officials said on June 10, 2019, that photos of travelers had been compromised as part of a ‘malicious cyber-attack.’ CBP uses cameras and video recordings extensively at airports and land border crossings, as part of a growing agency facial-recognition program. It is designed to track the identity of people entering and exiting the U.S.

Officials said that the data breach included images of people’s faces and license plates, which were compromised as part of an attack on a federal subcontractor.

Lessons Learned: The federal government, FBI and DHS, as well as a group of private contractors, all have access to a growing database of images such as those breached here — including biometric data.

While it is said to be necessary to enhance security, Rep. Bennie Thompson (D-Miss.), chair of the House Homeland Security Committee, said, “Government use of biometric and personally identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year.”

Thompson was referring to a separate breach in which more than 2 million U.S. disaster survivors had their information revealed by the Federal Emergency Management Agency. "We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public."

Investigation Of Walmart Email Breach

[Records Exposed: N/A | Industry: Retail | Type of Attack: Unauthorized Access]

The Fast Facts: The FBI is investigating allegations that employees from one of Walmart’s technology suppliers were illegally monitoring the retailer’s e-mail communication.

The New York Times reports that in late 2015 through early 2016, Compucom employees assigned to Walmart’s help desk were using their access to monitor specific e-mail accounts at the retailer and allegedly using that information to get an edge over competitors.

The scheme was discovered after a Compucom technician took a photo of an email about an internal Walmart disciplinary matter and sent it to a Walmart employee he had been chatting with on an instant messaging system, according to the FBI filing.

Lesson Learned: The case exposes a potential vulnerability for companies that rely on contractors for technical work, giving outsiders broad access to sensitive internal documents with little oversight in the process. It also raises questions about how technicians hired to support the computer system of one of the world’s largest and most insular corporations were able to gather information from employee emails.

“Companies with an extensive communications network like ours require the support of different partners and a high level of trust,” Walmart spokesman, Randy Hargrove, told the NYT. “We relied on this vendor but their personnel abused their access and we want those responsible to be held accountable.”

Millions of Hy-Vee Customer Payment Cards Appear For Sale Online

[Records Exposed: 5.3 Million | Industry: Retail | Type of Attack: PoS Terminal Malware]

The Fast Facts: An online carding bazaar transaction of 5.3 million payment card details corroborated recent reports that Midwestern U.S. retailer Hy-Vee customers paying at the store’s fuel pumps, coffee shop drive-thrus, and restaurants could have fallen victim to the attack and subsequent data breach.

Hy-Vee operates more than 240 retail stores in eight Midwestern states, including Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin. Last week, the company announced it was investigating a payment card incident at some Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants where unauthorized activity on some of its payment processing systems had been detected. The timeframe for the breach and the scope of potential cardholders impacted is still under investigation.

Lessons Learned: Hundreds of millions of credit cards and debit cards are in circulation within the United States. The transition from swiping the card’s magnetic stripe to requiring a chip + PIN combination (EMV) has essentially been completed. However, point-of-sale transaction machines have not been mandated to make the conversion. The risk of skimming (double swiping to “skim” the card info into a separate database) still exists at fuel pumps and other legacy transaction terminals.

PCI transaction compliance has demonstrated resiliency for payment card transactions that adhere to the EMV chip + PIN authorization process. The combination of skimming and non-chip POS terminals remains a channel for attackers to glean payment card data from unsuspecting users.

Impact Of Docker Security Breach

[Records Exposed: 190,000 | Industry: Software & Technology | Type of Attack: Unauthorized Access]

The Fast Facts: An estimated 190,000 users potentially affected by the issue may have had their usernames and hashed passwords compromised; the breached information did not include financial information.

An external analysis of the Docker issue asserts that the hackers could nonetheless do substantial damage without having access to bank details. That is because each autobuild has an associated token that grabs the data from the external source. The Docker release also said the issue affects some users who have GitHub and Bitbucket tokens associated with Docker autobuilds.

Some Quick Tips: DevOps teams that used those tokens need to go back through their pipelines and check for signs of unusual activity.

Lessons Learned: The possible widespread reach of incidents like this one makes companies seriously consider getting cyber breach protection. Even when enterprises take precautions, the damages caused by internet attacks can be substantial. Being insured could help companies recover faster than they otherwise might.

4 Million Bulgarian Citizens Affected By Tax Agency Data Breach

[Records Exposed: 4 Million | Industry: Government | Type of Attack: Unauthorized Access]

The Fast Facts: More than 4 million of Bulgaria’s 7 million citizens were affected by a security breach in June 2019, which compromised personally-identifiable information and financial records lifted from the country’s tax agency. An estimated 200 citizens had names, addresses, personal identification numbers, and ID card details shared with media outlets.

Legacy systems and a lack of preventative measures by the Bulgarian government are suspected as vulnerabilities leading to the citizen records database becoming exposed.

Lessons Learned: Key takeaways include:

  • Patch or remove outdated systems.
  • In addition to threat response mechanisms, implement preventative cyber security measures.
  • Assess security practices when considering data sharing with partners, suppliers, and service providers.
  • Cyber security awareness and education never ceases. Consider joining communities of a similar industry sector or geographic proximity to share best practices and learn about new threats.
  • Governments are imposing fiscal penalties for organizations (both public and private sector) that mismanage data.

Intruders Hack Into Charles River Labs

[Records Exposed: 1% Of Clients | Industry: Biotech | Type of Attack: Unauthorized Access]

The Fast Facts: Charles River Labs is an American corporation specializing in a variety of preclinical and clinical laboratory services for the pharmaceutical, medical device and biotechnology industries. The company reported that portions of its IT systems were hacked into during April 2019 by intruders who managed to copy a portion of its client data before the company contained the hack.

Lessons Learned: In order to prevent more financial losses and more exposed patient data, Andrew Douthwaite, chief technology officer for Colorado-based VirtualArmour, a cyber security company, recommended:

  • It is essential for companies to implement security plans and procedures that could mitigate future losses.
  • Offerings such as log-in management and the provision of 24-hour security services can help prevent an attack.
  • Look at the current security tools in place and identify gaps that could provide hackers an easier entrance.
  • Add a response phase, which includes the necessary guidelines and confidence for the enterprise to respond to a threat.
  • Backup servers are essential tools that can thwart cyber hostage-taking attempts like the evolving ransomware tactics.

Millions Hit By Quest, LabCorp Data Breach

[Records Exposed: 19.6 Million | Industry: Healthcare | Type of Attack: Unauthorized Access]

The Fast Facts: The recent breaches of Quest Diagnostics and competitor LabCorp should get your attention because of the implications for those involved. Both companies point to the exploitation of the American Medical Collection Agency (AMCA) as the threat vector for the attacks. Quest claims up to 11.9 million people's data may have been stolen, while LabCorp cites a slightly lower 7.7 million, bringing the total to nearly 20 million consumers at risk.

The documents exposed could contain patients' social security and insurance information, two valuable data points for those seeking to create false identities, which makes this a valuable haul for hackers who might resell the information on the dark web.

Lessons Learned: Because so much criminal activity online goes unnoticed, it's impossible to say exactly how frequently this sort of thing happens; however, we do know that Quest suffered a smaller breach in 2016. In that instance, Quest's lab information was compromised by a direct attack. Quest released a statement at that time saying it believed the potential harm to patients was low, given the nature of the information accessed and the small number of patients exposed. However, the current situation is much more serious.

Quest is not alone in suffering from malicious activities by hackers. The credit card skimming scheme used in this most recent attack has been connected to the Magecart hacking group and has affected vendors like Newegg, British Airways and Sotheby's.

Inside The Phishy Wipro Breach

[Records Exposed: N/A | Industry: Software & Technology | Type of Attack: Phishing]

The Fast Facts: On April 15, investigative reporter Brian Krebs wrote about the breach of Indian IT outsourcing and consulting giant Wipro Ltd. According to KrebsOnSecurity.com, two trusted sources spoke anonymously to Krebs saying that Wipro’s systems were seen being used “as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems. The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.”

On April 17, Wipro was quoted in an Indian daily newspaper saying that it did in fact experience a phishing incident. Wipro confirmed its IT systems were hacked and said it hired a forensic firm to handle the situation, stating that it was ‘dealing with a multi-month intrusion from an assumed state-sponsored attacker’ and that Wipro’s systems were seen being used to attack at least a dozen of its clients.

Some Quick Tips: The handling of the incident (or lack thereof) has sparked some buzz among industry influencers, leaving Krebs compelled to later write a follow up article on the incident explaining that Wipro executives were asked on a quarterly investor conference call to respond to his reporting. Wipro COO Bhanu Ballapuram told investors that many of the details in Krebs’ reporting were in error, and implied that the breach was limited to a few employees who got phished.

Krebs decided to join the quarterly call and add a question on the incident to the queue, and Wipro gave him the opportunity to speak on the call. Security reporter Graham Cluley was able to record that portion of the call and post it on Twitter.

From the aforementioned series of events, Krebs offered a recap of Wipro’s public response so far in his follow up article of, “How not to acknowledge a data breach:”

  • Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
  • Question the stated timing of breach, but refuse to provide an alternative timeline.
  • Downplay the severity of the incident and characterize it as handled, even when they have only just hired an outside forensics firm.
  • Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
  • Claim the IoCs you are sharing with affected clients were discovered by you when they were not.

Story Update: According to a more recent article published on May 2nd, the attackers were found to have used remote access tool ScreenConnect to compromise employee machines within Wipro. It has also been found that the attackers could be linked to older malicious activities from 2017 and even possibly 2015, and had reused most of the infrastructure of previous attacks for their current ones.

4.9 Million Records Exposed For Food Delivery Service DoorDash

[Records Exposed: 4.9 Million | Industry: Restaurant & Hospitality | Type of Attack: Unauthorized Access]

The Fast Facts: Food delivery service DoorDash announced that nearly 5 million user records were accessed by an unauthorized third party in May 2019. A combination of data from DoorDash merchants, its Dasher delivery personnel and end-user consumers were accessed. Users who joined the service after April 5, 2018 are not affected.

Lessons Learned: A spokesperson for the delivery service told TechCrunch that a “third-party service provider” was to blame, though no specific provider was named. Since the breach occurred, DoorDash removed access to the data from the third-party, added additional protective security layers around the data, improved security protocols that govern access to DoorDash systems and brought in outside expertise to increase the company’s ability to identify and repel threats.

See Related: Lessons Learned: The Cautionary Tales Of Enterprise Cyber-Attacks