WEEK OF MAY 30, 2022
US car giant General Motors hit by cyber-attack exposing car owners’ personal info
- US automobile manufacturer General Motors (GM) announced that it was hit by a credential stuffing attack last month that exposed customer information and allowed hackers to redeem rewards points for gift cards.
- GM said that it detected the malicious login activity between April 11 and April 29, 2022.
- A credential stuffing attack is a cyber-attack in which credentials obtained from a previous data breach on one service are used to attempt to log in to another unrelated service.
- The personal information of affected customers includes first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile pictures and search and destination information.
Spirit Super member data exposed after security attack
- A Spirit Super data incident has resulted in approximately 50,000 member records from 2019/2020 being compromised.
- “In short it was human error during a malicious email attack posing as official correspondence. This was not the result of a material security control weakness or technology failure. The malicious email resulted in a staff member’s password being compromised,” Spirit Super said.
- The super fund also said it is continuing to investigate the extent of the breach and believes there was unauthorized access to a mailbox containing personal data.
- The personal data that may have been compromised is akin to the information found in an annual statement. It includes items like names, addresses, ages, email addresses, telephone numbers, member account numbers and member balances. The stolen data does not include dates of birth, government identification numbers or any bank details.
Twitter fined $150M for misusing 2FA data
- The DOJ and FTC said the social media company misused consumers’ personal data for advertising purposes, from which it benefited.
- Three years ago, Twitter admitted that personal information provided by users for two-factor authentication (2FA) purposes was “inadvertently” used in targeted advertisements. Now, it might be paying the penalty.
- The Department of Justice (DOJ) announced Wednesday that Twitter violated a 2011 Federal Trade Commission (FTC) order that prohibited the social media company from deceptively using personal information.
- Twitter and the DOJ agreed on a $150 million penalty that will now be reviewed in federal court.
Cyberattack downs Regina Public Schools’ computer systems
- Regina Public Schools has confirmed that what it described as a “network-wide incident” earlier this week is in fact a cybersecurity attack.
- In a statement published to social media networks on Thursday afternoon, officials said that after “several days of investigation” it has become clear that the incident that first began on Sunday is a cyberattack.
- The district says it immediately took its systems offline in order to assess the scope and nature of the attack and to ensure the systems can be brought back online.
- All affected systems have been secured in order to mitigate any impact to data and operations, Regina Public Schools said.
Microsoft finds severe bugs in Android apps from large mobile providers
- Microsoft security researchers have found high severity vulnerabilities in a framework used by Android apps from multiple large international mobile service providers.
- The researchers found these vulnerabilities (tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework owned by mce Systems, exposing users to command injection and privilege escalation attacks.
- The vulnerable apps have millions of downloads on Google’s Play Store and come pre-installed as system applications on devices bought from affected telecommunications operators, including AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.
SpiceJet postpones March quarter results after ransomware attack
- There was speculation regarding a possible compromise of credentials during the attack.
- SpiceJet on Friday said none of its crew and employee credentials were compromised or leaked during the attempted ransomware attack earlier this week, even as the company informed the stock exchange that the attack on its IT systems has affected its audit process, necessitating a delay in the release of quarterly earnings.
- According to a report by CloudSEK, a cyber-security start-up, the exposed PII (personally identifiable information), IP addresses, login and other confidential details could lead to compromised accounts and render systems vulnerable to future cybersecurity attacks and data leaks.
- “As per our initial investigation, there are no leaks of any of the above and there are no compromised accounts,” it said in response to Business Standard.