(In)Secure Digest: Pizza Lovers' Data Theft, a Million-dollar Fine and Aircraft Suppliers’ Data Leak

It's time for the traditional monthly review of "classic" and non-trivial IS incidents reported by the media. In September there were: the Airbus supplier data breach; a large-scale hack of the Freecycle platform and blackmailing of Pizza Hut Australia.


Pepperoni with a PDN flavour

What happened: hackers accessed the data on 1 million Pizza Hut Australia customers. 

How it happened: the attackers claim to have accessed Pizza Hut's data several months ago via Amazon Web Services using multiple entry points. As proof of the hack, the cybercriminals provided several data samples that contained 200,000 records. One of the samples contained information on 100,000 customers, including: 
•    Names
•    Email addresses
•    Postal addresses
•    Mobile phone numbers
•    Passwords
•    Type of service (delivery or pickup)
•    Credit card numbers. (The credit card data was encrypted and passwords were hashed.)

Presumably, hackers could have accessed 30 million records with details on orders and data on 1 million customers. It’s known that cybercriminals demanded $300,000 for deleting all the data. 
Experts from databreaches asked Pizza Hut Australia management, whether they are acknowledged about the hack and whether they plan to notify the affected customers, but there was no response to the enquiry.


Almost everyone

What happened: the Freecycle platform reported a massive data breach that affected more than 7 million users.

How it happened: Freecycle is an online platform for sharing things, its database contains data on 11 million users. On 30th of May, it became known that the biggest part of this data was exposed. The unknown person put the platform users’ data for sale on a hacker forum and warned victims to change their passwords. The attacker claimed, that he/she took over the account of the platform's founder and then managed to gain full access to the data on Freecycle members. According to the platform representatives, the stolen information included:

  • Usernames
  • Identifiers
  • Email addresses
  • Passwords. 

Freecycle's founder claimed that the company experts became aware of the leak on 30 August, almost three months after the data was exposed. The Freecycle platform officials apologized to affected parties and reported the incident to the authorities.


Book deanonymization

What happened: the data on 1.2 million customers of Australian book chain Dymocks was exposed as a result of the hack. 

How it happened: on 8th of September, Dymocks customers received messages on behalf of the company's managing director notifying that the data leak took place and that an investigation was launched. The stolen information included: 

  • Customers' names
  • Dates of birth
  • Email and postal addresses
  • Gender. 

Dymocks representatives claimed the incident didn’t affect users' financial data.

Cyber expert Troy Hunt, who notified Dymocks officials about the data leak, suggests that the hack could have occurred months ago, as some of the compromised accounts were created in June 2023. In addition, the expert raised the question of why the bookstore was collecting and storing customers' birthdates and gender. The expert believes that the company collected excessive data amount. Hunt also told that about a quarter of the 1.2 million records in the Dymocks dataset were labelled "inactive".


Personal data rolled away

What happened: golf equipment maker Callaway disclosed data on 1.1 million customers. 

How it happened: the leak came to light after Callaway representatives sent out a letter stating that as a result of the incident, on 1st of August some of the company's services were unavailable and unknown people gained access to customer data, kept within company’s IT systems. The compromised customer data included:

  • Full names
  • Shipping addresses
  • Email addresses
  • Phone numbers
  • Order histories
  • Account passwords.

The company’s representatives claimed they detected the incident at an early stage and took immediate actions to stop it. 

According to the leak notification, the incident affected the data on 1,114,954 users. Callaway representatives claim that no payment information, identification numbers or national insurance numbers were exposed as a result of the incident.


Data request 

What happened: Swedish regulators imposed a $3 million fine to an insurance company for leaking the data of 650,000 customers.

How it happened: the Swedish Privacy Authority (IMY) launched an investigation against Trygg-Hansa company after receiving a tip-off from Moderna Försäkringar customer (now part of Trygg-Hansa). It turned out that the customer, by clicking on links on the quote pages had revealed, that Trygg-Hansa's server was publicly available. The following customers’ data was exposed:

  • Health information
  • Financial information
  • Contact details
  • Social insurance numbers
  • Terms of social security insurance. 

The data was available for unauthorized users from October 2018 till February 2021. IMY experts detected 202 cases of access to customers' personal data by unauthorized users.

The insurer’s employees in charge didn’t solve the problems even after received the report on incident, so the $3 million fine was imposed.


Suppliers online

What happened: the data on several thousand suppliers of Airbus aircraft manufacturer ended up on the darknet following the hacking of a Turkish Airlines employee's account. 

How it happened: according to the Hudson Rock report, a hacker reported in early September that he gained access to the Airbus web portal after compromising the account of a Turkish Airlines employee. The attacker also claimed that he managed to obtain the personal information of 3,200 sensitive Airbus vendors, with contact details such as:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses.

A spokesperson for the aircraft giant later confirmed that the hackers had breached the IT account of an Airbus customer. According to the official, the customer's account was used to download business documents from the Airbus web portal.

From the Hudson Rock report, we know that the computer of the Turkish airline employee that the hacker used to break into Airbus was infected with information-stealing malware in August 2023. Cyber investigators speculate that the employee attempted to download a pirated version of the Microsoft .NET Framework.

Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.