(In)Secure Digest: Baguettes' Thief, Disney Sabotage, Credentials' Waterfall
03.12.2024

It's time to review November's most noticeable and high-profile information security incidents. In this digest, you’ll find: a multi-million-dollar scam by a former top manager, a “cyber-poisoner” at Disney World, echoes of the MOVEit hack at Amazon and others.

Allergy to dismissal

What happened: A former employee sabotaged the work of the Walt Disney Company.

How it happened: Michael Scheuer was a menu development manager at Disney when he was fired for disciplinary reasons in June of this year. He then used his remaining corporate login and password to access Menu Creator – the inventory and menu creation program for restaurants in Disney World.

Using the software, he changed prices in the menu, inserted swear words into the text, and then switched the menu font to Wingdings. This rendered every version of the menu in the database unusable and forced Disney to shut down Menu Creator in order to restore data from backups and reset login credentials.

However, Scheuer did not stop there and soon broke into the FTP servers of the contractor Disney used for printing. There he uploaded a slightly modified version of the menu, with slightly different prices and distorted allergen information. For example, Scheuer marked dishes containing peanuts as safe for allergy sufferers. Fortunately, the changes were discovered in time, and no one was hurt.

The saboteur also wrote a script that endlessly tried to guess the passwords of employee accounts on the internal Disney portal. As a result, the system automatically locked out 14 accounts belonging to innocent users.

The attacker was identified, as is often the case, by IP address: the attack was carried out from the same IP address Scheuer had previously used for work. He now faces up to 15 years in prison.

Why cancel? Better earn!

What happened: An American government employee stole more than $400,000 from a state program.

How it happened: Brittany Joyce May, 35, worked as an administrative specialist for the Kentucky Department of Health and Human Services, assisting businesses that were eligible for funding under state programs.

Payments were made in two stages: first, Brittany entered the personal and other data of the company owners into the system, then waited for them to provide the relevant documents to complete the transaction. If a company did not provide the documents on time, or other difficulties arose, the regulations required the payment to be canceled.

In such cases, however, Brittany did not cancel the transaction but transferred the funds to her personal accounts. To avoid suspicion, she issued the bills in the name of the companies that had requested funding, without their consent. Later, rather than wait for a possible cancellation, she began to falsify funding requests as well. Here too she used data from the system, but changed the addresses of the companies whose data she took, so that they would not receive written notifications.

In this way, from July 2021 to May 2023, Brittany made more than 540 payments totaling $444,663. She has now been sentenced to three years in prison.

With friends like that, who needs enemies

What happened: A hacker obtained data on 1.5 million patients of a large French medical clinic chain.

How it happened: On November 19th, an unknown person put up for sale on a hacker forum unauthorized access to a MediBoard account belonging to a French clinic chain. MediBoard is a platform for managing medical data, which holds all the information about the clinics' operations and their patients' health. According to the intruder, access to the account allowed viewing the data of 1.5 million patients across five clinics, as well as changing appointment times and data in medical records.

To back up his claims, the attacker put the data of more than 750 thousand patients up for sale. The leaked data included name, date of birth, gender, address, phone number, email, information from the medical record, etc.

The MediBoard developer, Software Medical Group, responded to the incident, confirming that the data had been compromised. However, the developer said the leaked data was not stored on its servers; it was stored on the medical clinic chain's own servers. The developer also noted that the incident was caused by a compromised account on the client's side, not by a vulnerability or incorrect platform configuration. The affected organization did not comment on the incident.

Houston, we have a leak

What happened: Maxar Technologies, a satellite manufacturer, suffered a leak of employee data.

How it happened: In early October, an unknown attacker broke into one of Maxar's systems that stored files containing employee data.

Maxar's information security team discovered the breach on October 11th and immediately took measures to contain the incident. It also notified employees about the leak. Nevertheless, the hacker had managed to gain access to employee data. The leaked data included name, gender, address, social security number (SSN), position, manager's contacts, company branch, employee personnel number, etc.

It was also reported that some technical information was leaked. Since Maxar is linked to NASA and its developments, a leak of this type of data is especially critical and may undermine the construction process of aircraft.

The company reported the incident to government agencies and brought in third-party experts to investigate the incident. It offered current and former employees a free subscription to a personal data protection and financial monitoring service.

Close enough to get away with it

What happened: A former top manager at a Bridgestone subsidiary stole more than $14 million from his employer.

How it happened: Saju Khatiwada joined Bridgestone Americas in 2016. During his four years at the company, Khatiwada held several positions until he became head of financial operations.

In 2020, Khatiwada abused his new powers to take more than his fair share. He created a fake company, Paymt-Tech, LLC, which he used to steal corporate funds. To do this, he falsified invoices for the reimbursement of bank fees to suppliers, sent them to Bridgestone Americas, which then paid them. This continued for four years until Khatiwada left the company.

After that, accountants noticed that the amount of fee compensation paid to the suppliers Khatiwada had been responsible for had become significantly smaller. The discrepancy was flagged, and the corporate investigation grew into a federal one.

As a result, the FBI found that Khatiwada had conducted 47 fraudulent transactions for a total of $15 million. The fraudster now faces up to 30 years in prison and a fine of twice the amount he managed to steal.

Brand Power

What happened: A hacker stole 400 GB of data from British fintech giant Finastra.

How it happened: On November 7th, Finastra's SOC detected suspicious activity on an internal file transfer platform and initiated an investigation. The next day, a post appeared on a shadow forum whose author claimed to have hacked Finastra and offered 400 GB of its data, including customer data, for sale.

The company notified clients about the incident the same day. According to Finastra, operations were not disrupted, and the company brought in third-party security experts to investigate the breach. It was revealed that the hacker had gained access to the company's SFTP platform, which was used to transfer large files outside the corporate network. The preliminary cause of the breach was a compromised login and password for one of the accounts. Investigators found no evidence that the intrusion had spread beyond the file transfer platform.

The attacker had already tried to sell the data. On October 31st, he posted on the same forum but never found a buyer. The reason is that the intruder initially did not indicate that the data belonged to Finastra and its clients, so the "power" of the brand did not work in his favor.

According to the timeline, the first post appeared on the forum a week before the company's SOC detected the incident. This may indicate that the attacker "returned" to the old location to steal even more data.

At the moment, the advertisement for the sale of Finastra data has been removed from the shadow forum, as has the hacker's account with all contact information.

Baguette deal

What happened: A hacker stole 40 GB of data from the French conglomerate Schneider Electric and demanded a ransom in baguettes.

How it happened: An unknown attacker broke into Schneider Electric's Jira server using stolen credentials. He reported this to the media and shared details publicly.

It became known that, having gained access to the server, the hacker used the MiniOrange REST API to collect 400 thousand rows of user data, among them 75 thousand unique email addresses and names of the company's employees and clients. Developers' projects, tasks, and plugins were also leaked from the company's Jira server.

The hacker also said he was demanding $125,000 in "baguettes" to keep the data confidential, but that the amount would be reduced if the company published an "official statement." The latter condition is because the attacker wants to advertise his newly created hacker group, whose first victim was a French conglomerate.

Schneider Electric said it was investigating the incident, which it believes involved unauthorized access to one of its internal project tracking platforms.

Everything new is well-forgotten old

What happened: A hacker shared more than 2.8 million records containing Amazon employee data on a dark web forum.

How it happened: On November 8th, a hacker published 2.8 million rows of Amazon employee data on a dark web forum. The dump included names, contact information, work details, email addresses, etc. The hacker claims the data dates back to May of last year and is part of the larger MOVEit leak.

A few days after the data was published, Amazon acknowledged the leak to the media. The company said the attacker had stolen the data from systems belonging to a third-party service provider. An Amazon representative stated that sensitive data such as social security numbers, ID cards, etc. had not been stolen.

Notably, the hacker also published data from 25 other companies. According to him, the information was obtained from "third-party sources", including unprotected AWS and Azure object storage, as well as the leak sites of extortion groups.

By hook or by crook

What happened: An American hacked several companies in order to offer them his information security services.

How it happened: Kloster, 31, was charged with "unlawful activities with protected computers". According to court documents, Kloster hacked two organizations, a chain of fitness clubs and an NPO, to offer their owners his cybersecurity services.

The first incident occurred on April 26th. Kloster entered the premises of a fitness club and gained access to its systems. Afterwards, he sent an email to one of the company's owners in which he reported what he had done and described how he had bypassed authorization on the video surveillance systems and gained access to the router settings using their visible IP addresses. At the end of the email, the attacker offered his information security services and attached a resume.

At the same time, Kloster "delicately" kept quiet about stealing an employee's badge, deleting his own photo from the database, and reducing his membership fee to one dollar. The attacker also posted on social media a screenshot of the video surveillance system under his control, captioned "how to get a company to use your security services."

After failing to receive a job offer, Kloster attempted a second hack. On May 20th, he broke into the nonprofit's premises, found a computer connected to the local network, and booted it from a boot disk. Using the disk, he was able to change the passwords of several users without authorization and set up a VPN. Court documents say this caused the nonprofit more than $5,000 in losses. If convicted, Kloster could face up to 15 years in prison.

Security tip of the month: as practice shows, employees who work with a company's funds can pose a severe threat. In the Bridgestone case, for example, a top manager turned to fraud despite his rapid career growth and good position. Any company risks major losses if it does not control the actions of even trusted employees, especially privileged ones. A DLP system helps counter this threat: it detects illegitimate activity and prevents the damage caused by fraud. You can test the protective solution: it's free for 30 days.
