In this July edition, we highlight persistent African extortionists, a ransomware attack that erased a century of history, an incident dubbed the 'greatest leak in history,' and more.
What happened: A hacker accessed the data of nearly 300,000 Texans through a compromised account.
How it happened: In May, the Texas Department of Transportation detected suspicious activity in one of its systems. An investigation revealed that an unknown individual had accessed an employee's account and used it to download nearly 300,000 accident reports, which contained names, addresses, insurance policy details, driver's license numbers, and vehicle information.
On June 6, the agency acknowledged the breach, confirmed it had blocked the compromised account, and warned those affected. It also began implementing additional security measures to prevent similar incidents in the future. While the department has not disclosed exactly how the attacker gained access, it’s clear that a single vulnerability can jeopardize the entire organization and its clients. Moreover, stolen personal data cannot be protected simply by changing passwords – once leaked, such information remains at risk.
What happened: Cybercriminals stole data from 20 companies under the guise of a support service.
How it happened: On June 5, Google researchers released a paper on the methods of the UNC6040 hacker group. According to The Register, criminals obtained data from approximately 20 large transnational organizations, including Coca-Cola Europacific Partners.
UNC6040's modus operandi involves voice phishing and social engineering, where fraudsters call IT specialists and impersonate support staff from an American CRM provider, Salesforce. Under various pretenses, they attempt to obtain credentials and a special code from the CRM setup page. This code enables the attackers to connect Data Loader, an application used for importing, exporting, and updating data in Salesforce, which they then exploit to steal data.
Cybercriminals then leverage the stolen credentials to expand their attack, gaining access to other cloud platforms such as Okta and Microsoft 365. Google's research aims to alert Salesforce users to these threats, encouraging vigilance. However, practice shows that high-profile disclosures rarely deter scammers for long; there will always be someone, regardless of role or experience, who falls for these tricks. Consequently, it is essential to continuously educate teams about emerging threats and regularly reinforce information security protocols through ongoing training, both in theory and practice, to mitigate such risks.
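The UNC6040 chain above (a newly authorized export tool followed shortly by a bulk download) is the kind of sequence a monitoring system can correlate. The following is an added example, not code from Google's report or from Salesforce; it runs over a constructed, simplified audit-log shape (the field names and the allowlist are assumptions, not a real Salesforce export format).

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical field names, not a real Salesforce log format).
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:10:00", "user": "alice", "action": "connected_app_authorized", "app": "Data Loader"},
    {"ts": "2025-06-02T09:25:00", "user": "alice", "action": "bulk_export", "app": "Data Loader", "rows": 250000},
    {"ts": "2025-06-02T11:00:00", "user": "bob", "action": "connected_app_authorized", "app": "Data Loader"},
    {"ts": "2025-06-03T15:00:00", "user": "bob", "action": "bulk_export", "app": "Data Loader", "rows": 120000},
    {"ts": "2025-06-02T12:00:00", "user": "carol", "action": "bulk_export", "app": "Data Loader", "rows": 90000},
]

# Constructed allowlist: accounts that are expected to run integration exports.
APPROVED_EXPORT_USERS = {"carol"}
WINDOW = timedelta(hours=2)   # how soon after authorization an export looks like the vishing pattern
MIN_ROWS = 100000             # exports smaller than this are ignored by this rule


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_exports(events, approved=APPROVED_EXPORT_USERS, window=WINDOW, min_rows=MIN_ROWS):
    """Return alerts for bulk exports by non-approved users that follow a fresh
    connected-app authorization for the same app within `window`."""
    first_auth = {}   # (user, app) -> time of the first authorization seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        if ev["action"] == "connected_app_authorized":
            first_auth.setdefault(key, parse_ts(ev["ts"]))
        elif ev["action"] == "bulk_export" and ev["user"] not in approved:
            auth_at = first_auth.get(key)
            if auth_at is None:
                continue  # no recent authorization on record; other rules would cover this
            delay = parse_ts(ev["ts"]) - auth_at
            if delay <= window and ev["rows"] >= min_rows:
                alerts.append({
                    "user": ev["user"],
                    "app": ev["app"],
                    "rows": ev["rows"],
                    "minutes_after_auth": int(delay.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_EVENTS):
        print(alert)
```

In the constructed sample only alice matches: bob's export comes more than a day after his authorization, and carol is on the allowlist.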
What happened: Insiders installed a backdoor into their employer's network and attempted to blackmail the company twice.
How it happened: In 2023, Lucky Erasmus and Felix Pupu, employees of the South African fintech company Ecentric, installed remote access software on their employer’s systems.
This enabled them to steal corporate documents and demand a ransom of $534,000 to prevent the data from being published to competitors and regulators. The company refused to meet their extortion demands. Dissatisfied, Erasmus and Pupu tried again, raising their ransom to $1 million. However, their actions backfired, leading to their arrest instead of payment.
The trial of the insiders recently concluded, revealing that the data theft also affected Ecentric’s clients, with four losing nearly R$800,000. This further worsened their situation, resulting in Erasmus being sentenced to eight years in prison, while Pupu is still awaiting his sentence.
What happened: An accountant stole $800,000 from a church and three other organizations through BEC attacks.
How it happened: Margo Williams, a 63-year-old accountant and part-time business teacher, stole and laundered nearly $800,000. Williams was sentenced to four years in prison in 2024, and details of the case have recently surfaced online.
She targeted companies in the midst of paying invoices, sending emails that appeared to be from trusted contacts, instructing recipients to change bank details. Four businesses fell for this scam between December 2022 and July 2023, including Cedar Rapids Church, which transferred over $466,000 after receiving a fraudulent email purportedly from their project architect.
The court proceedings took an unexpected turn when Williams claimed she was acting under the influence of a famous British actor with whom she had a romantic relationship, raising questions about whether she was also a victim of fraudsters using her to launder money. This led to her not being directly charged with hacking, leaving open the possibility that she may have employed hired hackers or been manipulated into her actions.
What happened: Information security researchers discovered two huge data sets in the public domain.
How it happened: On June 3, Cybernews and security researcher Bob Diachenko announced the discovery of a 631 GB unprotected database containing approximately 4 billion records of Chinese citizens' information, including names, addresses, phone numbers, financial data, and WeChat and Alipay details. The database was stored online without security measures and was removed from the network before experts could fully examine it or identify its owners.
However, Cybernews managed to access sixteen data sets; for instance, the wechatid_db set contained over 800 million records related to WeChat users, while the address_db set included more than 750 million entries of Chinese residents' addresses.
The second leak became known on June 18, when Cybernews specialists reported discovering 30 unprotected data sets containing 16 billion records with a clear structure of URL, login, and password, which was widely sensationalized as the world's largest leak.
However, it was later clarified that the data mainly consisted of infostealer logs and old leaks, making it difficult to assess the true scale of the threat, though it potentially included login details for major accounts like Apple, Google, Twitch, and GitHub. The leak was likely caused by cybercriminals or negligence, and further analysis is needed to determine the number of duplicate records and affected account owners.
What happened: Hackers bankrupted Fasana, a napkin manufacturer with over a century of history, within just a few weeks.
How it happened: On May 19, the workday for 240 employees at the Fasana factory began not with coffee, but with a message from unknown hackers. Suddenly, all the printers at the factory printed the same document – a ransom demand. The message revealed that the company had fallen victim to a ransomware attack.
One of the employees told journalists that the cyberattack paralyzed Fasana’s corporate IT infrastructure – computers, laptops, and servers ceased functioning – causing production to halt. The day after the attack, the company was unable to fulfill orders exceeding €250,000.
Fasana’s management brought in external IT specialists to restore the disrupted systems, but after two weeks, the company’s losses had surpassed €2 million, and the specialists had only partially restored operations. The company continued to struggle with fulfilling orders fully and had to delay employee salaries.
On June 1, Fasana filed for bankruptcy and announced it was seeking a new buyer for the business. Notably, just a few months earlier, on March 25, the company had been acquired by the larger organization Powerparc AG. However, the new parent company was unable to provide either protection or financial support for the damaged subsidiary.
A SIEM system is an essential tool for safeguarding your corporate network against threats such as hackers causing company bankruptcies, insiders installing backdoors, and employees inadvertently passing data to fraudsters. Operating continuously in real time, it monitors and analyzes security events across your infrastructure, immediately alerting security specialists to potential breaches or suspicious activities, thereby enabling swift response and reducing the risk of significant damage.