(In)Secure Digest: a Leak via Contractor, Hack of Airline and Case of Corporate Fraud

01.11.2023

At the end of the month, traditionally, we’ve  gathered a selection of high-profile IS incidents. In this issue you’ll find details on the following: 

• Case of the insider from a Japanese telecommunications company
• Leak of employees’ data at a French retailer
• Case of a fraudster, who spent her employer's money on a luxurious life.

Cards thrown to the wind

What happened: cybercriminals hacked Air Europa and gained access to its customers' credit card information.

How it happened: on 10 October, Air Europa sent letters to customers notifying that the cyberattack may had  enabled cybercriminals to access clients’  payment data. The company did not disclose the exact number of affected customers. It is known that cybercriminals gained access to credit card numbers, expiry dates and CCV codes. At the same time, keeping of CCV codes contradicts the rules of the  Payment Card Industry Data Security Standard (PCI DSS).

Company representatives reported that suspicious activity in internal systems was detected on 28 August. The airline representatives informed the affected customers about the incident only 41 days later. Air Europa officials  claim  there hasn’t been  confirmed cases of stolen data misuse, but urged customers to block credit cards if they were used to pay for tickets (just in case).

Sincere apology

What happened: an employee of Scottish company Panda Rosa Metals has been sentenced to 40 months in prison for embezzling her employer's money.

How it happened: 55-year-old Colleen Muirhead, an employee of the metals recycling company, had been spending her employer's money on expensive shopping and holidays. The fraud was discovered by a senior partner of the company during a background check. The investigation revealed that the administrative assistant had created several fake accounts to which she transferred corporate funds. In total, the woman made several transfers from company accounts worth $1.8 million.

Colleen Muirhead's colleagues said that the woman could afford to go on an expensive holiday with the whole family (the woman has four children and seven grandchildren), to pay the  bill for organizing a banquet at a charity event, to buy cars.  The woman pleaded guilty and claimed paying for her son's wedding and buying several vans. Her lawyer revealed that she even tried to apologize to the family that owns Panda Rosa Metals.

The contractor didn't make it in time

What happened: a hacker published in the public domain the data on 8 thousand  French retailer Decathlon’s employees.

How it happened: on 7 September, vpnMentor experts found a database on the darknet that contained the following information about Decathlon employees: 

• Full names
• Phone numbers
• Email addresses
• Countries and cities of residence 
• Authentication tokens
• Photos.

According to vpnMentor experts, the hacker published the data that was compromised as a result of the data leak, which occurred in 2021 at the side of  Bluenove, which is Decathlon's partner. On 9 March 2021, cyber experts discovered that Bluenove was storing the collected data in improperly configured cloud storage. The experts reported the finding to Bluenove representatives, and the  access to the data was prevented on 13 April. But, as it turned out, the company was not able to fix the breach  without consequences: at least one attacker had managed to gain access to Decathlon employees’ data before Bluenove experts reconfigured access rights.

Film festival attendees’ data in danger of being leaked

What happened: the data of the International Film Festival of India (IFFI) participants has ended up in the public domain.

How it happened: in September, registration for IFFI, Asia's largest film festival, which will be held in November, was opened. In October, it became known that data on registered attendees of the festival was leaked.

It turned out that any visitor to the official IFFI website at a certain URL could access an unprotected repository with information about the participants. Allegedly, the repository contained the data on 550 participants:

• Identity cards
• Phone numbers
• Addresses
• Dates of birth 
• Portfolios with links to film works.

One of the affected participants said that he was more concerned not about the compromise of personal information, but about the fact that anyone could view his piece of work, which was uploaded via closed links to YouTube and Google Drive. Only those users, who have  the links can access the festival participants’ videos. Filmmakers do this in order to find producers or publishers who would agree to buy their works later and then publish them in the public domain. Leaking information about a filmmakers’ works reduces their chances of successful  participation into IFFI and other film festivals.

After news about the incident broke in the media, IFFI Goa blocked access to the file catalogue on its server. 

An experienced insider

What happened: the Japanese telecoms company NTT exposed data on 9 million customers.

How it happened: NTT began investigating the incident in 2022 after several customers complained about a probable data leak. The company conducted an internal investigation but found no wrongdoing. After that, the police officers joined the investigation. It turned out that for 10 years one of the employees had been leaking customers' data for money. The unscrupulous employee had access to a server where the following information about customers was stored: 

• Addresses
• Names
• Phone numbers. 

According to the company representatives, the employee downloaded confidential data to a USB device and then sold it. The company officials also reported that the employee leaked customers' credit card data.

At a press conference on 17 October, NTT West executives apologized to the affected customers. They admitted that the information security methods implemented were ineffective. In some cases, the company's employees failed to comply with even basic security requirements.

International data leak

What happened: Japanese company Casio's customer data became publicly available.

How it happened: The company representatives reported that hackers managed to hack the servers of the ClassPad education platform and gain access to user data. The Japanese company experts detected the incident in October after a glitch in the educational platform. The attackers gained access to the following : 

• Customer names
• Email addresses 
• Country of residence
• Service usage information, 
• Purchase information, which included payment method, licence code, order details. 

Casio representatives claim that the hackers failed to compromise the database where the bank card data was stored.

In total, cybercriminals gained access to more than 90,000 records with data on Japanese customers and 35,000 records  with data on customers  from 149 countries.

Data request

What happened: a former Navy IT manager leaked personal data for money.

How it happened: according to court records, in August 2018, IT manager Marquis Hooper took advantage of his official position and opened an account in a company that manages a database on millions of people. The company only grants access to that database upon official request from businesses and government agencies. Hooper told the company that the Navy needed access to the database for military background checks. Once the account was created, the IT manager connected his wife to it, and they then uploaded the personal information of 9,000 people from the database. This information they sold for $160,000 to several darknet users. Some of the data the attackers have already managed to use in fraudulent schemes.
 
In December 2018, the account of Marquis Hooper was blocked on suspicion of fraud. But this did not stop Hooper, he found an accomplice, to whom he offered for 2500 thousand dollars to open an account allegedly for the needs of the Navy. The accomplice applied to set up the account, but the company requested official authorization with the signature of a supply officer. Hooper provided the accomplice with false documents, but the company still refused to open the new account. The Naval Criminal Investigative Service, the Federal Bureau of Investigation, and Homeland Security Investigations were involved in the investigation of the fraudulent scheme. Marquis Hooper was sentenced to 5.5 years in prison, and his wife is awaiting sentencing. It is reported that the woman could face a sentence of 20 years in prison and a $250,000 fine.

Personal data Insider Former employees Risk management