Major Data Breaches and Hacking News in October 2023

Data Breaches

Flagstar Bank

Organization description: Flagstar is a Michigan-based bank and subsidiary of New York Community Bank. It is one of the largest residential mortgage servicers in the United States, with over $31 billion in assets and an annual revenue of over $1.9 billion.

Breach size: 800,000

Data exposed: Data exposed varied between individuals, but included Social Security Numbers

Flagstar revealed it detected a data breach on June 3, 2023, that occurred sometime in May of this year. The incident was related to the MOVEit Transfer vulnerability discovered earlier this year. Demonstrating once again the domino effect of the MOVEit data breach, Flagstar confirmed that the source of their breach stemmed from a third-party vendor. Fiserv, which provides payment processing and mobile banking services to Flagstar suffered a MOVEit data breach, ultimately leaking sensitive data of Flagstar customers.

Flagstar used the help of a third-party cybersecurity team to investigate the incident, identify the victims, and patch the vulnerability. The bank disclosed to the Maine Attorney General that data exposed in the breach included names and other personal identifiers like Social Security Numbers.

The bank reported no compromise in their internal IT systems or disruption to normal banking operations. Victims were offered two years of free identity monitoring services to help prevent fraud.

Don’t wait for a data breach to affect you and your family. Take control of your personal data with IDSeal’s identity monitoring, identity theft insurance, and device protection. Get Protected Now

Walmart

Organization description: Walmart is a multinational retailer based in Bentonville, Arkansas, in the United States.

Breach size: 85,952

Data exposed: Protected health information

Walmart reported a data breach to the U.S. Department of Health and Human Services for Civil Rights on October 4, 2023. Although the extent of the data breach isn’t clear, the report indicates the data is related to protected health information. Victims affected by the breach should have received a notification letter detailing what information of theirs was compromised.

Casio

Organization description: Casio is a Japanese company producing calculators, cameras, musical instruments, watches, and more.

Breach size: 91,921 Japanese customers and 35,049 customers from 148 countries

Data exposed: Customer names, email addresses, countries of residence, service usage details, purchase history, and payment methods, but no credit card or other payment data was leaked.

Casio suffered a cybersecurity incident involving the data of thousands of customers across 149 countries. The origin of the data breach occurred within the company’s development environment in the ClassPad.net database. Casio uses ClassPad.net as an education and learning platform. Upon further investigation, the company discovered the cause of the incident was due to human error. According to a spokesperson, some “network security settings in the development environment were disabled due to an operation error of the system by the department in charge and insufficient operational management.”

Fortunately, credit card information was not stored on the compromised database; however, customer names, email addresses, and other details were accessed.

No particular threat actor has claimed responsibility for the leak. Casio notified law enforcement and reported the incident to Japan’s Personal Information Protection Commission, a customer data watchdog.

Dollar Energy Fund, Inc

Organization description: The Dollar Energy Fund provides utility assistance grants to people facing financial hardships.

Breach size: 28,000

Data exposed: Names and Social Security numbers

The Dollar Energy Fund, Inc filed a notice of data breach with the Attorney General of Main on Oct 19, 2023. After investigation, the organization confirmed that an unauthorized party accessed its network between January 31, 2023 and February 5, 2023. Sensitive customer data was accessed at this time. After completing a review of the compromised files on August 15, the company determined that the information varied depending on the individual, but for some, it included names and Social Security numbers.

Dollar Energy Fund sent out data breach letters starting on September 28, 2023, on a rolling basis, sending the last round of letters to affected individuals on October 19, 2023.

Sony Interactive Entertainment

Organization description: Sony is a Japanese multinational corporation manufacturing game consoles, televisions, cameras, and other consumer electronics.

Breach size: 6,800

Data exposed: Unknown

Sony sent notifications out to current and former employees and their family members that were impacted by a data breach stemming from the MOVEit zero-day vulnerability. The Clop ransomware gang published Sony as one of victims back in late June, but the company didn’t publicly confirm the breach until early October.

An investigation revealed that the initial compromise occurred on May 28, three days before Sony’s MOVEit vendor discovered the flaw. The company has sent notifications to affected individuals with more information on what data was exposed but isn’t sharing those details with the public.

D.C. Board of Elections

Organization description: The District of Columbia Board of Elections (DCBOE) is the independent agency of the District government responsible for the administration of elections, ballot access, and voter registration.

Breach size: Unknown; potentially the entire voter roll

Data exposed: Possibly a wide range of personally identifiable information (PII), like driver’s license numbers, dates of birth, voter IDs, partial Social Security numbers, and contact information like phone numbers and email addresses.

On October 5, 2023, the District of Columbia Broad of Elections (DCBOE) discovered its website hosted on a server managed by DataNet Systems may have been breached. DataNet Systems was unable to determine if or when this data may have been accessed, but the entire voter roll is potentially at risk. Once the website was identified as the source of the breach, it was removed and replaced with a maintenance page to prevent further penetration. The DCBOE reports its databases and servers were not directly compromised.

The threat actor, known as RansomVC, claimed to have stolen 600,000 lines of U.S. voter data. The hacking group is currently attempting to sell the data on the dark web for an undisclosed amount. Despite their claims to have extracted the data, another user by the name of pwncoder offered the DCBOE database for sale on BreachForums and Sinister.ly hacking forums on October 3.

The DCBOE is investigating the breach with the help of a third-party cybersecurity expert, the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS).

Hacking News

Hackers Crash Online Family Reunions Hosted by 23andMe

On October 6, 2023, the family genetics website learned that a hacker was advertising the sale of “millions of pieces of data” of its customers. Although 23andMe didn’t suffer a direct data breach, the company believes the information was accessed with a technique known as credential stuffing. By collecting passwords and email addresses stolen from other data breaches, threat actors can infiltrate any account recycling that password. This is one reason why cybersecurity experts warn against using the same password for multiple accounts and recommend using multi-factor authentication on all accounts that offer it.

The 23andMe website offers a “DNA Relatives” feature to customers to connect and share their personal data with relatives around the world. The company has disabled this feature to prevent threat actors from accessing the information meant to be shared between relatives like birth year, family names, location, and other sensitive data that could be used in phishing attempts. Emails were sent to account holders with DNA Relatives profiles linked to one or more accounts with suspicious activity.

23andMe is continuing to investigate the extent of this breach and posting updates on data security concerns here.

Hacking Contest Reveals Security Weakness in Popular Smartphone

The Samsung Galaxy S23 series debuted on February 17, 2023, with three models ranging between $799 – $1199. Reaching 20 million units sold in the first six months of their release, the Samsung Galaxy S23 series massively outsold the Galaxy S22. Despite no revolutionary changes in the design compared to its predecessors, reviews have been overall favorable, praising the phones as some of the best you can buy. As popular as the Samsung Galaxy S23 is to own, it’s also been particularly easy for hackers to “pwn.” (Pronounced like “poned,” it’s a slang term used by hackers to refer to defeating or outdoing someone in an extreme way.)

This week at a hacking contest in Toronto, Pwn2Own, the new phone was subjected to two successful hacks on the first day. During the event, contestants had the opportunity to win over $1 million in cash and prizes to demonstrate security weaknesses in several devices, including other new mobile phones like the Apple iPhone 14, Google Pixel 7, and Xiaomi 13 Pro. Google’s and Apple’s mobile devices managed to make it through the first day without getting hacked.

The Samsung Galaxy 23 was hacked two more times on the second day of the event.

While the news of the multiple hackings may be worrisome, the contest provides vital information for companies. Throughout the contest, vulnerabilities are carefully documented to improve the safety and security of common technology devices.

This year’s Pwn2Own ended on October 27, so look out for more news that might affect your favorite household tech and remember to update your software to patch for vulnerabilities in the future.