Security News Round-Up: 250 Million Microsoft Records Leaked
News Round-Up – Get a Quick Rundown of What You Need to Know
Evolver’s Cyber News Round-Up looks into recent reports and journalism covering cyber threats and trends affecting all industries.
250 Million Microsoft Records Leaked
Over 250 million Customer Service and Support (CSS) records belonging to Microsoft have been leaked, spanning 14 years, from 2005 to 2019. The data was exposed online without any protection for two days, says Hack Read. The sensitive data leaked includes agent and customer email addresses, customer location details and IP addresses, claim and case descriptions, case numbers, statements, and resolutions, and internal confidential notes, the article explains. The company’s commercial cloud services were not exposed, however. The database was secured on December 31st, 2019, Help Net Security says.
Hackers Access Mitsubishi Electric Data
Mitsubishi Electric has become the latest data breach victim, with attackers first targeting a related company in China to work their way into the giant. According to Help Net Security, more than 120 computer terminals along with more than 40 servers located at the Mitsubishi Electric headquarters in Tokyo have all been breached since July alone. Company data, information belonging to leading power, telecommunications, railway and auto companies, and data from more than 10 government organizations are thought to have been accessed and possibly stolen, the article states. Around 8,122 applicants, employees, and retirees are believed to have had their information leaked as a result of the breach as well.
Creation of State Cybersecurity Leaders Included in New Bill
A new bill has been introduced which, if passed, would require state cybersecurity leaders to be appointed by the Department of Homeland Security, says Bank Info Security. The legislation, known as the Cybersecurity State Coordinator Act of 2020, would help increase the speed of responses by the government to various cybersecurity events. Additionally, threat intelligence sharing between federal and state governments would be improved. When appointed, the cybersecurity state coordinators would serve as principal federal cybersecurity risk advisors, raise awareness of resources available from the federal government to other entities, help other entities create vulnerability disclosure programs, assist with training, and more, Bank Info Security notes.
$126 Million Imposed in GDPR Fines So Far
According to an article from Info Security Magazine, over $126 million in GDPR fines have been issued by data protection regulators thus far. Google has faced the highest individual fine of all, getting hit with more than $55 million by French data protection regulators. France has handed out the highest monetary amount in GDPR fines, with Germany and Austria following behind, the article notes. The Netherlands, however, had the greatest number of breaches reported, at 40,647, just ahead of Germany and the UK. While these numbers are high, they would be much greater if the fines were the maximum amount under the law.
Clothing Brand Hanna Andersson’s Website Compromised
Children’s clothing store Hanna Andersson has become the latest breach victim. Information entered by customers making online purchases from September 16th to November 11th, 2019, was accessed by attackers, Security Week says. The company discovered the breach via a warning from law enforcement, which suggests that fraud attempts had already been made using stolen card information. It is still unclear when the company found out about the incident. Names, billing addresses, payment card numbers, CVV codes, expiration dates, and shipping addresses were all affected. As stated in the article, PCI DSS regulations require encryption of card numbers and removal of CVV codes.
Ransomware Possession May Be Outlawed in Maryland
A new bill introduced in Maryland focuses on ransomware, says Info Security Magazine, making it illegal to possess any sort of malware with malicious intent. Furthermore, if passed, it would allow ransomware victims to sue attackers for civil damages, the article notes. Convicted attackers could face up to $10,000 and/or 10 years in prison. Researchers using malware for learning purposes would not be punished. Currently, only the use of ransomware for stealing vast amounts of money is illegal in the state, Info Security says.