Breach Roundup: Ferrari, Indian Health Ministry and the NBAAlso: Lionsgate, Royal Dirkzwager, New LockBit Claims and Latitude Financial
Every week, Information Security Media Group rounds up cybersecurity incidents around the world. In the days between March 17 and March 23, luxury car manufacturer Ferrari underwent a ransomware attack, a pro-Russian group claimed to have attacked the Indian health system, hackers got ahold of data from the National Basketball Association, streaming platform Lionsgate revealed a bit too much about its customers and a Dutch maritime logistics company also suffered a ransomware attack. LockBit asserted it had hacked the California city of Oakland and South Korea fined McDonald's and Samsung for data leaks.
Ransomware attacks got ahold of the names, physical and email addresses and telephone numbers of customers of Italian luxury car maker Ferrari. The Italian manufacturer says the attack "has had no impact on the operational functions of our company." A breach letter posted online by Troy Hunt states that attackers do not appear to have taken financial information. The company vowed not to pay the extortion demand. Besides funding criminals, a ransomware payment "does not fundamentally change the data exposure," wrote company CEO Benedetto Vigna.
Indian Ministry of Health's Information Management System
Pro-Russian hacker group Phoenix allegedly targeted the Indian Health Ministry website and infiltrated its Health Management Information System, according to a report from threat intelligence solutions provider CloudSEK. The hacker group allegedly accessed 40 million patient records and data records of employees' and chief physicians of all major hospitals in the country. Phoenix characterized the attack as retaliation for India's observance of the G7 oil price cap and G20 sanctions.
National Basketball Association
The National Basketball Association informed fans last week of a breach following a hack of its third-party newsletter service provider. Data stolen from the unnamed third party included names and email addresses but not usernames, passwords or other personal information. The U.S. sports league emphasized the attack was limited to the service provider and had no effect on any of the NBA's systems or assets. Given the nature of the information stolen, the organization warned of an uptick in phishing and social engineering attacks.
The Play ransomware gang released data allegedly stolen from Dutch maritime logistics company Royal Dirkzwager. The company confirmed the attack, which forced it to take its systems offline and suspend several services. Company CEO Joan Blaas told The Record that the ransomware attack did affect any operations but an undisclosed data, including contracts and personal information, was stolen from its servers. The Play ransomware gang published 5 gigabytes of the data and threatened to publish the entire data dump if its demands are not met.
Canadian-American streaming giant Lionsgate reportedly leaked 37 million users' IP addresses and personalized content information watched on its movie-streaming platform. The leak was identified in an unprotected Elasticsearch server by researchers at Cybernews. The unprotected 20 gigabytes of server logs exposed subscribers' IP addresses and user data concerning device, operating system, web browser and usage data, typically used for analytics and performance tracking. Lionsgate took immediate action and the Elasticsearch server instance is now secured, the researchers said.
LockBit Claims City of Oakland Data
The LockBit ransomware-as-a-service gang asserted it stole data from the San Francisco Bay Area city of Oakland, which underwent an attack by rival gang Play in February.
"We are aware that another unauthorized actor claims to have access to data removed from the City of Oakland's systems. Based on our investigation so far, we have no indication there was additional unauthorized access of our systems," the city said on Wednesday.
This would not be the first time that LockBit falsely claimed an attack. Last June, it stated it had hacked cybersecurity firm Mandiant in what it later revealed to be publicity stunt.
McDonald's and Samsung Fined by South Korea
South Korea's data protection authority fined McDonald's Korea approximately $500,000 for failing to secure the data of 4.8 million South Korean customers and for holding onto the personal data of 766,846 customers beyond the legal data retention period.
The commission also fined Samsung Securities approximately $78,000 for not securing a web server that leaked 48,122 users' data, and it fined British American Tobacco $31,000 for not taking enough measures to mask customers' IP addresses.
Update on Latitude Financial
Australian personal lending provider Latitude Financial Services confirmed that last week's hacking incident resulted in the data theft of at least some form of personal identifiable information of nearly 330,000 of the company's consumers. On Monday, it warned the breach may widen and that the cyberattack remained "active."