List of Data Breaches and Cyber Attacks in 2023
1. DarkBeam
The three elements of information security are confidentiality, integrity and availability. In other words, data has to be reliable and up to date, and accessible only to those who need it.
Instances of data being exposed to the Internet – more often than not via configuration errors – clearly breach the confidentiality principle, but are often viewed as somehow less serious than information that’s made its way into criminals’ possession via sophisticated cyber attacks or phishing campaigns, as if human error is less of an issue than criminal hacking.
This is, of course, an erroneous position to take. Search engines such as Shodan – theoretically, at least – let anyone find anything that’s connected to the Internet, not just websites that are indexed by Google. This, obviously, includes opportunistic criminals as well as civic-minded security researchers who identify exposed services and warn their operators.
This brings us to DarkBeam. According to Cybernews, the CEO of SecurityDiscovery, Bob Diachenko, discovered on 18 September that the digital risk protection firm DarkBeam had “left an Elasticsearch and Kibana interface unprotected, exposing records with user emails and passwords from previously reported and non-reported data breaches”.
Diachenko informed DarkBeam, which closed the vulnerability immediately.
Most of the 3.8 billion exposed data records come from previous data breaches and, ironically, had been assembled by DarkBeam to alert its customers to security incidents affecting their personal information. Even so, the extent of the information DarkBeam held, and the way it was organised, means that anyone who managed to access it has the opportunity to create very plausible phishing campaigns.
It’s not yet known whether anyone did access it but, as Benjamin Franklin said, distrust and caution are the parents of security. So, it’s worth checking your credentials via haveibeenpwned.com and taking the usual precautions, such as changing your password where it’s been reused, implementing multifactor authentication where possible and not clicking on any links unless you’re absolutely sure of their source.
2. MOVEit
As with last month, the MOVEit breach continues to claim victims, among which the most significant – at least in terms of the number of individual victims – was Better Outcomes Registry & Network, which discovered that “personal health information of approximately 3.4 million people – mostly those seeking pregnancy care and newborns who were born in Ontario between January 2010 and May 2023” had been compromised.
Other recently identified MOVEit victims include:
- Microsoft’s healthcare technology company Nuance, which issued a breach notice on behalf of 13 healthcare organisations;
- The National Student Clearinghouse, which issued a data breach notification on behalf of 900 schools; and
- CareSource – a Medicaid and Medicare plan provider – which reported that information relating to 212,193 people was exposed.
The scale of the MOVEit breach remains unquantified, but some estimates now put the number of affected organisations at over 2,000 and the number of individual victims at over 60 million.
It’s likely that we’ll continue to see breach disclosures related to MOVEit Transfer in the weeks and months to come.
3. Undisclosed restaurant database
The personal information of 2.2 million Pakistani citizens, including their contact numbers and credit card details, has been offered for sale online on the dark web for 2 Bitcoin. The data was apparently compromised when criminal hackers accessed a database used by more than 250 restaurants.
Indolj – a popular food ordering app – has taken the step of denying any involvement, saying in a press release reported by Pro Pakistani: “We have conducted a detailed audit of the sample data and determined that the data records do not match the current transactional records of customers on the Indolj platform. Furthermore, Indolj does not store any credit card or payment-related information and therefore it is impossible for any customer payment data to be breached from our platform.”
According to Geo News, the criminals provided a sample of the stolen data as part of their online listing, while naming “dozens of food outlets”.
However, having analysed the available data, the security company CTM360 confirms Indolj’s analysis. In a comment published by Pro Pakistani, the company claims that the data in fact comes from a 2022 leak, and says it will continue to monitor the post “and will notify impacted organizations urgently if any credible data is released”.
Resource: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2023