[Security Weekly] US COVID-19 Relief Fund Leaks Sensitive Data of 8,000 Small Businesses
4th Week of April 2020
1. US COVID-19 relief fund exposes sensitive data of 8,000 small businesses
In late March, the United States’ Coronavirus Aid, Relief, and Economic Security (CARES) Act was passed by Congress. The law allocates a total of $2.2 trillion to both stimulate the economy, and help organizations and businesses affected by the COVID-19 outbreak.
As part of the CARES Act, the Small Business Administration (SBA) is currently in charge of providing relief funds for small businesses through the Economic Injury Disaster Loan (EIDL) program. Over 4 million small businesses have already applied for a total of $383 million in aid.
Earlier this week, the SBA announced that sensitive information belonging to over 8,000 relief fund applicants had been exposed, and that other applicants may have viewed that information during their own application process.
The exposed data included the business owners’ names, dates of birth, social security numbers, tax identification numbers, contact information, home and business addresses, citizenship status, household size and income, as well as financial and insurance information.
According to the SBA, the data was only visible to applicants who used its online application portal. When an applicant hit the back button during the application process, the portal led them to a page on which the information of other applicants was visible.
The SBA immediately fixed the bug and brought the application portal back to service. However, new applications are currently paused. The government is now offering free identity theft protection services for those affected for one year.
As organizations rush to take emergency measures, mistakes can be made more easily, putting security at risk. In such a chaotic time, organizations must stay cautious about information security.
2. Data breach of Android app store Aptoide leaks 20 million user details
Data on 20 million users of the Aptoide app store was found posted and available for download on a popular hacking forum. The hackers claim to hold the data of another 19 million users, which could be released in the future. The data was said to have been obtained on April 13.
As one of the largest third-party app stores for the Android operating system, Aptoide has 150 million users worldwide and 1 million apps available. To put things into perspective, the official Android app store, Google Play, has a total of 2.8 million apps.
The incident was first disclosed by ZDNet on April 17. After investigation, ZDNet found that the leaked data contained the information of users who either registered or used the app between July 2016 and January 2018. The database included personally identifiable information such as real name, email address, IP address at the time of sign-up and device information, as well as the date of birth of users who had accessed age-restricted content.
After the incident was reported, Aptoide issued a public statement on April 18 confirming the data breach. However, the company emphasized that no physical addresses, phone numbers or payment card information were contained in the leaked database. It did not provide any information on how the attack was conducted.
It is advised that all Aptoide users change their login credentials immediately.
3. Torrance, California hit by DoppelPaymer ransomware, sample data leaked online
With an estimated population of 145,182, Torrance is a city in the County of Los Angeles, located just south of the City of Los Angeles. Earlier this week, the city’s confidential data was found published online by the DoppelPaymer ransomware group.
According to the original report published by BleepingComputer, DoppelPaymer encrypted 150 servers and 500 workstations and compromised over 200 GB of files. It is now demanding that the city pay a ransom of 100 Bitcoins, roughly 713,000 US dollars, in exchange for the decryption key.
As is DoppelPaymer’s common practice, it not only encrypts critical data but also exfiltrates it and publishes a portion of it online. Security experts refer to this tactic as “double extortion”: it is essentially a ransomware attack and a data breach at the same time, which makes it very difficult for the victim to cope with.
DoppelPaymer even has its own website dedicated to posting stolen data from victims who do not pay the demanded ransom. This time, a new page for “City of Torrance, CA” was created on the site. Data including the city’s budgets, accounting documents, as well as other documents belonging to the city manager were published. Of course, this is only a small portion of the 200 GB of stolen data.
The attack actually took place a while ago on March 1. The city did report the incident and said that some of the city’s business services were impacted, but did not provide further details about the ransom demand and claimed that no personal data was compromised.
4. Children’s game Webkinz suffers data breach affecting 23 million user accounts
Webkinz is a popular virtual pet game developed by Canadian toy manufacturer Ganz in 2005. To play the game, users first buy a stuffed animal of their choice and then enter the secret code attached to it into the Webkinz World online platform, which lets them interact with a virtual version of that exact same animal.
On April 18, usernames and passwords of nearly 23 million Webkinz user accounts were posted on a well-known hacking forum. After the discovery, Webkinz immediately investigated the issue and found that a flaw in one of its website’s web forms had allowed attackers to inject SQL and retrieve data from the server. It appears that email addresses were also stolen, despite not being posted online.
The silver lining is that all passwords were stored as MD5-Crypt hashes rather than in plaintext, and that all email addresses were hashed as well. Moreover, the breached database did not contain any payment information, because all transactions were processed through the company’s eStore site, which uses a separate set of servers and accounts. Thus the attack is unlikely to pose any significant threat to information security.
Webkinz patched the vulnerability immediately. It has also deleted all personal information associated with the accounts as a preventative measure.
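The Webkinz flaw is described only as a web form that let attackers inject SQL. As an added illustration (not Webkinz’s code; the table and user rows are constructed for the example), the snippet below shows a form-field lookup built by string concatenation beside the parameterized version that treats the field strictly as data, so a crafted value cannot widen the query to return other users’ rows.

```python
import sqlite3

# Constructed sample accounts standing in for a site's user database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the form field into the SQL text, so the field is
    interpreted as part of the query rather than as a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the form field as a query parameter; the driver never treats
    its contents as SQL, so the WHERE clause cannot be altered."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A form value that closes the string literal and widens the WHERE clause.
    crafted = "x' OR '1'='1"
    print("vulnerable rows returned:", len(lookup_vulnerable(conn, crafted)))
    print("parameterized rows returned:", len(lookup_parameterized(conn, crafted)))
```

The same crafted value returns every row from the concatenated query and no rows from the parameterized one; the fix is in how the query is built, not in filtering the input.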
Webkinz has shown a great example of having proper security measures at all levels. Even though an attack on the web application went through, the sensitive fields in the database were securely hashed, so the attackers could not directly make use of them. [Penta Security offers both a web application firewall and an encryption module to keep your data secured with multiple layers of protection.]
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Web Application Firewall for Cloud: WAPPLES SA
Database Encryption: D’Amo
Smart Car Security: AutoCrypt