November 18, 2019

Data breaches have both immediate and long-term impact on business performance. Firstly, there is the short-term cost of dealing with a breach, often an immediate loss of custom, followed by a loss of reputation no matter how well the breach is dealt with.

Consumer website Comparitech has studied the stock market performance of 28 companies which have recently been victim to a significant data breach and discovered long-term stock market underperformance as a result. Comparitech, as reported by CPO Magazine, found immediate negative reactions from investors as well as market underperformance for up to three years.

With that in mind, let’s look at some of last week’s data breaches to learn how to better protect our data and systems from cybercriminals and accidental breaches.

Gamers hit by Magic the Gathering and MTG Arena data breach

Wizards of the Coast, creator of Magic the Gathering, has contacted players to inform them of a data breach that has leaked names, email addresses, and passwords.

Eurogamer, reporting on November 17, reveals that an email has been sent to affected players. Wizards of the Coast says an internal database from a decommissioned login version was accidentally “made accessible” online.

So far, it’s not believed that the data has been used maliciously or that any financial information is at risk. Eurogamer also notes that the revealed passwords were encrypted, which may protect them from being extorted. Wizards of the Coast adds:

“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data.”

The company is asking players to update their passwords in the next seven days or request that Wizards of the Coast reset a password if necessary.

Fairfax County Police Department, US

A breach at another local police department may have led to the personal information of up to 500 employees of the Fairfax County Police Department, Virginia, US, and its police chief being compromised.

The Washington Post reports that names, dates of birth, and social security numbers of police and other staff were contained in an email inbox stored on a memory stick that has now vanished.

So far Police Chief Col. Edwin C. Roessler Jr. has said he has not received any reports of the information being exploited but he is concerned for his officers who, The Washington Post says, “go to great lengths to protect their personal information.” Roessler has referred to the incident as “devastating” and says he hopes “it doesn’t create any harm.”

The email inbox belonged to neighbouring Police Chief Cynthia McAlister. A copy was made as part of an internal investigation dating back to October 2017 and may have fallen into the hands of a “felon.” The copy inbox may have contained up to 1,800 personal records in total.

Liver Wellness, Dublin, Ireland

Patients at liver scanning procedure company Liver Wellness in Dublin were informed last month that the company’s email account had been hacked. RTÉ’s This Week reports that the hacker used the company’s email account to contact customers asking them to share personal information.

Liver Wellness says it is treating the breach “very seriously,” and the Data Protection Commission has been notified.

As part of its procedures, Liver Wellness keeps patient medical history on file as well as that of its patients’ families, including histories of alcohol use and medical information from GPs. So far, as per reports, there is no information to suggest that this information has been accessed by hackers.

A team from Liver Wellness and Microsoft cybersecurity is working on the issue and patients have been asked to delete any suspicious emails asking for personal information.

ZoneAlarm, 4,500 customers affected

As reported by TechRadar on November 13, ZoneAlarm, part of security company Check Point, has seen a breach to its web forums. Hackers were able to gain unauthorized access to one of its web forums and then obtain the names, addresses, encrypted passwords, and dates of birth of up to 4,500 customers.

Neither ZoneAlarm nor Check Point appears to have publicly announced the breach, but emails were sent to affected customers, with ZoneAlarm saying:

“The website became inactive in order to fix the problem and will resume as soon as it is fixed. You will be requested to reset your password once joining the forum. ZoneAlarm is conducting a thorough investigation into the whereabouts of this incident and views this as a serious matter.”

Hackers reportedly exploited a “known critical RCE vulnerability” in vBulletin’s forum software, used by ZoneAlarm, which allowed them to gain access to the website.

TechRadar writes that ZoneAlarm was running an older version of the vBulletin software which contained the vulnerability. The same vulnerability has been used to hack a forum belonging to Comodo where the login information of 245,000 users was breached.

This last ZoneAlarm breach serves as a huge reminder that constant system and software vulnerability checks and the updating of all software are absolutely critical in today’s digital age. And that’s not just internal systems and networks, but also any software used in website or application builds, communications, and even software and systems used by third parties. Though the latter is the responsibility of a supplier, a contracting company must endeavour to ensure that its own strict cybersecurity practices are matched by any third-party vendor.
