November 26, 2019

Despite growing cyber security awareness and cyber security’s escalation to a board level agenda item, this past week’s data breaches are proof that no company is impervious and there is still much work to be done to prevent both breaches and cyberattacks.

T-Mobile pre-paid customers – 1 million+ affected

Telecoms giant T-Mobile has confirmed a malicious actor was able to obtain names, addresses, phone numbers, and account information including rate plans and features purchased, of over a million of its users.

As per TechRadar and a T-Mobile announcement:

“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities. None of your financial data (including credit card information) or social security numbers was involved, and no passwords were compromised.”

The breach has reportedly affected “less than 1.5 percent” of T-Mobile customers and did not expose passwords. Pymnts.com says little more details were revealed as to the length of the breach or how it was fixed. T-Mobile was also the victim of an attack and breach that exposed around 3% of its 75 million customer’s records in August 2018.

OnePlus website breached

Staying in the telecommunications industry, smartphone maker OnePlus has revealed an attacker has accessed some customer data via a vulnerability in its website.

As per ZDNet and a OnePlus FAQ page the breach happened last week and was discovered quickly. Cyber attackers were, however, able to gain access to past customer orders, customer names, telephone numbers, emails, and addresses. OnePlus has said passwords and financial details were not exposed and adds:

“We’ve inspected our website thoroughly to ensure that there are no similar security flaws.”

The exact vulnerability does not appear to have been disclosed. OnePlus says:

“Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident.”

The company has also committed to using a new security platform as of next month and plans to launch an official bug bounty program by the end of the year. In January 2018 attackers managed to breach the data of around 40,000 OnePlus customers in a similar incident.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

Centers for Medicare and Medicaid (CMS), US, affecting 220,000

In the US, and in yet another healthcare breach, CMS says around 220,000 Medicare beneficiaries card numbers were compromised by an unknown actor. It appears unclear to date how the breach occurred but is checking affected Medicare accounts for fraudulent use.

Macy’s, US

Iconic US retailer Macy’s has informed online customers they may have been affected by a breach, after performing an investigation commencing in October. It has sent a letter to customers, as per Business Insider, and believes an attacker attached “malicious computer code” to Macys.com “Checkout” and “MyWallet” webpages. Macy’s wrote:

“On behalf of Macy’s, we are writing to inform you about a recent incident involving unauthorized access to personal information about you on macys.com. We regret that this incident occurred and appreciate your time to read this letter.”

Reports indicate Macy’s was made aware of the breach on October 15 and removed the code the same day. Macy’s also believe the website was breached a week previously. The company told Business Insider:

“We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution.”

It also says it has offered affected customers free consumer protection.

As per Bleeping Computer the malicious code used may have been a Magecart attack, malware that attempts to steal payment information as a customer completes a shopping cart checkout and payment.


Cybersecurity researchers have exposed a data breach that made personal and financial information of PayMyTab mobile and card terminal users available online.

The breach is reportedly due to an “unsecured Amazon Web Services (AWS) S3 bucket” and PayMyTab not following Amazon’s security protocols.

vpnMentor, as per ZDNet, says the leak may have left “10,000s of people vulnerable to online fraud and attacks.” It adds:

“As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information. However, these ethics also mean we carry a responsibility to the public. PayMyTab users must be aware of a data breach that impacts them also.”

The exposed records included customer names, addresses and telephone numbers, as well as the last four digits of customer payment card numbers.

Catch Restaurants, New York

In another point-of-sale (POS) system breach, as per ThreatPost, three New York restaurants have discovered malware on the their POS systems.

Catch NYC, Catch Roof and Catch Steak, owned by Catch Hospitality Group, customers may have had their credit-card information breached. The restaurant group issued a notice explaining:

“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date and internal verification code) read from a payment card as it was being routed through these PoS devices. There is no indication that other customer information was accessed.”

It also says it has implemented “enhanced” security measures and is working with cybersecurity experts to “evaluate additional ways to enhance the security of payment-card data.”

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this: