Statista Portal Breach Leads Roundup
Flaw in Website Exploited to Access Data
In this week's breach roundup, online statistics portal Statista is notifying customers about a breach that compromised personal information. Also, Johns Hopkins University reports a breach tied to what it describes as an extortion attempt.
Statista Portal Breached
Online statistics portal Statista, based in Germany, is notifying customers about a breach resulting from an exploited flaw in the company's website that compromised personal information.
A hacker was able to illegally gain access to the company's customer database. "While we have not discovered any actual technical traces of such an attack, there have been spam e-mails sent to strictly internal e-mail addresses since last Sunday that lead us to the conclusion that part of our customer data has been copied," the company says in a March 11 statement sent to Information Security Media Group.
During its investigation into the incident, Statista discovered that the administrative system that stores contact information was not protected sufficiently against external attacks. While the company cannot say for sure the exact number of customers impacted, its worst-case estimate is 50,000. Compromised information includes names, e-mail addresses and postal addresses, the company says.
Statista says a hacker most likely used a brute force attack to copy and save all of the data sets onto their own server. Afterward, the attacker could have potentially accessed the contact information of Statista's clients as well as the encrypted passwords.
"For some of the passwords, we must assume that they can be decrypted by a skilled hacker as they were stored with an older encryption without salt," the company says. The German police have been notified of the attack.
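The storage weakness Statista describes, a fast hash with no salt, is what lets a copied database be attacked offline with precomputed tables, and it also reveals which customers share a password. The following is an added example, not code from Statista or from this article, contrasting that legacy layout with a salted, iterated PBKDF2 hash and showing how a site can migrate legacy records on the next successful login. The function names, the `pbkdf2_sha256$` record format and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed legacy layout: a single fast SHA-1 digest, no salt. Two users with the
# same password get the same record, and a precomputed table cracks them all at once.
def unsalted_digest(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Assumed hardened layout: per-record random salt plus an iterated KDF. The
# record format "pbkdf2_sha256$<iters>$<salt hex>$<dk hex>" is this example's choice.
def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt, unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def is_legacy(stored: str) -> bool:
    # A bare 40-hex-character string is the unsalted SHA-1 form above.
    return "$" not in stored and len(stored) == 40

def verify(password: str, stored: str) -> bool:
    """Check a password against either record layout, in constant time."""
    if is_legacy(stored):
        return hmac.compare_digest(unsalted_digest(password), stored)
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), dk_hex)

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """On a successful login, rewrite a legacy record in the salted format.

    Returns (login_ok, record_to_store). The plaintext is only available at login,
    so this is the point at which unsalted records can be migrated.
    """
    if not verify(password, stored):
        return False, stored
    if is_legacy(stored):
        return True, salted_hash(password)
    return True, stored

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    legacy = unsalted_digest(pw)
    # Same password, same legacy record: shared passwords are visible in a dump.
    print("legacy records collide:", legacy == unsalted_digest(pw))
    a, b = salted_hash(pw), salted_hash(pw)
    print("salted records collide:", a == b)
    ok, migrated = verify_and_upgrade(pw, legacy)
    print("login ok:", ok, "| migrated to salted format:", not is_legacy(migrated))
```

Run as a script it prints that the two legacy records are identical, the two salted ones are not, and that a legacy record is rewritten after a successful login. The iteration count and the choice of PBKDF2 are illustrative; the point is the per-record salt and a deliberately slow derivation, which is what the article's "older encryption without salt" lacked.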
Johns Hopkins Hit with Extortion Attack
Johns Hopkins University is notifying students, faculty, staff and alumni about a breach of a Web server in the Department of Biomedical Engineering involving what it describes as an extortion attempt.
The department received an extortion message from someone claiming to be a member of the hacktivist group Anonymous, who threatened to post stolen data if the university did not provide user ID and password credentials to access the university's network, Johns Hopkins says.
One day later, on March 6, Johns Hopkins learned from the FBI that stolen information was posted on the Internet. The data included names, contact information and biographical information on current faculty and staff in the biomedical engineering department. Also compromised was student data from the department's BME design team course, including the names and contact information for approximately 848 students enrolled in the course from 2006 through 2013. Although the exposed information did not contain grades, it did include student-entered comments evaluating the course and fellow team members, the university says.
The university is working toward having the stolen information that was posted online removed, and it's cooperating with the FBI.
Social Work Data Exposed
The Iowa Department of Human Services is notifying 2,000 individuals that their personal information was potentially exposed when two workers used personal e-mail accounts, personal online storage accounts and personal electronic devices for work purposes.
The information was related to Polk County social work assessments, according to a statement. Compromised information includes name, mailing address, Social Security number, state identification number, date of birth, health information and incident information.
An investigation was launched Jan. 17 once the issue was identified by a social work supervisor, the department says. Officials found that the workers did not follow department policy, which prohibits use of personal devices and transmitting information outside of the agency's network.
"The chance that this information was accessed through these password-protected accounts and devices was small," says Pat Penning, service area manager for the region including Polk County. "But we realize the Iowans involved in these cases may wish to take steps to be sure their information wasn't misused."
Affected individuals are being offered free credit monitoring services.
Australian Telecom Company Fined
Australian telecommunications provider Telstra has been fined $10,200 by the Office of the Australian Information Commissioner and Australian Communications and Media Authority for violating privacy laws after information on 15,775 customers was accessible on the Internet between February 2012 and May 2013.
"This incident is a timely reminder to all organizations that they should prioritize privacy," says Privacy Commissioner Timothy Pilgrim. "All entities bound by the Privacy Act must have in place security measures to protect personal information."
In May 2013, Telstra contacted the information commissioner after the company was notified by a journalist that the names, phone numbers and addresses of the Telstra customers were available on the Internet. Telstra also discovered that there were at least 166 unique downloads of these records, according to the commissioner.