Plus, hardware wallets are found to be hackable and a ransomware group says it’s targeting scammers
British budget airline easyJet told the BBC that it is in the process of alerting 9 million customers about a data breach that occurred in January, exposing their email addresses and travel details. EasyJet reported that about 2,200 customers also had their credit card numbers stolen, including security codes, and that the company alerted those customers in early April. Regarding the 3-month delay before alerting victims, a spokesman for the airline commented, “This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.”
Avast security evangelist Luis Corrons points out that in 2018, British Airways suffered a similar breach for 15 days. “It was discovered on September 5th,” he says. “And the company made it public one day later. EasyJet took more than 3 months, which doesn’t make its cybersecurity capabilities look good.”
The airline did not share details of the attack, but under the General Data Protection Regulations (GDPR), easyJet could face fines of up to 4% of its annual revenue if it is found to have mishandled customer data. The airline said that all affected customers of the breach will be notified by May 26 and that they are providing protective steps to deflect any phishing attempts, such as bad actors pretending to be easyJet.
Cryptocurrency hardware wallets are physically hackable
New research reveals that cryptocurrency hardware wallets can be compromised by a hacker who has physical access to the unit. Hardware wallets are small portable drives expressly designed to be a secure place where one can store their cryptocurrency in “cold storage,” meaning offline. Wired published a report this week about the security team at Ledger, a company that manufactures hardware wallets itself, who examined the hardware wallets of their competitors Coinkite and Shapeshift and found that both companies sold products that could be hacked, as long as the hacker had sufficient time in person with the device.
This week’s stat
The number of user records from Home Chef, a US-based meal kit delivery service, a hacker sold on a dark web marketplace
Google & others race to stave off massive DDoS risk
Researchers from Tel Aviv University and the Interdisciplinary Center of Herzliya in Israel released new details this week of a distributed denial of service (DDoS) technique they are calling NXNSAttack. They say it allows a large-scale DDoS attack to be carried out by a relatively small number of hacked computers or devices. The attack takes advantage of vulnerabilities in common DNS software, overloading targets with bogus requests until they're knocked offline. Wired reports that major internet companies like Google, Cloudflare, Microsoft, and Amazon have all updated their software to address the potential threat.
Poll reveals tech fears and priorities among CEOs & CISOs
The Wall Street Journal worked with a cybersecurity firm to poll 200 global CEOs and CISOs about the current state of cybersecurity. The results revealed that 71% of the CEOs surveyed lose sleep over the risk of their companies suffering a data breach. Less than half believe that they have a sensibly updated cybersecurity strategy, and only 46% regularly review these strategies. Interesting disparities in protective priorities also emerged from the report, based on the geographic location of company leaders. In the U.S. and Europe, protecting customer data seems to be a resounding priority, while in Asia, protecting organizational IP is the main objective. See more survey results at TechRepublic.
This week’s quote
"We see ransomware popping up like a poor relation demanding money—which, in many cases, they get. It should be on your radar,” said the authors of the Verizon Data Breach Incident Report. Read some key takeaways here.
Details of 40 million Wishbone subscribers for sale
A hacker has put up a database for sale containing usernames, emails, phone numbers, locations, and hashed passwords of 40 million Wishbone subscribers on multiple hacking forums this week. ZDNet reported that the stolen passwords are not secured with a strong encryption and can be hacked fairly easily. The Wishbone data appears to come from a hack perpetrated in January 2020, and the seller is asking .85 bitcoin for it, which is about $8,000. The data also includes links to user profile photos, with much of the Wishbone user base composed of minors. The Google Play Store lists the app as having been downloaded between 5,000 and 10,000 times.
Vigilante hackers say they’re going after scammers
A hacking group called “CyberWare” claims to have developed a ransomware expressly intended to be used on scammers. In an interview with Bleeping Computer, the hackers said they are targeting companies they know to conduct “loan scams” – ploys to get victims to pay money up front for large financial loans that they never receive. Cyberware launches a ransomware called MilkmanVictory at these criminals, which is actually a destructive wiper, encrypting the files but not saving an encryption key. The ransomware does, however, provide a way to contact the attackers along with a note that reads, “Hello! This computer has been destroyed with the MilkmanVictory Ransomware because we know you are a scammer!” The group says it is also launching DDoS attacks against the scam companies’ websites.
This week’s ‘must-read’ on The Avast Blog
Is reading about breach after breach getting you worried about your own information online? Use Avast’s Data Breach Survival Guide for tips on how to protect yourself from breaches.
Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN. Get advertisers off your back and disguise your online identity for greater privacy with Avast AntiTrack.