This Week in Data Breaches: Credit Karma Bug Exposed Thousands of Credit Files
Welcome to our round-up of this week’s data breaches, leaks, and privacy intrusions. This week, a data exposure at Credit Karma, a massive breach at BioStar 2, and a whole bunch of ransomware attacks in Texas!
Credit Karma Exposed People's Credit Files to Other Users
Last week, Credit Karma users reported that they were being shown other people’s credit files when checking their accounts. Instead of displaying a user's own information, Credit Karma was showing credit scores, credit card accounts, loan information, and derogatory marks belonging to other users. The glitch was shared and discussed on Reddit and Twitter.
On Reddit, one user said, “Out of curiosity I logged in and out of Credit Karma a couple of times...Each time I had full access to a different random person’s credit file. Extremely troubling.” Some users even reported that every time they refreshed their account page they would be served someone else’s information.
According to TechCrunch, Credit Karma shut down its login page for a period of time to resolve the issue. In a statement, Credit Karma spokesperson Emily Donohue said, “What our members experience this morning was a technical malfunction that has now been fixed. There is no evidence of a data breach.”
Regardless of whether it was a data breach or not, the exposure of personal credit information is alarming. The company believes the bug may have affected up to 2,000 accounts. Credit Karma said that it will individually notify users whose credit information was exposed.
Massive Biometric Database Compromised
The Guardian reported last week that the fingerprints, facial recognition information, and personal data of over 1 million people were exposed by Suprema, a security company that runs the biometric platform known as BioStar 2. The system is used by the UK Metropolitan Police, defense contractors, and more than 5,700 other businesses around the world to secure warehouses and buildings.
BioStar 2 uses biometric authentication, including fingerprints and facial recognition, to control access to secure buildings. The platform is part of the company’s AEOS access control system. The security vulnerability also gave hackers access to user accounts and permissions at secure facilities using BioStar 2.
Security researchers Noam Rotem and Ran Locar, who have discovered a wide range of security vulnerabilities and publicly accessible databases in recent months, found the exposed database at the beginning of August. The BioStar 2 database was mostly unencrypted and could be accessed by anyone who cared to look.
In total, the exposed database contained 27.8 million records and weighed in at over 23GB, which included fingerprint data, facial recognition data, photos of users’ faces, unencrypted passwords, logs of facility access, security levels, and personal details of staff members.
The level of access was breathtaking. Rotem told the Guardian, “The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even."
MoviePass Exposed Tens of Thousands of Credit Card Numbers
On Tuesday, TechCrunch reported that MoviePass exposed tens of thousands of credit card numbers after leaving one of its servers unprotected. The exposed database contained over 161 million records, 58,000 of which included credit card or customer card numbers. Many of the numbers were from customer cards, on which MoviePass subscribers store cash balances.
Included in each customer record in the database was the user’s customer card number, expiration date, activation date, and balance. Some records also included the customer’s personal credit card number, card expiration date, name, and address. According to TechCrunch, all of the records were unencrypted. It also appears that the database was exposed for months, from early May through the middle of August.
In a statement, a spokesperson for the company said, “MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident.”
Texas Hit by 22 Ransomware Attacks
A coordinated ransomware attack hit local government agencies in Texas this past week, with IT systems in 22 towns being infiltrated, taken over, and held for ransom by hackers. Along with a rapid emergency response from state authorities, a federal investigation has been launched. Some towns have reported that the attack has impacted or shut down normal city operations and services.
In a Facebook post, the City of Borger said on Monday that Vital Statistics, which provides birth and death certificates, is down, and the city was unable to take utility or other payments. As of Thursday, systems were back online. Meanwhile, a spokesman for the City of Kaufman said, “At this time, all of our computer and phone systems are down and our ability to access data, process payments, etc. is greatly limited.”
Wilmer, Texas, a town of 5,000, was hit especially hard. The New York Times reported on Thursday that the ransomware attack shut down the public library, forced police officers to resort to paper ticketing, and affected the water department.
The Texas Department of Information Resources, which is leading the response to the ransomware attack, said in an update on Tuesday that “more than twenty-five percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual."
Ransomware attacks have proliferated in recent years, with hackers encrypting data or blocking access to the critical systems of local government agencies and hospitals, which sometimes have no choice but to pay the ransom in order to resume vital operations. According to Kaspersky Lab, 25% of US and Canadian health care organizations reported being hit by a ransomware attack. Small towns and cities have also come under increased fire: more than 40 have been hit this year alone.
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.
It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!