All posts tagged: data breach

How victims of PowerSchool’s data breach helped each other investigate ‘massive’ hack

On January 7, at 11:10 p.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool notifying her that the school she works at was one of the victims of a data breach that the company discovered on December 28. PowerSchool said hackers had accessed a cloud system that housed a trove of students’ and teachers’ private information, including Social Security numbers, medical information, grades, and other personal data from schools all over the world.  Given that PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools — some 18,000 schools and more than 60 million students — in North America, the impact could be “massive,” as one tech worker at an affected school told TechCrunch. Sources at school districts impacted by the incident told TechCrunch that hackers accessed “all” their student and teacher historical data stored in their PowerSchool-provided systems.  Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system — the same system that was hacked — …

The biggest data breaches in 2024: 1 billion stolen records and rising

We’re over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do. From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks. Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped.
AT&T’s data breaches affect “nearly all” of its customers, and many more non-customers
For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate …

Threat actor says he scraped 49M Dell customer addresses before the company found out

The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell’s servers.  TechCrunch verified that some of the scraped data matches the personal information of Dell customers. On Thursday, Dell sent an email to customers saying the computer maker had experienced a data breach that included customer names, physical addresses and Dell order information.  “We believe there is not a significant risk to our customers given the type of information involved,” Dell wrote in the email, in an attempt to downplay the impact of the breach, implying it does not consider customer addresses to be “highly sensitive” information. The threat actor said he registered with several different names on a particular Dell portal as a “partner.” A partner, he said, refers to a company that resells Dell products or services. After Dell approved his partner accounts, Menelik said he brute-forced customer service tags, which are made of seven digits of only numbers and consonants. He also …

Dell warns 49 million customers about massive data breach

Dell has warned customers of a massive data breach following a hacker’s claims they accessed information belonging to roughly 49 million customers. The U.S. computer manufacturer has started distributing data breach notifications to customers impacted by the incident, detailing how an attacker gained unauthorized entry to an online portal that housed customer purchase information on its website. The email seen by ReadWrite stated, “We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell.”
Dell states that the breach is not a “significant risk to our customers”
According to Dell’s data breach notification, it seems that the attack resulted in the theft of personal information only, without compromising any financial data. The information stolen includes names, physical addresses, as well as hardware and order details from its systems. The company stated that it “promptly implemented our incident response procedures, began investigating, took steps to contain the incident and notified law enforcement.” It added that a third-party forensics firm has been engaged …

US Patent and Trademark Office confirms another leak of filers’ address data

The federal government agency responsible for granting patents and trademarks is alerting thousands of filers whose private addresses were exposed following a second data spill in as many years. The U.S. Patent and Trademark Office (USPTO) said in an email to affected trademark applicants this week that their private domicile address — which can include their home address — appeared in public records between August 23, 2023 and April 19, 2024. U.S. trademark law requires that applicants include a private address when filing their paperwork with the agency to prevent fraudulent trademark filings. USPTO said that while no addresses appeared in regular searches on the agency’s website, about 14,000 applicants’ private addresses were included in bulk datasets that USPTO publishes online to aid academic and economic research. The agency took blame for the incident, saying the addresses were “inadvertently exposed as we transitioned to a new IT system,” according to the email to affected applicants, which TechCrunch obtained. “Importantly, this incident was not the result of malicious activity,” the email said.  Upon discovery of the …

Haun Ventures is riding the bitcoin high

The firm invested $5M in Agora, a front-end solution for DAO governance, this week
Blockchain startups were red-hot when Katie Haun left Andreessen Horowitz in 2021 to launch her own crypto-focused venture firm. But shortly after Haun announced that Haun Ventures’ two funds totalled $1.5 billion, cryptocurrency prices cratered, and FTX collapsed.  Despite having a massive arsenal of dry powder, Haun Ventures didn’t rush to scoop up stakes in crypto and web3 on the cheap, and many observers wondered when the firm would pick up its deployment pace. While Haun Ventures says it wasn’t exactly sitting on its hands (and capital) through crypto’s downturn, the firm was perhaps more cautious than it initially intended.  But now that bitcoin prices have rebounded to their previous highs, Haun Ventures’ investment activity is increasing dramatically. Including some of its token positions, the firm has made 48 investments across its early-stage $500 million and $1 billion later-stage acceleration funds, Haun Ventures told TechCrunch.  The firm’s latest investment is Agora, an app that streamlines voting and other decision-making for decentralized …

TikTok faces a ban in the US, Tesla profits drop and healthcare data leaks

Welcome, folks, to Week in Review (WiR), TechCrunch’s regular newsletter covering this week’s noteworthy happenings in tech. TikTok’s fate in the U.S. looks uncertain after President Joe Biden signed a bill that included a deadline for ByteDance, TikTok’s parent company, to divest itself of TikTok within nine months or face a ban on distributing it in the U.S. Ivan writes about how the impact of TikTok bans in other countries could signal what’s to come stateside. Meanwhile, fallout from the Change Healthcare hack continues. Change, a subsidiary of health insurance giant UnitedHealth, confirmed this week that the ransomware attack targeting it earlier this year resulted in a huge theft of Americans’ private health info, possibly covering “a substantial proportion” of Americans. And Tesla profits dropped 55% as the EV company contends with increased pressure from hybrid carmakers. The automaker’s growth plan is centered around mysterious cheaper EVs scheduled to launch next year — as well as perhaps a robotaxi. But a recall on the Cybertruck for faulty accelerator pedals certainly won’t help in the interim. …

Health insurance giant Kaiser will notify millions of data breach after sharing patients’ data with advertisers

U.S. health conglomerate Kaiser is notifying millions of its members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter). In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.” Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.” Kaiser said it subsequently removed the tracking code from its websites and mobile apps. Kaiser is the latest healthcare organization to confirm it shared patients’ personal information with third-party advertisers by way of online tracking code, often embedded in web pages and mobile apps and designed to collect information about users’ online activity for analytics. Over the past …

Personal information of parents, staff at 127 schools accessed in data security breach

SINGAPORE: A data breach at one of its vendors has resulted in the “unauthorised access” of names and email addresses of parents and staff from five primary and 122 secondary schools, the Ministry of Education (MOE) said on Friday (Apr 19).  MOE said it was notified by Mobile Guardian that its user management portal had been breached on Wednesday, with the incident occurring at the company’s headquarters in Surrey, United Kingdom.  Mobile Guardian is a device management app (DMA) installed on personal learning devices used by students, like iPads and Google Chromebooks. The app enables parents to manage students’ device usage by restricting applications or websites and screen time.  MOE added its own device management app was not affected by the data breach as it is separate from Mobile Guardian’s user management portal and “remains safe for use”. “There is no evidence of unauthorised access into the MOE DMA. Parents whose students use the iPad or Chromebook can continue to use the DMA as usual,” it said. The ministry as well as the schools involved will notify …

Indian government’s cloud spilled citizens’ personal data online for years

The Indian government has finally resolved a years-long cybersecurity issue that exposed reams of sensitive data about its citizens. A security researcher exclusively told TechCrunch he found at least hundreds of documents containing citizens’ personal information — including Aadhaar numbers, COVID-19 vaccination data, and passport details — spilling online for anyone to access. At fault was the Indian government’s cloud service, dubbed S3WaaS, which is billed as a “secure and scalable” system for building and hosting Indian government websites. Security researcher Sourajeet Majumder told TechCrunch that he found a misconfiguration in 2022 that was exposing citizens’ personal information stored on S3WaaS to the open internet. Because the private documents were inadvertently made public, search engines also indexed the documents, allowing anyone to actively search the internet for the sensitive private citizen data. With support from digital rights organization the Internet Freedom Foundation, Majumder reported the incident at the time to India’s computer emergency response team, known as CERT-In, and the Indian government’s National Informatics Centre. CERT-In quickly acknowledged the issue, and links containing sensitive files …