From Amazon to McDonald’s: what do we know about the latest major data leak?

The MOVEit Transfer breach, one of the most significant incidents of the previous year, continues to affect numerous companies. A self-identified data hacktivist has released millions of user records on a data leak forum.

Amazon, which had the highest number of records compromised in the breach—nearly 3 million—has confirmed that the exposed data includes phone numbers, email addresses, and office locations of its employees. Nevertheless, in a statement provided to Cybernews, the company said that neither Amazon nor AWS systems were affected by the security incident.

An Amazon spokesperson informed Cybernews, “We were alerted to a security event involving one of our property management vendors that affected several of its clients, including Amazon. The only information related to Amazon that was compromised pertains to employee work contact details, such as work email addresses, desk phone numbers, and building locations.”

According to the security firm Hudson Rock, other prominent entities implicated in the leak include major banks like HSBC, UBS, and City National Bank, along with technology companies HP and Lenovo. Notably, even the fast-food chain McDonald’s was included in the list.

While the individual or individuals responsible for the leak assert that their motivations are noble, their actions may have far-reaching consequences for the organizations affected.

Why is the Amazon leak dangerous?

The recent leak, which discloses information derived from previous data breaches, has led Cybernews researchers to assert that the systematic organization of such data greatly facilitates the efforts of individuals with malicious intentions.

According to our team, “The author of the leaks compiled and processed previously compromised and exposed information, thereby enhancing its accessibility and usability, which reduces the effort required for malicious actors to exploit it in extensive campaigns.”

The leaked data may be utilized by attackers to devise social engineering schemes, phishing attempts, and credential-stuffing attacks, potentially resulting in further breaches within the organizations affected by the disclosed data.

Earlier this year, Cybernews identified a similarly organized dataset, referred to as the Mother of all Breaches (MOAB), which encompassed 26 billion records distributed across 3,800 folders, each representing a distinct data breach.

Researchers contend that organizations lacking robust cybersecurity measures are particularly vulnerable, as substantial effort is necessary to fortify systems against previous attacks.

Self-proclaimed data security evangelist

Attackers who released a substantial dataset on a prominent data leak forum attempted to frame their actions as a form of public awareness.

“Let me clarify for everyone. I am not a hacker! […] I have no ties to any ransom or hacker groups. I neither sell nor purchase data,” stated the individual or group known as Nam3L3ss in what they referred to as a “manifesto.”

Nam3L3ss claimed to monitor the dark web for vulnerable online cloud services. They asserted that if organizations and government entities are “foolish enough” not to encrypt their transmitted data, they bear the responsibility for any consequences.

“Those transmitting encrypted data must ensure that a third party is maintaining that encryption,” the data leaker emphasized in their manifesto.

While it is indeed essential for companies to prioritize user data privacy, there are more constructive methods to address this concern. One such approach, which garners significantly less attention, involves notifying the affected organizations about the exposure of their information.

What companies were exposed?

Hudson Rock reports that numerous companies were compromised, resulting in the exposure of millions of records. Nevertheless, the extent of the impact varied among organizations; some experienced the exposure of several thousand records, while others faced breaches ranging from half a million to 2.8 million records.

Here’s the full list of impacted organizations reviewed by Hudson Rock:

  • Amazon (2.86 million records)
  • MetLife (585K)
  • Cardinal Health (407K)
  • HSBC (281K)
  • Fidelity (fmr.com) (124K)
  • U.S. Bank (114K)
  • HP (104K)
  • Canada Post (70K)
  • Delta Airlines (57K)
  • Applied Materials (AMAT) (53K)
  • Leidos (53K)
  • Charles Schwab (49K)
  • 3M (49K)
  • Lenovo (45K)
  • Bristol Myers Squibb (37K)
  • Omnicom Group (37K)
  • TIAA (24K)
  • UBS (20K)
  • Westinghouse (18K)
  • Urban Outfitters (URBN) (18K)
  • Rush University (16K)
  • British Telecom (BT) (15K)
  • Firmenich (13K)
  • City National Bank (CNB) (9K)
  • McDonald’s (3K)

So far, only Amazon has confirmed the data leak, with 404 Media reporting the confirmation first. We’re contacting other companies for confirmation and will include their responses after obtaining a reply.

What’s the MOVEit Transfer hack?

Last year, the now-disbanded ransomware group Cl0p took advantage of a zero-day vulnerability in MOVEit Transfer, a managed file transfer application. The vulnerability, which has since been addressed, allowed attackers to compromise MOVEit Transfer servers, gain unauthorized access to them, and download data stored by the company’s clients.

Organizations utilize the MOVEit service to securely transmit files to and from their clients, which means that attackers could potentially access sensitive information.

The breach impacted numerous companies, including Shell, ING Bank, Deutsche Bank, Postbank, American Airlines, and Radisson Americas. According to the cybersecurity firm Emsisoft, more than 2,700 organizations were affected, resulting in the exposure of approximately 95 million users.

The resurgence of this incident in the news, 15 months after it initially occurred, serves as a poignant reminder of the challenges associated with protecting against hacks involving third-party providers, as noted by Joe Silva, CEO of the cybersecurity firm Spektion.

“By the time any company reacts to third-party software risks and vulnerabilities, they’re already being actively exploited while just being publicly disclosed,” Silva remarked.
