06 March 2020

IRM Weekly Cybersecurity Roundup: Loyalty card data breaches and more

Loyalty card data breaches at Tesco and Boots

Loyalty Card Data Breaches

Two big retailers have been victim to loyalty card data breaches this week, leaving customers of their loyalty card schemes impacted.

Boots suspended payments with their Advantage Card after there was a cyber-attack on its customer database. The hackers used passwords from other websites to break into Advantage Card accounts and steal customers’ reward points to spend on themselves.

Tesco has decided to replace of 620,000 Clubcards after discovering a security breach which they’ve reported to the Information Commissioner’s Office.

Similarly to Boots, its believed hackers used passwords from other websites in a brute-force attack to gain access to Clubcard accounts. Credit card information is thought to be protected from the breach and affected accounts have been blocked as a security measure.

You can read more about Boots here and Tesco here.


CIA accused of 11-year cyber-attack against China

Amercia’s Central Intelligence Agency (CIA) has been accused of launching cyber-espionage lasting 11 years against critical industries in China.

This is after a security company announced it had discovered evidence of cyber-attacks by the CIA hacking group (APT-C-39). Attacks appear to be against sectors including aviation, science research, oil, internet and government agencies.

A document disclosed to WikiLeaks in 2017 and made public is said to include details on the hacking group’s methods, targets, tools and technical specifications.

You can read more here.


DoppelPaymer ransomware affects Lockheed Martin, SpaceX and Tesla

Visser Precision, a supplier to Lockheed Martin, SpaceX and Tesla, has admitted to being victim to a cyber-attack which has led to the access and/or theft of data.

The cyber-attack used DoppelPaymer ransomware to put sensitive information at risk which has since been sold on the DarkWeb. DoppelPaymer has been around for months but the public has only started to see information released in the last week.

Customers of Visser Precision are aware of the situation and are closely monitoring the incidents to ensure information is protected.

You can read more here.


Zynga Inc

Farmville games creator faced with class-action lawsuit

Zynga Inc., the gaming company who created Farmville and Words With Friends told users to update their passwords in September 2019 after a data breach.

Gnosticplayers hacker from Pakistan claimed the breach, stating they gained access to 218 million user accounts. The information on what information had been stolen was vague, as Zynga said that “certain player account information may have been illegally accessed by outside hackers”.

Plaintiffs have filed a class-action lawsuit against Zynga in California accusing the company of failure to reasonably safeguard the personal information of their players. It’s thought that information including email addresses and Facebook IDs were stored with out of date cryptography.

You can read more here.


Quick-fire Updates

Airline fined £500k by ICO over data breach: Cathay Pacific, who discovered a data breach in 2018, exposed the details of 9.4 million customers across the globe. The Information Commissioner’s Office has applied the maximum fine under relevant UK law. Read more here.

T-Mobile announces security breach: The US mobile operator has revealed information about a security breach which has compromised customer information including names, addresses, phone numbers, billing info and account numbers. T-Mobile’s incident response team hasn’t found evidence of misuse of the exposed data yet. Read more here.


Looking for guidance on cybersecurity best practice? Email us at hello@irmsecurity.com today to find out how we can support organisations of all sizes.