Breach Roundup: US CFPB, NCR and Rheinmetall
Also in Focus: Philippines Law Enforcement Agencies, RentoMojo and Point32Health
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between April 14 and April 20, the spotlight was on the U.S. Consumer Financial Protection Bureau, a ransomware attack on American payments firm NCR, German automotive and arms producer Rheinmetall, state agencies in the Philippines, and popular Indian rental platform RentoMojo. Also included are Point32Health and an update on British professional outsourcing giant Capita.
US Consumer Financial Protection Bureau
Not every data breach needs a hacker; sometimes just a careless employee will do. The U.S. Consumer Financial Protection Bureau said a now-ex-employee sent records containing Americans' private data to a personal email account. Over the course of 14 emails, the employee sent records including two spreadsheets containing names and transaction-specific account numbers related to roughly 256,000 consumer accounts at a single institution, the CFPB acknowledged. The Wall Street Journal first reported the incident on Wednesday.
The data the employee sent cannot be used to gain access to consumer accounts, the agency said. The agency asked the former CFPB employee to certify the deletion of each email, something the former employee so far has refused to do. "This unauthorized transfer of personal and confidential data is completely unacceptable," said a CFPB spokesperson. Republican lawmakers such as Senate Banking Committee Ranking Member Tim Scott, who has long been critical of the CFPB, used the breach to denounce the agency.
NCR Payment Solutions
American payments giant NCR suffered a ransomware attack affecting its Aloha brand point-of-sale systems for restaurants. The Atlanta company said on Monday the attack, which the company discovered on April 13, took down one of its data centers. NCR said none of its "ATM, digital banking, payments, or other retail products are processed at this data center" and no customer systems or networks were involved.
Trade news outlet Restaurant Business reported some restaurants have said they can't access back-office tools, accept gift cards or use the NCR data dashboard, Pulse.
Rheinmetall
German automotive and arms producer Rheinmetall disclosed an April 14 cyberattack affecting a business unit catering to the automotive sector, reported Der Spiegel. The company's defense division was unaffected and continued to operate "reliably," a company spokesperson said. No threat actor has publicly claimed responsibility for the cyberattack yet.
Pro-Kremlin nuisance hacktivist group Killnet last month on its Telegram channel called for distributed denial-of-service attacks on Rheinmetall, Germany's largest arms manufacturer. A company spokesman told Cybernews at the time that the attack had minimal effect. "Apart from the group website operated by an external service provider, which was temporarily unavailable, there are no significant outages," the spokesperson said. Killnet was acting in apparent retaliation for reports that the firm is holding talks to build a tank factory in Ukraine.
Philippines State Agencies
Multiple state agencies in the Philippines had 1.2 million records exposed to the open internet due to a non-password-protected database. Cybersecurity researcher Jeremiah Fowler told VpnMentor that the incident affected 817.54 gigabytes of data belonging to applicants and employees of the Philippine National Police, National Bureau of Investigation, Bureau of Internal Revenue and Special Action Force.
The exposed data contained scanned and photographed images of original documents that included birth certificates, educational record transcripts, diplomas, tax filing records, passports and police identification cards. Internal directives addressing law enforcement officers were also exposed in the data breach.
RentoMojo
Popular Indian rental platform RentoMojo on Thursday began informing customers of a data breach incident potentially affecting hundreds of thousands of registered users. The breach first came to light after the criminal hacking group ShinyHunters apparently started contacting RentoMojo customers after the company declined to acknowledge or pay an extortion demand. "Just a few minutes back got an email from Shiny Hunters," one user posted on Wednesday to the Pune and Mumbai subreddits on Reddit.
In an email seen by Information Security Media Group, Geetansh Bamania, chief executive officer and co-founder of RentoMojo, said, "It appears that the attackers were able to get unauthorized access to our customer data, including in some cases personally identifiable information, by exploiting the cloud misconfiguration." Bamania said the breach had no impact on any financial information such as payment data "as we never store them in our database." Some users tweeted that the threat group had emailed their personal data and credit card details including expiration date and CVV information, although Information Security Media Group did not verify the claim.
Point32Health
A leading not-for-profit health services organization that serves more than 2 million people across the United States confirmed this week it had been targeted with a ransomware attack. The affected systems were used to service members, accounts, brokers and health care providers. "At this time, most systems impacted are on the Harvard Pilgrim Health Care side of our business," the organization said. The systems have been taken offline, and law enforcement agencies are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.
Update on Capita
British professional outsourcing giant Capita said in a Thursday update on its April 3 cyber incident that hackers had exfiltrated data. An investigation revealed that attackers had penetrated the firm's systems on March 22 and accessed roughly 4% of its server infrastructure, the company said. "The incident was significantly restricted." But "there is currently some evidence of limited data exfiltration from the small proportion of affected server estate, which might include customer, supplier, or colleague data," it added.
The company initially described the incident as affecting access to internal Microsoft Office 365 applications (see: British Outsourcing Giant Capita Disrupted by Online Attack).
Other Coverage From Last Week
- Poorly Set Server, Human Error Blamed for DC Health Breach
- Refurbished Routers Contain Sensitive Corporate Data
- LockBit Ransomware Tests Taking a Bite Out of Apple Users
- CISA: Why Healthcare Is No Longer Off-Limits for Attackers
With reporting by ISMG's Rashmi Ramesh in Bengaluru