Breach Roundup: Ukrainian Police Detain a PII VendorAlso in Focus: A US Navy shipbuilder, an Indian lender and a Kenyan grocery chain
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between April 21 and April 27, the spotlight was on the arrest of a Ukrainian trafficker in stolen data, a shipbuilder for the U.S. Navy, the American Bar Association and a Canadian online phone book publisher.
Also: a large Indian non-bank lender, a Kenyan supermarket chain and a European airport shuttle provider.
Ukrainian Police Arrest PII Seller
The Cyber Police of Ukraine arrested a man, aged 36, in the western city of Netishyn for selling the personal data of more than 300 million individuals. The unidentified man administered closed groups and channels in Telegram, which he used to steal information such as Ukrainian and European passport, taxpayer and driver's license numbers, as well as bank account data and birth certificates. Customers included Russian citizens in sales "using currencies prohibited on the territory of Ukraine," Ukrainian police say.
Police detained the man after he assaulted a cyber police officer.
Fincantieri Marinette Marine
Wisconsin-based defense and commercial shipbuilder Fincantieri Marinette Marine underwent a ransomware attack on April 12, reported USNI News, a publication of the nonprofit U.S. Naval Institute. The attack affected servers holding data used to feed instructions to machining tools in the shipyard building frigates for the U.S. Navy. The incident knocked the servers offline for several days, USNI reported. In a statement, the company acknowledged experiencing a cybersecurity incident.
"Repair and construction operations continue at all three U.S. shipyards, however the company's email and some networked operations remain offline for now," the company said on April 20.
The company, a subsidiary of Italy-based Fincantieri SpA, did not reveal the attackers or their demands.
The American Bar Association
Hackers stole about 1.5 million logon credentials from the American Bar Association. The attorney industry association said the passwords were salted and hashed. The breach affects online accounts set up before 2018 or accounts for the ABA Career Center made since 2018.
ABA President Deborah Enix-Ross said in a statement shared with Information Security Media Group that the threat actor had been inside the network for 11 days starting on March 6. The association detected the intrusion on March 17. "An outside investigation determined no credit card numbers, addresses, phone numbers, Social Security numbers or other sensitive personally identifiable information were accessed," Enix-Ross said.
Yellow Pages Canada
Canadian phone directory publisher Yellow Pages Group confirmed to ISMG a cyberattack after being targeted by the Black Basta ransomware group. "Based on our investigation to date, we have reason to believe that the unauthorized third party stole certain personal information from servers containing YP employee data and limited data relating to our business customers," said Franco Sciannamblo, senior vice president and chief financial officer.
The Black Basta leak site posted an apparent sample of stolen data including scans of passports and driver's licenses, as well as internal documents.
LockBit Claims Fullerton India Attack
The LockBit ransomware-as-a-service group said it struck Indian non-bank lender Fullerton India and threatened to dump more than 600 gigabytes of financial data on Saturday unless it receives a $3 million extortion payment.
The company on Monday acknowledged detecting a cyber incident and said it "chose to operate offline as a precautionary measure" but resumed online operations that day.
Fullerton India operates 699 branches across India and extends credit to around 2.1 million customers. The company in 2022 reported $2.5 billion worth of assets under management and employed over 13,000 people.
Naivas, one of the largest supermarket chains in Kenya, announced last week a customer data breach following a ransomware attack incident. "This unlawful intrusion may have compromised some of our data," said Willy Kimani, chief commercial officer. The particulars of the stolen data remain undisclosed but Kimani said that the supermarket giant does not retain credit or debit card information on its systems.
The BlackCat, aka Alphv, ransomware group claimed responsibility for this attack on its leak site. Kimani said the company is aware of the threat actor's claims to have stolen data. "We and law enforcement agencies are monitoring this closely," he said.
European airport shuttle provider Terravision suffered a data breach in February that exposed over 2 million customer records. The breach has only now become public. According to HaveIBeenPwned, the data included names, phone numbers, email addresses, salted password hashes and, in some cases, birthdate and country of origin. The sites says the company did not respond to multiple attempts by cybersecurity practitioners and individuals over a couple of months to report the incident. Terravision did not immediately respond to ISMG's request for comment.