SEC, education company Pearson settle charges over 2018 security incident for $1 million

British educational software company Pearson settled charges with the U.S. Securities and Exchange Commission for $1 million over its “misleading” handling of a 2018 data breach, the SEC announced Monday. The SEC based its charges on a July 2019 disclosure to the agency that a hypothetical “data privacy incident” could “result in a major data privacy or confidentiality breach” when the company had in fact already been breached and known about it for months, among other statements. In its public response to the incident, which involved the theft of student information and administrator log-in accounts for 13,000 district, school and university customer accounts, Pearson also left out details about the extent of the stolen information, the SEC said. Pearson claimed to have “strict protections” in place even though it had left a critical vulnerability unpatched for six months that the hackers exploited, along with other poor security practices cited by […]

The post SEC, education company Pearson settle charges over 2018 security incident for $1 million appeared first on CyberScoop.

T-Mobile investigates potentially massive breach of consumer data

T-Mobile is investigating claims by a hacker that they have put sensitive information about more than 100 million of the company’s customers up for sale after breaching its servers. The data set includes names, Social Security numbers, addresses, phone numbers and driver’s license information, Motherboard first reported. The sales ad asks for six bitcoin, which is roughly equivalent to $278,781 as of Monday morning, in exchange for 30 million Social Security numbers and driver’s licenses from the data set. “We are aware of claims made in an underground forum and have been actively investigating their validity,” T-Mobile said in a statement to multiple outlets Sunday. “We do not have any additional information to share at this time.” T-Mobile did not immediately respond to a request for additional comment from CyberScoop. T-Mobile has just over 100 million customers in the United States, meaning that the data set could cover a […]

Hackers stole client info, work materials in Accenture ransomware attack

Ransomware hackers began leaking Accenture data after the consulting giant suffered a security incident where the perpetrators made off with client-related documents and work materials. The gang, known as LockBit 2.0, has threatened to leak further after providing purported proof of the breach. Accenture acknowledged the attack on Wednesday, but has downplayed its severity. “Through our security controls and protocols, we identified irregular activity in one of our environments,” an Accenture spokesperson said. “We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems.” In an internal memo, Accenture said it noticed the “security incident” on July 30. “While the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a […]

Four years after FBI shut it down, AlphaBay dark web marketplace claims it’s back in business

It might be time to update the obituary of one of the web’s most notorious marketplaces for hacking tools and drugs. Four years after the FBI shut down AlphaBay, which registered a reported $1 billion in transactions, a scammer is touting the launch of a new version of the illicit marketplace, according to threat intelligence firm Flashpoint. In an online posting earlier this week, someone claiming to be one of the original moderators of AlphaBay said the marketplace was coming back into business, Flashpoint researchers noted. Among the offerings on the revamped AlphaBay, according to the posting, will be the source code of a hacking tool that steals banking credentials, and money, from victims. U.S. and European law enforcement agencies have in the last year conducted a series of crackdowns on popular dark-web forums. But the alleged resurrection of AlphaBay, dubbed the Amazon.com of the dark web, shows how difficult it can […]

European police round up 23 suspected scammers accused of $1.2 million fraud

An international police sting netted 23 arrests in three countries of suspects behind a business email compromise scheme that last year turned to capitalizing on COVID-19 fears, Europol announced on Wednesday. Together, the fraudsters are believed to have stolen at least $1.2 million from companies in 20 countries, mainly European and Asian nations, the European Union police agency said. The scheme relied on use of compromised email accounts for advance-payment fraud, Europol said. The suspects created fake emails and websites that resembled those of legitimate companies to trick victims into placing orders with them. They then laundered financial data through Romanian bank accounts to ultimately withdraw money from ATMs. “The fraud was run by an organised crime group which prior to the COVID-19 pandemic already illegally offered other fictitious products for sale online, such as wooden pellets,” Europol’s announcement said. “Last year the criminals changed their modus operandi and started […]

Hackers returned some of the $600 million they stole from Poly Network, a cryptocurrency firm

An unidentified hacker stole $600 million worth of virtual currencies from Poly Network, the cryptocurrency company announced Tuesday. Then in an unusual twist, less than 24 hours later, the hacker began to return some of the stolen money after a public plea from the company. As of publication time, the hacker had returned more than $4,772,000 worth of assets, according to the company. Chainalysis, a cryptocurrency-tracking firm, confirmed Wednesday that funds were on the move. The incident is the largest public attack against the decentralized finance industry to date. The identity of the thieves remains unclear. Poly Network offers a service that promises interoperability between different chains of cryptocurrency, which each have their own digital ledger and act independently of one another. A preliminary investigation by cybersecurity firm SlowMist found that the hacker exploited a vulnerability in a feature that allows for the implementation of exchanges across chains. This allowed […]

Senate fails to amend cryptocurrency reporting requirements, moving fight to the House

The Senate stopped short Monday of passing an amendment that would have altered language in the current $1 trillion infrastructure bill to narrow the definition of parties that will be required to report cryptocurrency sales to the Internal Revenue Service. Senators failed to reach unanimous consent because of an objection to an unrelated requested attachment to increase military spending. A group of Senate Republicans and Democrats as well as representatives of the Treasury Department had struck a compromise to narrow the language on Monday and had hoped to pass the amendment through unanimous consent. Cryptocurrency industry leaders and privacy experts say that if the current language in the bill goes through it could handicap the emerging technology in the United States and strip privacy from users. “We may very well have to go back and revisit the rules but we shouldn’t just have an overly broad mandate or reporting requirement […]

Fintech company Plaid, consumers reach $58M settlement agreement in privacy suit

Financial tech company Plaid has reached a $58 million settlement agreement in a lawsuit where customers alleged that the company obtained and used their banking information without permission. Plaid’s service connects customer banking accounts to financial apps like Venmo and Robinhood. The plaintiffs claimed that Plaid misled them and violated their privacy by obtaining data from their financial accounts without consent, getting their bank login information through a deceptive interface meant to look like customers’ own bank login screens and selling their transaction histories. Under the settlement agreement, still subject to court approval, Plaid must also delete some data from its systems, minimize the data it stores, improve disclosures of how it uses data and maintain disclosures and websites about its security practices. “We do not, nor have we ever, sold data,” a Plaid spokesperson said. “We make our role and practices clear, and provide services that give consumers control […]

Two members of QQAAZZ, which laundered funds from cybercrime, plead guilty

Two individuals involved with laundering funds from U.S. victims of cybercrime pleaded guilty to their role in a transnational organization that relied in part on hacking to defraud victims out of millions of dollars, the Justice Department announced Friday. The defendants, Arturs Zaharevics and Aleksejs Trofimovics, are just two of 20 individuals charged by the U.S. government with involvement with QQAAZZ, a European-based crime group that provided cash and cryptocurrency laundering for cybercriminals. U.S. and European authorities launched a major crackdown on the group last fall, resulting in indictments against 14 members of the criminal organization. QQAAZZ allegedly laundered or attempted to launder tens of millions of dollars’ worth of funds stolen from cybercrime victims across 16 countries. Trofimovics opened thirteen corporate bank accounts in Portugal under a shell company to help move money for cybercriminals. Zaharevics, who was extradited from the United Kingdom in April, also set up foreign […]

Courts order handover of breach forensic reports in trend welcomed by consumers, feared by defendants

In the past year, three judges have ordered companies that suffered data breaches to hand over internal forensic reports on how the incident happened — a trend that could lend new insights into incidents where consumers’ personal data is exposed, at the expense of companies that want to keep that information to themselves. In July, a judge ordered the Rutter’s convenience store chain to deliver a forensic report on its data breach to attorneys in a class action suit brought by store customers. It was the kind of decision that could shed light on whether the company neglected cyber defenses leading up to a breach that affected customer credit card data at roughly 70 stores over the course of nine months. A judge ruled in May 2020 that Capital One would need to provide a forensic report to attorneys for customers who sued the bank over a 2019 incident in […]
