Big week for breaches: McDonald’s, Carnival, and more

Carnival: The cruise operator Thursday stated in a letter to its customers it had detected “unauthorized third-party access to a limited number of email accounts” in mid-March that potentially exposed certain personal information of guests, employees, and crew members on its Carnival Cruise Line, Holland America Line, and Princess Cruises. The potentially compromised information included Social Security numbers, passport numbers, dates of birth, addresses, and health information.

Carnival said it “acted quickly to … prevent further unauthorized access,” hired a cyber-security firm to investigate the matter, and notified appropriate authorities. “There is evidence indicating a low likelihood of the data being misused,” the company stated.

In August 2020, the company disclosed in a regulatory filing it had detected a ransomware attack that also had resulted in “unauthorized access to personal data of guests and employees.” The hackers had accessed and encrypted part of the cruise line’s IT systems, including the download of certain of its data files.

Wegmans: The grocery chain Wednesday alerted customers to a security incident that occurred “due to a previously undiscovered configuration issue,” in which two of its cloud databases, intended for internal business purposes, “were inadvertently left open to potential outside access.” Impacted customer information included names, addresses, phone numbers, birth dates, club numbers, e-mail addresses, and passwords to Wegmans.com accounts.

Wegmans said it was first notified of the vulnerability by a third-party security researcher.

In response, the company said it worked with a forensics firm to investigate the matter. “We have since corrected configurations and secured all affected information,” Wegmans said. “We have also taken steps to avoid the occurrence of similar issues in the future.”

McDonald’s: The fast food giant on June 11 confirmed—after the Wall Street Journal reported—hackers accessed a “small number of files” that contained names, emails, phone numbers, and addresses of customers and employees in the United States, South Korea, and Taiwan. McDonald’s indicated hackers were able to gain unauthorized access of an internal security system by means of a phishing email.

Volkswagen: Volkswagen Group of America on June 11 disclosed in data breach notifications filed in California and Maine that an unauthorized third party obtained certain personal customer information. The company had been alerted to the issue in May.

Volkswagen said it believed the data was obtained when a vendor used by Audi, Volkswagen, and some authorized dealers in the United States and Canada “left electronic data unsecured at some point between August 2019 and May 2021.”

CVS: The retail pharmacy this week acknowledged an incident in which more than one billion records containing sensitive information were left exposed.

On March 21, security researcher Jeremiah Fowler and an investigative team at WebsitePlanet discovered “a non-password protected database that contained more than one billion records” that was found to be connected to CVS Health.

Upon being notified of the vulnerability, CVS Health took immediate action and restricted public access that same day. According to CVS, the database was being managed by a vendor on behalf of CVS Health.

“We are not implying any wrongdoing by CVS Health, their contractors, or vendors,” Fowler wrote. “We are also not implying that customers, members, patients or website visitors were at risk. … We are only highlighting our discovery to raise cyber-security awareness of how something as simple as search logging and a misconfigured database could potentially capture and expose data.”

Wider lessons

Oftentimes when a security incident is discovered by an external party, the victim company is quick to point out the likelihood of the stolen data being misused is small. That misses the point. As Fowler noted, “each record of information serves as a puzzle piece to provide a larger picture of an organization’s network or data storage methods.”

Anurag Kahol, chief technology officer and co-founder of cloud-security firm Bitglass, adds the exposure of any sensitive data is “more than enough for hackers to launch highly targeted phishing attacks against those individuals impacted, underscoring the importance of securing all personal records.”

In the case of CVS Health, for example, while protected health information was not directly exposed, “the information revealed could be cross-referenced for e-mail phishing campaigns or social engineering style hacks,” says Stephan Chenette, co-founder and chief technology officer of security optimization platform AttackIQ. “Organizations that manage sensitive health information must take proactive approaches to protect their data.”

“Robust, flexible, and multifaceted cyber-security platforms that prevent leakage; authenticate all users; and monitor their behavior are essential for defending business operations and securing resources within,” Kahol says. “Following cyber-security best practices and implementing mandatory employee training can also help minimize additional attack vectors and enforce stricter security standards.”

The incidents at Volkswagen and CVS further highlight cyber-security vulnerabilities posed by third parties.

“The exposure of over a billion records belonging to CVS Health highlights the importance of protecting sensitive customer information, as well as ensuring your organization and any third-party vendors who have been brought on to help with security and cloud migration have proper security measures in place,” says David Pickett, senior cyber-security analyst at cloud solutions provider Zix | AppRiver.

“Another component to be mindful of when working with third-party vendors that have access to company data is reviewing and understanding what the vendor agreement encompasses for security practices,” Pickett says. “These solutions will help to prevent companies from becoming another statistic in a long list of companies who have had data exposed online.”