Security: Booking.com, Cracked Yet Again, CISA, and More
-
Hackers swipe Booking.com, damage from attack is global
Hackers breached Booking.com, one of the world’s largest online accommodation reservation sites, by posing as hotel staff to steal credit card information from travelers making bookings.
Phishing scams like this have plagued Japan since May.
The headquarters of Booking.com in the Netherlands conceded the damage is occurring on a global scale.
After learning that the stolen card information could have been used to illegally make purchases, the company said, “it is working to recover the money for the affected customers.”
Booking.com’s website and app require hotels and travelers to use their own IDs and passwords for access.
-
Hackers swipe Booking.com, damage from attack is global
This is not Booking.com’s first breach. Readers may recall the firm was hit with a €475,000 fine in 2021 by the Dutch data protection authority for being late to report a data breach in 2019 — and that wasn’t the firm’s only breach-related woes in 2019. A search of this site for “Booking.com” will return other breach reports involving the firm.
-
Time’s up, Sunday edition: Some Jeffco Public Schools data was leaked, some data was put up for sale
As first reported on DataBreaches on Friday, SingularityMD indicated that they would be leaking or selling Jeffco Public Schools data. They followed through.
In one thread on a popular hacking forum, they leaked what they claim is a 500 MB CSV file of an AD export from November 2020. According to the post, the leak “includes hashed passwords, an effective list of all users and then also servers at the time with local service accounts.”
-
2023-11-06 [Older] Siemens, Ericsson Warn EU Cybersecurity Rules May Disrupt Supply Chains
-
If entities continue to obfuscate and lie, it’s time to mandate more transparency in breach disclosures
When it comes to data breach disclosures, the very same entities who claim to take our privacy and security very, very seriously are generally not being transparent in their breach disclosures. Their refusal to be transparent often results in consumers and patients being left in the dark about the risks we face from breaches. Those affected may first find out about incidents from threat actors or the media instead of from the entities who were responsible for securing the data. DataBreaches believes it’s time to consider promoting legislation that will require disclosure of facts about breaches that are currently being withheld and that will prohibit certain kinds of obfuscation or “weasel words” that mislead consumers and patients.
As one recent example of frustrating non-transparency, WDRB reported, “Norton, a company serving about 600,000 patients a year with nearly $5 billion in assets, continues to be tight-lipped about the May 9 data breach, which it refers to as a ‘cyber event.’ That breach has been the subject of speculation for months as the company works to recover its information and patients struggle to obtain prescriptions and schedule appointments.”
-
Was a recent OCR settlement fair? Maybe, but maybe not.
Sometimes you think you did a good job — and sometimes you actually did do a good job compared to everyone else — but someone comes along and says what you did wasn’t satisfactory at all. And when that “someone” is the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR), people are likely to read their criticisms of you and accept them uncritically.
Mea culpa.
When HHS announced its first settlement arising out of a ransomware case, DataBreaches was genuinely surprised and didn’t recognize the entity’s name. With all the outrageous breaches DataBreaches has reported over the years and even filed watchdog complaints about with HHS, why had OCR pursued one DataBreaches couldn’t even recall?
-
Michael Garron Hospital confirms some employee and clinician data stolen in cyberattack; Akira claims it stole 882,000 files
As the Toronto Star and CBC first reported last month, Michael Garron Hospital in Toronto has been investigating a cyberattack it discovered on October 23. In its update on October 26, the hospital reported that it was actively investigating what it labeled a “data security incident.”
“At this time, there are no known impacts to clinical applications or patient care services,” they announced, adding, “We have initiated a Code Grey to facilitate the coordination of resources and business continuity. We have also notified our partners.”
-
2023-11-09 [Older] CISA, NSA, and Partners Release New Guidance on Securing the Software Supply Chain
-
2023-11-09 [Older] CISA Releases Four Industrial Control Systems Advisories
-
2023-11-09 [Older] Johnson Controls Quantum HD Unity
-
2023-11-09 [Older] Hitachi Energy eSOMS
-
2023-11-08 [Older] CISA Adds One Known Exploited Vulnerability to Catalog
-
2023-11-07 [Older] CISA Adds One Known Exploited Vulnerability to Catalog
-
2023-11-07 [Older] CISA Releases Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed
-
2023-11-07 [Older] CISA Releases One Industrial Control Systems Advisory
-
2023-11-07 [Older] FEMA and CISA Release Joint Guidance on Planning Considerations for Cyber Incidents
-
2023-11-07 [Older] GE MiCOM S1 Agile
-
2023-11-06 [Older] CISA Published When to Issue VEX Information