What is an example of a human glitch

Review of the data breaches and security incidents in 2019

January 22, 2020

Part 2: July to December 2019


13 German Red Cross clinics infected with ransomware

According to the authorities, a service account created ten years ago is the weak point through which attackers penetrate the networks of a total of 13 DRK clinics. The attackers encrypt servers and databases. Details about ransom demands and the type of malware are not disclosed. [1] [2]

Dealing with voice recordings on Google

In April, when asked, Google said it would also rely on human analysis for its voice assistant. The Belgian radio is doing research and can analyze over 1,000 recordings from a whistleblower. In contrast to what Google presented in April, the images can be used to identify people in numerous cases. [1]

Apple contractors listen to confidential recordings through Siri

The Guardian reveals that Apple contractors also regularly listen to confidential recordings to improve quality. Including sensitive medical information, drug deals, and how couples have sex. As with Alexa and other providers of voice assistants, accidental activation of voice assistants occurs again and again. [1] [2]

17,000 websites infected by misconfiguration of S3 buckets

Criminals infect 17,000 websites with credit card data spying software. The common pattern is misconfigured S3 buckets from Amazon, which allow the attackers to inject the prepared JavaScript code to intercept the data. [1]

7.5 terabytes of data on Russian intelligence projects copied

Sytech, a service provider for the Russian secret service FSB, is hacked by the hacker group 0v1ru $. BBC Russia speaks of what is likely to be the largest data leak in the history of Russian intelligence services. [1]

Failure of online banking at Commerzbank and DKB

The online access for Internet banking at Commerzbank and DKB does not work for a few hours. At Commerzbank, at times, payments can not be made at ATMs and purchases with the Girocard (EC card) do not work either. [1]

One year after the fix, Palo Alto admits critical vulnerability

The firewall manufacturer Palo Alto quietly fixed a vulnerability in the VPN module GlobalProtect with new firmware in 2018. GlobalProtect is used to dial into company networks via SSL-VPN. The vulnerability enables the execution of any malicious code and thus the complete takeover of the firewall by attackers. Hackers can thus completely bypass the protective mechanism of the firewall and eavesdrop on the data traffic flowing through the device. The online passenger transport operator Uber was attacked through this vulnerability. Only after the publication of instructions for the GlobalProtect hack will a security advisory on the vulnerability appear after more than a year.

Database of the smart home manufacturer ORVIBO unprotected in the network

According to a report by vpnMentor, the database was unprotected for customers of the smart home manufacturer ORVIBO. E-mail addresses, family names and exact position data of the respective smart home devices were stored there. Passwords as an MD5 hash without salt, which has not been state of the art for many years, as well as reset codes can also be found in the data pot at the time. According to analyzes by vpnMentor, the devices, which also include video cameras, are not only used in the private sector, but also in the business environment. One of the devices is titled with the name "massage room". The smart home devices are sold in Germany on Amazon, among others. [1]

Hacker burglary at the Bulgarian tax authorities

Unknown persons have gained access to systems of the Bulgarian tax authority NAP and copied data from millions of people. In addition to personal information about the people, tax and pension information about those affected also came into the hands of the attackers. [1]

CapitalOne is hacked - 100 million customers affected

The US bank CapitalOne is hacked through an incorrectly configured web application firewall at a cloud provider. The perpetrator is said to be a 33-year-old former employee of Amazon Webservices (AWS). The data captured are credit card applications from the past ten years. The social security number is said to have been included with over a million customers. [1] [2]

Logitech Unifying radio technology open to hacker attacks

Security expert Marcus Mengs discovered several weak points in Logitech's Unifying radio technology, which enable keystrokes to be read and PCs to be remotely controlled. Using known plain text attacks, attackers can read out the key for AES encryption. All that is required for the attack is a radio module from Nordic Semiconductor (nRF52840) that costs 12 euros and can be used to eavesdrop on the pairing process between the receiver and the device. Anyone who cannot ensure extensive physical protection must expect successful attack attempts. [1] [2] [3]

Hacker break-in at Freenet subsidiary Vitrado

According to Vitrado, data from around 67,000 data from affiliate partners is copied from an SQL database. The data records contain names, addresses, e-mail addresses and bank details. [1]


State Farm online accounts cracked

State Farm, the largest provider of property and casualty insurance in the United States, is hacked using a credential stuffing attack. This attack is based on targeting combinations of email accounts and passwords resulting from the numerous data breaches against new targets. Since State Farm customers use the same password as for other services, the hackers have an easy time of it. [1] [2]

T-Mobile customer data copied by hackers

The US-American T-Mobile subsidiary publishes in a press release that it has noticed unauthorized access to customer data. About two million customers are said to be affected. The data are customer names, telephone numbers, email addresses and customer numbers. [1]

AWS virtual hard disk unprotected in the network

A security researcher discovers unprotected Elastic Block Store volumes on Amazon Web Services (AWS). On the data carriers, he can find access data to databases, VPN networks and other key material. The operators of the volumes have switched the access mode from "private" to "public". [1]

Hackers access 14 million customer data at Hostinger

Strangers gain access to a database of the web hosting company Hostinger and get access data for 14 million customers. Passwords are available as SHA-1 hashes, but this hash algorithm has been considered insecure for several years. [1]

More than 130,000 tenant data at LEG can be viewed by unauthorized persons

Customers of the Düsseldorfer Wohnungsgesellschaft LEG can access the data of other tenants after registering in the tenant portal by changing the contract number in the URL. A student discovers this trivial security gap and reports it to the state data protection officer of North Rhine-Westphalia and the press. [1] [2]

Data from 1.2 million users of the porn portal Luscious unprotected

vpnMentor reports on a porn portal where users can upload their own content. The portal's Elasticsearch database can be accessed via the Internet using a web browser without a password. The 1.195 million users are said to include 50,000 from Germany. [1] [2]

90,000 people affected by data leak in Mastercard's Priceless Specials bonus program

An Excel list with 90,000 entries is discovered on the website of the Mastercard bonus program. It contains the first and last name, date of birth, email address and, in many cases, the postal address and mobile phone number. Shortly thereafter, a second list appears, which also includes full credit card numbers. [1] [2]

700,000 records of guests at Choice Hotels are openly accessible

Choice Hotels, which includes chains such as Clarion, EconoLodge, Comfort Inn and Quality Inn, is making its customer database openly accessible on the Internet for four days. Despite the short period of time, hackers find the unprotected database and demand a ransom of 0.4 Bitcoin. [1]

Unprotected biometric database Biostar2 on the Internet

Once again, employees of vpnMentor discover an unprotected database with 27.8 million entries on the Internet. The fingerprints, photos and passwords of millions of people are stored unencrypted in the Biorsttar2 database of the South Korean company Suprema. As part of a partnership with Nedap, the data from Biostar2 are to be integrated into the AEOS access control system, which is used by 5,700 companies and government agencies worldwide. [1]

MoviePass database with 161 million entries without a password on the network

A security researcher discovers an unprotected database with customer and sometimes credit card data from the cinema ticket distributor MoviePass. However, the company does not respond to the notification of the security expert. It wasn't until TechCrunch approached MoviePass that the database was taken offline. As part of the research, it turns out that MoviePass was informed of the data leak months ago by another security researcher. [1]

Tracking by Kaspersky virus protection

As part of a test of anti-virus software, editors at Heise-Verlag found out that the virus protection from the manufacturer Kaspersky injects a unique ID directly into the HTML code when the website is called up. This means that every website can read this ID and misuse it for tracking. [1]

Face ID function of iPhones tricked

At the BlackHat 2019 hacker conference, a security researcher will show how the sensors for voice, fingerprint or face of the iPhone's lifelike recognition can be fooled. For one of the hacks presented, you only need craft glasses for a few euros and some adhesive tape. [1]

BRK reports sensitive health data to Facebook

Confidential data from blood donors from the blood donation service of the Bavarian Red Cross is sent to Facebook via a tracking pixel. Donors are asked to provide information on HIV infections, pregnancies, drug use or diabetes. The Bavarian State Office for Data Protection Supervision is initiating a procedure. [1] [2]


Bugged Cortana and Skype

After Amazon, Apple and Google let people evaluate recordings of their voice assistants, it is hardly surprising that Microsoft also hires service providers to evaluate Cortana commands and Skype calls and learn intimate details of those affected. [1] [2]

DoorDash food delivery service loses data on 4.9 million people affected

For five months, hackers have access to the data of customers, employees and dealers. The attackers can intercept customer data, user names, password hashes as well as copies of driver's licenses and parts of credit card data. [1]

Billions of patient data are openly accessible

Employees of the Bavarian Broadcasting Corporation (BR) and the US investigative platform ProPublica find insecure PACS servers (Picture Archiving and Communication System servers) worldwide. Via these servers, unauthorized access to X-ray images and other patient data is possible for everyone with the help of the "Radiant DICOM Viewer" viewing program. Unprotected servers can be found via open databases such as Shodan or Censys. The reason for this is the DICOM communication standard used by the PACS servers, which originated in the 1980s. In many cases, access to the data is not protected with a password. In Germany alone, around 15,000 data sets from German citizens with around 2.85 million images are openly accessible at the time of discovery. Oleg Pianykh, professor of radiology at Harvard Medical School, published a study on unprotected PACS servers back in 2016. [1] [2] [3]

Data breach at the Haufe certificate manager

On September 20, 2019, Haufe-Lexware informs its customers that an employee of the Haufe Group stored a list of users of the Haufe Certificate Manager Premium on the web server without protection on October 13, 2017. Affected are users who used the Certificate Manager in the period from December 2016 to September 2017. The file is discovered by our own employees and removed on 08/20/2019. Haufe-Lexware does not find any indications of unauthorized access to the list, but admits that not all access logs are available for an all-clear.

Ransomware extortionists received nothing

IT systems of the New Bedford City Council in the US state of Massachusetts are infected by the ransomware "Ryuk". IT experts can contain the spread at an early stage, so that only four percent of government PCs are affected by the infection. However, the administration is offering the extortionists approximately $ 400,000 as ransom to decrypt the files. This sum would have been covered by the insurance. However, the blackmailers are demanding bitcoins worth $ 5.3 million. Ultimately, the blackmailers get nothing. [1] [2]

Ransomware paralyzes the Berlin Higher Regional Court

The encryption trojan Emotet infects IT systems of the Berlin Court of Appeal. The President of the Supreme Court, Bernd Pickel, does not expect operations to resume before 2020. With 30 emergency PCs, the first specialist proceedings can be restarted and bills paid. In an audit in 2017, it was found, among other things, that the Microsoft Word 95 software, which was no longer supported since January 1, 2002, was still in use. [1] [2]

Open Elasticsearch Server with Ecuadorians discovered

Two Israeli security researchers find a freely accessible server with 20.8 million records on almost all of Ecuador's residents. The data records also contain information on account balances, credit information and data on employment relationships. Those affected also include records on the President of Ecuador and Wikileaks founder Julian Assange. [1] [2]

CEO fraud with an artificial voice

Criminals use software based on artificial intelligence to imitate the voice of a CEO of the German parent company. Initially, the branch's CEO does not suspect anything and transfers the amount of 220,000 euros to the perpetrators' account. Only when he is supposed to make a second transfer does he become suspicious. [1] [2]

City administration Neustadt is hit by Emotet

An infection with the Emotet ransomware paralyzes the IT systems of the Neustadt am Rübenberge city administration. [1]

419 million phone numbers of Facebook users freely accessible

The security researcher Sanyam Jain finds a file with 419 million phone numbers of Facebook users on a server. Criminals can use the phone numbers for so-called SIM swapping. The victim's cell phone number is transferred to a SIM card owned by the perpetrator. This means that SMS can be forwarded e.g. with a TAN for online banking or calls. [1]

1,300 credit card details memorized using photographic memory

A seller of a shopping center in Tokyo is said to have memorized the 16-digit credit card numbers, the security number and the expiry date during 1,300 payment transactions and misused them for purchases at the victims' expense. The perpetrator has the purchased goods sent to his private address. This makes it easy for detectives to solve the case. [1] [2]


Phishing with Alexa

Researchers from SRLabs show how Trojanized apps can be used to remotely control Alexa and Google Home and instruct their users to ask for a password. [1] [2] [3]

22 city administrations / municipal administrations affected by ransomware attack

The wave of ransomware infections is not ebbing. The IT systems of 22 communities in the US state of Texas are paralyzed by ransomware. [1]

Another vulnerability in WhatsApp

WhatsApp made headlines with a security vulnerability back in May. A new vulnerability is discovered that allows attackers to gain access to chart progressions and photos. Malicious software can also be installed through this hole. For the attack, the victim must be sent an infected file via WhatsApp. Exploits for exploiting the vulnerability are quickly available on the Internet. [1]

330,000 access data from sex portal in the darknet emerged

A Dutch and Italian sex portal were hacked through a vulnerability in an outdated vBulletin forum software. The perpetrator steals email addresses and password hashes in the MD5 format, which is considered insecure, and other data from those looking for contact with prostitutes and escorts. The hacker offers the data for sale on the Darknet for only 300 euros. [1] [2]

Health app Ada forwards sensitive data to Facebook and other analysis companies

The health app from Ada Health GmbH, based in Berlin, is said to have forwarded sensitive user data to Facebook and the analysis service providers Amplitude and Adjust. Techniker Krankenkasse uses the app for its members. [1] [2]

Vulnerability in millions of Unitymedia routers

The Connect Box, which provides the connection to the Internet via Unitymedia in 2.2 million households, enables full control over an injection vulnerability.This is particularly problematic for customers who have activated the remote maintenance function. This means that the devices can also be attacked from the Internet. [1]

Forum hack by security software manufacturer Comodo

A hacker penetrates Comodo through a security hole in the forum software vBulletin and steals data from 170,000 forum users. [1]

Attackers access private keys from the VPN provider NordVPN

An insecure remote management system enables unknown attackers to steal private keys for generating X.509 certificates. These certificates are used for SSL / TLS connections to websites or VPN nodes. With the private keys, criminals can read the data traffic from such secure connections. [1] [2]

Anti-virus software maker Avast hacked

Hackers can infiltrate the Czech software manufacturer Avast using cracked access data from a temporary VPN account. The attackers seem to be targeting the CCleaner protection software, which was supposed to be provided with malicious code. As a result, the attackers could have achieved a widespread distribution of back doors. [1]

Data leak at UniCredit

The financial institution UniCredit announced that a data breach has been detected. Three million records with email addresses, telephone numbers and addresses of Italian customers are affected. [1]

7-Eleven Fuel App with data leak

An app for paying for fuel from 7-Eleven enables access to data from other users. The app has been downloaded two million times. [1]

Database with data from 7.5 million Adobe customers open on the Internet

Bob Diachenko discovers an unprotected database again. This time, it affects Adobe Creative Cloud subscription customers. The records contain email addresses and subscription information. [1]


Google receives millions of patient records

For the development of new services and functions in the field of health care, Google receives millions of health data from US citizens. Sensitive data includes an entire health history, laboratory results, hospital stays and diagnoses - linked to the patient's name and date of birth. However, those affected do not know anything about it, according to Google, they do not need their consent. [1]

Emotet paralyzes IT at the Fürstenfeldbruck Clinic

After an attack with the Emotet ransomware, the Fürstenfeldbruck Clinic had to complain about a week-long IT failure. 450 computers are affected by the infestation. The clinic can only deal with emergencies. Other patients are transferred to the surrounding hospitals. [1]

1 terabyte data leak at Gekko Group

At the business travel provider Gekko Group, a subsidiary of AccorHotels, more than a terabyte of customer data is discovered unsecured by security researchers online. Including access data, booking information and credit card details from direct customers, as well as those of some subcontractors. However, the experts at vpnMentor also find data from other travel providers and booking portals, such as booking.com and hotelbeds.com. The affected server is then backed up. [1] [2]

Security leak at Alexa and Co. through remote control by laser

Security researchers from the USA and Japan show how easily smart home systems such as Alexa and Amazon Echo can be remotely controlled - and even completely unnoticed. From a distance of 75 meters, the researchers manage to “inject” commands into the device with a laser beam aimed at the microphone of the assistance system. Conceivable, for example, from the window of the house opposite. From switching off the electricity, to opening smarthome-controlled doors and doing shopping, everything is possible. Even if massive abuse is unlikely. [1]

Hacker attack on Adobe's Magento Marketplace

Unknown attackers hack the Magento server and gain access to e-mail addresses, MageIDs, names, billing and shipping addresses. Credit card information and passwords should not be affected. The servers are temporarily disconnected from the network and affected customers are informed. No information is given about the extent of the attack. [1] [2]

Data leak comprises 4 terabytes of data

Bob Diachenko and Vinny Troia discover an unprotected Elasticsearch server with 4 billion user accounts. The data includes private and social information such as names, email addresses, phone numbers, LinkedIn and Facebook profile information. This makes this collection one of the biggest data leaks from a single source in history. The data can be assigned to two different data enrichment companies, "People Data Labs" and "OxyData.Io". [1]

Trend Micro customer data is being sold to fraudsters

In-house threat: An employee of Trend Micro, an IT and server security company, steals customer data such as names, e-mail addresses and ticket numbers for company support in order to sell it to fraudsters. These are then used fraudulently for alleged technical support cases. Credit card information is not affected. Customers who are allegedly being called by Trend Micro on the pretext of a technical matter should end the call and report back. The company itself does not contact its customers over the phone in this way. [1]

Database with around 500,000 user data from an online game free on the net

A freely accessible back-up database of 452,634 users of the online version of the game "Magic: The Gathering" is discovered by a British security company. It contains the names, usernames and email addresses of the users. Passwords were also found on it, but these were protected with a hash process and a salt and therefore could not be easily viewed. [1]

Hackers gain access to customer data from smartphone manufacturer OnePlus

It's not the first incident to hit OnePlus. This time hackers can infiltrate the customer area of ​​the shop system and access data there in order to use it for personalized phishing emails. The data includes email addresses, contact numbers, names and postal addresses. Passwords and payment details should not have been copied. [1]

Router gap ensures unprotected access to patient data

An IT expert discovered a freely accessible Windows server in a doctor's practice in Celle on the Internet. In addition to data from around 30,000 patients, there are also employment contracts, terminations, donations, lists of debtors and business reports (BWA) on the server. The cause was a faulty forwarding to port 443 of a web server in the practice network. This port is usually used for secure SSL / TLS connections on web servers. The Telekom router does not only release port 443, but all ports from 440 to 449. By default, the shares of Windows servers can be reached on port 445. Further research by Heise-Verlag shows that a faulty firmware version of the Telekom router is the cause of unwanted opening of further ports. [1]

Data leak at Conrad Elecronic

Strangers gain access to 14 million customer data records from an Elasticsearch instance of the Conrad Elektronic Group. The data records include postal addresses, in some cases e-mail addresses or fax and telephone numbers and, for almost 20% of the data records concerned, also IBANs. [1]

Politically motivated hack hits offshore bank

A data set with over 600,000 internal e-mails and documents from servers of a branch of the Cayman National Bank and Trust is made publicly accessible on the Internet. The hacker activist "Phineas Fisher" will confess to the action with which he claims to have stolen a six-figure dollar amount. Access is achieved through gaps in the bank's own VPN and firewall system. [1]

Update causes data breach at Berlin criminal police

An update from Windows 7 to Windows 10 is carried out by an IT employee without prior protection of the local hard drives. The result: process-relevant data, evaluations and investigation notes from the areas of robbery, fraud and intensive offenders are deleted without the possibility of recovery. [1]


Uni Giessen hit by ransomware

The University of Giessen will be offline for around two weeks. The background is an infection with the ransomware "Ryuk", as confirmed by the public prosecutor. Once again, the malware Emotet serves as the gateway, which makes infected mail attachments, mostly even Office documents from the addressees last contacted and meaningful content an easy trap. There is no blackmail letter. Presumably the university reacted quickly enough. Who is behind this is not known. [1]

Tens of thousands of citizen data on ebay

In Coburg, a dealer sells declined SSD storage media on ebay. These were previously in use at the vehicle registration office and the youth welfare office of the Coburg district office. Unencrypted personal data of citizens and internal mails of the authority were stored. Since the data cleaning obviously did not serve its purpose, buyers of the B-goods now receive the data from the authorities on top. [1]

Data breach at Lufthansa Miles & More

For around 40 minutes, customers who have logged on to Lufthansa's Miles & More page can view data from other customers. Name, service card number, date of birth, address, email, telephone number, mileage, transaction data and travel preferences are displayed. It is now also possible to redeem third-party miles. According to the Lufthansa statement, this is probably due to a technical error, not a hacker attack. [1]

Klinikum Fürth hacked with Emotet

No new patients can be admitted to the Fürth Clinic for several days. Operations have to be postponed and all IT has to go offline. The reason for this is a hacker attack with Emotet. [1]

BMW network affected by factory espionage

The Vietnamese hacker group "OceanLotus" has been looking around the BMW network since spring 2019. They gain access via a fake website and the Cobalt Strike attack framework. The aim of the whole thing is presumably factory espionage, from which the auto industry is more and more frequently affected. In this case, sensitive data is not tapped because IT security experts from BMW first observed the intruders and then removed the affected computers from the network. It is believed that OceanLotus is spying for the Vietnamese state. [1]

604 gigabyte data leak in TrueDialog

A 604 GB database owned by the American SMS provider TrueDialog is open, unencrypted and unprotected on the network. They found them vpnMentor security researchers using web mapping. Almost a billion highly sensitive data, passwords and private information from text messages can be read out easily in this way. The consequences of the data leak are still incalculable for the 5 billion customers and the company itself. [1]

Music streaming service Mixcloud hacked and database advertised for sale

Mixcloud itself only found out about the hacker attack when the database with over 20 million account data was offered for sale on the Darknet for around 4,000 US dollars. The unknown hackers obtain IP addresses, e-mail addresses of the users and passwords. Most users are not affected by this, as they log into the streaming service via Facebook. In these cases, Mixcloud says it does not save any passwords. It is still recommended that users set up a new password. [1]

Cyber ​​attack on Maastricht University

For over a week, a hacker attack paralyzed all Windows systems at the university through the use of ransomware. The IT experts deployed cannot yet answer whether scientific data has also been copied. Behind this is the Russian organization TA505. For tactical reasons, it is not stated whether a ransomware demand has been made to the university, which is common with ransomware. [1]

Data from 267 million Facebook users online

Security researchers working with Bob Diachenko discover a database on an unsecured server on the Internet. It contains over 267 million basic data from Facebook users, mainly from the USA. It is believed that the collection was created with criminal intent and came from Facebook's developer API. The database will be taken offline after it is found. [1]

Theft of hard drives containing data from 29,000 Facebook employees

Strangers steal multiple hard drives from a Facebook employee's car. These contain salary information, social security numbers and other data from 29,000 employees of the group. [1]

CCC finds weaknesses in the German health network

At the Chaos Computer Congress 36C3, hackers from the Chaos Computer Club (CCC) will show how they can get access to the telematics network. 115,000 medical practices are connected to this network. It is mandatory to transfer digital patient data and electronic prescriptions via the system. Due to a lack of identity verification, the hackers can obtain valid medical professional ID cards, practice ID cards, connector cards and health cards for the identities of third parties and thus access applications in the telematics network and health data. [1] [2]


Part 1 of the review (January to June)