The Month in Hacks: October 2015

Two teenagers are in hot water for two different hacks, thieves use SIM swapping to steal more than €1 million, a TV producer has her Instagram taken over and Kmart customers down under are on alert. All that and more... The Month in Hacks.

Hack to the Head of the Class

ABC News reported on 10/21 that New York high school student Daniel Soares, 17, is facing felony charges related to a hack of his high school computer system. Authorities allege that Soares used a keylogger to record the usernames and passwords of school officials. Armed with the stolen credentials, Soares accessed the system and changed both grades and schedules for himself and two accomplices. Because of the password breach, student ID numbers, names, addresses, contact information and student schedules have all been compromised, says the Commack Union Free School District.

TalkTalk Struck Again

UK broadband provider TalkTalk suffered a second hack in just 12 months, as reported by CNET. The company initially warned its 4 million customers that attackers could have gained access to their names, addresses, credit card and bank details, dates of birth, phone numbers, email addresses and TalkTalk account information, but later revised the number affected down to 1.2 million. CNET's coverage included the detail that “Of these customers, 21,000 unique bank account numbers and sort codes were exposed and 28,000 obscured credit and debit card details.”

Teen Accesses Emails of US Security Heads

An American teen claims to have accessed the personal e-mail accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson with uncanny ease. Using social engineering, the teen gathered publicly available information to hoodwink customer service representatives at Verizon and AOL into allowing access. CNN reported on 10/20 that while the FBI continues to investigate, it does not appear that any classified information was stolen. However, the episode certainly reveals the vulnerability of personal e-mail accounts, especially when two-factor authentication isn't used.

Remote Robbery: Thieves Use SIM Swap to Bypass mTan Verification

The Local reported on 10/21 that fraudsters exploited a flaw in the mTan verification system to fleece online banking customers of more than €1 million. mTan is a mobile feature that sends a verification code via text message to authenticate online banking transactions. Armed not only with stolen login credentials but also with their targets' phone numbers, the hackers posed as retail workers needing to activate a SIM card for the associated phone number (SIM swap fraud). The cloned phones allowed access to all text messages, including mTan verification codes.

Details on Scottrade Hack Still Murky

It remains unclear whether online brokerage firm Scottrade was the victim of theft following a high-profile data breach that occurred months ago. While the company confirmed to CNN Money on 10/2 that the database in question stores Social Security numbers and e-mail addresses, it believes that no information was stolen. The case remains under FBI investigation.

Lawsuits in Three States Allege Negligence Against T-Mobile, Experian

Federal lawsuits seeking class-action status have been filed against T-Mobile and Experian in California, Florida and Illinois. Less than a month after a data breach at the credit-monitoring firm leaked the personal information of 15 million T-Mobile subscribers, Bloomberg reported on 10/7 that fears are mounting that data will be sold to identity thieves, wreaking havoc on the financial lives of victims.

Wide Conspiracy Targeting WSJ

The parent company of the Wall Street Journal, Dow Jones & Co., says that it was targeted in a wide conspiracy to access debit and credit card information. Fewer than 3,500 customers are affected. There's still no certainty that any information was stolen, and NBC News reported on 10/9 that the company doesn't know when the hack occurred, only that it was sometime in the last three years.

Pretty Little Heckler

Hollywood Life reported on 10/11 that the Instagram account of Pretty Little Liars executive producer Marlene King was hijacked by a mean girl with a major ax to grind against the hit show's story lines. The hacker taunted King by announcing that her password was easy to guess before tearing apart the series. Fans defended King against the peevish remarks and the matter was resolved in short order.

Trump Breach Continues to Unfold

The Trump Hotel Collection is the latest victim in a string of major data attacks aimed at obtaining customer payment information. For just over 12 months, malware in the payment system recorded card numbers, expiration dates, and security codes. American Banker reported on 10/1 that the company has removed the spyware and is taking steps to tighten data security.

Effective Security Minimizes Harm for Patreon

Effective data security prevented a bad situation from getting worse for crowdsourcing site Patreon. A recent debug hack compromised customer names and contact information. Patreon acted quickly to end the breach and has expressed remorse for users' loss of anonymity. Social Security numbers and other high-risk data were protected by 2048-bit key encryption from RSA Security, ZDNet reported on 10/2.

Aussie Kmart Notifies Customers of Breach

On 10/1, Mashable reported that Kmart Australia moved quickly to notify customers via e-mail of a data breach that revealed contact information for the retailer's online shoppers. Customers took to the company's Facebook page to express disappointment at the lack of a clear solution. Jaded Kmart Australia customer Jess Riley described herself as “beyond unimpressed.”
