Database Security Digest – September 2018
Please take a look at the biggest database security incidents in September 2018.
British Airways Hacked
For more than two weeks presumably from August 21 to September 5 hackers had access to more than 380,000 transactions details of customers who made, or changed bookings on the official website of the airline and the app. The hackers got hold of the following financial information: names, e-mail addresses and credit card information (credit card numbers, expiration dates and CVC codes that are used to approve payments. The Information Commissioner’s Office is conducting an investigation as to the roots of this successful hacking attack. It’s very likely that British Airways will have to pay a fine for being unable to keep customers’ sensitive information safe.
The airline’s representatives say that the attack was carried out by a very “sophisticated” group of cybercriminals. Now the airline recommends the affected customers to contact their banks to take all the necessary measures to prevent money and identity theft.
Experts say that the stolen data could be worth more than 20 million pounds on the dark side of the internet based on the average price for such information.
More Than 6 million Customers Hit in a US retailer Data Breach
SHEIN is a multinational company selling clothes. It started in North Brunswick, New Jersey in 2008. However, cybercriminals don’t really care what company they hack, they’re interested only in obtaining company databases and selling it.
The company admitted being hacked and leaking personal data of over six million customers. Further the company informed that it had been a target of a “concerted criminal cyber-attack” and had to resort to a forensic cybersecurity firm and a legal company to conduct an investigation. The company didn’t give many details, but it seems that its servers had some malware downloaded on them. In the company press release it was declared that the personal data illegally acquired by the hackers included e-mail addresses and encrypted passwords of customers who visited the company website.
14 Million Records Are Exposed by Government Payment Service
A popular platform used by many Americans to pay bills, fines, license fees and more to over 2000 government bodies and agencies in 35 states was unintentionally leaking personal data through a website error. The online receipts issued after a payment were numbered sequentially. By simply typing new numbers in the address bar everyone could look through other peoples’ records. In this way over 14 million records were easily accessible dating back to the year of 2012. The exposed information included names, addresses, phone numbers and the last four digits of bank cards. This information is theoretically enough for a very realistic-looking phishing attack. The Government Payment Service run by GovPayNet was very quick to eliminate this bug.
Security updates for databases
Oracle
https://nvd.nist.gov/vuln/detail/CVE-2018-16959https://nvd.nist.gov/vuln/detail/CVE-2018-16958
https://nvd.nist.gov/vuln/detail/CVE-2018-16957
https://nvd.nist.gov/vuln/detail/CVE-2018-16956
https://nvd.nist.gov/vuln/detail/CVE-2018-16955
https://nvd.nist.gov/vuln/detail/CVE-2018-16954
https://nvd.nist.gov/vuln/detail/CVE-2018-16953
https://nvd.nist.gov/vuln/detail/CVE-2018-16952
MS SQL Server
https://nvd.nist.gov/vuln/detail/CVE-2018-16659PostgreSQL
https://nvd.nist.gov/vuln/detail/CVE-2016-7070MySQL
https://nvd.nist.gov/vuln/detail/CVE-2018-17034https://nvd.nist.gov/vuln/detail/CVE-2018-17035
IBM DB2
https://nvd.nist.gov/vuln/detail/CVE-2018-1711https://nvd.nist.gov/vuln/detail/CVE-2018-1710
https://nvd.nist.gov/vuln/detail/CVE-2018-1685
