EA Games, McDonalds and a CVS vendor are all in the headlines this week for leaking customer data. Plus, a vulnerability was identified in Peloton bikes which could allow an attacker to take control of the bike. That and more in this week’s Cyber News Rundown.
McDonald’s employee data leaked in breach
McDonald’s officials are working to resolve an incident in which unauthorized users were able to gain access to data belonging to employee’s based in South Korea and Taiwan. It was confirmed that no customer data was exposed in the cyberattack, though it remains unclear how the attack initiated. The company has begun contacting affected individuals to notify them of the breach.
Researchers identify vulnerability in Peloton bikes
A recent report revealed a vulnerability of Peloton exercise bikes that could allow an attacker to control a device by modifying its boot.img before reuploading it to the device itself. By making this modification to gain additional device privileges, researchers were able to run any Android application through the bike’s tablet screen. This access could be used to harvest user data or access network locations. Researchers have contacted the company and a patch has been pushed to Peloton devices.
CVS vendor leaves over a billion records exposed
Yet another misconfigured cloud database is responsible for exposing of more than one billion records belonging to CVS Health, which had no means of user authentication for access. While the database did not include personally identifiable information, an attacker could track some of the metadata to narrow down an individual purchase and determine some contact information. Officials for CVS are said to have worked with the unnamed vendor to secure the database before additional damage occurred.
Clop ransomware gang arrested
U.S. and South Korean law enforcement collaborated with Ukrainian police to arrest a number of individuals responsible for laundering money and cryptocurrencies for the Clop Ransomware group. Rather than encrypt their victim’s data, Clop would instead exfiltrate as much data as possible and use it to leverage a ransom payment, often gaining access through the Accellion file transfer incident that happened earlier this year.
EA Games reveals major data leak
Cybercriminals announced late last week that they had stolen more than 780GB of internal data, including source code for games and other development tools, from gaming giant Electronic Arts (EA). Officials were apparently able to detect the intrusion early enough to stop access to sensitive employee or customer data, but are still unsure how the attack originated. As these types of attacks continue to target a variety of large corporations around the globe, it’s clear organizations are struggling to keep pace with security developments.