By Lauren Morley on Mar 28, 2018 1:31:46 PM
New cybersecurity threats like phishing attacks, ransomware, and scams are always popping up. Stay up to date on the latest widespread threats and protection methods in our recurring series.
Applebee's Point-Of-Sale Malware Attack
Over 160 Applebee's restaurants in the United States appear to have been victims of malware, causing the breach of customer data.
“Based on the experts’ investigation, RMH believes that unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations,” it explained.
“Certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods could have been affected. The exact dates vary by location. Payments made online or using self-pay tabletop devices were not affected by this incident.” (RMH Franchise Holdings [page removed since writing of this article])
"Those hit include outlets in Alabama, Arizona, Texas, Florida, Illinois, Indiana, Kansas, Kentucky, Ohio, Mississippi, Missouri, Nebraska, Oklahoma, Pennsylvania and Wyoming.
In the majority of cases, malware was allowed to sit on the POS systems for around a month, between December 6, 2017 and January 2, 2018. In a few locations it was active from November 23 or December 5, 2017." (Infosecurity Magazine)
What to do: If you visited an Applebee's restaurant between the dates listed, closely monitor your card statements for any unusual activity. If you see any unauthorized charges, report them to the issuing bank immediately. RMH has engaged cybersecurity experts and notified the police about the incident, and will continue to take measures to mitigate any damage.
Walmart Jewelry Partner Exposed Customer Data
"Walmart jewelry partner MBM left personal data for more than 1.3 million customers in the US and Canada exposed without a password.
The Chicago, Illinois-based jewelry company, which operated under the name Limogés Jewelry, left names, addresses, ZIP codes, phone numbers, email addresses, IP addresses and passwords publicly available in an AWS S3 bucket – data that can be used to carry out targeted fraud or phishing attempts." (Infosecurity Magazine)
It's estimated this incident exposed the data of 1.3 million customers. There is no evidence currently that the data was accessed by a malicious party, but that doesn't eliminate the possibility.
What to do: If you're a Walmart customer, and especially if you've purchased jewelry there in the past few years, keep an eye on your bank statements. Notify your bank of any unauthorized charges immediately.
Facebook/Cambridge Analytica Data Harvesting
In probably the biggest story of the month, we learned that "Cambridge Analytica, a data analytics firm which is currently under investigation by the ICO, was revealed to journalists working for the Observer to have used personal information taken without authorization in early 2014 to build a system that could profile individual US voters. It is thought the purpose of this was to target Facebook users with personalized political advertisements.
According to the Observer: 'Documents seen [by the Observer], and confirmed by a Facebook statement, showed that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.'" (Infosecurity Magazine)
Additionally, Facebook was revealed to be harvesting cell phone call and text data from Android users. Facebook claimed that this was a feature meant to enhance the user experience and that users had to expressly consent to it, but user reports are conflicting.
This incident is still unfolding, but many users have already expressed their dissatisfaction through the #DeleteFacebook campaign.
What to do: Facebook has introduced a feature that allows you to view and delete the data they've collected about you. If you can't delete Facebook, this is the next best solution. Visit this page on Today.com to learn how to control your data.
Orbitz Data Breach
The travel site Orbitz.com has likely been hacked, exposing the data of 880,000 payment cards and customers' personal information. "The company said evidence suggests an attacker may have accessed information stored on a legacy e-commerce platform during two periods: 1 January through 22 June 2016 and 1 October to 22 December 2017." (Infosecurity Magazine)
The issue may have arisen during Expedia's purchase of the company in 2015.
What to do: Orbitz is offering customers a free year of credit monitoring. Keep an eye on credit statements and look out for unauthorized charges.
If you need some extra help identifying or protecting against any of these or other cybersecurity threats, let us know!