.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The target: Orbitz, a subsidiary of online travel agency Expedia Inc.
The take: Payment card information and personal data such as billing addresses, phone numbers, and emails.
The attack vector: About 880,000 payment cards had been hit by a security breach. The attacker may have accessed personal information that was submitted for certain purchases made during an entire year.
The target: Timehop, an application which aggregates old posts and photos from user’s social media feeds.
The take: Personal information including some combinations of name, e-mail address and phone number, to a total of 21 million records.
The attack vector: An account with administrative access to Timehop’s cloud computing environment was not protected with two-factor authentication – the attacker accessed the account, created a separate administrator credential for their own use in December of 2017. The attacker maintained access and performed reconnaissance for eight months until they proceeded to exfiltrate user data in July of 2018.
The target: Delta Air Lines, a major American airline.
The take: Hackers may have accessed names, addresses, credit card numbers, CVV numbers and expiration dates for “several hundred thousand” customers during approximately two months.
The attack vector: [24]7.ai, Delta's online chat services provider, suffered a malware attack and failed to notify its client of the breach until a few months following the intrusion.
The target: Verification.io, who offer ‘e-mail validation’ services to advertisers.
The take: Over two billion records were exposed, consisting of e-mail addresses, often with associated names, social media accounts, phone numbers, dates of birth, ZIP codes – as well as credit score information, mortgage amounts, interest rates, and other data. Also exposed were names, revenues, and other business-specific data for a number of companies.
The attack vector: A database server was discovered by security researchers to be exposed to the public web, completely unencrypted and without any form of password protection or access control in place.
The target: Social media giant Facebook.
The take: Passwords for between 200 and 600 million user accounts.
The attack vector: Passwords were stored in plaintext on internal systems dating back to 2012 and were accessible to more than 20,000 Facebook employees. Access logs show that at least 2,000 engineers or developers made approximately 9 million internal queries for datasets that contained plain text user passwords.
The target: Cathay Pacific Airlines, a Hong Kong airline.
The take: Personal information including names, dates of birth, addresses, and some passport numbers and e-mail address for 9.4 million clients.
The attack vector: It’s believed that vulnerabilities were discovered and exploited due to poor planning and a failure to adapt security practices and postures during a transition from legacy IT systems to cloud-based infrastructure.
The target: Sonic Restaurants, an American fast-food chain.
The take: An estimated five million credit and debit payment card accounts were compromised as a result of the attack.
The attack vector: The success of the attack was attributed to the age of Sonic’s Point-of-Sale systems, which were no longer receiving security updates and which were inherently vulnerable to manipulation and data exfiltration.
The target: Target, an American retailer.
The take: PPayment card information, and/or names, phone numbers and e-mail addresses for up to 70 million customers.
The attack vector: Attackers accessed Target’s network via credentials stolen from a third-party HVAC vendor, installed malware and exfiltrated the data in what was one of the first major data breaches to make headlines.
The target: British Airways, the largest airline in the United Kingdom.
The take: Payment card information for more than 380,000 customers.
The attack vector: By injecting altered scripts into third-party webpages called during the payment and check-out process, malicious actors performed a digital ‘card skimming’ attack, stealing payment card information from BA’s clients from August and September of 2018.
The target: India’s national ID database, Aadhaar.
The take: Names, unique identity numbers, bank details and other private information for more than 1.1 billion registered Indian citizens.
The attack vector: One utility’s channel to access the Aadhaar database was without any access control in place, used a hardcoded access token, and enforced zero rate-limiting – meaning that an attacker could cycle through all possible Aadhaar numbers and obtain information every time a valid number was hit.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
84 Chain Lake Drive, Suite 501
Halifax, NS
Canada, B3S 1A2
+1-902-429-8880
Manila
Ground Floor, Three E-com Center
Mall of Asia Complex
Pasay City, Metro Manila
Philippines 1300
Sydney
Level 36 Governor Phillip Tower
1 Farrer Place Sydney 2000
Australia
+61 (2) 8823 3370
Abu Dhabi
Floor No.15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy