The IT Nerd

Volkswagen says more than 3.3 million customers had their information exposed after one of its vendors left a cache of customer data unsecured on the internet:

The car maker said in a letter that the vendor, used by Volkswagen, its subsidiary Audi, and authorized dealers in the U.S. and Canada, left the customer data spanning 2014 to 2019 unprotected over a two-year window between August 2019 and May 2021. The data, which Volkswagen said was gathered for sales and marketing, contained personal information about customers and prospective buyers, including their name, postal and email addresses, and phone number. But more than 90,000 customers across the U.S. and Canada also had more sensitive data exposed, including information relating to loan eligibility. The letter said most of the sensitive data was driver’s license numbers, but that a “small” number of records also included a customer’s date of birth and Social Security numbers.

Well, if you own a VW or Audi product, you might have a problem. And if you’re like me who is on a VW mailing list, you might also have a problem. I wonder why the company thought they deserved to have that information to begin with. This idea that every business you interact with needs to know all about you is absurd. Sell me your product, don’t try to make me your product.

In any case, I hope VW gets slapped pretty hard for this screw up as this is not acceptable.

McDonald’s said hackers stole some data from its systems in markets including the U.S., South Korea and Taiwan, in another example of cybercriminals infiltrating high-profile global companies:

The burger chain said Friday that it recently hired external consultants to investigate unauthorized activity on an internal security system, prompted by a specific incident in which the unauthorized access was cut off a week after it was identified, McDonald’s said. The investigators discovered that company data had been breached in markets including the U.S., South Korea and Taiwan, the company said. In a message to U.S. employees, McDonald’s said the breach disclosed some business contact information for U.S. employees and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas. 

The company said no customer data was breached in the U.S., and that the employee data exposed wasn’t sensitive or personal. The company advised employees and franchisees to watch for phishing emails and to use discretion when asked for information. McDonald’s said attackers stole customer emails, phone numbers and addresses for delivery customers in South Korea and Taiwan. In Taiwan, hackers also stole employee information including names and contact information, McDonald’s said. The company said the number of files exposed was small without disclosing the number of people affected. The breach didn’t include customer payment information, McDonald’s said.

I suspect the Hamburger.

In all seriousness, the only thing that is good about this hack is that customer info hasn’t been exposed. The bad news is that clearly a company the size of McDonald’s did not have their act together when it comes to cybersecurity. It really underscores that companies big and small need to up their cybersecurity game.

U.S. Senate Majority Leader Chuck Schumer on Thursday said he is initiating a review of recent high-profile cyber attacks on governments and businesses to find out whether a legislative response is needed:

“Today I am asking Chairman Gary Peters of our Homeland Security Committee and our other relevant committee chairs to begin a government-wide review of these attacks and determine what legislation may be needed to counter the threat of cyber crime and bring the fight to the cyber criminals.” Schumer noted that the New York City subway system was the victim of a computer hack in early June. This came on the heels of Colonial Pipeline having to shut down some operations, resulting in disrupted fuel supplies in the U.S. Southeast, as a result of a cyber attack.

In case you were wondering about the cyberattack on the New York subway system, The New York Times has a story about it that you can read.

In any case. I for one would be in favor of laws to address cyberattacks. The thing is that it has to cover a number of areas:

• It has to force companies to employ defenses against cyberattacks. And face punishments if they fail to do so. Along with worse punishments if they get pwned and those defenses were not in place.
• It has to require companies who get pwned to report that they got pwned.
• It has to make paying the ransom illegal to make it less profitable for the scumbags behind these crimes.
• It has to go after the scumbags behind these crimes and target the cash. Because if its not profitable to do these crimes, they won’t do it.
• It has to go after the nation states who shield these scumbags. That way the scumbags in question have no place to hide.

The fact is that this cannot be some token measure. It has to have teeth. Otherwise we’re going to be talking about this day after day.

Hackers have broken into gaming giant Electronic Arts, the publisher of Battlefield, FIFA, and The Sims, and stole a wealth of game source code and related internal tools, Motherboard reported Thursday:

“You have full capability of exploiting on all EA services,” the hackers claimed in various posts on underground hacking forums viewed by Motherboard. A source with access to the forums, some of which are locked from public view, provided Motherboard with screenshots of the messages. In those forum posts the hackers said they have taken the source code for FIFA 21, as well as code for its matchmaking server. The hackers also said they have obtained source code and tools for the Frostbite engine, which powers a number of EA games including Battlefield. Other stolen information includes proprietary EA frameworks and software development kits (SDKs), bundles of code that can make game development more streamlined. In all, the hackers say they have 780gb of data, and are advertising it for sale in various underground hacking forum posts viewed by Motherboard.

Lovely. This is a bad look for Electronic Arts. And Electronic Arts have confirmed to Motherboard that it had suffered a data breach and that the information listed by the hackers was the data that was stolen. So you can expect that there is a ton of damage control going on inside the company right now as the damage is going to be extensive and multi-faceted.

You might recall that I brought you the story of JBS Foods who got pwned in a cyberattack that shut the company down globally. Well it seems that they decided to pay up to get themselves back online:

The world’s largest meat processing company has paid the equivalent of $11m (£7.8m) in ransom to put an end to a major cyber-attack.

Computer networks at JBS were hacked last week, temporarily shutting down some operations in Australia, Canada and the US.

The payment was reportedly made using Bitcoin after plants had come back online.

JBS says it was necessary to pay to protect customers.

Paying these guys is a mistake. Why? The fact that we are still talking about cyberattack after cyberattack every single day shows that paying the attackers isn’t the solution to the problem as all that paying them does is encourage more attacks.

The solution is stronger cyber-defenses that all companies big and small must introduce. More aggressive law enforcement action, especially against those who backed by nation states like China and Russia. And more moves like the one the FBI did the other day to go after the proceeds of these crimes. Actions like those will turn the tide on this issue. Paying them is not the answer.