This week, two prominent dark web markets - AlphaBay and Hansa - found their customers’ data leaked online by an individual who previously warned the market administrators about the vulnerabilities. Meanwhile, an Australian agency accidentally leaked the personal health information of vulnerable children under the state’s protection (again), and the world’s biggest bowling company suspects a payment card breach.
White Hat, Black Hat, Dark Web Chitchat
A throwaway account named Cipher0007 tried to alert AlphaBay that their website contained some flaws in the system management of private messages. Cipher0007 coded a bot to get past their dual captcha system and extract data from the site. AlphaBay did not respond promptly enough to their suggestions, so Cipher0007 took to Reddit to go public with AlphaBay’s information.
Cipher0007 dumped redacted private messages between buyers and sellers containing high-risk information, first and last names, addresses for packages, and tracking IDs. Cipher0007 also included in their post that they had discovered bugs in the Hansa market. AlphaBay later published a statement letting users know that Cipher0007 gained access to 218,000 private messages from the last month and a list of usernames and IDs. In the end, Cipher0007 told DataBreaches.net they were paid a bug bounty by both markets, which they in turn donated to the Tor Project.
Human error will always pose a significant threat to information security. People make mistakes when they’re tired, overworked, and performing routine and mundane tasks. And although most organizations usually follow security mishaps with internal training to address the issue, it doesn’t always help.
An Australian state agency in Victoria, the Department of Health and Human Services (DHHS), has been particularly afflicted by human error; several employees in previous years have mistakenly leaked confidential information, provoking an investigation from the Office of the Commissioner for Privacy and Data Protection. The investigation aimed to produce a review of the agency’s information security practices, governance, and control.
But this week, days before the commissioner was set to deliver the report, an employee from the DHHS’ Child Protection Service mistakenly shared a spreadsheet containing the PHI of more than 30 vulnerable children. The file identified the children by name and included an itemized description of expense claims, which detailed DNA testing, psychological assessments, medical appointments, and listed the government employees assigned to their case.
Past events have shown that these inadvertent data leaks threaten the safety of children under the state’s protection. DHHS employees have unintentionally distributed children’s information to their abusive guardians, and have dispersed other sensitive data that ultimately led to home break-ins and harassment.
One More Thing: Bowling Alley Strike has Data to Spare
Bowlmor AMF, the world’s largest bowling center operator with 300 US locations in 12 states, was in the gutter after a possible data breach. The bowling company discovered malware on computers at 21 different locations. The company polished their shoes and looked into their systems after their credit card payment processor noticed some unusual card activity they wanted to pin down. The bowling company found no evidence of information stolen from their systems, but the malware they discovered appeared to be collecting certain data relating to some cards used at these locations.