In the latest update on the University of Minnesota’s data breach, the school has confirmed the breach after a hacker claimed to have accessed a database containing approximately seven million Social Security numbers. The university launched an investigation on July 21 after learning of the hacker’s claims. The school spokesperson stated that the preliminary assessment indicates that the data at issue is from 2021 and earlier. However, the hacker claims that the database contains data as far back as 1989, which would explain the high number of Social Security numbers included.
Despite confirming the breach, the university has stated that its security professionals have not detected any system malware, encrypted files, or fraudulent emails related to the incident. It has also emphasized that there have been no known disruptions to the university’s current operations as a result of the data security incident. While the university did not disclose how the breach occurred or what type of data were exposed, it has given assurances that if any sensitive personal data were accessed, it will notify the affected individuals and provide resources to help protect against misuse of their information, as required by federal and state law.
Moving on to another data breach, Australian telemarketing firm Pareto Phone recently suffered a breach that exposed the data of thousands of donors to Australian charities. The LockBit threat group has dumped 150 gigabytes of data allegedly stolen in the attack. In addition to donor information, the exposed data includes Excel and Word documents, images, internal company data, and information on the charities Pareto serves. The most concerning aspect is that the exposed data also includes criminal checks that the company ran on prospective employees, highly sensitive data that experts believe should not have been retained at all. Employee data, including information on staff counseling and other sensitive matters, was also exposed.
The extent of the breach raises questions about Pareto’s data retention policies and has put Australia’s privacy policies under scrutiny. Experts are calling for a review and assessment of the effectiveness of the country’s national cybersecurity policies, legislation, and cyber advisories in light of high-profile cyberattacks like this. The ongoing review of the Privacy Act by the government could potentially set higher expectations for companies that handle personal data.
In other news, St Helens Borough Council in northwest England has disclosed that it was targeted by a ransomware attack. The council’s website states that it is currently investigating the incident and working with specialist cybersecurity teams to maintain access to online services. While it is unclear if any resident data were stolen, the council is warning residents to be vigilant with any emails received from them. This incident is part of a wave of ransomware attacks on English councils, with Redcar and Cleveland Council, Hackney Council, and Gloucester City Council also falling victim in recent weeks.
Lastly, FTX, a bankrupt crypto exchange, has disclosed a data breach involving limited, non-sensitive customer data of specific claimants at its bankruptcy case claims agent, Kroll. FTX has confirmed that its own systems were not affected, and Kroll is directly notifying the affected individuals with measures they can take to protect themselves. Security experts have commended both FTX and Kroll for their responsible handling of the breach and their commitment to investigating the incident and notifying affected customers.
As data breaches continue to pose significant risks to organizations and individuals, it is essential for companies to prioritize robust cybersecurity measures and adhere to data protection policies. Public and private entities must work together to strengthen cybersecurity defenses and ensure the security and privacy of sensitive information.

