Threat Intelligence Blog

Posted July 10, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Information Security Risk

“Adidas AG is the latest company to come under attack from cyber-thieves looking to steal personal information, with millions of customers potentially at risk. The athletic-wear company alerted customers about a possible data breach on its U.S. website. A preliminary investigation found the leaked data includes contact information, usernames and encrypted passwords, the company said in a statement. Adidas said it does not believe any credit card or health and fitness information was compromised. The company said it found out about the problem when “an unauthorized party” claimed to have acquired some of its consumer data. Adidas is in the process of conducting a forensic review and is alerting customers it believes could be affected.”

 –Bloomberg

Technology

“A Spain-based software-as-a-service (SaaS) company that specializes in online forms and surveys has suffered a security breach that resulted in the data collected by its customers getting stolen. According to a notice posted on its website, Typeform identified the breach on June 27 and addressed its cause roughly half an hour later. The company says an attacker has managed to download a backup file dated May 3 from one of its servers. The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms. Data collected after May 3, payment information, and passwords are not impacted, Typeform said. UK-based mobile banking service Monzo is one of the impacted organizations. Monzo says the breach affects roughly 20,000 individuals, a vast majority of which only had their email address exposed. However, in some cases, information such as postcode, name of the old bank, Twitter username, university, city, age and salary range, and employer was also compromised. The Tasmanian Electoral Commission was also hit by this breach. The organization notes that while some of the stolen data is already public, the attacker may have also obtained names, addresses, email addresses, and dates of birth submitted by electors when applying for an express vote at recent elections. The list of organizations that has notified customers of the Typeform breach also includes Thriva, Birdseye, HackUPC, and Ocean Protocol.”

 –SecurityWeek

Reputational Risk

“A Danish bank’s Estonian operations may have been used to launder as much as 53 billion kroner ($8.3 billion), according to a recent report by a Danish newspaper. That’s considerably more than the 25 billion kroner previously estimated, the newspaper said. The revised figure was based on documents from a further 20 firms that had accounts at the bank’s Estonian office between 2007 and 2015. The bank expects to release the findings of an internal investigation of the money laundering breaches by September. A Danish government official said the bank’s internal probe won’t be enough to satisfy the government, and said he was awaiting the findings of other investigations. The bank was reprimanded in May by the Financial Supervisory Authority in Copenhagen and ordered to hold an additional 5 billion kroner in regulatory capital, among other disciplinary measures.”

 –The Globe and Mail

Legal, Litigation, & Regulatory Risk

“Many U.K. financial firms don’t have a Plan B to fall back on if they’re hit by a cyber-attack. The Bank of England wants to change that. Financial regulators told firms to come up with a detailed plan for restoring services such as payments, lending and insurance after a disruption, and to invest in the staff and technology to make it work. The plan should include time limits on how long an outage could last. “Boards and senior management should assume that individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options,” the Bank of England and the Financial Conduct Authority said. The discussion paper is part of the regulators’ effort to bolster the resilience of financial firms in response to a rising number of operational failures.”

