Let's kick off the week with some other happenings in the world of infosec.
Bamboo spills beans on hack attack
Cloud-based human-resources biz BambooHR has admitted that some companies using its Trax online payroll service were hacked, and sensitive private data, primarily names and full US social security numbers of employees, was exposed to miscreants. The software-as-a-service outfit told El Reg on Friday it was working with law enforcement to figure out what happened.
"The information of a handful of our Trax customers was compromised this past week, and we secured the information for these affected customers very quickly," a Bamboo spokesperson said. "We are in contact with their legal teams, insurance companies, and the FBI to make sure our customers are safe and secure."
One thing to note here: when Bamboo says "a handful" of customers were exposed, it's not referring to the number of people, but rather companies that use the service. Those "customers" can in fact be businesses that manage the data of hundreds or thousands of individual employees. So even if only a few accounts were accessed we could still see a significant number of people exposed.
Also, Bamboo is being weirdly cagey about the details: it's not clear if companies were hacked by poorly securing their Trax accounts, such as using weak passwords, or if the Trax backend itself was compromised, and only some customer records were taken before the intrusion was caught and stopped. Bamboo declined to confirm either way.
Wendy's tosses $50m on the grill to settle breach case
Fast food chain Wendy's says it has agreed to pay $50m to settle the class-action suit filed on behalf of customers whose card details were slurped in 2015 and 2016 when a malware infection was spreading through its cash registers.
"With this settlement, we have now reached agreements in principle to resolve all of the outstanding legal matters related to these criminal cyberattacks," CEO Todd Penegor said of the deal.
"We look forward to putting this behind us so that we can continue to focus on growing the Wendy's brand."
While insurance will help to cover some of the settlement cash, Wendy's says it will still have to shell out around $27.5m of its own money to cover the remainder of the payout.
The cash will go to the banks and financial institutions who had to deal with the stolen cards, and as always the lawyers who brought the case will also be able to collect a healthy payout from the $50m pile of cash.
NeverQuest hacker pleads guilty
A Russian man has admitted to using a banking trojan called NeverQuest to take millions of dollars from Americans.
Stanislav Lisov plead guilty to a single count of conspiracy to commit computer hacking and now faces five years behind bars.
Lisov, who was arrested in Spain in 2017 and extradited to the US a year later, admitted to infecting PCs with Neverquest and using the resulting botnet to mass-harvest bank account credentials.
According to the DOJ, at its peak the botnet was harvesting "millions" of accounts for Lisov to access and drain.
How much is your Facebook account worth? A lousy £3
Your Facebook account won't net the typical hacker even enough to purchase a decent cup of java.
This according to a report from MoneyGuru, which found that the going rate for a stolen account on the social network was a mere £3. By comparison, an AppleID account would fetch around £10.30 and Netflix credentials go for £8.20.
Even Instagram accounts were deemed more valuable than Facebook, with individual credentials going for £4.80 on average.
"There are few better ways to gain insight into someone’s life than their social media accounts," says MoneyGuru.
"These details are frequently stolen to sell to companies with little scruples about targeted advertising. It’s also a fast track to identity theft as they can take control of your accounts, lock you out and cause serious reputational damage in a short space of time."
Crikey! Aussie hospital gets 15,000 records ransomed
An Australian hospital says some 15,000 of its patient records are being held for ransom by hackers.
The Age says that Cabrini hospital in Malvern was hit by what it calls a "digital crime syndicate", (which seems like an odd way to describe a ransomware infection) and, despite caving in and paying up the demanded cryptocurrency, it still hasn't been able to get back all of the encrypted records.
This is where we point out that paying ransomware demands is not a good idea. Even when you comply, you're more likely than not to still lose your data. Instead, make regular backups and be prepared to wipe and restore your devices if need be.
Microsofties rebel over military HoloLens project
A bit of unrest is brewing in Redmond over a controversial project Microsoft is planning with the US government.
A group called Microsoft Workers for Good is flogging an open letter to CEO Satya Nadella, and president Brad Smith asking that they reconsider a project called "IVAS" which uses the HoloLens technology to train soldiers in combat situations. In this case, the group argues, HoloLens is being used to make the soldiers more capable of killing, something they object to.
"We did not sign up to develop weapons," the group declares, "and we demand a say in how our work is used."
Hackers flogging Pakistani bank accounts
Researchers with Russian security firm Group-IB say they have spotted a massive cache of bank accounts from Pakistan being flogged on darknet markets.
The databases are said to be valued at around $3.5m in all and include more than 69,000 cards with PINs. The accounts are priced at $50 each, and nearly all appear to originate from one bank, Meezan.
"The scale, volume, frequency and connection to one institution contributes to the theory that the leak might be involved in a larger incident, potentially an advanced actor gaining access to card systems within Pakistan," said researcher Dmitry Shestakov. ®