Cyber attacks and data breaches in review: October 2019

It was a mixed bag this month in terms of cyber attacks and data breaches. On the one hand, the 421,103,896 data records that were confirmed to have been compromised represents about half of the monthly average. 

But on the other hand, the 111 incidents accounts for the highest monthly total this year. 

As we do every month, let’s review some of the most notable incidents that took place in Europe.  


Sixth June hit by formjacking

Thousands of online shoppers at the French fashion retailer Sixth June have had their personal and financial information compromised following a formjacking attack. 

Formjacking works by inserting malicious code into the payment form of an organisation’s online checkout and siphoning off customers’ card details. 

The payment proceeds as normal, and the only way a customer will know they’ve been attacked is when charges show up on their bank statement or the organisation discloses a breach. 

It would have been even harder for Sixth June to identify the breach, as the criminal hackers used a fake Google Tag Manager snippet to hide the malicious activity. 

Fortunately, a security researcher identified the malicious JavaScript code and contacted the organisation’s CEO, Jean-Jacques Gov, on 28 October. 

However, it took another two days for the organisation to secure its payment systems. 

It’s understandable that there might be a slight delay because Sixth June’s staff will have had to confirm that its systems were indeed compromised. But given the severity of the claims, you’d have thought this would be an urgent matter. 

Instead, the site – which has about 70,000 monthly visitors – was exposing customers’ data for a significant length of time and didn’t tell customers that it was investigating the incident. 

This, more than the breach itself, is likely to anger Sixth June customers. Every organisation comes under attack from time to time, and the public is starting to accept it. However, it’s precisely for this reason that organisations should be equipped to address security concerns promptly. 

The scale of the incident is currently unknown, but more information should come to light when Sixth June completes its investigation and contacts affected customers. 


Thérapie Clinic investigates security incident

Earlier this month, the beauty treatment chain Thérapie Clinic confirmed that its investigating a possible data breach involving patient records. 

The organisation has stores across the UK, Ireland and India, but it’s unclear which stores were affected by this incident. The clinic only stated that personal data may have been accessed or taken without permission by a former employee. 

That sounds like a classic case of an employee stealing information after being fired or quitting. 

Looking to get revenge against their employer, the individual logs on to the company intranet to steal or alter customer information. 

The employee might also have had access to patient data if they still had office keys, or if they were aware of a security loophole that allowed them to enter the building after hours. 

However former employees might breach company data, organisations must be more vigilant. That means having robust network and physical security, and remembering to scrub login details as soon as a member of staff is no longer employed. 

The lesson could be particularly harsh for Thérapie Clinic, as the stolen information is considered medical data. That’s because the clinics offer services such as Botox injections, which in Ireland can only be administered by a doctor or dentist. 


Prostitutes and their customers embroiled in personal data dump

October saw a series of data leaks at online prostitution forums, with the email addresses of escorts and their customers being compromised. 

Hookers.nl, a forum for those involved in the sex industry in the Netherlands, Belgium and Germany, was the first to confirm that it had been hacked. All 250,000 users were affected. 

Shortly after this breach was disclosed, ZDNet confirmed further two further breaches at sex-related forums. 

Individuals have every right to be concerned whenever their contact information is exposed, but the nature of these breaches will only increase their unease. There’s a genuine possibility that a cyber criminal will purchase these records on the dark web and use the information to blackmail data subjects. 

That’s exactly what happened when the adultery hook-up site Ashley Madison was hacked in 2015. Data subjects were forced to pay the equivalent of £418 or risk the criminals leaking their identities. 

Experts routinely recommend that victims don’t pay up when being extorted by cyber criminals. However, given the subject matter involved in some of these cases, you could forgive someone for acquiescing to the criminals’ demands even if there’s only a slim chance that they’ll keep their word and delete the information. 


Subscribe to our weekly newsletter

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.