What do public school students, BMW dealers, Canadian defense engineers, and the world’s richest human have in common? They all fell victim to some manner of cybercrime during March.
We’ve seen time and time again that no group is off-limits in the world of cybercrime, and the range of attacks we’re covering this month highlights cybercriminals’ lack of preference when there’s data and money on the line.
Biggest Cyber Attacks of March 2023
Minneapolis Public Schools Get a Hard Lesson
The troubling trend of cyber attacks on educational organisations and public services continued to escalate in March. Criminals not only breached deep troves of data in the Minneapolis public school system, but also leaked personal data of students and employees to the dark web. The early March attack tied up computer systems and communications throughout Minnesota’s largest school system for several days.
The situation worsened on 7 March, when the well-known Medusa ransomware group took credit for the breach and backed the claim by leaking a sample of employee and student data. That was followed by a wider leak on 17 March that included a deep reserve of personally identifiable information (PII).
According to CBS News, that leak involved “payroll information, protected health information, home addresses, phone numbers, disciplinary records, student records, pictures of students and staff, safety plans, union grievances, misconduct complaints and civil rights investigations.” The lasting damage from this attack on vulnerable individuals remains to be seen, but outrage amongst parents and community members remains strong.
Records Exposed: Personally identifiable data
Type of Attack: Ransomware
Industry: Public education
Date of Attack: March 2023
Location: Minneapolis, Minnesota
Key takeaway: If anyone needed more evidence of just how ruthless cybercriminals can be, the public exposure of thousands of children’s personal data should do the trick.
Unfortunately, security programs for public sector and governmental organizations are often underdeveloped and underfunded. The sprawling attack on Minneapolis Public Schools may well be only an early entry in a flurry of similar future attacks.
Twitter Source Code Turns Up on GitHub
Without wading too deeply into the many controversies surrounding Twitter of late, it seems safe to say that it has been an interesting several months for the social media giant’s security teams. The latest in a string of embarrassments for Twitter came on 24 March, when the company sent a copyright infringement (DMCA takedown) notice to the software development collaboration site GitHub.
Portions of Twitter’s source code had been posted to GitHub by an anonymous user under the name “FreeSpeechEnthusiast,” and had apparently been publicly accessible for several months before the takedown.
It isn’t known what, if any, damage Twitter may suffer due to the public availability of this behind-the-scenes information, but it is another bad look for a business that has seen a number of accusations and retaliations from former employees after widely publicised staff reductions. The leaker’s identity may soon be revealed, as the US District Court for the Northern District of California has issued a subpoena for GitHub to reveal the poster’s personal information.
For its part, Twitter voluntarily shared some of its source code on GitHub on 31 March, officially in the interest of increasing transparency.
Records Exposed: Source code
Type of Attack: Public exposure
Industry: Social media
Date of Attack: January-March 2023
Location: San Francisco, CA
Key takeaway: We can all do with periodic reminders that not all cybercrime is the work of organised gangs or even outside actors. An employee with access to sensitive information and a reason to bear a grudge can be just as damaging to an organization as a hack by foreign operatives. Businesses need a comprehensive offboarding plan that revokes repository access, credentials and tokens the moment employees are let go, and an inventory of which source code and secrets each departing person could have copied, or they should be prepared to deal with the online consequences.
Canadian Engineering Hack Could Entangle Infrastructure
Coming on the heels of a high-profile February cyber attack on Canadian retail giant Indigo Books and Music, a ransomware attack on engineering firm Black and McDonald drew less publicity but at least as much concern from experts. That’s because Black and McDonald works closely with the Canadian government on a number of infrastructure fronts, including military, power and transportation operations. Spokespeople for the company, the Canadian Defense Department and other potentially affected agencies have denied that any sensitive information was impacted.
Since Black and McDonald disclosed the attack on 8 March, details about the specifics of the attack, including the identity of possible perpetrators, have been scarce.
Given the nature of the engineering company’s business contacts, however, some experts have speculated on possible ties to foreign governments. Those suspicions are unconfirmed as yet, but even the possibility of a politically motivated data breach raises some serious concerns.
Records Exposed: Unconfirmed, allegedly non-sensitive information
Type of Attack: Ransomware
Industry: Engineering, government contracting
Date of Attack: February 2023
Location: Toronto, Ontario
Key takeaway: While it is understandable that a company that deals with as much potentially sensitive material as Black and McDonald does would be cagey about revealing details of a data breach, the nature of that material also makes it equally understandable for the public to have concerns. Transparency is usually the preferable path following a potentially damaging breach, especially when the specter of an international incident has been brought up.
BMW Security Gets Dinged Twice
Even luxury brands don’t get the luxury of avoiding missteps in the cybersecurity realm. BMW proved that the hard way in March with two incidents that underline the many ways bad actors can get at sensitive data. The first incident came to light on 10 March, when researchers with Cybernews discovered publicly exposed files on the BMW Italy website, including an unprotected environment file (.env) and an exposed .git directory, both served directly from the web root.
While it is unknown whether those exposed files were accessed by criminals, the risk is concrete: an exposed .git directory lets anyone reconstruct the repository, including the website’s source code and its full commit history, and .env files typically hold configuration secrets such as database credentials and API keys. Anything in either location should be treated as already disclosed.
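A quick way to check your own web roots for exactly this class of exposure is to probe the dotfile paths and confirm that what comes back is the real artifact rather than a catch-all 200 page. The checker below is an added example, not code from the page, Cybernews or BMW; the hostnames and responses in the fixture are constructed so it runs offline, and the `http_fetch` function is only used when you point `scan` at a real site you are authorised to test.

```python
"""Checker for web-root leaks of .git and .env files.

Added example; not code from the page, Cybernews or BMW.
The hosts and responses in _FAKE_SITE below are constructed for offline use.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Paths that must never answer 200 with recognisable content from a web root.
PROBES = ("/.git/HEAD", "/.git/config", "/.env")

# Content signatures that separate a real leak from a friendly "not found" page
# that still returns 200 (a common false positive on catch-all front ends).
_GIT_HEAD = re.compile(r"^(ref: refs/|[0-9a-f]{40}\s*$)")
_GIT_CONFIG = re.compile(r"^\s*\[core\]", re.M)
_ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=.*$", re.M)

# A fetcher maps a URL to (HTTP status, first few KiB of body).
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Network fetcher for real scans; only hit hosts you are allowed to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "dotfile-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def classify(path: str, status: int, body: str) -> Optional[str]:
    """Return a finding label only when the body looks like the real artifact."""
    if status != 200:
        return None
    if path == "/.git/HEAD" and _GIT_HEAD.match(body):
        return "git-head"
    if path == "/.git/config" and _GIT_CONFIG.search(body):
        return "git-config"
    if path == "/.env" and "<html" not in body.lower() and _ENV_LINE.search(body):
        return "env-file"
    return None


def scan(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Probe every path in PROBES and return {path: finding} for confirmed leaks."""
    findings: Dict[str, str] = {}
    for path in PROBES:
        status, body = fetch(base_url.rstrip("/") + path)
        label = classify(path, status, body)
        if label:
            findings[path] = label
    return findings


# Constructed fixture: one leaking host, one clean host with a catch-all 200 page.
_FAKE_SITE = {
    "https://shop.example/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://shop.example/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "https://shop.example/.env": (200, "APP_ENV=production\nDB_PASSWORD=hunter2\n"),
    "https://ok.example/.git/HEAD": (404, ""),
    "https://ok.example/.git/config": (404, ""),
    "https://ok.example/.env": (200, "<html><body>Not found</body></html>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch that answers from the constructed fixture."""
    return _FAKE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for host in ("https://shop.example", "https://ok.example"):
        print(host, scan(host, fake_fetch) or "clean")
```

If a scan reports a finding, the remediation is not just to block the path: move `.git` and `.env` out of the document root, configure the web server to deny any request for a path component beginning with a dot, and rotate every secret that was in the `.env` file or in the repository history, since you cannot know who fetched it first.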
In an apparently unrelated incident later in the month, BMW France was breached by the up-and-coming Play ransomware group. Play is best known as the perpetrators of a damaging attack on the city of Oakland, California in February.
The BMW attack reportedly yielded “contracts, financial information, and client documents” among other personally identifiable information. The automaker has been given two weeks to meet Play’s ransom demands before the materials are posted to the dark web. Having recently posted data from the Oakland attack, the gang appears prepared to follow through on those threats.
Records Exposed: .git repository files, .env environment file, personally identifiable data
Type of Attack: Ransomware, public exposure
Industry: Automotive
Date of Attack: 10 March 2023 (BMW Italy exposure discovered) and 29 March 2023 (BMW France ransomware)
Location: Italy and France
Key takeaway: While there seems to be no evidence that the attack on BMW France is connected to the security lapse at BMW Italy, the appearance of compromise can be damaging in its own right.
Lax handling of sensitive files being revealed so close to a major data breach is a bad look for a company whose image revolves around high standards of operational quality. While companies of all sizes and statuses are vulnerable to cybercrime, those with upscale reputations may find they have more at stake in this kind of attack.
There you have it. It doesn’t matter what car you drive, what school you attend, or what social media platform you purchase — bad online actors are gunning for your data. Your surest line of defense against these kinds of breaches is a professional-grade cybersecurity system from Arctic Wolf.