In one look.
- Possible data leak at the University of Kashmir.
- Insurance company vulnerable to data exposure.
- Third-party data breach affects Priority Health.
Possible data leak at the University of Kashmir.
The Kashmir Monitor reports that the University of Kashmir has launched an investigation into an alleged data leak. “I just spotted an alleged Kashmir University database being sold on a hacking forum. The threat actor is called ‘ViktorLustig’ selling @KmrUniversity database for $250. He shared a database index showing what he has,” DroidMaze reporter Abhishek Verma said in a tweet. According to a later tweet from Verma, it is revealed that if the database is legit, the actor from the threat has information about students, registration numbers, emails, passwords, employees and more data.The forum admin claims that the database is legit, but the university claims that in its preliminary investigation it found that the data was unaltered. A university spokesperson said: “The alleged breach is being analyzed and, based on the preliminary analysis, it was found that the data was not changed. Any breach of Read Data (which is already accessible in the public domain) is thoroughly analyzed and based on the analysis, the University will take further action and appropriate legal remedy accordingly.
Insurance company vulnerable to data exposure.
A cybersecurity startup discovered critical vulnerabilities in the network of a major Indian insurance broker, the AP reports. CyberX9, the startup that discovered the vulnerabilities, did what any ethical hacker would do and gave Policybazaar, the brokerage firm involved, time to fix the flaws and notify the authorities. CyberX9 did not ask to test the system, rather they believed they were justified in their access as they were clients of the brokerage. Policybazaar notified the Indian exchange of the breach and noted that there was “no significant customer data exposure.” It also indicates that it fixed the vulnerabilities. CyberX9 says the data accessed was more than just phone numbers, addresses and emails – it also included scans of photo IDs and medical and financial documents such as tax returns, bank statements and birth certificates because they are all collected when people apply for insurance.
It is unclear how this will turn out for CyberX9, as Indian laws make little distinction between ethical hacking and malicious hacking. Apar Gupta, executive director of the non-profit Internet Freedom Foundation, said: “There’s an ambiguity in the law – it says you can’t test without permission and only after that can you probe.” Security experts seem to find CyberX9’s actions justified because they were customers, as long as they made their assessment responsibly. The startup says it would be happy to receive a “bug bounty” for its work, although none has been paid.
Third-party data breach affects Priority Health.
Priority Health, a plan serving more than one million members in Michigan each year, issued a notice regarding a third-party data breach that took place at Warner Norcross & Judd (WNJ) law firm in October 2021 .HealthITSecurity reports this unauthorized activity was discovered on the law firm’s network on October 22, 2021, and steps have been taken to secure the network. The company disclosed the incident to Priority Health on June 6, 2022. While there was no evidence of misuse of the hacked data, the data involved included first and last names, pharmacy information, and claims, drug names and prescription dates of certain prescriptions filled. in 2012. More than 120,000 Priorité Santé members were affected. The company’s notice read, “WNJ has sent notification of the incident to those potentially affected and provided resources to assist them.”