Cloud Host Breach Leads Roundup
Hackers Accessed Source Code, Database
In this week's breach roundup, cloud-hosting provider Linode reports a breach of its web servers that exposed source code and a database containing encrypted credit card numbers. Also, an unencrypted laptop stolen from the home of an employee at an Arizona counseling center contained sensitive information about mental health patients.
Hackers Breach Cloud Host's Servers
Cloud-hosting provider Linode says hackers breached its web servers, gaining access to a portion of its source code as well as a database that included encrypted credit card numbers.
A group known as HTP claimed responsibility for the breach, the company reports in an April 16 blog post on its website. Linode believes the hackers may have exploited a zero-day vulnerability in Adobe's ColdFusion application server, the post notes.
In addition to encrypted card numbers, the exposed database includes the last four digits stored in clear text to assist in lookups, the company says. So far, there's no evidence that decrypted credit card numbers were obtained by hackers, Linode says.
Because some passwords for the company's virtual console feature, known as Lish, were stored in clear text in the database, the company has invalidated all affected Lish passwords, which now must be reset.
Stolen Laptop Impacts Mental Health Patients
An unencrypted laptop stolen from the home of an employee at an Arizona counseling center contained sensitive information about hundreds of mental health patients.
Arizona Counseling and Treatment Services told the Yuma Sun that the home of one of its employees was burglarized the week of March 18. Information stored on the device includes names, dates of birth and treatment plans for more than 500 patients of Arizona Counseling and Treatment Services as well as Cenpatico Behavioral Health of Arizona, the newspaper reports.
The employee immediately filed a police report, and Arizona Counseling and Treatment Services is offering affected patients free credit monitoring.
Canadian Agency Reports Breach
The Investment Industry Regulatory Organization of Canada, which oversees all investment dealers and trading activity on debt and equity marketplaces in Canada, is notifying a number of investment firms of a breach involving the loss of a portable device that contained personal information on the firms' clients.
The agency says it conducted an internal investigation and hired a forensics company to determine what information was contained on the device. Although the agency did not reveal the nature of the information that was exposed, it's offering to place a six-year alert flag on affected individuals' credit files through Equifax Canada.
The agency did not reveal how many individuals were affected, but news outlet The Globe and Mail reports that 52,000 brokerage firm clients were impacted by the lost device.