British Airways says a further 185,000 payment cards possibly hit in cyber attack

FILE PHOTO - People queue with their luggage for the British Airways check-in desk at Gatwick Airport in southern England, Britain, May 28, 2017. REUTERS/Hannah McKay

(Reuters) – International Airlines Group said an investigation into the theft of customers’ data at its unit British Airways showed the hackers may have stolen personal information from an additional 185,000 payment cards.

BA said in September that around 380,000 card payments were compromised, with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.

On Thursday, British Airways revised that number down, saying that only 244,000 of those originally identified were affected, but said additional customers could have been affected.

On the whole, the total number of payment cards potentially affected stood at 429,000 as of Thursday.

The hackers obtained names, street and email addresses, credit card numbers, expiry dates and in some cases, security codes – sufficient information to steal from accounts.

(Reporting by Arathy S Nair in Bengaluru; Editing by Elaine Hardcastle)

Japan hit by another cryptocurrency heist, $60 million stolen

The silhouette of Japan's highest mountain Mount Fuji is seen beyond buildings in Tokyo in a file photo. REUTERS/Issei Kato

By Taiga Uranaka

TOKYO (Reuters) – Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.

Tech Bureau, which had already been slapped with two business improvement orders by regulators this year, said its Zaif exchange was hacked over a two-hour period on Sept. 14. It detected server problems on Sept. 17, confirmed the hack the following day, and notified authorities, the exchange said on Thursday.

Following the hack, Tech Bureau said it had agreed with JASDAQ-listed Fisco Ltd to receive a 5 billion yen ($44.59 million) investment in exchange for majority ownership. The proceeds from the investment would be used to replace the digital currencies stolen from client accounts.

However, Fisco said in a statement the 5 billion yen in “financial assistance” may change in value if the amount affected by the heist changes upon further investigation.

Documents seen by Reuters on Thursday showed Japan’s Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators’ management of customer assets, following the theft. FSA officials were not immediately available for comment.

Japan’s crypto exchanges have been under close regulatory scrutiny after the theft of $530 million in digital coins at Tokyo-based cryptocurrency exchange Coincheck Inc. in January. Coincheck has since been acquired by Japanese online brokerage Monex Group Inc.

In the industry-wide check that followed the Coincheck theft, FSA said it found sloppy management at many exchanges, including the lack of proper safeguards for client assets and basic anti-money laundering measures.

In the Tech Bureau theft, virtual currencies worth about 6.7 billion yen ($59.67 million), including Bitcoin, Monacoin and Bitcoin Cash, were stolen from the exchange’s “hot wallet”. About 2.2 billion yen worth of the stolen currency was its own while the remaining 4.5 billion yen belonged to customers, it said.

Hot wallets are connected to the internet. Industry experts consider them to be more vulnerable to hacks than “cold wallets”, which are not connected to the internet.

The latest hack is likely to affect the FSA’s ongoing regulatory review of the industry. Other countries are also grappling with how to regulate the crypto market.

Japan last year became the first country to regulate cryptocurrency exchanges, as it encourages technological innovation while ensuring consumer protection. Exchanges have to register with the FSA and meet required reporting and other responsibilities.

FSA said last week more than 160 entities have expressed interest in entering the cryptocurrency exchange business but FSA has not issued any approval since December last year.

Toshihide Endo, FSA commissioner, told Reuters in an interview last month that the agency is trying to strike a balance between safeguarding clients and technological innovation.

“We have no intention to curb (the crypto industry) excessively,” he said. “We would like to see it grow under appropriate regulation.”

($1 = 112.1400 yen)

(Additional reporting by Chang-Ran Kim and Takahiko Wada; Editing by Shri Navaratnam and Sam Holmes)

British Airways apologizes after 380,000 customers hit in cyber attack

Commuters pass a British Airways advert on the tube at Canary Wharf station in London, Britain September 7, 2018. REUTERS/Kevin Coombs

By Paul Sandle

LONDON (Reuters) – British Airways was forced to apologize on Friday after the credit card details of hundreds of thousands of its customers were stolen over a two-week period in the most serious attack on its website and app.

The airline discovered on Wednesday that bookings made between Aug. 21 and Sept. 5 had been infiltrated in a “very sophisticated, malicious criminal” attack, BA Chairman and Chief Executive Alex Cruz said. It immediately contacted customers when the extent of the breach became clear.

Around 380,000 card payments were compromised, the airline said, with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.

The attack came 15 months after the carrier suffered a massive computer system failure at London’s Heathrow airport, which stranded 75,000 customers over a holiday weekend.

Shares in BA’s parent, International Airlines Group, were down 2 percent in afternoon trading on Friday.

Cruz said the carrier was “deeply sorry” for the disruption caused by the attack which was unprecedented in the more than 20 years that BA had operated online.

He said the attackers had not broken the airline’s encryption but did not explain exactly how they had obtained the customer information.

“There were other methods, very sophisticated efforts, by criminals in obtaining the data,” he told BBC radio.

IT security company Avast said that based on the limited information available the attackers had probably targeted a gateway between the airline and a payment processor because no travel details had been stolen.

“Quite often, when it’s just a hack of a database somewhere it is hard to identify when something has been compromised,” Avast’s consumer security expert Pete Turner said.

“This feels much more like a transaction-type attack, where data is moving about within the system.”

COMPENSATION

The British government said authorities including the National Cyber Security Centre and the National Crime Agency were working to establish what had happened.

The country’s Information Commissioner’s Office said it had been alerted by BA and it was making inquiries. Under new GDPR data regulations, companies must inform regulators of a cyber attack within 72 hours.

BA advised customers to contact their bank or credit card provider and follow their recommended advice. It also took out ads in national newspapers on Friday.

Cruz said anyone who lost out financially would be compensated by the airline.

Data security expert Trevor Reschke said that like any website which sees large volumes of card transactions, BA was a ripe target for hackers.

“It is now a race between British Airways and the criminal underground,” said Reschke, head of threat intelligence at Trusted Knight.

“One will be figuring out which cards have been compromised and alerting victims, whilst the other will be trying to abuse them while they are still fresh.”

NatWest, one of Britain’s biggest card issuers, said it was receiving higher-than-usual call volumes because of the breach.

It said in a recorded message that its security systems would likely stop any fraud as a result of the hack but anyone affected should look out for unusual activity on their accounts.

IAG said the data breach had been resolved and the website was working normally, and that no travel or passport details were stolen.

After the computer system failure in May 2017, BA said it would take steps to ensure such an incident never happened again, but in July it was forced to cancel and delay flights out of the same airport due to problems with a supplier’s IT systems.

(Reporting by Paul Sandle and James Davey in London and Sangameswaran S and Rama Venkat Raman in Bengaluru; Editing by Keith Weir)

Cyber-attack on Singapore health database steals details of 1.5 million, including PM

Singapore Prime Minister Lee Hsien Loong in Manila, Philippines November 14, 2017. REUTERS/Aaron Favila/Pool

By Jack Kim

SINGAPORE (Reuters) – A major cyber attack on Singapore’s government health database stole the personal information of about 1.5 million people, including Prime Minister Lee Hsien Loong, the government said on Friday.

The attack, which the government called “the most serious breach of personal data” that the country has experienced, comes as the highly wired and digitalized state has made cybersecurity a top priority for the ASEAN bloc and for itself.

Singapore is this year’s chair of the 10-member Association of Southeast Asian Nations (ASEAN) group.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack,” a government statement said.

“It was not the work of casual hackers or criminal gangs,” the joint statement by the Health Ministry and the Ministry of Communications and Information said.

About 1.5 million patients who visited clinics between May 2015 and July 4 this year have had their non-medical personal particulars illegally accessed and copied, the statement said.

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines,” it said.

A Committee of Inquiry will be established and immediate action will be taken to strengthen government systems against cyber attacks, the Ministry of Communications said in a separate statement.

It did not provide details about what entity or individuals may have been behind the attack.

Lee, in a Facebook post following the announcement, said the breach of his personal medical data was not incidental and he did not know what information the attackers were hoping to find.

“My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it,” he said.

(Reporting by Jack Kim; Editing by Clarence Fernandez and Michael Perry)

Exclusive: Ukraine says Russia hackers laying groundwork for massive strike

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by cyber attacks, in Kiev, Ukraine June 27, 2017. Picture taken June 27, 2017. REUTERS/Valentyn Ogirenko

By Pavel Polityuk

KIEV (Reuters) – Hackers from Russia are infecting Ukrainian companies with malware to create so-called ‘back doors’ for a large coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday, almost a year after a strike on Ukraine spread around the world.

Affected companies range across various industries, such as banks or energy infrastructure. The pattern of the malware being rolled out suggests the people behind it want to activate it on a particular day, Serhiy Demedyuk said.

Demedyuk said his staff were cooperating with foreign agencies to track the hackers, without naming the agencies.

Police had identified viruses designed to hit Ukraine since the start of the year, including phishing emails sent from legitimate domains of state institutions whose systems were hacked, or a fake webpage mimicking that of a real state body.

They had intercepted hackers sending malware from different sources and broken into various components so as to remain undetected by antivirus software until activated as a single unit, Demedyuk said.

“Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day,” he said.

Relations between Ukraine and Russia plunged following Russia’s annexation of Crimea in 2014, and Kiev has accused Russia of orchestrating large-scale cyber attacks as part of a “hybrid war” against Ukraine, which Moscow repeatedly denies.

Some attacks coincided with major Ukrainian holidays and Demedyuk said another strike could be launched on Thursday — Constitution Day — or on Independence Day in August.

On June 27 last year, the country was hit by a massive strike known as “NotPetya”, which knocked out Ukrainian IT systems before spreading around the world. The United States and Britain joined Ukraine in blaming Russia for the attack.

Demedyuk said the scale of the latest detected preparations was the same as NotPetya.

“This is support on a government level – very expensive and very synchronized. Without the help of government bodies it would not be possible. We’re talking now about the Russian Federation,” he said.

“Everything we’re seeing, everything we’ve intercepted in this period: 99 percent of the traces come from Russia.”

The Kremlin did not immediately respond to a request for comment.

Ukraine is better prepared to withstand such attacks thanks to cooperation with foreign allies since the NotPetya strike, Demedyuk said. Ukraine has received support from the U.S., Britain and NATO among others to beef up its cyber defenses.

But Demedyuk said some Ukrainian companies had not bothered to clean their computers after NotPetya struck, leaving machines still infected by the virus and vulnerable to being used for another attack.

“We are sounding the alarm to remind people – come to your senses, check your equipment,” he said. “It’s better to be on the safe side than clean up a mess like last time.”

He also appealed to global companies who were hit by NotPetya, including U.S. and European firms in Ukraine, to share details of their investigations and steps to localize the hack.

“They have a huge amount of very interesting evidence, which they store themselves. We would like it if they weren’t scared and approached us.”

(Additional reporting by Margarita Popova in Moscow; writing by Matthias Williams; editing by Philippa Fletcher)

Atlanta officials reveal worsening effects of cyber attack

(Reuters) – The Atlanta cyber attack has had a more serious impact on the city’s ability to deliver basic services than previously understood, a city official said at a public meeting on Wednesday, as she proposed an additional $9.5 million to help pay for recovery costs.

Atlanta’s administration has disclosed little about the financial impact or scope of the March 22 ransomware hack, but information released at the budget briefings confirms concerns that it may be the worst cyber assault on any U.S. city.

More than a third of the 424 software programs used by the city have been thrown offline or partially disabled in the incident, Atlanta Information Management head Daphne Rackley said. Nearly 30 percent of the affected applications are considered “mission critical,” affecting core city services, including police and courts.

Initially, officials believed the reach of the cyber assault on city software was close to 20 percent and that no critical applications were compromised, Rackley said.

“It’s a lot more… it seems to be growing every day,” she told the Atlanta City Council, which must vote on a fiscal 2019 budget by the end of the month.

Rackley anticipated an additional $9.5 million would be needed by her department in the coming year due to the hacking. That would be a sharp increase from the $35 million Mayor Keisha Lance Bottoms suggested for the technology department in her budget pitch, which was delayed in the cyber incident.

Top city officials are still discovering the extent of the ransomware incident, in which hackers demanded $51,000 worth of bitcoin for the release of encrypted city data. Atlanta has said it did not pay the ransom.

Departments citywide, including municipal courts, told the council on Wednesday about their struggles to regain workplace normalcy since the attack. Interim City Attorney Nina Hickson said her office lost 71 of 77 computers as well as a decade of legal documents.

The discussions came two days after Atlanta Police Chief Erika Shields told local television news station WSB-TV 2 that the hack wiped out police dash-cam recordings. “That is lost and will not be recovered,” she said in a brief televised interview.

City Council President Felicia Moore told the administrators she was frustrated by how little she has been told about the cyber attack investigation. Many times, Moore said, she learns about developments in the news. “Something has to give,” she said.

Councilman Howard Shook, chair of the finance committee, asked how much attack-related costs have risen elsewhere in the city since the budget proposal was put together.

“A lot of water has gone over the dam since then,” Shook said.

In response, administrators said they were still working on determining total costs. Deputy Chief Financial Officer John Gaffney, whose department helps develop the mayor’s budget proposal, said the city was still in the “response phase.”

(Reporting by Laila Kearney; Editing by Leslie Adler)

Cyber firms, Ukraine warn of planned Russian attack

Power lines are seen near the Trypillian thermal power plant in Kiev region, Ukraine November 23, 2017. REUTERS/Valentyn Ogirenko

By Jim Finkle and Pavel Polityuk

TORONTO/KIEV (Reuters) – Cisco Systems Inc warned on Wednesday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malicious software – activity Ukraine said was preparation for a future Russian cyber attack.

Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack against Ukraine ahead of the Champions League soccer final, due to be held in Kiev on Saturday.

“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final,” it said in a statement after Cisco’s findings were released.

Russia has previously denied assertions by Ukraine, the United States, other nations and Western cyber-security firms that it is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and interference in the 2016 U.S. presidential election.

The Kremlin did not immediately respond to a request for comment submitted by Reuters on Wednesday.

Cisco said the new malware, dubbed VPNFilter, could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

“With a network like this you could do anything,” Williams told Reuters.

CONSTITUTION DAY ATTACK

The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the Cyber Threat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.

Members include Cisco, Check Point Software Technologies Ltd, Fortinet Inc, Palo Alto Networks Inc, Sophos Group Plc and Symantec Corp.

“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.

The devices infected with VPNFilter are scattered across at least 54 countries, but Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.

Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is poised to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.

Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.

They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.

VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.

The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.

The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.

(Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich)

Russia: our response to U.S. sanctions will be precise and painful

FILE PHOTO: A view shows a tower of the Kremlin (R) and the Foreign Ministry headquarters (back) in Moscow, Russia March 16, 2018. REUTERS/Maxim Shemetov/File Photo

MOSCOW (Reuters) – Valentina Matvienko, the speaker of the Russian upper house of parliament, said on Wednesday that Moscow’s response to U.S. sanctions will be targeted and painful, Russian news agencies reported.

The United States this month added several Russian firms and officials to a sanctions blacklist in response to what it said were the Kremlin’s “malign activities”. Moscow says those sanctions are unlawful and has warned that it will retaliate.

“No one should be under any illusions,” Matvienko, who is closely aligned with the Kremlin, was quoted as saying by the Interfax news agency.

“Russia’s response to the sanctions, our so-called counter-sanctions, will be precise, painful, and without question sensitive for exactly those countries that imposed them (the sanctions) on Russia,” she was quoted as saying.

“Sanctions are a double-edged sword and those who impose them should understand that sanctions against countries, especially those like Russia, will carry with them risks of serious consequences for those who impose them.”

Lawmakers in the lower house of the Russian parliament have drawn up legislation that would give the government powers to ban or restrict imports of U.S. goods and services ranging from medicines to software and rocket engines. However, the Kremlin has not yet said if it backs such measures.

A senior U.S. administration official said on Monday President Donald Trump has delayed imposing additional sanctions on Russia and is unlikely to approve them unless Moscow carries out a new cyber attack or some other provocation.

(Reporting by Maria Kiselyova; Writing by Christian Lowe; Editing by Catherine Evans)

Iran hit by global cyber attack that left U.S. flag on screens

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

DUBAI (Reuters) – Hackers have attacked networks in a number of countries including data centers in Iran where they left the image of a U.S. flag on screens along with a warning: “Don’t mess with our elections”, the Iranian IT ministry said on Saturday.

“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country,” the Communication and Information Technology Ministry said in a statement carried by Iran’s official news agency IRNA.

The statement said the attack, which hit internet service providers and cut off web access for subscribers, was made possible by a vulnerability in routers from Cisco which had earlier issued a warning and provided a patch that some firms had failed to install over the Iranian new year holiday.

A blog published on Thursday by Nick Biasini, a threat researcher at Cisco’s Talos Security Intelligence and Research Group, said: “Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol…

“As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths.”

On Saturday evening, Cisco said those postings were a tool to help clients identify weaknesses and repel a cyber attack.

Iran’s IT Minister Mohammad Javad Azari-Jahromi posted a picture of a computer screen on Twitter with the image of the U.S. flag and the hackers’ message. He said it was not yet clear who had carried out the attack.

Azari-Jahromi said the attack mainly affected Europe, India and the United States, state television reported.

“Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” Azari-Jahromi was quoted as saying.

In a tweet, Azari-Jahromi said the state computer emergency response body MAHER had shown “weaknesses in providing information to (affected) companies” after the attack which was detected late on Friday in Iran.

Hadi Sajadi, deputy head of the state-run Information Technology Organisation of Iran, said the attack was neutralized within hours and no data was lost.

(Reporting by Dubai newsroom, additional reporting by Dustin Volz in Washington; editing by Ros Russell and G Crosse)

Saks, Lord & Taylor hit by payment card data breach

The Lord & Taylor flagship store building is seen along Fifth Avenue in the Manhattan borough of New York City, U.S., October 24, 2017. REUTERS/Shannon Stapleton

By Jim Finkle and David Henry

TORONTO/NEW YORK (Reuters) – Retailer Hudson’s Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.

One cyber security firm said that it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case.

Toronto-based Hudson’s Bay said in a statement that it had “taken steps to contain” the breach but did not say it had succeeded in confirming that its network was secure. It also did not say when the breach had begun or how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

A company spokeswoman declined to elaborate.

The breach comes as Hudson’s Bay struggles to improve its financial performance as a tough retail environment has weighed on sales and margins. Last June, it launched a transformation plan to cut costs and is working to monetize the value of its substantial real estate holdings.

Hudson’s Bay disclosed the incident after New York-based cyber security firm Gemini Advisory reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group known as JokerStash.

JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.

The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson’s Bay units, Chorine told Reuters by telephone.

The bulk of the 5 million card numbers that JokerStash said it plans to release are likely from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.

“It’s hard to assess at the moment, primarily because hackers have not released the entire cards in one batch,” he told Reuters.

Alex Holden, chief information security officer with cyber security firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson’s Bay.

If in fact millions of records were stolen, the breach would be one of the largest involving payment cards in the past year, but it would still be far smaller than any of the biggest thefts on record, which occurred a decade ago.

Hackers stole more than 130 million credit cards from credit-card processor Heartland Payment Systems, convenience store operator 7-Eleven Inc and grocer Hannaford Brothers Co, from 2006 to 2008, according to U.S. federal investigators.

Cyber criminals stole some 40 million payment cards in a 2013 hack on Target Corp and 56 million from Home Depot Inc in 2014.

Hudson’s Bay said there is no indication its recent breach involved online sales at Saks and Lord & Taylor outlets or its Hudson’s Bay, Home Outfitters and HBC Europe units.

The company said that customers will not be liable for fraudulent charges resulting from the breach.

(Reporting by Jim Finkle in Toronto and David Henry in New York; Editing by Bill Rigby and Steve Orlofsky)