Amazon, Delta employee PII exposed in data breaches
Amazon and Delta Airlines both confirmed this week that a data breach exposed information about an untold number of their respective employees. In the case of Amazon, 2.8 million lines of employee data, including work email addresses, desk phone numbers, and building locations were stolen. Both breaches occurred because of a security vulnerability in the MOVEit file transfer system, which is believed to have first been exploited in May 2023.
The breach underscores the critical importance of timely patch management, robust security practices, and vigilance against emerging threats.
A Delta Airlines spokesperson told Recorded Future News that an internal investigation had revealed that an internal directory managed by a third-party partner had been compromised.
“The dataset includes things like names, contact information, and office location but no sensitive personal information,” a Delta spokesperson told Recorded Future News.
The Amazon breach also occurred to a third-party property management vendor which was responsible for managing the company’s employee contact information. Amazon’s internal systems, including Amazon Web Services (AWS), remained secure, according to the company, and no sensitive personal data such as Social Security numbers or financial information were compromised.
“Amazon and AWS systems remain secure, and we have not experienced a security event,” said Amazon spokesperson Adam Montgomery. “We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations.”
Amazon Web Services is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments on a metered, pay-as-you-go basis.
The Amazon breach was revealed by the threat actor calling itself Nam3L3ss, who posted the 2.8 million lines of Amazon employee data on BreachForums. Nam3L3ss claims to have “well over 250 terabytes of archived database files” and warned that it can “download entire databases from exposed web sources including mysql, postgres, SQL Server databases and backups, azure databases and backups etc.”
Nam3L3ss further claimed that the published data represents “less than .001%” of its total cache and has threatened to release information from as many as 1,000 previously unidentified breaches.
Hudson Rock Co-Founder and CTO Alon Gal said in a blog post Monday that “Nam3L3ss has since made several dark web posts claiming they are not a hacker and simply download data posted to ransomware sites or data held on unsecured storage platforms. The person claimed they are not selling the data and are releasing it in anger towards prominent companies that do not protect user information. In another post, Nam3L3ss attributed their actions to a recent controversy in Columbus, Ohio in which a cybersecurity researcher was sued for accessing city data stolen by a ransomware gang. The lawsuit was dropped two weeks ago.”
The cybersecurity firm Emsisoft estimates that nearly 3,000 organizations were impacted by exploits of the MOVEit vulnerability and that the records of nearly 96 million people were stolen.
Gal said the stolen information “contain[s] detailed employee information, including names, email addresses, phone numbers, cost center codes, and, in some cases, entire organizational structures.” Gal added that “such data could serve as a goldmine for cybercriminals seeking to engage in phishing, identity theft, or even social engineering attacks on a large scale.”
It’s unclear whether Nam3L3ss is the same entity that goes by the moniker C10p, the ransomware gang believed to have first exploited the MOVEit vulnerability. No publicly available information directly ties the two to one another, and multiple threat actors can exploit the same vulnerability independently. Without concrete evidence, it cannot be conclusively stated that Nam3L3ss and C10p are the same entity.
In May 2023, C10p exploited the MOVEit vulnerability to conduct a widespread data theft campaign. The group deployed a web shell named LEMURLOOT to exfiltrate data from compromised MOVEit Transfer servers. This attack impacted more than 1,000 organizations and exposed the sensitive information of more than 60 million individuals. It has been estimated that the gang earned anywhere from $75 million to $100 million in ransom.
The group is said to be a Russian-speaking cybercriminal organization that has been active since at least 2019. C10p has targeted major organizations worldwide, employing sophisticated malware and extortion techniques. The group is notorious for demanding substantial ransom payments and threatening to leak stolen data if their demands are not met.
Cybersecurity and Infrastructure Security Agency (CISA) officials said last year that they do not believe the MOVEit attacks were coordinated by the Russian government.
Both CISA and the Federal Bureau of Investigation (FBI) have issued advisories detailing the group’s tactics, techniques, and procedures, providing indicators of compromise and mitigation strategies to defend against such attacks.
The MOVEit vulnerability has been central to significant cybersecurity incidents since at least mid-2023, and has had widespread repercussions, impacting multiple organizations beyond Amazon. Nam3L3ss, which has been particularly active in the cybercrime community, has engaged in data breaches affecting multiple organizations. The group used the MOVEit flaw to breach at least 25 companies, exposing employee information such as names and contact details.
The methods employed by Nam3L3ss involve exploiting vulnerabilities in third-party vendors and leveraging misconfigured cloud storage services. They have been known to download entire databases from exposed web sources, including MySQL, PostgreSQL, and SQL Server databases, as well as backups from Azure and AWS. This approach allows them to amass large volumes of sensitive information, which they then leak or sell on hacking forums.
In response to the breach, Amazon has collaborated with the affected vendor to address and rectify the security vulnerability and reassured that its internal systems remain secure and that the compromised data was limited to work contact information.
Nevertheless, the incident underscores the critical importance of robust security measures, especially when relying on third-party vendors for data management.
MOVEit is managed file transfer software developed by Ipswitch, Inc., which is now part of Progress Software. In May 2023, a critical zero-day vulnerability was discovered in MOVEit Transfer. The SQL injection flaw allowed unauthenticated attackers to access the application’s database, potentially altering or deleting its contents. The vulnerability was actively exploited, leading to unauthorized data access across numerous organizations.
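To illustrate the class of flaw described above, the following is an added example written for this page; it is not MOVEit Transfer code and says nothing about how that product's query was actually constructed. It builds a throwaway in-memory SQLite table (constructed sample data), runs a lookup that concatenates untrusted input into the SQL text, and runs the same lookup with a parameterized query. The function and column names are assumptions chosen for the example.

```python
import sqlite3


def build_db():
    """Create an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "tok-a"), ("bob", "tok-b")],  # constructed sample rows
    )
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the caller-supplied value becomes part of the SQL statement itself."""
    sql = "SELECT username, api_token FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value is bound as a parameter and can never change the statement."""
    sql = "SELECT username, api_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A constructed input that turns the WHERE clause into a tautology when concatenated.
INJECTED = "nobody' OR '1'='1"


def demo():
    """Return (rows from vulnerable path, rows from safe path) for the same input."""
    conn = build_db()
    return lookup_vulnerable(conn, INJECTED), lookup_safe(conn, INJECTED)


if __name__ == "__main__":
    vuln_rows, safe_rows = demo()
    print("concatenated query returned", len(vuln_rows), "rows")  # every row leaks
    print("parameterized query returned", len(safe_rows), "rows")  # no such user
```

The concatenated path returns every row in the table for an input that names no real user, which is the behaviour the article describes: unauthenticated access to database contents. The parameterized path treats the same string as an opaque value and returns nothing. Beyond patching, a reviewable control is to grep the code base for string-built SQL and to log and alert on database errors and unusually large result sets from the file transfer application's service account.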
Progress Software promptly released patches and advisories to mitigate the vulnerability, but by that time exploitation had already resulted in significant data breaches affecting entities such as the BBC, British Airways, and the US Department of Energy. The company was subsequently hit with more than 100 lawsuits.
Emsisoft said last year that “file transfer applications tend to be developed by smaller vendors, and there is a persistent perception that smaller vendors are less capable when it comes to application security. File transfer applications also tend to be deployed by organizations rather than individuals, increasing the likelihood that victims will have the resources to pay. Finally, and perhaps most important, these applications hold data. Lots of data. All of this means that file transfer applications make for an attractive target and will almost certainly be targeted again.”
The activities of Nam3L3ss – as well as C10p – highlight the critical importance of robust cybersecurity measures, particularly when relying on third-party vendors for data management. Organizations are advised to implement comprehensive security protocols, conduct regular audits of their systems, and ensure that their vendors adhere to stringent security standards.
While specific details about Nam3L3ss are limited, its recent activities serve as a stark reminder of the evolving landscape of cyber threats and the necessity for organizations to stay ahead of potential vulnerabilities.
Organizations are advised to apply security updates promptly, monitor for unusual activity, and implement comprehensive security measures to protect against similar vulnerabilities and threat actors.