Payment gateway provider Slim CD has notified 1.7 million users that their credit card information may have been leaked.

Payment provider Slim CD has disclosed a security incident that may have exposed the full credit card information of anyone paying at a merchant that uses Slim CD’s services.

The Florida-based gateway system, which allows merchants to take any kind of electronic payment, said on June 15 it noticed “suspicious activity” within its environment.

A subsequent investigation by a third-party specialist revealed that cybercriminals had access to Slim CD’s systems for 10 months, between August 17, 2023, and June 15, 2024. However, the company said the criminals only had access to credit card and other information between June 14 and June 15, 2024.

Slim CD said that the compromised information included full names, physical addresses, and credit card numbers including expiration dates.

The company said it is not aware of anyone yet using the exposed information:

> “Although Slim CD presently has no evidence that any such information has been used to commit identity theft or fraud, Slim CD is providing information about the event, Slim CD’s response, and resources available to individuals to help protect their information from possible misuse.”

Even though there is no mention of credit card verification numbers being included in the breached data, Slim CD is still warning about the possible risks:

> “We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors.”

Customers are often unaware which payment provider is used by their online shops, so a data breach notice may come as a surprise to many of the 1,693,000 affected people.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Payment provider data breach exposes credit card information of 1.7 million customers 

Scammers are now throwing in the name of the partner of the targeted victim, telling them that their partner is cheating on them.

As if they weren’t annoying enough already, scammers have recently introduced new pressure tactics to their sextortion and scam emails.

Last week we reported how cybercriminals are using photographs of targets’ homes in order to scare them into paying money. Now they’re throwing in the name of targets’ partners, telling the receiver that their partner is cheating on them.

The general outline of the scammy email looks like this:

> “Hi (target’s name\],
> 
> \[Partner’s name\] is cheating on you. Here is proof.
> 
> As a company engaged in cyber security we’ve found information related to \[partner’s name\] that might interest you.
> 
> We made a full backup of \[his/her\] disk. (We have all \[his/her\] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all \[his/her\] contacts) and are willing to give you a full access to this data. For more details visit our website.”

For some people, the links in the mail lead to a site where you can “buy the data” for around $2500 in Bitcoin. Others report they were sent to a site that presented them with a login screen.

But where did the scammers get the partner’s name from?

Based on speculation among Reddit users, BleepingComputer contacted a wedding planning site called The Knot, which was listed as a possible source, but received no reply. Looking at our data, we can confirm that 3,677 users of The Knot have had their login credentials compromised at some point in time, but not all at once, so The Knot is not necessarily the source of the data.

There are many other ways that scammers can dig through or combine breached data to find out who your partner is and compose such a personalized email, or they could spend a small amount of time on social media to find out relatively quickly.

Regardless of where the scammers got the information, please don’t let this type of email ruin your relationship or even one minute of your day. Send the emails straight to the trash.

**How to react to your partner “is cheating on you” emails**

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

*   If the email includes a password, make sure you are not using it any more _on any account_. If you are, change it as soon as possible.
*   If you are having trouble remembering all your passwords, have a look at a password manager.
*   Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious, or even appears to be your own.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Your partner “is cheating on you” scam asks you to pay to see proof 

This week on the Lock and Code podcast, we speak with Eva Galperin about the arrest of Telegram's CEO and how it impacts security and privacy.

_This week on the Lock and Code podcast…_

On August 24, at an airport just outside of Paris, a man named Pavel Durov was detained for questioning by French investigators. Just days later, the same man was charged in crimes related to the distribution of child pornography and illicit transactions, such as drug trafficking and fraud.

Durov is the CEO and founder of the messaging and communications app Telegram. Though Durov holds citizenship in France and the United Arab Emirates—where Telegram is based—he was born and lived for many years in Russia, where he started his first social media company, Vkontakte. The Facebook-esque platform gained popularity in Russia, not just amongst users, but also the watchful eye of the government.

Following a prolonged battle regarding the control of Vkontake—which included government demands to deliver user information and to shut down accounts that helped organize protests against Vladimir Putin in 2012—Durov eventually left the company and the country all together.

But more than 10 years later, Durov is once again finding himself a person of interest for government affairs, facing several charges now in France where, while he is not in jail, he has been ordered to stay.

After Durov’s arrest, the X account for Telegram responded, saying:

“Telegram abides by EU laws, including the Digital Services Act—its moderation is within industry standards and constantly improving. Telegram’s CEO Pavel Durov has nothing to hide and travels frequently in Europe. It is absurd to claim that a platform or its owner are responsible for abuse of the platform.”

But how true is that?

In the United States, companies themselves, such as YouTube, X (formerly Twitter), and Facebook often respond to violations of “copyright”—the protection that gets violated when a random user posts clips or full versions of movies, television shows, and music. And the same companies get involved when certain types of harassment, hate speech, and violent threats are posted on public channels for users to see.

This work, called “content moderation,” is standard practice for many technology and social media platforms today, but there’s a chance that Durov’s arrest isn’t related to content moderation at all. Instead, it may be related to the things that Telegram users say in private to one another over end-to-end encrypted chats.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Electronic Frontier Foundation Director of Cybersecurity Eva Galperin about Telegram, its features, and whether Durov’s arrest is an escalation of content moderation gone wrong or the latest skirmish in government efforts to break end-to-end encryption.

> “Chances are that these are requests around content that Telegram can see, but if \[the requests\] touch end-to-end encrypted content, then I have to flip tables.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 What the arrest of Telegram&#8217;s CEO means, with Eva Galperin (Lock and Code S05E19) 

A list of topics we covered in the week of September 2 to September 8 of 2024

September 5, 2024 - Criminals are impersonating MyLowesLife, Lowes' HR portal for current and former employees.

September 5, 2024 - Intermountain Planned Parenthood of Montana suffered a cyberattack which has been claimed by a ransomware group

September 4, 2024 - " Hello pervert" sextortion mails keep adding new features to their email to increase credibility and urge victims to pay

September 4, 2024 - With the elections at full throttle we are seeing several types of scams resurfacing and undoubtedly more will come

September 3, 2024 - Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details

 A week in security (September 2 &#8211; September 8) 

Criminals are impersonating MyLowesLife, Lowes' HR portal for current and former employees.

In mid-August, we identified a malvertising campaign targeting Lowes employees via Google ads. Like many large corporations, Lowe’s has their own employe portal called MyLowesLife, for all matters related to schedule, pay stubs, or benefits.

Lowe’s employees who searched for “myloweslife” during that time, may have seen one or multiple fraudulent ads. The threat actor, who does not strictly limit themselves to Lowe’s but also targets other institutions, aims to gain access to the login credentials of current and former employees.

**My Lowe’s Life ads**

Combining ads with a phishing page is a proven recipe for success. Indeed, unsuspecting users often rely on Google Search to take them to the site they are looking for, rather than manually entering its full URL in the browser’s address bar. It is somewhat suspicious to see ads for an internal HR portal, but then again it could be easy to overlook that oddity.

We found two different advertiser accounts impersonating MyLowesLife, and in one instance, we even saw 3 malicious ads from both accounts one after the other. The URL listed for each ad is different, and does not match the legitimate one (myloweslife.com), a well-known technique of lookalikes criminals often employ.

**Phishing site built with AI**

The threat actor registered several similarly looking domain names in order to trick their victims:

myloveslife\[.\]net  
mylifelowes\[.\]org  
mylifelowes\[.\]net  
myliveloves\[.\]net

What’s interesting is how the home page for each of those is not what you’d expect. In fact, what we see is a generic ‘retail store’ template which appears to have been built using AI.

There is a simple reason for this: if anyone was to investigate those potentially fraudulent websites, they would not see anything malicious. As a result, it will be difficult to convince a domain registrar or hosting provider to take any action such as suspending the site.

**Phishing page**

When victims click on the Google ad, they are taken directly to the phishing page, contained within a directory named ‘wamapps’, which interestingly matches the structure of the real Mylowe’s Life website:

https://lius.myloweslife.com/wamapps/wamlogin

This an exact replica of the real Lowe’s portal that prompts users for their Sales Number and Password:

Looking at the page’s source code, we can see how these two fields are being sent back to the threat actor using a POST request via xxx.php, the phishing kit. After collecting this data, a second page asks users for their security question. This is presumably a feature used by Lowe’s to secure accounts if they detect unusual login activity:

Finally, after providing those details, victims are redirected to the real MyLowesLife website where they will be asked for their login details again. While that could raise suspicion, it’s possible many users will think it’s simply a glitch with the system and won’t look back again.

It’s unclear what the threat actor does with the stolen credentials, but likely they are a broker reselling them to other criminals.

**Mitigations**

Brand impersonation via Google ads is a very popular technique leveraged by threat actors of all kind. They know people will open up their default browser, do a quick search and that’s exactly where they can target them.

To avoid many of the phishing campaigns that abuse Google ads, we strongly recommend against clicking on sponsored results. You are better off scrolling down further and visiting the official websites directly.

For an online portal you regularly visit (bank, grocery store, etc.) it’s a good idea to bookmark the website into your browser’s favorites: it’s quicker and safer to visit a site that you trust in that manner.

We reported these malicious ads to Google and to our knowledge this ad campaign is no longer running. Malwarebytes customers were protected on day 1 via both the Malwarebytes Browser Guard and Malwarebytes Premium Security. If you suspect you have been a victim of identity theft, feel free to check out Malwarebytes Identity Theft Protection (also available to customers via our premium security products).

 Lowe&#8217;s employees phished via Google ads 

Intermountain Planned Parenthood of Montana suffered a cyberattack which has been claimed by a ransomware group

In late August, Intermountain Planned Parenthood of Montana suffered a cyberattack which is still under investigation. The attack has been claimed by a ransomware group.

Intermountain Planned Parenthood Inc., doing business as Planned Parenthood Of Montana, is a nonprofit organization that provides sexual health care services. It is not yet known whether any personal information about patients might have been stolen, but that could potentially be devastating.

The patients who rely on Planned Parenthood for care are frequently low-income and face health care disparities due to race, gender, sexuality, or because they live in underserved areas. Sometimes they are minors that have been in contact with the criminal justice system, and they are not eligible for insurance or depend on Medicaid Expansion for coverage.

The group behind the attack, Ransomhub, has claimed responsibility on their leak site where they threaten to publish stolen data to increase the leverage over their victims.

Planned Parenthood listed on RansomHub’s leak site

> “Intermountain Planned Parenthood, a leading nonprofit organization, is dedicated to empowering individuals in Montana to make informed decisions regarding their sexual and reproductive health.”

The listing on the leak site shows financial information, court papers, and insurance certificates. Ransomhub set a timer for Planned Parenthood. The timer counts to September 11 before the release of all the data.

Timer before release of the data

Ransomhub listed the size of the data set at 93 GB, but ransomware groups have been known to exaggerate, lie, and mislead. They are criminals after all.

As laid out in a recent joint advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS),  RansomHub is a relatively new but very active Ransomware-as-a-Service group known to target healthcare organizations and other critical infrastructure sectors.

According to a recent ThreatDown ransomware report, healthcare and education are the hardest hit sector after “Services” in the US, accounting for 60% and 71% of global attacks in these sectors, respectively.

And in the ThreatDown Ransomware Review of August 2024 we can see that Ransomhub was the gang responsible for the largest number of known attacks in July.

This story will be updated once we find out more about the nature of the stolen data.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Planned Parenthood partly offline after ransomware attack 

" Hello pervert"  sextortion mails keep adding new features to their email to increase credibility and urge victims to pay

After using passwords obtained from one of the countless breaches as a lure to trick victims into paying, the “Hello pervert” sextortion scammers have recently introduced two new pressure tactics: Name-dropping the infamous Pegasus spyware and adding pictures of your home environment.

They do this to add credibility to the false claims that the scammers have been watching your online behavior and caught you red-handed during activities that you would like to keep private amongst your friends and family.

The email usually starts with “Hello pervert” and then goes on to claim that the target has been watching pornographic content. The scammers often claim to have footage of what you were watching and what you were doing while watching.

To stop the sender from spreading the incriminating footage, the target will have to pay the scammer, or else they will send it to everyone in their email contacts list.

More recently, scammers have started increasing their threats by mentioning a powerful spyware called “Pegasus.” Several versions of these scam emails have included the following text:

> Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, and Windows.

Though Pegasus is indeed a powerfully invasive spyware tool, the threat of its use, as included in these scam emails, is entirely empty. This is because Pegasus has never been observed outside of a surveillance campaign carried out, specifically, by governments. Time and time again, Pegasus has been used by oppressive government regimes to spy on political dissidents, human rights activists, and watchdog journalists. There is essentially no proof that such a closely-guarded spyware has ended up in the hands of everyday scammers.

But the pressure tactics don’t end with Pegasus, as many of these emails include an old (or active) password that a scam target has used in the past. Here, this isn’t some act of advanced hacking. Instead, it is likely that the scammers bought your password from other cybercriminals that obtained them during one of the countless data breaches that hit company after company every week.

When scammers have access to such data, it may also include your physical address. With that knowledge, scammers have increased their threats by simply adding a photograph of your personal neighborhood by looking it up online. For most places in inhabited areas, you can grab such pictures from Google Maps or similar apps.

A Reddit user demonstrated this by finding that such a scammer used an old PO box address. But it’s true that this adds a convincing argument to the claim that the sender has been spying on you.  

As an extra threat the email may include something like:

> “Or is visiting \[your physical address\] a more convenient way to contact if you don’t take action. Nice location btw.”

Implying that they know where you live and threatening to stop by and create a scene.

**How to recognize “Hello pervert” emails**

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

*   They often look as if they came from one of your own email addresses.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email the scammer claims to have used Pegasus or some Trojan to spy on you through your own computer.
*   The scammer says they know “your password.”
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**How to react to “Hello pervert” emails**

First and foremost, never reply to emails of this kind. It may tell the sender that someone is reading the emails sent to that address and they will repeatedly try new and other methods to defraud you.

*   If the email included a password, make sure you are not using it any more and if you are, change it as soon as possible.
*   If you are having trouble organizing your password, have a look at a password manager.
*   Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.
*   For your ease of mind, turn of your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 “Hello pervert” sextortion scam includes new threat of Pegasus—and a picture of your home 

With the elections at full throttle we are seeing several types of scams resurfacing and undoubtedly more will come

With the US election campaigns at full throttle, scammers have taken a renewed interest in the ways this can be used to defraud people, often using the same tactics legitimate campaigns leverage for support (emails, text messages, phone calls, and social media pleas).

The lure that we have seen the most involves asking people to donate to a campaign. Whether that comes in by mail, text, phone call, or on social media, that money isn’t going to any of the candidates.

This sender does not care who you want to donate to

If those scam campaigns aren’t directly after your money, they might well be phishing for personal information.

These phishers also use fake surveys pretending to be a volunteer for one of the political parties and will ask you for personal information directly or get on your nerves by engaging in discussions about controversial subjects.

A survey site that asks for personal details and credit card information

Another method besides surveys are voter registration scams where the scammer poses as an election official and asks you to update your voter registration, or tell you that you can register to vote over the phone. Reminder, here is how you can securely register to vote.

Example voter registration scam courtesy of KrebsOnSecurity

These scams are not only after your personal information but sometimes have the audacity to ask you to pay for completing your voter registration paperwork—something that is never asked in legitimate voter registration.

**How to stay safe**

**Watch out for fake emails**

With the increasing use of AI by cybercriminals, it has become more difficult to spot fake emails. Looking for spelling errors is of no use anymore, but a few golden rules still apply to unsolicited emails:

*   Don’t open attachments.
*   Hover over the link(s) in the email. If they are different from the one that is displayed this is a red flag.
*   Don’t let any sense of urgency expressed in the email rush you into a hasty decision.
*   Check the sender’s email address is what you’re expecting. Note: these can be spoofed so this is not a guarantee, but anything that doesn’t look genuine definitely won’t be.

**Donate safely**

If you decide to sponsor a candidate, do not follow any links provided in text messages, emails, or on social media.

Find the official site for your favorite candidate and follow the instructions there. If you use Google or any other search engine to find the official site, do not click on the links in the sponsored ads. We have found too many cases where these went to false sites.

**Ignore text messages**

This is an easy one: just ignore them. Honest. Anyone texting me requests out of the blue will find my cold shoulder. Do not even respond, because that will tell them you read the message.

**Avoid robocalls**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall. Here’s what to do:

1.  Hang up as soon as you realize that it is a robocall.
2.  Don’t follow any instructions or give away personal information. In fact, don’t engage with the call at all.
3.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It’s important to not engage in any conversation or respond to any prompts in order to minimize the risk of fraud. Even the smallest snippets of your voice being recorded can be used in scams against you or your loved ones.

If you have an iPhone, let Malwarebytes intercept your robocalls (by installing our app).

**Don’t give away personal information when filling in surveys**

Don’t engage in surveys that ask for personal information. And when giving out information remember what they already know about you. How did they contact you? If by email that means they already have your email address and your responses can be combined with the information they already have based on that.

**Consider your payment method**

There are two major considerations to make when you decide on a payment method for donating to a political campaign.

*   How much of your donation ends up at the right place? Most payment providers charge transaction fees that decrease the amount of the actual contribution, and  the fee amount is not the same for all of them.
*   When making a donation, consider which payment method offers you the best protection. Credit cards are better than debit cards because they offer more protection against things like identity theft and fraud. E-checks are another popular payment option that can be an alternative, but e-checks require your routing number and account number, which could leave you more exposed.

The old-fashioned way of sending a check in the mail is not as popular but covers both transaction fees and security worries. Although for a small amount, the time needed to process them is a new factor.

**Always monitor your accounts**

Monitoring your account activity is one of the most effective ways to protect yourself from fraud. Especially when you’re in doubt about a recent transaction like a donation that doesn’t sit right in retrospect. The sooner you notice unauthorized activity, the sooner you can intervene and prevent further damage.

Some things you can do are:

*   Daily checks on your account activity through online banking.
*   Many banks offer the opportunity to send you notifications of larger or unusual transactions. Turn those on, preferably by email or text so you’ll see them as soon as possible.
*   When you see something suspicious, notify your financial institution immediately so they can assist you in keeping your money safe.

 How to avoid election related scams 

Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details

Transport for London (TfL), the city’s transport authority, is fighting through an ongoing cyberattack. TfL runs three separate units that arrange transports on London’s surface, underground, and Crossrail transportation systems. It serves some 8 million inhabitants of the London metropolitan area.

In a public notice Transport for London stated:

> “We are currently dealing with an ongoing cyber security incident. At present, there is no evidence that any customer data has been compromised and there has been no impact on TfL services.
> 
> The security of our systems and customer data is very important to us, and we have taken immediate action to prevent any further access to our systems.”

The incident does have some impact though, as TfL took the contactless website for purchasing tickets offline for “maintenance.” This maintenance was not announced earlier though, which they likely would have done under normal circumstances.

The contactless website is used to purchase online tickets, upgrade travelcards (Oystercards), check travel history, and request refunds.

In a short thread on X, TfL said it is working with the National Crime Agency and the National Cyber Security Centre to investigate and respond to the incident.

> Hi, thanks for getting in touch. We are working to resolve this as soon as possible. We need to complete our full assessment, but there is currently no evidence that any customer data has been compromised, or impact on TfL services. We are working closely with the

> National Crime Agency and the National Cyber Security Centre to respond to the incident. We are continuing to work to assist our customers here in the usual manner. Thanks, SW.

According to security researcher Kevin Beaumont:

> “Transport for London have a genuine internal security incident running and are reverting to paper processes.”

Since TfL is keeping rather quiet about the incident it is hard to asses whether this disruption is the result of a ransomware attack or something else.

We’ll keep you posted if we learn more.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 London’s city transport hit by cybersecurity incident 

The City of Columbus filed a lawsuit against a researcher for trying to inform the public about the nature data stolen by a ransomware group

The City of Columbus, Ohio is suing a security researcher for sharing stolen data.

All the complaint will accomplish, we imagine, is spotlight the ignorance of certain city officials in handling a common security matter.

What happened is that the City of Columbus was attacked by a ransomware group on July 18, 2024. Due to the timing, it was at first unclear whether the disruption in the public facing services was caused by the CrowdStrike incident or if it was in fact an attack. The attack was later claimed by the Rhysida ransomware group on their leak site, where the group posts information about recent victims that are unwilling to pay.

The City of Columbus said that the city’s Department of Technology quickly identified the threat and took action to significantly limit potential exposure. Due to the swift action no systems had been encrypted, but they were looking into the possibility that sensitive data might have been stolen in the attack.

> “The city is in the process of identifying individuals whose personal information was potentially exposed and will provide notice and additional guidance to all who are impacted in the coming weeks.”

Rhysida started an auction to buy the stolen data with a starting bid of about $1.7 million in bitcoin. When that didn’t render any results, Rhysida published (please note the word “published” here, it’s important) stolen data comprising 260,000 files (3.1 TB) which was almost half of what they claimed to have, on August 8, 2024.

On that same day, the mayor of Columbus stated on local media that the disclosed information was neither valuable nor usable.

> “The fact that the threat actor’s attempted data auction failed is a strong indication that the data lacks value to those who would seek to do harm or profit from it.”

This is where an external security researcher comes in. Security researcher David Leroy Ross, aka Connor Goodwolf, shared information with the media about the content of the stolen data. From what Goodwolf shared it became clear that the data contained unencrypted personal information of city employees and residents.

So, the City of Columbus decided to sue Goodwolf for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion.

The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him interacting with the ransomware group and that it required special expertise and tools.

When all he did was use a special browser to visit a website, download a file, and disclose the nature of the data to the local press. These actions, mind you, indistinguishable from the work of many security researchers committed to stopping cyberattacks.

Take, for instance, the means of access for Goodwolf.

If you are willing to consider the Tor Browser to be a special tool, I’ll grant you that one, although grudgingly. If you are a Firefox user, you may see a big resemblance with the Tor Browser, so the browser is not really that special. If visiting a website and downloading a file is a crime, we’re all guilty of said crime. If disclosing that a public official told an untruth (even if it was out of ignorance) is wrong then you probably shouldn’t want to live in a democratic country.

But unfortunately, a Franklin County judge issued the coveted temporary restraining order barring Goodwolf from accessing, downloading, and disseminating the City’s stolen data. The order also requires the defendant to preserve all data that was downloaded to date.

We want to make absolutely clear: Rhysida stole and published the data. And it was spokespeople from The City of Columbus that told everyone not to worry about other criminals using the data for further crimes, instead of warning the people that they should be wary of phishing attempts that could leverage the stolen data against them.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Source

Malwarebytes