Cyber Breach at Hospital; McDonald's User Info Exposed; and a Gmail Scam

Sorbis/Shutterstock.com

Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.

In case you missed our coverage this week in ThreatWatchNextgov’s regularly updated index of cyber breaches:

Hospital Breach Affects Thousands of Patients

A "cybersecurity breach" at a third-party vendor may have compromised the information of thousands of patients at a Virginia hospital.

Over 5,450 vascular and/or thoracic patients seen between 2012 and 2015 have been affected, according to a spokesperson from the Charlottesville, Virginia-located Sentara Martha Jefferson Hospital, The Associated Press reported.

The breach may include names, medical record numbers, dates of birth, Social Security numbers, procedure information, demographic information and medications, AP said.

The hospital is working with law enforcement, the vendor and a cybersecurity company to investigate the incident. Those affected by the breach will receive notification on how to protect themselves, according to AP.

Researcher Discovers Way to Pilfer McDonald's Users' Passwords

A security researcher found a couple of vulnerabilities that allow an attacker to crib users' passwords from a fast-food giant's website.

In a Jan. 6 blog post, Researcher Tijme Gommers wrote that "By abusing an insecure cryptographic storage vulnerability ... and a reflected server cross-site-scripting vulnerability ... it is possible to steal and decrypt the password from a McDonald's user."

Gommers said he tried to notify the fast-food giant "multiple times" on Dec. 24 and right before the holidays. After not hearing back, he decided to disclose the flaw—something that irked others in the security community.  

"Typically, responsible disclosure dictates that a researcher gives a company at least 30 days to respond to a vulnerability before they go public with it," said David Bisson, writing on GrahamCluley.com, which first reported on Gommers' discovery. "Gommers waited less than two weeks to go public with details of the flaws he had discovered."

Gmail Scam Tricks Users With Convincing Login Page

A hacker has pilfered data from a company that specializes in cellphone hacking.

Taken partly from company servers, the stolen information—about 900 gigabytes worth—from Cellebrite entails customer information, databases and technical data of the company's products, according to Motherboard.

In a statement, Cellebrite said it had "recently experienced unauthorized access to an external web server,” Motherboard reported.

Speaking with Motherboard, the hacker "expressed disdain for recent changes in surveillance legislation," but didn't reveal many details about the breach.

“I can't say too much about what has been done,” the hacker told Motherboard.

Cellebrite is an Israeli company, with Japan-based Sun Corp. as parent company.