Hackers Hit Tunecore, JD Wetherspoon, Elephant Bar

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

It's been another busy week in the world of data breaches -- significant breaches at three companies in the U.S. and U.K. exposed a variety of data on millions of customers, including passwords, contact information, birthdates, and payment card data.

The digital music distribution company TuneCore was recently hacked, potentially exposing millions of customers' names, email addresses, mailing addresses, account numbers and passwords, as well as bank addresses, the last four digits of credit card numbers, bank account numbers and routing numbers, Billboard reports.

In an email sent to customers on December 4, 2015, the company stated, "We recently discovered suspicious activity on Tunecore's servers in November, and that on November 17th an individual illegally collected information from our servers. We are actively working with law enforcement to investigate this unlawful act, and we have retained a leading cyber security firm to help prevent this from happening again."

Although the stolen passwords were encrypted, the company has reset all user passwords as a precaution.

U.K. pub operator JD Wetherspoon recently acknowledged that 656,723 of its customers' names, birthdates, email addresses and phone numbers may have been accessed when a company database was hacked, Motherboard reports. In 100 customers' cases, the last four digits of debit and credit card numbers were also exposed.

Wired reports that the breach took place on June 15 and 17, 2015, and was first discovered by CyberInt, who notified Wetherspoon on December 1, 2015. In a statement dated December 4, 2015, Wetherspoon said the information, which also included "[s]ome personal staff details," was taken from the company's old website, "which has been replaced in its entirety."

"The company's current website is managed by a new digital partner, which has no connection to the website that was the subject of the breach of security," Wetherspoon added.

The hacker responsible for the breach told Motherboard that the Wetherspoon vulnerability "took no more than 15 minutes to find through manual searching and analysis."

More recently, CM Ebar, LLC, the owner of the Elephant Bar restaurant chain, announced on December 8, 2015 that malware installed on payment processing systems at 29 Elephant Bar locations in Arizona, California, Colorado, Florida, Missouri, Nevada and New Mexico in August and September of 2015 may have exposed customer payment data, including names, account numbers, expiration dates, and verification codes.

The company was alerted to the issue by its card processor on November 3, 2015.

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and remediating the situation," the company said in a statement. "We have disabled the malware and have reconfigured our point-of-sale and payment card processing systems to enhance the security of these systems."

In a FAQ, the company added, "Unfortunately, we cannot be certain whether any particular individual was affected by this incident as our equipment does not retain that information."

"If companies want to know what they should be doing to prevent breaches like the Elephant Bar, the answer is -- do not allow your network security posture to be relegated to a secondary function of an IT administrator," Netsurion CEO Kevin Watson told eSecurity Planet by email.

"A really crucial consideration, especially in the case of POS system malware, is also securing the data that leaves your network," Watson added. "A business' outbound security policy is its last defense against a data breach."

Recent eSecurity Planet articles have offered advice on improving database security, provided six tips for stronger encryption, and examined the challenge of improving point-of-sale security.