[BreachExchange] British American Tobacco Suffers Data Breach and Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Thu Dec 5 10:13:50 EST 2019


A Romanian web platform owned by the international tobacco company
British American Tobacco (BAT) has suffered a data breach and
ransomware attack.

The data breach was discovered on an unsecured Elasticsearch server
located in Ireland, holding close to 352 GB of data. In addition, the
researchers found that hackers had already gotten to the data and that
the server also contained a readme file with a ransom request, in
which a hacker or group of hackers threatened to delete the data from
the server if their demands aren’t met. The hackers are demanding a
Bitcoin payment in exchange for the data.
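The server in this story answered without credentials and carried a ransom-note file next to the data. The following script, added here as an example and not code from vpnMentor, BAT or the Elasticsearch project, is the self-check an operator would run against a node they own: it classifies whether the node's root endpoint is served anonymously and whether GET /_cat/indices lists an index whose name matches the ransom-note names these campaigns have used. The base URL, the cluster name and the sample responses are constructed for the demonstration.

```python
"""Self-check for an Elasticsearch node you operate: does it answer without
credentials, and does it carry an index that looks like a ransom note?

Added example for this post; not code from vpnMentor, BAT or the
Elasticsearch project. URLs, index names and sample responses are constructed.
"""
import json
import re
import urllib.error
import urllib.request

# Index names that ransom campaigns against open Elasticsearch/MongoDB
# instances have used for their note (the post describes a readme file).
RANSOM_NOTE_PATTERN = re.compile(r"^(read_?me|warning|please_?read)", re.IGNORECASE)


def assess_access(status: int, body: str) -> str:
    """Classify how the node answered an unauthenticated GET /.

    Returns 'open' if the node served its cluster metadata without
    credentials, 'auth-required' for 401/403, or 'unknown' otherwise.
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # The root document of an Elasticsearch node names the cluster and
        # version; getting it back anonymously means the node is exposed.
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def find_ransom_indices(cat_indices_json: str) -> list:
    """Return the index names from GET /_cat/indices?format=json whose name
    looks like a ransom note, in the order the API listed them."""
    rows = json.loads(cat_indices_json)
    return [row["index"] for row in rows if RANSOM_NOTE_PATTERN.match(row["index"])]


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Run both checks against a node you own (this makes live HTTP calls)."""
    result = {"access": "unknown", "ransom_indices": []}
    root = base_url.rstrip("/") + "/"
    try:
        with urllib.request.urlopen(root, timeout=timeout) as resp:
            result["access"] = assess_access(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        result["access"] = assess_access(exc.code, "")
    if result["access"] != "open":
        return result
    # Only an openly served node can be asked for its index list anonymously.
    with urllib.request.urlopen(root + "_cat/indices?format=json", timeout=timeout) as resp:
        result["ransom_indices"] = find_ransom_indices(resp.read().decode("utf-8", "replace"))
    return result


# Constructed sample responses so the checks can be exercised offline.
SAMPLE_ROOT_OPEN = json.dumps(
    {"name": "node-1", "cluster_name": "promo-cluster", "version": {"number": "6.8.0"}}
)
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "users", "docs.count": "1"},
    {"health": "green", "status": "open", "index": "read_me", "docs.count": "1"},
    {"health": "green", "status": "open", "index": ".kibana", "docs.count": "3"},
])

if __name__ == "__main__":
    print(assess_access(200, SAMPLE_ROOT_OPEN))    # open
    print(find_ransom_indices(SAMPLE_CAT_INDICES))  # ['read_me']
    # probe("http://127.0.0.1:9200")  # run against a node you operate
```

An 'open' result means anyone who reaches the port can read the cluster metadata, and by extension the indices; the fix is to put the node behind authentication and a network boundary rather than to rely on the address staying unknown, which is what failed for two months in the case above.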

Noam Rotem and Ran Locar, internet privacy researchers from vpnMentor,
found the data breach on a server connected to the web platform
YOUniverse.ro. The web platform is part of a BAT Romania promotional
campaign targeting adult smokers, says vpnMentor.

BAT is based in the United Kingdom. It is one of the world’s largest
manufacturers of tobacco and nicotine products. Through the platform,
Romanian residents can win tickets to parties and events featuring
well-known local and international performers. "Romanian law prohibits
most kinds of tobacco advertising. However, the law permits certain
types of promotional campaigns and event sponsorships that exclusively
target existing smokers over the age of 18," says the report.

The data breach involves sensitive personally identifiable information
(PII) of users, such as:

full name
phone number
date of birth
source IP
cigarette and tobacco product preferences

Despite multiple attempts by the team to disclose the breach, the
database remained open and unsecured for over two months. Starting on
September 22nd, the research team repeatedly tried to contact the
company (the local branch, as well as the global company), the
server’s hosting company, Romania’s National Authority for Consumer
Protection (ANPC) and the certification authority (CA). The only party
the researchers heard back from was the CA. They also contacted
several Romanian journalists asking for help getting in touch with the
company, but they have yet to receive a reply.

As of November 27th the database was finally closed, but nobody ever
replied to the researchers.
