[BreachExchange] Skyline.com Ransomware Attackers Claim 200+ GB of Cleartext Financial, Passport, and Personal Data Leaked

Destry Winant destry at riskbasedsecurity.com
Thu Sep 24 10:33:07 EDT 2020


https://www.riskbasedsecurity.com/2020/09/23/skyline-com-ransomware-attackers-claim-200-gb-of-cleartext-financial-passport-and-personal-data-leaked/

Ransomware has had a massive impact on 2020’s data breach landscape,
contributing towards the 27 billion records exposed in the first half
of the year alone. Just two breaches were responsible for leaking 18
billion of those records. It’s an example of an alarming trend our
researchers have noted, where a handful of major breaches are
responsible for jeopardizing the privacy and safety of billions.

Unfortunately, we may see something similar happening now with Skyline.

Over 200 GB of Data Leaked

Skyline Displays, Inc. is a large company that specializes in exhibits
for events and trade shows, which gives an indication of the type and
size of data exposed. According to their website, the company has
“representation in 30 countries and has served well over 100,000
clients.”

On Monday, September 21st, a threat actor claiming to represent the
Lockbit ransomware hacking group shared a number of files totaling
over 200 GB on a prominent Russian-speaking dark web hacking forum.

The threat actor who posted the data alleges it is from Skyline.
According to sources, the files contain:

- Cleartext credit card information (names, credit card numbers,
  expiration dates, CVV)
- Passport scans of US citizens
- Driver License scans
- W-9 scans
- Social Security numbers
- Bank and account information
- Payroll information
- Email addresses and phone numbers

Risk Based Security has reached out to Skyline to confirm the claim’s
legitimacy, but at this time they have not responded to our inquiries.
However, the forum is frequented by notorious ransomware operators,
which suggests that the threat actor’s claims are valid. Our
researchers are in the process of independently confirming the source
of the data.

The Full Impact Is Still Unknown

The files contain many document scans, making it difficult at first
pass to ascertain the full extent of the data exposed and number of
individuals impacted. Regardless, the large file size implies the
impact of the breach may be extensive. When compared to some of the
other major data breaches analyzed by Risk Based Security, it shows
that the impact of the data exfiltration may be substantial:

Breached Organization   File Size   Number of Individuals Affected
Wattpad                 128 GB      268 million
Zynga                   72 GB       218 million
Skyline Displays        200 GB      TBD

While file size can be heavily dependent on the type of documents
included, the unusually large size is of serious concern
because it points to an alarming breach for Skyline. It is important
to note that our research has previously uncovered recent ransomware
events where actors are grabbing any files they can find, meaning the
leak may not be entirely made up of sensitive or confidential
information. Regardless of how many individuals do end up being
affected, we believe that we can expect that number to
disproportionately include US information, given that the majority of
Skyline locations are centered in the US.

Unlike the Wattpad and Zynga incidents, the Skyline data breach
contains cleartext credit card information, and since Skyline is
primarily a B2B organization, this leak could have far-reaching
implications for Skyline’s customers.

Another Data Drop Expected

When the data was shared on September 21st, it was originally limited
to forum administrators and premium users. However, the data was
shared publicly the next day, September 22nd. The post also claimed
that a further data archive will be shared on Thursday, September
24th.

