[BreachExchange] The data of 110 thousand customers was stolen from the Lithuanian car rental service

Destry Winant destry at riskbasedsecurity.com
Tue Feb 23 10:37:02 EST 2021


https://www.ehackingnews.com/2021/02/the-data-of-110-thousand-customers-was.html

It became known that on the night of February 15-16 in Lithuania, the
data of about 110 thousand customers of the local car rental service
CityBee was stolen.

The information was published on a hacker forum.

"On the night of February 15-16, cybercriminals posted a message on a
foreign-registered forum that they had not only the names and personal
codes of some CityBee customers, as previously announced, but also
phone numbers, email addresses, residential addresses, driver's
license numbers and encrypted passwords," said CityBee.

Experts reported that, according to available information, the
passwords are stored as SHA-1 hashes without a salt, so they can be
guessed automatically and used for unauthorized access.

The company noted that the data is already three years old and that
its theft will not affect the security of CityBee customers, since the
organization does not store information about payment methods.
However, CityBee representatives still asked customers who registered
in the system before February 22, 2018, to change their passwords if
they used the same or similar password.

According to the Minister of Justice Agnė Širinskienė, such personal
data can be used very widely, especially in the case of international
crimes.

"For example, illegal immigration from third countries often occurs
with the use of fake documents. Let's just think about how a citizen
of a third country X can easily move around the EU with the personal
data of a CityBee customer in a fake passport. Now imagine that a
resident of country X, who has personal documents filled out with
CityBee customer data, is involved in the arms trade, the organization
of a terrorist network in Europe, and is suspected of money
laundering... while the client of CityBee, the "owner" of the
identity, is flying to the Maldives on vacation," Širinskienė gave an
example.

CityBee has launched an investigation to find out how customer data was stolen.

The police are conducting a pre-trial investigation.
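
The experts' remark about SHA-1 hashes without a salt can be made concrete from the storage side. The following is an added example, not code from the article or from CityBee: it shows that unsalted SHA-1 gives identical records for identical passwords, while a per-user salt with scrypt does not, and it goes one step further by upgrading a legacy record on the next successful login. The function names, the scrypt parameters and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def legacy_sha1(password):
    """Unsalted SHA-1: the same password always gives the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def scrypt_record(password, salt=None):
    """Per-user random salt plus a memory-hard KDF (parameters are assumptions)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), dk.hex())

def verify_and_upgrade(password, stored):
    """Check a login; return (ok, record_to_store).

    A legacy SHA-1 record is replaced by a salted scrypt record on the
    first successful login, so no plaintext is needed for the migration.
    """
    if stored.startswith("scrypt$"):
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(scrypt_record(password, salt), stored), stored
    ok = hmac.compare_digest(legacy_sha1(password), stored)
    return ok, (scrypt_record(password) if ok else stored)

def accounts_sharing_a_digest(table):
    """Group user ids whose stored value is byte-for-byte identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample data: two accounts happen to use the same password.
SAMPLE = {"user-a": "Vilnius2018!", "user-b": "Vilnius2018!", "user-c": "k7#pQz-long-unique"}

if __name__ == "__main__":
    weak = {u: legacy_sha1(p) for u, p in SAMPLE.items()}
    strong = {u: scrypt_record(p) for u, p in SAMPLE.items()}
    print("unsalted SHA-1, identical records:", accounts_sharing_a_digest(weak))
    print("salted scrypt, identical records:", accounts_sharing_a_digest(strong))
    ok, upgraded = verify_and_upgrade("Vilnius2018!", weak["user-a"])
    print("legacy login ok:", ok, "-> stored as", upgraded.split("$")[0])
```

Accounts that never log in again keep their legacy record, so a password reset for those accounts is still needed to retire the SHA-1 values.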

