Hackers Stay at Hilton & Trick Lunch Lady into Exposing Students, While Workers Lose Child Mental Health Records


Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Hilton Hotel Visitors: Watch Your Bank Accounts

It is believed hackers have compromised payment networks in gift shops and restaurants at a large number of Hilton properties across the nation. 

The breach does not appear to affect the guest reservation systems at the affected locations. 

In August, Visa sent alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that lasted several months this past spring and summer. The notice listed card numbers suspected of having been compromised.

Each payment card had been used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites and the upscale Waldorf Astoria Hotels & Resorts.

Several sources in the financial industry told KrebsOnSecurity the incident may date back to November 2014, and may still be ongoing.

Unencrypted Hard Drive Containing 3.4M Child Services Records Goes Missing

The government of British Columbia is unable to locate a backup drive containing data on school students spanning more than a decade. 

"There's no doubt a mistake was made," Technology Minister Amrik Virk said. "First, in how the hard drive was created, and secondly, in how it was stored."

The hard drive was created in 2011 and contains student data from 1986 to 2009, including information on child health and behavior issues. The Ministry of Education realized the drive was lost while reviewing records to ensure compliance with data-storage standards.

Records show the hard drive should be in a locked cage inside a locked warehouse, but when personnel went looking for it, they came back empty. 

"It's hard to think of something more intimate and personal than this type of information," said Vincent Gogolek of the B.C. Freedom of Information and Privacy Association. "Psychological assessments, describing in-care status, substance abuse, family problems. Even if it's not lost, even if it is sitting behind a filing cabinet, those people are going to be upset and rightly so."

Virk said the government will be examining the potential risk to individuals, and notifying them.

"The chief information officer will be examining the threats ... in terms of the potential for harm, whether it be humiliation, whether it be data, whether it be personal information," Virk said.

School Nutrition Staffer Leaked Student SSNs to Hacker

At Kentucky's North Oldham High School, a nutrition services staff member ended up at a website that wasn't the site she intended to visit, which resulted in the breach of a computer, officials said.

The hacked computer contained a database with the names, telephone numbers, addresses, Social Security numbers and dates of birth of both current and former students at the school.

Officials did not say exactly what the database was for.

A notification letter said the district is working with the Kentucky Department of Education and "the supplier of the software involved."

Canadian Engineer Association Delivers Member Records to Bad Folks

An association that regulates engineers and geoscientists sent tens of thousands of member records containing personal information to an unknown party during a phishing incident.

The Association of Professional Engineers and Geoscientists of Alberta is telling members not to respond to emails that appear to come from the organization and not to provide any personal information by email, including member ID, credit card information or passwords.

The association inadvertently handed over the first names, last names and email addresses of members. 
