Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.
In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:
Confidential information about a competition for a next-generation U.S. bomber should not have appeared in a Forbes magazine article, and the Pentagon is looking into the matter, according to Reuters.
Boeing and Lockheed Martin in November contested the Air Force's $80 million contract with Northrop Grumman to develop the new long-range strike bomber.
Forbes contributor Loren Thompson, chief operating officer of the Lexington Institute think tank, published a column on the magazine's website Nov. 6, the day the protest was filed. Northrop’s cost to develop the plane was roughly twice what the competing industry teams had bid, he wrote.
The level of detail in the column raised concerns given the classified nature of the bomber program, according to three sources interviewed by Reuters.
A hacker claiming responsibility for the attack allegedly gained access to the gadget and toy company’s database through a technique known as a SQL injection, in which hackers type malicious commands into a website's user text box, tricking it into returning other data.
The hacker was then able to break into VTech’s web and database servers, where they had full system access.
Personal information on almost 5 million parents and more than 200,000 kids was compromised.
“What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard,” the publication reports.
Sensitive data from VTech's servers was provided to Motherboard a week ago.
“When it includes their parents as well—along with their home address—and you can link the two and emphatically say ‘Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question),’ I start to run out of superlatives to even describe how bad that is,” security expert Troy Hunt wrote in a blog post.
The financial institution apparently sent documents that were intended for clients Claire Nightingale and Simon Jones to another customer. The files contained confidential earnings information on the couple.
“Bizarrely when they complained to Santander's chief executive, the response from an executive complaints manager included three more confidential documents intended for other customers,” the Telegraph reports.
The couple went through eight hours of phone interviews with Santander about porting a loan, and a face-to-face interview was arranged with a mortgage adviser.
But, Nightingale says, the personnel were incompetent and knew nothing about the products Santander offers.
Eventually the bank agreed to port the loan but there were long delays with the paperwork.
Finally some paperwork arrived in the mail, but it belonged to another Santander customer.
After complaining about the way the whole process was handled, Nightingale’s case was passed to an executive complaints manager, who responded via email offering £500 compensation.
“But unbelievably, in another serious security breach, he attached three letters meant for other customers, or their MPs, who had complained to Santander about their treatment by the bank,” according to the Telegraph.
Guests booking stays at the popular Wisconsin water park this spring may have had their credit or debit cards stolen.
Someone infected the resort's payment system, potentially affecting guests who made reservations from March 9 to June 8, Wilderness said in a statement.
The property has some 1,200 guest rooms and 200 timeshare units.
In addition to hacking reservation information, the malware may have compromised cards used for purchases at food and beverage outlets, attractions and shops on the property.