Supply Chain Cyberattack Disrupts Giant Retailers Including Starbucks, Sainsbury’s
NY fines Geico and Travelers $11.3m over 2020 hacks, Oz passes standalone Cyber Security Act, Long-withheld LifeLabs investigation released, Liverpool hospital goes down due to cyber incident, IT worker sentenced to four years for sharing data with China, QNAP issues flurry of fixes, much more
Sponsor Message
Armed with a complete view of your organization’s software assets, Anchore allows you to find and prevent malicious content from reaching your users. Anchore’s end-to-end, SBOM-powered software supply chain security management platform protects you and your customers at every step, from SBOM monitoring to policy enforcement to remediation. Anchore integrates at every stage of the software development process, from source code to build to runtime. Every package, every library, every version is cataloged and stored. This enables organizations to find out where content is, where it came from, and how it changed.
A ransomware attack against Blue Yonder, a major supply chain technology provider owned by Japanese conglomerate Panasonic, left retailers, including Starbucks and UK grocery chain Sainsbury’s, scrambling to implement backup plans to manage operations, including scheduling and handling inventories.
Blue Yonder, one of the world’s largest supply chain software providers, said it was working to restore services after last week's attack disrupted the systems it hosts for customers.
Blue Yonder did not provide a timeline for service restoration. The company said the attack did not affect systems that run on public cloud-based platforms.
Starbucks said the ransomware attack affected company-owned stores in its network of around 11,000 sites in North America. It disrupted the coffee chain’s ability to pay baristas and manage their schedules, leaving cafe managers to calculate employees’ pay manually.
Starbucks is currently paying employees for their scheduled shifts, meaning they could be overpaid or underpaid depending on the hours actually worked. The company said it would eventually ensure baristas are paid for all hours worked.
Automaker Ford Motor said it uses Blue Yonder technology and was investigating whether the outage affected its operations.
Sainsbury’s and Morrisons, two of the U.K.’s largest grocery chains, said they have turned to backup plans to keep operations running.
Morrisons, which has about 1,600 convenience stores and 500 supermarkets across the U.K., said the outage affected its warehouse management systems for fresh foods and produce. “We are currently operating satisfactorily on our backup systems and we’re working very hard to deliver for our customers across the country,” a spokesperson for Morrisons said.
Sainsbury’s, which has 600 supermarkets and more than 800 convenience stores across the U.K., said it is in “close contact” with Blue Yonder and has put contingency processes in place. (Liz Young and Heather Haddon / Wall Street Journal)
Related: Blue Yonder, Tech Monitor, Silicon Republic, CSO, Reuters, The Record, BleepingComputer, Forbes, The Grocer, CNN, BNN Bloomberg, Dark Reading, Cybernews.com, SiliconANGLE, PYMNTS.com, Business Insider, PCMag, The Register, CBS News, NBC News, Fox Business, SupplyChainBrain, Cybernews, Augusta Free Press, CSO Online
New York Attorney General Letitia James and the NYS Department of Financial Services fined auto insurers Geico and Travelers Indemnity a combined $11.3 million for lapses in their cybersecurity programs that led to hackers stealing data on 120,000 people during the Covid-19 pandemic.
They alleged that hackers accessed Geico’s online quoting tool, which is used by insurance agents, starting in 2020 to steal driver’s license numbers and dates of birth. The attacks exposed sensitive information belonging to approximately 116,000 people.
In April 2021, hackers used stolen credentials to break into Travelers’ insurance agents’ quoting tool, which allowed users to generate reports with driver’s license numbers in plain text. The joint statement from New York said the system wasn’t protected by multifactor authentication, and the attack went undetected for seven months. Data on around 4,000 people was ultimately stolen.
The DFS found that both companies violated its 2017 cybersecurity regulations, some of the strictest in the US, which have specific rules governing data protection. The rules were updated in 2023 to cover ransom payments and board oversight of cyber risk management. (James Rundle / Wall Street Journal)
Related: New York State Department of Financial Services, PYMNTS, Newsday, BankInfoSecurity, Insurance Journal, Investing.com
Australia has passed its first standalone Cyber Security Act, granting the government additional powers, introducing new ransom reporting requirements, and launching the long-discussed “limited-use” obligation for the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator, among other things.
Cyber Security Minister Tony Burke said collaboration between government and industry is crucial, something that forms a large part of the new legislation.
Cybersecurity firms generally praise the bill, with some saying it doesn't go far enough to address several problems. (Daniel Croft / Cyber Daily)
Related: CSO Online, CRN, ARN, Australian Cybersecurity Magazine, InnovationAus, IT News
A long-withheld investigation into a 2019 hacking at diagnostic and genetic testing firm LifeLabs that compromised millions of Canadians’ health data was finally made public after an Ontario court dismissed the company’s appeal to prevent its release.
A statement from the privacy commissioners of both British Columbia and Ontario says their joint report, completed in June 2020, found that LifeLabs “failed to take reasonable steps” to protect clients’ data while collecting more personal health information than was “reasonably necessary.”
The report ordered LifeLabs, which handles most medical tests ordered by doctors outside hospital settings in British Columbia, to address several issues, such as appropriately staffing its security team. The commissioners’ statement says the company complied with all orders and recommendations.
LifeLabs had cited litigation and solicitor-client privilege to block the document’s publication, but the commissioners’ offices opposed this.
The company then sought judicial review in the Divisional Court in Ontario before the case went to the Ontario Court of Appeal, where LifeLabs’ appeal was dismissed.
The British Columbia Information and Privacy Commissioner, Michael Harvey, said that “the road to accountability and transparency has been too long” for the data breach victims. (Chuck Chiang / Canadian Press)
Related: Databreaches.net, Information and Privacy Commissioner of Ontario, Vancouver is Awesome, Toronto Star
A "major incident" was declared at Arrowe Park Hospital in the Wirral region of Liverpool, UK, for "cyber security reasons."
The Wirral hospital has told people to only attend the emergency department if they have a genuine emergency. It states that business continuity processes are in place and that its focus remains on maintaining patient safety.
One patient said a message was announced on the hospital's overhead speakers, stating that they were declaring a major incident and that non-emergencies should consider going home and coming back tomorrow.
A staff member at the hospital told the ECHO: “Everything is down. Everything is done electronically so there’s no access to records, results or anything so we are having to do everything manually, which is really difficult. The damage is huge." (Conaill Corner / Liverpool Echo)
Related: Wirral Globe, Liverpool World, The Mirror, Chester Standard
Officials with the Texas Tech University Health Sciences Center El Paso and Texas Tech University Health Sciences Center said patient information was breached during a cyberattack.
The organization dealt with a temporary disruption to some of its computer systems and applications in September.
The investigation confirmed that a cybersecurity event caused the technology issues, resulting in access to or removal of certain files and folders from the company's network between September 17 and September 29.
The information varies by patient but may include name, date of birth, address, driver’s license number, government-issued identification number, financial account information, health insurance information, medical records numbers, billing/claims data, and diagnosis and treatment information, officials said. (KFOX14)
Ping Li, a 59-year-old IT worker living in Florida, was sentenced to four years in prison for sharing sensitive information with the Chinese government’s intelligence agency.
Li, a US citizen living in Wesley Chapel, pleaded guilty to conspiring to act as an agent of the People’s Republic of China and will pay a $250,000 fine.
Li shared troves of data with the Ministry of State Security (MSS), the country’s civilian intelligence agency, dating back to at least 2012.
Li reportedly worked for two decades at Verizon before moving to Infosys, the second-largest IT company in India. The Department of Justice said he served as a “cooperative contact” who obtained information the MSS asked for, leaking information about Chinese dissidents, pro-democracy advocates, and members of the Falun Gong religious movement, as well as sensitive cybersecurity information.
In March 2022, a Chinese officer asked Li for information, including “materials relating to cybersecurity training,” about his new employer. He provided the information that same day, prosecutors said. The incident also involved emails from MSS officers “discussing hacking tactics that could be employed.”
Court documents show the MSS handler asked Li to obtain information about the SolarWinds cyberattack on the U.S. government in 2021.
Li was able to send the information to the agency through anonymous Gmail and Yahoo accounts and often traveled to China to meet with MSS officers.
He also provided personal information about Chinese dissidents and sent biographical data to the agency about an individual affiliated with Falun Gong residing in St. Petersburg, Florida. In June 2022, Li provided the MSS with information about someone who fled China for the U.S.
Li was arrested on July 20 and initially lied about the information he provided to the MSS, but after being shown copies of emails he had exchanged with one of his handlers, he admitted to working with them. (Jonathan Greig / The Record)
Related: Justice Department, Tampa Bay Times
Researchers at Trend Micro provide details on the tactics, techniques, and procedures used by Salt Typhoon, which the company referred to as one of “the most aggressive Chinese advanced persistent threat (APT) groups” currently in operation.
Sen. Mark Warner, D-VA, said last week that the hack is “the worst telecom hack in our nation’s history—by far,” and the attackers are still in the systems.
The researchers say that several pieces of malware used by the group have been used to infiltrate other telecommunications companies and government entities worldwide. Trend Micro tracks the group as “Earth Estries” and says it, also known as FamousSparrow, GhostEmperor, and UNC2286, has used the malware in the US, Asia-Pacific, Middle East, and South Africa.
The group capitalizes on several known vulnerabilities in Ivanti, Fortinet, Sophos and Microsoft Exchange products. From there, Trend Micro says the group likes to use legitimate tools like Windows Management Instrumentation Command (WMIC.exe) or PsExec to penetrate further into networks.
Once inside, the group uses malware described as “backdoors,” which Trend Micro refers to as GhostSpider, SnappyBee, and Masol RAT. Each tool exhibits high sophistication, enabling the group to stay hidden within compromised networks.
GhostSpider, in particular, is a multi-modular backdoor designed to deploy various components for specific functions, enhancing its adaptability and making it harder to detect. (Greg Otto / Cyberscoop)
Related: Trend Micro, The Record, GovInfoSecurity, Bleeping Computer, Computing
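As an added defender-side illustration (not code from the article or from Trend Micro), the following Python pass runs simple detection logic over a handful of constructed Windows process-creation and service-install events, flagging the remote-WMIC and PsExec use the reporting attributes to the group, and chaining a PsExec launch on one host to the PSEXESVC service it installs on the target. Host names, user names and the event layout are constructed assumptions; the field names only loosely mirror Sysmon Event ID 1 and System Event ID 7045, so map them to your own telemetry before use.

```python
"""Flag living-off-the-land lateral movement (remote WMIC, PsExec) in a
small set of constructed Windows events, then correlate client and target."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (hypothetical hosts/users; not from any real log).
# event_id 1 ~ Sysmon process creation, 7045 ~ System "new service installed".
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws-it-03", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version"},                # benign local query
    {"event_id": 1, "host": "ws-it-03", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"srv-mail-01" process call create "cmd.exe /c dir C:\\"'},
    {"event_id": 1, "host": "ws-it-03", "user": "CORP\\helpdesk",
     "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\srv-mail-01 -s cmd.exe"},      # PsExec client
    {"event_id": 7045, "host": "srv-mail-01", "user": "NT AUTHORITY\\SYSTEM",
     "service_name": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": ""},                                            # PsExec service on target
    {"event_id": 7045, "host": "srv-mail-01", "user": "NT AUTHORITY\\SYSTEM",
     "service_name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe",
     "cmdline": ""},                                            # benign service
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str            # host that produced the event
    user: str
    target: Optional[str]  # remote host named on the command line, if any


_WMIC_NODE = re.compile(r'/node:\s*"?([^\s"]+)', re.IGNORECASE)
_PSEXEC_TARGET = re.compile(r"\\\\([^\s,]+)")  # first \\host argument


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_remote_wmic(ev: dict) -> Optional[Finding]:
    """WMIC invoked with /node: against another host plus a process create."""
    if ev.get("event_id") != 1 or _basename(ev.get("image", "")) != "wmic.exe":
        return None
    cmd = ev.get("cmdline", "")
    m = _WMIC_NODE.search(cmd)
    if not m or "process call create" not in cmd.lower():
        return None
    return Finding("wmic_remote_process_create", ev["host"], ev["user"], m.group(1))


def check_psexec_client(ev: dict) -> Optional[Finding]:
    """PsExec/PsExec64 started on a workstation; target is the \\host argument."""
    if ev.get("event_id") != 1:
        return None
    if _basename(ev.get("image", "")) not in {"psexec.exe", "psexec64.exe"}:
        return None
    m = _PSEXEC_TARGET.search(ev.get("cmdline", ""))
    return Finding("psexec_client_launch", ev["host"], ev["user"], m.group(1) if m else None)


def check_psexec_service(ev: dict) -> Optional[Finding]:
    """PSEXESVC service installed on a host: the server half of a PsExec session."""
    if ev.get("event_id") != 7045:
        return None
    if ev.get("service_name", "").upper() != "PSEXESVC" and \
            _basename(ev.get("image", "")) != "psexesvc.exe":
        return None
    return Finding("psexec_service_installed", ev["host"], ev["user"], None)


RULES = (check_remote_wmic, check_psexec_client, check_psexec_service)


def detect(events) -> list:
    """Run every rule over every event; return findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def correlate(findings) -> list:
    """Pair a PsExec launch naming host T with a PSEXESVC install seen on T."""
    installed = {f.host for f in findings if f.rule == "psexec_service_installed"}
    return [(f.host, f.target) for f in findings
            if f.rule == "psexec_client_launch" and f.target in installed]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.rule:28} host={h.host:12} user={h.user:22} target={h.target}")
    for src, dst in correlate(hits):
        print(f"lateral movement chain: {src} -> {dst}")
```

The benign local `wmic os get` and the Spooler service are deliberately left unflagged; in production the two PsExec rules would usually be combined with an allowlist of administrative jump hosts, since PsExec itself is a legitimate tool and the signal is its use from an unexpected source.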
NAS appliance company QNAP released security bulletins that address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible.
QNAP says two vulnerabilities, CVE-2024-38643 (CVSS v4 score: 9.3, "critical") and CVE-2024-38645, a server-side request forgery (SSRF) vulnerability, affect QNAP Notes Station 3, a note-taking and collaboration application used in the firm's NAS systems.
Two other vulnerabilities affecting Notes Station 3 are CVE-2024-38644 and CVE-2024-38646. Both are high-severity (CVSS v4 scores: 8.7 and 8.4, respectively) command injection and unauthorized data access problems that require user-level access to exploit.
QNAP addressed CVE-2024-48860, which impacts QuRouter 2.4.x products, QNAP's line of high-speed, secure routers. The flaw, rated 9.5 "critical" according to CVSS v4, is an OS command injection flaw that could allow remote attackers to execute commands on the host system.
QNAP also fixed a second, less severe command injection problem, tracked as CVE-2024-48861. Both issues were addressed in QuRouter version 2.4.3.106.
Other products that received important fixes this weekend are QNAP AI Core (AI engine), QuLog Center (log management tool), QTS (standard OS for NAS devices), and QuTS Hero (advanced version of QTS). (Bill Toulas / Bleeping Computer)
Related: QNAP, CSO Online, The Register
Cybersecurity firm Halcyon announced the closure of its $100m Series C venture funding round.
Evolution Equity Partners led the round with participation from Bain Capital Ventures, SYN Ventures, Harmony Group, Corner Capital Management, Dropbox Ventures, ServiceNow Ventures, and existing investors. (Katie Roof / Bloomberg)
Related: Austin Business Journal, SiliconANGLE, Halcyon, Crunchbase News, Pulse 2.0, FinSMEs, SecurityWeek, VC News Daily, FinTech Global
Best Thing of the Day: Cutting Phishing Incidents in Half
The Financial Services Information Sharing and Analysis Center (FS-ISAC) unveiled a phishing prevention framework that has already reduced the volume of phishing incidents by half in a pilot program across three banks using techniques that might be broadly applicable to other industries.
Worst Thing of the Day: Not Even Your Pokémon Go Data Is Safe
Brian McClendon, Niantic’s SVP of engineering and formerly the co-creator of Google Earth, Street View, and Google Maps, said that he “could definitely see” governments and militaries purchasing the company’s newly announced AI model for navigating the real world, which would be based on scan data generated by Pokémon Go players.