P2017-ND-042

New England College of Optometry

On or about December 23, 2016, the Organization noted fraudulent activities within its systems after some members reported unauthorized activities on their accounts. The Organization also noticed changes to member data and requests for new numbers, as well as unusual activity concerning vehicle use and trip duration. The Organization found there had been a brute force attack against its system in late December, whereby unauthorized third parties accessed member accounts using lists of email/password combinations to log into the systems and verify valid matches for accounts. The attacker(s) knew the credentials of the members or used commonly-used passwords (e.g. “password,” or “12345”) to gain access to accounts, and that the incident was not due to any data leaks or weakness in the Organization?s systems. The unauthorized third parties logged-in to accounts and then requested the PIN in order to drive and use the Organization?s cars.

File Type: pdf
Categories: 2017
Tags: Loss