Two students uncover security bug that allows anyone to use laundry machines for free

UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that they discovered a security bug that allows anyone to remotely send commands to laundry machines run by CSC and operate laundry cycles for free.

Sherbrooke said he was sitting on the floor of his basement laundry room in January 2024 and was able to run a script that instructed the machine in front of him to start a cycle, despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating that it was ready to wash a free load of laundry.

In another case, the students were able to add a balance of several million dollars to one of their laundry accounts, which the CSC Go mobile app displayed as if it were an entirely normal amount of money for a student to spend on laundry.

The two discovered that CSC’s servers could be tricked into accepting commands that modify account balances, because the security checks are performed by the CSC Go app on the user’s device, and CSC’s servers trust whatever the app reports without verifying it themselves.
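The design flaw described above, as an added illustration (not CSC’s code; the account model, handler names and the cycle price are assumptions): a backend handler that trusts the app’s claim that it already checked and deducted payment, beside one that keeps the balance check and the debit on the server.

```python
from dataclasses import dataclass

# Constructed model of a laundry-payment backend; hypothetical, not CSC's API.
CYCLE_PRICE_CENTS = 175      # assumed price of one wash
MAX_TOPUP_CENTS = 50_000     # assumed sanity cap on a single top-up


@dataclass
class Account:
    user_id: str
    balance_cents: int


def start_cycle_vulnerable(account: Account, request: dict) -> bool:
    """Client-side trust: the server believes the app's 'paid' claim.

    The request body is whatever the device sends, so a modified client can
    assert that it paid (and report any balance it likes) with $0 on file.
    """
    if not request.get("paid"):
        return False
    # The server blindly stores the balance the client reports.
    account.balance_cents = request.get("new_balance_cents", account.balance_cents)
    return True  # machine is told to wake up and show PUSH START


def start_cycle_hardened(account: Account, request: dict) -> bool:
    """Server-side authority: the client may only name the action.

    Price lookup, the balance check and the debit all happen here, so
    nothing the app claims about payment can influence the outcome.
    """
    if request.get("action") != "start_cycle":
        return False
    price = CYCLE_PRICE_CENTS  # in practice: looked up by machine id on the server
    if account.balance_cents < price:
        return False
    account.balance_cents -= price
    return True


def top_up_hardened(account: Account, amount_cents: int, payment_verified: bool) -> bool:
    """Credits only an amount confirmed by a server-verified payment event."""
    if not payment_verified or amount_cents <= 0 or amount_cents > MAX_TOPUP_CENTS:
        return False
    account.balance_cents += amount_cents
    return True
```

The hardened handlers ignore every payment-related field in the request, which is the property to check for in any server that fronts a metered device.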

CSC ServiceWorks is a large laundry service company with a network of over a million laundry machines installed in hotels, university campuses and residences across the US, Canada and Europe.

Sherbrooke and Taranenko sent the company several messages through its online contact form in January 2024, but heard nothing back. A phone call to the company landed them nowhere either, they said. They first disclosed their research in a presentation at their university cybersecurity club earlier in May.

Days after the story was published, CSC provided a statement thanking the security researchers and promising to fix the bug.

Read more about it here.

Dell discloses data breach affecting 49 million customers

Giant computer maker Dell faced a huge data breach after a cyber attacker stole information for approximately 49 million customers. Dell confirmed that the information stolen includes people’s names, postal addresses, and “Dell hardware and order information, including service tag, item description, date of order and related warranty information.” Dell did not disclose whether the incident was caused by malicious outsiders or inadvertent error.

According to Dell, the breached data did not include email addresses, telephone numbers, financial or payment information, or “any highly sensitive customer information.”

Dell seems to have downplayed the impact of the breach in its message.

“We believe there is not a significant risk to our customers given the type of information involved,” Dell wrote in the email sent to affected customers.

As first reported by Daily Dark Web, a threat actor named Menelik tried to sell a Dell database on the Breach Forums hacking forum on April 28, 2024.

The threat actor said they stole data from Dell for “49 million customer and other information systems purchased from Dell between 2017-2024.”

Read more about it here.

Details of UK military personnel exposed in payroll data breach

The UK Ministry of Defence (MoD) disclosed on May 7, 2024, a data breach impacting a third-party payroll system that exposed data of approximately 272,000 armed forces personnel, including active and reserve members as well as retired veterans.

In a statement to the House of Commons, Defence Secretary Grant Shapps said that the MoD identified the intrusion “in recent days.”

The Ministry of Defence revealed that a malicious actor gained access to part of the Armed Forces payment network, which is an external system completely separate from MoD’s core network.

The compromised information includes names and bank details, and, in a smaller number of cases, addresses of the impacted personnel.

Mr. Shapps publicly criticized the contractor, stating there was “evidence of failings” in the management of the breached system.

Read more about it here.