Wolters Kluwer data breach shows contact info, not tax and finance data

Business and accounting solutions provider Wolters Kluwer is currently aware of, and is looking into, what could be a major data breach. 

Over the weekend it was reported that a post had appeared on a cybercrime forum from an alleged threat actor advertising a fresh dataset from Wolters Kluwer up for auction, with an opening bid of $15,000. While passwords were not included in the dataset, which is said to range between 3-6 gigabytes in size, it did have other sensitive data such as full names, emails, phone numbers, home addresses, job and university info, and even social media accounts and tokens.

Despite not including user passwords, such information would likely be valuable for things like identity theft as well as targeted social engineering against specific customers, as information like this can be used to recover passwords fraudulently, as well as engage in spear phishing campaigns on particular individuals. The inclusion of social media tokens could also provide secondary login methods for other services as well as potentially hijack social media profiles.

Stefan Kloet, a Wolters Kluwer spokesperson, said the company is still assessing the scope and scale of the damage, though so far it seems that its impact has been limited. 

“We are aware of this matter and investigating any potential data impact. Our investigation is ongoing; based on our preliminary review to date, it appears the data is limited to business contact information in our health journals business. At this time, there is no evidence that any financial or tax data has been impacted, nor evidence of data impact associated with products outside of the health journals business,” said Kloet.