The target: Adobe, an American computer software company.
The take: 7.5 million customer accounts which contained email addresses, account creation dates, subscription status, country and payment details.
The attack vector: A misconfigured Elasticsearch cloud database was left online without any password protection. This information could easily be used to launch sophisticated, targeted phishing attacks to trick users into giving further sensitive details.
When provisioning new systems or types of systems, care must be taken to ensure that appropriate and proportionate security measures are implemented, either by automated scanning or by manual review. Adopting (and validating) robust controls to technological tools employed is critical to secure operations.
Yahoo Finance: At a time when trust has become central to the customer experience, KPMG cyber security practice leaders have told a roundtable that they believe financial services firms are demonstrating a commitment to trust through their cyber agendas. They said that amidst accelerating technological disruption, actively managing customer trust is presenting new revenue opportunities and challenges for financial institutions.
Cointelegraph: In its “Cryptocurrency Anti-Money Laundering Report, 2019 Q3,” security research firm CipherTrace delved into the 120 most popular cryptocurrency exchanges’ compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements and analyzed patterns in crypto-related crimes.
Cision: Madrid-based cybersecurity firm buguroo has secured $11 million in Series A funding to bring its Deep Learning based online fraud detection and prevention technology, combining behavioral biometrics, malware detection and device assessment, to more financial services customers.
Pensions & Investments: Record keepers are under pressure from retirement plan trustees and regulators to protect participant data in the U.K. after several companies such as Tesco PLC and British Airways PLC became targets of cyberattacks.
The Hindu: An industry-oriented workshop on ‘Cyber security technologies and applications’ organised at the Indian Institute of Information Technology (IIIT Sri City) gave a fresh outlook on the emerging opportunities in the sector as well as future global applications.
The target: Macy’s, an American department store chain.
The take: First and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes and expiration dates.
The attack vector: The attackers used card skimming code, colloquially termed as Magecart, to inject a malicious script into two pages on Macy’s website, the wallet and checkout page. Tampering with the scripts on the retailer’s website allowed attackers to ‘skim’ sensitive information as it was entered by customers and forward it to their own systems.
Any webpage where sensitive information is entered by the user is a prime target for hackers. Ensuring robust standards around critical nodes such as these are key for strong security practices.
The Irish News: The Northern Ireland division of US cybersecurity firm Proofpoint lost £1million last year on the back of a significant increase in salary costs, a new report produced by the company has shown.
CNBC: Scott Van Den Berg, president of Century Management Financial Advisors, has added cybersecurity to the firm’s insurance coverage.
Private Equity News: Private equity firms know the importance of cybersecurity. But their awareness has not translated into widespread implementation, leaving many vulnerable to data breaches that have the potential to slash the value of their investments.
Reuters: Britain’s opposition Labour Party was using a $20-a-month “basic security” service to protect its website when hackers attempted to force it offline and temporarily slowed down online campaigning, according to internal emails seen by Reuters.
ZDNet: Cyber espionage has been going on pretty much since the dawn of the web, with Russia, China, Iran and North Korea generally seen as the countries most likely to be engaging in cyber-espionage campaigns against Western targets.
Private Equity Wire: The partnership with Vista will allow Sonatype to further fast-track growth and enhance its Nexus product portfolio. Several of Sonatype’s existing investors will retain a stake in the company.
WSJ: How good a company is at cybersecurity is joining factors such as greenhouse-gas emissions and directors’ pay when it comes to investors evaluating whether or not to buy in.
The target: InfoTrax, a Utah-based provider of IT systems for the Direct Sales industry.
The take: 1 million user records including Social Security Numbers, payment card information, bank account information, user names and passwords.
The attack vector: A vulnerability in InfoTrax’s public facing website allowed the attacker to upload malicious code, which allowed remote control of the company’s website and servers. Inadequate security monitoring practices gave the attacker unrestricted, and undetected, access to 17 different systems over a period of two years. InfoTrax was only alerted when one of its servers ran out of storage space.
Robust monitoring standards are critical to detect not only intrusions, but any and all unusual activity that can indicate if IT systems have been compromised.
Tribune: Security experts have cautioned nations that major cyber-attacks may happen around the globe in the near future, which may force governments and private sector to seek international help in an effort to take back control of their systems from hackers.
DARKReading: In a global study of more than 2,200 organizations across 22 different countries, NTT Security's 2019 Risk:Value research found that cyberattacks (43%), data loss or theft (37%), and attacks on critical infrastructure (35%) — aimed particularly at telecoms and energy networks — concern respondents the most.
Reuters: Under the Standing Term Liquidity Facility (STLF), eligible provincially and federally regulated members of Payments Canada challenged by idiosyncratic shocks like natural disasters, system failures, and cyber attacks would be given access to central bank liquidity for a 30-day term, renewable at the Bank of Canada’s discretion.
Cision: The global cybersecurity market was valued at USD 118.78 billion in 2018, and is expected to reach USD 267.73 billion by 2024, registering a CAGR of 14.5%, during the period of 2019-2024. The rise in trend for IoT, BYOD, AI and machine learning in cybersecurity is increasing. For instance, machine learning provides advantages in outlier detection, much to the benefit of cybersecurity. Machines can handle billions of security events in a single day, providing clarity around a system's activity and flagging anything unusual for human review.
Channel News: Australian banks have received a warning from the nation‘s peak financial regulator to improve their poor “cyber hygiene”, following revelations that there have been some 36 significant data breaches in just four months.
The target: First American Financial Corp, a Fortune 500 real estate title insurance giant
The take: 885 million files, including records of wire transactions with bank account numbers, bank statements, mortgage records, tax documents, Social Security numbers and driver’s licenses.
The attack vector: FA’s webserver used a system of assigning sensitive documents unique web links – however, incrementing the id number in the link returned other, unrelated documents for any user accessing the site via web, with no authentication necessary.
‘Security by obscurity’ has no place in the 21st century – it is altogether insufficient to rely on the presumed inability of an attacker to locate sensitive resources left exposed to the public web. Any data which is not for public consumption must be protected with a secure authentication system to ensure that it can only be accessed by the intended audience.
AsianInvestor: A lack of adequate cyber security can have a huge impact on investment performance, so asset owners should take action to minimise such risks within their portfolio companies, says a new report by two British pension funds, with clear implications for their peers elsewhere.
*Full article will require sign-in registration
ITPro: At least five critical Indian government agencies have been reportedly targeted by North Korean hackers in recent months, including its atomic regulatory board and space agency.
Hedgeweek: DrawbridgeConnect-R continuously analyses a firm’s vulnerabilities – rather than providing a mere point in time vulnerability assessment – and helps firms identify, prioritise and remediate organizational cybersecurity weaknesses that leave data at risk.
ZDNet: The UK's twice-delayed departure from the European Union is still dependent on an exit deal being agreed by Parliament. Once this is done, the country currently has until the end of 2020 to agree on its future relationship with Europe.
InvestorDaily: The white paper, Keeping Our Money Safe: Data and Security of Payments in 2020 and Beyond, from InPayTech has forecast pay-tech vendors catering to the super sector will need to be aware of evolving customer experiences and expectations around data security.
Help Net Security: Research finds that when one company experiences a cybersecurity breach, other companies in the same field also become less attractive to investors. However, companies that are open about their cybersecurity risk management fare significantly better than peers that don’t disclose their cybersecurity efforts.
The target: SingHealth, Singapore’s largest group of healthcare organizations.
The take: 1.5 million patient records which included: names, prescriptions, medical records, government registration numbers, addresses and dates of birth.
The attack vector: The source of the breach according to early reports was a phishing campaign, however, security researcher’s leading hypothesis was that the attack originated through SingHealth’s failure to keep their software updated. The company used an open source penetration testing application called Ruler. However, they ignored an available patch for Ruler which addressed a known vulnerability, and which led to the hackers gaining access.
Regular and rigorous attention to security updates must be applied to ensure maximum safety of a company’s IT systems – especially where it pertains to tools used to assess the security of internal systems and the effectiveness of technical controls.