The target: Buchbinder, a German car rental company
The take: Personally Identifiable Information of 3.1 million customers including: names, emails, phone numbers, addresses, dates of birth, license numbers, bank details and payment info. In total, over 5 million files were exposed, some of them containing employee passwords stored in plain text.
The attack vector: An unsecured backup database which was completely unprotected by any credentials and was freely accessible to anyone with an internet connection. The database was discovered as part of routine scanning for unprotected databases.
This type of data is a prime target for threat actors seeking to carry out targeted phishing campaigns and BEC (business email compromise) attacks. Failure to implement robust practices can leave firms open to violations of data protection standards, and highlights the fact that protecting user data is the same as protecting the firm.
Silicon: The cyber force of hackers is due to be launched later in the spring, after many months of delays and turf wars between the Ministry of Defence and GCHQ, the Guardian newspaper reported.
The Wall Street Journal: Email scams—often riddled with typos and written by non-native English speakers in Africa—were once crude attempts to steal money from inexperienced computer users. No more.
**Source may require registration/subscription
City Wire: Former Federal Bureau of Investigation (FBI) special agent Scott Augenbaum offered his top tips for how wealth managers can protect their clients and their portfolios from hackers.
City Wire: In a commentary piece, de Blonay, who runs the Jupiter JGF Financial Innovation fund, said the cyber security software market is estimated by industry experts to grow 8.6% per year to around $82bn by 2024.
ZDNet: Hacking is growing, but in some cases, that's no bad thing. That's the main take-away from the annual report on the state of ethical hacking published by bug bounty platform HackerOne. As of 2020, the organization can boast a base of 600,000 white hat hackers; a community twice as big as the previous year, which altogether cashed in a record $40 million in bounties in the past 12 months.
Evening Express: The Financial Conduct Authority (FCA) revealed the personal details of complainants on its website in response to a Freedom of Information (FOI) request, meaning the data was accessible by anyone between November 2019 and February this year.
ZDNet: A threat group has been emailing victims with threats to carry out distributed denial of service (DDoS) attacks unless the organizations pay hefty ransom fees in the Monero (XMR) cryptocurrency.
The target: Crown Bank, a New Jersey-based financial institution.
The take: $2 million USD
The attack vector: Cyber criminals impersonated the wife of the CEO using a fake email address and tricked the bank’s employees into transferring funds multiple times. Using fraudulently created signatures of the CEO’s wife attached to PDF files, the attackers convinced bank staff that the requests, and their urgency, were legitimate.
Failure to implement and follow internal validation procedures can have serious consequences, and where an attacker discovers and exploits a weakness, they are likely to attack again until they are discovered. Furthermore, failure to enforce a firm’s security and cash transfer control procedures can invalidate an attempt to recoup damages via an insurance claim.
City Wire: Financial firms and their employees could be doing much more to protect their assets and those of their clients as cybercrime will become one of the biggest risks they face over the next decade, according to cybersecurity expert and former FBI agent Scott Augenbaum.
*Note full article may require free sign-up registration.
Reuters: Britain and the United States joined Georgia on Thursday in blaming Russia for a large-scale cyber attack last year that knocked thousands of Georgian websites offline and disrupted national television broadcasts.
BBC: The data exposed included names, address, and passport numbers for former guests. MGM said it was "confident" no financial information had been exposed. The resort chain said it was unable to say exactly how many people were impacted because information that was exposed might be duplicated.
Plan Adviser: Retirement plan advisers not only have rigorous cybersecurity responsibilities of their own—they also need to proactively help their plan sponsor clients establish airtight cybersecurity firewalls and procedures, industry experts say.
Silicon Angle: The venture capital firm has been a prolific investor in cybersecurity startups. Investments included access control startup Remediant Inc. in August, app security startup NowSecure in June and IoT security provider Mocana Corp. in March. Fund II focus areas include cyber intelligence, privacy, security services and infrastructure protection.
Tech Crunch: Dell Technologies announced that it was selling legacy security firm RSA for $2.075 billion to a consortium of investors led by Symphony Technology Group. Other investors include Ontario Teachers’ Pension Plan Board and AlpInvest Partners.
CityWireSelector: An ETF specialist boutique launched by four former Legal & General Investment Management (LGIM) employees has unveiled two thematic ETFs as it seeks to capitalise on future trends.
The target: The United Nations
The take: 400GB of data including: internal documents and emails, human resource records, database access, commercial information, and Active Directory access.
The attack vector: The threat actors compromised 42 servers in total by exploiting a known remote code execution vulnerability in Microsoft SharePoint. This let the attackers move freely within all of the IT systems. A patch was released a few months prior to the breach, but the U.N.’s IT department failed to deploy the patch when it was released, leaving a significant timeframe in which their systems were vulnerable.
This breach highlights the critical importance of maintaining an inventory of internal systems and software, and ensuring those systems are kept up-to-date. Security vulnerabilities can be exploited as soon as they’re identified, underlining the importance of adhering to a regular and frequent patching schedule.
Business Insider: A company that sends out SMSes and emails on Nedbank’s behalf may have been hit by a data breach. The “data security incident” may have released the names, ID numbers, telephone numbers, physical and/or email addresses of 1.7 million Nedbank clients.
CTV: Puerto Rico's government has lost more than US$2.6 million after falling for an email phishing scam, according to a senior official.
The finance director of the island's Industrial Development Company, Ruben Rivera, said in a complaint filed to police Wednesday that the agency sent the money to a fraudulent account.
Reuters: Some of London’s top hedge funds and asset managers are among those that have been targeted by rogue internet operators who clone their names and websites in an attempt to part unsuspecting investors from their cash.
ABC: Federal Parliament failed to develop effective methods for preventing cyber intrusions and did not regularly update some sensitive information systems, according to a draft internal audit dated three months after a major cyber attack was uncovered.
CNN: A security flaw in a mobile app used primarily by Prime Minister Benjamin Netanyahu's Likud party exposed the personal data of every eligible voter in Israel just three weeks before a national election.
BBC: More than 147 million Americans were affected in 2017 when hackers stole sensitive personal data including names and addresses. Some UK and Canadian customers were also affected. China has denied the allegations and insisted it does not engage in cyber-theft.
ZDNet: The FBI received 467,361 internet and cyber-crime complaints in 2019, which the agency estimates have caused losses of more than $3.5 billion, the bureau wrote in its yearly internet crime report.
The target: Mitsubishi Electric, an electronics company based in Japan.
The take: Personal data of 8000 employees and trade secrets including technical, sales, and client information.
The attack vector: Attackers exploited a zero-day vulnerability (a newly discovered vulnerability for which no patch/mitigation has yet been published) in antivirus software used by Mitsubishi to compromise accounts and internal systems. They gained access to forty servers and one hundred and twenty computers inside the company.
The unfortunate reality is that every company is potentially vulnerable, and this example only reinforces our position that cybersecurity is not a one-and-done, set-it-and-forget-it domain. While zero-day exploits are rare and extremely difficult to defend against, monitoring and assessment of redundant security measures and the defense-in-depth approach can limit the potential impact of a compromise of one layer of a firm’s defenses.
Evening Standard: Anthony Murrell, 44, siphoned off the money from Legal and General Investment Management over three years, buying non-existent computer cables and paying the money to a fake company in his wife’s name.
The Sydney Morning Herald: Speaker of the House of Representatives Tony Smith condemned Mr Pyne's comments about the hack on Parliament's computer network in January 2019, saying any suggestion the public had been kept in the dark about the extent of the hack was "false".
The Sydney Morning Herald: A 31-year-old man has been charged over an $11 million cyber fraud in which he allegedly obtained the financial profiles and identities of more than 80 people to create fraudulent bank accounts and steal from their savings and superannuation accounts.
Institutional Investors: Investment firms that get hacked, hike fees, or switch portfolio managers can expect to land in the hot seat with their institutional clients.
City A.M.: Callsign, which uses AI to verify the identity of users, is signing off on a deal with JP Morgan Asset Management, which manages $2 trillion (£1.5 trillion) for global clients, Sky News reported.
Reuters: Israeli venture capital firm Jerusalem Venture Partners (JVP) opened a cybersecurity center in New York City to help launch new companies, and said it was looking to build a similar hub in Europe.
Financial Post: Avast allegedly collected data on what many of its users did online and sent it to Jumpshot, which then offered to sell the information to clients, media reports said. Avast denied the allegations and began a review.