The target: Bergen Logistics, a U.S.-based fulfillment provider.
The take: Personally identifiable information including names, surnames, city, zip code, addresses, order numbers, email addresses, and plain-text passwords to customer accounts.
The attack vector: An unsecured Elasticsearch database server was left online, meaning anyone with an internet connection was able to connect and download the data.
The exposure of personal information can lead to highly targeted phishing and fraud attacks. More critical was how this firm stored its customer account passwords in plain text on the server with no encryption or other protection. Ensuring credentials are adequately and appropriately protected with proper cryptographic controls, rather than stored in clear text, is an integral part of maintaining a robust cybersecurity posture.
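As an added illustration (not code from Bergen Logistics or the original write-up), the following shows how a customer record like the ones exposed above should have stored its password: a per-user random salt and a slow password hash instead of the clear text, plus a migration helper for an existing plain-text row. The sample row, the iteration count and the record format are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration: PBKDF2-HMAC-SHA256 from the
# standard library, a random 16-byte salt per user, and an iteration count
# that should be tuned upward as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or foreign record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def migrate_customer(record: dict) -> dict:
    """Convert a plain-text customer row (as in the leak above) into a hashed one.

    The clear-text password is dropped from the stored row entirely, so a
    later database exposure reveals only the salted digest.
    """
    migrated = {k: v for k, v in record.items() if k != "password"}
    migrated["password_hash"] = hash_password(record["password"])
    return migrated


# Constructed sample row modelled on the fields listed in the breach summary.
LEGACY_ROW = {
    "name": "Jane", "surname": "Doe", "email": "jane@example.com",
    "order_number": "ORD-0001", "password": "correct horse battery staple",
}
```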
Yahoo Finance: U.S. pipeline operators will be required for the first time to conduct a cybersecurity assessment under a Biden administration directive in response to the ransomware hack that disrupted gas supplies in several states this month.
Yahoo Finance: Canada's national mail carrier says a malware attack on one of its suppliers has impacted 44 of its biggest corporate customers across the country, and potentially up to nearly one million people.
Bleeping Computer: Offices of multiple Japanese agencies were breached via Fujitsu's "ProjectWEB" information sharing tool. Fujitsu states that attackers gained unauthorized access to projects that used ProjectWEB, and stole some customer data.
ASIC: ASIC is urging Australians to be wary of scammers using the COVID-19 pandemic to target small businesses. Scammers often target small business owners as they recognise that they are busy and may have limited resources to keep systems safe. Common scams aimed at small businesses are outlined below.
Hedge Week: New research by Intertrust Group — which quizzed 100 CFOs across the UK, Europe, North America and Asia, from hedge funds collectively representing a total AUM of USD7.3 billion spanning a range of strategies — indicates the growing clamour for greater transparency from investors will place increased burdens on hedge funds’ ops teams.
Help Net Security: Human Layer Security company Tessian announces that it has raised $65 million in Series C venture capital funding to accelerate its mission of quantifying and preventing human risk in global enterprises, and empowering people to do their best work without security getting in the way.
Forbes: Fraud is not a new problem. Some historians trace it back to 300 B.C., when a Greek merchant named Hegestratos took out an insurance policy on his boat full of corn with the intent to sink it and collect the insurance money.
The target: FastTrack Reflex Recruitment, a U.K.-based online recruitment firm.
The take: Exposure of 20,000 records of personally identifiable information including email addresses, home addresses, full names, phone numbers, dates of birth, and passport photos.
The attack vector: The information was exposed due to a misconfigured cloud storage account, allowing anyone with an internet connection to access and download a full copy of the details.
Leaving databases and storage accounts exposed to the internet without any credential management undermines their confidentiality, integrity, and availability. Applying industry-standard practices for password length and complexity, two-factor authentication, and email verification raises the level of protection to what sensitive information requires.
BNN Bloomberg: Colonial Pipeline Co. confirmed on Wednesday that it paid hackers US$4.4 million in ransom after suffering a devastating cyberattack that took the U.S.’s largest fuel pipeline offline.
BNN Bloomberg: President Joe Biden’s infrastructure proposal includes billions of dollars tied to improving cybersecurity, an area of intensified interest after the ransomware attack on the Colonial Pipeline Co. sent U.S. gasoline prices soaring.
Hedge Week: Eyre will drive Drawbridge’s corporate cybersecurity strategy and oversee infrastructure, security and privacy initiatives as the company continues its rapid global growth. Eyre also serves as Managing Director and Head of Europe for Drawbridge.
IT News: The centre, which launches this month, will be led by Elrich Engel. Engel is currently AMP’s group head of cyber security and digital protection at AMP and acting director of architecture for cyber security and data.
Institutional Asset Manager: The Financial Conduct Authority (FCA) has sent 4,430 of its employees on compulsory cyber and information security courses over the past two financial years – (FY 19-20 and FY 20-21) – to help combat the growing threat of financial crime, such as money laundering and fraud, according to official figures.
Forbes: On the first Friday in May, a gang of black-hat hackers operating under the ominous nom de guerre of DarkSide successfully breached the cyber defenses of Colonial Pipeline, a company that moves 100 million gallons of fuel a day through a 5,500-mile network of pipes running across the eastern half of the U.S.
Bleeping Computer: The UK government has announced a call for advice on defending against software supply-chain attacks and ways to strengthen IT Managed Service Providers (MSPs) across the country.
The target: The U.S.-based Fermilab physics laboratory.
The take: Exposure of databases containing proprietary documents, project names, configuration files, passwords, and personally identifiable information such as employee names and emails.
The attack vector: Security researchers found wide-open ports in Fermilab’s systems and were able to use these unprotected points of access to reach its IT ticketing support system and file transfer service. This led to further exposure of employee names and titles, as well as many sensitive documents attached to individual help tickets. Fermilab’s file transfer service was also online with no password protection.
This breach highlights the importance of credential management and thorough testing of points of access in a firm’s IT systems. All entry points should be secured through robust password controls, using the appropriate length and complexity, along with proper management and monitoring.
BNN Bloomberg: Colonial Pipeline Co. paid nearly US$5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
ZDNet: Web applications represented 39% of all data breaches in the last year with phishing attacks jumping 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report.
Compliance Week: A Colorado-based broker-dealer will pay $1.5 million as part of a settlement with the Securities and Exchange Commission (SEC) announced for lapses in the filing of suspicious activity reports (SARs) related to the threat of cyber-breaches.
O Canada: President Joe Biden on Wednesday signed an executive order to improve federal cyber security capabilities and digital security standards across the private sector.
Yahoo Finance: A new report estimates nearly two-thirds of businesses globally, including 63 per cent in Canada, have seen an increase in targeted cyberattacks since they switched to widespread remote work.
MSN Money: Cybersecurity is more critical than ever, especially in a world already reeling from supply disruptions and bottlenecks caused by the coronavirus pandemic. The latest big ransomware attack, against Colonial Pipeline Co., is an eye-opener, as it has led to the shutdown of the 5,500-mile Colonial Pipeline system and could push up gasoline prices.
BNN Bloomberg: Criminals launched more websites to trick people into giving up data, downloading malware and sending them money during 2020, taking advantage of pandemic lockdown by pretending to be celebrities, shops and government agencies, according to the U.K.’s National Cyber Security Centre.
The target: Peloton, an exercise equipment manufacturer.
The take: Exposure of an unknown number of its 3 million users’ personally identifiable information, such as user ID, instructor ID, location, workout statistics, gender and age, and studio check-ins.
The attack vector: The leak occurred due to a lack of authentication and authorization controls in the API endpoints used by Peloton’s mobile app, website, and backend (an API, or application programming interface, is a software intermediary that allows two applications to exchange data). Unauthenticated individuals were able to manually send an API request and retrieve profile information for Peloton users, even if those profiles were marked as ‘private’.
This breach highlights the critical importance of robust authentication and authorization whenever user data is requested and transferred through a firm’s publicly reachable IT systems. Thorough testing of authentication controls is an integral part of maintaining a rigorous cybersecurity posture. Exposed personal data can lead to extremely effective phishing attacks and further data breaches affecting a firm’s customers.
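To make the two missing controls concrete, here is an added example (not Peloton’s code) of a profile endpoint written the way the summary describes, beside a hardened version that checks the caller’s session first and then enforces the ‘private’ flag per object. The profiles, session tokens and response shape are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    user_id: int
    name: str
    private: bool
    workouts: int


# Constructed sample data, not Peloton's: two users and two session tokens.
PROFILES = {
    1: Profile(1, "alice", private=True, workouts=120),
    2: Profile(2, "bob", private=False, workouts=45),
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}  # bearer token -> user_id


def _render(p: Profile) -> dict:
    return {"status": 200, "user_id": p.user_id, "name": p.name, "workouts": p.workouts}


def get_profile_vulnerable(user_id: int, token: Optional[str] = None) -> dict:
    """The pattern described above: the handler never looks at the caller and
    never consults the 'private' flag, so an unauthenticated request for any
    user ID returns that user's profile."""
    p = PROFILES.get(user_id)
    return _render(p) if p else {"status": 404}


def get_profile_hardened(user_id: int, token: Optional[str] = None) -> dict:
    """Authentication first, then object-level authorization."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        return {"status": 401}  # no valid session: reveal nothing
    p = PROFILES.get(user_id)
    # A private profile is visible only to its owner. Answering 404 rather
    # than 403 avoids confirming that a given user ID exists.
    if p is None or (p.private and caller != p.user_id):
        return {"status": 404}
    return _render(p)
```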
Institutional Asset Manager: At the same time, the behaviour and culture of financial institutions is under growing scrutiny from a wide range of stakeholders in areas such as sustainability, employment practices, diversity and inclusion and executive pay.
ABC News: In an apparent industry first, the global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
Cision: With the digital economy continuing to grow rapidly, accelerated by the COVID-19 pandemic, cyber security is an ever-increasing concern for Canadians and businesses. A strong cyber security sector will cement Canadians' trust in the digital economy. That is why the Government of Canada is committed to ensuring Canada is a global leader in cyber security innovation and talent development.
Institutional Asset Manager: Freedom of Information data obtained by Kroll from the FCA shows that the number of reportable cyber incidents where company or personal data was potentially compromised or breached dropped 30 per cent to 76 in 2020, compared to 108 during the same time period in 2019.
Mergers & Acquisitions: CVC Capital Partners VII and other investors have provided $250 million in funding to Acronis, a cyber protection provider. Acronis will use the funds to accelerate growth by expanding its portfolio of natively integrated cyber protection products. A significant portion of the investment will also be used to expand Acronis’ partner network, notably managed service providers.
Yahoo Finance: The company providing internet services for Belgium’s parliament, government agencies, universities and scientific institutions said Tuesday that its network was under cyberattack, with connections to several customers disrupted.
Help Net Security: A huge jump in new pandemic-related threats, alongside a rise in challenges caused by enforced work from home guidance, is leaving open and insecure gaps in FIs’ networks. The findings analyze the changing nature and impact of fraud, risk and cyber threats on UK and US FIs and consumers over the last 12 months.