The target: Coninsa Ramon, a Colombian based architecture, engineering, construction, and real estate firm.
The take: 5.5 million files of 100,000 customers of their personally identifiable information including: full names, addresses, email addresses, transaction data, and asset values.
The attack vector: An unsecured Amazon S3 storage server was misconfigured, allowing anyone with an internet connection to access and download the data. In addition, malicious code was discovered that would allow attackers to maintain a persistent connection to the website, letting them redirect traffic to fraudulent pages.
The exposure of personal information can lead to highly targeted phishing and fraud attacks. Given how detailed the information was in this exposure, the threat of spear-phishing campaigns is high. Use of authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ industry standard practices of credential management, user authentication and validation, around all storage of customer data.
Forbes: Humans: we'd like to believe they're all good at the core. Unfortunately, there are a few bad apples in the bunch — or at least very opportunistic apples. When it comes to cybersecurity, the bad apples are hackers who are out to invade, profit from or damage a business.
Bleeping Computer: CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warned today of an increased number of Conti ransomware attacks targeting US organizations.
International Adviser: Zoom, Skype, Microsoft Teams and e-signatures are just some of the digital solutions that have become part of our daily lives in the last year and a half or so. They were unknown before the plethora of lockdowns we’ve all gone through.
CBC News: The White House imposed sanctions Tuesday against SUEX, a virtual currency exchange that enables users to trade cryptocurrency or other digital currencies, for its role in facilitating financial transactions for ransomware actors.
Bleeping Computer: In collaboration with Europol and Eurojust, European law enforcement dismantled an extensive network of cybercriminals linked to the Italian Mafia that was able to defraud their victims of roughly €10 million ($11.7 million) last year alone.
The target: Walgreens, a U.S based drug store and pharmacy chain.
The take: Millions of records of personally identifiable information including: name, date of birth, gender, phone number, address, email, and in some cases results from Covid-19 tests.
The attack vector: Walgreens failed to secure their test appointment registration system. When a user requests a test and fills out the online form with their personal info, they are given a unique 32-digit ID number and a link to their appointment request page. This URL has no authentication or credential control whatsoever. Anyone can use the link to view the personal information.
Security-by-obscurity is not a reliable method, or industry standard, way of securing personal data. Authentication and credential management are an essential strategies that should be taken into high consideration in every area where user information is accessed.
Engadget: Since 2009, companies handling health records have been required to notify consumers if their data is breeched. Now, the rule has been extended to health apps that track fitness, vital statistics, sleep and more.
Dark Reading: After polling some 1,000 senior cybersecurity leaders, EY found that CISOs and other security leaders are struggling with inadequate budgets, regulatory fragmentation, and disconnection with the functions that need them the most. The results are detailed in the results of EY's Global Information Security Survey 2021 (GISS).
The United States Department of Justice: On Sept. 7, U.S. citizens, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
The Guardian: A quarter of cyber incidents reported to Australian security officials over the past year have targeted critical infrastructure and essential services, including health care, food distribution and energy.
Hedge Week: Drawbridge, a premier provider of cybersecurity software and solutions to the investment industry, has added three industry veterans to bolster its business development, strategy and operations teams.
Silicon: The US financial regulator is reportedly engaging in a lage-scale probe into the effects of the SolarWinds hack that affected companies around the world.
The target: MyRepublic, a Singapore based Internet Service Provider
The take: 80,000 user records containing personally identifiable information such as: national identity cards with photos and addresses, names, copies of utility bills needed for verification, and mobile phone numbers.
The attack vector: The occurred due to unauthorized external access to from a 3rd party vendor employed by MyRepublic to store the firm’s documents needed for registration with their mobile service.
This breach highlights the risks of using third party vendors as the personal information exposed could lead to high targeted phishing attacks against the firm’s users. Up to date monitoring on where and what systems a firm’s data resides on, and regular audits on the effectiveness of the deployed protections, is essential for maintaining the expected industry standard of cybersecurity.
ZDNet: All the time spent ticking boxes in cybersecurity training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click".
IT News: Boston-based cyber security software startup Snyk said it raised US$300 million (A$408 million) in fresh funds and the company was now valued at $8.5 billion (A$11.5 billion).
Lexology: The past 12 months have seen an increase in cybersecurity attacks against major companies, placing data breaches on the front page of virtually every major newspaper. The U.S. government has taken notice.
NDTV: Websites of a number of financial institutions in New Zealand and its national postal service were briefly down on Wednesday, with officials saying they were battling a cyber attack.
CNBC: In the wake of increasingly sophisticated criminal hacks of companies like SolarWinds, Colonial Pipeline, and JBS Foods that touched on fears of national security weaknesses, U.S. politicians all the way up to the White House have been adamant on one cybersecurity requirement: organizations needed to spend more on it to protect the nation. But there’s a problem: in many cases, increased spending on cybersecurity in recent years hasn’t resulted in better protection against hackers.
The United States Department of Justice: A dual Canadian and U.S. national was sentenced today to 140 months in federal prison for conspiring to launder tens of millions of dollars stolen in various wire and bank fraud schemes – including a massive online banking theft by North Korean cyber criminals.
ZDNet: It seems that every tech security vendor is talking up 'zero trust' as an answer to increasingly dangerous cyberattacks, but UK cybersecurity experts warn customers its definition is a bit slippery and they should proceed with caution.
The target: T-Mobile, a U.S based cellphone carrier.
The take: Exposure of Personally Identifiable Information of 50 million customers including: addresses, social security numbers, dates of birth, drivers’ licenses, and a small number of account PINs.
The attack vector: The attacker penetrated T-Mobile’s IT systems through an unsecured router, using the lack of credential controls as a launchpad to steal data.
Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access in a firm’s IT network. An unprotected point of entry on a key piece of equipment like a router can lead to a breach with a cascading effect on data exposure.
ETF Trends: That’s a positive for a variety of exchange traded funds, including the First Trust Nasdaq Cybersecurity ETF (CIBR). Following large-scale ransomware attacks this year on energy pipelines, meat packing plants, and other assets, the case for cybersecurity spending — and investing — has never been stronger.
IT Pro Portal: Across any industry, cybersecurity and regulatory compliance are crucial areas for business leaders to keep on top of. Both present a set of diverse, rapidly evolving challenges, each with their own unique twists and turns.
Help Net Security: For too long, both the private and public sectors have not prioritized cybersecurity efforts enough and only acted in “good faith” – an inadequate effort to improve cybersecurity.
The Irish Times: US financial services group State Street is to establish a new global cybersecurity and technology unit in Kilkenny, which will see the creation of 400 new jobs.
Sky News: The thresholds set for the mandatory reporting of cyber incidents across the energy, transport, health, water, and digital infrastructure sectors are so high that few if any incidents are actually being reported to government.
PYMNTS: Hong Kong cryptocurrency exchange Bilaxy was the victim of a hack that compromised a hot wallet on its platform and saw the transfer of 295 ERC-20 tokens, worth more than $21 million, to a single wallet on Sunday (Aug. 29).
SEC: The Securities and Exchange Commission sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.