The Target: TMX Finance Corporate Services, the parent company of lender TitleMax. TMX, which also operates the brands TitleBucks, InstaLoan and EquityAuto Loan, has more than 1,000 locations in 18 U.S. states.
The Take: A revised data breach notification sent to victims by TMX stated that beyond the raft of personal information that it previously stated had been stolen - including passport and Social Security numbers - attackers may have also stolen their credit/debit card number in combination with security code, access code, password or PIN for the account.
The Vector: TMX previously reported detecting suspicious activity on their systems on Feb. 13. A third-party incident response firm called in to investigate found the intrusion appeared to have started in early December 2022.
This breach is a stark reminder of how important authentication controls are in an overall robust cybersecurity posture, and more critically, ensuring these controls are in place on all third-party vendors which have access to a firm’s data.
The Guardian: The UK’s cybersecurity agency has warned that chatbots can be manipulated by hackers to cause scary real-world consequences.
Forbes: By now, it’s common knowledge that the pandemic accelerated the digital transformation of our work world. Remote and hybrid work environments and anytime-anywhere collaboration became the norm, and the adoption of cloud services increased substantially.
Dark Reading: The cybersecurity sector continues to face a dire talent shortage as the threat landscape evolves, according to recent research from ISC2, and the skill gap is only growing.
Business Standard: Capital markets regulator Sebi came out with guidelines to strengthen the existing cyber security and cyber resilience framework for stock exchanges and other market infrastructure institutions (MIIs).
CoinDesk: FTX customers continue to be plagued by issues several months after the exchange shut down, blocking millions of users from accessing billions in capital stored on the disgraced exchange.
Security Boulevard: Economic downturns often trigger cost-cutting and layoffs. And while it may appear counterintuitive to advocate for new business investments, the reality is that recessions don’t stop cybercrime and data leaks.
CSO: Laws and standards around cybersecurity are plenty and to make matters worse they often vary within countries.
The Target: The German Federal Bar (BRAK) Association, an umbrella organization overseeing 28 regional bars across Germany and representing about 166,000 lawyers nationally and internationally.
The Take: The organization is still trying to figure out how much information was taken involving communications from people contacting the Brussels office.
The Vector: The hackers encrypted BRAK’s mail server and exfiltrated 160 gigabytes of data.
This breach is a stark reminder of how important authentication controls are in an overall robust cybersecurity posture. As phishing actors continue to explore every potential abuse opportunity on legitimate service providers, novel security gaps constantly threaten to expose users to severe risks. It is essential not to rely solely on email protection solutions, and also scrutinize every email that lands on your inbox, look for inconsistencies, and double-check all claims made in those messages.
BNN Bloomberg: Business lobbyists are struggling to soften new US Securities and Exchange Commission rules that require publicly traded companies to quickly disclose cybersecurity breaches.
SecurityWeek: Ransomware attacks continue to be highly profitable for cybercrime groups and the recent reports released by various cybersecurity firms show that they are increasing both in terms of volume and sophistication.
CSO: Corporate cybersecurity is becoming a non-negotiable priority. How companies prepare for and defend themselves against cyber intrusions has profound implications for their operations, reputation, and bottom line.
Forbes: As the complexities of cybersecurity evolve daily, it remains essential to grasp some fundamental principles. It can take time to figure out where to start.
CNBC: Arora said the problem isn’t that companies lack cybersecurity vendors. Rather, their security infrastructure may consist of a complicated assortment of vendors, some of which are outdated.
VentureBeat: Capitalizing on malware-free tradecraft to launch undetectable breaches, attackers rely on legitimate system tools and living-off-the-land (LOTL) techniques to breach endpoints undetected.
Yahoo Finance: SentinelOne Inc, a cybersecurity company with a market value of about $5 billion, has been exploring options that could include a sale, according to people familiar with the matter.
The Target: Discord.io is not an official Discord site but a third-party service allowing server owners to create custom invites to their channels. Most of the community was built around the service's Discord server, with over 14,000 members.
The Take: The most sensitive information in the breach is a member's username, email address, billing address (small number of people), salted and hashed password (small number of people), and Discord ID.
The Vector: A person known as 'Akhirah' began offering the Discord.io database for sale on the new Breached hacking forums. As proof of the theft, the threat actor shared four user records from the database.
This breach is a stark reminder of how important authentication controls are in an overall robust cybersecurity posture. In particular, the information exposed here is perfect for crafting highly believable phishing campaigns as it would allow push notifications. Access monitoring and testing for every public-facing webpage is a key strategy to mitigate these kinds of breaches to protect a firm’s customer base.
Dark Reading: Cyber defenders so far are winning the war over artificial intelligence: AI tools have yet to be meaningfully integrated into cyberattacks, while defenders have been using them to greater effect.
Forbes: In the ever-changing landscape of cybersecurity, chief information security officers (CISOs) play a crucial role in safeguarding organizations against evolving threats.
Advisor's Edge: The Canadian financial services industry is seeing a surge in cybercrime and fraud, according to new data from LexisNexis Risk Solutions.
SecurityWeek: The plans were announced in an SEC filing, with employees being notified starting August 14. In addition, the company revealed that it’s implementing “certain real estate‑related cost optimization actions”.
Traders Magazine: Artificial Intelligence has considerably impacted the financial services industry in recent years, especially since the advent of OpenAI in late 2022.
Forbes: Finance organizations within midsize businesses have more on their minds than the traditional risks in credit, operational budgets, investments, and regulatory compliance.
Network Computing: Cybersecurity has been rapidly moving to the cloud, driving organizations to cloud-based solutions from third-party vendors instead of self-owned and maintained network security devices and software.
The Target: Salesforce, Inc., an American cloud-based software company headquartered in San Francisco, California
The Take: The goal of the phishing kit employed in this campaign was to steal Facebook account credentials, even featuring two-factor authentication bypassing mechanisms.
The Vector: The attackers chained a flaw dubbed "PhishForce," to bypass Salesforce's sender verification safeguards and quirks in Facebook's web games platform to mass-send phishing emails.
As phishing actors continue to explore every potential abuse opportunity on legitimate service providers, novel security gaps constantly threaten to expose users to severe risks. It is essential not to rely solely on email protection solutions, and also scrutinize every email that lands on your inbox, look for inconsistencies, and double-check all claims made in those messages.
US News: One of the world’s biggest law firms said it is separating from the Chinese firm that was part of its global network for eight years, citing changes in cybersecurity and other rules that have rattled foreign companies.
CNBC: Hackers will have the chance to compete for millions of dollars in prizes by using artificial intelligence to protect critical U.S. infrastructure from cybersecurity risks, the Biden administration announced.
TechCrunch: U.S. cybersecurity giant Rapid7 has announced plans to lay off 18% of its workforce, affecting more than 400 global employees.
Yahoo Finance: Private equity investors have piled $4.7 billion into European cybersecurity companies so far this year, putting deal value on course to outperform 2022, when the total reached $7.6 billion.
Dark Reading: With the emergence of generative models, and large language models (LLMs) in particular, and the meteoric rise in the popularity of ChatGPT, there once again are calls for more security regulation.
Yahoo Finance: Amid the crypto industry's myriad obstacles, hacks still rank at the top of the list. Despite the bear market, last year saw a historic spike, with nearly $4 billion stolen by cybercriminals, according to the analytics firm Chainalysis.
Forbes: We live in an age in which technology promises to shape the future. The near-constant flow of innovation makes it challenging for many business leaders to keep up.
The Target: American retail chain Hot Topic.
The Take: A threat actor obtained the valid account credentials for Hot Topic Rewards accounts from an unknown third party.
The Vector: The series of breaches that occurred between Feb. 7 and June 21 was the result of automated credential stuffing attacks against the company’s website and mobile application.
This breach is a reminder of how authentication controls are an important part of an overall robust cybersecurity posture, and more critically, ensuring these controls are in place on all third-party vendors which have access to a firm’s data.
Security Week: The five key risk areas are misconfigurations, external-facing vulnerabilities, weaponized vulnerabilities, malware inside a cloud environment, and remediation lag (that is, delays in patching).
ZD Net: Some 110.8 million user accounts were breached in the second quarter of 2023, with the US accounting for almost 45% of the global figure. Worldwide, data breaches grew 2.6 times compared to the first quarter, with an average of 855 accounts leaked every minute in the second quarter.
Help Net Security: 78% of Europe’s largest financial institutions experienced a third-party breach in the past year, according to SecurityScorecard. In the wake of attacks such as MOVEit and SolarWinds, cybersecurity regulations are increasing the need for comprehensive approaches to manage vendor risk and ensure compliance.