Industry News: Cyber

Know Your Breach: Dave.com

Written by Cybersecurity | Jul 31, 2020 6:56:36 PM

The target: Dave.com, a digital banking app

The take: 7.5 million records of customer information, including real names, phone numbers, birthdays and home addresses.

The attack vector: The breach at Dave.com stemmed from an earlier breach at one of Dave.com’s third-party service providers, Waydev (an analytics platform used by engineers), which in turn exposed Dave.com’s user data. The attackers used a blind SQL injection (malicious SQL inserted into a database query, with the results inferred from how the application responds rather than returned directly) to gain access to Waydev’s database. There they stole authorization tokens, which let them penetrate Waydev’s systems and pivot to steal access to data from other firms, such as Dave.com.

This highlights the cascading negative effects that cybersecurity incidents can have on companies that rely on third-party vendors for their operations. Holding third-party vendors to an organization’s security requirements is a very challenging prospect. Vigilant monitoring and advanced analytics that watch for malicious activity are some of the proactive strategies used to pinpoint suspicious activity before it turns into a breach.
