.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The Target: Peugeot, a France based automobile manufacturer.
The Take: Exposure of company sensitive data including: credentials to a MYSQL database, secure web tokens along with their passphrases and locations of keys, a link to the git repository for the website, and source code.
The Vector: Peugeot’s website based in Peru was hosting an unsecured environment file (.env), which contains credentials for other services used by the program, or website in this case, that the developers are working on. The logins stored here exposed credentials to a third-party software Peugeot used named Symphony, which could let attackers download session IDs and impersonate users.
This breach is a critical reminder to monitor, flag, and properly secure all publicly accessible files on a website, and to furthermore ensure these files are protected by passwords adhering to robust cybersecurity standards of complexity and length. This attack also shows how one exposure of a system can lead to a pivot into other systems. It’s essential to secure all public-facing websites.
The Target: Samsung, a South Korea based technology company.
The Take: Exposure of internal company documents including: meeting notes and sensitive source code.
The Vector: Samsung employees uploaded sensitive information to ChatGPT, an A.I chat service. ChatGPT takes information provided by users to better answer further questions in the future, and as such, the data uploaded will be provided to third-parties at any time without any controls or user authorization.
This breach is a unique insight into how rapidly the A.I development is proceeding. It is critical that employees be aware of what such services are, and the risks involved. External services like ChatGPT takes information inputted with absolutely no accountability or oversight. Any data sent in this way can be considered open to the public.
The Target: SafeMoon, a DeFi platform for cryptocurrency trading.
The Take: Theft of $8.9 million USD.
The Vector: A software feature intended for internal use only was set to public, allowing attackers to exploit and artificially inflate the price of the SafeMoon token and then sell them for large amounts of cash.
This breach is critical reminder that new software features must be thoroughly tested before deployment. In addition, ensuring proper access settings around this kind of software is paramount for an overall robust cybersecurity posture.
The Target: Toyota Italy, one of the world’s largest vehicle manufacturers.
The Take: Exposure of Personally Identifiable Information belonging to Toyota’s clients including: phone numbers and email addresses.
The Vector: Unsecured and exposed marketing tools, namely APIs for Salesforce and Mapbox, were able to be accessed publicly on Toyota Italy’s website. This allowed attackers to access employee credentials to the third-party platforms and exfiltrate client data.
This breach is a stark reminder of how important authentication controls are in an overall robust cybersecurity posture. In particular, the information exposed here is perfect for crafting highly believable phishing campaigns as it would allow push notifications. Access monitoring and testing for every public-facing webpage is a key strategy to mitigate these kinds of breaches to protect a firm’s customer base.
The Target: Lionsgate Play, a U.S based video-streaming platform.
The Take: Exposure of 30 Million records of User Data including: IP addresses, operating system, user search queries, and web browser information.
The Vector: A misconfigured Elasticsearch database was left open and unsecured, meaning anyone with an internet connection could have viewed and downloaded the data.
This shows how important authentication controls are, and even more critically, that they be purposefully and smartly deployed with security in mind. Multi-factor authentication and password length and complexity rules on server access are effective strategies to mitigate these kinds of breaches to protect a firm’s data.
The Target: Community Health Systems, a U.S based multi-state hospital chain.
The Take: Exposure of 1 million records of Personally Identifiable Information including: full names, medical billing and insurance information, diagnoses, medication, date-of-birth, and social security numbers.
The Vector: A zero-day exploit was used to breach a third-party vendor, Fortra, of CHS, targeting their file transfer software which let the attackers gain access to sets of files throughout the third-party vendor’s systems.
This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.
The Target: Animker, an all-in-one video marketing online platform company.
The Take: Exposure of 700,000 records of Personally Identifiable Information including: full names, device types, postal codes, IP addresses, mobile phone numbers, email addresses, profile details, and physical addresses.
The Vector: A misconfigured database was left open and unsecured, and notably, on its default settings, meaning anyone with an internet connection could have viewed and downloaded the data using the server maker’s basic setup guide.
This shows how important authentication controls are, and even more critically, that they be purposefully and smartly deployed with security in mind. Multi-factor authentication and password length and complexity rules on server access are effective strategies to mitigate these kinds of breaches to protect a firm’s data.
The Target: The NHS, the United Kingdom’s National Health Service.
The Take: Exposure of 14,000 employee records containing Personally Identifiable Information including: names, physical addresses, Date-of-Birth, NI numbers, gender, ethnicity, and salary.
The Vector: The unencrypted and unprotected file was accidentally sent to hundreds of in-firm managers, but also to twenty-four external email accounts. The file in question was a spreadsheet which had hidden tab containing the information.
This breach is a stark reminder of how critical data processes and protocols are when handling sensitive information. Furthermore, the information stolen in this attack could lead to highly targeted phishing campaigns against the victims. Regular training social engineering training, specifically around the human need to get tasks done quickly with a focus on “stop and think” methodology is a key component in cybersecurity.
The Target: Slick, an Indian based social media platform.
The Take: Exposure of 153,000 records of Personally Identifiable Information including: full names, mobile numbers, dates of birth, and profile pictures, and some belong to minors.
The Vector: A misconfigured data server was left open and unsecured, meaning anyone with an internet connection and knowledge of the IP address could have viewed and downloaded the data. The domain name for the database was also at risk by being under an easy to guess subdomain of Slick’s main website.
Authentication controls are an important piece in an overall robust cybersecurity posture. Companies should be fully aware of how their data is secured and stored. Furthermore, this sensitive user data is perfect for constructing highly effecting spear-phishing campaigns. Regular monitoring of data storage process can help mitigate these kinds of breaches to protect a firm’s data.
The Target: 8Twelve Financial Technologies, a Canadian-based mortgage solution company.
The Take: Exposure of 717, 814 records of Personally Identifiable Information including: names, phone numbers, email addresses, physical addresses, and more critically, detailed “lead” sales data on what kind of mortgage customers were hoping to secure.
The Vector: A misconfigured data server was left open and unsecured, meaning anyone with an internet connection could have viewed and downloaded the data.
This breach is critical reminder that authentication controls are an important piece in an overall robust cybersecurity posture. This data is perfect for constructing highly effecting spear-phishing campaigns. Multi-factor authentication and password length and complexity rules on server access are effective strategies to mitigate these kinds of breaches to protect a firm’s data.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
168 Hobsons Lake Drive Suite 301
Beechville, NS
Canada, B3S 0G4
Tel: +1 902 429 8880
Manila
10th Floor, Two Ecom Center
Mall of Asia Complex
Harbor Dr, Pasay, 1300 Metro Manila
Philippines
Sydney
Level 15 Grosvenor Place
225 George Street, Sydney NSW 2000
Australia
Tel: +61 (2) 8823 3370
Abu Dhabi
Floor No. 15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Prague
2nd Floor, The Park
V Parku 8
Chodov, Praha, 148 00
Czech Republic
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy