The Target: Cox Communications, a U.S.-based digital cable provider and telecommunications company.
The Take: Breach of employee accounts, leading to further exposure of Personally Identifiable Information including: name, address, telephone, Cox account number, username, PIN code, account security question and answer.
The Vector: The threat actor impersonated a Cox Support Agent and gained access to a different employee’s credentials, which allowed them to view the sensitive data.
This breach highlights the ongoing and persistent threat of social engineering. Regular awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.
The Target: Sennheiser, an audio equipment manufacturer.
The Take: Exposure of Personally Identifiable Information of 28,000 customers including: full names, email addresses, phone numbers, names of client companies and their employees.
The Vector: An unsecured, public-facing Amazon S3 storage bucket was left open on the internet, meaning anyone who navigated to the address was able to view the information in full.
It is critical to employ robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data security.
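The kind of check that would have caught the exposure above, written as an added example (this is not code from the original page or from Sennheiser): it audits a bucket's three exposure surfaces, the bucket policy, the ACL grants, and the Public Access Block settings, and reports anything that lets anonymous callers in. The bucket descriptions are constructed JSON-style dictionaries in the same shape the AWS API returns; in practice they would be fetched with the `boto3` calls `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` (an assumption about how it would be wired up, not shown here).

```python
import json

# Grantee group URIs that mean "anyone" (or "anyone with any AWS account") in an S3 ACL.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Public Access Block settings that should all be true on a bucket holding customer data.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True if a policy statement's Principal matches unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_findings(policy_json):
    """Return Allow statements that grant access to everyone (unconditional ones only;
    a Condition such as aws:SourceVpc may narrow '*' and needs a human review)."""
    findings = []
    if not policy_json:
        return findings
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")) \
                and "Condition" not in stmt:
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            findings.append(f"policy statement '{stmt.get('Sid', '?')}' grants "
                            f"{', '.join(actions)} to Principal '*'")
    return findings


def acl_findings(grants):
    """Return ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def public_access_block_findings(pab):
    """Return Public Access Block settings that are absent or switched off."""
    return [f"PublicAccessBlock.{key} is not enabled" for key in PAB_KEYS if not (pab or {}).get(key)]


def audit_bucket(bucket):
    """Run every check; an empty list means nothing anonymous can reach the bucket."""
    return (policy_findings(bucket.get("Policy"))
            + acl_findings(bucket.get("Grants", []))
            + public_access_block_findings(bucket.get("PublicAccessBlock")))


# Constructed sample: the misconfiguration pattern behind a world-readable bucket.
EXPOSED_BUCKET = {
    "Name": "example-customer-exports",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"]}]}),
    "Grants": [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "PublicAccessBlock": None,
}

# Constructed sample: the same bucket after remediation (owner-only ACL, no policy, all blocks on).
HARDENED_BUCKET = {
    "Name": "example-customer-exports",
    "Policy": None,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
                "Permission": "FULL_CONTROL"}],
    "PublicAccessBlock": {key: True for key in PAB_KEYS},
}

if __name__ == "__main__":
    for bucket in (EXPOSED_BUCKET, HARDENED_BUCKET):
        print(bucket["Name"], audit_bucket(bucket) or "no public exposure found")
```

Running this over every bucket in an account on a schedule, and alerting on a non-empty result, turns the one-off mistake of leaving a bucket open into something that is noticed in hours rather than after a researcher or an attacker finds it.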
The Target: Gumtree, a U.K.-based online retailer of used goods.
The Take: Exposure of potentially 1.7 million records of Personally Identifiable Information including: full name and physical location (postal code or coordinates).
The Vector: A software vulnerability allowed threat actors to view users' physical locations simply by pressing F12 to open the browser's Developer Tools, a feature present in every modern browser, and inspecting the website's source code. In addition, one of its APIs exposed usernames, allowing them to be read without any authentication.
This breach highlights the importance of rigorous software testing and of requiring authentication wherever user data is handled. Whatever the server sends to the browser is visible to anyone who inspects the page, so a firm's website should never embed sensitive fields in page source or expose them through unauthenticated APIs; following these practices helps firms meet cyber industry standards, which are critical for a company's overall posture.
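An added example of the server-side fix for the pattern described above (not code from the original page or from Gumtree): the response for a listing is built from a per-audience allow-list of fields, so precise coordinates, postcodes and usernames never reach an unauthenticated browser in the first place, and a small test helper catches any response that strays outside the allow-list. The `Listing` record, the field names and the session shape are constructed for the example.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Listing:
    """Constructed stored record: holds more than any page or API response should reveal."""
    listing_id: str
    title: str
    coarse_area: str        # town-level location, safe to show to everyone
    seller_username: str
    seller_full_name: str
    postcode: str
    latitude: float
    longitude: float


# Allow-list of fields per audience. A field that is not listed never leaves the server,
# so it cannot turn up in page source, in a JSON response or in the Developer Tools.
FIELDS_FOR = {
    "anonymous":     ("listing_id", "title", "coarse_area"),
    "authenticated": ("listing_id", "title", "coarse_area", "seller_username"),
    "owner":         ("listing_id", "title", "coarse_area", "seller_username",
                      "seller_full_name", "postcode", "latitude", "longitude"),
}


def audience_for(session, listing):
    """Classify the caller from an already-verified session (None means no authentication)."""
    if not session or "username" not in session:
        return "anonymous"
    if session["username"] == listing.seller_username:
        return "owner"
    return "authenticated"


def serialize(listing, session):
    """Build the only representation of the listing this caller is allowed to receive."""
    record = asdict(listing)
    return {field: record[field] for field in FIELDS_FOR[audience_for(session, listing)]}


def leaked_fields(response, audience):
    """Test helper: fields present in a response that the audience's allow-list forbids."""
    return sorted(set(response) - set(FIELDS_FOR[audience]))


# Constructed sample listing.
SAMPLE = Listing("L-4821", "Road bike, medium frame", "Leeds", "seller_one",
                 "A. Seller", "LS1 1AA", 53.7997, -1.5492)

if __name__ == "__main__":
    print("anonymous:", serialize(SAMPLE, None))
    print("other user:", serialize(SAMPLE, {"username": "browsing_user"}))
    print("owner:", serialize(SAMPLE, {"username": "seller_one"}))
    # The pre-fix behaviour, rendered as a regression check: the raw record leaks five fields.
    print("raw record leaks:", leaked_fields(asdict(SAMPLE), "anonymous"))
```

The design choice is allow-list over deny-list: a deny-list silently starts leaking the moment someone adds a column to the record, whereas an allow-list has to be extended deliberately, and `leaked_fields` is the one-line assertion to put in the API's test suite so that a template or endpoint returning the raw record fails the build.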
The Target: Régie Autonome des Transports Parisiens (RATP)
The Take: Exposure of 3 million records of Personally Identifiable Information belonging to 60,000 employees including: full names, email addresses, source code and APIs, logins for their RATP accounts, hashed passwords, and, more critically, access to the firm's GitHub account, where attackers could access ongoing projects.
The Vector: The data was left open and accessible to the public on an unsecured SQL database backup server, allowing anyone with internet access to connect and view the sensitive information.
It is critical to employ robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data exposure. This breach highlights the multiplicative effect of such cascading pivot attacks, which is why it is important to lock down every point of access in an IT system.
The Target: Huntington Hospital, a New York based medical center.
The Take: Exposure of 13,000 records of Personally Identifiable Information including: name, date-of-birth, phone number, addresses, internal account number, medical record number, diagnoses, and other treatment information.
The Vector: An employee accessed this information without clearance; the access controls tied to their role and privilege level did not prevent them from viewing the data, exposing it.
This breach highlights the important concept of least privilege in system access and authorization. Employees should have access only to the minimum information and privileges they need to do their role. Ensuring this principle is applied at every level of access across a firm is a key component of maintaining a robust cybersecurity posture.
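An added example of what least privilege looks like in code for patient records (not code from the original page or from Huntington Hospital): an authorization decision that requires both a role that permits the action and an assignment to the specific patient, plus an audit pass that replays an access log through the same policy to surface every access it should have denied. The roles, staff directory and log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed role policy: which record types each role may touch.
ROLE_PERMISSIONS = {
    "attending": {"read_chart", "write_chart", "read_demographics"},
    "nurse":     {"read_chart", "read_demographics"},
    "billing":   {"read_billing", "read_demographics"},
    "reception": {"read_demographics"},
}

# Constructed staff directory: role plus the patients each person is assigned to.
# "*" marks a role that legitimately needs its record type for every patient.
STAFF = {
    "dr.lee":      {"role": "attending", "patients": {"P-1001", "P-1002"}},
    "nurse.ortiz": {"role": "nurse",     "patients": {"P-1001"}},
    "clerk.ng":    {"role": "reception", "patients": {"*"}},
}

# Constructed log format: "<timestamp> user=<id> action=<action> patient=<id>".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$")


def authorize(user, action, patient):
    """Least privilege: the action must fit the role AND the patient must be assigned."""
    staff = STAFF.get(user)
    if staff is None:
        return False
    if action not in ROLE_PERMISSIONS.get(staff["role"], set()):
        return False
    return "*" in staff["patients"] or patient in staff["patients"]


def violations(log_lines):
    """Replay an access log through the policy; return every access it should have denied."""
    flagged = []
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip here, count separately in a real pipeline
        if not authorize(match["user"], match["action"], match["patient"]):
            flagged.append((match["ts"], match["user"], match["action"], match["patient"]))
    return flagged


def by_user(flagged):
    """Summarize flagged accesses per user, the view an investigator starts from."""
    return dict(Counter(entry[1] for entry in flagged))


# Constructed sample log: three legitimate accesses and three that exceed the role or assignment.
SAMPLE_LOG = """\
2021-11-02T09:14:03Z user=dr.lee action=read_chart patient=P-1001
2021-11-02T09:15:40Z user=nurse.ortiz action=read_chart patient=P-1001
2021-11-02T09:16:12Z user=clerk.ng action=read_demographics patient=P-2031
2021-11-02T09:17:55Z user=clerk.ng action=read_chart patient=P-2031
2021-11-02T09:18:30Z user=nurse.ortiz action=read_chart patient=P-1002
2021-11-02T09:19:02Z user=dr.lee action=read_billing patient=P-1001
""".splitlines()

if __name__ == "__main__":
    for entry in violations(SAMPLE_LOG):
        print("DENY", *entry)
    print(by_user(violations(SAMPLE_LOG)))
```

The same `authorize` function serves two purposes: enforced inline it prevents the access, and run over the log afterwards it becomes the detection that a record was opened by someone with no treatment relationship to the patient, which is the case the entry above describes.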
The Target: GoDaddy, a U.S.-based website domain registrar and web hosting company.
The Take: 1.2 million records of customer information including: email addresses, SSH keys, and database usernames and passwords.
The Vector: The threat actor gained access to GoDaddy's hosting servers through a compromised employee account, granting them the same access to all the systems that the firm's user had. Multi-factor authentication was not enabled.
This breach highlights not only the ever-present threat that compromised employee accounts pose to firms, but also the critical importance of proper credential management. Employing multi-factor authentication is a key part of maintaining a robust cybersecurity posture and ensuring company and customer data is only accessed by authorized parties.
The Target: RedDoorz, a Singapore-based hotel booking site.
The Take: Exposure of 5.9 million records of Personally Identifiable Information including: names, contact numbers, email addresses, dates of birth, encrypted passwords and booking information.
The Vector: The attacker gained access to an Amazon Web Services key that was embedded in an APK (Android Application Package), a piece of software used in their systems. Had the firm examined the APK, it could have prevented the exploit by removing the AWS key from the package.
This breach highlights the critical importance of IT asset management, specifically just how necessary it is that firms are aware of what software they are using and how it is being deployed. Regular auditing of all software configurations, especially where customer data is stored, across the firm is essential for maintaining a robust cybersecurity posture.
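The examination the entry above calls for, as an added example (not code from the original page or from RedDoorz): an APK is a ZIP archive, so a release pipeline can open it and scan every member for AWS access key IDs and for secret keys that sit next to an `aws`/`secret` label. The sample APK is constructed in memory and carries the credential pair that AWS's own documentation uses as a placeholder; a real build would run this over the decoded output of `apktool d`, since compiled resources are not plain text (that pipeline wiring is an assumption, not shown here).

```python
import io
import re
import zipfile

# Patterns for AWS credentials embedded in text. Access key IDs have a fixed shape;
# secret keys are 40 Base64-ish characters, so they are only flagged near an aws/secret label.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"""(?i)aws.{0,20}?secret.{0,20}?['"=:>\s]([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"""),
}


def _redact(value):
    """Show only the ends of a matched value so the scan report itself does not leak it."""
    return value[:4] + "..." + value[-4:]


def scan_apk(apk_bytes):
    """Open the APK as a ZIP and report every credential-looking string with its location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # latin-1 never fails to decode, so binary members (classes.dex etc.) are scanned too.
            text = archive.read(info.filename).decode("latin-1")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for kind, pattern in PATTERNS.items():
                    for match in pattern.finditer(line):
                        value = match.group(1) if match.groups() else match.group(0)
                        findings.append({"file": info.filename, "line": lineno,
                                         "kind": kind, "value": _redact(value)})
    return findings


def build_sample_apk():
    """Constructed APK-shaped archive; the key pair is AWS's documented example, not a live one."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("AndroidManifest.xml", "<manifest package='com.example.booking'/>")
        archive.writestr("res/values/strings.xml",
                         '<resources>\n'
                         '<string name="app_name">Booking</string>\n'
                         '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
                         '<string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
                         '</resources>')
        archive.writestr("assets/config.properties", "api.base=https://api.example.invalid\n")
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(f"{finding['file']}:{finding['line']} {finding['kind']} {finding['value']}")
```

A non-empty result should fail the build; the remediation is to move the credential out of the app entirely (the mobile client calls the firm's own API, and only that server holds an AWS identity), and to rotate the key that was shipped, because every installed copy of the APK already contains it.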
The Target: Robinhood, a U.S.-based investment and trading platform.
The Take: Exposure of an estimated 7 million customer accounts with Personally Identifiable Information including: 5 million email addresses and 2 million full names. For a small number of the exposed records, dates of birth and zip codes were also exposed.
The Vector: The attacker used social engineering against one of Robinhood's customer support representatives, convincing them that the caller was authorized to access the firm's internal systems, and the representative handed over their credentials. Using these legitimate permissions, the threat actors immediately accessed the sensitive data.
This breach highlights the significant and ongoing risk that social engineering attacks pose to organizations. The strongest security controls are often only as effective as the employees who maintain them. Regular awareness testing and training, along with an emphasis on critical thinking and caution when receiving access requests from third parties, is critical to a robust cybersecurity posture.
The Target: UMass Memorial Health, a Massachusetts-based healthcare network.
The Take: 209,000 records of Personally Identifiable Information including: names, dates of birth, medical record numbers, health insurance information, and clinical treatment information with dates of service, diagnoses, procedure information, and prescription details.
The Vector: The firm's IT system was compromised when an employee fell for a phishing email. This granted the attackers access to all the files and programs that the employee's account was authorized to view.
This breach highlights the ongoing threat that phishing attacks pose to firms; they remain one of the greatest security threats to an entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution, are crucial to protecting sensitive information assets.
The Target: CU Boulder, a U.S.-based university.
The Take: Exposure of support and procedural documents, configuration files, and Personally Identifiable Information of 30,000 students including: names, student IDs, addresses, dates of birth, phone numbers, and gender.
The Vector: The breach occurred through a known configuration vulnerability in third-party software that the university uses. Although the third party had released a patch some months prior, it had not been applied, and this let an attacker gain access to the data.
This data leak highlights the importance of patching and testing software in a timely manner. Complying with industry standard practices of software management is essential to ensure every point of access to data is secure, up-to-date, and protected against known gaps in third-party applications.
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.