.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The target: Premier Patient Healthcare, a Texas based accountable care organization.
The take: Exposure of 38,000 records of Personally Identifiable Information including: name, age, sex, race, county, state of residence, zip code, and Medicare beneficiary information.
The attack vector: The data was illegally accessed by a former terminated employee of the firm, who used their still active access to view, download and steal the files from a third-party vendor that had a contract with Premier Patient.
This breach highlights two important lessons for firms. Access control around terminated employees is paramount to maintaining a secure environment for sensitive data. Furthermore, while Patient Data may have followed these steps for their own systems, the attack took place on a third-party vendor, showing that access control must also be applied across all platforms to be fully effective.
The target: Portpass, a private proof-of-vaccination mobile application.
The take: Exposure of potentially 650,000 records of personally identifiable information including: email addresses, names, blood types, phone numbers, birthdays, and driver's licences
The attack vector: Portpass stored user profiles on their website, accessible to the public, which exposed the above information to anyone visiting the site. This data not encrypted and was stored as plain text.
Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access, especially public facing ones, in a firm’s IT network. This breach also highlights the important of encryption as a method to improve the security of stored data, which can still protect the exposed information.
The target: Twitch.tv, a U.S based video game streaming service.
The take: Exposure of 125GB of information including source code and commit history dating back to the company’s founding, creator payout revenue from 2019 to 2021, their internal cybersecurity tool NOC tool, and which AWS services they use.
The attack vector: A misconfiguration error left one of its servers exposed, allowing the attacker to gain access to the server and exfiltrate the data of some 6000 repositories of firm storage.
It is critical to employ robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data exposure.
The target: Portpass, a private proof-of-vaccination mobile application.
The take: Exposure of potentially 650,000 records of personally identifiable information including: email addresses, names, blood types, phone numbers, birthdays, and driver's licences
The attack vector: Portpass stored user profiles on their website, accessible to the public, which exposed the above information to anyone visiting the site. This data not encrypted and was stored as plain text.
Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access, especially public facing ones, in a firm’s IT network. This breach also highlights the important of encryption as a method to improve the security of stored data, which can still protect the exposed information.
The target: Coninsa Ramon, a Colombian based architecture, engineering, construction, and real estate firm.
The take: 5.5 million files of 100,000 customers of their personally identifiable information including: full names, addresses, email addresses, transaction data, and asset values.
The attack vector: An unsecured Amazon S3 storage server was misconfigured, allowing anyone with an internet connection to access and download the data. In addition, malicious code was discovered that would allow attackers to maintain a persistent connection to the website, letting them redirect traffic to fraudulent pages.
The exposure of personal information can lead to highly targeted phishing and fraud attacks. Given how detailed the information was in this exposure, the threat of spear-phishing campaigns is high. Use of authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ industry standard practices of credential management, user authentication and validation, around all storage of customer data.
The target: Walgreens, a U.S based drug store and pharmacy chain.
The take: Millions of records of personally identifiable information including: name, date of birth, gender, phone number, address, email, and in some cases results from Covid-19 tests.
The attack vector: Walgreens failed to secure their test appointment registration system. When a user requests a test and fills out the online form with their personal info, they are given a unique 32-digit ID number and a link to their appointment request page. This URL has no authentication or credential control whatsoever. Anyone can use the link to view the personal information.
Security-by-obscurity is not a reliable method, or industry standard, way of securing personal data. Authentication and credential management are an essential strategies that should be taken into high consideration in every area where user information is accessed.
The target: MyRepublic, a Singapore based Internet Service Provider
The take: 80,000 user records containing personally identifiable information such as: national identity cards with photos and addresses, names, copies of utility bills needed for verification, and mobile phone numbers.
The attack vector: The occurred due to unauthorized external access to from a 3rd party vendor employed by MyRepublic to store the firm’s documents needed for registration with their mobile service.
This breach highlights the risks of using third party vendors as the personal information exposed could lead to high targeted phishing attacks against the firm’s users. Up to date monitoring on where and what systems a firm’s data resides on, and regular audits on the effectiveness of the deployed protections, is essential for maintaining the expected industry standard of cybersecurity.
The target: T-Mobile, a U.S based cellphone carrier.
The take: Exposure of Personally Identifiable Information of 50 million customers including: addresses, social security numbers, dates of birth, drivers’ licenses, and a small number of account PINs.
The attack vector: The attacker penetrated T-Mobile’s IT systems through an unsecured router, using the lack of credential controls as a launchpad to steal data.
Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access in a firm’s IT network. An unprotected point of entry on a key piece of equipment like a router can lead to a breach with a cascading effect on data exposure.
The target: Revere Health, a Utah based multispecialty physician group.
The take: Personally Identifiable Information of 12,000 patients including: medical record numbers, dates of birth, provider names, and procedures and insurance names.
The attack vector: An employee of Revere Health fell victim to a phishing attack, allowing the attacker control of their email account.
Phishing attacks against individual employees remain one of the greatest security threats to an entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.
The target: Ford, a U.S based maker of automobiles.
The take: Exposure of Personally Identifiable Information including: customer and employee records, finance account numbers, database names and tables, internal support tickets, user profiles, and authentication access tokens,
The attack vector: A known vulnerability present in one of Ford’s misconfigured customer management interfaces named Pega Infinity, could have allowed an attacker access to the backend web panel. From here, they could execute malicious commands through the URL to retrieve data base tables, run queries, and more critically, perform administrative actions.
This breach highlights the importance of having processes in place to update software in a timely manner, an essential part of complying with industry standard cybersecurity practices. Furthermore, this exposure also demonstrates how one exposed point of access can have a cascading and multiplying effect on the severity of a breach.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
168 Hobsons Lake Drive Suite 301
Beechville, NS
Canada, B3S 0G4
Tel: +1 902 429 8880
Manila
10th Floor, Two Ecom Center
Mall of Asia Complex
Harbor Dr, Pasay, 1300 Metro Manila
Philippines
Sydney
Level 15 Grosvenor Place
225 George Street, Sydney NSW 2000
Australia
Tel: +61 (2) 8823 3370
Abu Dhabi
Floor No. 15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Prague
2nd Floor, The Park
V Parku 8
Chodov, Praha, 148 00
Czech Republic
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy