
      Know Your Breach: FireEye

      The target: FireEye, a publicly traded cybersecurity company in California.

      The take: Corporate documents, details on client contracts and licenses, and personal login credentials.

      The attack vector: Attackers used credentials exposed in public data breaches to access the personal accounts of a security analyst employed by FireEye. Once his accounts had been compromised, they were able to exploit his business use of those personal accounts to obtain sensitive information belonging to his employer.

      On an individual level, this attack highlights the importance of changing passwords and rotating credentials, particularly in the wake of a publicized credential breach. At the firm level, once confidential and sensitive information leaves a firm’s information systems, it is completely outside of the firm’s control. Security policies must reflect zero tolerance for the use of personal accounts to communicate on behalf of the firm or to store or transfer sensitive and proprietary information.


      Know Your Breach: Malindo Air

      The target: Malindo Air, a Malaysian subsidiary of Indonesia’s Lion Group

      The take: Approx. 35 million passenger records, including names, emails, addresses, passport numbers/expiration dates.

      The attack vector: Two former employees of a subcontracted e-commerce provider were identified as having “improperly accessed and stole the personal data of our customers.” Malindo Air reiterated that their external controls were not breached and that “services and infrastructure worked as designed and were not compromised in any way.”

      Malicious insiders are unfortunately common sources of data breaches, and internal controls and oversight must be put in place to ensure that data is being handled appropriately by both direct employees and subcontracted staff.


      Know Your Breach: Philips Capital Inc

      The target: Philips Capital Inc, a Chicago-based brokerage firm.

      The take: $1 million USD from a client account.

      The attack vector: Attackers gained access to internal systems via a successful phishing attempt and impersonated a client of the firm using information they had gained from reviewing past e-mail correspondence. Gaps in disbursement procedures allowed a requested wire transfer to an unknown bank account to be approved and processed.

      While technical controls can protect against cyber-attacks, they cannot always compensate for gaps in procedure and a failure to think critically.


      Know Your Breach: Option Way

      The target: Flight booking site, Option Way.

      The take: Unencrypted personally identifying information of Option Way customers.

      The attack vector: Security researchers were able to access Option Way’s Elasticsearch database directly from a browser due to a misconfiguration. The exposed (and unencrypted) data included names, dates of birth, gender, e-mail addresses, phone numbers and postal addresses, a ripe target for identity thieves.

      Companies must evaluate their ‘attack surface’ across servers, firewalls and third-party services to ensure that their data is secure, and should continuously monitor infrastructure to be assured that changes do not result in exposure of sensitive information.


      Know Your Breach: Capital One Bank

      The target: Capital One Bank

      The take: Highly sensitive information of 106 million customers, including 140,000 Social Security numbers, 1 million Social Insurance Numbers for Canadian credit card customers, bank account numbers, credit card application data (scores, balances, limits and payment history), and some transaction data.

      The attack vector: A misconfigured firewall in Capital One’s AWS infrastructure allowed the attacker to clone data housed in cloud storage instances. The attacker employed a VPN and anonymized browsing to execute the attack surreptitiously, but was ultimately found out after bragging about the heist in public Slack channels. Capital One was notified of the breach via an e-mail tip pointing to a public GitHub repository where the attacker had archived some of the exfiltrated data.


      Know Your Breach: Magecart Group

      The target: Over 17,000 websites using Amazon’s S3 public cloud storage.

      The take: Credit Card payment information and personal data.

      The attack vector: Magecart Group perpetrated a hacking campaign that methodically scanned for and identified 17,000 unique, misconfigured cloud storage buckets. After locating an unsecured bucket, they focused on the JavaScript files it served: they downloaded them, added their card-skimming script, and then re-uploaded the now infected files.


      Know Your Breach: The American Land Title Association

      The target: The American Land Title Association (ALTA)

      The take: Usernames and passwords of insurance agents, abstracters and underwriters.

      The attack vector: A threat actor claiming to be an ethical hacker stated that they had access to over 600 records. They also ran a phishing campaign asking members to open a PDF purporting to be the membership directory in order to confirm their information.


      Know Your Breach: Attunity

      The target: Attunity, a company that manages and safeguards data.

      The take: Passwords and network information about Attunity as well as emails and technology designs from some of its high-profile customers.

      The attack vector: Attunity's cloud storage was improperly configured, so the sensitive data was publicly visible in plain text. More than a terabyte of data was left unsecured on Amazon Web Services cloud servers.


      Know Your Breach: Desjardins

      The target: Desjardins Group, a Quebec-based federation of credit unions.

      The take: Personal information for more than 2.7 million individuals and more than 173,000 businesses, potentially including name, date of birth, social insurance number, address, phone number, e-mail address, and ‘details about banking habits’.

      The attack vector: Desjardins announced that the breach was not the result of an external cyberattack, but of ‘unauthorized and illegal use of its internal data by an employee who has since been fired.’


      Know Your Breach: Quest Diagnostics / LabCorp

      The target: Quest Diagnostics, the largest blood testing provider in the US, and LabCorp, a leading health care diagnostics company.

      The take: Almost 20 million patient records, including names, dates of birth, addresses, phone numbers, dates of service, providers, and balance information, including 200,000 credit card or bank account details.

      The attack vector: American Medical Collection Agency, a third-party collections firm, reported that its web billing site had been breached between Aug 1, 2018 and March 30, 2019, resulting in the theft of information held on behalf of the entities for which it provided collection services.


      About Castle Hall Diligence

      Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long-only portfolios.