Industry News: ESG5

The target: FireEye, a publicly traded cybersecurity company in California.

The take: Corporate documents, details on client contracts and licenses, and personal login credentials.

The attack vector: Attackers used credentials exposed in public data breaches to access the personal accounts of a security analyst employed by FireEye. Once his accounts had been compromised, they were able to exploit his business use of those personal accounts to obtain sensitive information belonging to his employer.

On an individual level – this attacks highlights the importance of changing passwords and rotating credentials, particularly in the wake of a publicized credential breach. At the firm level - once confidential and sensitive information leaves a firm’s information systems, it’s completely outside of their control. Security policies must reflect zero tolerance for use of personal accounts to communicate on behalf of the firm or store/transfer sensitive and proprietary information.

Read more...

The target: Malindo Air, a Malaysian subsidiary of Indonesia’s Lion Group

The take: Approx. 35 million passenger records, including names, emails, addresses, passport numbers/expiration dates.

The attack vector: Two former employees of a subcontracted e-commerce provider were identified as having “improperly accessed and stole the personal data of our customers.” Malindo Air reiterated that their external controls were not breached and that “services and infrastructure worked as designed and were not compromised in any way.”

Malicious insiders are unfortunately common sources of data breaches, and internal controls and oversight must be put in place to ensure that data is being handled appropriately by both direct employees and subcontracted staff.

Read more...

The target: Philips Capital Inc, a Chicago-based brokerage firm.

The take: $1 million USD from a client account.

The attack vector: Attackers gained access to internal systems via a successful phishing attempt and impersonated a client of the firm using information they’d gained from reviewing past e-mail correspondences. Gaps in disbursement procedures allowed a requested wire transfer to an unknown bank account to be approved and processed.

While technical controls can protect against cyber-attacks, they cannot always compensate for gaps in procedure and a failure to think critically.

Read more...

The target: Flight booking site, Option Way.

The take: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data personally identifying information is a ripe target for identity thieves.

The attack vector: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data includes names, dates of birth, gender, e-mail addresses, phone numbers and addresses - a ripe target for identity thieves. 

Companies must evaluate their ‘attack surface’ across servers/firewalls and third-party services to ensure that their data is secure and should continuously monitor infrastructure to be assured that changes do not result in exposure of sensitive information.

Read more...

The target: Scotiabank, a major Canadian based banking institution

The take: Login keys to backend systems, internal source code of mobile apps, software blueprints, and credentials for a database of foreign exchange rate data.

The attack vector: The data in question was left accessible on a non-secured public repository, GitHub. Analysis of the leaked data could provide numerous and deep exploitations and vulnerabilities.

Source code repositories, like file storage repositories, must be correctly configured to ensure that sensitive data remains internal and accessible only by authorized parties. Default permissions or accessibility settings must always be reviewed before sensitive data is committed to storage.

Read more...

The target: Monster.com, a popular job posting website service.

The take: Personal information of hundreds of job applicants dating between 2014 and 2017 including: resumes, phone numbers, email addresses, home addresses and work history.

The attack vector: A customer of Monster.com, a third-party recruitment company, misconfigured a publicly-accessible web server, leaving records exposed.

A firm’s security posture is only as good as its weakest link - sub-contractors and third parties with access to sensitive data are possible sources of data leakage and must be held to a firm’s own security standards.

Read more...

The Target: Facebook, the social media giant.

The take: 419 million records which contained user’s unique Facebook ID and their associated phone numbers, as well as names, gender and country.

The attack vector: A server containing the data was left unsecured and publicly accessible. Facebook justified the security breach by explaining that the records were ‘old’, and believe that the user accounts in question were not compromised as a result of the breach.

Data breaches are a liability, regardless of whether or not the leaked data is in its most current form. Backups, replicates, and otherwise non-production datasets must be protected with the same encryption and protections to prevent the loss of sensitive information.

Read more...

The target: Lyons Companies Insurance Broker

The take: Personal customer information including names, date of birth, contact information, driver license numbers and financial records. Medical information such as patient identification numbers, diagnosis and treatment information, Medicare/Medicaid ID numbers, health insurance and claims information were also compromised, along with a small number of Social Security Numbers.

The attack vector: Attackers gained access to two Lyons employee email accounts between February and March of 2019, and used these credentials to access the above information and offload the sensitive data.

Stringent and robust employee password protocols and the implementation of two-factor authentication are paramount in providing a strong bulwark against account compromises.

Read more...

The target: Hy-Vee, a supermarket chain.

The take: 5.3 million cardholder accounts belonging to people from thirty-five mid-western U.S states. This led to the collection of a massive database which then went for sale on an underground website which sells credit and debit card data stolen from hacked merchants. This information can then be used to create counterfeit copies of the credit-debit cards, allowing the attackers to make profitable transactions.

The attack vector: Remotely installed card-skimming malware was used to compromise point-of-sale targets at Hy-Vee’s operated gas pumps, coffee shops and restaurants. The malicious software copied the data stored on credit or debit card’s magnetic stripe when they’re swiped at infected payment stations.

Read more...

The target: Suprema, a South Korean biometrics company.

The take: Unencrypted fingerprint data, facial recognition information and images, which are used to secure sensitive physical locations, user permissions and activity logs. Further to this, an additional 27.8 million records of data which included: client dashboards, usernames, passwords, ID’s, staff security levels and clearances, home addresses and emails; business hierarchies; mobile devices and operating system information.

The attack vector: An unsecured server accessed via web browser. This weakness let attackers manipulate the URL to expose huge amounts of unprotected data. Access to this information would allow: unauthorized changes to existing security settings within organization, lock out staff from their own systems, gain access to physical facilities, set up sophisticated phishing campaigns targeting senior personnel, and alter activity logs.

Read more...