.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The Target: Adafruit Industries is an open-source hardware company who designs, manufactures, and sells electronic products, components tools and accessories.
The Take: Exposure of Personally Identifiable Information including: names, email addresses, shipping/billing addresses, order details, and PayPal payment status.
The Vector: The information was exposed through a publicly accessible GitHub repository belonging to an ex-employee, meaning anyone with an internet connection could access and view the data.
This breach highlights the importantance of data management and confidentiality. Knowing where and how an employee stores company data, and if it’s secure or not, are key principles of maintaining a robust cybersecurity posture. Firms should consider every method to catalogue and track where their data lives to ensure access is tightly controlled, a practice paramount to a secure data environment.
The Target: Mon Health, a healthcare services provider.
The Take: Exposure of Personally Identifiable Information including: names, addresses, birth dates, social security numbers, medical record numbers, treatment data, and insurance claim numbers.
The Vector: The firm suffered a BEC (business email compromise), in which the attacker impersonated a high-level member of the company to request payment, or in this case, get access to sensitive data.
This breach highlights the importance of regular IT threat awareness training to employ a measured approach to all requests for access or payment, no matter what the source. BEC attacks exploit employee’s willingness to get things done fast, and by using a robust cyber security posture, these attacks can be greatly mitigated.
The Target: International Committee of the Red Cross
The Take: Exposure of 515,000 records of personal data and backdoor access to the firm’s IT systems.
The Vector: The threat actors used a known software vulnerability in a third-party platform named Zoho that ICRC was employing to execute their malicious code remotely. As Zoho had not patched the vulnerability, the attackers took advantage and penetrated the system, letting them pivot to ICRC’s data.
This breach highlights the extreme importance of timely software updates for known software vulnerabilities, not only in systems directly under a firm’s control, but in third-part systems the firm relies upon as well. The longer a firm, or its vendors, hold out on deploying the most up-to-date software for their systems, the greater the chance an attacker will exploit the issue.
The Target: The Internet Society or ISOC, a non-profit organization whose mission is to keep the internet open source and secure.
The Take: Exposure of Personally Identifiable Information of 80,000 records including: full names, email addresses, physical mailing addresses, and login information.
The Vector: A third-party vendor misconfigured a database server, leaving it open and accessible by anyone with an internet connection.
It is important to employ all-encompassing credential management, user authentication and validation, as much possible, on third-party vendors which have access to a firm’s data. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data exposure.
The Target: Wormhole, a cryptocurrency online trading platform.
The Take: $322 million ETH currency.
The Vector: A website vulnerability allowed the attacker to fool the exchange software to release far greater number of the ETH currency than was specified through a temporary token. By altering the conversion, the hacker was able to withdraw far more than the number the entered.
This breach highlights the importance of locking input forms in a firm’s website, be it a name field, email field, or account field, anywhere the user is sending information to the database is a prime target for threat actors. Regular testing for software vulnerabilities is a key component of upholding robust cybersecurity posture.
The Target: A New York based tech company that provides audio, web conferencing, and market research services.
The Take: Exposure of up to 100,000 records of Personally Identifiable Information including: thousands of hours of audio and video meetings, written transcripts between the firm and their clients, employee’s full names and photos.
The Vector: An unsecured Amazon S3 storage server was left open with no credential management, meaning anyone with an internet connection could access the device and retrieve the data.
This breach highlights the critical nature of employing robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data security. The detailed personal information contained in the audio and video files expose users to highly targeted phishing attacks and fraud.
The Target: Crypto.com, a Singapore based cryptocurrency exchange app.
The Take: Theft of $31 million USD from customer’s online wallets.
The Vector: Through a credential stuffing attack, where previously exposed passwords are reused by users across multiple platforms, the threat actors executed unauthorized withdrawals from user accounts.
This breach highlights the high-risk practice of poor password hygiene like reused passwords, and more importantly, the critical nature of proper credential management through multi-factor authentication. Employing multi-factor authentication is a key part of maintaining a robust cybersecurity posture and ensuring company and customer data Is only accessed by authorized parties.
The Target: Transcredit, a Florida based credit reporting company.
The Take: Exposure of 822, 789 records of Personally Identifiable Information including: first and last names, emails, bank information, notes of payment history, internal User ID’s and passwords, full data schema detailing where and how data stored.
The Vector: An unsecured, non-password protected database was found open and accessible by anyone with an internet connection.
It is critical to employ robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data security. Furthermore, the access credentials which were exposed could lead to pivot attacks by breaching other IT systems belonging to the firm.
The Target: Fertility Center of Illinois
The Take: Exposure of Personally Identifiable Information including: full names, social security numbers, financial information, medical data, and health insurance policy numbers, employee numbers, and passport numbers.
The Vector: The threat actors were able to access a third-party server where FCI’s data was stored, and as the firm did not employ proper authentication tools, the attackers were able to freely view and download the sensitive information.
This breach highlights the critical nature of employing robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data security. Furthermore, firms must be aware of where their data is stored, be that on their own sites or a third-party, and take steps to ensure it is secure.
The Target: United States Cellular Corporation, a wireless carrier.
The Take: Personally Identifiable information including: names, addresses, PIN codes, phone numbers, information on wireless usage and billing statements.
The Vector: The threat actors contacted employees of U.S Cellular and tricked them into downloading and installing malicious software and as the employees were logged on with legitimate credentials, the dangerous software was able to be installed. This malware let the attackers further access customer accounts remotely to port the victim’s phone numbers to a different carrier.
This breach highlights the ongoing and ever-present threat that social engineering poses to firms. Regular training and policy review can help firms ensure their employees are employing a slow and measured approach whenever access, or installation of software, is made – especially when the request is initiated from outside the firm.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
168 Hobsons Lake Drive Suite 301
Beechville, NS
Canada, B3S 0G4
Tel: +1 902 429 8880
Manila
10th Floor, Two Ecom Center
Mall of Asia Complex
Harbor Dr, Pasay, 1300 Metro Manila
Philippines
Sydney
Level 15 Grosvenor Place
225 George Street, Sydney NSW 2000
Australia
Tel: +61 (2) 8823 3370
Abu Dhabi
Floor No. 15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Prague
2nd Floor, The Park
V Parku 8
Chodov, Praha, 148 00
Czech Republic
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy