
Industry News: ESG5

    Know Your Breach: Revere Health

    The target: Revere Health, a Utah-based multispecialty physician group.

    The take: Personally Identifiable Information of 12,000 patients, including medical record numbers, dates of birth, provider names, procedures, and insurance names.

    The attack vector: An employee of Revere Health fell victim to a phishing attack, allowing the attacker control of their email account.

    Phishing attacks against individual employees remain one of the greatest security threats to an entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.


    Know Your Breach: Ford

    The target: Ford, a U.S.-based maker of automobiles.

    The take: Exposure of Personally Identifiable Information including customer and employee records, finance account numbers, database names and tables, internal support tickets, user profiles, and authentication access tokens.

    The attack vector: A known vulnerability in one of Ford's misconfigured customer management interfaces, Pega Infinity, could have allowed an attacker access to the backend web panel. From there, they could execute malicious commands through the URL to retrieve database tables, run queries, and, more critically, perform administrative actions.

    This breach highlights the importance of having processes in place to update software in a timely manner, an essential part of complying with industry standard cybersecurity practices. Furthermore, this exposure also demonstrates how one exposed point of access can have a cascading and multiplying effect on the severity of a breach.


    Know Your Breach: Reindeer

    The target: Reindeer, a U.S.-based online marketing company.

    The take: The exposure of 50,000 records of Personally Identifiable Information including names, addresses, dates of birth, email addresses, Facebook IDs, and phone numbers.

    The attack vector: Reindeer failed to secure the Amazon S3 bucket holding this data with any credential management whatsoever, allowing anyone with an internet connection to access the data.

    While Reindeer is no longer in operation, the data it held belonged to firms that are still operating, and this breach highlights not only the necessity of robust credential controls but also the risks of using third-party vendors. Up-to-date monitoring of where, and on what systems, a firm's data resides is essential for maintaining the expected industry standard of cybersecurity.


    Know Your Breach: UC San Diego Health

    The target: UC San Diego Health, the academic health system of the University of California.

    The take: Exposure of personally identifiable information including full name, address, date of birth, email, fax, claims information, medical diagnosis and conditions, social security number, student ID number and password, and payment card number or financial account number.

    The attack vector: The breach occurred when an employee clicked on a phishing email and unknowingly gave away their login credentials (company username and password) to the attackers. Using the employee's legitimate credentials, the threat actors accessed the sensitive data.

    Phishing attacks against individual employees remain one of the greatest security threats to an entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.


    Know Your Breach: Lake County Health Department

    The target: Lake County Health Department, a Chicago-based centre for the management of health services.

    The take: Exposure of name, date of birth, phone number, email address, and Covid-19 vaccination status for over 700 patients.

    The attack vector: The data was exposed through an unsecured Google Sheet saved on an employee's private Google Drive account, which was being accessed by company employees.

    This breach is a critical reminder of the importance of robust security controls wherever customer data is concerned. Using private services poses a great threat, as these are not subject to a company's cybersecurity standards and its authentication controls are not in place. It also exposes the data to credential stuffing attacks: if the employee's personal account was compromised anywhere else, access to the company data is now at risk. Strict separation between personal and professional IT systems is critical for maintaining an accurate picture of access and control.


    Know Your Breach: Artwork Archive

    The target: Artwork Archive, a Denver, Colorado-based online platform that connects artists and buyers.

    The take: 200,000 records of Personally Identifiable Information including first and last names, physical addresses, email addresses, phone numbers, and purchase details with sales agreements.

    The attack vector: A misconfigured, unsecured Amazon S3 storage server allowed anyone with an internet connection to access and download the data.

    The exposure of personal information can lead to highly targeted phishing and fraud attacks. Given how detailed the information in this exposure was, the threat of spear-phishing campaigns is high. Authentication is an integral part of a rigorous cybersecurity posture, and it is critical to apply industry-standard practices of credential management, user authentication, and validation to all storage of customer data.


    Know Your Breach: Morgan Stanley

    The target: Morgan Stanley, an investment banking firm providing banking, securities, and wealth management services worldwide.

    The take: Stock plan participants' names, addresses, dates of birth, social security numbers, and corporate company names.

    The attack vector: The breach occurred within a third-party vendor, Guidehouse, used by Morgan Stanley. Guidehouse in turn was using Accellion's File Transfer Application (FTA), which had been compromised earlier this year. Using a known exploit in Accellion's FTA service, attackers were able to penetrate Guidehouse's systems and access files Morgan Stanley had stored there. While the data was encrypted, access to the decryption key was also not secured, allowing the attackers to steal and read the data.

    This incident highlights the ease with which a single breach can lead to a pivot into other systems. While Morgan Stanley's own systems were not at risk, its data was stored with a third party that failed to fully secure its own systems by continuing to use an exploited piece of software. The cascading nature of data breaches cannot be overstated, and firms should make every effort to secure their data no matter where it is being stored.


    Know Your Breach: Wolfe Eye Clinic

    The target: Wolfe Eye Clinic, an operator of a network of eye clinics throughout Iowa.

    The take: Personally identifiable and medical information of 500,000 current and past patients including names, addresses, birth dates, social security numbers, and, in some cases, medical and health information.

    The attack vector: Wolfe reported that it had been the victim of a ransomware attack in February 2021. It elected not to pay the ransom at the time of the attack, but a subsequent forensic investigation confirmed that a substantial quantity of data had been exfiltrated as part of the attack.

    While ransomware attacks have traditionally limited themselves to encrypting data in place, allowing firms with robust backup regimens to recover, the vast majority of recent attacks have included an exfiltration component, in an attempt to ensure that the victim pays the ransom to prevent sensitive information from being leaked. Commensurate technical controls and a robust security awareness program to prevent employees from falling victim to social engineering scams are critical to preventing ransomware attacks from occurring in the first place.


    Know Your Breach: Amerigas

    The target: Amerigas, the largest propane provider in the U.S.

    The take: Personally Identifiable Information of 123 employees, including lab IDs, social security numbers, driver's license numbers, and dates of birth.

    The attack vector: The breach occurred when an employee of a third-party vendor, J.J. Keller, fell for a phishing email and unknowingly gave away their login credentials to a threat actor. The attacker then logged in using the employee's legitimate credentials and began accessing secure documents and information.

    Phishing attacks against individual employees remain one of the greatest security threats to the entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.


    Know Your Breach: CVS

    The target: CVS, a U.S.-based retailer and pharmacy company.

    The take: Exposure of an estimated one billion records of information including event and configuration data, visitor IDs, session IDs, device access information, a schematic of the logging system used by the website, and queries for medications including COVID-19 vaccines.

    The attack vector: A misconfigured cloud database, controlled by a third-party vendor, had no password protection or credential management, letting anyone with an internet connection access and download the data.

    This breach highlights the risk of working with third-party vendors and the importance of regular auditing to ensure they follow best practice when handling data. The storage of sensitive information should follow industry-standard practices and be managed with proper credential deployment and security, whether a firm's data is on its own servers or in the hands of another party.


    About Castle Hall Diligence

    Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long-only portfolios.
