The target: Wolfe Eye Clinic, an operator of a network of eye clinics throughout Iowa.
The take: Personally identifiable and medical information of 500,000 current and past patients, including names, addresses, birth dates, Social Security numbers and, in some cases, medical and health information.
The attack vector: Wolfe reported that it had been the victim of a ransomware attack in February 2021. It elected not to pay the ransom at the time of the attack, but a subsequent forensic investigation confirmed that a substantial quantity of data had been exfiltrated as part of the attack.
While ransomware attacks have traditionally limited themselves to encrypting data in place, allowing firms with robust backup regimens to recover, the vast majority of recent attacks have included an exfiltration component, in an attempt to ensure that the victim pays the ransom to prevent sensitive information from being leaked. Backups therefore no longer neutralize the threat on their own. Commensurate technical controls and a robust security awareness program to prevent employees from falling victim to social engineering scams are critical to preventing ransomware attacks from occurring in the first place.
The target: Amerigas, the largest propane provider in the U.S.
The take: Personally identifiable information of 123 employees, including lab IDs, Social Security numbers, driver's license numbers, and dates of birth.
The attack vector: The breach occurred when an employee of a third-party vendor, J.J. Keller, fell for a phishing email and unknowingly handed their login credentials to a threat actor. The attacker then logged in with the employee's legitimate credentials and began accessing secure documents and information.
Phishing attacks against individual employees remain one of the greatest security threats to an entire organization, and, as this case shows, the exposure extends to every third party whose staff hold credentials to a firm's data. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging that emphasizes critical thinking and caution, are crucial to protecting sensitive information assets. So is multi-factor authentication, so that a single phished password is not enough to log in.
The target: CVS, a U.S.-based retailer and pharmacy company.
The take: Exposure of an estimated one billion records, including event and configuration data, visitor IDs, session IDs, device access information, a schematic of the logging system used by the website, and search queries for medications including COVID-19 vaccines.
The attack vector: A misconfigured cloud database controlled by a third-party vendor, with no password protection or credential management, let anyone with an internet connection access and download the data.
This breach highlights the risk of working with third-party vendors and the importance of regular auditing to ensure they follow best practice when handling data. The storage of sensitive information should follow industry-standard practices and be managed with proper credential deployment and security, whether a firm's data sits on its own servers or in the hands of another party.
The target: Carter’s, a U.S.-based retailer of baby clothing and apparel.
The take: An estimated 410,000 records of personally identifiable information, including full names, physical addresses, email addresses, phone numbers, shipping tracking IDs, and purchase and transaction details.
The attack vector: The breach occurred because of a failure to implement authentication controls for the URL shortener used on the site. When a customer made a purchase online, they were redirected to a shortened URL for the purchase confirmation page, which required no credentials to view. Furthermore, the links were not set to expire, letting anyone who obtained a URL access the sensitive information at any time, indefinitely.
Any page where customer data is displayed should follow industry-standard practices and require proper authentication, and any link that grants access to such a page should be unguessable and short-lived. The exposure of detailed personal information makes a firm's customers extremely vulnerable to phishing attacks and fraud.
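One way to close the two gaps described above (links anyone could reuse, and links that never expired) is to sign each order link with an HMAC over the order id and an expiry timestamp, and to reject any link whose signature or expiry does not check out. The following is an added example written for this page, not Carter's code or the shortener's; the hostname, URL layout, signing key and 24-hour lifetime are all assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side signing key. In production, load it from a secrets
# manager and rotate it; it is hard-coded here only so the example runs stand-alone.
SECRET_KEY = b"example-signing-key-rotate-me"

# How long a confirmation link stays valid (24 hours here; an assumed policy value).
LINK_TTL_SECONDS = 24 * 60 * 60

# Hypothetical shop hostname used for the constructed URLs.
BASE_URL = "https://shop.example.com"


def _sign(order_id: str, expires_at: int) -> str:
    """HMAC-SHA256 over the order id and expiry, so neither can be changed undetected."""
    msg = f"{order_id}:{expires_at}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_order_link(order_id: str, now: Optional[int] = None) -> str:
    """Build a signed, time-limited link to an order confirmation page."""
    now = int(time.time()) if now is None else now
    expires_at = now + LINK_TTL_SECONDS
    return f"{BASE_URL}/order/{order_id}?exp={expires_at}&sig={_sign(order_id, expires_at)}"


def verify_order_link(order_id: str, exp: str, sig: str, now: Optional[int] = None) -> bool:
    """Accept the link only if it has not expired and the signature matches.

    compare_digest keeps the comparison constant-time, so the signature cannot be
    guessed byte by byte from response timing.
    """
    now = int(time.time()) if now is None else now
    try:
        expires_at = int(exp)
    except ValueError:
        return False  # missing or malformed expiry: an unsigned, never-expiring link fails here
    if now >= expires_at:
        return False
    return hmac.compare_digest(_sign(order_id, expires_at), sig)


def verify_order_url(url: str, now: Optional[int] = None) -> bool:
    """Parse a full URL of the form BASE_URL/order/<id>?exp=...&sig=... and verify it."""
    parsed = urlparse(url)
    parts = parsed.path.rstrip("/").split("/")
    if len(parts) < 3 or parts[-2] != "order" or not parts[-1]:
        return False
    query = parse_qs(parsed.query)
    exp = query.get("exp", [""])[0]
    sig = query.get("sig", [""])[0]
    return verify_order_link(parts[-1], exp, sig, now)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp so the demo is deterministic
    link = make_order_link("ORD-1001", now=issued_at)
    print(link)
    print("fresh link valid:", verify_order_url(link, now=issued_at + 60))
    print("after 24h valid:", verify_order_url(link, now=issued_at + LINK_TTL_SECONDS))
    print("swapped order id valid:", verify_order_url(link.replace("ORD-1001", "ORD-1002"), now=issued_at + 60))
```

A signed, expiring link still grants access to whoever holds it during its lifetime, so for pages showing addresses and order history the stronger control is to require the customer to log in; the signed link is the fallback where guest checkout makes a session impossible.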
The target: 20/20 Hearing Care Network, a vision and hearing benefits administrator.
The take: 3.3 million records of personally identifiable information, including names, addresses, member numbers, dates of birth, and health insurance information.
The attack vector: An unsecured Amazon Web Services cloud storage database server was left online with no password protection, meaning anyone with an internet connection could connect and download the data. After copying the data, the attackers deleted it from the server.
This breach highlights the critical importance of a firm's data backups: if information is deleted in an incident, the ability to restore it is essential both to recover and to fully ascertain the scope of the breach. Proper credential management, ensuring accounts and permissions are appropriately deployed and used, is an integral part of maintaining a robust cybersecurity posture.
The target: Bergen Logistics, a U.S.-based fulfillment provider.
The take: Personally identifiable information including names, surnames, city, zip code, street addresses, order numbers, email addresses, and plain-text passwords to customer accounts.
The attack vector: An unsecured Elasticsearch database server was left online, meaning anyone with an internet connection was able to connect and download the data.
The exposure of personal information can lead to highly targeted phishing and fraud attacks. More critical was that this firm stored its customer account passwords in plain text on the server, with no protection at all. Passwords should never be stored in a recoverable form, whether plain or reversibly encrypted: the standard is a salted, deliberately slow one-way hash (bcrypt, scrypt, Argon2 or PBKDF2), so that even a full copy of the database does not hand the attacker working credentials. Ensuring credentials are protected this way is an integral part of maintaining a robust cybersecurity posture.
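To make the contrast concrete, here is an added example (written for this page, not Bergen Logistics' code) placing the plain-text pattern from the breach beside a salted, slow hash. PBKDF2-HMAC-SHA256 is used only because it ships in Python's standard library; bcrypt, scrypt or Argon2id are equally acceptable. The iteration count is an assumed policy value in line with current OWASP guidance, and the record format is this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor. An assumption for this example; raise it over time as hardware improves.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The pattern behind the breach: the stored value IS the password."""
    return password  # anyone who reads the database reads every customer's password


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow, one-way hash stored as a self-describing 'scheme$iterations$salt$hash' record."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record; raises ValueError on anything that is not our format."""
    scheme, iters, salt_b64, dk_b64 = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown scheme")
    return int(iters), base64.b64decode(salt_b64, validate=True), base64.b64decode(dk_b64, validate=True)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        iterations, salt, expected = _parse(stored)
    except (ValueError, TypeError):
        return False  # malformed or plain-text legacy record never verifies
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses a weaker work factor than current policy (or is not hashed at all).

    Call this after a successful login and rehash with the password you just verified.
    """
    try:
        stored_iterations, _, _ = _parse(stored)
    except (ValueError, TypeError):
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    # Constructed sample account; not real data.
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Correct horse battery staple", record))
    print("plain-text record needs rehash:", needs_rehash(store_plaintext("hunter2")))
```

The self-describing record is what lets a firm raise the work factor later without a forced password reset: `needs_rehash` spots old records at login time, when the plain password is briefly available to rehash.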
The target: FastTrack Reflex Recruitment, a U.K.-based online recruitment firm.
The take: Exposure of 20,000 records of personally identifiable information, including email addresses, home addresses, full names, phone numbers, dates of birth, and passport photos.
The attack vector: The information was exposed by a misconfigured cloud storage account that allowed anyone with an internet connection to access and download a full copy of the records.
Leaving storage exposed to the internet without any authentication undermines the confidentiality, integrity, and availability of the data it holds: anyone can read it, alter it, or delete it. The first control is to deny anonymous access and grant it only to named identities; industry-standard practices for those identities, including password length and complexity, two-factor authentication, and email verification, then raise the level of protection around the accounts that do have access.
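The 20/20 Hearing Care Network and FastTrack entries above both come down to cloud storage that answered to anonymous callers. On AWS S3, one place that shows up is the bucket policy, and an anonymous grant has a recognizable shape: an Allow statement whose Principal is "*" (or {"AWS": "*"}). The following is an added example written for this page, not code from either firm or from AWS, that scans a bucket policy document for such statements; the policies themselves are constructed samples, and the bucket, role and VPC endpoint names are made up.

```python
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may hold one value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements granted to anonymous principals, with a severity label."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue  # explicit Deny statements with Principal "*" are fine and common
        finding = {
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            # A Condition (aws:SourceIp, aws:SourceVpce, ...) narrows the grant; flag it for
            # review rather than calling it public outright.
            "severity": "review" if stmt.get("Condition") else "public",
        }
        findings.append(finding)
    return findings


def scan_policy(policy_json: str) -> List[Dict[str, Any]]:
    """Convenience wrapper for a policy document given as JSON text."""
    return find_public_statements(json.loads(policy_json))


def summarize(policy_json: str) -> List[str]:
    """One human-readable line per finding."""
    return [
        f"[{f['severity'].upper()}] Sid={f['sid']} actions={','.join(f['actions'])}"
        for f in scan_policy(policy_json)
    ]


# Constructed sample policies (not from any real bucket).
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-member-exports", "arn:aws:s3:::example-member-exports/*"]
  }]
}"""

SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReaderRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-member-exports/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-member-exports/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}"""

CONDITIONED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-member-exports/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}"""

if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_READ_POLICY), ("scoped", SCOPED_POLICY), ("conditioned", CONDITIONED_POLICY)]:
        print(name, summarize(doc) or ["no anonymous Allow statements"])
```

The policy document is only one path to exposure: object and bucket ACLs can also grant public access, and the account-level S3 Block Public Access setting is the guardrail that stops both. A scan like this belongs in the same audit that reviews a vendor's storage, not just a firm's own.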
The target: The U.S.-based Fermilab physics laboratory.
The take: Exposure of databases containing proprietary documents, project names, configuration files, passwords, and personally identifiable information such as employee names and emails.
The attack vector: Security researchers found wide-open ports on Fermilab's systems and used these unprotected points of access to reach its IT ticketing support system and file transfer service. This exposed employee names and titles, as well as many sensitive documents attached to individual help tickets. Fermilab's file transfer service was also online with no password protection.
This breach highlights the importance of credential management and of thoroughly testing every point of access into a firm's IT systems, starting with an inventory of what is actually listening on the internet. All entry points should be secured with robust password controls of appropriate length and complexity, along with proper management and monitoring.
The target: Peloton, an exercise equipment manufacturer.
The take: Exposure of an unknown number of its 3 million users' personally identifiable information, such as user ID, instructor ID, location, workout statistics, gender and age, and studio check-ins.
The attack vector: The leak occurred due to a lack of authentication and authorization controls on the API endpoints used by Peloton's mobile app, website, and backend (an API, or Application Programming Interface, is a software intermediary that allows two applications to exchange data). Unauthenticated individuals were able to send an API request manually and retrieve profile information for Peloton users, even when those profiles were marked as ‘private’.
This breach highlights the critical importance of robust authentication, and of an authorization check on each record requested, whenever user data is requested and transferred through a firm's publicly reachable IT systems. Thorough testing of these controls is an integral part of maintaining a rigorous cybersecurity posture. Exposed personal data can lead to extremely effective phishing attacks and further data breaches of a firm's customers.
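The two missing controls named above are distinct, and an endpoint needs both: authentication (who is calling?) and per-record authorization (may this caller see this profile?). The following added example, written for this page and not Peloton's code or API, models a profile endpoint as a plain function and shows the vulnerable version beside a hardened one. The profiles, session tokens and field names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Profile:
    user_id: int
    display_name: str
    location: str
    is_private: bool


# Constructed sample data (not real users).
PROFILES: Dict[int, Profile] = {
    1: Profile(1, "alice", "Iowa", is_private=True),
    2: Profile(2, "bob", "Nova Scotia", is_private=False),
}

# Constructed session store: bearer token -> authenticated user id.
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}

Response = Tuple[int, Optional[dict]]  # (HTTP status, JSON body)


def _view(p: Profile) -> dict:
    return {"user_id": p.user_id, "display_name": p.display_name, "location": p.location}


def _authenticate(authorization: Optional[str]) -> Optional[int]:
    """Return the caller's user id for a valid 'Bearer <token>' header, else None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    return SESSIONS.get(authorization[len("Bearer "):])


def get_profile_vulnerable(user_id: int, authorization: Optional[str]) -> Response:
    """Mirrors the failure described above: the header is ignored and privacy is never checked."""
    p = PROFILES.get(user_id)
    return (404, None) if p is None else (200, _view(p))


def get_profile_hardened(user_id: int, authorization: Optional[str]) -> Response:
    # 1. Authentication: every request must carry a valid session.
    caller = _authenticate(authorization)
    if caller is None:
        return 401, None
    # 2. Authorization on the specific record: private profiles only for their owner.
    p = PROFILES.get(user_id)
    if p is None or (p.is_private and caller != p.user_id):
        # Same response for "does not exist" and "not yours", so sequential ids
        # cannot be walked to learn which ones are private.
        return 404, None
    return 200, _view(p)


def enumerate_profiles(handler, authorization: Optional[str], max_id: int = 5) -> Dict[int, dict]:
    """Walk user ids 1..max_id the way the manual requests above did; return what leaks."""
    leaked = {}
    for uid in range(1, max_id + 1):
        status, body = handler(uid, authorization)
        if status == 200:
            leaked[uid] = body
    return leaked


if __name__ == "__main__":
    print("vulnerable, no token:", enumerate_profiles(get_profile_vulnerable, None))
    print("hardened, no token:", enumerate_profiles(get_profile_hardened, None))
    print("hardened, as bob:", enumerate_profiles(get_profile_hardened, "Bearer tok-bob"))
```

Note that authentication alone would not have been enough: a logged-in user walking ids would still have read every private profile. The check that the caller owns the record is the one that actually honours the 'private' setting.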
The target: First Horizon Bank, a U.S.-based financial services company.
The take: Up to $1 million USD, along with the personally identifiable information held in roughly 200 online customer accounts.
The attack vector: The attacker used illicitly obtained login credentials and exploited a vulnerability in third-party security software, letting them access customer accounts and siphon funds. In addition to the stolen funds, the detailed personally identifiable data exposed is highly valuable for further phishing and fraud attacks.
This breach emphasizes the importance of controls around the authentication process: requirements for strong, unique credentials, and multiple factors of authentication wherever possible to mitigate stolen or brute-forced passwords. Third-party software components in an authentication process must also be implemented properly, with security patches tested and applied in a timely manner to maintain a secure posture.
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.