Industry News: ESG5

The target: TronicsXhange, a California-based electronics retailer

The take: 80,000 images of personal identification cards and 10,000 fingerprint scans. Information included: driver license number, full name, birthday, home address, gender, hair and eye color, height and weight, and a photo of the individual. 

The attack vector: The breach occurred when an unsecured Amazon S3 bucket was discovered online even after the company had ended its operation. The database was connected with no password protection meaning anyone who found the correct URL could access and freely download the data. 

The breach is serious as the sensitive information stored could lead to severe cases of fraud. Asset management is a critical procedure for any company, and the fact that this server was kept online even after the company had supposedly closed its doors for business highlights the extreme importance of proper decommissioning procedures to ensure sensitive information is securely destroyed or taken offline.

Read more...

The target: Vertafore, a U.S based insurance provider. 

The take: 27.7 million records of personally identifiable information including: driver license numbers, first and last names, date of birth, address, and vehicle registration history. 

The attack vector: Three database files containing the above information were placed, through human error, on an unsecured external, third-party storage service with no authorization access. Meaning anyone with an internet connection had the ability to access and download the data.

This breach highlights the importance of robust cybersecurity protocols and processes. Rigid steps around the transfer andmovement of data is needed to ensure maximum protection of sensitive information, with multiple checks to verify that the destination of the information is secure and expected safeguards are in place. When data is moved, the proper controls commensurate with the sensitivity of the data must travel with it.

Read more...

The target: GrowDiaries, an online community for marijuana growers.

The take: 2 million user records including: usernames, email address, IP addresses, user posted articles, and user account passwords. 

The attack vector: The breach occurred because of a credential management and best practice failure . The site failed to secure its database management application, Kibana, which was left exposed online with no password protection, allowing anyone with an internet connection to access the site. Furthermore, passwords stored in one of the databased were encrypted with weak format known as MD5, which is insecure and can be easily cracked.

Management applications which grant access to user data should always be secured with commensurate levels of security protection. In addition to securing all access points, protection of data ‘at rest’ should include rigorous controls around password tables including hashing, salting, and strong encryption to ensure that if a breach does occur, the damage to clients is mitigated as much as possible.

Read more...

The target: Gunnebo, a Swedish-based security firm.

The take: 38,000 sensitive company documents including: schematics of client bank vaults and surveillance systems, blueprints for monitoring and alarm equipment, and security function of Automatic Teller machines.

The attack vector: Compromised credentials to an employee’s Remote Desktop Protocol account which had a password of ‘password01’. While the confirmation of this particular RDP account’s role in the attack is unverified, security researchers highlight the extremely poor password hygiene here and infer this practice is likely widespread within the firm.

The breach highlights the critical important of robust password polices. Length, complexity, and aging standards for every company account are invaluable to preventing credential compromise.

Read more...

The target: MAXEX, an Atlanta-based residential mortgage trading company.

The take: 9GB of internal company and client data including: confidential banking information, login credentials, emails, penetration test reports, and full mortgage documentation for 23 individuals.

The attack vector: The breach took place due to an unsecured, publicly exposed Jenkins server. A server of this type is used in a variety of highly sensitive activities in the operation and development of software applications. Notably in this breach, MAXEX had stored login credentials in plain text with enough permissions to compromise many of its other systems.

This breach highlights the importance of properly securing data. Furthermore, it underscores the critical importance of credential management as a compromise in one system can easily lead to a pivot to other systems, which can have a cascading negative impact upon company and client data.

Read more...

The target: Broadvoice, a Voice-over-IP service provider.

The take: 350 million total customer records of personally identifiable information including: full names, date of birth, phone number, and voice-mail transcripts with highly sensitive details such as medical records, loan applications, and mortgage information.

The attack vector: A misconfigured Elasticsearch database housing 10 separate clusters of data. There was no authentication or security in place meaning anyone with an internet connection could have full access to the data. These storage servers are easily discoverable with scanning tools available to administrators and malicious attackers alike.

The type of data exposed in this breach poses enormous risk for Broadvoice’s customers as the intricate details leaked, in voice calls and prescription records for example, would give phishing and fraud attacks a high chance of success. This breach demonstrates the extreme importance of securing access to a firm’s data. Proper authentication, monitoring, and credential management are some of the critical tools which can be implemented to prevent these occurrences.

Read more...

The target: Snewpit, an Australian-based news sharing platform. 

The take: 80,000 user records of personally identifiable information including: usernames, full names, email addresses, profile pictures, and log data detailing the amount time users spent on the app and other behaviour metrics.

The attack vector: The information was exposed on an improperly secured, and publicly accessible, Amazon Web Services server. Bad actors can locate these unsecured storage buckets very easily and the complete lack of security on the database means the records were open to anyone with an internet connection.

The combination of data exposed in this incident could lead to very targeted and successful scams by fraudsters. Personally Identifiable information helps these attackers build a complete profile of their victims, and in this case, the log data which outlined the actions taken by users on Snewpit’s app greatly increases the credibility of their scams, vastly increasing the chance they are successful. Data and credential management are critical for ensuring sensitive information is stored safely and securely.

Read more...

The target: BrandBQ, a European fashion retailer. 

The take: 7 million customer records of personally identifiable information including: full names, email addresses, home addresses, date of birth, phone number, and payment records.

The attack vector: The data was exposed on an unencrypted and unsecured Elasticsearch server meaning anyone with an internet connection could have found the information and downloaded a copy. Along with customer information, an additional 50,000 records of relating to contractors who worked with BrandBQ were also stored on the server, exposing their purchase information and correspondence. Further mixed in were API logs relating to their mobile app, greatly increasing the range of possible exposure to over 500,000 affected users. 

Credential management and proper security around storage of data is critical for every business. In this case, the mixing of data all kept in one place compounded the severity of the breach as not only were BrandBQ’s customers made into vulnerable phishing targets, but their contractors are now also extremely susceptible to Business Email Compromise scams.

Read more...

The target: Düsseldorf University Hospital, a German teaching hospital

The take: A critically ill patient died as a result of the cyberattack on the hospital’s systems

The attack vector: A ransomware attack was carried out on the hospital’s systems, exploiting a vulnerability in their VPN. However – as the encryption attack caused the hospital’s computer system to become disconnected from the ambulance network, a critically ill patient had to be redirected to a remote hospital, and died after her admission to hospital was delayed by over an hour.

While hospitals are regular targets of ransomware attacks, this is the first known case where such an attack has cost a patient’s life, and is a stark reminder of the potential stakes. This attack was made possible by a security vulnerability in an off-the-shelf software product, which, for IT professionals, again, underlines the critical importance of maintaining patching procedures and ensuring that applications and appliances are maintained.

Read more...

The target: Razer, an American-based maker of computer accessories and peripherals.

The take: 100,000 records of Personally Identifiable Information including: full name, email, phone number, internal customer ID, order number, billing and shipping address

The attack vector: The data was left unsecured due to a misconfiguration on an Elasticsearch server without any protection or credential management, leaving the information open to be downloaded by anyone with an internet connection. 

The information exposed poses great risk for Razer’s customers as social engineering attacks, such as fraud and phishing, could easily be crafted with precision by bad actors because of the leaked personally identifiable data. This breach highlights the critical importance of not only proper and secure configurations of storage where sensitive information is held, but also strict and robust policy around access and security.

Read more...