.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The target: MCA Wizard, a now defunct mobile app for loaning money to small business owners developed jointly by Advantage Capital Funding and Argus Capital Funding in 2018.
The take: 425GB of data comprising over 500,000 documents, including credit reports, bank statements, contracts, legal paperwork, driver’s licenses, purchase orders & receipts, tax returns, social security information and more.
The attack vector: Even though the app itself was pulled from both Google Play and the App Store, the data behind it remained online, stored in an unsecured AWS S3 bucket which was accessible without a password. Security researchers noted that while the app was no longer available, new documents were being added to the database right up until its removal, suggesting that another application or service could have been using the same bucket.
While this is yet another example of a misconfigured storage bucket, it also raises the issue of security controls and management of the lifecycle of data. If an app or service reaches its end of life, there is absolutely an onus on the responsible firm to manage any sensitive data collected or processed by that app through to secure deletion.
The target: Virgin Media, a British telephone, television and internet provider
The take: ‘Limited contact information’ of 900,000 customers, including names, home and e-mail addresses, and phone numbers along with some birth dates and technical and product information.
The attack vector: A misconfigured marketing database left the information exposed for nearly a year, and was confirmed to have been accessed ‘on at least one occasion’ by an outside party.
This incident highlights the need to ensure regimented security controls are established and verified anywhere that an organization stores personally protected information. Security controls must always be commensurate to the type of data being stored, and they must travel with that data to protect the firm and it’s clients from a data breach.
The target: Angeles Investment Advisors, an asset manager based in Santa Monica, California
The take: The e-mail account of Michael Rosen, Chief Investment Officer, was compromised and used to send a bogus ‘bid for proposal’ link to his contacts.
The attack vector: While details have not been published at this time, it is likely that the initial compromise of Rosen’s account was as a result of a targeted phishing attack. Once attackers had control of his e-mail account, they were able to send a malicious attachment to his contact list, and even responded to individuals who questioned the legitimacy of the e-mail – assuring them that attachment was safe, and that they should open it post-haste.
One of the most insidious risks in an e-mail compromise is that the compromised account will be used as a pivot point, and that the trust in that individual will be exploited for criminal gain. These attacks highlight not only the need to ensure that technical controls are in place to prevent accounts from being compromised in the first place – but also the need to train staff to think critically about the content of messages they receive, and to confirm any suspicious communications or requests via a separate channel of communication.
The target: C3UK, a provider of Free WiFi at railway stations across the UK
The take: Personal data of more than 10K rail passengers including dates of birth, email addresses and travel plans
The attack vector: A security researcher discovered that C3UK had left a database backup publicly exposed on an Amazon Web Services storage device with no password protection.
While security controls around production systems and databases are missions critical, care must also be taken when storing and transferring backups and duplicate copies of production data. Security controls must always be commensurate to the level of sensitivity of data being handled, and must travel with that data throughout its lifecycle.
The target: Buchbinder, a German car rental company
The take: Personally Identifiable Information of 3.1 million customers including: names, emails, phone numbers, addresses, dates of birth, license numbers, bank details and payment info. In total, over 5 million files were exposed, with some of them being passwords belonging to employees which were stored in plain text.
The attack vector: An unsecured backup database which was completely unprotected by any credentials and was freely accessibly to anyone with an internet connection. The database was discovered as part of routine scanning for unprotected databases.
This type of data is a prime target for threat actors seeking to carry out targeted phishing campaigns and BEC (business email compromise) attacks. Failure to implement robust practices can leave firms open to violations of data protection standards, and highlights the fact that protecting user data is the same as protecting the firm.
The target: Crown Bank, a New Jersey based financial institution.
The take: $2 million USD
The attack vector: Cyber criminals impersonated the wife of the CEO using a fake email address and tricked the bank’s employees to transfer funds multiple times. Using fraudulently created signatures of the CEO’s wife attached to PDF files, the attackers convinced bank staff that the requests, and their urgency, were legitimate.
Failure to implement and follow internal validation procedures can have serious consequences, and where an attacker discovers and exploits a weakness, they are likely to attack again until they are discovered. Furthermore, failure to enforce a firm’s security and cash transfer control procedures can invalidate an attempt to recoup damages via an insurance claim.
The target: The United Nations
The take: 400GB of data including: internal documents and emails, human resource records, database access, commercial information, and Active Directory access.
The attack vector: The threat actors used compromised 42 servers in total when they were able to exploit a known remote code vulnerability in Microsoft Sharepoint. This let the attackers move freely within all of the IT systems. A patch was released a few months prior to the breach, but the U.N’s IT department failed to deploy the patch when it was released, leaving a significant timeframe in which their systems were vulnerable.
This breach highlights the critical importance of maintaining an inventory of internal systems and software, and ensuring those systems are kept up-to-date. Security vulnerabilities can be exploited as soon as they’re identified, underlining the importance of adhering to a regular and frequent patching schedule.
The target: Mitsubishi Electric, an electronics company based in Japan.
The take: Personal data of 8000 employees and trade secrets including technical, sales, and client information.
The attack vector: A zero-day vulnerability (a newly discovered vulnerability for which no patch/mitigation has yet been published) in antivirus software used by Mitsubishi compromised accounts and internal systems. Attackers gained access to forty servers and one hundred and twenty computers inside the company.
The unfortunate reality is that every company is potentially vulnerable, and this example only reinforces our position that cybersecurity is not a one-and-done, set-it-and-forget-it domain. While zero-day exploits are rare and extremely difficult to defend against, monitoring and assessment of redundant security measures and the defense-in-depth approach can limit the potential impact of a compromise of one layer of a firm’s defenses.
The target: SpiceJet, one of India’s largest privately owned airlines.
The take: Private information of more than 1.2 million passengers including: Full names, phone number, email address, date of birth and a month’s worth of flight information.
The attack vector: SpiceJet’s IT systems were cracked through a brute-force attack of an extremely weak password. Once the system was penetrated, an unencrypted database backup file was discovered containing the millions of readable records.
This breach highlights the importance of secure password practices which should be applied at all levels across a firm. In addition, wherever personally identifiable information is concerned, extra care is advised as their compromise can enable highly effective phishing campaigns and identity theft.
The target: Microsoft
The take: 250 million Call Centre records which included full conversations between service agents and customers, as well as a portion of customer emails, internal notes and IP addresses.
The attack vector: Cloud databases across five different online servers were left unsecured, as a misconfigured security group left them exposed to the internet. These records could be used in extremely targeted and effective phishing campaigns against customers, impersonating Microsoft support agents and referencing internal case numbers and topics discussed.
This breach again raises the critical consideration that effectiveness of an organization’s security relies on vigilant processes and validations where cloud technology is concerned no matter the scale of the infrastructure or the pedigree of the firm.
