.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The target: C3UK, a provider of Free WiFi at railway stations across the UK
The take: Personal data of more than 10K rail passengers including dates of birth, email addresses and travel plans
The attack vector: A security researcher discovered that C3UK had left a database backup publicly exposed on an Amazon Web Services storage device with no password protection.
While security controls around production systems and databases are missions critical, care must also be taken when storing and transferring backups and duplicate copies of production data. Security controls must always be commensurate to the level of sensitivity of data being handled, and must travel with that data throughout its lifecycle.
The target: Buchbinder, a German car rental company
The take: Personally Identifiable Information of 3.1 million customers including: names, emails, phone numbers, addresses, dates of birth, license numbers, bank details and payment info. In total, over 5 million files were exposed, with some of them being passwords belonging to employees which were stored in plain text.
The attack vector: An unsecured backup database which was completely unprotected by any credentials and was freely accessibly to anyone with an internet connection. The database was discovered as part of routine scanning for unprotected databases.
This type of data is a prime target for threat actors seeking to carry out targeted phishing campaigns and BEC (business email compromise) attacks. Failure to implement robust practices can leave firms open to violations of data protection standards, and highlights the fact that protecting user data is the same as protecting the firm.
The target: Crown Bank, a New Jersey based financial institution.
The take: $2 million USD
The attack vector: Cyber criminals impersonated the wife of the CEO using a fake email address and tricked the bank’s employees to transfer funds multiple times. Using fraudulently created signatures of the CEO’s wife attached to PDF files, the attackers convinced bank staff that the requests, and their urgency, were legitimate.
Failure to implement and follow internal validation procedures can have serious consequences, and where an attacker discovers and exploits a weakness, they are likely to attack again until they are discovered. Furthermore, failure to enforce a firm’s security and cash transfer control procedures can invalidate an attempt to recoup damages via an insurance claim.
The target: The United Nations
The take: 400GB of data including: internal documents and emails, human resource records, database access, commercial information, and Active Directory access.
The attack vector: The threat actors used compromised 42 servers in total when they were able to exploit a known remote code vulnerability in Microsoft Sharepoint. This let the attackers move freely within all of the IT systems. A patch was released a few months prior to the breach, but the U.N’s IT department failed to deploy the patch when it was released, leaving a significant timeframe in which their systems were vulnerable.
This breach highlights the critical importance of maintaining an inventory of internal systems and software, and ensuring those systems are kept up-to-date. Security vulnerabilities can be exploited as soon as they’re identified, underlining the importance of adhering to a regular and frequent patching schedule.
The target: Mitsubishi Electric, an electronics company based in Japan.
The take: Personal data of 8000 employees and trade secrets including technical, sales, and client information.
The attack vector: A zero-day vulnerability (a newly discovered vulnerability for which no patch/mitigation has yet been published) in antivirus software used by Mitsubishi compromised accounts and internal systems. Attackers gained access to forty servers and one hundred and twenty computers inside the company.
The unfortunate reality is that every company is potentially vulnerable, and this example only reinforces our position that cybersecurity is not a one-and-done, set-it-and-forget-it domain. While zero-day exploits are rare and extremely difficult to defend against, monitoring and assessment of redundant security measures and the defense-in-depth approach can limit the potential impact of a compromise of one layer of a firm’s defenses.
The target: SpiceJet, one of India’s largest privately owned airlines.
The take: Private information of more than 1.2 million passengers including: Full names, phone number, email address, date of birth and a month’s worth of flight information.
The attack vector: SpiceJet’s IT systems were cracked through a brute-force attack of an extremely weak password. Once the system was penetrated, an unencrypted database backup file was discovered containing the millions of readable records.
This breach highlights the importance of secure password practices which should be applied at all levels across a firm. In addition, wherever personally identifiable information is concerned, extra care is advised as their compromise can enable highly effective phishing campaigns and identity theft.
The target: Microsoft
The take: 250 million Call Centre records which included full conversations between service agents and customers, as well as a portion of customer emails, internal notes and IP addresses.
The attack vector: Cloud databases across five different online servers were left unsecured, as a misconfigured security group left them exposed to the internet. These records could be used in extremely targeted and effective phishing campaigns against customers, impersonating Microsoft support agents and referencing internal case numbers and topics discussed.
This breach again raises the critical consideration that effectiveness of an organization’s security relies on vigilant processes and validations where cloud technology is concerned no matter the scale of the infrastructure or the pedigree of the firm.
The target: LimeLeads, a San Francisco-based business-to-business leads generator.
The take: 49 million user records including: full name, title, user email, employer/company name, company address, company total revenue and estimated number of employees.
The attack vector: LimeLeads did not set up a password for the internal database which was hosted on a publicly accessible server, meaning anyone with an internet connection was able to access the data and scrape a copy. The highly specific personal details of the data could lead to extremely effective spear-phishing campaigns targeting high level individuals.
The security of intended internal systems is as critical as external facing ones. Adopting stringent cybersecurity policies across all areas of access, whether internal or external, is crucial to maintaining the integrity, confidential and availability of data.
The target: Cabarrus County, a district of North Carolina in the United States
The take: $1.7 million dollars
The attack vector: A BEC, or Business Email Compromise. The attackers posed as one of the county’s contractors and requested their bank account be updated in time for the next payment. They spoofed legitimate documents including an electronic funds transfer form (EFT) and signed bank documentation. After receiving the bogus documents, Cabarrus County staff changed the vendor’s account to this new, fake one and continued with their scheduled payments.
This attack highlights the importance of security awareness campaigns that test and train employee’s abilities to spot and report suspicious emails. Additionally, controls should be in place wherever payments are processed to ensure that any requests to change payment instructions are reviewed and validated outside of an e-mail correspondence string.
The target: Wyze, a Seattle-based smart home device maker.
The take: Email addresses, IP addresses, WiFi SSID’s and device information of 2.4 million customers.
The attack vector: During the deployment of a new database, a mistake by an employee removed all of the security protocols governing the system, thus exposing the information. In total, two exposed Elasticsearch databases and one MySQL production database were freely accessible and the attackers were then able to access and download the leaked information.
Deployment of new technology is a potentially critical point of vulnerability. Any changes intended for the production environment should be tested in a private staging environment and audited/tested wherever possible to avoid introducing gaps into a firm’s security posture.
