Industry News: ESG5

The target: SingHealth, Singapore’s largest group of healthcare organizations.

The take: 1.5 million patient records which included: names, prescriptions, medical records, government registration numbers, addresses and dates of birth.

The attack vector: The source of the breach according to early reports was a phishing campaign, however, security researcher’s leading hypothesis was that the attack originated through SingHealth’s failure to keep their software updated. The company used an open source penetration testing application called Ruler. However, they ignored an available patch for Ruler which addressed a known vulnerability, and which led to the hackers gaining access.

Regular and rigorous attention to security updates must be applied to ensure maximum safety of a company’s IT systems – especially where it pertains to tools used to assess the security of internal systems and the effectiveness of technical controls.

Read more...

The target: Imperva, cyber-security firm based out of California.

The take: A complete copy of their customer information database.

The attack vector: Imperva uploaded a snapshot of its customer database for testing. However, in an unrelated incident, they left one of their internal systems publicly accessible on the internet from which the attacker stole key to the recently uploaded database. Using the key, the hacker was able to download a copy of the customer information.

After Imperva adopted cloud technologies to scale their infrastructure to meet increasing needs, they failed to account for the increased risk of this strategy. Cyber-security diligence applies at all levels of scale including times of expansion and investment in new technology.

Read more...

The target: FireEye, a publicly traded cybersecurity company in California.

The take: Corporate documents, details on client contracts and licenses, and personal login credentials.

The attack vector: Attackers used credentials exposed in public data breaches to access the personal accounts of a security analyst employed by FireEye. Once his accounts had been compromised, they were able to exploit his business use of those personal accounts to obtain sensitive information belonging to his employer.

On an individual level – this attacks highlights the importance of changing passwords and rotating credentials, particularly in the wake of a publicized credential breach. At the firm level - once confidential and sensitive information leaves a firm’s information systems, it’s completely outside of their control. Security policies must reflect zero tolerance for use of personal accounts to communicate on behalf of the firm or store/transfer sensitive and proprietary information.

Read more...

The target: Malindo Air, a Malaysian subsidiary of Indonesia’s Lion Group

The take: Approx. 35 million passenger records, including names, emails, addresses, passport numbers/expiration dates.

The attack vector: Two former employees of a subcontracted e-commerce provider were identified as having “improperly accessed and stole the personal data of our customers.” Malindo Air reiterated that their external controls were not breached and that “services and infrastructure worked as designed and were not compromised in any way.”

Malicious insiders are unfortunately common sources of data breaches, and internal controls and oversight must be put in place to ensure that data is being handled appropriately by both direct employees and subcontracted staff.

Read more...

The target: Philips Capital Inc, a Chicago-based brokerage firm.

The take: $1 million USD from a client account.

The attack vector: Attackers gained access to internal systems via a successful phishing attempt and impersonated a client of the firm using information they’d gained from reviewing past e-mail correspondences. Gaps in disbursement procedures allowed a requested wire transfer to an unknown bank account to be approved and processed.

While technical controls can protect against cyber-attacks, they cannot always compensate for gaps in procedure and a failure to think critically.

Read more...

The target: Flight booking site, Option Way.

The take: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data personally identifying information is a ripe target for identity thieves.

The attack vector: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data includes names, dates of birth, gender, e-mail addresses, phone numbers and addresses - a ripe target for identity thieves. 

Companies must evaluate their ‘attack surface’ across servers/firewalls and third-party services to ensure that their data is secure and should continuously monitor infrastructure to be assured that changes do not result in exposure of sensitive information.

Read more...

The target: Scotiabank, a major Canadian based banking institution

The take: Login keys to backend systems, internal source code of mobile apps, software blueprints, and credentials for a database of foreign exchange rate data.

The attack vector: The data in question was left accessible on a non-secured public repository, GitHub. Analysis of the leaked data could provide numerous and deep exploitations and vulnerabilities.

Source code repositories, like file storage repositories, must be correctly configured to ensure that sensitive data remains internal and accessible only by authorized parties. Default permissions or accessibility settings must always be reviewed before sensitive data is committed to storage.

Read more...

The target: Monster.com, a popular job posting website service.

The take: Personal information of hundreds of job applicants dating between 2014 and 2017 including: resumes, phone numbers, email addresses, home addresses and work history.

The attack vector: A customer of Monster.com, a third-party recruitment company, misconfigured a publicly-accessible web server, leaving records exposed.

A firm’s security posture is only as good as its weakest link - sub-contractors and third parties with access to sensitive data are possible sources of data leakage and must be held to a firm’s own security standards.

Read more...

The Target: Facebook, the social media giant.

The take: 419 million records which contained user’s unique Facebook ID and their associated phone numbers, as well as names, gender and country.

The attack vector: A server containing the data was left unsecured and publicly accessible. Facebook justified the security breach by explaining that the records were ‘old’, and believe that the user accounts in question were not compromised as a result of the breach.

Data breaches are a liability, regardless of whether or not the leaked data is in its most current form. Backups, replicates, and otherwise non-production datasets must be protected with the same encryption and protections to prevent the loss of sensitive information.

Read more...

The target: Lyons Companies Insurance Broker

The take: Personal customer information including names, date of birth, contact information, driver license numbers and financial records. Medical information such as patient identification numbers, diagnosis and treatment information, Medicare/Medicaid ID numbers, health insurance and claims information were also compromised, along with a small number of Social Security Numbers.

The attack vector: Attackers gained access to two Lyons employee email accounts between February and March of 2019, and used these credentials to access the above information and offload the sensitive data.

Stringent and robust employee password protocols and the implementation of two-factor authentication are paramount in providing a strong bulwark against account compromises.

Read more...