The Week In Breach! June 15 to June 22 2018

Dark Web

It should come as no surprise that two of the breaches profiled this week occurred as the result of compromised email addresses and passwords. These events highlight the need to make password hygiene and compromised credential monitoring front and center.

This week also demonstrates that healthcare organizations are increasingly targeted by bad actors. Healthcare-related PII/PHI is increasingly valuable and sought after in dark web markets and forums.

A few more highlights…

– Malware on the move!  New Malware targeting Android phones making the rounds 

– Cortana… the weakest link? An exploit in Windows 10 was patched on Tuesday that allowed one to change passwords

– AI startup working on the United States drone program finds Russian malware on their server

– The Nigerian princes are back! This time, they want to be business partners…

There is a new mobile malware targeting Android phones, containing a banking Trojan, keyloggers, and ransomware. The malware, called MysteryBot, will exfiltrate your data and send it back to LokiBot assets. While it’s still not in wide circulation, Android users should exercise caution when downloading apps both in and out of the Play Store.
https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

A vulnerability that used Cortana to access computer files even if the device was locked was revealed this week… just after patch Tuesday.
https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140/

Across the globe, email scammers are a consistent source of problems for those who use the web. This week the FBI made 74 arrests across 7 countries in a bust of an email scam that targeted mid-sized businesses. The scam originated in Nigeria, the same country where the notorious ‘Nigerian prince’ email scam comes from.
https://www.cnet.com/news/fbi-busts-international-email-fraud-ring-that-stole-millions/

Look out for suspicious .men! Some top-level domains are more likely to be malicious than others, with .men, .gdn and .work being the most abused. If you open a .men link there is about a 50/50 chance that you are going to a site loaded with spam or malware. Check those hyperlinks!
https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/

What we’re listening to this week!

Know Tech Talks – Hosted by Barb Paluszkiewicz

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Elmcroft Senior Living

Exploit: Outside actor.

Risk to Small Business: High: Lack of Data Loss Protection (DLP) and chain of custody leading to breach

Risk to Exploited Individuals: High: Elevated probability for Identity theft and fraud based on PII compromised.

Elmcroft: Recently ending its management of more than 70 assisted living, memory care, and inpatient hospital rehabilitation, Elmcroft was in wind-down mode when the breach occurred.

Date Occurred/Discovered: Occurred May 10th 2018, Discovered on May 12th
Date Disclosed: Elmcroft made an official statement on June 8th, 2018
Data Compromised: Names, date of birth, Social Security numbers, personal health information
How it was Compromised: A third party had access to information being transferred from Elmcroft to the new management company
Customers Impacted: Residents, residents’ family members, employees, possibly others
Attribution/Vulnerability: Undisclosed at this time.

https://www.mcknightsseniorliving.com/news/data-breach-puts-personal-information-of-residents-workers-at-risk-elmcroft-senior-living-says/article/772385/

Terros Health

Exploit: Phishing scam that compromised one account.

Risk to Small Business: High: Demonstrates phishing is still a primary tactic to generate exploits and how one compromised email account can end in a major breach.

Risk to Exploited Individuals: High: Sensitive personal information, Social Security numbers and medical information were leaked, all of which can be used maliciously by an outside actor.

Terros Health: Phoenix-based mental health and addiction services provider.

Date Occurred/Discovered: April, 2018
Date Disclosed: June 8th, 2018
Data Compromised: Patient names, date of birth, Social Security number
How it was Compromised: Phishing scam that compromised a single email account
Customers Impacted: 1,600 patients
Attribution/Vulnerability: One compromised email due to a phishing scam

https://www.bizjournals.com/phoenix/news/2018/06/10/terros-healthwarns-of-patient-data-breach.html

Clarifai

Exploit: Malware exploit to steal IP

Risk to Small Business: High: Demonstrates the need to harden security when dealing with Intellectual Property and being targeted as a Federal Contractor/Supply Chain Sub-contractor.

Risk to Exploited Individuals: High: Highly sensitive military information is located at the company, making individuals who work there targets for state-sponsored hacking.

Clarifai: An artificial intelligence startup based in New York involved in improving U.S. military drones.

Date Occurred/Discovered: November, 2017
Date Disclosed: June 2018
Data Compromised: Possibly customer data, although Clarifai denies that any data was compromised.
How it was Compromised: Unclear, although the origin of the malware is believed to be Russian.
Attribution/Vulnerability: Malware
Customers Impacted: The company assures that no customer data was compromised

https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hacked

https://cyware.com/news/ai-startup-clarifai-working-on-pentagons-project-maven-was-allegedly-hacked-by-russian-source-8a171b30

HealthEquity
Exploit: Compromised email.

Risk to Small Business: High: Demonstrates the need for compromised credential monitoring and implementing stronger authentication tools.

Risk to Exploited Individuals: High: sensitive personal information and Social Security numbers were accessed during the breach.

HealthEquity: Utah-based firm that handles millions of health savings accounts.

Date Occurred/Discovered: April 11, 2018
Date Disclosed: June 2018
Data Compromised: Names of members, HealthEquity ID numbers, names of employers, employers’ HealthEquity IDs, Social Security numbers
How it was Compromised: An email account of a HealthEquity employee was compromised, and the outside actor was able to gather data for two days before the malicious activity was noticed by the company.
Attribution/Vulnerability: Compromised employee email.
Customers Impacted: 23,000

https://www.infosecurity-magazine.com/news/23000-individuals-affected-in/

https://www.darkreading.com/operations/23000-compromised-in-healthequity-data-breach/d/d-id/1332050

Dixons Carphone
Exploit: Investigation ongoing.

Risk to Small Business: High: Breach response requirements of GDPR will significantly change how quickly companies must disclose breach incidents and respond.

Risk to Exploited Individuals: High: Card data of customers was accessed by an outside actor.

Dixons Carphone: Electronics company located in the UK.

Date Occurred/Discovered: July, 2017
Date Disclosed: June 2018
Data Compromised: Customer cards, names, addresses, email addresses
How it was Compromised: The investigation is currently ongoing into how the breach happened, but it was only just discovered a little under a year after it happened.
Attribution/Vulnerability: Unauthorized access to company data
Customers Impacted: 5.9 million

An important takeaway from this week is the damage that a single compromised email account can have on an organization of any size. With one compromised email account a bad actor can send countless employees malware from an unsuspicious and legitimate email, often times without the employee knowing their email is compromised. Don’t let your business end up on the next Week in Breach. Make sure you and your employees’ passwords are strong, not reused or shared, and that your credentials aren’t up for sale on the Dark Web, by monitoring with Dark Web ID™ by Prime Telecommunications.  Please share this week’s breach news with a coworker or friend.


This week in Breaches!


This week shows no shortage of targeted attacks designed to extract large datasets from a broad range of consumer sites. Travel, finance and entertainment sites were targeted, impacting more than 100,000,000 unsuspecting victims. If anything, this week clearly demonstrates why individuals need to proactively monitor for their compromised data with tools like our SpotLight ID – Personal Identity & Credit Monitoring Solutions. The events of this week also clearly demonstrate why businesses must monitor for compromised credentials that can be used to exploit internal systems and to compromise or take over customer accounts.

Highlights:

  • Leaked credentials from a 3rd party data breach used to exploit 45,000 Transamerica customers 
  • No Tickets for You! – TicketFly shuts down to identify and fix the source of leak impacting 26M customers
  • Booking.com shows that phishing attacks never take a vacation
  • Google Groups – taking a page right out of Amazon’s leaky bucket playbook?

In other news…

The City of Atlanta’s losing streak continues thanks to ransomware hacks! This time, the city’s evidence chain of custody was breached, allowing police evidence to be destroyed and impacting investigations and prosecutions.
https://cyware.com/news/atlanta-ransomware-attack-destroyed-years-of-police-dashcam-footage-potentially-critical-evidence-9e8134ac

Europol has a new team dedicated to cybercrime on the Dark Web, hoping to monitor and mitigate criminal activity. Multiple law enforcement agencies throughout Europe are participating in this team, in addition to some non-European organizations. Keep fighting the good fight!
https://www.welivesecurity.com/2018/06/01/europol-eu-team-fight-dark-web/

Google Groups can’t get its act together when it comes to privacy settings, resulting in accidental disclosure of users’ private documents. If your business uses Google Groups, make sure to set your group to private!
https://www.securityweek.com/thousands-organizations-expose-sensitive-data-google-groups

It looks like there’s more than just gators to watch out for in the Sunshine State… Florida was named the worst state in consumer cybersecurity.

https://www.darkreading.com/vulnerabilities---threats/survey-shows-florida-at-the-bottom-for-consumer-cybersecurity/d/d-id/1331983


 What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

TicketFly

Exploit: Database misconfiguration, hacker doxing/ransoming

Risk to Small Business: High: Demonstrates the impact of database misconfiguration and security controls.
Risk to Exploited Individuals: High: Social engineering and identity theft as a large amount of personal information including names, addresses and phone numbers of customers were leaked.
TicketFly: Owned by Eventbrite, TicketFly is a popular site where customers can purchase tickets online for upcoming events and shows.

Date Occurred/Discovered: May 30, 2018
Date Disclosed: TicketFly made an official statement on June 6, 2018
Data Compromised: Email addresses, phone numbers, billing addresses and home addresses
How it was Compromised: A hacker attempted to contact the company about a vulnerability, demanding 1 Bitcoin as ransom to reveal the weakness. The hacker claims the emails to the company went unanswered so the cybercriminal vandalized the TicketFly site and leaked some of the information acquired to the press.
Customers Impacted: 26 million, and even more if you consider the customers who are unable to buy tickets while the site has been down.
Attribution/Vulnerability: Undisclosed at this time.

https://www.marketwatch.com/story/ticketfly-breach-may-have-exposed-data-of-26-million-customers-2018-06-03

MyHeritage

Exploit: Unsecured/misconfigured data store. Poor data at rest encryption. Poor password encryption.
Risk to Small Business: High: Demonstrates the impact of database misconfiguration, security controls and weak encryption.
Risk to Exploited Individuals: Moderate: Email addresses leaked but DNA/family history data supposedly stored separately.
MyHeritage: Users search historical records and create a family tree using this web-based service from Israel.

Date Occurred/Discovered: October 26, 2017
Date Disclosed: June 4, 2018
Data Compromised: All email addresses and hashed passwords of users up to October 26, 2017
How it was Compromised: The CISO of MyHeritage received a message from a researcher that he had found a great deal of MyHeritage’s data on a server not connected with the site. The CISO confirmed that the data originated from their site but exactly how the data was acquired is not clear as of now.
Customers Impacted: 92,283,889 Users
Attribution/Vulnerability: Unclear, but MyHeritage did not store passwords, instead storing a one-way hash of each password with a key unique to each user. All credit card information is located on third party sites and the most sensitive information the website holds, such as family tree and DNA data, is stored in segregated systems with additional layers of security.

https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/#

https://motherboard.vice.com/en_us/article/vbqyvx/myheritage-hacked-data-breach-92-million

Transamerica
Exploit:  Compromised credentials
Risk to Small Business: High: Demonstrates the need to proactively monitor for compromised credentials from 3rd party data breaches and phishing attack mitigation.
Risk to Exploited Individuals: High: Highly sensitive personal information was stolen and could be used to impersonate an employee; or an outside agent could pose as a relative of an employee to phish for information.

Transamerica: This company offers mutual funds, retirement strategies, insurance, and annuities.

Date Occurred/Discovered: Between March 2017 and January 2018
Date Disclosed: May 2018
Data Compromised: Names, addresses, Social Security numbers, DOB, financial data and employment information
How it was Compromised: Third party compromised credentials were used to access users’ account data
Attribution/Vulnerability: Outside actor

https://cyware.com/news/transamerica-hacked-nearly-45000-retirees-personal-and-sensitive-details-stolen-c2c419f5

https://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/

Booking.com
Exploit: Phishing

Risk to Small Business: High: Demonstrates how well-crafted phishing attacks can lead to massive data loss even with a strong end-user security awareness training program and security tools in place.

Risk to Exploited Individuals: High: Money was stolen from the individuals who responded to the convincing email, and their stolen personal information could be used again.

Booking.com: A popular site for booking hotels, houses, apartments and boats.

Date Occurred/Discovered: June 2018
Date Disclosed: June 3, 2018
Data Compromised: Names, addresses, phone numbers, dates, price of bookings and reference numbers
How it was Compromised: Certain properties of Booking.com received a link that detailed a security breach and urged them to change their password. Once the link was clicked the hackers had access to booking information that they used to send highly convincing phishing emails to customers asking for advance payments. The emails contained booking and pricing info for previously booked rooms, making the emails almost indistinguishable from an actual email from the company. The company reported that there was no compromise on their systems and that any customers who lost money due to the incident will be reimbursed.
Attribution/Vulnerability: Outside actors, deployed through spam email campaign

https://www.independent.co.uk/travel/news-and-advice/travel-website-hackers-cyber-crime-phishing-holidays-a8382771.html

https://www.thesun.co.uk/money/6437309/hackers-target-booking-steal-thousands/

https://www.scmagazine.com/cybercriminals-phish-bookingcom-customers-after-possibly-breaching-partner-hotels/article/771091/

PageUp
Exploit: Malware
Risk to Small Business: High: Demonstrates that malware exploits are often very difficult to detect and defend against.

Risk to Exploited Individuals: High: It is unclear what information has been compromised and from which customers of PageUp, but given the nature of the company and the information they store, the risk is serious.

PageUp: A large Australian company that provides HR, career, and recruitment service to large and small businesses around the world.

Date Occurred/Discovered: May 23, 2018
Date Disclosed: June 6, 2018
Data Compromised: Unclear, but passwords were hashed and salted
How it was Compromised: The investigation into the breach is ongoing, but due to the new implementation of GDPR in Europe and Australia’s Notifiable Data Breaches Scheme, PageUp disclosed the breach in compliance with the laws.
Attribution/Vulnerability: Malware was found on one of PageUp’s IT systems, but how the malware entered the system is still being investigated

https://www.bleepingcomputer.com/news/security/malware-infection-at-hr-company-triggers-flurry-of-data-breach-notifications/


An important takeaway from this week finds its origin in research done by Dr. Michael McGuire, funded by Bromium and titled ‘The Web of Profit’: the unfortunate truth is that crime does pay. Cybercrime produces 1.5 Trillion each year, which rivals Russia’s GDP and would place cybercrime at number 13 in a comparison of the world’s highest gross domestic product. $500 Billion of that can be attributed to intellectual property theft, and data trading accounts for $160 Billion.

The scope of cybercrime profits and influence points to the conclusion that it is an economy in and of itself, a conclusion that is supported by the growth of platform criminality. Platform criminality is much like the business models of platform businesses such as Google, Uber, or Amazon that trade in data. Data is a profitable business as demonstrated by these famous companies (or at least two of them), and criminals have taken note.

Using the Dark Web as a means of facilitating transactions, cyber criminals are able to buy and sell anything from data to a zero-day exploit. The main takeaway from looking at how cybercrime has evolved is that cyber criminals are selling crime rather than committing it. Much like how Uber is selling a platform where drivers are paired with passengers, criminals are selling the tools and data needed to commit cybercrimes over ‘back alley’ marketplaces.

The research done by Dr. McGuire also highlights the importance of monitoring the Dark Web for personal information, stating:

“New kinds of software tools are required for uncovering how cybercriminals are using digital technologies for hiding and laundering revenues. One example would be virtualization tools that can generate safe havens, isolated from the internet, where illicit revenue-generating activity can be diverted and neutralized. Another would be more sophisticated scanning tools capable of better tracking and locating items of value across the net – in particular, personal data” (125).

Dr. McGuire also concluded that while Dark Web monitoring is vital to combatting the economy of cybercrime, it is far from an easy task. The difficult nature of monitoring the Dark Web is not just because it is harder to navigate than the traditional web; McGuire explains that it is “because many of the sites only grant access by word of mouth, or on the basis of ratings status and trust, which may take some time to build up” (57). The Dark Web and the economy surrounding it are nothing to take lightly, and ignoring its existence only adds to the ability of cyber criminals to go about their work unscathed. Dark Web ID by ID Agent fulfills this need for Dark Web monitoring: instead of turning a blind eye to the complex and dynamic reality of the cybercrime economy, our services dive right in.

https://learn.bromium.com/rprt-web-of-profit.html

https://www.darkreading.com/cloud/cybercrime-is-skyrocketing-as-the-world-goes-digital/a/d-id/1331905

Which Users Will Cause The Most Damage To Your Network And Are An Active Liability?


by Stu Sjouwerman

The statistic that four percent of employees will click on almost anything, with “Free Coffee” and “Package Delivery” taking some of the top spots among phishbait subject lines, may not sound like much.

However, keep in mind the most successful marketing campaigns only achieve around two percent. With double the response of most marketing initiatives, it’s no wonder that the phishing attacks keep coming.

That statistic comes from Verizon’s 2018 Data Breach Investigations Report. The report showed that the number of phishing emails continues to grow. The victims include government agencies that house some of our most sensitive records. The report also reveals that one quarter of all malware detected was ransomware, and it indicated that 68 percent of breaches go undetected for months.

The answer to fending off phishing campaigns may lie in the same employees who choose to click. Using a type of crowd-sourced security that turns employees into human sensors could be the answer. One example of this approach is the US Department of Defense Cyber Security/Information Assurance program, where contractors share intelligence with each other and the DOD.

With the right training, employees can learn to recognize phishing attempts and alert others of the impending threat. This type of information gives the IT team an advantage leading to a faster response.

Here are a few steps that can empower your employees to be human sensors using a Phish Alert Button:

– An aware victim can be a good sensor. Encourage employees to ask how reading a suspicious email makes them feel. Rushed, pressured, exploited? Then be wary. Train your employees to recognize how the email makes them feel.

– Build an intelligence network. If you make it easy to report potential threat emails, you’ll build a steady stream of alerts.

– But don’t overuse the “Abuse Box.” Phishing needs to be reported, but flooding an underprepared IT department with messages that need to be checked may be counterproductive. Make sure the IT department is ready to handle the volume, and build user awareness as you build capacity.

The number of phishing emails can be expected to grow. But with a change in the way your organization perceives and responds to social engineering, users can become your best defense and not your weakest link. As always, consider interactive, new-school security awareness training. It’s effective and extremely affordable.

GCN has the story, written by Lex Robinson who works at Cofense.

Free Phish Alert Button
When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4’s free Phish Alert Button to your employees’ desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.

Don’t like to click on redirected links? Cut & Paste this link in your browser:

https://info.knowbe4.com/free-phish-alert-partner?partnerid=0010c00001wis6gAAA

Our friend, Kevin Lancaster from ID Agent, continues in his weekly posting of the week in breaches and phishing attacks. This is important- not just for enterprises, but also for small and medium sized businesses. Attacks are coming in from all directions- here are some highlights from his post:

Protection from Hacks

Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.

Student of The Month in California!
Phish Teacher, Change Grades, Get Felony!  You can’t make this stuff up!

Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?


What we’re listening to this week:   

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


Highlights from The Week in Breach

  • Retail Point of Sale Systems (POS) can’t catch a break! can’t get their s*** together.
  • Healthcare insider threat strikes again.
  • Your legal case may have been closed… or deleted.
  • Your personality is revealing, and it may have been revealed.

Chili’s Restaurants
Retail

Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)

What you need to know: Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most systems do not reside within the traditional network environment, processing systems are most commonly exploited via compromised trusted 3rd party vendors, common credential stuffing and exploit kits delivered via email.

Chili’s Restaurants

Date Occurred/Discovered March-April 2018 / Discovered 5/11/18
Date Disclosed 5/14/18
Data Compromised Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.
How it was Compromised Malware
Customers Impacted Chili’s has not disclosed the restaurants impacted and/or the number of customers impacted.
Attribution/Vulnerability Undisclosed at this time.

http://time.com/money/5276047/chilis-data-breach-2018/

Note: Breaches have huge repercussions, often resulting in customers losing trust in the brands. According to a study from KPMG, 19% percent of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.

https://www.sfgate.com/technology/businessinsider/article/Chili-s-restaurants-were-hit-by-a-data-breach-12911248.php

Nuance Communications
Healthcare

Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit.  System and security control failure
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)

What you need to know: Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had limited ability to detect anomalous on-network behavior. With such a large percentage of its target market comprised of organizations that operate in regulated industries including Healthcare, Nuance should have invested in aggressive insider threat/insider mishap detection.

Organizations operating in regulated markets should take a more aggressive approach to both inside threat detection and threats originating within the supply chain as was demonstrated in this case.

Nuance Communications (speech recognition software)

Date Occurred/Discovered 11/20/17 – 12/9/17
Date Disclosed 5/14/18
Data Compromised Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.
How it was Compromised An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.
Customers Impacted Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.
Attribution/Vulnerability  Unknown/undisclosed at this time.

Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”

The incident is a reminder that Insider breaches remain one of the most difficult kinds of improper access attacks to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.

https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002

Mason Law Office
Legal

Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent Credential- based, account take-over exploit
Risk to Individuals: High: Sensitive PII and Legal Information loss and/ or deletion  

What you need to know:  It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account-based takeover compromise.  Legal firms leveraging 3rd party case management systems should take the time to review their security controls and procedure.  They should also conduct a full audit to determine who has access to what data within these 3rd party systems and make the required corrections.

Mason Law Office – Sacramento, CA (mycase.com)

Date Occurred/Discovered Discovered 5/5/18
Date Disclosed 5/14/18
Data Compromised Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.
How it was Compromised The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.
Customers Impacted Clients of Mason Law Firm using mycase.com.
Attribution/Vulnerability Unknown/undisclosed at this time.

https://www.databreaches.net/mason-law-office-notifies-clients-of-hack-involving-mycase-com/

myPersonality app
Information Technology / Lifestyle

Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)

Exploit: Application security misconfiguration resulting in credential-based exploit

Risk to Individuals: High (PII, Psychological Characteristics & Profile)

What you need to know: The developers of the personality app committed several major blunders in this case.

  1. Poor website/application security allowed for easy and unmonitored access to their website and underlying datasets.
  2. They failed to notice that their data set had been sitting out in the open for 4 years.
  3. The data stored within the platform was easily unkeyed and de-anonymized.

myPersonality app

Date Occurred/Discovered Exact dates unknown – 2014 – 2018
Date Disclosed 5/14/18
Data Compromised The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.
How it was Compromised Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.
Customers Impacted 3 million users of the app
Attribution/Vulnerability Publicly available credentials allowed access to the data. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.

 

https://www.databreaches.net/mypersonality-app-data-leak-exposed-intimate-details-of-3m-users/

https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/