The week in BREACH!!

Success Rate of Phishing by Day

 

This week you’ll hear how a supply chain attack could snatch your customers’ credit card information right from underneath you and why Google+ goes bye-bye.

Dark Web ID Trends:

  • Total Compromises: 974
  • Top Source Hits: ID Theft Forum (501)
  • Top PIIs compromised: Domains (973)
    • Clear Text Passwords (498)
  • Top Company Size: 11-50
  • Top Industry: High-Tech & IT

United States – Shopper Approved
https://www.zdnet.com/article/new-magecart-hack-detected-at-shopper-approved/
Exploit: Malicious code.
Shopper Approved: Utah-based company that provides a review widget for other companies’ websites, that allows customers to post reviews.
Risk to Small Business: 2.111 = Severe: This is another attack conducted by one (or more) of the several groups who operate under a similar style, given the term Magecart as a general identifier. Magecart is also responsible for the hacking of Ticketmaster and British Airways.

If your business uses Shopper Approved, you should remove the code from your website immediately.

Individual Risk: 2.428 = Severe: Those affected by this breach should cancel their credit cards and enroll in a credit monitoring service.
Customers Impacted: Unclear how many customers were affected by this breach, but only sites with the widget code on their checkout pages had credit card information compromised. The incident only lasted 2 days before being discovered, a much shorter span than many of the other Magecart breaches.
How it Could Affect Your  Business: A breach of this kind can often go unknown for a long period of time while the hackers collect valuable user data and credit card information. Even though it is a third party who was breached, it will be your business that takes the PR damage.
ID Agent to the Rescue: Spotlight ID™ by ID Agent offers comprehensive identity monitoring that also includes credit monitoring. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – Extreme Risk
2 – Severe Risk
3 – Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Rebound Orthopedics and Neurosurgery
https://cyware.com/news/hackers-hit-rebound-orthopedics-neurosurgery-2800-patient-records-compromised-026125d8
Exploit: Compromised employee credentials.
Rebound Orthopedics and Neurosurgery: Vancouver-based orthopedics and neurosurgery practice.
Risk to Small Business: 1.555 = Severe: This breach would have a long-lasting effect on customer trust for any business, and in many countries the government will fine an organization heavily for failing to secure health data.
Individual Risk: 2.142 = Severe: Health information is valuable data for hackers and useful for identity theft. Those affected by this breach are at a severe risk for insurance fraud and identity theft.
Customers Impacted: 2800.
How it Could Affect Your Business: Organizations that store health information are held to a higher standard for securing data due to the sensitive nature of the information and HIPAA laws. When an organization fails to keep the data secure, it reflects very poorly on the company and usually results in a fine from the government.
ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – Extreme Risk
2 – Severe Risk
3 – Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


In Other News:

Google –
Google+ will be shutting down, and yes Google+ is (or at least was) still around. After exposing more than 500,000 users’ data to external developers, the tech giant has decided the best course of action is to close down the failed social network. This move makes sense given the recent outrage against Facebook after the social media site exposed 50 million people’s data. An unfortunately fitting ending to the continuously failing website.
https://www.yahoo.com/news/google-exposed-user-data-feared-repercussions-disclosing-public-170304936–finance.html?soc_src=newsroom&soc_trk=com.apple.UIKit.activity.CopyToPasteboard&.tsrc=newsroom

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


A note for you:
e-mail….ware
New research has revealed that a whopping 90% of all malware is delivered via email. The team also discovered that the average employee will not go 48 hours without seeing a phishing message.  In addition, over half of the phishing messages examined used the word “invoice” in the subject line. A little under a quarter (21%) of the flagged emails also had malicious attachments sent with the phishing message.

Watch out for suspicious emails! All it takes is one employee to fall for a phishing email and an entire organization can be compromised.

https://www.darkreading.com/attacks-breaches/most-malware-arrives-via-email/d/d-id/1333023

 

Need to learn more about your Dark Web exposure? Click Here!

Want some free tools to combat phishing? Click Here

Advertisements

The Week In Breach

Passport Dar kWeb

Trends in data found on the Dark Web this week:

  • Total Compromises: 24,968
  • Top Source Hits: ID Theft Forum
  • Top PIIs compromised: Domains
    • Clear Text Passwords (24,884)
  • Top Company Size: 11-50
  • Top Industry: Construction and Engineering

Canada – Altima Telecom
https://techcrunch.com/2018/10/01/altima-telecom-server-flaw-customer-data-exposed/
Exploit: SQL injection attack.
Altima Telecom: Serving Montreal and Toronto, Altima Telecom is one of the largest independent Canadian internet service providers.
Risk to Small Business: 1.555 = Severe: As the risk score shows, this is a severe breach that could deal major damage to any organization. Payment info exposure is a particularly significant deterrent for customers looking to do business.
Individual Risk: 2.142 = Severe: Those affected by this breach are at an increased risk for identity theft and spam.
Customers Impacted: All of Altima Telecom’s customers.
How it Could Affect Your Business: Not only was all the organization’s customer data exposed by this breach, but the affected data was highly sensitive. This would sever trust between the customer and the organization, which could take a significant time to rebuild.
ID Agent to the Rescue: Spotlight ID™ by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Apollo
https://cyware.com/news/hackers-hit-apollo-stealing-database-containing-200-million-contact-records-d9c87501
https://techcrunch.com/2018/10/01/apollo-contacts-data-breach/
Exploit: Unclear at this time.
Apollo: New York-based sales engagement startup.
Risk to Small Business: 2 = Severe: This could deal a significant blow to an organization’s ability to retain customers.
Individual Risk: 2.428 = Severe: The customers affected by this breach will be at a higher risk for spam due to the nature of the data accessed.
Customers Impacted: 200 million.
How it Could Affect Your Business: A breach that exposes such a large number of customers will garner media attention and erode customer trust significantly.
ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


In Other News:
The Chinese Chip
China was able to infiltrate US companies and governmental agencies with a simple but effective supply chain attack. The attack was discovered after Amazon had a third party examine the hardware of the servers they purchased from another American company that manufactures their servers in China. The company discovered a microchip on the servers that allow for attackers to make stealth doorways on their network. Hardware attacks are rarer and more difficult to execute than software attacks, but with China making 90% of the world’s PCs, they are in a good position to continue using hardware to infiltrate organizations across the world.

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show


Planning your next vacation may have just gotten weird… 

Where should I go? This is a normal question one thinks about when planning a trip. Should I go to white sandy beaches or breathtaking mountains?
When should I go? Do I visit family during the holidays, or do I plan a summer getaway?
Who should I be? This question is asked much less, but maybe more than you think. A recent study has uncovered startling secrets surrounding the passport market on the Dark Web!

  • The average cost of a passport scan on the Dark Web is $14.71.
  • Australian passport scans are the most common, but the average cost is the most expensive at $61.27.
  • The average price of a real physical passport is $13,567, while a counterfeit physical passport is just under $1,500 ($1,478).

The Dark Web is a place where black markets and illicit activity reign. In the depths of the Dark Web, identities are traded regularly and for a low price, so why leave the unknown unchecked? With Spotlight ID, know that your identity is safe even from the darkest corners of the Dark Web.
https://www.comparitech.com/blog/vpn-privacy/passports-on-the-dark-web-how-much-is-yours-worth/

The Week in Breach 07/09/2018 to 07/18/2018

The Week in Breach

This week there was a TON of attention in the media about dark web markets and what’s bought and sold in these shady marketplaces. Timehop, a social media nostalgia app was breached exposing the PII of at least 21 million individuals, due to lack of 2FA, while Macy’s was hit with a breach where credit card data was accessed.

 Highlights from The Week in Breach:

– Pedal to the metal! Gas stolen in hack.
– Tracking military workouts!
– Macy’s falls victim to a breach.
– Timehop wishes it could turn back time for more security!

In Other News:

Dead Men Do Tell Tales
Hackers on the Dark Web have always sold medical records, as they are valued much higher than credit card info or PII. Researchers found this week that bad actors in these dark corners of the web are also selling medical records of deceased patients, with one vendor claiming to have 60,000 available for purchase. The records for sale include name, SSN, Address, zip code, phone number, birthday, sex, insurance and even date of death. What ever happened to respecting the dead?
https://threatpost.com/deceased-patient-data-being-sold-on-dark-web/133871/

Classified Documents for $200
The U.S. military can’t escape the Dark Web either! A lot of military documents have turned up on dark web markets after a hacker, with only a moderate level of technical skill, was able to access a captain’s computer through a previously-disclosed FTP vulnerability. Some of the documents are classified, and all of them contain sensitive data about military tactics or hardware. One of the documents is a maintenance book for the MQ-9 Reaper drone which is regarded as one of the deadliest drones used by the United States. How much money will classified U.S. military documents fetch on the Dark Web? $200. That says a lot about how much information is available for criminals to buy.
https://www.theverge.com/2018/7/10/17555982/hacker-caught-selling-stolen-air-force-drone-manual-dark-web

A $10 Key into Your Network
Remote access to IT systems is a competitive market on the Dark Web, with some running an interest to criminals for as low as $10! Some of these forums have tens of thousands of compromised systems available for bad actors to choose from, across all versions of Windows and at places such as international airports, hospitals and governments. One international airport found on the site had the administrator account exposed, as well as accounts associated with the companies that provide camera surveillance and building security. That’s not a good look!
https://www.zdnet.com/article/hackers-are-selling-backdoors-into-pcs-for-just-10/

Gassed Up
This week in Detroit, two suspects managed to steal over 600 gallons of gasoline after hacking the gas pump. The fuel is worth about $1,800 and was taken in broad daylight over the course of 90 minutes. At least 10 cars benefited from the hack and the police are at a complete loss on who conducted the hack. The hacker or hackers used a remote device that was able to alter the price of the gas and lock out the clerk from being able to shut off the affected pump. With gas prices being so high, it’s likely that attacks like this will continue in the future.
https://www.clickondetroit.com/news/men-hack-into-pump-at-detroit-gas-station-steal-600-gallons-of-gas_

Fitness App Turned Finder App
A fitness tracking app hailing from Finland has disabled their global activity map after it was revealed it could be used to track the geolocation of military personnel. The map showed the biking and running routes of its users, but also included the usernames of each person, allowing one to cross-reference the username with other websites and possibly identify the person’s name. Using the map, one could see where the person jogged around their home address and around the military base; possibly even bases that are secret to foreign countries.
https://www.bleepingcomputer.com/news/technology/polar-app-disables-feature-that-allowed-journalists-to-identify-intelligence-personnel/

Sex Appall
A twist on a classic email scam has appeared this week, with the classic ‘sextortion’ scam getting an upgrade. Now rather than just an intimidation email where targeted parties pay up out of fear of friends and family finding out what they do privately, the email also includes a password. The password appears to be from a large or multiple large data breaches, but these data breaches appear to be fairly old. Those who reported receiving the email claimed that the passwords were correct… ten years ago. While the passwords are outdated in many cases, this likely indicates that we will see more complex versions of this scam appearing in the near future.
https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/#more-44406

Podcasts:

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – Macy’s

Exploit: Supply chain exploit.
Risk to Small Business: High: A bad actor accessing names and card information can severely damage consumer trust in a brand.
Individual Risk: High: Individuals affected by this breach are at high risk of their credit card details being sold on the Dark Web.
Macy’s: Large department store chain.
Date Occurred/Discovered: April 26 – June, 2018
Date Disclosed: July, 2018
Data Compromised:

  • Full name
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Debit/ credit card numbers
  • Expiration dates

Customers Impacted: Unclear but the hacker operated undetected for almost 2 months.
https://cyware.com/category/breaches-and-incidents-news

United States – Timehop

Exploit: Lack of 2FA on cloud infrastructure.
Risk to Small Business: High: All of Timehop’s customers were a part of this breach, which discredits the organization and could have long-lasting effects on the business.
Individual Risk: Moderate: The credentials stolen could be used to compromise other accounts.
Timehop: Social media aggregation site that allows users to see posts made in the past.
Date Occurred/Discovered: July 4, 2018
Date Disclosed: July 8, 2018
Data Compromised:        

  • Names
  • Email addresses
  • Phone numbers
  • Date of birth
  • Gender

Customers Impacted: 21 Million.
https://www.infosecurity-magazine.com/news/timehop-breach-hits-21-million/
https://www.timehop.com/security
https://techcrunch.com/2018/07/11/timehop-data-breach/

United States – Cass Regional Medical Center

Exploit: Ransomware.
Risk to Small Business: High: A ransomware attack on any business in any sector would greatly diminish the organization’s ability to operate as needed. In some ransomware cases the data encrypted is lost entirely.
Individual Risk: Moderate: At this point in time there is no evidence that the data affected was also exfiltrated.
Cass Regional Medical Center: Missouri based medical center.
Date Occurred/Discovered: July 9, 2018
Date Disclosed: July 9, 2018
Data Compromised: The medical center’s internal communications system and access to their electronic health record system were affected by the hack, but there is no public indication that patient data has been accessed.
Customers Impacted: Many details surrounding the attack are being withheld from the public at this time, but restoration of the affected systems were at 50% as of July 10, 2018.
https://cyware.com/news/missouris-cass-regional-medical-center-hit-with-ransomware-attack-92884b12

Germany – DomainFactory

Exploit: Dirty cow vulnerability. (this is a nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild)
Risk to Small Business: High: A breach including banking account numbers would heavily damage the reputation of a small business.
Individual Risk: High: A wealth of PII was accessed during this breach and could leave individuals vulnerable to account takeover or identity theft.
DomainFactory: Web hosting service based in Ismaning.
Date Occurred/Discovered: July 6, 2018
Date Disclosed: July 9, 2018
Data Compromised:

  • Names
  • Addresses
  • Phone numbers
  • DomainFactory passwords
  • Dates of birth
  • Bank names/ account numbers
  • Schufa scores

Customers Impacted: The amount of customers impacted has not been made publicly available.
 https://www.zdnet.com/article/user-data-exposed-in-domain-factory-hosting-security-breach/
https://www.infosecurity-magazine.com/news/unauthorized-party-accessed/


 Did you know?

The cost of a breach
A recent study conducted by IBM provides some context to the same old story that you hear in the news of big bad breaches and how scary they are for your business. The Cost of a Data Breach Study by Ponemon* puts numbers to these stories and provides a wealth of analysis so even someone who has never used a computer before can quantify the seriousness of a breach… as long as they are familiar with money.

The average cost of a breach increased this year by 6.4%, with the per capita cost rising less, but only barely, by 4.8% (page 3). The cost of a data breach varies greatly by country, with the United States average breach price coming in at $7.91 Million and per capita costing $233. Canada’s per capita cost is the second highest out of the nations surveyed at $202 per record, and their average price of a breach is $4.74 million. Australia’s cost of a breach is less than the US and Canada, but Aussies are far from getting off free. The average cost of a breach down under is $1.99 million and the per capita cost averages at $108 (page 13).

The study also explored the main factors that were found to affect the cost of a breach, stating 5 major contributing factors that could make the difference between a manageable breach vs a mega breach. The loss of customers following a breach, the size of the data breach, the time it takes to identify and contain a breach, management of detection costs and management of the costs following a breach are the factors that most contribute to the cost of a breach (page 7). The time it takes to identify a breach being a major contributing factor to the cost of a breach is particularly important due to the fact that organizations saw an increased time to identify a breach this year. This can be contributed to the ever-increasing severity of malicious attacks companies face and highlight the need for proactive monitoring for breaches, as well as a serious focus on cybersecurity on a management level. That’s why tools such as Dark Web ID™ that dredge the Dark Web for personal information and credentials can contribute greatly to decreasing the cost of a breach. Organizations that identified breaches within 100 days saved more than $1 Million (page 9) compared to companies who did not. That says a lot because after all… money talks.

*Source: Ponemon Cost of Breach Study 2018

New Cybersecurity Regulations on Horizon for Corporate America

Image result for horizon

 

Prime Telecommunications, Inc., a leading managed technology services provider, is helping small to mid-sized businesses (SMBs) navigate the recent changes in cybersecurity standards that are highly likely to affect American businesses. Many have heard about Facebook’s recent controversy around Cambridge Analytica and irresponsible data sharing policies. Marc Zuckerburg even testified in front of the EU in order to address these major concerns and the result has been the passing and implementation of the GDPR (General Data Protection Regulation), which took effect in Europe in late May.

This new regulation demands transparency and responsible data practices on the behalf of all companies that do business in the EU. Some examples of GDPR in effect are 1) Requiring all subscribers to opt-in again to receiving all newsletters/marketing emails/etc. and 2) Companies need to report any major data breaches to all of their customers within 72 hours of the breach occurring. There are many more components to the regulation, however, the penalties for not adhering to these standards are in the millions.

This standard is very likely to reach the US marketplace and for most companies, this standard is already affecting their businesses. For example, if a business has any suppliers, customers, or satellite offices in countries located within the EU, they need to take a serious look at their data practices and make sure they are compliant. In time, many experts expect GDPR or some derivation of it to affect US-based businesses. “We strongly believe data regulation is coming to the US marketplace it’s certain that some form of cybersecurity regulation is imminent and severe penalties will follow businesses that aren’t compliant,” stated Vic Levinson, President of Prime Telecommunications. “There’s simply been too many data breaches that have affected major companies like Dropbox and Target for regulation not to come. When it does Prime Telecommunications’ proven cyber security program will play a major role in helping our customers meet these new regulations,” added Mr. Levinson.

Cybersecurity has transitioned from the era where an enterprise could “play dumb,” expect a slap on the wrist, pay minor fines and resume business as usual. Cybersecurity is now a central pillar of any organization’s success or demise and with the stakes as high as they are now, SMBs need to address their data policies and practices immediately.

While most business owners dread the idea of spending time, energy and money on meeting a new compliance, the simultaneous opportunity is for businesses to leverage the expertise of Prime Telecommunications to lower their operating costs through the deployment of advanced technology to offset the new investments in cybersecurity that they will likely be required to make. Whether the organization is large or small, soaring or declining, it’s time to revisit cybersecurity policies today.

The Week in Breach: 07/02/18 – 0706/18

 

While it has been a slow week in terms of the number of breaches, the severity of the breaches that did occur this week is nothing short of disturbing. The information exposed on the open web by ALERRT could be used with far-reaching effects…including both physical and permanent consequences. A cyber-attack conducted against a small business hosting provider in Australia also highlights a “WORST case” scenario for a breach. I strongly encourage everyone to check out their website here for a sobering reminder of what a company crippled by a breach looks like. When you cannot contact your customers to tell them that you have been breached, because you don’t even have a complete list of who your customers are… well, this is a good example of how damaging a breach can be.

In other news…

  • GDPR is inspiring others around the globe to enhance privacy and breach notification laws!
  • Hey T-Mobile Customers, are your photos safe?
  • Big Brother aka “Google” is exposing us again!
  • Privacy and Breach Notification laws are spreading globally

California has enacted a law similar to GDPR. This statute is widely regarded as one of the strongest privacy laws in the country and goes into effect in 2020, giving those who do business in the state some time to prepare for the change. The bill assures that organizations have to tell a consumer if their data is being collected, who it will be shared with, and the business purpose for collecting personal data.
https://www.darkreading.com/attacks-breaches/californias-new-privacy-law-gives-gdpr-compliant-orgs-little-to-fear/d/d-id/1332217

Cali is not the only place that was inspired by the implementation of GDPR. Brazil has passed a data protection bill in early June that if made into law, would prevent organizations from collecting and processing Brazilians’ data without informing users. Breaches are also covered by the bill, which requires organizations to report breaches immediately with fines up to 4% of revenue for those who don’t comply.
https://www.zdnet.com/article/brazil-moves-forward-with-online-data-protection-efforts/

Hello… Photos.
Those who have Samsung phones should be careful what they keep in their photo gallery! There are reports of Galaxy users having their photos sent to random contacts without their knowledge. This bug seems to only affect T- mobile users, but it is probably best to lean on the side of caution, considering the ramifications of sending the wrong photo to the wrong person.

https://techcrunch.com/2018/07/02/some-samsung-users-say-their-phones-randomly-sent-photos-to-contacts/

Gmail has its eye on you!
Google has been allowing third parties to read through people’s inboxes, according to a report by the Wall Street Journal. While the creator of Gmail has promised to stop scanning emails on their platform to curate ads, the organization has been allowing third parties to access inboxes if the user has opted into email-based tools like travel itinerary planners. These third parties are not just using AI to snoop through messages either…oftentimes employees of the organization go digging for information themselves.
https://www.nbcnews.com/tech/security/google-reportedly-allowed-outside-app-developers-read-user-emails-despite-n888571

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


Australia – Cyanweb Solutions – Total Devastation Event

Exploit: DDos Attack, Web server compromise, data encryption/ ransomware & data destruction.

Risk to Small Business: Extreme/Total Devastation: This is a catastrophic event impacting Cyanweb and its 400 customers that relied on them for web hosting.

Risk to Exploited Individuals: Extreme/ Total Devastation: This breach may devastate the businesses that relied on Cyanweb. This will also impact those businesses downstream customers and the employees of the impacted businesses. The goal was maximum data loss/ total devastation.

Cyanweb Solutions: Digital marketing and web provider based in Perth.

Date Occurred/Discovered: June 27th, 2018

Date Disclosed: July, 2018

Data Compromised: Only 12% of customer data survived the attack. 1200- 2500 man hours of work between the 3 employees is estimated for a full recovery.

How it was compromised: A ‘professional’ group distracted the admin with a DDoS attack while simultaneously infiltrating the server and delivering a ‘seek and destroy’ payload.

Customers Impacted: 435 accounts.
https://www.crn.com.au/news/perth-web-hosting-provider-cyanweb-solutions-hit-by-criminal-hacking-data-and-backups-lost-496455
https://www.cyanweb.com.au/

United States – ALERRT

Exploit: Negligence (no password required to access web server.)

Risk to Small Business: High: A breach that is a result of negligence dramatically reduces confidence in the company by consumers.

Risk to Exploited Individuals: Extreme: Compromised PII, password and correspondence that can be used to target and exploit individuals including law enforcement.

ALERRT: A federally funded active shooter training center for law enforcement.

Date Occurred/Discovered: June 2018

Date Disclosed: June 2018

Data Compromised:  

  • Work contact information
  • Personal email addresses
  • Work addresses
  • Cell numbers
  • Who has taken ALERRT courses, with feedback
  • Full name of those who took the course
  • Zip code
  • Histories on instructors
  • Instructors skills and training
  • Names of instructors
  • Geolocations of:
    • Schools
    • Courts
    • Police departments
    • City halls
    • Places where people gather such as universities and malls
  • Officers home addresses
  • 85,000 emails between staff and trainees dating back to 2011 including:
    • Password reset emails
    • Names
    • Email addresses
    • Phone numbers
    • The courses taken
    • When the courses were offered
  • Highly sensitive information about weaknesses in response ability

Customers Impacted: 65,000 officers, but this information could be harmful to anyone in the U.S. given how it could be used by domestic terrorists or other bad actors.
https://www.zdnet.com/article/a-massive-cache-of-law-enforcement-personnel-data-has-leaked/

UK – National Health Service

Exploit: Coding error/ misconfiguration leading to privacy violation.

Risk to Small Business: High: A breach of this size that essentially mislead those who specifically requested for their health information to be kept private would shake the trust of any customer. Privacy laws, including the EU’s GDPR, will impose harsh fines and penalties for similar incidents moving forward.

Risk to Exploited Individuals: Lowthe data was exposed externally and picked up by hackers.

National Health Service: The public health services in the United Kingdom.

Date Occurred/Discovered: March 2015 – June 2018

Date Disclosed: July 2nd, 2018

Data Compromised: 

  • Health Data

How it was compromised: A supplier defect that did not properly indicate that the patient’s data was to be only used for medical treatment.

Customers Impacted: 150,000
https://cyware.com/news/nhs-data-breach-exposing-150000-patients-sensitive-health-details-blamed-on-coding-error-40aa0ccf

https://www.parliament.uk/business/publications/written-questions-answers-statements/written-statement/Commons/2018-07-02/HCWS813/


Often times there is no “why”, just a “because”!

The Cyanweb Solutions breach was well organized and a caused catastrophic damage to both Cyanweb and the hundreds of customers that replied on them for hosting support. It’s nearly impossible to quantify the overall financial impact that this breach has caused.

When conducting post-breach forensics, the first question often asked is “why” – what was their motivation to destroy this small business? Often times, the answer is “because they could”.  The group conducted this takedown overwhelmed Cyanweb with a massive DDos attack, and while distracted, they compromised the servers, escalated their access, encrypted user data and proceeded to destroy almost everything – including backups. It did not take long for Cyanweb to discover the attack, but by the time they did, 88% of their data was permanently deleted.

This attack demonstrates how quick and devastating an attack can be on a small business.  Cyanweb was a trusted provider to hundreds of organizations, yet they lacked the proper security controls to secure their customer’s data, thus breaching their fiduciary responsibility. Whether we like it or not, we have to proactively invest in cybersecurity solutions to protect the continuity of our business and ensure those that count on us are secured.

Regardless of the size of your business or the industry we’re in, we’re all targets.

The Week In Breach! June 15 to June 22 2018

Dark Web

It should serve as no surprise, two of the breaches profiled this week occurred as the result of compromised email address and passwords. The particular events highlight the need to make password hygiene and compromised credential monitoring front and center.

This week also demonstrates that healthcare organizations are increasingly targeted by bad actors. Heathcare related PII/PHI is increasingly valuable and sought after in dark web markets and forums.  

A few more highlights…

– Malware on the move!  New Malware targeting Android phones making the rounds 

– Cortana… the weakest link? An exploit in Windows 10 was patched on Tuesday that allowed one to change passwords

– AI startup working on the United States drone program finds Russian malware on their server

– The Nigerian princes are back! This time, they want to be business partners…

There is a new mobile malware targeting Android phones, containing a banking Trojan, keyloggers, and ransomware. The malware, called MysteryBot will exfiltrate your data and send it back to LokiBot assets. While it’s still not in wide circulation, Android users should exercise caution when downloading apps both in and out of the play store.
https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

A vulnerability that used Cortana to access computer files even if the device was locked was revealed this week… just after patch Tuesday.
https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140/

Across the globe, email scammers are a consistent source of problems for those who use the web. This week the FBI made 74 arrests across 7 countries and an email scam bust that targeted mid-sized businesses. The scam originated in Nigeria, the same country where the notorious ‘Nigerian prince’ email scam comes from.
https://www.cnet.com/news/fbi-busts-international-email-fraud-ring-that-stole-millions/

Look out for suspicious .men! Some top-level domains are more likely to be malicious than others, with .men .gdn and .work being the most abused. If you open a .men link there is about a 50/50 chance that you are going to a site loaded with spam or malware. Check those hyperlinks!
https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/

What we’re listening to this week!

Know Tech Talks – Hosted by Barb Paluszkiewicz

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Elmcroft Senior Living

Exploit: Outside actor.

Risk to Small Business: High: Lack of Data Loss Protection (DLP) and chain of custody leading to breach

Risk to Exploited Individuals: High: Elevated probability for Identity theft and fraud based on PII compromised.

Elmcroft: Recently ending its management of more than 70 assisted living, memory care, and inpatient hospital rehabilitation, Elmcroft was in wind-down mode when the breach occurred.

Date Occurred
Discovered
Occurred May 10th 2018, Discovered on May 12th
Date Disclosed Elmcroft made an official statement on June 8th, 2018
Data Compromised Names

Date of birth

Social Security Numbers

Personal health information

How it was Compromised A third party had access to information being transferred from Elmcroft to the new management company
Customers Impacted
Residents

Residents family members

Employees

Possibly others

Attribution/Vulnerability Undisclosed at this time.

https://www.mcknightsseniorliving.com/news/data-breach-puts-personal-information-of-residents-workers-at-risk-elmcroft-senior-living-says/article/772385/

Terros Health

Exploit: Phishing scam that compromised one account.

Risk to Small Business: High: Demonstrates phishing is still a primary tactic to generate exploits and how one compromised email account can end in a major breach.

Risk to Exploited Individuals: High: Sensitive personal information, Social Security numbers and medical information were leaked all of which can be used maliciously by an outside actor.

Terros Health: Phoenix-based mental health and addiction services provider.

Date Occurred
Discovered
April, 2018
Date Disclosed June 8th, 2018
Data Compromised
Patient names

Date of birth

Social Security number

How it was Compromised
Phishing scam that compromised a single email account
Customers Impacted
1,600 patients
Attribution/Vulnerability One compromised email due to a phishing scam

https://www.bizjournals.com/phoenix/news/2018/06/10/terros-healthwarns-of-patient-data-breach.html

Clarifi
Exploit: Malware exploit to steal IP

Risk to Small Business: High: Demonstrates the need to harden security when dealing with Intellectual Property and being targets as a Federal Contractor/Supply Chain Sub-contractor.

Risk to Exploited IndividualsHigh: Highly sensitive military information is located at the company, making individuals who work their targets for state-sponsored hacking.

Clarifi: An artificial intelligence startup based in New York involved in improving U.S. military drones.

Date Occurred
Discovered
November, 2017
Date Disclosed June 2018
Data Compromised
Possibly customer data, although Clarifi denies that any data was compromised.
How it was Compromised Unclear, although the origin of the malware is believed to be Russian.
Attribution/Vulnerability Malware
Customers Impacted The company assures that no customer data was compromised

https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hacked

https://cyware.com/news/ai-startup-clarifai-working-on-pentagons-project-maven-was-allegedly-hacked-by-russian-source-8a171b30

HealthEquity
Exploit: Compromised email.

Risk to Small Business: High: Demonstrates the need for compromised credential monitoring and implementing stronger authentication tools.

Risk to Exploited Individuals: High: sensitive personal information and Social Security numbers were accessed during the breach.

HealthEquity: Utah based firm that handles millions of health savings accounts.

Date Occurred
Discovered
April 11, 2018
Date Disclosed June  2018
Data Compromised Names of members

HealthEquity ID numbers

Names of employers

Employers HealthEquity IDs

Social Security numbers

How it was Compromised
An email account of a HealthEquity employee was compromised, and the outside actor was able to gather data for two days before the malicious activity was noticed by the company.
Attribution/Vulnerability Compromised employee email.
Customers Impacted 23,000

https://www.infosecurity-magazine.com/news/23000-individuals-affected-in/

https://www.darkreading.com/operations/23000-compromised-in-healthequity-data-breach/d/d-id/1332050

Dixons Carphone
Exploit: Investigation ongoing.

Risk to Small Business: High: Breach response requirements of GDPR will significantly change how quick companies must disclose breach incidents and respond.

Risk to Exploited Individuals: High: Card data of customers was accessed by an outside actor.

Dixons Carphone: Electronics company located in the UK.

Date Occurred
Discovered
July, 2017
Date Disclosed June  2018
Data Compromised Customer Cards

Names

Addresses

Email addresses

How it was Compromised
The investigation is currently ongoing into how the breach happened, but it was only just discovered a little under a year after it happened.
Attribution/Vulnerability Unauthorized access to company data
Customers Impacted 5.9 million

An important takeaway from this week is the damage that a single compromised email account can have on an organization of any size. With one compromised email account a bad actor can send countless employees malware from an unsuspicious and legitimate email, often times without the employee knowing their email is compromised. Don’t let your business end up on the next Week in Breach. Make sure you and your employees’ passwords are strong, not reused or shared, and that your credentials aren’t up for sale on the Dark Web, by monitoring with Dark Web ID™ by Prime Telecommunications.  Please share this week’s breach news with a coworker or friend.

Highlights from The Week in Breach: May 30 to June 6 2018

Highlights from The Week in Breach:

– Finance sector attacks ramping up
– BackSwap JavaScript injections effectively circumventing detection
– Honda has leaky buckets too

This week in breach has all been about money, money, money. The finance sector is getting pelted with attacks recently – even more than usual – and Mexico, Canada, and Poland have been hit the worst.

In other news…

North Korea is still up to their old tricks, targeting South Korean websites with advanced zero-day attacks.
https://www.bleepingcomputer.com/news/security/activex-zero-day-discovered-in-recent-north-korean-hacks/

School is letting out which means grade changing breaches are in season! Two students at Bloomfield Hills High School attempted to fudge their report card and refund lunches for themselves and 20 other students.
https://www.forbes.com/sites/leemathews/2018/05/22/school-hackers-changed-grades-and-tried-to-get-a-free-lunch/#478b6d026e7d

The government of Idaho was hacked 2 times in 3 days which is not a very good look.
https://idahobusinessreview.com/2018/05/22/state-government-hacked-twice-in-three-days/

Coca-Cola had a breach that compromised 8,000 employees’ personal data, but they are also providing identity monitoring for a year at no cost. Ahh… refreshing, isn’t it?
https://www.infosecurity-magazine.com/news/no-smiles-for-cocacola-after-data/


 What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Simplii Financial (CIBC) & Bank of Montreal
Exploit: Spear Phishing
Type of Exploit Risk to Small Business:  High: Personal and account information from a large number of customers were compromised, opening up the possibility of identity theft for business owners or employees.

Risk to Exploited Individuals: High: A large number of both personal and account information was breached from both banks including social insurance numbers and account balances. 

Simplii Financial: Owned by CIBC, Simplii Financial is a Canadian banking institution offering a wide array of services for their customers such as mortgages and investing.

BMO (Bank of Montreal): BMO is also a Canadian banking institution that offers investing, financial planning, personal accounts, and mortgages.

Date Occurred/
Discovered
The weekend of the 25th
Date Disclosed May 28, 2018
Data Compromised Personal and account information of the two bank’s customers. The hackers provided a sample of the breached data, containing the names, dates of birth, social insurance number and account balances of two customers.
How it was Compromised It is believed that both bank data breaches have been carried out by the same group of fraudsters, due to the time frame and ‘blackmail’ strategy of the group rather than selling of the data. It is suspected that a spear phishing attack was used, focusing on individual employees with targeted phishing attempts rather than a ‘dragnet’ approach typically seen in phishing attacks.
Customers Impacted
Between the two banks over 90,000 people’s personal and account information was compromised during the breach. CIBC owned Simplii Financial reported 40,000 accounts compromised compared to BMO who declared 50,000 accounts compromised later on the same day.
Attribution/Vulnerability Undisclosed at this time.

http://www.cbc.ca/news/business/simplii-data-hack-1.4680575

Honda Car India
Exploit: Misconfigured/ Insecure Amazon S3 buckets
Type of Exploit Risk to Small Business: High
Risk to Exploited Individuals: Moderate: Presumably low-risk PII and vehicle information exposed.
Honda Car India: Honda is an international cooperation from Japan that specializes in cars, planes, motorcycles and power equipment.

Date Occurred/
Discovered
The details were left exposed for at least three months. A security researcher who was scanning the web for unsecured servers left a message of warning timestamped February 28.
Date Disclosed May 30 2018
Data Compromised
Names
User gender
Phone numbers for both users and their trusted contacts
Email addresses for both users and their trusted contacts
Account passwords
Car VIN
Car Connect IDs, and more
How it was Compromised
A researcher who was scanning the web for AWS S3 buckets with incorrect permissions left a message in Honda Car India’s server to try and warn them to secure their server. Honda was not even aware that the note was added, signaling a complete lack of monitoring on the companies part.
Customers Impacted
50,000 of Honda Car India’s customers have had their personal info exposed on the internet for three months at the minimum.
Attribution/Vulnerability Negligence. Once the researcher noticed that Honda had still not secured their buckets, he reached out to them but it still took the company 2 weeks to respond.

https://www.bleepingcomputer.com/news/security/honda-india-left-details-of-50-000-customers-exposed-on-an-aws-s3-server/

SPEI
Exploit: Man in the Middle Attack
Type of Exploit Risk to Small Business: Severe: Security certificate exploit, website login spoofing, traffic re-direct. Significant financial loss. Threat intelligence/ data share fail.
Risk to Exploited IndividualsLow:  Financial Institutions will absorb the loss.

SPEI: Mexican domestic payment system.

Date Occurred/
Discovered
A breach was first detected on April 17th, with 5 more financial institutions being breached on April 24th, 26th, and May 8th.
Date Disclosed May 2018
Data Compromised
$15 Million stolen
How it was Compromised The central bank of Mexico experienced a man in the middle attack in April that it was able to stop, but failed to warn other financial institutions in the country about the severity of the incident. This led to 5 other financial institutions being compromised except the attacks were successful. It is unclear exactly how the hackers were able to enter the network, but the situation is constantly developing.
Attribution/Vulnerability Outside actors/ not disclosing breach possibly facilitated more breaches.
Customers Impacted Multiple financial institutions in Mexico

https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret

Polish Banks
Exploit: JavaScript malware injection named BackSwap
Type of Exploit Risk to Small Business: High: Sophisticated JavaScript injection designed to bypass advanced security/ injection detection.
Risk to Exploited Individuals: High: those who used the polish banks targeted by the new malware will take a financial loss, 2FA does not combat this.

Polish Banks: 5 Polish banks are being targeted

Date Occurred/
Discovered
The banking malware was first introduced in March 2018. The malware has been increasingly active since then.
Date Disclosed May 2018
Data Compromised Banking account information and funds
How it was Compromised
A new malware family. This family of banking malware uses an unfortunately elegant solution to bypass traditional security measures, using Windows message loop events rather than process injection methods to monitor browsing activity. When an infected user begins banking activities, the malware injects malicious JavaScript directly into the address bar. The script hides the change in recipient by replacing the input field with a fake one displaying the intended destination.
Attribution/Vulnerability Outside actors, deployed through spam email campaign

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

The last couple of months has seen an increase in the number of attacks on financial institutions around the world. Both the Bank Negara Malaysia and Bancomext were targeted in SWIFT-related attacks while two Canadian banks’ data was held at ransom in a massive breach. The largest three banks in the Netherlands were hit by DDoS attacks, the Swiss Financial Market Supervisory Authority stated that cyber-attacks were the greatest threat to their banks, while at the same time British banks spending on fighting financial crime sits at 5 billion pounds.

While no sector is immune from cyber-attack, the nature of the financial industry makes an attractive target. The sector is made up of institutions that store large quantities of sensitive data that can be sold on the Dark Web, as well as institutions that have access to large sums of capitol.

Additional Sources:
https://www.hstoday.us/uncategorized/cyber-attacks-on-banking-infrastructure-increase/

Surprise! What’s The Country Where All The CEO Fraud Gangs Are?

KnowBe4’s Stu Sjouwerman wrote a really great blog about Business Email Compromise. Once upon a time, about 5 years ago, if you got a letter from a Nigerian prince or some sad story about not being able to transfer funds, that was obviously a scam. You knew, I knew, anybody but the most gullible knew it. Those were referred to as Nigerian 419 scams- 419 is the section of the Nigerian criminal code where this practice is codified as illegal.

Image result for nigerian prince

But times have changed and so have the gangs…

What if your CFO got an email from your COO or your CEO? What if your AP clerk got an email from your CFO- or your Comptroller?

A new study by Agari concludes that, despite all the attention nation-state espionage services have been getting for their phishing attacks, the big threat still comes from criminal gangs.

Here is your quick Executive Summary:

  • 97% of people who answer a Business Email Compromise (aka CEO Fraud) email become victims
  • The average BEC incident included a payment request of $35,500 (ranging from $1,500 to $201,805)
  • 24% of all observed email scam attempts between 2011 and 2018 were BEC even though BEC only started in earnest in 2016

And What’s That Country?

Many of those criminal gangs continue to operate from Nigeria, of the ten gangs engaged in the email scams that Agari studied, nine were based in Nigeria. Conclusion: the old Nigerian 419 scam has upgraded big time.

While business email scams are relative newcomers to the world of online crime, becoming popular only as recently as 2016, they’re now the most common kind of attack, accounting for 24% of phishing emails.

Patrick Peterson, Agari’s Executive Chairman said: “The sad irony is that these foreign adversaries are using our own legitimate infrastructure against us in attacks that are far more damaging and much harder to detect than any intrusion or malware.”

BEC, in which the scammer poses as an executive of the business being phished, has the greatest potential for a large, immediate payout. All organizations should make it their policy never to use email to direct fund transfers, and they should train their employees to be aware of this social engineering tactic.

Other scams have similar potential to bankrupt their targets. Real estate brokers, for example, have been targeted with malicious attachments that enable criminals to conduct man-in-the-middle account takeover scams that hit escrow accounts.

Scammers Use A Multi-Step Process

An interesting finding of Agari’s study is the multi-step process many of the scammers use: a probe email is followed by one or more follow-ups that deliver the scammer’s punch.

In the case of business email compromise, a common and effective probe might ask, “Are you at your desk to make a payment?” We have seen that these organized crime groups are starting to automate and script the process of sending these initial probes to their targets.

Interactive training can help a business arm its employees against social engineering. KnowBe4 actually allows you to monitor what an employee who falls for a simulated CEO fraud attack writes back, and automatically step them through immediate remedial training.

Want a free tool to see how vulnerable you are to spoofing? Cut and paste this link to your browser- https://info.knowbe4.com/domain-spoof-test-partner?partnerid=0010c00001wis6gAAA

Which Users Will Cause The Most Damage To Your Network And Are An Active Liability?


by Stu Sjouwerman

The statistic that four percent of employees will click on almost anything, with “Free Coffee” and “Package Delivery” taking some of the top spots among phishbait subject lines, may not sound like much.

However, keep in mind the most successful marketing campaigns only achieve around two percent. With double the response of most marketing initiatives, it’s no wonder that the phishing attacks keep coming.

That statistic comes from Verizon’s 2018 Data Breach Investigations Report. The report showed that the number of phishing emails continues to grow. The victims include government agencies that house some of our most sensitive records. The report also reveals that one quarter of all malware detected was ransomware, and it indicated that 68 percent of breaches go undetected for months.

The answer to fending off phishing campaigns may lie in the same employees who choose to click. Using a type of crowd-sourced security that turns employees into human sensors, could be the answer. One example of this approach is the US Department of Defense Cyber Security/Information Assurance program, where contractors share intelligence with each other and the DOD.

With the right training, employees can learn to recognize phishing attempts and alert others of the impending threat. This type of information gives the IT team an advantage leading to a faster response.

Here are a few steps that can empower your employees to be human sensors using a Phish Alert Button:

– An aware victim can be a good sensor. Encourage employees to ask how reading a suspicious email makes them feel. Rushed, pressured, exploited? Then be wary. Train your employees to recognize how the email makes them feel.

– Build an intelligence network. If you make it easy to report potential threat emails, you’ll build a steady stream of alerts.

– But don’t overuse the “Abuse Box.” Phishing needs to be reported. Flooding an underprepared IT department with messages that need to be checked, may be counterproductive. Make sure the IT department is ready to handle the volume. So build user awareness as you build capacity.

The number of phishing emails can be expected to grow. But with a change in the way your organization perceives and responds to social engineering, users can become your best defense and not your weakest leak. As always, consider interactive, new-school security awareness training. It’s effective and extremely affordable.

GCN has the story, written by Lex Robinson who works at Cofense.

Free Phish Alert Button
When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4’s free Phish Alert Button to your employees’ desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.

Don’t like to click on redirected links? Cut & Paste this link in your browser:

https://info.knowbe4.com/free-phish-alert-partner?partnerid=0010c00001wis6gAAA

Our friend, Kevin Lancaster from ID Agent, continues in his weekly posting of the week in breaches and phishing attacks. This is important- not just for enterprises, but also for small and medium sized businesses. Attacks are coming in from all directions- here are some highlights from his post:

Protection from Hacks

Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.

Student of The Month in California!
Phish Teacher, Change Grades, Get Felony!  You can’t make this stuff up!

Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?


What we’re listening to this week:   

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


Highlights from The Week in Breach

  • Retail Point of Sale Systems (POS) can’t catch a break! can’t get their s*** together.
  • Healthcare insider threat strikes again.
  • Your legal case may have been closed… or deleted.
  • Your personality is revealing and, it may have been revealed.

Chili’s Restaurants
Retail

Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)

What you need to know:  Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most systems do not reside within the traditional network environment, processing systems are most commonly exploited via compromised trusted 3rdparty vendors, common credential stuffing and exploit kits delivered via email.

Chili’s Restaurants

Date Occurred/Discovered March-April 2018 / Discovered 5/11/18
Date Disclosed 5/14/18
Data Compromised Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.
How it was Compromised Malware
Customers Impacted Chili’s has not disclosed the restaurants impacted and/or the number of customers impacted.
Attribution/Vulnerability Undisclosed at this time.

http://time.com/money/5276047/chilis-data-breach-2018/

Note: Breaches have huge repercussions, often resulting in customers losing trust in the brands. According to a study from KPMG, 19% percent of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.

https://www.sfgate.com/technology/businessinsider/article/Chili-s-restaurants-were-hit-by-a-data-breach-12911248.php

Nuance Communications
Healthcare

Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit.  System and security control failure
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)

What you need to know:  Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had the limited ability to detect on-network anomalous behavior. With such a large percentage of its target market comprised of organizations that operate in regulated industries including Healthcare, Nuance should have invested in aggressive insider threat/insider mishap detection.

Organizations operating in regulated markets should take a more aggressive approach to both inside threat detection and threats originating within the supply chain as was demonstrated in this case.

Nuance Communications (speech recognition software)

Date Occurred/Discovered 11/20/17 – 12/9/17
Date Disclosed 5/14/18
Data Compromised Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.
How it was Compromised An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.
Customers Impacted Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.
Attribution/Vulnerability  Unknown/undisclosed at this time.

Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”

The incident is a reminder that Insider breaches remain one of the most difficult kinds of improper access attacks to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.

https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002

Mason Law Office
Legal

Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent Credential- based, account take-over exploit
Risk to Individuals: High: Sensitive PII and Legal Information loss and/ or deletion  

What you need to know:  It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account-based takeover compromise.  Legal firms leveraging 3rd party case management systems should take the time to review their security controls and procedure.  They should also conduct a full audit to determine who has access to what data within these 3rd party systems and make the required corrections.

Mason Law Office – Sacramento, CA (mycase.com)

Date Occurred/Discovered Discovered 5/5/18
Date Disclosed 5/14/18
Data Compromised Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.
How it was Compromised The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.
Customers Impacted Clients of Mason Law Firm using mycase.com.
Attribution/Vulnerability Unknown/undisclosed at this time.

https://www.databreaches.net/mason-law-office-notifies-clients-of-hack-involving-mycase-com/

myPersonality app
Information Technology / Lifestyle

Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)

Exploit: Application security misconfiguration resulting in credential-based exploit

Risk to Individuals: High (PII, Psychological Characteristics & Profile,)

What you need to know: The developers of the personality app failed committed several major blunders in this case.

  1. Poor website/application security allowed for easy and unmonitored access to their website and underlying datasets.
  2. They failed to notice that their data set had been sitting out in the open for 4 years.
  3. The data stored within the platform was easily unkeyed and de-anonymized.

myPersonality app

Date Occurred/Discovered Exact dates unknown – 2014 – 2018
Date Disclosed 5/14/18
Data Compromised The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.
How it was Compromised Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.
Customers Impacted 3 million users of the app
Attribution/Vulnerability Publicly available credentials allowed access to the data. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.

 

https://www.databreaches.net/mypersonality-app-data-leak-exposed-intimate-details-of-3m-users/

https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/