The target: MCA Wizard, a now defunct mobile app for loaning money to small business owners developed jointly by Advantage Capital Funding and Argus Capital Funding in 2018.
The take: 425GB of data comprising over 500,000 documents, including credit reports, bank statements, contracts, legal paperwork, driver’s licenses, purchase orders & receipts, tax returns, social security information and more.
The attack vector: Even though the app itself was pulled from both Google Play and the App Store, the data behind it remained online, stored in an unsecured AWS S3 bucket which was accessible without a password. Security researchers noted that while the app was no longer available, new documents were being added to the database right up until its removal, suggesting that another application or service could have been using the same bucket.
While this is yet another example of a misconfigured storage bucket, it also raises the issue of security controls and management of the lifecycle of data. If an app or service reaches its end of life, there is absolutely an onus on the responsible firm to manage any sensitive data collected or processed by that app through to secure deletion.
Computer Weekly: Developed countries in Asia-Pacific (APAC) with more established digital economies may be most vulnerable to cyber attacks, but they are also among the most prepared in the region to deal with cyber threats, a new study has found.
ZDNet: Almost half of businesses have experienced a cyberattack or data breach in the past year – and almost all of the organisations that know they've been on the receiving end of attacks have reported being targeted by phishing and other fraudulent emails as the volume of these attacks continues to rise.
Reuters: A U.S. cybersecurity firm said Wednesday it has detected a surge in new cyberspying by a suspected Chinese group dating back to late January, when coronavirus was starting to spread outside China.
ZDNet: Automation is something businesses in almost every sector are familiar with, as part of their efforts to make systems more efficient. It's something that the cybersecurity industry is increasingly using, with automated data collection and processing playing an ever-growing role in protecting against data breaches and cyberattacks.
Reuters: UK banks are stepping up fraud prevention measures to protect customers from scammers eager to exploit the coronavirus pandemic with a whole range of new tricks, including fake sales of medical supplies and bogus government relief schemes.
JDSUPRA: COVID-19 has created many new concerns for private fund managers; however, managers should be particularly mindful of heightened cybersecurity and fraud risks. With increased numbers of employees teleworking, there are increased vulnerabilities for cybercriminal intrusions creating privacy-related risks for fund portfolio information, LP confidential data, and other sensitive electronically-stored materials.
Reuters: Elite hackers tried to break into the World Health Organization earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks.
The target: Virgin Media, a British telephone, television and internet provider
The take: ‘Limited contact information’ of 900,000 customers, including names, home and e-mail addresses, and phone numbers along with some birth dates and technical and product information.
The attack vector: A misconfigured marketing database left the information exposed for nearly a year, and was confirmed to have been accessed ‘on at least one occasion’ by an outside party.
This incident highlights the need to ensure regimented security controls are established and verified anywhere that an organization stores personally protected information. Security controls must always be commensurate to the type of data being stored, and they must travel with that data to protect the firm and its clients from a data breach.
ZDNet: vpnMentor researchers led by Noam Rotem said the database appears to be connected to MCA Wizard, a now-defunct app that appears to have been developed by Advantage Capital Funding and Argus Capital Funding.
Cision: According to the report, cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
Katten: In the wake of the coronavirus (COVID-19) pandemic, government officials have urged companies to allow more employees to work from home in an effort to halt the spread of the disease. As businesses shuffle to operationalize remote work policies, bad actors continue to exploit the vulnerabilities associated with remote work and target employees working from home.
Citywire: A compliance expert has issued a warning after a number of advice firms received a scam email purporting to be from the FCA. The email, seen by several financial planners and passed to New Model Adviser, claims to be from an FCA employee in the ‘claims and firm-authorization’ department, and includes a request for a letter to be certified by the recipient, by the end of the working day. The letter is not attached.
Bloomberg: Norm Hullinger was heading into work one day in October when he got a call that his company’s network was acting up. It was no simple glitch. Hackers had started freezing the data of Alphabroder, a sportswear distributor. They wanted more than $3 million to restore it. Grappling with whether to pay, Hullinger, the chief executive officer, embarked on a journey that’s increasingly familiar to law firms, hospitals, and cities that have found themselves on the other end of negotiations with ransomware criminals.
Bloomberg: The U.S. Health and Human Services Department suffered a cyber-attack on its computer system, part of what people familiar with the incident called a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor.
Checkmarx: Checkmarx, the global leader in software security solutions for DevOps, today announced that Hellman & Friedman (“H&F”) has entered into a definitive agreement to acquire the Company from Insight Partners, which will continue to own a substantial minority interest. The deal represents the largest acquisition of an application security company to date.
The target: Angeles Investment Advisors, an asset manager based in Santa Monica, California
The take: The e-mail account of Michael Rosen, Chief Investment Officer, was compromised and used to send a bogus ‘bid for proposal’ link to his contacts.
The attack vector: While details have not been published at this time, it is likely that the initial compromise of Rosen’s account was the result of a targeted phishing attack. Once attackers had control of his e-mail account, they were able to send a malicious attachment to his contact list, and even responded to individuals who questioned the legitimacy of the e-mail – assuring them that the attachment was safe, and that they should open it post-haste.
One of the most insidious risks in an e-mail compromise is that the compromised account will be used as a pivot point, and that the trust in that individual will be exploited for criminal gain. These attacks highlight not only the need to ensure that technical controls are in place to prevent accounts from being compromised in the first place – but also the need to train staff to think critically about the content of messages they receive, and to confirm any suspicious communications or requests via a separate channel of communication.
The Washington Post: Chinese hackers have used fake documents about the coronavirus to deliver malicious software and steal sensitive user information, according to a report Thursday from researchers documenting a growing wave of cybercrime exploiting fears about the global pandemic.
CPA: The average cost of cybercrime surged 29 per cent in the U.S. between 2017 and 2018, reaching US$27.4 million per organization, according to an Accenture Security and Ponemon Institute study, which was based on interviews with more than 2,600 senior security professionals at 355 companies in 11 countries (including Canada).
The Crime Report: The U.S. government should adopt structural changes not seen since the 2001 terrorist attacks to confront proliferating cyber threats that increasingly endanger national and economic security, a federal commission concluded, reports the Wall Street Journal.
The Straits Times: An engineer who attended the annual RSA cybersecurity conference in San Francisco last month (February 2020) has tested positive for the coronavirus and is seriously ill with respiratory issues.
ETF Trends: Cybersecurity breaches over the years have certainly put the need for preventative measures at the forefront, and that can only intensify as the financial technology (fintech) space continues to advance. For investors looking to park their capital at the current low prices amid the coronavirus outbreak, cybersecurity and fintech ETFs is one area to watch.
The Next Web: There are a few things we just won’t stand for in 2020 – but first on the list is the phrase, “employees are the weakest link in cyber security.” It’s a saying that people really should have ditched in 2019.
Central Bank: The Central Bank has today published the findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms. The purpose of the Inspection was to determine the adequacy of cybersecurity controls and cybersecurity risk management practices of the inspected firms and to identify good practices.
The target: C3UK, a provider of Free WiFi at railway stations across the UK
The take: Personal data of more than 10K rail passengers including dates of birth, email addresses and travel plans
The attack vector: A security researcher discovered that C3UK had left a database backup publicly exposed on an Amazon Web Services storage device with no password protection.
While security controls around production systems and databases are mission critical, care must also be taken when storing and transferring backups and duplicate copies of production data. Security controls must always be commensurate to the level of sensitivity of data being handled, and must travel with that data throughout its lifecycle.
ABC News: To thwart increasingly dangerous cyber criminals, law enforcement agents are working to “burn down their infrastructure” and take out the tools that allow them to carry out their devastating attacks, FBI Director Christopher Wray said.
BBC: The UK watchdog said the airline's computer systems had exposed details of 111,578 UK residents and a further 9.4 million people from other countries. These included names, passport details, dates of birth, phone numbers, addresses and travel history. "Appropriate security" was not in place between October 2014 and May 2018.
Bob's Guide: According to James Kemp, managing director, Association for Financial Markets in Europe (AFME), there is uncertainty over how to regulate concentration risk in a way that does not stifle innovation or eradicate smaller third-party suppliers.
Coindesk: The world of blockchain, unsurprisingly, is not exactly Joe Biden’s bailiwick. But don’t let his age fool you. He’s not blind to tech, data privacy or the thorny issues of digital misinformation. For instance, he recently called for the revoking of Section 230 (which protects companies like Facebook from liability for material published on its networks), saying Facebook “is not merely an internet company. It is propagating falsehoods they know to be false.”
Hedgeweek: DrawbridgeConnect allows customers to aggregate cybersecurity program data to drive analysis and determine program strength, remediation, and create and manage a resilient program to fulfil evolving regulatory and investor demands.
Cryptopolitan: As per the report, hackers have stolen at least 9.8 billion dollars in crypto from investors and holders. KPMG, one of the big four accounting firms, stated that it was essential for the crypto industry to improve security before it can truly grow.
Institutional Investor: Hackers this week took over the email account of Michael Rosen, chief investment officer of consulting and asset management firm Angeles Investment Advisors.