The target: Marriage Tax Refund, a UK-based tax relief organization.
The take: 100,000 records of personally identifiable information, including full name, gender, home address, partner name and address, and refund amounts.
The attack vector: The firm had misconfigured its WordPress-based client management service, exposing a directory listing of PDF documents to the public. There was no password protection or credential management in place, meaning anyone with an internet connection could have viewed and downloaded the contents of the database.
Compromised client-data management software poses a high risk to a firm. Robust credential control around software that manages personally identifiable information is critical to maintaining a firm’s security and that of its clients. This breach highlights the importance of managing the client systems that hold client data, and of how that information is accessed and secured; it is a critical reminder of how closely such systems need to be managed.
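A defender auditing their own web estate for the exposure described above can test whether a URL returns a server-generated directory index and, if so, which sensitive files it lists. The following is an added example, not code from the original digest or from the firm involved; the sample HTML is constructed to resemble an Apache autoindex page and the path names in it are hypothetical.

```python
from html.parser import HTMLParser

# File types that should never be reachable through a web-readable directory index.
SENSITIVE_EXTENSIONS = (".pdf", ".xlsx", ".xls", ".csv", ".sql", ".zip", ".bak")

class _IndexPageParser(HTMLParser):
    """Collects the <title> and every href on a server-generated index page."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def exposed_files(html):
    """Return sensitive file names listed on `html` if it is an autoindex page
    (Apache mod_autoindex and nginx autoindex both title it "Index of /..."),
    otherwise an empty list."""
    parser = _IndexPageParser()
    parser.feed(html)
    if not parser.title.strip().startswith("Index of"):
        return []
    # Drop sort links ("?C=N;O=D") and parent-directory links ("/..." or "../").
    names = [h for h in parser.hrefs if not h.startswith(("?", "/", "../"))]
    return [n for n in names if n.lower().endswith(SENSITIVE_EXTENSIONS)]

# Constructed sample of an Apache autoindex page; not captured from the incident.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads/clients</title></head>
<body><h1>Index of /wp-content/uploads/clients</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/wp-content/uploads/">Parent Directory</a>
<a href="refund_0001.pdf">refund_0001.pdf</a>  2020-12-01 10:02  148K
<a href="refund_0002.pdf">refund_0002.pdf</a>  2020-12-01 10:03  151K
<a href="index.html">index.html</a>            2020-12-01 10:00  1.2K
</pre></body></html>"""

if __name__ == "__main__":
    for name in exposed_files(SAMPLE_LISTING):
        print("EXPOSED:", name)
```

Feeding the body of each of your own upload or document URLs to `exposed_files` turns an accidental listing into a findable audit result; the fix on the server side is to disable autoindex (Apache `Options -Indexes`, nginx `autoindex off`) and put the documents behind authentication.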
MSN: Cybersecurity exchange-traded funds surged Wednesday, adding to a string of gains after a high-profile hack of U.S. government systems early in the week of Dec. 13. The ETFMG Cyber Security ETF was up 1% mid-morning, and the First Trust NASDAQ Cybersecurity ETF gained 1.3%. The Global X Cybersecurity ETF jumped 1.7%. The broader market was flat ahead of a Federal Reserve press conference and a fiscal aid package decision from Congress.
Security Magazine: The coronavirus pandemic has sparked a new round of digital transformation. But in many cases, the rapid pace of digital acceleration has enlarged the digital footprint of both businesses and consumers beyond the capacity of our cybersecurity infrastructure to keep up. The scary reality is that the business impact of COVID-19 may be creating the perfect storm for a cybercrime pandemic; digital citizens will have to act aggressively to secure their data before it’s too late.
CRN: SolarWinds majority owners Silver Lake and Thoma Bravo sold $286 million of stock just before the company announced a new CEO and disclosed a cyberattack.
Claims Journal: As details of the most audacious hack on the U.S. government in recent memory continued to stun lawmakers and the public, a government watchdog released a blistering report saying that federal agencies have failed to implement key safeguards for their information technology supply chains.
Reuters: Ransomware attacks increased in terms of both severity and costs this year, forcing insurers to become more selective and even scale back on the cover they offer against cyber crimes, a report from a leading insurer showed.
Cision: In 2019, the FBI’s Internet Crime Complaint Center recorded 23,775 complaints about business email compromise (BEC), which resulted in more than $1.7 billion in losses. In the wake of COVID-19, fraudulent cybercrimes and email schemes are on the rise.
Lupa Express: The federal banking agencies are poised to propose new guidelines that would spell out banks’ obligations to inform their regulators promptly about a data breach.
The target: The NHS, the United Kingdom’s national healthcare service provider.
The take: 284 records of personally identifiable information, including names, dates of birth, contact information, and hospital identification numbers.
The attack vector: The breach was the result of human error and internal process failure when a spreadsheet containing the personal information was accidentally emailed to thirty-one individuals outside the NHS.
This incident could have been avoided with the implementation of data classification controls – appropriate tagging of sensitive materials could have provided an additional stopgap before this document left internal systems. Ultimately, this breach serves as an important reminder that wherever sensitive personal data is in play, vetted processes should be implemented and followed, with regular training and reminders, to ensure its protection. It is an organization’s responsibility to provide the tools and training necessary to maintain safe and consistent approaches to handling data, and to impress upon staff the importance of adherence to procedure.
IMF: Kristalina Georgieva, IMF Managing Director. (Virtual) Conference on Financial Inclusion and Cybersecurity. Co-hosted by the International Monetary Fund, Carnegie Endowment for International Peace, World Bank, and the World Economic Forum.
Forbes: Effective cybersecurity requires an understanding of the adversary. Insight into the motivation behind attacks and the steps attackers take enables you to anticipate and defend against those attacks. Attacks have become more complex and sophisticated, though, as the line between cyber criminals and nation states has gotten fuzzy in recent years. As technology evolves and the threat landscape expands, it is important for cybersecurity vendors to fight fire with fire and be prepared to defend effectively against cyber attacks.
CNet: Hackers were able to get documents related to approved COVID-19 vaccines after they hit the European Medicines Agency with a cyberattack. The attackers "unlawfully accessed" regulatory documents related to the coronavirus vaccine candidate put forward by biotech firm BioNTech and partner pharmaceutical company Pfizer, BioNTech said in a statement.
ZDNet: It's this sort of collaborative attitude that is needed to help combat challenges and reduce cyber risk to societies, says Pete Cooper, deputy director of cyber defence for the UK Cabinet Office and lead of the government sector of the National Cyber Security Programme.
CNN Business: The cybersecurity firm FireEye (FEYE) said Tuesday that it had come under cyberattack by "highly sophisticated" actors likely sponsored by a nation-state, in a rare and extremely serious instance of a mainstream security vendor being compromised. The hack could even give the perpetrators the means to launch attacks against other targets.
ABC News: Researchers at a cybersecurity firm say they have identified vulnerabilities in software widely used by millions of connected devices — flaws that could be exploited by hackers to penetrate business and home computer networks and disrupt them.
BusinessWire: McAfee Corp. (Nasdaq: MCFE) – McAfee today released a new global report titled “The Hidden Costs of Cybercrime,” which focuses on the significant financial and unseen impacts that cybercrime has worldwide. The report, conducted in partnership with the Center for Strategic and International Studies (CSIS), concludes that cybercrime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion. Beyond the global figure, the report also explored the damage reported beyond financial losses, finding 92 percent of companies felt effects beyond monetary losses.
The target: Apodis Pharma, a France-based digital supply chain management company.
The take: 1.7 terabytes of information, including 4,400 records of client, partner, and employee names, and 17 million records of confidential sales data, prices, and order quantities between Apodis and its customers.
The attack vector: A publicly accessible Kibana dashboard was left unsecured and reachable by anyone with an internet connection. The dashboard gave access to the underlying database, exposing all of the information it contained.
Compromised management software can lead to a waterfall effect of exposures. Robust credential control around software that grants multiple levels of access is critical to maintaining a firm’s security. This breach highlights the importance of managing employee tools and how they are accessed, used, and secured, offering a stark reminder of how tightly access should be controlled.
Yahoo Finance: IBM security researchers say they have detected a cyberespionage effort using targeted phishing emails to try to collect vital information on the World Health Organization's initiative for distributing COVID-19 vaccine to developing countries.
Cision: Acronis, a global leader in cyber protection, today released its Acronis Cyberthreats Report 2020, its in-depth review of the current threat landscape and projections for the coming year. Based on the protection and security challenges that were amplified by the shift to remote work during the COVID-19 pandemic, Acronis warns 2021 will bring aggressive cybercrime activity as criminals pivot their attacks from data encryption to data exfiltration.
Yahoo Finance: As reported by Business Insider Australia, the exchange revealed the names and email addresses of over 270,000 users when it sent out mass emails. The error saw names and addresses placed in the “to” section rather than individually addressing each recipient or using blind carbon copy.
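The mistake above is mechanical and easy to guard against in code: keep the recipient list in the SMTP envelope rather than in any visible header, and check the built message before sending. This is an added example, not code from the digest or from the exchange involved; the sender domain and recipient addresses are constructed, and `smtplib.send_message(msg, to_addrs=envelope)` is the intended delivery call.

```python
import re
from email.message import EmailMessage

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def build_notice(sender, recipients, subject, body):
    """Build a mass-mail message whose header block names no recipient.
    The recipient list is returned separately as the SMTP envelope; the
    To header carries only an RFC 5322 empty group, which reveals nothing."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "undisclosed-recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)   # caller: smtp.send_message(msg, to_addrs=envelope)

def leaky_notice(sender, recipients, subject, body):
    """The mistake described above: every recipient placed in the To header."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, ", ".join(recipients), subject
    msg.set_content(body)
    return msg

def exposed_recipients(msg, recipients):
    """Return the recipients whose addresses appear in To, Cc or Bcc of `msg`.
    Bcc is counted too: msg.as_string() keeps it, and only smtplib.send_message
    strips it before transmission. A non-empty result means the send would leak."""
    visible = " ".join(str(msg[h]) for h in ("To", "Cc", "Bcc") if msg[h])
    found = {a.lower() for a in ADDRESS_RE.findall(visible)}
    return [r for r in recipients if r.lower() in found]

# Constructed sample recipient list; not real customers.
RECIPIENTS = [f"user{i}@example.com" for i in range(1, 6)]

if __name__ == "__main__":
    bad = leaky_notice("notices@exchange.example", RECIPIENTS, "Update", "Hello")
    print("leaky:", exposed_recipients(bad, RECIPIENTS))
    good, envelope = build_notice("notices@exchange.example", RECIPIENTS, "Update", "Hello")
    print("safe :", exposed_recipients(good, RECIPIENTS), "envelope size", len(envelope))
```

Running `exposed_recipients` as a pre-send gate (refuse to send when it returns anything) catches the To-field error regardless of which mailing library assembled the message.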
BNN Bloomberg: A Russian who admitted carrying out one of the largest known cyberattacks against a U.S. bank is a “brazen and prolific” hacker who should serve as long as almost two decades in prison, U.S. prosecutors told a federal judge in advance of his sentencing.
FINRA: FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails that include the domain “@invest-finra.org”. FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.
Reuters: Cybersecurity could be one of the key post-pandemic investment themes in an equity-friendly world of low interest rates and vaccine-led recovery, LGIM CIO Sonja Laud said.