The target: Bonobos, a men’s clothing store.
The take: 70GB database containing personally identifiable information such as: 7 million order records, account information of 1.8 million customers with phone numbers, shipping and email addresses, 3.5 million partial credit card records, and hashed passwords.
The attack vector: While Bonobos’ own internal systems show no signs of breach, an externally hosted backup of the database was accessed in a provider’s cloud storage environment.
Security controls must always be commensurate with the sensitivity of data being stored, and must travel with that data, both within internal systems, and when transferring sensitive data to backup media or external vendor or partner’s systems. This attack highlights the importance of auditing and validating security controls at every stage of the data lifecycle.
Investment Week: WisdomTree Cybersecurity UCITS ETF (WCBR) has been developed alongside venture capital firm Team8 and will track the bespoke WisdomTree Team8 Cybersecurity index. It will be available to investors on the London Stock Exchange, Borsa Italiana and Börse Xetra for a total expense ratio of 0.45%.
Cnet: Based on what we know so far, hackers didn't steal as much personal data in 2020 as they did in previous years, but that doesn't mean they weren't able to make plenty of money. According to a report released Thursday by the Identity Theft Resource Center, hackers and identity thieves used stolen passwords and personal information to profit in new ways from your information.
Yahoo Finance: European and North American cyber cops have joined forces to disrupt what may be the world's largest network for seeding malware infections. The operation appears to strike a major blow against criminal gangs that have used that network for years to install ransomware for extortion schemes and to steal data and money.
Autorité des marchés financiers: The Autorité des marchés financiers (AMF) is concerned by the increasing number of security incidents, including cyber incidents, affecting major institutions in Québec’s financial sector. The AMF is therefore again calling on the financial institutions and businesses it supervises to adequately assess information technology risks and take all necessary steps to bolster privacy safeguards and cybersecurity.
Reuters: New Zealand’s financial markets regulator said the country’s stock exchange operator’s technological systems were “insufficient” following a probe into the multiple outages and cyber attacks that hit the bourse operator last year.
Nasdaq: Companies, insurers and governments need to work together to help businesses cope with major risks such as climate change and cyber security, company executives said.
Reuters: Australia’s securities regulator said on Monday there was a cyber security breach at a server it used to transfer files including credit licence applications where some information may have been viewed.
The target: Pixlr, a popular, free online photo editing application.
The take: 1.9 million user records of personally identifiable information including: email addresses, login names, hashed password, and user’s county of origin.
The attack vector: The breach occurred when an AWS storage bucket was left unsecured and online by Pixlr’s parent company, Inmagine. This allowed the attacker to download a copy of the data and then post it on a public hacking forum, vastly increasing the negative area of effect for the compromised users.
This leak shows the negative and cascading effects a breach can have, not only in the personal or financial risk to the user, but in how far the stolen data can be distributed to malicious actors. Robust password controls and user authentication are critical to maintain data integrity and confidentiality. In addition, this breach highlights the importance of protecting against credential stuffing attacks by using strong, unique passwords which are not shared among logins - a security strategy recommended to every firm.
Hedgeweek: In the early stages of the pandemic, the major tech challenges centred around endpoint security. Individuals may have been using personal devices for professional purposes, and the prevalent model was of decentralised security and centralised data. We no longer look to secure a network or server in the same way. Endpoint security is now key, and every device needs security protection. With so many entry points to firms' applications and data, managing the security at the end point has been at the forefront since early 2020 across the sector.
IT World Canada: Several cybersecurity issues will be among the many early priorities for the 46th president of the United States, Joseph Biden. These include responding to recent cyberattacks believed to come from nation-states, reorganizing and reprioritizing cyber in Washington, and encouraging allies to adopt a more unified approach to issues like Internet governance and cyber norms.
Channel Asia: Spending on cyber security around the world is expected to grow as high as 10 per cent this year, to US$60.2 billion, following claims that 2020 saw record high levels of data breaches, compromised records and ransomware attacks.
BNN Bloomberg: Suspected Russian hackers used a previously unknown piece of malware called “Raindrop” in the SolarWinds cyberattack, potentially infecting more computer systems than had been thought, according to digital security firm Symantec.
Engadget: Europe’s new privacy protection regime has led to a surge in fines for bad actors, according to research published today. Law firm DLA Piper says that, since January 28th, 2020, the EU has issued around €158.5 million (around $192 million) in financial penalties. That’s a 39-percent increase on the previous 20-month period Piper examined in its report, published this time last year. And as well as the increased fines, the number of breach notifications has shot up by 19 percent across the same 12-month period.
ZDNet: Hackers who stole information about COVID-19 vaccines in a cyberattack against the European Union's medical agency and then published it online also manipulated what they found in order to spread disinformation designed to undermine trust in vaccines.
Business Times: The Monetary Authority of Singapore (MAS) on Monday issued revised technology risk management guidelines amid "clear indication" of a worsening cyberthreat environment.
The target: United Nations Environmental Programme (UNEP)
The take: 100,000 records containing: employee personally identifiable information, project funding records, employment evaluation records, and most critically 7 sets of administrative credentials to other databases.
The attack vector: The leak originated from an unsecured Git directory and credential files (Git is one of the world’s most popular software version control systems). Within these exposed files were unencrypted, plain text administrative passwords for not only the repository which was accessed, but for other datasets and systems as well.
This breach demonstrates the importance of appropriate credential storage – privileged credentials should never be stored in plaintext scripts or configuration files replicated in git repositories. Data must always be held with security controls commensurate to the sensitivity of that data.
Chicago Tribune: Stefan Thomas, a German-born programmer living in San Francisco, has two guesses left to figure out a password that is worth, as of this week, about $220 million.
Finance Feeds: FXCM has been hacked three times in five years, this time it’s Israel office being the target. The first time was in 2015, when customer money was withdrawn by fraudsters, sending the shares to an all time low. This time, FXCM Israel says no customer accounts were compromised. We explain why cyber security is vital in our industry.
Yahoo Finance: The Defense Department has halted deployment on its classified networks of a $2 billion cybersecurity project intended to detect intrusions and prevent attacks because of poor test results, according to the Pentagon’s testing office.
Cision: Cybersecurity vulnerabilities are a major concern to business and organizations. The most recent massive computer breach, which allowed hackers to spend months exploring numerous U.S. government networks and private companies' systems around the world, has reignited the urgency in securing computer and information systems. According to a report by NPR, hackers attached their malware to a software update from SolarWinds, a company based in Austin, Texas. Many federal agencies and thousands of companies worldwide use SolarWinds' Orion software to monitor their computer networks.
The target: Solution for Healthcare. a Vietnamese technology firm which provides software for electronic health records and hospital management.
The take: 12 million records of an estimated 80,000 patients and healthcare staff. The personally identifiable information included: full names, dates of birth, postal codes, email addresses, phone numbers, passport details, credit card numbers, and detailed medical records.
The attack vector: The data was initially exposed due to an unsecured Elasticsearch server the company maintained which had no monitoring or credential management. The lack of any security measures whatsoever led to the further development wherein the exposed database was attacked by a malicious, automated software script named Meowbot. This led to the deletion of an unspecified amount of information in the server.
Leaving databases exposed to the without any credential management impacts its confidentiality, integrity and availability. Furthermore, when vulnerable data is left wide open, other kinds of attacks which could make its recovery impossible are easily executed. Ensuring data is protected with the appropriate measures is critical for operational success.
Bank Info Security: In an alert, the agency notes hackers posing as ACSC employees are sending emails requesting that recipients download antivirus software. When the victim clicks on a link, malicious code that can steal banking credentials is downloaded onto the compromised device.
Politico: Anne Neuberger, who joined the NSA more than a decade ago and has been serving as the agency’s director of cybersecurity since 2019, will be named deputy national security adviser for cybersecurity in the incoming NSC, according to two people familiar with the plans.
Yahoo Finance: The Justice Department and the federal court system disclosed on Wednesday that they were among the dozens of U.S. government agencies and private businesses compromised by a massive, months-long cyberespionage campaign that U.S. officials have linked to elite Russia hackers.
SC Magazine: SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software that has reverberated throughout the public and private sector.
Yahoo Finance: The acquisition will support White Ops in its next phase of growth and further accelerate its expansion into new markets. The Company's core focus is to protect enterprises from sophisticated bot attacks and fraud across the domains of cybersecurity, digital advertising, and marketing, serving some of the largest enterprises and internet platforms.
Institutional Investor: The Equifax case — a breach that jeopardized the personal data of up to 143 million people but went unreported for more than a month after surfacing — is a good example of how things can go south quickly. The weeks-long disclosure gap provided abundant opportunity for those in the know to take advantage of the information, and insiders did.