
Industry News: ESG5

      Know Your Breach: GoDaddy

      The target: GoDaddy, a U.S.-based website domain registrar and web hosting company.

      The take: 1.2 million records of customer information including: email addresses, SSH keys, and database usernames and passwords.

      The attack vector: The threat actor gained access to GoDaddy’s hosting servers through a compromised employee account, which granted them the same access to every system that employee could reach. Multi-factor authentication was not enabled on the account.

      This breach highlights not only the ever-present threat that compromised employee accounts pose to firms, but also the critical importance of proper credential management. Employing multi-factor authentication is a key part of maintaining a robust cybersecurity posture and ensuring that company and customer data is only accessed by authorized parties.


      Know Your Breach: RedDoorz

      The target: RedDoorz, a Singapore-based hotel booking site.

      The take: Exposure of 5.9 million records of Personally Identifiable Information including: names, contact numbers, email addresses, dates of birth, encrypted passwords and booking information.

      The attack vector: The attacker gained access to an Amazon Web Services key that was embedded in an APK (Android Application Package), a piece of software used in the firm’s systems. Had the firm examined the APK, it could have prevented the exploit by removing the AWS key from the package.

      This breach highlights the critical importance of IT asset management, specifically just how necessary it is that firms are aware of what software they are using and how it is being deployed. Regular auditing of all software configurations, especially where customer data is stored, across the firm is essential for maintaining a robust cybersecurity posture.


      Know Your Breach: Robin Hood

      The target: Robin Hood, a U.S.-based investment and trading platform.

      The take: Exposure of an estimated 7 million customer accounts with Personally Identifiable Information including: 5 million email addresses and 2 million full names. For a small number of the exposed records, dates of birth and zip codes were also exposed.

      The attack vector: The attacker used social engineering against one of Robin Hood’s Customer Support Representatives, tricking the representative into believing the attacker was authorized to access the firm’s internal systems; the representative then handed over their credentials. Using these legitimate permissions, the threat actors immediately accessed the sensitive data.

      This breach highlights the serious and ongoing risk that social engineering attacks pose to organizations. The strongest security controls are often only as effective as the employees who maintain them. Regular awareness testing and training, along with an emphasis on critical thinking and caution when receiving access requests from third parties, is critical to a robust cybersecurity posture.


      Know Your Breach: UMass Memorial Health

      The target: UMass Memorial Health, a Massachusetts-based healthcare network.

      The take: 209,000 records of Personally Identifiable Information including: names, dates of birth, medical record numbers, health insurance information, and clinical treatment information with dates of services, diagnoses, procedure information, and prescription details.

      The attack vector: The firm’s IT system was compromised when an employee fell for a phishing email. This granted the attackers access to all the files and programs that the employee’s account was authorized to view.

      This breach highlights the ongoing threat that phishing attacks pose to firms; they remain one of the greatest security threats to an entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging that emphasizes critical thinking and caution, are crucial to protecting sensitive information assets.


      Know Your Breach: University of Colorado Boulder

      The target: CU Boulder, a U.S.-based university.

      The take: Exposure of support and procedural documents, configuration files, and personally identifiable information of 30,000 students including: names, student IDs, addresses, dates of birth, phone number, and gender.

      The attack vector: The breach occurred through a known configuration vulnerability in third-party software that the University uses. Although the third party had released a patch some months earlier, it had not been applied, and this allowed an attacker to gain access to the data.

      This data leak highlights the importance of patching and testing software in a timely manner. Following industry-standard software management practices is essential to ensure that every point of access to data is secure, up to date, and protected against known gaps in third-party applications.


      Know Your Breach: Premier Patient Healthcare

      The target: Premier Patient Healthcare, a Texas-based accountable care organization.

      The take: Exposure of 38,000 records of Personally Identifiable Information including: name, age, sex, race, county, state of residence, zip code, and Medicare beneficiary information.

      The attack vector: The data was illegally accessed by a terminated former employee of the firm, who used their still-active access to view, download, and steal the files from a third-party vendor that had a contract with Premier Patient.

      This breach highlights two important lessons for firms. Access control around terminated employees is paramount to maintaining a secure environment for sensitive data. Furthermore, while Premier Patient may have followed these steps for its own systems, the attack took place at a third-party vendor, showing that access control must also be applied across all platforms to be fully effective.


      Know Your Breach: Portpass

      The target: Portpass, a private proof-of-vaccination mobile application.

      The take: Exposure of potentially 650,000 records of personally identifiable information including: email addresses, names, blood types, phone numbers, birthdays, and driver’s licences.

      The attack vector: Portpass stored user profiles on its website, accessible to the public, which exposed the above information to anyone visiting the site. The data was not encrypted and was stored in plain text.

      Use of industry-standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication, and validation around all points of access in a firm’s IT network, especially public-facing ones. This breach also highlights the importance of encryption as a method of improving the security of stored data, since encrypted data can still be protected even if it is exposed.


      Know Your Breach: Twitch

      The target: Twitch.tv, a U.S.-based video game streaming service.

      The take: Exposure of 125GB of information including source code and commit history dating back to the company’s founding, creator payout revenue from 2019 to 2021, the company’s internal cybersecurity tooling, and which AWS services it uses.

      The attack vector: A configuration error left one of the company’s servers exposed, allowing the attacker to gain access to the server and exfiltrate the contents of some 6,000 internal repositories.

      It is critical to employ robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data exposure.


      Know Your Breach: Coninsa Ramon

      The target: Coninsa Ramon, a Colombia-based architecture, engineering, construction, and real estate firm.

      The take: 5.5 million files containing the personally identifiable information of 100,000 customers, including: full names, addresses, email addresses, transaction data, and asset values.

      The attack vector: An Amazon S3 storage bucket was misconfigured and left unsecured, allowing anyone with an internet connection to access and download the data. In addition, malicious code was discovered that would allow attackers to maintain a persistent connection to the website, letting them redirect traffic to fraudulent pages.

      The exposure of personal information can lead to highly targeted phishing and fraud attacks. Given how detailed the information was in this exposure, the threat of spear-phishing campaigns is high. Use of authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ industry standard practices of credential management, user authentication and validation, around all storage of customer data.
