learn more

Industry News: ESG5

Know Your Breach: Carter’s

The target: Carter’s, a U.S based retailer of baby clothing and apparel.

The take: An estimated 410,000 records of personally identifiable information including: full names, physical addresses, email addresses, phone numbers, shipping tracking ID’s, and purchases and transaction details.

The attack vector: The breach occurred because of the failure to implement authentication controls for the URL shortener used on the site. When a customer made a purchase online, they were redirected to the shortened purchase cart page URL which had no credential management. Furthermore, the links were not set to expire, letting anyone with the URL access the sensitive information at any time for any length of time.

Any page where customer data is stored should follow industry standard practices be managed with proper credential deployment and security. The exposure of detailed personal information makes a firm’s users extremely vulnerable to phishing attacks and fraud.


Know Your Breach: 20/20 Hearing Care Network

The target: 20/20 Hearing Care Network, a vision and hearing benefits administrator.

The take: 3.3 million records of Personally Identifiable Information including: names, addresses, member numbers, date of birth, and health insurance information.

The attack vector: An unsecured Amazon Web Services cloud storage database server was left online with no password protection. This meant anyone with an internet connection was able to connect and download the data. In addition, after the data was removed by the attackers, it was then deleted.

This breach highlights the critical importance of firm’s data backups, and if there should be an incident where information is deleted, it’s essential to be able to restore data to fully ascertain the scope of the breach. Proper credential management to ensure accounts and permissions are appropriately deployed and used, is an integral part of maintaining a robust cybersecurity posture.


Know Your Breach: Bergen Logistics

The target: Bergen Logistics, a U.S based fulfillment provider.

The take: Personally Identifiable Information including: names, sur names, city, zip code, addresses, order numbers, email addresses, plain-text passwords to customer accounts.

The attack vector: An unsecured Elasticsearch database server was left online, meaning anyone with an internet connection was able to connect and download the data.

The exposure of personal information can lead to highly targeted phishing and fraud attacks. More critical was how this firm stored their customer account passwords in plain text on the server with no encryption or protections. Ensuring credentials are adequately and appropriately protected through encryption is an integral part of maintaining a robust cybersecurity posture.


Know Your Breach: FastTrack

The target: FastTrack Reflex Recruitment, a U.K based online recruitment firm.

The take: Exposure of 20,000 records of personally identifiable information including: email addresses, home addresses, full names, phone numbers, dates of birth, and passport photos.

The attack vector: The information was exposed due to a misconfigured cloud storage account, allowing anyone with an internet connection to access and download a full copy of the details.

Leaving databases exposed to the internet without any credential management impacts its confidentiality, integrity, and availability. Taking the stance of using industry standard practices of password length, complexity, two-factor authentication, and email verification, will raise the level of protection needed for sensitive information.


Know Your Breach: Fermilab

The target: The U.S based Fermilab Physics Laboratory

The take: Exposure of databases containing proprietary documents, project names, configuration files, passwords, and personality identifiable information such as employee names and emails.

The attack vector: Security researchers found wide open ports in Fermilab’s systems and were able to use these unprotected points of access to gain access to their IT ticketing support system and file transfer service. This led to further exposures of employee name and titles, as well as many sensitive documents attached to individual help tickets. Fermilab’s file transferring service was also online with no password protection.

This breach highlights the importance of credential management and thorough testing of points of access in a firm’s IT systems. All entry points should be secured through robust password controls, using the appropriate length and complexity, along with proper management and monitoring.


Know Your Breach: Peloton

The target: Peloton, an exercise equipment manufacturer.

The take: Exposure of an unknown number of its 3 million user’s personally identifiable information such as: user ID, instructor ID, location, workout statistics, gender and age, and studio check-ins.

The attack vector: The leak occurred due to lack of authentication and authorization controls in the API endpoints used in Peloton’s mobile app, website, and backend (An API is an Application Programming Interface, a software intermediary that allows two applications to exchange data). Unauthenticated individuals were able to manually send an API request and return profile information for Peloton users, even if those profiles were marked as ‘private’. 

This breach highlights critical importance of robust authentication whenever user data is being requested and transferred in a firm’s IT systems which are available to the public. Thorough testing of authentication protocols is an integral part of maintaining a rigorous cybersecurity posture. Exposed personal data can lead to extremely effective phishing attacks and further data breaches of a firm’s customers.


Know Your Breach: First Horizon Bank

The target: First Horizon Bank, a U.S based financial services company.

The take: An amount up to $1 million USD, and 200 online customer accounts with personally identifiable information.

The attack vector: The attacker used illicitly gained login credentials and exploited a vulnerability in third party security software, letting them access customer accounts and siphon funds. In additional to the funds stolen, the detailed personally identifiable data exposed is highly valuable for further phishing and fraud attacks.

This breach emphasizes the importance of controls around the authentication process – requirements for strong, unique credentials, and implementation of multiple factors of authentication wherever possible to mitigate stolen or brute-forced passwords. Third party software components in an authentication process must also be implemented properly, with security patches tested and applied in a timely manner to maintain a secure posture.


Know Your Breach: Codecov

The target: Codecov, a software company which provides code testing and code statistics.

The take: Security tokens and keys for 29,000 customers and employees, admin credentials, and application source code.

The attack vector: Attackers gained access to Codecov’s ‘Bash Uploader’ script, a method of uploading unencrypted data to Codecov’s servers used by clients and employees, through a previously unknown vulnerability which let them extract credentials with authority to modify the script. They then used these credentials to have all data sent to Codecov also be sent to their third-party server.

This breach highlights the importance of securing and testing applications and processes which interact with a firm’s data storage. Wherever information is uploaded, either by clients or employees, the method used should be highly scrutinized to ensure its security is in line with industry best practice and standards.


Know Your Breach: Kentucky Career Centre

The target: The Kentucky office of Unemployment Insurance.

The take: Unauthorized access to claimant accounts which had the ability to alter the destination bank accounts of the benefit payments, forwarding the funds to fraudsters.

The attack vector: Attackers leveraged the lack of robust password hygiene and modern credential management in Unemployment Office’s IT systems. It was reported that some 4000 users had created passwords such as “1-2-3-4” and 1500 used the phrase “2020”, both easily exploited with moderate computing power and password cracking applications.

Enforcing strong password management across all platforms is critical to protecting customer data. Industry standard practices of password length, complexity, two-factor authentication, and email verification will only be effective if these methods are enforced. Doing so will ensure users, and their data, are protected as much as possible.


Know Your Breach: Office Depot

The target: Office Depot, a European online seller of office equipment

The take: 974,050 wide-ranging records of sensitive information including: monitoring logs, server IP addresses, secure remote login credentials, and customer’s personally identifiable information such as names, physical addresses, and order history. 

The attack vector: A non-password protected, unencrypted Elasticsearch database was left online, allowing anyone to access the information by entering the URL. 

Leaving databases exposed to the internet without any credential management impacts its confidentiality, integrity, and availability. Furthermore, collecting and storing sensitive data in plain text without encryption increases the risk to clients. In some cases, the database credentials needed to access the encrypted data is stored on the same server, rendering the encryption ineffective. Proper credential access, along with best encryption practices is essential in keeping data secure.