learn more
<https://castlehalldiligence.com>
shutterstock_490960141-1

Industry News: ESG5

      Know Your Breach: Walgreens

      The target: Walgreens, a U.S based drug store and pharmacy chain.

      The take: Millions of records of personally identifiable information including: name, date of birth, gender, phone number, address, email, and in some cases results from Covid-19 tests.

      The attack vector: Walgreens failed to secure their test appointment registration system. When a user requests a test and fills out the online form with their personal info, they are given a unique 32-digit ID number and a link to their appointment request page. This URL has no authentication or credential control whatsoever. Anyone can use the link to view the personal information.

      Security-by-obscurity is not a reliable method, or industry standard, way of securing personal data. Authentication and credential management are an essential strategies that should be taken into high consideration in every area where user information is accessed.

      Read more...

      Know Your Breach: MyRepublic

      The target: MyRepublic, a Singapore based Internet Service Provider

      The take: 80,000 user records containing personally identifiable information such as:  national identity cards with photos and addresses, names, copies of utility bills needed for verification, and mobile phone numbers.

      The attack vector: The occurred due to unauthorized external access to from a 3rd party vendor employed by MyRepublic to store the firm’s documents needed for registration with their mobile service.

      This breach highlights the risks of using third party vendors as the personal information exposed could lead to high targeted phishing attacks against the firm’s users. Up to date monitoring on where and what systems a firm’s data resides on, and regular audits on the effectiveness of the deployed protections, is essential for maintaining the expected industry standard of cybersecurity.

      Read more...

      Know Your Breach: T-Mobile

      The target: T-Mobile, a U.S based cellphone carrier.

      The take: Exposure of Personally Identifiable Information of 50 million customers including: addresses, social security numbers, dates of birth, drivers’ licenses, and a small number of account PINs.

      The attack vector: The attacker penetrated T-Mobile’s IT systems through an unsecured router, using the lack of credential controls as a launchpad to steal data.

      Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access in a firm’s IT network. An unprotected point of entry on a key piece of equipment like a router can lead to a breach with a cascading effect on data exposure.

      Read more...

      Know Your Breach: Revere Health

      The target: Revere Health, a Utah based multispecialty physician group. 

      The take: Personally Identifiable Information of 12,000 patients including: medical record numbers, dates of birth, provider names, and procedures and insurance names.

      The attack vector: An employee of Revere Health fell victim to a phishing attack, allowing the attacker control of their email account.

      Phishing attacks against individual employees remain one of the greatest security threats to an entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.

      Read more...

      Know Your Breach: Ford

      The target: Ford, a U.S based maker of automobiles.

      The take: Exposure of Personally Identifiable Information including: customer and employee records, finance account numbers, database names and tables, internal support tickets, user profiles, and authentication access tokens,  

      The attack vector: A known vulnerability present in one of Ford’s misconfigured customer management interfaces named Pega Infinity, could have allowed an attacker access to the backend web panel. From here, they could execute malicious commands through the URL to retrieve data base tables, run queries, and more critically, perform administrative actions.

      This breach highlights the importance of having processes in place to update software in a timely manner, an essential part of complying with industry standard cybersecurity practices. Furthermore, this exposure also demonstrates how one exposed point of access can have a cascading and multiplying effect on the severity of a breach.

      Read more...

      Know Your Breach: Reindeer

      The target: Reindeer, a U.S-based online marketing company.

      The take: The exposure of 50,000 records of Personally Identifiable Information including: names, addresses, date of birth, email addresses, Facebook ID’s, and phone numbers.

      The attack vector: Reindeer failed to secure this AmazonS3 bucket with any credential management whatsoever, allowing anyone with an internet connection to access the data.

      While Reindeer is no longer in operation, the data they held belonged to firms that are currently operating, and this breach highlights not only the necessity of robust credential controls, but also the risks of using third party vendors. Up to date monitoring on where and what systems a firm’s data resides on is essential for maintaining the expected industry standard of cybersecurity.

      Read more...

      Know Your Breach: UC San Diego Health

      The target: UC San Diego Health, the academic health system of the University of California. 

      The take: Exposure of personally identifiable information including: full name, address, date of birth, email, fax, claims information, medical diagnosis and conditions, social security number, student ID number and password, payment card number or financial account number.

      The attack vector: The breach occurred when an employee clicked on a phishing email and unknowingly gave away their login credentials, company username and password, to the attackers. Using the employee’s legitimate credentials, the threat actors accessed the sensitive data.

      Phishing attacks against individual employees remain one of the greatest security threats to an entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.

      Read more...

      Know Your Breach: Lake County Health Department

      The target: Lake County Health Department, a Chicago-based centre for management of health services.

      The take: Exposure of name, date of birth, phone number, email address, and Covid-19 vaccination status for over 700 patients.

      The attack vector: The data was exposed through an unsecured Google sheet saved on an employee’s private Google Drive account which was being accessed by company employees.

      This breach is a critical reminder of the importance of robust security controls wherever customer data is concerned. Using private services poses a great threat as these are not subject to a company’s cybersecurity standards, and nor are their authentication controls in place. It also exposes the data to credential stuffing attack. If the employees personal account was compromised anywhere else, access to the company data is now at risk. Strict separation between personal and professional IT systems is critical for maintain an accurate picture of access and control.

      Read more...

      Know Your Breach: Artwork Archive

      The target: Artwork Archive, an online platform used to connect artists and buyers based in Denver, Colorado.

      The take: 200,000 records of Personally Identifiable Information including: first and last name, physical addresses, email addresses, phone numbers, and purchase details with sales agreements.

      The attack vector: An unsecured Amazon S3 storage server was misconfigured, allowing anyone with an internet connection to access and download the data.

      The exposure of personal information can lead to highly targeted phishing and fraud attacks. Given how detailed the information was in this exposure, the threat of spear-phishing campaigns is high. Use of authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ industry standard practices of credential management, user authentication and validation, around all storage of customer data.

      Read more...

      Know Your Breach: Morgan Stanley

      The target: Morgan Stanley, an investment banking firm providing banking, securities, and wealth management services worldwide.

      The take: Stock plan participant’s names, addresses, dates of birth, social security numbers, corporate company names.

      The attack vector: The breach occurred within a third-party vendor, Guidehouse, used by Morgan Stanley. Guidehouse in turn was using Accelion’s FileTransferApplication, which had been compromised earlier this year. Using a known exploit in Accelion’s FTA service, attackers were able to penetrate Guidehouse’s systems and access files Morgan Stanley had stored there. While the data was encrypted, access to the decryption key was also not secure, allowing the attackers to steal and read the data.

      This incident highlights the ease with which a single breach can lead to a pivot into other systems. While Morgan Stanley’s own systems were not at risk, their data was stored with a third-party who failed to fully secure their own systems by using an exploited piece of software. The cascading nature of data breaches cannot be understated, and every effort should be made by firms to secure their data no matter where it is being stored.

      Read more...