learn more

Industry News: ESG5

Know Your Breach: NHS

The target: The NHS, the United Kingdom’s national healthcare service provider.

The take: 284 records of personally identifiable information including: names, dates of birth, contact information, and hospital identification numbers.

The attack vector:  The breach was the result of human error and internal process failure when a spreadsheet containing the personal information was accidentally emailed to thirty-one individuals outside the NHS.

This incident could have been avoided with the implementation of data classification controls – appropriate tagging of sensitive materials could have provided an additional stopgap before this document left internal systems. Ultimately, this breach serves as an important reminder that wherever sensitive personal data is in play, vetted processes should be implemented and followed, with regular training and reminders, to ensure its protection. It is an organization’s responsibility to provide the tools and training necessary to maintain safe and consistent approaches to handling data, and to impress upon staff the importance of adherence to procedure.


Know Your Breach: Apodis Pharma

The target: Apodis Pharma, a France based digital supply chain management company.

The take: 1.7 Terabytes of information including: 4,400 records of client, partner, and employee names. 17 million records of confidential sales data, prices, and order quantities between Apodis and their customers.

The attack vector: A publicly accessible Kibana dashboard was left unsecured and accessible to anyone with an internet connection. This Kibana dashboard gave access to the database, exposing all of the contained information inside.

Compromised management software can lead to a waterfall effect of exposures. Robust credential control around software which grants multiple levels of access is extremely critical to maintaining a firm’s security. This breach highlights the importance of the management of employee tools and how they are accessed, used, and secured, offering a stark reminder of how tightly managed access should be.


Know Your Breach: Levitas

The target: Levitas, an Australian based hedge fund manager.

The take: $8 million

The attack vector: The attack was initiated when one of the founders clicked on a fake Zoom meeting link. This gave the attackers the ability to inject their own malicious software to take control of the high level email account, and with these powerful credentials in hand, the attackers created fake invoices for a bogus company and then sent requests for payments to be made from the firm. Authorizations from the compromised email account were sent shortly after the requests, prompting the transference of funds to the unknown companies. The threat actors then withdrew the cash.

This breach demonstrates the critical nature of verification processes, and the inherent power of high level credentials and their management. There were several flags raised along throughout the scheme and this attack shows just how important it is to review, verify, and certify transactional processes no matter to origin within a firm.


Know Your Breach: TronicsXchange

The target: TronicsXhange, a California-based electronics retailer

The take: 80,000 images of personal identification cards and 10,000 fingerprint scans. Information included: driver license number, full name, birthday, home address, gender, hair and eye color, height and weight, and a photo of the individual. 

The attack vector: The breach occurred when an unsecured Amazon S3 bucket was discovered online even after the company had ended its operation. The database was connected with no password protection meaning anyone who found the correct URL could access and freely download the data. 

The breach is serious as the sensitive information stored could lead to severe cases of fraud. Asset management is a critical procedure for any company, and the fact that this server was kept online even after the company had supposedly closed its doors for business highlights the extreme importance of proper decommissioning procedures to ensure sensitive information is securely destroyed or taken offline.


Know Your Breach: Vertafore

The target: Vertafore, a U.S based insurance provider. 

The take: 27.7 million records of personally identifiable information including: driver license numbers, first and last names, date of birth, address, and vehicle registration history. 

The attack vector: Three database files containing the above information were placed, through human error, on an unsecured external, third-party storage service with no authorization access. Meaning anyone with an internet connection had the ability to access and download the data.

This breach highlights the importance of robust cybersecurity protocols and processes. Rigid steps around the transfer andmovement of data is needed to ensure maximum protection of sensitive information, with multiple checks to verify that the destination of the information is secure and expected safeguards are in place. When data is moved, the proper controls commensurate with the sensitivity of the data must travel with it.


Know Your Breach: GrowDiaries

The target: GrowDiaries, an online community for marijuana growers.

The take: 2 million user records including: usernames, email address, IP addresses, user posted articles, and user account passwords. 

The attack vector: The breach occurred because of a credential management and best practice failure . The site failed to secure its database management application, Kibana, which was left exposed online with no password protection, allowing anyone with an internet connection to access the site. Furthermore, passwords stored in one of the databased were encrypted with weak format known as MD5, which is insecure and can be easily cracked.

Management applications which grant access to user data should always be secured with commensurate levels of security protection. In addition to securing all access points, protection of data ‘at rest’ should include rigorous controls around password tables including hashing, salting, and strong encryption to ensure that if a breach does occur, the damage to clients is mitigated as much as possible.


Know Your Breach: Gunnebo

The target: Gunnebo, a Swedish-based security firm.

The take: 38,000 sensitive company documents including: schematics of client bank vaults and surveillance systems, blueprints for monitoring and alarm equipment, and security function of Automatic Teller machines.

The attack vector: Compromised credentials to an employee’s Remote Desktop Protocol account which had a password of ‘password01’. While the confirmation of this particular RDP account’s role in the attack is unverified, security researchers highlight the extremely poor password hygiene here and infer this practice is likely widespread within the firm.

The breach highlights the critical important of robust password polices. Length, complexity, and aging standards for every company account are invaluable to preventing credential compromise.


Know Your Breach: MAXEX

The target: MAXEX, an Atlanta-based residential mortgage trading company.

The take: 9GB of internal company and client data including: confidential banking information, login credentials, emails, penetration test reports, and full mortgage documentation for 23 individuals.

The attack vector: The breach took place due to an unsecured, publicly exposed Jenkins server. A server of this type is used in a variety of highly sensitive activities in the operation and development of software applications. Notably in this breach, MAXEX had stored login credentials in plain text with enough permissions to compromise many of its other systems.

This breach highlights the importance of properly securing data. Furthermore, it underscores the critical importance of credential management as a compromise in one system can easily lead to a pivot to other systems, which can have a cascading negative impact upon company and client data.


Know Your Breach: Broadvoice

The target: Broadvoice, a Voice-over-IP service provider.

The take: 350 million total customer records of personally identifiable information including: full names, date of birth, phone number, and voice-mail transcripts with highly sensitive details such as medical records, loan applications, and mortgage information.

The attack vector: A misconfigured Elasticsearch database housing 10 separate clusters of data. There was no authentication or security in place meaning anyone with an internet connection could have full access to the data. These storage servers are easily discoverable with scanning tools available to administrators and malicious attackers alike.

The type of data exposed in this breach poses enormous risk for Broadvoice’s customers as the intricate details leaked, in voice calls and prescription records for example, would give phishing and fraud attacks a high chance of success. This breach demonstrates the extreme importance of securing access to a firm’s data. Proper authentication, monitoring, and credential management are some of the critical tools which can be implemented to prevent these occurrences.


Know Your Breach: Snewpit

The target: Snewpit, an Australian-based news sharing platform. 

The take: 80,000 user records of personally identifiable information including: usernames, full names, email addresses, profile pictures, and log data detailing the amount time users spent on the app and other behaviour metrics.

The attack vector: The information was exposed on an improperly secured, and publicly accessible, Amazon Web Services server. Bad actors can locate these unsecured storage buckets very easily and the complete lack of security on the database means the records were open to anyone with an internet connection.

The combination of data exposed in this incident could lead to very targeted and successful scams by fraudsters. Personally Identifiable information helps these attackers build a complete profile of their victims, and in this case, the log data which outlined the actions taken by users on Snewpit’s app greatly increases the credibility of their scams, vastly increasing the chance they are successful. Data and credential management are critical for ensuring sensitive information is stored safely and securely.