The target: Magellan Health, a for-profit managed health care and insurance firm
The take: Names, addresses, employee ID numbers, W-2 or 1099 details, social security and Taxpayer ID numbers, and in some cases, usernames and passwords for an undisclosed number of ‘current employees’.
The attack vector: After an initial round of phishing e-mails, the attackers obtained user credentials and accessed internal systems, deployed software to capture the login credentials of additional staff, and exfiltrated personal employee information before launching a ransomware attack on Magellan’s systems some days later.
This example illustrates the cumulative and progressive nature of a breach once it has begun – no cyber-attack exists in isolation. Once attackers hold privileged accounts and systems they can pursue several objectives in sequence: exfiltrating sensitive data first, then triggering ransomware on internal systems, whether to distract from the earlier theft or purely for financial gain. Security controls must therefore be layered, so that the failure of a single control (here, the phishing e-mails that yielded the first set of credentials) does not place the rest of the chain, from credential harvesting to data theft to ransomware, beyond detection and containment.
The target: Covve, an ‘intelligent contact management solution’.
The take: a 90GB database containing names, e-mail addresses, phone numbers, business names & titles, social networking links and personalized notes affecting more than 23 million individuals.
The attack vector: While this incident was, at its core, another all too familiar instance of an unsecured database left publicly exposed, the notable factor in this breach is that the personally identifiable information leaked was not that of the service’s own users. Since Covve is a contact management app, the names, contact details, notes and social networking handles that were exposed belong to the people in its users’ address books, individuals who do not use, and in most cases never have used, the service.
From an individual standpoint, this breach highlights just how challenging it can be to maintain control over personal information – 23 million people, through no action of their own, saw their personal information exposed in this breach. From an organizational standpoint, again – a firm must be acutely aware of the kind of data they are storing and processing, and be able to ensure that it is being handled and protected in a manner commensurate to the sensitivity of that data.
The target: Norfund, a Norwegian state-owned Private Equity company.
The take: $10 million USD, diverted from a microfinance institution in Cambodia to a Mexican bank account.
The attack vector: Attackers gained access to Norfund’s e-mail system, likely via a phishing attack, and studied correspondence between Norfund and its partners. This allowed them to identify those responsible for money transfers and to create a false Norfund e-mail address impersonating the individual authorized to wire large sums via the bank. They then diverted a payment intended for the Cambodian institution to a Mexican bank account fraudulently opened in the same name. By continuing to correspond in both directions, with Norfund employees and with the Cambodian institution, the attackers delayed discovery of the fraud by more than a month, by which time the banks were unable to reverse the transfer.
This is, unfortunately, yet another example of a sophisticated business e-mail compromise attack, in which a very capable group used access to an internal system to learn the patterns, habits and procedures of an organization and then exploited them. Addressing complex threats like this one requires equally complex, multi-levelled controls: phishing training for users and two-factor authentication on e-mail accounts, monitoring of access to e-mail systems (including newly created mailbox rules and logins from unfamiliar locations), and robust, layered controls around cash transfers that require confirmation over more than one verifiable channel.
The target: Small Business Administration (SBA), a US government agency that supports entrepreneurs and small businesses.
The take: Up to 8,000 applications for Economic Injury Disaster Loans may have been improperly exposed to other applicants, including such sensitive data as social security numbers, addresses, phone numbers, dates of birth, income and financial/insurance information.
The attack vector: A flaw in the caching configuration of the online loan application portal, implemented to accommodate increased demand, meant that when one applicant pressed the ‘back’ button in their web browser during the application process, they may have been served a page containing the application data belonging to another business.
Scalability of critical infrastructure is an essential component of web applications and electronic tools – sudden increases in demand for certain services are a reality in the face of the evolving COVID-19 pandemic. It is equally critical, however, that system capacity is not bought at the expense of security controls. A caching layer introduced under load is a security change as much as a performance change: any response that renders one user’s data must be excluded from shared caching, or keyed to that user’s session, or it will sooner or later be served to someone else.
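As an added example (not code from the SBA portal or from the article’s author), the check below takes HTTP response headers as a practitioner would read them from a proxy log or a browser’s network tab and reports whether a shared cache is permitted to store the response. A weak configuration of the kind described above sits beside the corrected one. Header values, paths and the per-path PII flags are constructed for illustration.

```python
"""Check whether HTTP responses carrying applicant data may be stored by a shared cache.

Added example, not the SBA portal's code. Header sets, paths and PII flags below
are constructed for illustration.
"""
from typing import Dict, List, Tuple


def _directives(cache_control: str) -> Dict[str, str]:
    """Parse 'public, max-age=300' into {'public': '', 'max-age': '300'} (names lower-cased)."""
    parsed: Dict[str, str] = {}
    for part in cache_control.split(","):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            parsed[name.strip().lower()] = value.strip().strip('"')
    return parsed


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """Return True if a shared (proxy/CDN/portal-side) cache is allowed to keep this response.

    RFC 7234: 'no-store' forbids every cache and 'private' forbids shared caches.
    Anything else, including a response with no freshness information at all
    (which a cache may fill in heuristically for a 200), leaves the door open.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = _directives(lowered.get("cache-control", ""))
    return not ("no-store" in directives or "private" in directives)


# Weak: added under load so the portal could absorb demand; lets a shared cache
# hand one applicant's rendered page to the next request for the same URL.
WEAK_PII_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "public, max-age=300",
}

# Hardened: the page is never written to any cache, shared or browser-local.
HARDENED_PII_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",  # for HTTP/1.0 intermediaries that ignore Cache-Control
}

# Constructed sample of (path, response headers, does the body contain applicant data).
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str], bool]] = [
    ("/static/app.css", {"Cache-Control": "public, max-age=86400"}, False),
    ("/application/step2", WEAK_PII_RESPONSE, True),
    ("/application/step3", HARDENED_PII_RESPONSE, True),
    ("/application/review", {"Content-Type": "text/html"}, True),  # no caching headers at all
]


def audit_pii_responses(responses: List[Tuple[str, Dict[str, str], bool]]) -> List[str]:
    """Return the paths whose responses carry PII yet may be stored by a shared cache."""
    return [path for path, headers, has_pii in responses
            if has_pii and shared_cache_may_store(headers)]


if __name__ == "__main__":
    for path in audit_pii_responses(SAMPLE_RESPONSES):
        print(f"FLAG {path}: PII response is storable by a shared cache")
```

Note that `private` still permits the user’s own browser cache to keep the page, which is enough for the back button to replay it on a shared terminal; for pages that render an applicant’s data, `no-store` is the directive to use. The hardened sample leaves the static asset fully cacheable, so the fix costs nothing in capacity.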
The target: Council of the City of Sheffield in South Yorkshire, England
The take: 8.6 million records of vehicle movements, labelled with license plate numbers and millions of photographs from the county’s 100 surveillance cameras.
The attack vector: The city’s Automatic Number Plate Recognition (ANPR) system was left exposed and publicly available to anyone with an internet connection – furthermore, the internal dashboard on this exposed system employed absolutely no password protection or other method of authentication. Anyone with the public IP address of the system could immediately access and search the system by license plate number, potentially allowing bad actors to recreate the travel patterns and movements of individual citizens, minute by minute.
As we have previously emphasized, security controls must be commensurate with the sensitivity of the data being stored, and must travel with that data throughout its lifecycle. When personally identifiable information is collected and processed, best practice prescribes multiple compensating layers of protection (at minimum, authentication on every interface and no direct exposure to the public internet), as the consequences of a breach of such data can include falling afoul of the GDPR and of privacy legislation in other jurisdictions.
The target: Three large UK and Israeli-based Private Equity firms, among others, were targeted by an organized criminal enterprise dubbed ‘The Florentine Banker’ by security researchers.
The take: 1.1M GBP, transferred to fraudulent bank accounts, only about half of which was recovered.
The attack vector: The unnamed victims were targeted with a prolonged business e-mail compromise attack, where targeted phishing e-mails were sent to various employees, until eventually, attackers had access to multiple e-mail accounts. Over time, the attackers reviewed correspondence in these accounts to compile an overview of the structure of the firms, relationships with outside parties, and gained an understanding of the channels and procedures used to move money. From there, they added mailbox rules to redirect messages pertaining to wire transfers, and interjected themselves into those conversations using look-alike domains in order to intercept and redirect funds.
This story highlights the vital importance of compensatory controls and secondary validation steps around critical actions like transfer of cash (voice/video confirmation of the details of an e-mail request, for example). Furthermore, incidents like these serve to highlight the necessity of enabling (and enforcing) two-factor authentication on e-mail accounts and rigorous social engineering training and testing of staff to help prevent compromise. Ultimately, firms must nurture a culture of critical thought and encourage employees to question requests or actions which seem out-of-the-ordinary.
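The Norfund and Florentine Banker cases above share two technical tells: a sending domain built to resemble a legitimate counterparty, and mailbox rules that divert payment-related mail out of the victim’s sight. As an added example (not code from any of the firms or researchers involved), the script below implements both checks over constructed data: a list of known counterparty domains, a few candidate sender domains, and mailbox-rule records shaped like the fields an administrator’s audit export would carry. All domain names, folder names, keywords and rule fields are assumptions for illustration.

```python
"""Two BEC tripwires: look-alike sender domains and mail-diverting inbox rules.

Added example, not code from any firm or researcher named above. Domains,
folder names, keywords and rule records are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed: domains the finance team legitimately corresponds with.
KNOWN_DOMAINS: Set[str] = {"norfund.example", "partnerbank.example", "microfin-kh.example"}

# Folders attackers favour because users rarely look there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive",
                  "junk email", "conversation history"}

PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|remittance|swift|iban|bank)\b", re.I)


def _skeleton(domain: str) -> str:
    """Collapse common confusables so 'n0rfund' and 'norfund' compare equal."""
    lowered = domain.lower().replace("rn", "m").replace("vv", "w")
    return lowered.translate(str.maketrans("0135", "oles"))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short domain names."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,               # delete
                               current[j - 1] + 1,            # insert
                               previous[j - 1] + (ca != cb))) # substitute
        previous = current
    return previous[-1]


def lookalike_of(sender_domain: str, known: Set[str] = KNOWN_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the known domain this sender imitates, or None if exact or unrelated."""
    sender = sender_domain.lower().strip()
    if sender in known:
        return None
    sender_skel = _skeleton(sender)
    for candidate in sorted(known):
        cand_skel = _skeleton(candidate)
        label = cand_skel.split(".")[0]            # 'norfund' from 'norfund.example'
        if (sender_skel == cand_skel
                or _edit_distance(sender_skel, cand_skel) <= max_distance
                or label in sender_skel):           # e.g. 'norfund-group.example'
            return candidate
    return None


def suspicious_rules(rules: List[Dict]) -> List[str]:
    """Return names of inbox rules that hide, delete or externally forward payment mail.

    Each record carries the fields an admin audit export would: name, keywords
    (subject/body filter, empty = every message), move_to, forward_to, delete,
    internal_domain.
    """
    flagged = []
    for rule in rules:
        move_to = (rule.get("move_to") or "").lower()
        forward_to = (rule.get("forward_to") or "").lower()
        hides = move_to in HIDING_FOLDERS
        forwards_out = bool(forward_to) and not forward_to.endswith("@" + rule["internal_domain"].lower())
        deletes = bool(rule.get("delete"))
        keywords = rule.get("keywords") or []
        # A rule with no filter catches everything, payment mail included.
        topical = not keywords or bool(PAYMENT_TERMS.search(" ".join(keywords)))
        if (hides or forwards_out or deletes) and topical:
            flagged.append(rule["name"])
    return flagged


# Constructed audit records, not real tenant data.
SAMPLE_RULES = [
    {"name": "Newsletters", "keywords": ["newsletter"], "move_to": "Newsletters",
     "forward_to": None, "delete": False, "internal_domain": "norfund.example"},
    {"name": ".", "keywords": ["wire", "transfer", "invoice"], "move_to": "RSS Feeds",
     "forward_to": None, "delete": False, "internal_domain": "norfund.example"},
    {"name": "Backup", "keywords": [], "move_to": None,
     "forward_to": "cfo.norfund@webmail.example", "delete": False, "internal_domain": "norfund.example"},
]

if __name__ == "__main__":
    for sender in ["norfund.example", "n0rfund.example", "norfund-group.example", "gmail.example"]:
        print(f"{sender:25} -> {lookalike_of(sender)}")
    print("suspicious rules:", suspicious_rules(SAMPLE_RULES))
```

Against a live tenant the inputs are the real inbox-rule export and the finance team’s real counterparty list. The look-alike match is deliberately loose (confusable-character skeleton, small edit distance, or the counterparty’s label embedded in a longer name) because the cost of a false positive is a phone call, while the cost of a miss is a wire transfer.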
The target: General Electric, a Fortune 500 technology firm
The take: Personally identifiable information and documentation of current and former employees, as well as their beneficiaries – including direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, child support orders, and many others.
The attack vector: While GE’s own systems were not compromised, GE were notified by a service provider of a breach affecting their data. Canon Business Process Services reported that one of its employees’ e-mail accounts was accessed by an unauthorized party for just under two weeks in February of this year. That employee processed data on behalf of GE, so the attackers gained access to the confidential documents listed above.
Service provider relationships continue to pose increasing challenges for firms in today’s security landscape, as subcontracted entities may handle a firm’s sensitive data, be that business-critical data or the PII of its employees. A firm is ultimately responsible for its data regardless of whether it or a subcontractor is handling it, and as such, a firm’s own security controls must follow that data and extend to third-party processors.
The target: MCA Wizard, a now defunct mobile app for loaning money to small business owners developed jointly by Advantage Capital Funding and Argus Capital Funding in 2018.
The take: 425GB of data comprising over 500,000 documents, including credit reports, bank statements, contracts, legal paperwork, driver’s licenses, purchase orders & receipts, tax returns, social security information and more.
The attack vector: Even though the app itself was pulled from both Google Play and the App Store, the data behind it remained online, stored in an unsecured AWS S3 bucket which was accessible without a password. Security researchers noted that while the app was no longer available, new documents were being added to the database right up until its removal, suggesting that another application or service could have been using the same bucket.
While this is yet another example of a misconfigured storage bucket, it also raises the issue of security controls and management of the lifecycle of data. If an app or service reaches its end of life, there is absolutely an onus on the responsible firm to manage any sensitive data collected or processed by that app through to secure deletion.
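As an added example (not code from Advantage Capital Funding, Argus Capital Funding or the researchers), the function below evaluates an S3 bucket policy document offline and returns the statements that let an anonymous principal read the bucket or its objects. A constructed policy with the weak grant sits beside a corrected one scoped to a single, hypothetical IAM role; the bucket name, account ID and role name are placeholders.

```python
"""Find S3 bucket-policy statements that grant anonymous read access.

Added example, not code from the firms or researchers named above. The two
policies are constructed; bucket name, account ID and role name are placeholders.
Object ACLs and the account-level Block Public Access setting are not visible
to this check and must be reviewed separately.
"""
import json
from typing import Any, List

# Actions (lower-cased) that expose bucket contents; wildcards covered explicitly.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str) -> List[str]:
    """Return Sids (or positional labels) of Allow statements that let anyone read.

    A Condition block may narrow the grant (for example to a source IP range), but
    such statements are reported anyway so a human confirms the condition is
    actually restrictive; they are easy to get wrong.
    """
    policy = json.loads(policy_json)
    flagged: List[str] = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(statement.get("Principal")):
            continue
        actions = {str(a).lower() for a in _as_list(statement.get("Action", []))}
        if actions & READ_ACTIONS:
            flagged.append(statement.get("Sid", f"statement[{index}]"))
    return flagged


BUCKET_ARNS = ["arn:aws:s3:::example-loan-docs", "arn:aws:s3:::example-loan-docs/*"]

# Weak: every document in the bucket is readable without credentials.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppDocs",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": BUCKET_ARNS,
    }],
})

# Hardened: read access is limited to the backend role (hypothetical ARN), and a
# Deny with Principal "*" (which this check correctly ignores) blocks plain HTTP.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppDocs",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/loan-app-backend"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": BUCKET_ARNS,
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("weak policy  :", public_read_statements(WEAK_POLICY))
    print("hardened     :", public_read_statements(HARDENED_POLICY))
```

A policy audit covers only one of the places public access can be granted: bucket and object ACLs and the account-level Block Public Access setting must be checked as well. The lifecycle point above also still stands: when an app is retired, the remediation for its bucket is to delete the data, not merely to tighten a policy on storage nobody remembers owning.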
The target: Virgin Media, a British telephone, television and internet provider
The take: ‘Limited contact information’ of 900,000 customers, including names, home and e-mail addresses, and phone numbers along with some birth dates and technical and product information.
The attack vector: A misconfigured marketing database left the information exposed for nearly a year, and was confirmed to have been accessed ‘on at least one occasion’ by an outside party.
This incident highlights the need to establish and verify regimented security controls anywhere an organization stores personally identifiable information, marketing databases included. Security controls must always be commensurate with the type of data being stored, and they must travel with that data to protect the firm and its clients from a data breach.
The target: Angeles Investment Advisors, an asset manager based in Santa Monica, California
The take: The e-mail account of Michael Rosen, Chief Investment Officer, was compromised and used to send a bogus ‘bid for proposal’ link to his contacts.
The attack vector: While details have not been published at this time, the initial compromise of Rosen’s account was most likely the result of a targeted phishing attack. Once the attackers controlled his e-mail account, they sent a malicious attachment to his contact list and even replied to recipients who questioned the legitimacy of the message, assuring them that the attachment was safe and that they should open it immediately.
One of the most insidious risks in an e-mail compromise is that the compromised account will be used as a pivot point, and that the trust in that individual will be exploited for criminal gain. These attacks highlight not only the need to ensure that technical controls are in place to prevent accounts from being compromised in the first place – but also the need to train staff to think critically about the content of messages they receive, and to confirm any suspicious communications or requests via a separate channel of communication.