Please fill in the form below to subscribe to our blog

Categories

Tags

Australia BullPhishID BullPhish ID Canada commercial credential stuffing cyberattack cybercrime cybersecurity Dark Web dark web credential loss Dark Web ID dark web monitoring dark web threat Data Breach Data Breach Alerts data compromised data loss prevention data theft France hacking healthcare insider threats Japan MSPs MSP Solutions MSP Space nation-state hackers Passly passwords phishing phishing resistance phishing resistance training ransomware remote working retail security security awareness training SMB cybersecurity stolen credentials supply chain risk The Week in Breach third party risk United Kingdom United States

The Week in Breach: 07/02/18 – 07/06/18

July 11, 2018

While it has been a slow week in terms of the number of breaches, the severity of the breaches that did occur this week is nothing short of disturbing. The information exposed on the open web by ALERRT could be used with far-reaching effects…including both physical and permanent consequences. A cyber-attack conducted against a small business hosting provider in Australia also highlights a “WORST case” scenario for a breach.

I strongly encourage everyone to check out their website here for a sobering reminder of what a company crippled by a breach looks like. When you cannot contact your customers to tell them that you have been breached, because you don’t even have a complete list of who your customers are… well, this is a good example of how damaging a breach can be.
In other news…

  • GDPR is inspiring others around the globe to enhance privacy and breach notification laws!
  • Hey T-Mobile Customers, are your photos safe?
  • Big Brother aka “Google” is exposing us again!

Privacy and Breach Notification Laws are Spreading Globally
California has enacted a law similar to GDPR. This statute is widely regarded as one of the strongest privacy laws in the country and goes into effect in 2020, giving those who do business in the state some time to prepare for the change. The bill assures that organizations have to tell a consumer if their data is being collected, who it will be shared with, and the business purpose for collecting personal data.
https://www.darkreading.com/attacks-breaches/californias-new-privacy-law-gives-gdpr-compliant-orgs-little-to-fear/d/d-id/1332217

Cali is not the only place that was inspired by the implementation of GDPR. Brazil has passed a data protection bill in early June that if made into law, would prevent organizations from collecting and processing Brazilians’ data without informing users. Breaches are also covered by the bill, which requires organizations to report breaches immediately with fines up to 4% of revenue for those who don’t comply.
https://www.zdnet.com/article/brazil-moves-forward-with-online-data-protection-efforts/

Hello… Photos.
Those who have Samsung phones should be careful what they keep in their photo gallery! There are reports of Galaxy users having their photos sent to random contacts without their knowledge. This bug seems to only affect T- mobile users, but it is probably best to lean on the side of caution, considering the ramifications of sending the wrong photo to the wrong person.
https://techcrunch.com/2018/07/02/some-samsung-users-say-their-phones-randomly-sent-photos-to-contacts/

Gmail has its eye on you!
Google has been allowing third parties to read through people’s inboxes, according to a report by the Wall Street Journal. While the creator of Gmail has promised to stop scanning emails on their platform to curate ads, the organization has been allowing third parties to access inboxes if the user has opted into email-based tools like travel itinerary planners. These third parties are not just using AI to snoop through messages either…oftentimes employees of the organization go digging for information themselves.
https://www.nbcnews.com/tech/security/google-reportedly-allowed-outside-app-developers-read-user-emails-despite-n888571

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!

 Australia – Cyanweb Solutions – Total Devastation Event

Exploit: DDos Attack, Web server compromise, data encryption/ ransomware & data destruction.

Risk to Small Business: Extreme/Total Devastation: This is a catastrophic event impacting Cyanweb and its 400 customers that relied on them for web hosting.

Risk to Exploited Individuals: Extreme/ Total Devastation: This breach may devastate the businesses that relied on Cyanweb. This will also impact those businesses downstream customers and the employees of the impacted businesses. The goal was maximum data loss/ total devastation.

Cyanweb Solutions: Digital marketing and web provider based in Perth.

Date Occurred/Discovered: June 27th, 2018

Date Disclosed: July, 2018

Data Compromised: Only 12% of customer data survived the attack. 1200- 2500 man hours of work between the 3 employees is estimated for a full recovery.

How it was compromised: A ‘professional’ group distracted the admin with a DDoS attack while simultaneously infiltrating the server and delivering a ‘seek and destroy’ payload.

Customers Impacted: 435 accounts.
https://www.crn.com.au/news/perth-web-hosting-provider-cyanweb-solutions-hit-by-criminal-hacking-data-and-backups-lost-496455
https://www.cyanweb.com.au/

United States – ALERRT

Exploit: Negligence (no password required to access web server.)

Risk to Small Business: High: A breach that is a result of negligence dramatically reduces confidence in the company by consumers.

Risk to Exploited Individuals: Extreme: Compromised PII, password and correspondence that can be used to target and exploit individuals including law enforcement.

ALERRT: A federally funded active shooter training center for law enforcement.

Date Occurred/Discovered: June 2018

Date Disclosed: June 2018

Data Compromised:  

  • Work contact information
  • Personal email addresses
  • Work addresses
  • Cell numbers
  • Who has taken ALERRT courses, with feedback
  • Full name of those who took the course
  • Zip code
  • Histories on instructors
  • Instructors skills and training
  • Names of instructors
  • Geolocations of:
    • Schools
    • Courts
    • Police departments
    • City halls
    • Places where people gather such as universities and malls
  • Officers home addresses
  • 85,000 emails between staff and trainees dating back to 2011 including:
    • Password reset emails
    • Names
    • Email addresses
    • Phone numbers
    • The courses taken
    • When the courses were offered
  • Highly sensitive information about weaknesses in response ability

Customers Impacted: 65,000 officers, but this information could be harmful to anyone in the U.S. given how it could be used by domestic terrorists or other bad actors.
https://www.zdnet.com/article/a-massive-cache-of-law-enforcement-personnel-data-has-leaked/

UK – National Health Service

Exploit: Coding error/ misconfiguration leading to privacy violation.

Risk to Small Business: High: A breach of this size that essentially mislead those who specifically requested for their health information to be kept private would shake the trust of any customer. Privacy laws, including the EU’s GDPR, will impose harsh fines and penalties for similar incidents moving forward.

Risk to Exploited Individuals: Low: the data was exposed externally and picked up by hackers.

National Health Service: The public health services in the United Kingdom.

Date Occurred/Discovered: March 2015 – June 2018

Date Disclosed: July 2nd, 2018

Data Compromised: 

  • Health Data

How it was compromised: A supplier defect that did not properly indicate that the patient’s data was to be only used for medical treatment.

Customers Impacted: 150,000
https://cyware.com/news/nhs-data-breach-exposing-150000-patients-sensitive-health-details-blamed-on-coding-error-40aa0ccf

https://www.parliament.uk/business/publications/written-questions-answers-statements/written-statement/Commons/2018-07-02/HCWS813/

 A note for MSPs to their customers:

Often times there is no “why”, just a “because”!

The Cyanweb Solutions breach was well organized and a caused catastrophic damage to both Cyanweb and the hundreds of customers that replied on them for hosting support. It’s nearly impossible to quantify the overall financial impact that this breach has caused.  

When conducting post-breach forensics, the first question often asked is “why” – what was their motivation to destroy this small business? Often times, the answer is “because they could”.  The group conducted this takedown overwhelmed Cyanweb with a massive DDos attack, and while distracted, they compromised the servers, escalated their access, encrypted user data and proceeded to destroy almost everything – including backups. It did not take long for Cyanweb to discover the attack, but by the time they did, 88% of their data was permanently deleted.

This attack demonstrates how quick and devastating an attack can be on a small business.  Cyanweb was a trusted provider to hundreds of organizations, yet they lacked the proper security controls to secure their customer’s data, thus breaching their fiduciary responsibility. Whether we like it or not, we have to proactively invest in cybersecurity solutions to protect the continuity of our business and ensure those that count on us are secured. 

Regardless of the size of your business or the industry we’re in, we’re all targets.   

Are you an ID Agent Partner? Feel free to re-use this blog post (in part or in entirety) for your own social media and marketing efforts!  Just send an email to [email protected] to let us know! And be sure to reference your Empowerment resources where we’ve added graphics to accompany this week’s breach data.