The Week in Breach: 5/7/18 – 5/14/18
Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.
Student of The Month in California!
Phish Teacher, Change Grades, Get Felony! You can’t make this stuff up!
Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?
What we’re listening to this week:
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!
Highlights from The Week in Breach
- Retail Point of Sale Systems (POS) can’t catch a break! can’t get their s*** together.
- Healthcare insider threat strikes again.
- Your legal case may have been closed… or deleted.
- Your personality is revealing and, it may have been revealed.
Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)
What you need to know: Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most systems do not reside within the traditional network environment, processing systems are most commonly exploited via compromised trusted 3rd party vendors, common credential stuffing and exploit kits delivered via email.
|Date Occurred/Discovered||March-April 2018 / Discovered 5/11/18|
|Data Compromised||Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.|
|How it was Compromised||Malware|
|Customers Impacted||Chili’s has not disclosed the restaurants impacted and/or the number of customers impacted.|
|Attribution/Vulnerability||Undisclosed at this time.|
Note: Breaches have huge repercussions, often resulting in customers losing trust in the brands. According to a study from KPMG, 19% percent of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.
Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit. System and security control failure.
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)
What you need to know: Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had the limited ability to detect on-network anomalous behavior. With such a large percentage of its target market comprised of organizations that operate in regulated industries including Healthcare, Nuance should have invested in aggressive insider threat/insider mishap detection.
Organizations operating in regulated markets should take a more aggressive approach to both inside threat detection and threats originating within the supply chain as was demonstrated in this case.
Nuance Communications (speech recognition software)
|Date Occurred/Discovered||11/20/17 – 12/9/17|
|Data Compromised||Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.|
|How it was Compromised||An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.|
|Customers Impacted||Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.|
|Attribution/Vulnerability||Unknown/undisclosed at this time.|
Mason Law Office
Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent Credential- based, account take-over exploit
Risk to Individuals: High (Sensitive PII and Legal Information loss and/ or deletion)
What you need to know: It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account-based takeover compromise. Legal firms leveraging 3rd party case management systems should take the time to review their security controls and procedure. They should also conduct a full audit to determine who has access to what data within these 3rd party systems and make the required corrections.
Mason Law Office – Sacramento, CA (mycase.com)
|Date Occurred/Discovered||Discovered 5/5/18|
|Data Compromised||Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.|
|How it was Compromised||The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.|
|Customers Impacted||Clients of Mason Law Firm using mycase.com.|
|Attribution/Vulnerability||Unknown/undisclosed at this time.|
Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”
The incident is a reminder that insider breaches remain one of the most difficult kinds of improper access attacks to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.
Information Technology / Lifestyle
Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)
Exploit: Application security misconfiguration resulting in credential-based exploit
Risk to Individuals: High (PII, Psychological Characteristics & Profile)
What you need to know: The developers of the personality app failed committed several major blunders in this case.
- Poor website/application security allowed for easy and unmonitored access to their website and underlying datasets
- They failed to notice that their data set had been sitting out in the open for 4 years.
- The data stored within the platform was easily unkeyed and de-anonymized.
|Date Occurred/Discovered||Exact dates unknown – 2014 – 2018|
|Data Compromised||The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.|
|How it was Compromised||Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.|
|Customers Impacted||3 million users of the app|
|Attribution/Vulnerability||Publicly available credentials allowed access to the data. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.|
Stay tuned for next week’s edition of The Week in Breach. And Partners, please remember to share this timely information with your clients. Email us at [email protected] and let us know how you’re spreading the weekly breach news!
Not a Partner? Find out how Dark Web ID™ can help you protect your customers’ credentials, upsell your services and close new deals. Learn about ID Agent’s Partner Program now!