Monthly Breach Report: June 2020 Edition on Jun 8, 2020
Covid-19 has been spreading since Fall 2019 and has become a raging global pandemic. In that time, developers across the world have been working around the clock, building dozens of apps and systems for COVID-19 contact tracing. Each of the apps attempts to identify individuals who come in contact with a COVID-19 carrier in order to notify them. Some apps are less intrusive and voluntary, and others are extensive, invasive, and mandatory. In several countries, these apps suck up data that includes citizens’ identity, location, and other personal histories.
Plenty of questions remain unanswered: What data should or will the contact tracing apps collect? Where will that data be stored? With whom would the data be shared, for what other uses? What policies, where, are in place to prevent abuse? Total sensitive data from contact tracing apps will be measured at least in gigabytes. Sensitive data in this context will have to be defined, identified, and its multiple locations are known before it can be safely managed.
Sensitive data typically sits in a variety of companies’ and agencies’ data stores —on-premises, in the cloud— and in a range of business applications. It has been collected and stored (sometimes inadvertently) over months, years, or decades. Identifying and finding all of it is extraordinarily difficult. Your organization has to discover all of its sensitive data in order to protect it. And it is not optional. It is the law, and there are penalties for neglecting it. A data breach would be costly to your brand and bottom line. “Looking at your potential risk and knowing where your data is, controlling who has access to it, and making sure it’s secure should be an absolute priority,” reports Bill Strain, Product Development Director of the research company, iomart. Source
In this industry, we hear over and over about financial costs to companies that are using applications and systems, but failing to detect and protect their sensitive data. That failing also costs their customers and brands. Breach can happen in any part of the world, to companies serving customers in all walks of life. Read the varied stories about just a handful of May data breach exposures around the world. As you do, consider what first step your company can take to establish strong policies and practices and to avoid financial and reputational risk based on discovering and protecting the personal information you collect, use, and store.
Advanced Info Services (AIS): user records exposed
Over eight billion user records in a database of Thailand’s largest mobile operator were left open on the internet with no password protection for at least three weeks in May. The database contained DNS queries and Netflow data, making it easy for anyone to quickly understand what those individuals do on the internet. The browser converts the web addresses to their IP addresses, disclosing where the web page is. AIS admits that they had a lapse and breach of its systems and yet contends no directly identifiable personal information was exposed. Given today’s technology capabilities and uses of data, there is no possible guarantee of that for the 8.3 million users. Consider this: high-risk individuals in the media, politics, or social activism may have had their protected sources identified by an intruder tracking their internet records. It was possible to identify:
- what devices someone owned,
- what browsers they used,
- which antivirus they run,
- what social media they frequented, in addition to
- what websites and apps they used
In an authoritarian country that strictly censors its citizenry, access to information about individuals’ activities presents significant privacy and social justice risks to those users. The database has been pulled offline.
Cyware Social commented about the AIS data breach, “In essence, [this] data leak instance proves the challenges faced by companies, including the big ones, in understanding where the data is stored and who has access to it.”
EasyJet: credit card accounts and travel details accessed
EasyJet admitted in May that a “highly sophisticated cyber-attack” exposed the personal details of up to 9 million customers including email addresses and travel details. Of those, 2,208 individuals’ credit card details with CVV security codes were accessed and compromised. EasyJet became aware of the attack in January this year. EasyJet warned customers to be wary of unsolicited emails as they may be phishing emails that link to cloned websites to steal personal data. While not yet determined whether there had been negligence, if so, EasyJet could be fined 4% of its total revenue plus possible claims of customer compensation.
Resume Aggregator: 29 Million individuals’ personal data leaked
Cybersecurity firm Cyble reported in May that 29 million user credentials of Indians were leaked on the dark web, and they had found the untraceable breach on an unknown hackers forum. It became clear the source was a resume aggregator service pulling individuals’ personal data from job portals. The data likely was initially exposed by an unprotected Elasticsearch instance. The instance is no longer accessible. The consequences to the 29 million potentially include identity thefts and phishing scams.
GoDaddy: customer domains breached through unauthorized access
The largest domain name registrar in the world suffered 28,000 customer domains being abused in recent months, discovered late April and reported publicly in May. The breach involved an intruder accessing accounts using SSH cryptographic network protocol and went undetected for months. While they believe they fixed their issue, GoDaddy continues working on other possible methods for account takeover. Malware email used campaigns such as disguised UPS shipping noticed. Some unknowns remain about the GoDaddy breach. Matt Walmsley of Vectra AI said, “Regardless of how the unauthorized access was gained, it’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant to a breach.”
Grubman Shire Meiselas & Sacks: personal data of celebrities stolen
High net worth and celebrity status do not protect individuals from data leaks. An unnamed hacker group launched an attack involving REvil malware on the systems of Grubman Shire Meiselas & Sacks, a law firm representing celebrities such as Madonna, Priyanka Chopra, Robert De Niro, Bruce Springsteen, and Nicki Minaj. The hackers stole 756 GB of data, and when the initial $21 million ransom demanded was not paid by their May deadline, and the firm instead hired cyber-extortion specialists, the hacker group started releasing 2.4 GB batches of folders. The first folder included legal work performed for Lady Gaga that reveal expense sheets, performer agreements, confidentiality agreements, reimbursement forms, and reams of other sensitive data. The demanded ransom quickly doubled to $42 million. Once undetected and protected sensitive data is in the hands of bad-faith actors whose intent is to expose and monetize it, it’s simply too late.
Antivirus software maker Emsisoft’s threat analyst Brett Callow said, “They’ve stolen information from banks, people’s credit card numbers are online, tax returns, veterans’ PTSD claims, medical records, missile schematics…you name it: it’s online. And most people have no clue it’s going on.” Callow adds, “Companies must do more to protect their data, their customers’ data, and their business partners’ data.”
State of Ohio: workers laid-off during COVID personal information exposed
Thousands of part-time workers and independent contractors as laid-off workers in Ohio were delivered a second gut punch in May: they could be potential victims of identity theft. Personal information of applicants in the state’s Pandemic Unemployment Assistance program was left open to be viewed by other claimants in the program, according to the Ohio Department of Job and Family Services.
Deloitte Consulting was contracted with ODJFS to develop the system to administer the program.
There was a flaw in the system that allowed some applicants to view the personally identifiable information of thousands of others. The fallout is not immediately clear. Deloitte wrote to applicants, “Personal information such as names, Social Security numbers, street addresses, and receipt of unemployment compensation benefits were inadvertently available for others to view.”
“Within an hour of learning of [the unauthorized access] issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences. Out of an abundance of caution, we are offering 12 months of free credit monitoring to those PUA claimants potentially impacted.”
A class-action lawsuit has been filed against Deloitte Consulting. “We are outraged that this private company has put so many people already impacted by the COVID-19 crisis at risk. So we are taking immediate action to hold Deloitte Consulting accountable for allowing this serious data breach to occur,” wrote Marc Dann of The DannLaw Firm.
A 23-year-old worker and mother explained she had waited weeks for the system to provide payments and was flagged the very next day her personal information had not been protected. “The anxiety and uncertainty of being laid off for two months was alleviated for one day. Now I have to worry about someone possibly stealing my identity and wreaking havoc on my credit.”
Similar situations arose in Colorado and Illinois, as well as with emergency relief loans of the Small Business Association and sensitive information of Native American tribes mistakenly being released by the U.S. Department of Interior.