Monthly Breach Report: October 2020 Edition on Oct 7, 2020
With just over a month to go before the US 2020 Presidential election, a company whose software shows election results was hit by a suspected ransomware attack. The attack on Tyler Technologies so close to the nation’s elections has rattled the FBI, Department of Homeland Security, and US Cyber Command. As of this blog entry's date, it’s unknown how the efforts to log in to clients’ systems have impacted individuals’ privacy data, but it’s expected the attackers are working to freeze voter registration data amidst other tampering efforts. The agencies are investigating to determine whether this tampering is criminally motivated, with the aim of being paid in exchange for releasing the freezes, or a Russian interference effort against the US elections. “Tyler Technologies is in the process of responding to a security incident involving unauthorized access to our internal phone and information technology systems by an unknown third party,” the Plano, Texas-based company said in a message on its corporate website.
This incident was not the first of these types of attacks in September. At a time of political unrest, in the first two weeks of September alone, there were seven other attacks where personal data was stolen from the government. These attacks are strategically targeted to wreak havoc in voters’ minds and ignite fear across the nation. Cybersecurity and Infrastructure of the DHS have been working with local election offices to ensure they all print out their poll books to have a hard copy backup on hand from now through tally, certifications, and acceptance of the country’s voting outcomes.
Throughout September and around the world, data leaks affecting personal data have been reported involving employees and trusted individuals, some making honest mistakes, and others resulting from outsider attacks. Here are some of the unfortunate events.
Global eCommerce dominator Shopify discovered and confirmed late in September that two “rogue” employees on its support team had been accessing customer transactional records of up to 200 merchants; the number of affected customers has not yet been assessed. The two employees were subsequently fired. The personal data includes people’s names, addresses, email addresses, and order details, but not full credit card details. Shopify is used by over a million merchants, including Tesla and Allbirds.
Within a day or so of the discovery, merchant Kylie Cosmetics, a popular makeup company owned by Kylie Jenner, issued a warning to its customers. Kylie Cosmetics noted that, through the Shopify data compromise, the last four digits of customers’ credit card accounts had also been stolen in addition to names and addresses. Jenner wrote in an email to the company’s customers, “Your trust is so important to us and we wanted to let you know we’re working diligently with Shopify to get additional information about this incident and their investigation and response to this matter.” This is not the email any CEO wants to have to issue. This story warns companies to be vigilant in assigning access and in tracking employees who can access customer data.
Insult to Injury
An employee of Public Health Wales accidentally leaked personally identifiable information of over 18,000 COVID-19 positive people. The information was uploaded to a public server by an employee who pushed the wrong button while trying to load it to their internal business intelligence software in Tableau, and it was available for 20 hours on the last day of August. All Welsh COVID-19 patients’ data was exposed, and PHW indicated there was no way to know or track who had seen or accessed the data. It was September 15 when the government released their statement. Personal data included date of birth, geographical areas, sex, and initials of names.
More Salt In That Wound
A pioneer in digital rights management that provides application security solutions published ‘Intertrust security report on global mHealth apps 2020’ at the end of September. Assessments were performed on the Appknox vulnerability assessment solution. Some of the weaknesses that stood out are weak crypto keys and the storing of private information in SharedSpaces APIs, which allow tested apps to store and retrieve information. Had application protection techniques like obfuscation and tampering protection been used, 83% of the high-level threats could have been managed. The study suggested that pressures to revamp COVID-19 care delivery have come at the expense of mobile application security.
Cryptocurrency exchange Kucoin lost more than $200 million held in hot wallets, after initially reporting that $150 million of customer funds on its crypto platform had been stolen. By September 30th, Kucoin was able to trace and recover about $140 million of the funds. This hack is the first known of its kind, with a high-profile decentralized exchange being used to launder stolen funds. So far, over $17 million worth of stolen tokens have been sold. There are concerns that some cryptocurrency exchanges treat security as a bit of an inconvenient bother. Any lapse in protection will make the ecosystems and customers more vulnerable. Further concern involved what seemed to be a slow response by Kucoin, when it was made known that “the exchange shut down its server once it noticed funds were being moved out of its hot wallets. The intervention failed because the private passwords to the hot wallet had already been impaired.” Companies must be ever vigilant in establishing and implementing careful data management policies and security practices to prevent the personal data they are entrusted with from being fraudulently accessed.
In September, Service New South Wales reported that 738 GB of personal data of 186,000 customers was stolen in April. The theft was the result of a successful phishing campaign against 47 staff email accounts. Investigative steps began immediately in April, including bringing in forensic specialists. 3.8 million documents had to be reviewed, including scans, forms, records of transactions applications, and unstructured personal data in handwritten forms and notes. As of now, it is known that leaked personal information has been accessed. As the response shifts to the phase of notifying and supporting the persons whose information has been compromised, notifications of the incident will go out by mail from now through December. Service NSW is hiring an independent security consultancy and enhancing the security of customers. Relevant agencies have also been briefed.
No Breach Defense?
46,000 veterans’ personal data was accessed in a Veterans Affairs data breach in September. It is reported that the hackers used “social engineering techniques” to access the VA Financial Services Center through the authentication protocol. Once they had access, the hackers were able to change financial information and divert VA payments meant to pay for the veterans’ medical treatments. The VA believes the accessed data includes veteran records and social security numbers. The online app has been taken down and is undergoing an extensive security overhaul, and a multifactor authorization program will be included when the app is made available again. The VA will engage a service to conduct regular checks and educate veterans about social engineering threats. The VA notified the veterans whose personal information was accessed, and in the case of any deceased veteran, their next of kin are being advised. The communication includes a description of the potential risk to personal data and an offer of a credit monitoring service.