November 14, 2019

Another week, another list of data breaches teaching us that cybersecurity is a number one business priority in our digitally transforming age.

This week, professional hacker and head of cybersecurity for Okta, Marc Rogers, told Business Insider there is a “common thread” running through high-profile data breaches, including this summer’s Capital One breach. Rogers says it comes down to how companies manage the servers on which they store sensitive personal information:

“That’s probably the most common vector that I’m seeing across all of these breaches, is that companies don’t seem to know what data assets are out there. And consequently, there [are] a lot of insecure systems hanging on the internet that can be readily accessed.”

The Capital One breach exposed data of 100 million US citizens and six million Canadians. The suspected cybercriminal responsible may have exploited a firewall misconfiguration in Capital One’s cloud network.

Rogers told Business Insider that fixing poor server security could prevent millions of records being compromised:

“If we just got rid of that, I think you’d reduce the number of breaches we’re hearing about by at least half.”

Let’s look at some of this week’s breaches.

University of Hertfordshire, UK

Not a server issue, but an employee’s mistake. The University of Hertfordshire mistakenly shared the personal details of around 2,000 students by sending an email about a lecture with an attachment containing the names and email addresses of all 2,000 recipients. The university, as per the BBC, says:

“The email was not sent to all students and the incident affected a group of students in one of our schools of study.”

It also recalled the email, which would only have worked for recipients who had not yet opened it. It contacted students immediately, confirming:

“We are contacting all affected students with information and advice. We are carrying out an internal investigation and have informed the Information Commissioner’s Office.”

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Starling Physicians, Connecticut, US

Just yesterday, a US healthcare group, Starling Physicians, told its patients they may be affected by a data breach that occurred in February. The incident may have been a phishing attack; after an investigation, it appears the affected email accounts contained patient data including passport numbers, social security numbers, medical information, and health insurance and billing data.

The company has sent letters to affected patients which included advice on protecting themselves against fraud or identity theft. It has also advised patients to monitor their accounts closely.

Veritas Genetics, Massachusetts, US

DNA testing startup Veritas Genetics has revealed that a data breach led to unauthorized access to some customer information. Other than “recently”, it has not confirmed when the breach happened, but has said its customer portal was breached, affecting a “handful” of customers. The portal, as per TechCrunch, did not contain medical information or test results.

A Veritas Genetics spokesperson has denied data “theft” occurred and the company has not issued a public statement to date.

TechCrunch writes that privacy is an “emerging concern” in genetic testing, as law enforcement agencies increasingly serve legal demands on DNA testing companies for information and records to help solve criminal cases.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series.

Orvis.com, Vermont, US

A retailer of fishing equipment and sports goods has accidentally leaked hundreds of internal passwords relating to the company’s firewalls, routers, administrator accounts, and database servers.

KrebsOnSecurity reports that the incident was “inadvertent” and that many of the logins and passwords had already expired. Orvis is the oldest mail-order retailer in the US and has nearly 70 stores in the US and 18 in the UK.

Hold Security reportedly revealed that a file containing the usernames and passwords had been posted to Pastebin.com. An Orvis spokesperson, Tucker Kimball, said the file was only published for a day before Orvis had it removed, and that:

“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones. We are leveraging our existing security tools to conduct an investigation to determine how this occurred.”

However, Hold Security argues the file was posted to Pastebin on two separate occasions in October. KrebsOnSecurity writes that the incident is the “most extreme” example of a credentials file being published openly, and that:

“By all accounts, this was a comprehensive goof: The Orvis credentials file even contained the combination to a locked safe in the company’s server room.”

The leak may have been caused by an outside contractor, making it an example of a third-party or supply chain breach. Hold Security founder Alex Holden says:

“This is a continuously growing trend of exposures created not by the victims but by those that they consider to be trusted partners.”

KrebsOnSecurity warns:

“Long gone are the days when one could post something for a few hours to a public document hosting service and expect nobody to notice. Today there are a number of third-party services that regularly index and preserve such postings, regardless of how ephemeral those posts may be.”

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.
