Tag Archives: Data Breach

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.

Not all of the TWC records contained information about unique customers. Some contained duplicative information, meaning the breach ultimately exposed less than four million customers. Due to the size of the cache, however, the researchers could not immediately say precisely how many were affected. The leaked data included usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information—though it does not appear that any Social Security numbers or credit card information was exposed.

Time Warner Cable was purchased by Charter Communications last year and is now called Spectrum, though the leaked records date back from this year to at least 2010.

Other databases revealed billing addresses, phone numbers, and other contact info for at least hundreds of thousands of TWC subscribers. The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing the credentials to an unknown number of external systems.

A leak of administrative credentials typically heightens the risk of further systems and sensitive materials being compromised. But Kromtech did not attempt to access or review any of the password protected data, and so the contents of any other servers potentially vulnerable remains unknown.

CCTV footage, presumably of BroadSoft’s workers in Bengaluru, India—where the breach is believed to have originated—was also discovered on the Amazon bucket.

“We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes,” said Bob Diachenko, Kromtech’s chief communications officer. “In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access company’s network and infrastructure.”

Publication of the breach, which Kromtech detailed on its website Friday, was delayed so that BroadSoft could privately alert its customers.

A spokesperson for BroadSoft said the company had verified that customer data was exposed to the public internet, but that it does not believe the information to be “highly sensitive.” The company also does not believe it was accessed by anyone with malicious intent. “We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed.”

Charter Communications sent the following statement:

“We were notified by a vendor that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources. Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them. There is no indication that any Charter systems were impacted. We encourage customers who used the MyTWC app to change their user names and passwords. Protecting customer privacy is of the utmost importance to us. We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident.”

Seems to be an everyday occurrence, cybersecurity is something everyone should be aware of.

 

 

Trove of Private Military Contractor Job Applicants Exposed Online

Another day another trove of data goes public – This time, personal and sensitive data of American citizens who applied for jobs at North Carolina-based Private Military Contractor (mercenary and security firm) TigerSwan and hundreds of those claiming “Top Secret” US government security clearances.

According to Chris Vickery, director of cyber risk research at security firm UpGuard; Resumé files of 9,402 people were found available publically on an unprotected Amazon Web Services ran by a third-party vendor TalentPen who used the files for recruitment purposes until February 2017.

A look at the exposed files revealed applicant names, home addresses, phone numbers, email addresses, driver’s license numbers and highly sensitive job history of US military veterans, mercenaries and even Iraqi and Afghan nationals who worked alongside US forces and government institutions back in their countries.

Rich Campagna, CEO at Bitglass, told HackRead.com that: “In the last few months, we’ve seen a string of high profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless, and Dow Jones. These exposures are difficult to stop because they originate from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk. This is why Amazon recently introduced ‘Macie’: to discover, classify and protect sensitive data in AWS S3.

Organisations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS. It could also be argued that these AWS server misconfigurations could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”

TigerSwan was founded in 2008 by retired US Army lieutenant colonel and Delta Force operator James Reese. Since then the international security and global stability firm have provided its services during the infamous Iraq war, 2014 Sochi Olympics and Standing Rock Protests (Dakota Access Pipeline protests, DAPL).

However, in May 2017, The Intercept cited leaked documents indicating that the firm used counterterrorism tactics at standing rock to “defeat pipeline insurgencies.” In 2011, the firm also won a one year contract in Saudi Arabia where it provided construction and security services for the South Gate Entry Control Point, Eskan Village, Riyadh.

In their statement, the firm has acknowledged the issue and said that:

“At no time was there ever a data breach of any TigerSwan server. All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resumé.”

It is unclear for how long the data remained unprotected or whether it was accessed by anyone else other than UpGuard researchers.

“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details, said UpGuard.

At the time of publishing this article, there was no official response from TalentPen, LLC since the company has been dissolved. However, TigerSwan forwarded an email to Gizmodo showing conversation with a former TalentPen employee.

“I’m afraid that it does show activity that seems to be consistent with the number of files and overall size of the total number of files. I want to know exactly how there could even be a possibility of this happening given the security in place to protect data and files. The account was setup to only give access to you and I. I even had to provide you with security credentials to access the information. While I no longer work for TalentPen since it had been dissolved earlier this year, I certainly want to help you get to the bottom of this,” the email said.

Here is an archive look at the now offline TalentPen’s website.

This is not the first time when unprotected trove of data has been discovered online. In January 2017, medical data of Veterans affected by sleep disorders was exposed online. The database contained personal details of over 1,200 veterans who have been suffering from of sleep disorders.

In March this year, a misconfigured drive led to data leak of thousands of US Air Force officials including passports, names, social security numbers and other highly sensitive and personal data.

In June this year again, UpGuard discovered secret Pentagon files left unprotected on an Amazon server. The data included over 60,000 files with some of the very sensitive info publicly accessible and not even protected with a password.

If you are working as a database administrator, it’s time to run a security check and keep the data secure.  If you are using a third party “cloud” provider, double check the security features and your contract with the provider.

 

Chipotle says hackers hit most restaurants in data breach

Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc’s (CMG.N) restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain whose sales had just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

A handful of Canadian restaurants were also hit in the breach, which the company first disclosed on April 25.

Stolen data included account numbers and internal verification codes. The malware has since been removed.

The information could be used to drain debit card-linked bank accounts, make “clone” credit cards, or to buy items on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.

The breach could once again threatens sales at its restaurants, which only recently recovered after falling sharply in late 2015 after Chipotle was linked to outbreaks of E. coli, salmonella and norovirus that sickened hundreds of people.

An investigation into the breach found the malware searched for data from the magnetic stripe of payment cards.

Arnold said Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.

The company posted notifications on the Chipotle and Pizzeria Locale websites and issued a news release to make customers aware of the incident.

Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breach response, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.

“I don’t think you will get to all of the customers who might have been affected,” she said.

Security analysts said Chipotle would likely face a fine based on the size of the breach and the number of records compromised.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, Julie Conroy, research director at Aite Group, a research and advisory firm.

“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc (IT.N) specializing in security and privacy.

Chipotle did not immediately comment on the prospect of a fine.

Retailer Target Corp (TGT.N) in 2017 agreed to pay $18.5 million to settle claims stemming from a massive data breach in late 2013.

Hotels and restaurants have also been hit. They include Trump Hotels, InterContinental Hotels Group (IHG.L) as well as Wendy’s (WEN.O), Arby’s and Landry’s restaurants.

Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday following the announcement.

 

Breach exposes at least 58 million accounts, includes names, jobs, and more

Another breach!  “Cloud” is often touted as being more secure than on-premise hosting.  But that only goes if your cloud provider does proper pro-active security.  In the case mentioned in the article, they didn’t.  How does your cloud provider do?   Are they open about security, or is it hidden behind an SLA?
“Buyer beware” it’s priceless.

data_breach_challenge
With 2 months left, more than 2.2 billion records dumped so far in 2016.

There has been yet another major data breach, this time exposing names, IP addresses, birth dates, e-mail addresses, vehicle data, and occupations of at least 58 million subscribers, researchers said.

The trove was mined from a poorly secured database and then published and later removed at least three times over the past week, according to this analysis from security firm Risk Based Security. Based on conversations with a Twitter user who first published links to the leaked data, the researchers believe the data was stored on servers belonging to Modern Business Solutions, a company that provides data storage and database hosting services.

Shortly after researchers contacted Modern Business Solutions, the leaky database was secured, but the researchers said they never received a response from anyone at the firm, which claims to be located in Austin, Texas. Officials with Modern Business Solutions didn’t respond to several messages left seeking comment and additional details.

Risk Based Security said the actual number of exposed records may be almost 260 million. The company based this possibility on an update researchers received from the Twitter user who originally reported the leak. The update claimed the discovery of an additional table that contained 258 million rows of personal data. By the time the update came, however, the database had already been secured, and Risk Based Security was unable to confirm the claim. The official tally cited Wednesday by breach notification service Have I Been Pwned? is 58.8 million accounts. In all, the breach resulted in 34,000 notifications being sent to Have I Been Pwned? users monitoring e-mail addresses and 3,000 users monitoring domains.

mbs

 

According to Risk Based Security, the account information was compiled using the open source MongoDB database application. The researchers believe the unsecured data was first spotted using the Shodan search engine. The publication of the data happened when a party that first identified the leak shared it with friends rather than privately reporting it to Modern Business Solutions.

By the tally of Risk Based Security, there have been 2,928 publicly disclosed data breaches so far in 2016 that have exposed more than 2.2 billion records. The figures provide a stark reminder of why it’s usually a good idea to omit or falsify as much requested data as possible when registering with both online and offline services. It’s also a good idea to use a password manager, although this leak was unusual in that it didn’t contain any form of user password, most likely because the data was being stored on behalf of one or more other services.

 

 

IT Security Vulnerabilities that Can Lead to an Inside Job

Vlad de Ramos, a 22 year veteran at IT Management and IT Security, guest blog writer today, giving us some practical advice on IT Security Vulnerabilities.  What a timely piece of writing.  So many industries are facing security issues today both external and internal.  Vlad will cover how to take steps to guard your business from all fronts.  Please help me welcome Vlad to TheDigitalAgeBlog.

Data breach can happen to anyone and IT security failures are not only damaging and costly for businesses, but customers would suffer as well, and people lose their jobs too.

In a study conducted by Scott & Scott, LLP, researchers found that 85 percent of businesses suffered a breach in their data security. Despite the prevalence, about 46 percent did not employ encryption solutions following the IT security failure. About 74 percent of the companies surveyed report losing customers, while others faced potential lawsuits (59 percent) and fines (33 percent).

It’s not enough that you guard your business against outside threats. There are many dangers inside the organization that should be managed before they can cost your leadership team their jobs and the business its integrity.

Companies who take IT security seriously should guard their business against all fronts. Unfortunately, many companies admit that they are still lacking in terms of securing safety from the inside. And one of the reasons many organizations fail to set up effective safeguards is because they are in denial about the magnitude of IT security threats stemming from an inside job.

Here are some of the reasons your employees can contribute to IT security failures.

Inside Insider Jobs

There are a variety of reasons a company’s very own employees can take part in inside jobs such as financial gain, desire for power and recognition, revenge on a co-worker or boss, and response to blackmail from inside and outside the organization.

Some employees are lured into inside jobs due to their loyalty to some people in the organization or to colleagues who recently left on not-so-good terms, while others do it for personal and political beliefs.

There are also insider jobs that are linked to activist groups and organized crimes. In a 2012 report by Carnegie Mellon University’s CERT (computer emergency readiness team) Insider Threat Center, researchers found that out of 150 cases of IT security failures analyzed, about 16 percent were linked to organized crime.

According to a psychologist, Monica Whitty, from the University of Leicester, employees who “willingly” assist in IT security attacks may be suffering from one or more of the following conditions: narcissism, psychopathy, and Machiavellianism, which is defined as the “the employment of cunning and duplicity in statecraft or in general conduct”.

In a 2013 study by Centre for the Protection of National Infrastructure (CPNI), findings showed that people who engage in insider attacks might have two or more of the following qualities: low self-esteem, lack of ethics, immaturity, tendency to fantasize, impulsiveness, lack of conscientiousness, instability, and manipulativeness.

Regarding work behaviors, the CPNI study found that insiders often engage in unusual copying jobs such creating copies of sensitive materials beyond what is necessary and removing protective markings on documents when creating their own copies. Insiders also often engage in usual IT activities such as searching for keywords in a company-sensitive database.

Management Vulnerabilities

Motivations and unusual behaviors are just one side of the story.

The lack of an effective IT security protocol opens up vulnerabilities within the organization that employees can use. Some of these include:

  • Administrator and other privileged access that aren’t monitored.
  • Unattended company devices such as USB’s and laptops.
  • Hard drives that weren’t properly disposed.

But even with an advanced security practice, human error can still pose a threat. Most of the time these are innocent mistakes due to the lack of knowledge in IT security. These include improper file transfers, illegal uploads and downloads, as well as using personal devices in the workplace for business purposes.

In other cases they are intentional because of management issues. Disgruntled, burned out, and dissatisfied employees can turn to accomplices. The Verizon Data Breach Report 2016 have found that employees transferred data via USB before they left the company. Companies who have fraud detection were able to weed out the employees who provided information in weeks, but those who don’t identified them in months or years.

Secure Your Posts

Don’t just look for loopholes in the IT infrastructure. In ensuring the safety of your business and customers, you also have to analyze the status of the people within your organization. Ensure the security of all your posts by looking not just outside in but also inside out.
Please feel free to comment on Vlad’s post.

ABOUT THE AUTHOR:
Vlad
Vlad de Ramos has been in the IT industry for more than 22 years, focusing on IT Management, Infrastructure Design and IT Security. He is a certified information security professional, a certified ethical hacker, a forensics investigator, and a certified information systems auditor. Vlad joins Homegrown.ph to help increase knowledge on IT security awareness in the Philippines. Outside the IT field, he is a professional business and life coach, a teacher, and a change manager.

 

 

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed

Dropbox employee’s password reuse led to theft of 60M+ user credentials

Drop_Box
Dropbox disclosed earlier this week that a large chunk of its users’ credentials obtained in 2012 was floating around on the dark web. But that number may have been much higher than we originally thought.

Credentials for more than 60 million accounts were taken, as first reported by Motherboard and confirmed by TechCrunch sources. The revelation of a password breach at Dropbox is an evolution of the company’s stance on the 2012 incident — the company initially said that user emails were the only data stolen.

Here’s the exact phrasing from the 2012 blog post:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate — it seems that hackers were only able to obtain hashed files of Dropbox user passwords and were unable to crack them. But it does appear that more information was taken from Dropbox than was previously let on, and it’s strange that it’s taken this long for the breach to surface.

According to a Dropbox source, in addition to the user emails initially disclosed in 2012, a batch of hashed passwords associated with those emails was also taken. At the time of the breach, Dropbox was moving away from using the hashing function SHA-1, a standard algorithm at the time, and replacing it with the more robust standard called bcrypt. Some of the stolen passwords were hashed with SHA-1, while 32 million were hashed with bcrypt, Motherboard reports. The passwords were also secured with a salt, a random data string added to strengthen the hash. Even though these passwords have now been dumped online, it does not appear that the hash protections have been cracked.

In a November 2012 interview with Forbes, Dropbox CEO Drew Houston said the service had drawn around 100 million users, double from the same a year prior. The company most-recently said it now has 500 million registered users, though it won’t say exactly how many of those are monthly active users. If Dropbox had roughly 100 million users at the same time the hack occurred, this breach represented a staggering three-fifths of the company’s user base.

Hackers who used an employee’s password, re-used from the LinkedIn breach, to access Dropbox’s corporate network and steal the user credentials, sources said. So the fault doesn’t 100% rest on Dropbox, though it’s still a breakdown of security standards within the company and emphasizes the perils of password re-use that can extend into a corporate environment.

Dropbox has taken steps to ensure that its employees don’t reuse passwords on their corporate accounts, Patrick Heim, head of trust and security for Dropbox, told TechCrunch. The company has licensed the password management service 1Password for all employees, in an effort to encourage the use of unique and strong passwords. Dropbox also requires two-factor authentication for all internal systems, Heim said.

Given that Dropbox has continued to grow and there have been no colossal security snafus (that we know about) the company appears to have gotten by largely unscathed. Online cloud storage services are frequent targets for hackers because of the variety of content stored. One of the most poignant examples is the massive private celebrity photo leak that happened in September 2014. Dropbox was not linked to that hack, and sources stress that the passwords contained in the 2012 breach do not appear to have been cracked.

And again, this happened in 2012, when Dropbox was still a young company (worth only $4 billion, compared to its $10 billion valuation now). Security breaches like this occur, though for Dropbox to be so light on the details can be frustrating given the necessity of transparency during security breaches.

 

All U.S. and Canadian Eddie Bauer stores infected by point-of-sale malware

It happens again: The clothing chain said payment card information of customers was stolen.
credit_card-100594349-large

Clothing retailer Eddie Bauer has informed customers that point-of-sale systems at its stores were hit by malware, enabling the theft of payment card information.

All the retailer’s stores in the U.S. and Canada, numbering about 350, were affected, a company spokesman disclosed Thursday. He added that the retailer is not disclosing the number of customers affected. The card information harvested included cardholder name, payment card number, security code and expiration date.

The retailer said that information of payment cards used at its stores on various dates between Jan. 2 and July 17, 2016 may have been accessed, but added that not all cardholder transactions were affected. Payment card information that was used for online purchases at its website was not affected.

The company is the latest in a long list of retailers, hotels and other establishments that were hit by point-of-sale malware that skimmed payment card information.

Eddie Bauer learned during the investigation that the malware found on its systems was “part of a sophisticated attack” directed at multiple restaurants, hotels, and retailers, besides its own operations, CEO Mike Egeck said in a statement. “Unfortunately, malware intrusions like this are all too common in the world that we live in today,” he added.

The company said it has been working closely with the FBI, cybersecurity experts, and payment card organizations, and wanted to reassure customers that it had fully identified and contained the incident. Customers would not be responsible for any fraudulent charges to their accounts, it added.

Eddie Bauer said it had taken measures to strengthen the security of its point-of-sale systems to prevent a similar hack in the future. Kroll, a provider of risk mitigation and response, would provide 12 months of complimentary services to affected customers, it added.

Businesses need to be able to watch more closely  the data passing through a corporate network to have a better chance of preventing breaches or at least minimizing the damage by stopping them soon, said John Christly, chief information security officer of Netsurion, a provider of remotely-managed security services for multi-location businesses, in an emailed statement.

“Some of these breaches may look like normal web traffic coming out of the firewall, and other attacks can even seem like legitimate DNS traffic, which may pass right by the typical un-managed firewall,” he added.

Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide, Hilton Worldwide Holdings, Omni Hotels & Resorts, HEI Hotels & Resorts and Neiman Marcus have also reported previously data breaches through their point-of-sale systems.

Ransomware Incidents at Health Organizations are now Classified as a Data Breach

Healthcare_Breach

According to new guidelines issued by the United States Department of Health and Human Services (HHS), ransomware incidents in HIPAA regulated organizations are now classified as a data breach. HIPAA is the Health Insurance Portability and Accountability Act, that must be followed by any health care provider who transmits health information in electronic form. In America, with the use of electronic medical records, this means just about every health care provider.

To most security professionals, this is an unusual approach, as a data breach has previously indicated the exfiltration of data by an attacker. In fact, the Code of Federal Regulations defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted . . .”

Although there have been rumors of ransomware that steals data, there is still no proof of any such ransomware in the wild.

The HHS has codified a breach as the following:

“A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information). . .”

In a parenthetical statement, the HHS has memorialized the act of encrypting data as “control” of the information. I would hope that this new classification will have many scratching their heads, wondering, “If I have good backups, then the control is mitigated.” (Failure to protect data is also a violation of HIPAA rules.)

In fairness to the Department of Health and Human Services, the new guidelines also allow an organization to demonstrate that there is a “low probability that the Protected Health information has been compromised,” however, the 4-step risk assessment is geared more towards a general malware outbreak, rather than a ransomware event.

Ransomware simply does not work the way the authors of the new HHS guidelines have implied. Even in a targeted attack, the ransomware authors are not seeking to use any of the data that is encrypted; they are after the value of the target getting back in operation. In random ransomware events, the attacker simply fires up the spam-generating engine and hope for some bites on their phishing lures.

Ransomware is a lucrative business. One strain has been reported to cost victims over $18 million in one year. Ransomware criminals do not have to waste their time trying to fence stolen data.

The greatest concern with this new breach classification is that it can spread to other regulations, and eventually find its way into the general practice of corporate risk officers.

Nothing could be more wasteful of a security team’s time than explaining that no data was stolen every time a piece of ransomware is detected.

Of course, the best protections against ransomware remain the same:

  • A layered defense;
  • Good backups that are stored offline and regularly tested;
  • Security awareness training for all staff;
  • Access controls;
  • Vulnerability assessments and penetration testing (including hunt team exercises);
  • Maintaining a patch management strategy.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor.