Feb 27 2023

Hacker Claim Telecom Provider Data Including Source Code, Employee Data Stolen

Category: Data Breach,HackingDISC @ 11:29 am

Telus, a Canadian national telecommunications company is looking into whether employees’ data as well as the source code for the system were stolen and then sold on a dark web marketplace.

Subsequently, the threat actor published screenshots that appear to depict the company’s payroll data and private source code repositories.

“We are investigating claims that a small amount of data related to internal Telus source code and select Telus team members’ information has appeared on the dark web,” Richard Gilhooley, director of public affairs at Telus said in an email. 

“We can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data.”

Source Code, Employee Data Stolen

A threat actor offered what they claimed to be TELUS’ employee list (including names and email addresses) for sale on a data breach forum on February 17.

“Today we’re selling email lists of Telus employees from a very recent breach. We have over 76k unique emails and on top of this have internal information associated with each employee scraped from Telus’ API”, the forum post says.

The post provides what looks to be a list of email addresses for Telus employees as proof. “It isn’t known if these are the current or former staff — or even real”.

Later on Tuesday, February 21, the same threat actor published a new forum post with an offer to sell TELUS’ private GitHub repositories, source code, and payroll data.

“In the repositories are the backend, frontend, middleware [information,] AWS keys, Google auth keys, Source Code, Testing Apps, Staging/Prod/testing, and more!” says the seller’s latest post.

Forum post with TELUS sample data set
The claimed TELUS data and source code are posted in a second forum post

The seller also stated that the company’s “sim-swap-api,” which is supposed to allow attackers to conduct SIM swap attacks, was included in the stolen source code.

Despite the malicious attacker calling this a “Full breach” and stating that they will sell “anything related to Telus,” it is still too soon to say whether an event actually happened at TELUS or whether a breach at a third-party vendor actually occurred.

“It’s important to note that it’s not clear whether the data being sold is real”, commented Brett Callow, a British Columbia-based threat analyst for Emsisoft. 

“If it is real, this is a potentially serious incident which exposes Telus’ employees to increased risk of phishing and social engineering and, by extension, exposes the company’s customers to risk”. 

“The alleged exposure of the private Github repositories, supposedly including a sim-swap API, represents an additional tier of potentially significant risk.”

Tags: data breach, telecom security incidents


Oct 20 2022

Why chasing risk assessments will have you chasing your tail

Category: Risk Assessment,Security Risk AssessmentDISC @ 10:07 am

Third-party risk assessments are often described as time-consuming, repetitive, overwhelming, and outdated. Think about it: organizations, on average, have over 5,000 third parties, meaning they may feel the need to conduct over 5,000 risk assessments. In the old school method, that’s 5,000 redundant questionnaires. 5,000 long-winded Excel sheets. No wonder they feel this way.

The reason why risk assessments have become so dreaded is that it has always been a process of individual inspection and evaluation. For perspective, that’s roughly 14 risk assessments completed per day in the span of one year. How can we expect security, risk, and procurement professionals to get any other work done with this type of task on their plate? With the state of today’s threat landscape, wouldn’t you rather your security team be focused on actual analysis and mitigation, rather than just assessing? And, not to mention the fact that a tedious risk assessment process will contribute to burnout that can lead to poor employee retention within your security team. With how the cybersecurity job market is looking now, this isn’t a position any organization wants to be in.

So, now that you know how the people actually with their ‘hands in the pot’ feel about risk assessments, let’s take a look at why this approach is flawed and what organizations can do to build a better risk assessment process.

The never-ending risk assessment carousel ride

The key to defeating cybercriminals is to be vigilant and proactive. Not much can be done when you’re reacting to a security incident as the damage is already done. Unfortunately, the current approach to risk management is reactive, and full of gaps that do not provide an accurate view into overall risk levels. How so? Current processes only measure a point-in-time and do not account for the period while the assessment is being completed–or any breaches that occurred after the assessment was submitted. In other words, assessments will need to be routinely refilled out, a never-ending carousel ride, which is not feasible.

It should come to no surprise that assessments are not updated nearly as much as they should be, and that’s to no one’s fault. No one has the time to continually fill out long, redundant Excel sheets. And, not to mention, unless the data collected is standardized, very little can be done with it from an analysis point of view. As a result, assessments are basically thrown in a drawer and never see the light of day.

Every time a third-party breach occurs there is a groundswell of concern and company executives and board members immediately turn to their security team to order risk assessments, sending them on a wild goose chase. What they don’t realize is that ordering assessments after a third-party breach has occurred is already too late. And the organizations that are chosen for a deeper assessment are most likely not the ones with the highest risk. Like a never-ending carousel ride, the chase for risk assessments will never stop unless you hop off the ride now.

Show me the data!

The secret ingredient for developing a better risk management collection process is standardized data. You can’t make bread without flour, and you can’t have a robust risk management program without standardized data. Standardized data is the process of gathering data in a common format, making it easier to conduct an analysis and determine necessary next steps. Think of it this way, if you were looking at a chart comparing student test grades and they were all listed in various formats (0.75, 68%, 3/16, etc.), you would have a difficult time comparing these data points. However, if all the data is listed in percentages (80%, 67%, 92%, etc.), you could easily identify who is failing and needs more support in the classroom. This is the way using standardized data in the risk assessment process works. All data collected from assessments would be in the same format and you can understand which third parties are high risk and require prioritized mitigation.

CISOs who are still focused on point-in-time assessments are not getting it right. Organizations need to understand that risk assessment collection alone does not in fact equal reduced risk. While risk assessments are important, what you do with the risk assessment after it is complete is what really matters. Use it as a catalyst to create a larger, more contextual risk profile. Integrate threat intelligence, security ratings, machine learning, and other data sources and you’ll find yourself with all the data and insights you need and more to proactively reduce risk. You’ll be armed with the necessary information to mitigate risk and implement controls before the breach occurs, not the rushed patchwork after. A data-driven approach to third-party risk assessment will provide a more robust picture of risk and put an end to chasing assessments once and for all.

risk assessment

Security Risk Assessment

How to do an information security risk assessment for ISO27001

Tags: data breach, Risk Assessment, Third Party Risk


Sep 01 2022

List of Data Breaches and Cyber Attacks in August 2022 – 97 Million Records Breached

August 2022 has been a lesson in being careful with whom you provide sensitive information. In a month that saw the former US president accused of misappropriating classified government documents, there were also a spate of malicious insiders compromising their employer’s systems.

Meanwhile, the bastion of password security, LastPass, announced that its systems had been breached – although the organisation is confident that customers’ details remain secure.

In total, we identified 112 publicly disclosed security incidents in August, resulting in 97,456,345 compromised records.

You can find the full list of incidents below, broken into their respective categories.


Contents

Data Breaches

Data Security

Free Basic network and Data Security Awareness

Tags: data breach, data security, infosec breach


Dec 04 2021

How MFA Can Help Prevent Data Breaches

Category: 2FA,Data BreachDISC @ 2:01 pm

The Current Authentication Landscape

To authenticate a user means to verify that the user is genuine. Classically, the way to authenticate a user is to request their login credentials and ensure those credentials match the credentials stored in your directory service or authentication server. The full history and background of authentication is more complex, but that’s the gist of it. 

The need to ensure users are who they claim to be is critical in the context of today’s hybrid IT infrastructures. Organizational data and apps often exist outside the traditional corporate network perimeter in public cloud services. Furthermore, employees, business partners and contractors are accessing IT resources from home or public locations.

Many security professionals say that identity is the new perimeter. This claim about identity extends to devices and applications, but securing machine identities is another topic altogether. If identity is the new perimeter, then making authentication as secure as possible is paramount to protect your critical assets, including sensitive data about customers and intellectual property. 

Why Passwords Aren’t Enough

In an ideal world, passwords would be sufficient to authenticate users and ensure that they are genuine. Unfortunately, passwords are susceptible to theft, often through poor password hygiene. Whether it’s reusing multiple passwords across different applications or not creating secure enough passwords to begin with, password theft is rife. 

To understand how easy it is to steal a password, consider a study that looked at over 15 billion passwords. The results of this study revealed that the top four most commonly used passwords were:

  1. 123456
  2. 123456789
  3. qwerty
  4. Password

These passwords are all incredibly easy to guess even for a beginner cybercriminal looking to access a corporate network. This is confirmed by the fact that 80% of hacking incidents stem from stolen credentials or passwords guessed using brute force tactics. 

How MFA Can Help Prevent Data Breaches

Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers

Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers by [National Institute of Standards and Technology]

Tags: data breach, MFA


Dec 01 2021

List of data breaches and cyber attacks in November 2021 – 223.6 million records breached

Luke Irwin  1st December 2021

In November, we discovered 81 publicly disclosed cyber security incidents, accounting for 223,615,390 breached records.

With one month left in 2021, the annual total running total of compromised records is to just shy of 5 billion.

Keep an eye out for our end-of-year report in the next few weeks, where we’ll break down the findings of these lists – or subscribe to our Weekly Round-up to get the latest news sent straight to your inbox.

In the meantime, you can find the full list of security incidents below, with those affecting UK organizations listed in bold.

Contents

Different techniques and tools used by cyberattackers to exploit a system are thoroughly discussed and analyzed in their respective chapters.

Use promo code XMASTOOLS to redeem your 10% discount on any toolkit, but hurry – this exclusive offer ends December 5.

Toolkits are sets of documents and tools that allow you to easily create and maintain up-to-date compliance documents. Each toolkit contains:

* Pre-written policies, procedures, and templates created by industry experts that will save you time and money

* Additional tools to ensure complete coverage of the relevant standard, framework, or regulation

* Work instructions and guidance

Tags: cyber attacks, data breach, infosec toolkits


Jul 29 2021

IBM Cost of a Data Breach study: average Cost of Data Breach exceeds $4.2M

Category: Data BreachDISC @ 9:44 am

The ‘Cost of a Data Breach’ report commissioned by IBM Security states that the cost of a data breach exceeded $4.2 million during the COVID19 pandemic. IBM Security presented today the annual study “Cost of Data Breach,” conducted by Ponemon Institute…

Tags: data breach, data breach cost


Apr 20 2018

Nine Things That Are Poised To Impact Cybersecurity

Category: cyber security,data securityDISC @ 6:18 pm

Read Forbes Technology Council list nine things that can impact cybersecurity on Forbes :

From the Equifax breach this past September to the recent hack of MyFitnessPal data through Under Armour, the number of high-profile cyberattacks has continued to climb in recent months. Every company, regardless of size, must be prepared for the possibility that they may be the next victim.

Read the full article here.




Tags: Business Insider Intelligence, data breach, equifax


Mar 26 2014

Most common type of data breaches

Category: data security,Security BreachDISC @ 9:24 pm

DataSecurityBreach

Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiples ways such as siphoning the victims account, using their card for purchases or selling on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subjects to bad habits such as using the same password for online accounts. So if cyber criminals manage to get hold of your Facebook password, then they will most likely be able to login to any of your accounts.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

Data Security Breaches: Notification Law




Tags: Computer security, data breach, data stolen, data theft, Identity Theft


Jul 22 2013

Your employees aren’t the only threat to InfoSec and Compliance

Category: cyber security,Information SecurityDISC @ 1:18 pm

Information security

Information security (Photo credit: Wikipedia)

July 22nd, 2013 by Lewis Morgan 

I overheard a conversation the other day, one which left me so stunned that I’ve decided to write about it….

Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won’t go into all the details but one of them said, “We don’t particularly focus on cyber security, it’s always large organisations which are in the news about getting hacked and being a small company, we’re not under threat”. It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked, the same day as, let’s say DELL, were hacked – who’d make it into the news? DELL would, why? Because it’s likely to be more of an interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation.

I never see stories in the news of someone being hit by a bus in my local town, but it doesn’t mean I’ll walk in front of one holding a sign saying ‘hit me’. That’s effectively what this director is doing, turning a blind eye to a large threat just because he’s not seen an example of a small organisation being hacked – chances are he doesn’t even read the publications which cover those stories.

Ignorance

It’s a strong word, isn’t it? Personally I hate calling people ignorant, I’d rather use a more constructive word such as ‘unaware’, but I feel that using the word ignorance will raise some eyebrows.

As a director of a company, your aim is to maximise revenue, minimise costs and anything in between.

You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It’s all good and well having a 5 year plan which see’s 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?

2 years into your plan and you’re hitting your targets – but you’ve just discovered that there’s been a data breach and your customers credit card details have been sold online.

Your plans have now become redundant; they are depending on how prepared you are to handle the situation, so are your staff. The cost of recovering from a data breach for a small organisation is between £35 – 65K (and that’s not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.

Let’s say that the breach happened because a new member of staff was unaware that they shouldn’t open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager who’s been raising spam issues at each monthly meeting but all you chose to hear is “we’ve not been hacked” and “invest” which is enough for you to move on.

What your IT Manager is really telling you is “We’ve recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack, it’s not happened yet but there’s a chance it will.”

Forget blaming the IT Manager or the new member of staff when that breach happens, it comes down to you and your:

Inability to perceive cyber threats

Grey areas in appropriate knowledge

Naivety

Overhead cost restrictions

Refusal to listen to something you don’t understand

Absent mindedness

No interest in the customer’s best interests

Careless decisions

Eventual disaster

 

Cyber security threats are real, so why are you ignoring them?

To save money? Tell that to a judge

Introduction to Hacking & Crimeware

You don’t understand the threats? Read this book

 




Tags: Computer security, data breach, Email spam, hackers, Information Security, Malware


Mar 18 2011

RSA Security breach sparks reseller concern

Category: Security BreachDISC @ 10:33 pm

An older RSA SecurID token without USB connector

Image via Wikipedia

By Doug Woodburn

Rival SecurEnvoy claims channel partners are being inundated with calls from panicked RSA end users in wake of security attack

RSA Security ‘s customer-data breach has sparked “panic” among the vendor’s customers and channel partners, according to rivals.

In an open letter to customers posted on RSA’s website yesterday, executive chairman Art Coviello admitted that an attack had resulted in “certain information being extracted from RSA’s systems”.

Some of that information relates to the EMC-owned company’s SecurID two-factor authentication (2FA) products, Coviello said.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” he said.

Andy Kemshall, co-founder of rival 2FA vendor SecurEnvoy, told ChannelWeb that he had been fielding calls from concerned resellers since 1am.

“Channel partners are being inundated with calls from customers panicking regarding their security,” he said. “They believe their tokens have been compromised.”

Former RSA executive Kemshall claimed that RSA’s customers were still in the dark as to whether or not the vendor’s centrally stored ‘seed records’ had been compromised.

If this was the case, any tokens associated with those seed records would also be compromised, said Kemshall.

“Our resellers and end users believe the seed records have been compromised,” he said. “This would mean anyone with the Cain and Abel [password recovery] tool could compromise the second-factor token code so only the pin is left. RSA has suggested that customer data has been compromised but it hasn’t confirmed whether it is seed data, nor has it denied it.”

Kemshall as well as Jason Hart, European chief executive at 2FA vendor Cryptocard, argued the fact RSA customers do not generate their own seed records is a flaw in RSA’s strategy.

Hart said: “It is very worrying and very scary. We have had a lot of inbound enquiries from partners and customers. The fact RSA has come out publicly and said it’s a problem is the right thing to do.”

Ian Kilpatrick, chairman of security distributor Wick Hill, said: “It’s very positive that RSA have publicly addressed it but it appears to be quite a significant incident.”

Coviello urged customers to follow the steps outlined in its SecureCare Online Note.

“We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident,” he said.

“Our full support will include a range of RSA and EMC internal resources as well as
close engagement with our partner ecosystems and our customers’ relevant partners.”

a cross-discipline overview of smart card including attacks




Tags: Customer, data breach, EMC, EMC Corporation, Jason Hart, RSA The Security Division of EMC, SecurID, Two-factor authentication


Jul 21 2010

Data Breach and Legislation: What’s Coming Your Way?

Category: Information SecurityDISC @ 11:34 am
From wired: data breaches
Image by Agathe B via Flickr

Prepare now to prevent a ‘security breach’: 45 states and the District of Columbia have laws spelling out procedures when personal information has been … article from: New Hampshire Business Review

By David Scott

It’s rather interesting to monitor what’s happening in the UK right now. Data protection legislation is moving forward. And… business there supports data protection legislation.

A survey of 1200 businesses indicates that those businesses are concerned about the strength of laws: Nearly 50% feel that laws are weak and require revision, and 87% believe that organizations should be required to divulge breaches of sensitive content where information about the public is involved. [Source: Sophos].

Here in the U.S., I rather doubt business is keen on more legislative oversight. Generally speaking, I’m wary of new legislation – new laws must be thoroughly reviewed so as to guard against unintended – and negative – consequences, particularly where business is concerned. In today’s economy, we don’t want to impinge businesses’ opportunities for hearty conduct and growth.

However, I do like the breach notification idea. It serves a couple purposes that come readily to mind:

– Stakeholders (the public, customers, allied agencies…) are entitled to know about breaches that affect them, or ones that just have the potential to affect the general well-being of the business.

– Also, healthy exposure and just that potential help to motivate businesses in the currency of their ongoing security measures.

Particularly for small/medium business, and smaller government agencies such as those at county/municipality level: Do you have in-house security professionals who cast the horizon for new threats, with attendant posture of proactivity? And, do you have strong security partners in the form of advisors, vendors and allied security products?

How do readers of the Exchange feel about it? Would you welcome new legislation? Are you confident regarding data security in your organization?




Tags: Data, data breach, data security, Information Privacy, security legislation


Nov 06 2009

Laptop Heist Exposes Doctors’ Personal Data

Category: hipaa,Security BreachDISC @ 6:50 pm

doctor

Another stolen laptop puts thousands of people’s personal data at risk but this time it’s the caregivers — not the patients — who are at risk.

November 6, 2009
By Larry Barrett:

More than 10,000 physicians’ and dentists’ personal data was exposed last week in New Hampshire after an employee at Anthem Blue Cross and Blue Shield transferred the health care providers’ Social Security numbers and other data to a personal laptop that was later stolen.

Anthem spokesman Christopher Dugan said the security breach took place at the national level and the files did not include any patients’ personal data.

The Blue Cross Blue Shield Association said the employees’ ill-fated decision to transfer the sensitive information to a personal laptop violated the insurer’s security policies.

Just last week, more than 33,000 patients receiving care from a Daytona Beach, Fla. medical center were notified that their data may have been compromised when a laptop was stolen from an employee’s car.
New Hampshire is one of 43 states that require companies and organizations to notify people when their personal or financial information is accidentally or deliberately compromised.

Anthem officials said it will provide free credit-monitoring services to all the affected physicians and dentists for a year.

It’s not been the best of months for the insurer.

On Oct. 5, Blue Cross warned another 39,000 doctors that a yet another laptop stolen from the company’s Chicago headquarters could have potentially exposed an assortment of personal information including Social Security numbers and tax identification numbers.
A Ponemon Institute by Traverse City, Mich.-based data security researcher Ponemon Institute estimates that more than 12,000 laptops are stolen or lost at airports alone each week.

It also found that the average large company has 640 laptops, 1,985 USB memory sticks, 1,075 smart phones and 1,324 other various data devices stolen or lost each year — ;a total of 800,000 data-sensitive memory devices a year.

Reblog this post [with Zemanta]




Tags: arra and hitech, crime, data breach, data security, Health Insurance Portability and Accountability Act, hipaa, laptop, Physician, Security, stolen laptop