Information Exposures & Misuse Continue to Plague Everyday Life

Personal information episodes, whether through breaches, misuse or lax handling and storage, affect daily life in one way or another. Three recent incidents at home and abroad emphasize today’s treacherous cybersecurity landscape.

The incidents involved Exactis, a data broker based in Palm Coast, Fla., which exposed a database containing almost 340 million consumer and business records; FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries, which revealed personal details and payment card data of guests from hundreds of hotels; and Ticketmaster UK admitted that they had a data breach that affected up to 40,000 customers.

In this first of two articles from CU Times, security experts agree continued data incidents like these should set off alarms for all organizations, including credit union; and provide recurring cybersecurity lessons that need comprehending.

In early June, a security researcher Vinny Troia of Night Lion Security discovered the Exactis records on a publicly accessible server. The precise number of records is unknown and the disclosure does not seem to include credit card information or Social Security numbers. It does contain phone numbers, home and email addresses and 400 variables on an assortment of characteristics such as interests, habits, age, and gender of the individual’s offspring.

Setu Kulkarni, VP of corporate strategy at WhiteHat Security, said, “Interestingly, the researcher (who initially reported the vulnerability to Exactis and the FBI) got to the unprotected database by scraping digital logs after he was able to connect to the log management system (in this case, Elasticsearch). Elasticsearch, unfortunately, did not have a high level of security in place.”

While it’s inconclusive if any hackers accessed the database, Troia indicated it would have been easy enough for them to find since he noticed the database while using the search tool Shodan, which permits the scanning for all types of internet-connected devices.

Troia found two versions of Exactis’ database, contained around 340 million records, divided into about 230 million records on consumers and 110 million on business contacts. Without financial information or SSNs, the exposed database is not a clear-cut instrument for identity theft, but could help scammers with frauds built around social engineering

“A year or two ago, a breach such as this would have caused little concern among anti-fraud professionals, but with the increasing use of artificial intelligence in attacks, hackers will be able to use the detailed personal data that was exposed to craft more effective phishing campaigns and this will place members and financial institutions at greater risk,” John Gunn, chief marketing officer with OneSpan, said.

Rebecca Herold, president of SIMBUS and CEO of The Privacy Professor, put the exposure in perspective. “Think the Equifax breach was huge/? It was (145 million Americans’ records).” But the Exactis fissure, at 340 million records, dwarfs that. “They basically had their data sitting out in the open for anyone to take.” Herold pointed out when data becomes left to the mercy of the online population, no one knows who has collected copies of it. “And now that data could be, and possibly is, currently being used for harmful actions against all those whose data (basically everyone in the USA, and beyond).” Herold added that includes anything from identity theft, to phishing, to financial fraud, and even in-person crimes.

This incident also relates to third party involvement. “When you get to a point where researchers go out and find about two terabytes of data on a publicly accessible server on the Internet, somebody is not doing their due diligence and oversight,”. Gene Fredriksen, chief information security strategist for St. Petersburg, Fla.-based CUSO PSCU, observed. “Credit unions related to an Exactis kind of breach really need to be concerned about social engineering and using that personal information.” He explained that does not mean replacing credit cards, but it’s certainly time for some heightened awareness.

John Buzzard, CO-OP Financial Services Industry Fraud Specialist, maintained, “We see an abundance of information aggregated in cyberspace today, and quite often there is merit and need.” But, the continued shame, Buzzard added is information custodians not securely storing and managing that information with vigilance. “Our ability to detect identity theft and account takeover fraud lessens with each new data loss. Thankfully, that’s where excellent fraud strategy and fraud prevention practitioners pick up the slack by preventing as much fraud as possible. It’s a huge ongoing mountain to climb.”

Matan Or-El, Panorays CEO & co-founder commented, “Sadly, this serves as a reminder that breaches may also stem from simply firing up a misconfigured un-protected server. While we hear a lot about cybersecurity attacks and malware trying to pry out data from their targets, and we should certainly not dismiss those, the truth is that misconfigured servers result with the same severe consequences.”

In emails the company sent out to affected hotels, FastBooking disclosed their incident took place June 14, when an attacker used a vulnerability on its server to install malware. This tool permitted the hacker to exfiltrate data from the server remotely. The booking site said it closed the breach five days later.

According to FastBooking, the intruder snatched data such as a hotel guests’ first and last names, nationality, postal addresses, email addresses, and hotel booking-related information. It said in some cases, but not all, the hacker attained payment card details. The incident did not affect all of its hotel clients the same.

Setu Kulkarni, vice president of corporate strategy at leading application security provider WhiteHat Security, commented on the FastBooking incident. “Modern organizations deploy a plethora of web applications, accessible from any location. These are an easy target for hackers, who can exploit them and gain access to back-end corporate databases. WhiteHat Security’s annual Application Security Statistics Report examines ‘windows of exposure’ across multiple industries each year.” In addition, Kulkarni stated what is arming is the consistently high rate of web applications that are ‘always vulnerable,’ every single day of the year.

In addition to their Ticketmaster login information, users’ payment data, addresses, name and phone numbers are also at risk. Ticketmaster says it first detected the breach on June 23. Ticketmaster advised all its customers to change their passwords if they use the same password on other sites.

According to WIRED magazine, an upstart bank Monzo detected the fault on April 6 when 70% of its customers who reported fraud that day also made a purchase through Ticketmaster. “Monzo alerted Ticketmaster, but the company apparently paid little attention.”

Ticketmaster emailed all affected customers and said the breach was likely to have only affected UK customers who purchased or attempted to purchase tickets between February and June 23,2018. But, as a precaution, it said it had also informed international customers who had purchased or attempted to purchase tickets stating with September 2017.

According to the BBC, Ticketmaster said it is confident it has complied with General Data Protection Regulation rules – acting very quickly and informing all relevant authorities, including the Information Commissioner’s office. The UK’s National Cyber Security Centre – a division of GCHQ – said it was monitoring the situation.

Jeannie Warner, security manager at WhiteHat Security, said, most organizations have many web apps, a percentage of which will have horrific vulnerabilities that put the entire organization—and its customers—at risk. “These vulnerabilities are well-known, very prevalent and usually straightforward to remediate. The challenge in this instance lies with a trusted third-party plugin chat app from Inbenta, which ended up compromised and serving up malware.”

The Exactis massive data exposure resulted in the filing of the A-class action lawsuit in U.S. District Court in Florida by attorneys Adam Levitt and Amy Keller, who is also co-lead counsel in the recent Equifax data breach class action.