Hackers Bag More Personal Info … and Oh Snap, Photos
A troubling week of cybersecurity news involves companies Flipboard, Checkers & Rally's, Ricoh Theta and numerous hotels.
During a recent busy week of cybersecurity news, news aggregator Flipboard reset millions of user passwords following hacker break-ins, and Checkers & Rally’s restaurant locations in 20 states experienced a card data breach.
Adding to the troubling reports, security researchers discovered unsecured databases that exposed the security logs of some major hotels, including Marriott locations, and millions of photos taken by Ricoh Theta camera owners.
Here is a recap and some commentary:
Hackers gained access to the Palo Alto, Calif.-based Flipboard’s systems multiple times between June 2, 2018 and March 23, 2019, and April 21 and 22, 2019. But Flipboard did not detect the invasions until April 23 of this year, according to the social sharing site, which has about 150 million monthly users. The intruders took usernames, email addresses and passwords, plus account tokens for third-party services, which give Flipboard access to data from accounts set up through other services, like Facebook, Google and Samsung.
According to a Flipboard notice, the breach did not involve all users’ account data, but the notice did not specify how many users were affected. “We’re still identifying the accounts involved and as a precaution, we reset all users’ passwords and replaced or deleted all digital tokens,” the notice read.
Ben Goodman, vice president of global strategy and innovation for ForgeRock, commented, “Data theft and cyberattacks represent the number four and five global risks facing organizations across every vertical according to the World Economic Forum’s ‘Global Risks Report 2019.’” Goodman said companies must prepare to defend user data from malicious outsiders, or suffer the consequences of lawsuits, sanctions from data privacy laws, decreased user trust, tarnished brand reputation, damaged investor relations and more.
Robert Prigge, president of Jumio, said, “It looks like Flipboard is following the standard breach recourse playbook. After some portion of their 150 million users had their usernames, email addresses, passwords and account tokens for third-party services stolen, Flipboard is now resetting the passwords for all their users and replacing/deleting all digital tokens. The larger, more important question is why continue to rely on usernames and passwords?”
Prigge issued a warning: Every time there is a data breach, more personal data creeps into the dark web and is offered for sale for pennies.
“Proactive security measures need to be in place at all times to protect the enterprise attack surface and to secure the sensitive data it collects,” said Kevin Gosschalk, CEO of Arkose Labs. “Flipboard did not have enough insight into their systems to determine that 150 million users’ data was exposed to hackers for nine months.” Gosschalk also pointed out that the information the hackers accessed can now be weaponized in future account takeover attacks.
Anurag Kahol, chief technology officer for Bitglass, said, “Unfortunately, people commonly reuse passwords across multiple accounts, which means if a cybercriminal gains access to one password, they can potentially gain access to various accounts for that individual across multiple services.” Kahol also emphasized organizations must simultaneously defend their data against leakage and authenticate their users in order to avoid breaches. “Fortunately, security technologies like data loss prevention, multi-factor authentication, user and entity behavior analytics, and encryption of data at rest can help ensure that enterprise data is truly safe.”
Meanwhile, the Tampa, Fla.-based Checkers & Rally’s reported that malware on payment card readers at just over 100 of its locations in 20 states captured an unknown number of cardholder names, card numbers, expiration dates and verification codes. Dates differed by location, but most of the affected POS systems had malware installed between early 2018 and April 2019. The earliest listed infection dated to September 2016.
Tim Erlin, vice president, product management and strategy at Tripwire, said, “At a time when we’re regularly seeing millions of records compromised via misconfigured cloud storage, malware stealing payment cards might seem almost quaint, but only if it wasn’t your card that was compromised.”
Erlin added, “The successful introduction of EMV, or so-called chip-and-pin technology, has noticeably reduced card fraud, and as a consequence the incidents of stolen card numbers. It’s important, however, that merchants adopt the newer technology in order to take advantage of new security features.”
Jonathan Bensen, senior director of product management and CISO at Balbix, said, “The amount of time that passed from when the first restaurant location was infected with the malware to the time the company detected the intrusion is unacceptable.” He added that, armed with the card data, malicious actors can make fraudulent purchases and sell the information on the dark web.
“There’s nothing surprising or new about POS malware stealing customer data; however, the time between first infection and eradication of the malware, in this case, is shocking. Every business needs to do better to improve visibility between departments, customer communications and the payment network to minimize the impact of malware,” said David Vergara, director of security product marketing for OneSpan.
According to ZDNet, security researchers Noam Rotem and Ran Locar of vpnMentor discovered an unsecured database that exposed 85.4 GB of security audit logs connected to the Pyramid Hotel Group, which manages properties of major hotels in the U.S., the Caribbean, Ireland and the U.K., including Marriott locations.
vpnMentor said the information exposed dates back to April 19, 2019 and includes API keys and passwords, device names, IP addresses of incoming connections, firewall and open port data, malware alerts, restricted applications, login attempt records, application errors, and both brute-force attack detection and malware infection logs. In addition, vpnMentor said other data exposed included hotel employees’ full names and usernames, local PC names and addresses, server designations, operating system specs and cybersecurity policy details.
Jake Olcott, a vice president at BitSight, noted that while other sectors like finance and utilities maintain a laser focus on measuring and monitoring third-party cyber-risk, the hospitality sector does not face the same regulatory pressures. “These incidents should serve as a wakeup call to the industry. They’re going to have to take a closer look at these issues or face reputational and economic damage.”
Rotem and Locar also discovered millions of photos taken by Theta camera owners sitting in an open database with no password. The research team reported the leaky database to Ricoh, which secured it within a day. Until then, however, anyone who reached the database could access any of the 11 million photos stored online.
Bensen said, “Exposing personal photos publicly is a major violation of customer privacy. Database misconfigurations are an incredibly simple mistake to fix, especially the lack of a password, but unfortunately, we see companies leave sensitive data exposed over and over again through this error.”
Bensen noted that while it was good that Ricoh took immediate action once it was alerted to the issue, it took an entire month to notify users. “This is why organizations should not be relying on third-party researchers to detect this kind of vulnerability.”