Leaks & Breaches Creating Chaos Globally, Domestically

“You can have all the industry-leading security controls in place, but nothing stops human error."

The chaos left behind after a data breach. (Source: Shutterstock)

Cybersecurity has its own chaos theory-type effect: a leak or breach creates disorder in some part of the world every day, and the ensuing effects can result in larger complications later.

Whether the incident is domestic or somewhere else, these events reveal one lasting truth: individuals’ information is constantly in play, or exposed, around the world.

Take, for example, the leak of personal data on Ecuador’s citizens from an exposed Elasticsearch server: 20.8 million user records, including 6.7 million children, a number larger than the country’s total population.

Kevin Gosschalk, CEO of Arkose Labs, said, “The digital economy is built on data and businesses trying to harness the insights from the vast amount of information they have in order to make real-time decisions across their customer touch points.” He added that each breached identity represents a real person who has now been made vulnerable to fraudsters across the globe trying to monetize the credentials.

“The scope of this breach is probably the scariest part about it,” suggested Robert Prigge, president of Jumio. “We fully expect that this data — which included full names, dates of birth, places of birth, home addresses, marital status, cedulas (national ID numbers), work/job information, phone numbers, and education levels — will soon make its debut on the dark web, making these victims potential targets for identity theft and account takeovers.”

Todd Peterson, Security Evangelist at One Identity, said, “This case further illustrates how organizations of all kinds are still getting security wrong because generally, security is a hassle to their business. No one likes entering user IDs and passwords and even fewer like entering the second factor of authentication that should be used by all organizations.” Peterson added that server misconfigurations are in the news every week and in some cases lead to massive data leaks.

Anurag Kahol, CTO, Bitglass, noted, “Organizations must have full visibility and control over their customer data to prevent these types of misconfigurations. To ensure data is always safe, companies should look for security platforms that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.”

“Misconfigurations are frightfully common, but there are simple and highly effective ways to prevent them,” Chris DeRamus, CTO, DivvyCloud, said. “All organizations, everywhere in the world, should deploy automated cloud security solutions that can ensure databases are configured correctly from the beginning, so there is never a risk of misconfiguration.”
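The misconfiguration checks the quotes above describe (posture checks that catch an exposed database before it leaks) can be made concrete with a small audit of an Elasticsearch node's configuration. The following is an added example written for this page; it is not code from the article or from any vendor quoted in it. It assumes the real Elasticsearch settings `network.host`, `http.port`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`, a flat `key: value` config file, and two constructed sample configs; a production CSPM tool would additionally query the cloud provider's firewall and security-group rules, which this example does not.

```python
"""Audit a flat elasticsearch.yml for settings that leave a cluster open.

Added example, not code from the article or any quoted vendor. Assumes the
Elasticsearch settings named below and a flat `key: value` config file.
"""

import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: a node bound to every interface with security off,
# the shape of misconfiguration that turns a database into a public dump.
SAMPLE_OPEN_CONFIG = """\
# ======================== Elasticsearch Configuration ======================
cluster.name: citizens-data
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: loopback-only bind, authentication and TLS enabled.
SAMPLE_SAFE_CONFIG = """\
cluster.name: citizens-data
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines elasticsearch.yml normally uses.

    Comments are stripped; nested YAML blocks (rare in this file) are ignored.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def host_is_loopback(host: str) -> bool:
    """True if the bind address is reachable only from the node itself."""
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # "_site_", "_global_" and hostnames all resolve to reachable interfaces.
        return False


def audit_elasticsearch_config(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for an elasticsearch.yml body."""
    settings = parse_flat_yaml(text)
    findings: List[Tuple[str, str]] = []

    # Elasticsearch binds loopback only when network.host is unset.
    host = settings.get("network.host", "_local_")
    exposed = not host_is_loopback(host)
    if exposed:
        port = settings.get("http.port", "9200")
        findings.append(("HIGH", f"network.host={host} binds a non-loopback "
                                 f"interface; port {port} is reachable from the network"))

    security = settings.get("xpack.security.enabled")
    if exposed and security == "false":
        findings.append(("CRITICAL", "xpack.security.enabled=false: every index is "
                                     "readable and writable by anyone who reaches the HTTP port"))
    elif exposed and security is None:
        # Before 8.0 this setting defaulted to false on a basic licence.
        findings.append(("HIGH", "xpack.security.enabled not set; confirm authentication "
                                 "is actually enforced on this version"))

    if exposed and settings.get("xpack.security.http.ssl.enabled", "false") != "true":
        findings.append(("MEDIUM", "HTTP API served without TLS; credentials and "
                                   "documents cross the network in cleartext"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", SAMPLE_OPEN_CONFIG), ("safe", SAMPLE_SAFE_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_elasticsearch_config(cfg) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

Run against a node's `config/elasticsearch.yml`, the open sample produces HIGH, CRITICAL and MEDIUM findings and the safe sample none. Note the ordering of the rules: binding a public interface is only HIGH on its own, because a firewall may still block it; it becomes CRITICAL once the same file also disables authentication, which is exactly the combination behind unauthenticated-database leaks.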

Alexander García-Tobar, CEO/co-founder, Valimail, stated, “Often when we hear of data leaks, people tend to only think of the cyber-implications, but in this incident, the physical risks are very real, and very serious.” García-Tobar added that, among other repercussions, this kind of data is more than enough for cybercriminals to orchestrate sophisticated business email compromise scams.

“It’s inexcusable for organizations to expose sensitive databases with no security controls,” according to Stephan Chenette, co-founder and chief technology officer, AttackIQ. “It’s imperative for those that do wrap databases with security controls to continuously validate their security controls and the third parties they work with to ensure their protection capabilities are effective.”

Other recent incidents unleashed concerns as well.

The United Nations children’s agency, UNICEF, inadvertently leaked personal information when an Aug. 26 email containing details of 8,253 users enrolled in courses went out to nearly 20,000 users of Agora, a website providing free training courses on issues such as child rights, humanitarian action, research, and data.

Lamar Bailey, senior director of security research at Tripwire, commented: “You can have all the industry-leading security controls in place, but nothing stops human error. Training employees is often overlooked or the investment is not as high as it needs to be. The training programs can be too simplistic and this causes people to ignore them or blow them off.”

Improperly secured Wi-Fi networks at New York-based real estate company WeWork exposed an ‘astronomical amount’ of private data, according to a CNET investigation, including bank account credentials, email addresses, client databases, ID scans, and more. Scans reviewed by CNET showed the exposure of 658 devices, including computers, servers and coffee machines.

Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team, said: “The practice of WeWork using shared WPA2 (Wi-Fi protected access) passphrases across many users in many locations is in many ways no more dangerous than working from a Starbucks or a hotel. For the most part, as people connect to networks with shared passphrases, they are opening their devices up to be tricked onto a rogue wireless network.”

Click2Gov, a self-service bill-pay portal for utilities, community development and parking tickets, suffered another breach, this time impacting over 20,000 payment records from eight U.S. cities. Six of the cities — Deerfield Beach, Palm Bay, Milton and Coral Springs, Fla.; Bakersfield, Calif., and Ames, Iowa — also suffered Click2Gov compromises in the first attack wave in 2017 and 2018. Pocatello, Idaho, and Broken Arrow, Okla. are new victims.

Ben Goodman, vice president of global strategy and innovation, ForgeRock, explained, “This being the second time that Click2Gov has suffered a breach in its payment portals proves the system is still vulnerable. Following this breach, users should regularly check their payment-card statements for any abnormal activity over the next several weeks.” Goodman also explained, “Click2Gov and similar self-service billing and payment applications should employ security strategies and tools that support real-time, contextual and continuous security that detects unusual behavior and prompts further identity verifications.”

A new phishing campaign from Cobalt Dickens, considered an Iranian government-directed threat group, targets universities in an attempt to steal usernames and passwords.

Peter Goldstein, chief technology officer and co-founder, Valimail, pointed out, “A convincing phishing email executed from anywhere in the world can be an extremely effective and detrimental attack vector. By impersonating online library services and directing users to a seemingly legitimate URL requesting login details, Iranian hackers are attempting to steal academic research and other valuable data from universities around the world.”