Feed aggregator

JPMorgan Chase Notifies Customers of Data Breach

Info Security - Thu, 08/19/2021 - 15:05
JPMorgan Chase Notifies Customers of Data Breach

American banking and financial services company JPMorgan Chase is warning customers in Montana that a technical glitch may have presented their personal data to other customers.

The malfunction allowed users of the website chase.com or the Chase Mobile app to view the banking information of other customers whose personal details were similar for nearly two months earlier this year. 

Data that may have been compromised included customers' names, account numbers, account balances, and details of their transactions. 

"We learned of a technical issue here that may have mistakenly allowed another customer with similar personal information to see your account information on chase.com or in the Chase Mobile app, or receive your account statements," wrote JPMorgan Chase in a data breach notification letter available via the Montana attorney general’s website.

The data breach was reported to the Montana Office of the Attorney General on August 13 as having begun on May 24 and having ended on July 14. 

JPMorgan Chase advised customers: "The other customer might have seen information about your accounts, including balance(s) and transactions as well as your name and account numbers."

The bank said that no evidence has been found to suggest that the personal information of customers who were impacted by the data breach has been "used inappropriately."

Customers were informed that they will not be held liable "for any fraudulent activity on your Chase accounts that you promptly tell us about," and were encouraged to check their accounts regularly for suspicious activity.

After apologizing for the accidental data exposure, JPMorgan Chase offered the seven customers who were impacted by the breach one year of free credit monitoring. 

The data breach is the second to be reported to the Montana Office of the Attorney General by JPMorgan Chase. Last year, the company notified two customers that between April and November 2020 a call center employee may have allowed an unauthorized third party to overhear phone calls in which personal information about their Chase account was shared.

Data compromised in the 2020 breach may have included name, address, account number, Social Security number and email address. The breach was reported on December 23, 2020. 

Categories: Cyber Risk News

Data Stolen as Social Housing Group Suffers Ransomware Attack

Info Security - Thu, 08/19/2021 - 14:57
Data Stolen as Social Housing Group Suffers Ransomware Attack

Hackers have stolen data from a Salford-based social housing group that houses thousands of tenants and other clients.

ForHousing and Liberty, which manages and maintains homes across the North West, were reportedly victims of a ransomware attack. The group confirmed that no data of tenants or staff were accessed, but a 'small amount' of data was compromised, which resulted in the systems being taken offline as a precautionary measure

Ransomware is a type of malware that employs encryption to steal a victim’s information at ransom. The information is encrypted so files, databases or applications cannot be accessed.

Ray Jones, group managing director of Liberty, said the investigations into the incident have now ended. He said, "We can confirm that a small amount of data was compromised during the incident.

"We have liaised with the relevant authorities, and are currently working closely with any of our partners who have been affected to allow them to be extra vigilant."

ForHousing and Liberty are part of the ForViva group, based in Eccles.

ForViva group CEO Colette McKune said, "Tenant and staff safety is our priority and this includes the safety and integrity of their data."

"We have informed tenants about this incident and confirmed that their data is safe."

Other housing associations have been attacked recently. In November 2020, a housing association in East Anglia was hit by a ransomware attack. The attack forced Flagship Group to take its IT systems offline after the Sodinokibi strain entered the company via a phishing attack. 

Categories: Cyber Risk News

IT Leaders: Nation State Campaigns Are Inspiring Cybercrime Attacks

Info Security - Thu, 08/19/2021 - 11:00
IT Leaders: Nation State Campaigns Are Inspiring Cybercrime Attacks

Nearly three-quarters (72%) of IT leaders are concerned that tools and techniques used by nation-states will eventually end up in the hands of cyber-criminals and be used to attack their organization, according to HP.

The findings come from a poll of 1100 IT decision-makers in the UK, the US, Canada, Mexico, Germany, Australia and Japan.

Ian Pratt, global head of security, personal systems at HP, argued that such concerns are well-founded. He cited recent events such as the Kaseya attack on MSPs which appear to be partly inspired by the Kremlin’s SolarWinds campaign.

“Now the return on investment is strong enough to enable cyber-criminal gangs to increase their level of sophistication so that they can start mimicking some of the techniques deployed by nation-states,” he noted.

“The [Kaseya attack] is the first time I can recall a ransomware gang using a software supply chain attack in this way.”

Independent software vendors (ISVs) in particular must be extra alert to similar “stepping stone” attacks in the future, even if they don’t have major enterprise customers, Pratt warned.

Respondents to the HP poll also flagged their concerns about direct attacks from nation-states. Over half (58%) said they were worried about such an eventuality, while 70% said they could become collateral damage in a cyber-war.

The top concerns among IT decision-makers were sabotaged data and systems, disruption to operations, theft of data and impact on revenue.

The poll follows a significant report by HP released in April, which warned that the world has never been closer to a full-scale war, waged due to state-backed cyber-attacks.

President Biden seemed to acknowledge this point when he warned last month that if the US ended up in a “real shooting war” with another major power, it would likely result from a severe cyber breach.

Categories: Cyber Risk News

US Census Bureau Slammed for 2020 Breach

Info Security - Thu, 08/19/2021 - 09:06
US Census Bureau Slammed for 2020 Breach

The US Census Bureau has been heavily criticized by a government inspector after a 2020 breach which could have been prevented by prompt patching.

Although the attacker was not able to access servers used for the 2020 census, they could modify user account data to prepare for remote code execution, according to the US Office of Inspector General (OIG) report.

Fortunately, the attacker’s attempt to maintain access to the system by creating a backdoor was unsuccessful, thanks to the Bureau’s firewalls. However, the report highlighted a string of failures by the Bureau, which directly led to the attack and complicated incident response efforts.

First, it failed to patch a critical vulnerability on its remote access servers that was exploited by the attacker, despite the vendor publishing a fix more than three weeks earlier.

Second, it failed to promptly discover and report the incident because its SIEM was not set up to analyze suspicious activity in real-time. That created a delay of two weeks before the incident was detected.

Third, an incident investigation was hindered because none of the Bureau’s remote access servers sent system logs to its SIEM platform.

According to the report, the organization also operated servers no longer supported by the vendor and did not prioritize decommissioning these, further exposing it to attacks.

Finally, the Census Bureau didn’t hold a formal “lessons learned” session with incident responders and other stakeholders, which could have improved its processes in preparation for future breaches.

The Census Bureau welcomed the feedback from the OIG and repeated that “no systems or data maintained and managed by the Census Bureau on behalf of the public were compromised, manipulated, or lost because of the incident highlighted in the OIG’s report.”

Categories: Cyber Risk News

T-Mobile: 49 Million Customers Hit by Data Breach

Info Security - Thu, 08/19/2021 - 08:34
T-Mobile: 49 Million Customers Hit by Data Breach

T-Mobile has admitted that threat actors have stolen personal information on 48.6 million current, former and prospective customers.

The US carrier revealed in a notice yesterday that the breach affected 7.8 million current T-Mobile post-paid customer accounts, over 40 million records of former or prospective customers who had applied for credit and 850,000 active T-Mobile prepaid customers.

Previous reports had claimed that over 100 million customers might have been hit after a threat actor offered customer records for sale on a hacking forum.

T-Mobile said its investigation is still ongoing, and it’s unclear for now how the compromise occurred. However, the firm claimed that the “highly sophisticated cyber-attack” did not affect customers’ financial information.

Compromised personal data of post-paid customers and those applying for credit is thought to have included first and last names, dates of birth, Social Security numbers (SSNs) and driver’s license/ID information.

For the 850,000 active T-Mobile prepaid customers affected by the attack, the hacker is thought to have obtained names, phone numbers and account PINs.

T-Mobile said it’s offering affected customers free identity protection services for two years and recommends post-paid customers change their PIN, even though these numbers are not thought to have been compromised. The firm said it’s also offering account takeover protection for post-paid customers.

Ian McShane, field CTO at Arctic Wolf, said he was skeptical of the phrase “highly sophisticated” given the multiple breaches affecting T-Mobile in recent years.

“The disclosure is of course the right thing to do ethically and legally, but now people need to be on guard against opportunistic phishing and smishing attempts that take advantage of this new incident,” he added.

“The free ‘ID Theft Protection Service’ will be of little comfort for those who have had their SSN and related personal information exposed. The onus is once again on the consumer to change PINs and passwords, and maybe even consider switching phone numbers, as so many services can be linked for authentication purposes.”

There are fears that affected customers may be particularly exposed to SIM swapping attacks, where criminals use stolen personal information to pose as customers. They then trick sales staff into transferring the victim’s phone number to a SIM under their control, effectively hijacking any calls or texts, including log-in authentication codes from banks and other providers.

Categories: Cyber Risk News

Airline Employee Jailed for Spending Passengers’ Money

Info Security - Wed, 08/18/2021 - 20:51
Airline Employee Jailed for Spending Passengers’ Money

A former United Airlines employee has been sent to prison for stealing passengers' financial data and using it to make fraudulent purchases. 

Hayder Lefta, of Manchester, New Hampshire, worked as a customer service representative at Manchester-Boston Regional Airport in 2018 and 2019. Court documents showed that while assisting customers at the airport, the 25-year-old made a copy of their credit card numbers. 

Lefta later used these stolen card details to purchase airline flights and meals for himself and for friends without the card owners' consent. 

Other expenses Lefta ran up on customers' cards included bills for hotels he used for his personal leisure travel. 

An investigation into Lefta was launched after a United Airlines customer who had used the airport in September 2018 discovered charges on their credit card statement that they hadn't made. 

The fraudulent charges included tickets on Turkish Airlines priced at $2,657 and $1,488, and a $112.31 order placed with a Manchester branch of pizza restaurant Domino's. 

Investigators linked Lefta's phone number with the fraudulent Domino's pizza order and determined that he had been working at the airport when the victim had traveled through it. 

Lefta was eventually linked to more than $31,500 in charges made with stolen credit card numbers. 

Police arrested Lefta on January 8, 2019, while he was working at the airport. A search of his three cell phones, iPad, and computer revealed images of multiple credit card numbers displayed on airline computers along with screen shots of passengers' personal information.

At least 12 of the passengers whose personal information was found in Lefta's possession had been the victim of credit card fraud. 

On April 21, 2021, Lefta pleaded guilty to access device fraud. He was sentenced on August 17 to 10 months in prison and ordered to pay restitution in the amount of $75,778.47 to his victims.

“This defendant’s theft and use of credit card numbers from airport customers was a brazen crime that allowed him to go on an undeserved spending spree," said Acting US Attorney John Farley.  

"As a result of the hard work of our law enforcement partners, he is now a convicted felon who will serve prison time for his offenses and will need to pay restitution to his innocent victims.”

Categories: Cyber Risk News

US Hospitals Divert Care After Cyber-attack

Info Security - Wed, 08/18/2021 - 19:51
US Hospitals Divert Care After Cyber-attack

A cyber-attack forced hospitals in West Virginia and Ohio to divert patients to other care providers and work from paper records.

Threat actors targeted Memorial Health System with ransomware on the morning of August 15. The assault disrupted the IT systems at nearly all the health system's 64 clinics and three hospitals – Marietta Memorial, Selby General, and Sistersville General.

By midnight on Sunday, the hospitals were turning away patients, except for heart-attack, stroke and trauma patients, and sending them to Camden Clark Medical Center and Belpre Medical Campus. This may have increased the waiting time for care by as much as an hour for some patients.

The attack triggered the cancellation of radiology examinations and non-urgent operations as staff were unable to access IT systems. 

On August 18, the health system issued a statement announcing that it worked with national cybersecurity experts to resolve the impact of the attack.

"We have reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible," said Memorial Health System president and CEO Scott Cantley. 

"We are following a deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes our ability to provide patient care."

Cantley did not state whether the negotiations involved the health system's agreeing to pay a ransom to the attackers but added that IT systems could be back online as early as Sunday. 

Early indications are that the attack did not involve a data leak. 

Cantley said: "As we conduct our IT remediation work, our security experts have been monitoring and have not noted any indication that any patient or employee data has been publicly released or disclosed."

He added that the health service planned to strengthen its existing cybersecurity defenses.

"Moving forward, the health system will continue to focus on remediation technology that will be added to already intensive security systems," said Cantley. 

"It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber-threat landscape. We continue to implement enhancements to our information security, systems, and monitoring capabilities."

Categories: Cyber Risk News

ICS Vulnerabilities Increase 41%

Info Security - Wed, 08/18/2021 - 18:51
ICS Vulnerabilities Increase 41%

Disclosures of vulnerabilities affecting industrial control systems (ICS) have grown by 41% in the past six months, according to a report released today by Claroty.

The third Biannual ICS Risk & Vulnerability Report found a rapid acceleration in the number of disclosures being reported since the start of 2021. 

In the last half of 2020, 449 vulnerabilities were disclosed. During the first half of 2021, more than 600 ICS vulnerabilities were disclosed, impacting 76 vendors. 

Claroty researchers described the rise in the number of disclosures as "particularly significant given that in all of 2020 they increased by 25% from 2019 and 33% from 2018."

Most of the vulnerabilities disclosed represented a serious risk to industrial control systems, with 71% being classified as high or critical. 

Researchers found that 81% of vulnerabilities were discovered by sources other than the affected vendor, including independent researchers, academics, third-party companies, and other research groups.

Worryingly, 90% of the vulnerabilities were identified as not requiring any special conditions to be exploited. Therefore, an attacker who exploited these "low attack complexity" vulnerabilities could expect to enjoy repeatable success every time.

Nearly two-thirds of disclosures (61%) were remotely exploitable, and 66% did not require any user interaction to be exploited. 

Almost three-quarters of vulnerabilities (74%) did not require privileges, so they could be exploited by an attacker who was unauthorized and who did not have access to settings or files.

Amir Preminger, vice president of research at Claroty, said that modernization was raising risks for companies. 

“As more enterprises are modernizing their industrial processes by connecting them to the cloud, they are also giving threat actors more ways to compromise industrial operations through ransomware and extortion attacks,” said Preminger.

They went on to describe the latest cyber-attacks on critical infrastructure in the Unites States as a wake-up call. 

“The recent cyber-attacks on Colonial Pipeline, JBS Foods, and the Oldmsar, Florida, water treatment facility have not only shown the fragility of critical infrastructure and manufacturing environments that are exposed to the internet but have also inspired more security researchers to focus their efforts on ICS specifically," said Preminger.

Categories: Cyber Risk News

Phishing Costs Surge to $15m Annually for US Organizations

Info Security - Wed, 08/18/2021 - 09:36
Phishing Costs Surge to $15m Annually for US Organizations

The average cost of phishing for large US organizations has soared by 289% over the past six years, with firms now losing nearly $15m annually, according to Proofpoint.

The security vendor commissioned the Ponemon Institute to poll nearly 600 IT and IT security practitioners to compile its latest Cost of Phishing study.

It revealed that the average large US organization loses $14.8m per year to phishing-related cybercrime, up from $3.8m in 2015 and calculated at $1500 per employee.

Phishing for credentials is a common starting point for ransomware and Business Email Compromise (BEC). The study claimed that ransomware costs large organizations $5.7m annually, while BEC accounts for $6m.

However, although these are average figures, they could rapidly escalate in some circumstances. Companies including Cognizant, Sopra Steria and Norsk Hydro have all suffered losses in the tens of millions of dollars following ransomware incidents. The FBI recorded total BEC losses of $1.8 billion from reported incidents in 2020.

Ponemon Institute founder Larry Ponemon warned firms that the cost of a ransomware attack could amount to much more than the initial pay-out to threat actors.

“What we found is that ransoms alone account for less than 20% of the cost of a ransomware attack,” he explained. “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”

According to Proofpoint, the cost of resolving malware infections has doubled since 2015, from $338,098 to $807,506.

Yet, it’s not just infections that can eat into profits. The report claimed that the average cost to contain initial credential phishing compromises increased from $381,920 in 2015 to $692,531 in 2021 — with companies typically experiencing over five of these incidents each year.

“Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware,” said Ryan Kalember, EVP of cybersecurity strategy at Proofpoint.

“Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”

Categories: Cyber Risk News

Critical Bug Could Allow Remote Snooping Via Millions of Devices

Info Security - Wed, 08/18/2021 - 09:06
Critical Bug Could Allow Remote Snooping Via Millions of Devices

Security researchers have found yet another critical IoT supply chain vulnerability affecting millions of devices, which could enable attackers to eavesdrop on real-time camera feeds.

Mandiant revealed the CVE-2021-28372 bug yesterday after reporting it to the Cybersecurity and Infrastructure Security Agency (CISA).

It affects devices using the “Kalay” platform from Taiwanese firm ThroughTek, which makes software for OEMs to use in IP cameras, baby and pet monitoring cameras, digital video recorders (DVRs) and more.

Although Mandiant wasn’t able to ascertain exactly how many devices are affected, the firm warned that, according to ThroughTek, more than 83 million are currently using Kalay.

The news comes just a couple of months after Nozomi Networks discovered a critical bug in the ThroughTek P2P SDK. However, unlike that flaw, this one allows threat actors to communicate with devices remotely, opening the door to remote code execution attacks, Mandiant claimed.

That said, exploitation is far from easy.

“An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs,” the security firm explained.

“From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.”

Mandiant worked closely with ThroughTek on vulnerability disclosure, and both they and CISA recommend any organizations using Kalay to upgrade to new version 3.1.10 without delay. Affected firms are also urged to enable DTLS, which protects data in transit, and AuthKey, which adds an extra layer of authentication during client connection.

Andy Norton, European cyber risk officer at Armis, warned that IoT devices are increasingly the weakest link in the corporate security chain.

“Despite IoT devices carrying very similar risks to organizations, there is currently a lack of mitigating controls in comparison to IT devices,” he added.

“Understanding the purpose of an IoT device and monitoring for changes to the way it behaves … is the current state of the art method for IoT device risk management."

Categories: Cyber Risk News

CISA Urges Organizations to Patch Critical BlackBerry QNX Bug

Info Security - Wed, 08/18/2021 - 08:32
CISA Urges Organizations to Patch Critical BlackBerry QNX Bug

A vulnerability in BlackBerry’s QNX Real-Time Operating System (RTOS) could pose a serious security risk to critical infrastructure providers, the US government has warned.

Microsoft first discovered the so-called “BadAlloc” flaws in April. These remote code execution (RCE) bugs cover over 25 CVEs and take the form of integer overflow or wraparound vulnerabilities, it said at the time.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that the QNX RTOS is vulnerable to one of them, CVE-2021-22156, potentially enabling an attacker to perform denial-of-service or remotely control sensitive systems. It has a CVSS score of 9.0, marking it as “critical.”

Although no current reports suggest the bug has been exploited in the wild, CISA urged any organizations “developing, maintaining, supporting, or using” affected systems to patch immediately.

The issue is more urgent given the widespread deployment of QNX in critical infrastructure. BlackBerry claims that the RTOS “is trusted in more than 195 million vehicles” and embedded in systems across “aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail and robotics.”

The US Food and Drug Administration has also issued a bulletin, claiming that medical device manufacturers are currently assessing and working to mitigate the vulnerability.

It has been reported that BlackBerry officials first denied that BadAlloc affected their software and then chose not to go public with the news when the flaws were first revealed several months ago.

However, this stance changed after the firm concluded that it could not identify all affected downstream customers that may be using the RTOS via OEM-ed products, according to Politico.

“Software supply chain issues are main stage now, and are the gateway drug to extortion, ransomware, and botnets,” argued BreachQuest CISO, AJ King.

“It’s always better to take early, proactive measures to show your consumers that you’re doing everything in your power to keep their data — and in this case their physical security — safe.”

Categories: Cyber Risk News

Yik Yak Returns

Info Security - Tue, 08/17/2021 - 21:51
Yik Yak Returns

An app that allows users within a 5-mile radius to communicate anonymously has been relaunched four years after it shut down.

Yik Yak was first launched in 2013 and quickly became the ninth most downloaded social media app in the United States, reaching 1.8 million downloads by September 2014. 

Created by college students Tyler Droll and Brooks Buffington, the app was a hit with America's teens but became dogged by instances of cyber-bullying and violent threats. 

Schools, including Palisades Charter High School (PCHS) in Los Angeles and Russellville High School in Alabama, were forced to evacuate their students after anonymous bomb threats were posted on the app. 

One parent, speaking after the evacuation of PCHS, told NBC News that the app "gives people freedom to post without fear of retribution."

In 2014, University of Georgia student Ariel Omar Arias was arrested and charged with two felony counts of terroristic threats after posting a threat to commit violence at a campus building via the app. 

Arias claimed the post, which purportedly read, “If you want to live don’t be at the MLC at 12:15,” was a prank.  

Yik Yak Inc., which is based in Nashville, Tennessee, announced the app's return on Monday in a tweet. Currently, only iPhone users in the US can download the app. However, the company said it planned to make Yik Yak available to other countries and devices. 

The new incarnation of Yik Yak comes with an extensive list of often vaguely defined Community Guardrails detailing what users are not allowed to share in a yak (a post).

Among the content users are barred from posting is "gossip," "excessive sarcasm," and "excessive commentary on an individual's physical attributes, character, or personal life."

Children should not be identified "under most circumstances" and "license plate numbers, social security numbers, or personal information that identifies someone" should not be posted "in most cases."

Users are asked to "immediately downvote and report" yaks that don't "vibe with the Community Guardrails."

The app's makers said their plan is to "rely on our community to help make Yik Yak a constructive venue for free and productive speech."

Categories: Cyber Risk News

Records Missing from Illinois Vaccination Portal

Info Security - Tue, 08/17/2021 - 19:52
Records Missing from Illinois Vaccination Portal

Illinois residents who have been vaccinated against COVID-19 are complaining that their immunization records are missing from the state's new online vaccination portal.

The Illinois Department of Public Health (IDPH) launched the Vax Verify portal on August 11 to allow residents aged 18 and over to check their COVID-19 vaccination records.

“As more businesses, events, organizations, and others require proof of vaccination, Illinois residents will be able to confirm using Vax Verify that they have been vaccinated for COVID-19,” said IDPH director Dr. Ngozi Ezike as the portal went live. 

“With the current surge in cases, more people are making the decision to get a COVID-19 vaccine, and this new tool will aid residents in confirming their vaccination where needed.”

News source CBS 2 has reportedly received emails from multiple vaccinated Illinois residents who have registered with the portal only to receive a "no records found" message when they log in and search for their immunization records.

One resident said in an email to CBS 2, “IDPH does not have my vaccination records, and as far as the State of Illinois knows, I am not vaccinated.”

The state told CBS 2 that residents whose immunization information is absent from the portal or listed incorrectly must contact their vaccination provider to ask for the portal to be updated.

The IDPH said that the portal “cannot change records or update demographic/contact information.”

Illinois created the portal in partnership with Experian. Residents who wish to download proof of their vaccination must complete an identity verification process. In a non-typical arrangement, residents who have frozen their credit must unfreeze it and wait a day before they can register. 

Director of engineering for the Electronic Frontier Foundation, Alexis Hancock, has been reviewing vaccination record portals set up all over America. She criticized the Illinois portal's link with residents' credit. 

“I would say it’s one of the worst ones in terms of initial barrier to entry,” said Hancock. "In New York and California and Louisiana, you can just provide the information that you have on your CDC card, the one you are issued with when you get vaccinated."

Categories: Cyber Risk News

Indiana Contact Tracing Data Breached

Info Security - Tue, 08/17/2021 - 18:00
Indiana Contact Tracing Data Breached

Hundreds of thousands of Indiana residents are being notified of a data breach involving responses collected via the Hoosier State's COVID-19 online contact tracing survey.

A software misconfiguration that left information exposed to the public was discovered by an unnamed vulnerability-hunting company. The company informed state officials of the breach on July 2 after they were able to access and download the data. 

The breach was announced by state health officials on Tuesday. Information that was compromised in the incident included names, addresses, email addresses, gender, race, ethnicity, and dates of birth. 

The Indiana Office of Technology and the Indiana Department of Health (IDOH) said immediate steps were taken to correct the misconfiguration and re-secure the records that had been accessed. 

“We take the security and integrity of our data very seriously,” said Tracy Barnes, chief information officer for the state, in a statement.

“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”

The company that discovered the breach returned the sensitive data on August 4 and signed a certificate of destruction to confirm that the information had been permanently deleted.

State health commissioner Dr. Kris Box said they believe the impact of the data breach will be minimal owing to the nature of the information that was accessed. 

"We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained," said Dr. Box.

"We will provide appropriate protections for anyone impacted."

Affected Indiana residents will receive data breach notification letters and will be provided with one year of free credit monitoring. The state is partnering with credit monitoring company Experian to set up a call center that will serve victims of the data breach. 

Nearly 750,000 residents have been impacted by the data breach. The Indiana Office of Technology said it will use scanning techniques to ensure that the compromised information was not passed to any additional parties.

Categories: Cyber Risk News

MoD Invites Innovators to Reduce Military's Cyber-Attack Surface

Info Security - Tue, 08/17/2021 - 09:24
MoD Invites Innovators to Reduce Military's Cyber-Attack Surface

The UK’s Ministry of Defence (MoD) is calling on startups to help the military reduce its cyber-attack surface by designing a new generation of more secure hardware and software.

The MoD’s Defence and Security Accelerator (DASA) issued the call-to-arms on Monday, claiming it is prepared to fund proposals up to £300,000 for a nine-month contract.

“The Defence Science and Technical Laboratory (DSTL) on behalf of the MoD is interested in identifying and accelerating next generation hardware and software technologies to ‘design-out’ the vulnerabilities prevalent within current and future computer networks and systems (with a particular focus on operational technologies), thereby dramatically reducing defense exposure to cyber effects,” it explained.

“Intelligently applying these technologies would significantly reduce the opportunity for manipulation of such vulnerabilities on MoD systems and platforms; effectively raising the barrier to entry for adversaries and providing greater confidence and a level of assurance against cyber-enabled attack.”

The MoD wants solutions “applicable across a whole “class” of attack surface” rather than those that might only work against a specific threat. However, it said that proposals could be designed for future systems or retrofitted to existing capabilities.

To secure the initial round of funding, proposals must be within Technical Readiness Level 4 – 7. For further funding, interested parties would need to produce a roadmap describing how they would achieve a technical demonstrator by the end of the financial year 2023.

Cycle 1 of the Reducing the Cyber Attack Surface focus area is open now and will close at midday BST on October 20 2021. Cycle 2 will run from October 20 2021 to January 5 2022.

The news comes just a fortnight after the MoD completed its first bug bounty program to help find and remediate vulnerabilities across the department’s networks and 750,000 devices.

Categories: Cyber Risk News

Colonial Pipeline Reportedly Admits Data Breach

Info Security - Tue, 08/17/2021 - 08:45
Colonial Pipeline Reportedly Admits Data Breach

Colonial Pipeline has reportedly admitted that nearly 6000 individuals may have had their personal information compromised by ransomware attackers when they struck earlier this year.

The fuel pipeline operator, which was crippled by the attack in May, confirmed to CNN Business that it had begun sending out breach notification letters to 5810 victims. Most of those affected are thought to be current and former employees and family members.

The compromised information is thought to include names, contact information, birth dates, Social Security numbers, driver’s license details, military ID numbers, and health insurance information.

Speaking to the news channel, a spokesperson from the critical infrastructure operation thanked employees and the public for their understanding as it continues to work through the incident.

“Though our pipeline system is now fully operational, we have been hard at work with third-party cybersecurity experts determining what, if any, personal information may have been affected as a result of the attack,” they added in a statement.

“Based on this review, we learned that an unauthorized party acquired certain personal information in connection with the attack.”

The May ransomware attack forced one of the biggest fuel pipelines in the US offline for several days, pushing prices up and hardening the Biden administration’s stance on cyber-criminals operating from Eastern Europe.

The DarkSide gang thought to have been responsible for the malware soon appeared to disband due to the extra scrutiny from the US government.

Since the attack, ransomware has the attention of heads of state across the globe and has led to sharp words from Washington, NATO and the G7 directed at Russia, which is thought to turn a blind eye to such attacks operating from within its borders.

Data exfiltration is now a common tactic for ransomware actors looking to increase their chances that victim organizations pay up following an attack. According to Coveware, 81% of raids in Q2 2021 involved the threat to leak stolen data, up 5% from the previous quarter.

Categories: Cyber Risk News

Misconfigured Server Leaks US Terror Watchlist

Info Security - Tue, 08/17/2021 - 08:22
Misconfigured Server Leaks US Terror Watchlist

A secret watchlist of suspected terrorists maintained by the FBI was exposed online after a configuration error and then not fixed for several weeks after being reported, according to Comparitech.

Head of security research at the firm, Bob Diachenko, said he discovered the Terrorist Screening Center (TSC) list on July 19, when the exposed Elasticsearch server was indexed by search engines Censys and ZoomEye.

The list was left online without a password or any other authentication to secure it. It contained 1.9 million records, including full name, TSC watchlist ID, citizenship, gender, date of birth, passport number and more.

The TSC is a classified list of suspected terrorists, including a smaller “no-fly” list. The information is shared with the Departments of State and Defense and customs officers, TSA staff and international partners.

Although he didn’t check the entire database, Diachenko suggested that it may have contained the whole TSC list.

“The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families,” he argued.

“It could cause any number of personal and professional problems for innocent people whose names are included in the list. There have been several reports of US authorities recruiting informants in exchange for keeping their names off of the no-fly list. Some past or present informants’ identities could have been leaked.”

The exposed server, which was found on a Bahrain rather than a US IP address, was apparently left online without any security for three weeks after Diachenko informed the Department of Homeland Security (DHS).

Categories: Cyber Risk News

DOJ to Consider Expanding Use of AI Prisoner Monitoring Tech

Info Security - Mon, 08/16/2021 - 20:59
DOJ to Consider Expanding Use of AI Prisoner Monitoring Tech

A House of Representatives panel has asked for a study to be done on the use of artificial intelligence (AI) to analyze prisoners’ phone calls.

Reuters reports that the United States Department of Justice (DOJ) has been asked to report on the use of AI monitoring as a tool to prevent suicide and violent crime. 

The monitoring systems would be used to analyze and automatically transcribe inmates' conversations, flagging particular words or phrases. Such technology is already in use in prison facilities in AlabamaNew York, and Georgia.

A House Democratic aide said that the DOJ was being actively encouraged “to engage with stakeholders in the course of examining the feasibility of utilizing such a system.”

Commenting on the prospect of AI's being used to monitor inmates' phone calls, Texas resident Heather Bollin, whose fiancé is in prison, told Reuters: “It’s very unsettling. What if I say something wrong on a call? It could be misconstrued by this technology, and then he could be punished.”

Privacy groups have questioned the use of AI call monitoring in prisons. 

“This Congress should be outlawing racist policing tech - it shouldn’t be funding it,” said Albert Fox Cahn, executive director of New York-based advocacy group the Surveillance Technology Oversight Project (STOP).

“People who have been caught up in the criminal justice system are always turned into the subjects of experimentation for new technology systems.”

A Stanford University and Georgetown University study into technology that transcribes voice conversations concluded that such tech has a high error rate when used to analyze words spoken by black people. 

The study's lead author Allison Koenecke, said: “Speech-to-text technology is not in a place where it can be used to make these kinds of criminal justice decisions."

Police in Oxford, Alabama, already use Verus voice monitoring technology to listen in on prisoners' phone conversations. Oxford chief of police Bill Partridge said that the tech had helped to prevent suicides and that inmates had been captured discussing "actually committing the murder."

He said: “I think if the federal government starts using it, they’re going to prevent a lot of inmate deaths."

Categories: Cyber Risk News

T-Mobile Investigates Possible Data Breach

Info Security - Mon, 08/16/2021 - 19:45
T-Mobile Investigates Possible Data Breach

T-Mobile has launched an investigation into a claim that the personal data of more than 100 million of its customers had been compromised. 

The claim was first discovered and reported by Vice News. Researchers came across a hacker on an online forum asking for Bitcoin in exchange for Social Security numbers.

Though T-Mobile isn't mentioned in the forum for sale post, the hacker told Vice that the data was a subset of 100 million records that had been taken from T-Mobile servers. 

The hacker alleged that the company misconfigured a gateway GPRS support node used for testing, exposing it to the internet and allowing the attacker to eventually pivot to the LAN.

It is alleged that the stolen information includes customers' phone numbers, names, physical addresses, Social Security numbers, and driver licenses.

The hacker said that the rest of the data, which isn't being offered for sale on the forum, is being sold privately. 

In a statement to Reuters, T-Mobile said: "We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time."

Sharon Besser, SVP of Guardicore, said that if the data breach does prove to be genuine, it shows how important it is to properly segment internal environments to limit attackers' ability to access 'crown jewel' data. 

"Repeated instances like this highlight the fact that organizations still struggle with reducing the attack surface and limiting lateral movement once a trusted network has been compromised," she said. 

Jack Chapman, VP of Threat Intelligence at Egress, said the data breach "could be one of the most serious leaks of consumers’ sensitive information we’ve seen so far this year" due to the number of potential victims.

"The data leaked in this breach is reported as being already accessible to cyber-criminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims," said Chapman. "Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud."

Categories: Cyber Risk News

Cadbury Campaigns Against Cyber-bullying

Info Security - Mon, 08/16/2021 - 18:44
Cadbury Campaigns Against Cyber-bullying

The formerly British-owned chocolate maker Cadbury has launched the second phase of a campaign that encourages people to take action when they witness cyber-bullying.

The #HeartTheHate campaign asks internet users to mark social media posts that have attracted online abuse with a purple heart emoji. 

Cadbury, which was bought by American multinational company Mondelēz International in 2003, initially cooked up the campaign in 2019 to show solidarity with abuse victims. 

The campaign was launched after a poll of 89,685 internet users conducted by Cadbury in partnership with Indian media company Inshorts found that 57.6% of respondents has been cyber-bullied, and 46.5% of victims had been harassed online more than once.

Anil Viswanathan, senior director of marketing at Mondelez India, said: "Cyber-bullying is something which affects everyone, especially today’s youngsters. 

"Apart from the direct impact of bullying, the apathy of the silent bystander impacts the victims in a big way. While we were pleased to see the impact created online through #HeartTheHate, which leveraged this insight in 2019, we knew there was a lot of work still left to do."

Phase two of the ad campaign follows a more recent poll by Inshorts and Cadbury that surveyed 170,000 people. Researchers found that 42% of respondents reported being cyber-bullied, and 55% said that they had not been given any assistance from friends after falling victim to online abuse.

"Through the next phase of the campaign, we hope to further reiterate Purple Heart as an emoticon that helps express solidarity with the bullied," said Viswanathan. 

"This campaign leverages technology in a smart way to make consumers understand how breaking their silence and standing up for the victims can make a huge difference in their lives.” 

In the campaign, Indian abuse victims are shown in different scenarios being comforted by seeing the purple hearts left by supporters or getting bullied more when bystanders ignore the first round of abuse.

India represents the third biggest market for Cadbury chocolate products after the UK and Australia. Cadbury Dairy Milk has also teamed up with cyber-psychologist Nirali Bhatiato to run training courses at 20 universities around the country about the impact of cyber-bullying.

Categories: Cyber Risk News