Week of May 20, 2019



Uniqlo Parent Company Says Hack Compromised 461,091*

  • Fast Retailing Co., parent company of Uniqlo and Asia's largest retailer, confirms data belonging to 461,091 people was compromised in a cyberattack on its Uniqlo and GU shopping websites.
  • Officials say the breach took place between April 23 and May 10, 2019, when it was confirmed, as reported in a statement on Fast Retailing's website.
  • An investigation began when customers reported strange account activity — for example, notice of registration information changes.
  • So far, officials have learned this is a "list-type attack" on the firm's Japanese websites, meaning intruders reused credentials that were also used on, and stolen from, other sites.
  • Compromised data includes: full name, physical and email address, phone number, gender, birth date, purchase history, and partial credit card numbers.
  • The company reports credit card numbers are hidden except for the first and last four digits; CVV numbers are not stored.
  • Fast Retailing has invalidated the account passwords of affected users and notified them to reset their passwords.

*Source: Dark Reading, May 14, 2019


Google Announces Security Flaw That Could Let An Attacker Access Your Device*

  • On Wednesday, Google announced on its security blog that it has found a bug in the Bluetooth Low Energy (BLE) version of its Titan Security Key that exposes users to a potential attack when pairing the device via Bluetooth.
  • These keys are a low-cost method of two-factor authentication that provides an added layer of security when logging in to your Google account.
  • According to Google, "it is possible for an attacker who is physically close to you at the moment you use your security key to (a) communicate with your security key, or (b) communicate with the device to which your key is paired."
  • The chances that you'll be affected by this particular vulnerability are relatively small.
  • The circumstances that would have to align include an attacker in close proximity (less than 30 feet or so), who is able to time their attack to the exact moment that you connect with your security key.
  • Hackers could then connect their device and take advantage of the two-factor authentication offered by Titan key, or masquerade their device as your key and connect to your laptop.
  • In that scenario, they'd still have to have your username and password and time their attack perfectly.
  • Or, they could, in effect, use their device as a Bluetooth accessory like a keyboard to take control of your computer.
  • While the chances are remote for the average user, the consequences could be significant.
  • If you did fall victim to this attack while connecting to your company's intranet or customer database, for example, you might expose sensitive or personal data that could be accessed or modified.
  • To tell if you might be affected, check the back of your key. If it's marked T1 or T2, Google will replace it for free.

*Source: Inc, May 16, 2019


Exposed Elasticsearch Database Compromises Data On 8 Million People*

  • An unprotected Elasticsearch database exposed information belonging to eight million people in the United States who submitted their personal details as part of online sweepstakes entries, surveys, and free product sample requests.
  • Survey websites typically offer samples, prizes, or contest entries in exchange for personal data that's later used in marketing campaigns, BleepingComputer reports.
  • The information collected by one organization was kept in an Elasticsearch database, which was found unprotected by security researcher Sanyam Jain.
  • It contained data including the full names, physical and email addresses, phone numbers, birthdates, gender, and IP addresses of individuals who entered their info on survey sites.
  • Further investigation by Jain showed the site belonged to PathEvolution, an online marketing firm owned by Ifficient, another marketing company.
  • Ifficient secured the database when contacted by Amazon, which Jain reached out to when contacting PathEvolution proved difficult.
  • The business says it doesn't capture or store social security numbers, drivers license numbers, state ID numbers, or financial account or payment card numbers in its database.
  • Ifficient also reports that due to a high number of duplicate records, the amount of records affected is lower than the 130 million that Jain saw in the Elasticsearch database.

*Source: Dark Reading, May 17, 2019


5 Most Vulnerable Industries For Data Breaches In 2018*

  • Web:
    • Websites are being targeted by scammers and hackers, especially gaming and casino websites.
    • Criminals want to hack these kinds of websites to steal personal information, money, and serious transactions.
    • That is why many websites are investing in high-level security and employing professional IT security experts to monitor the security and safety of the websites.
    • Cybersecurity has become one of the most important parts of every website for protecting clients and users, especially in the casino and gaming niches.
    • Gambling websites that use real money are among the most threatened websites and the most targeted by hackers.
  • Healthcare:
    • The healthcare industry is being targeted at a higher rate than any other, suffering at least one incident a day.
    • Electronic health records contain valuable information, as a patient’s file typically includes a credit card number, medical insurance number, biometric data, and other personal information.
    • All these sensitive data can be abused to obtain health benefits like Medicare, Medicaid, or prescription medication.
    • Healthcare is the only industry that is more vulnerable from inside than from outside.
    • More than half of incidents involved insiders motivated by financial gain, convenience (storing sensitive files on unapproved media), or curiosity (snooping on a family member or celebrity).
    • With hospitals accounting for approximately 30 percent of all healthcare data breaches, their computers continue to be easy targets because they contain a wealth of information, including patient charts, nursing reports, and referral letters.
    • With 24 percent of all 2018 data breaches happening in medical organizations, almost one in eight Americans have had their patient records compromised.
    • Misconfigurations, disposal errors, omissions, programming errors, and data entry errors are among the top reasons for a data breach in healthcare.
  • Accommodation:
    • The accommodation sector has also been consistently cited as one of the most vulnerable to data breaches, accounting for 15 percent of all breaches that happened in 2018.
    • This sector of the hospitality industry constantly collects information about its customers when they book online, check in, or get notifications.
    • Coupled with public Wi-Fi networks and smartphone key cards, these interconnected places are vulnerable to serious data breaches.
    • In addition to credit card numbers that can only be used until they expire, hotels gather other personal customer information that can be compromised by sophisticated intruders.
    • This personal data can be abused to impersonate individuals or to break into their bank accounts. Most of the breaches in accommodations happen because of third-party vendors.
    • Third parties provide various services to hotels, but the hospitality is particularly reliant to check their cybersecurity policies.
    • While subcontractors are better equipped to provide specialized services, in most cases, they gain unlimited access to information collected by hotels: credit card numbers, reservations, payroll, human resources, and so on.
    • Unfortunately, many hotels in the accommodations industry haven’t fully recognized the need to monitor third parties yet.
  • Public:
    • While highly publicized breaches of well-known corporations dominate in the news on a regular basis, the public sector also has its share of vulnerabilities in cybersecurity.
    • In fact, the US government experiences the highest number of attacks compared to other countries.
    • But lack of funding and budget cuts prevent the government from effectively defending itself against hackers.
    • Not only are so many agencies open to attack, but very few of them have visibility into their systems to effectively detect data breach attempts.
    • Thus, more than a third of incidents remain without a response, meaning that the relevant agency may never determine how the attack was perpetrated.
    • Cyber-espionage continues to be the biggest issue for the public sector, with nation-state related attackers accounting for over half of all incidents.
    • Privilege misuse and insider error are responsible for a third of breaches.
    • Phishing attacks, backdoors, and C2 channels are among the techniques most commonly used in espionage-related attacks.
    • Personal information and state secrets are the two types of data that make the public sector so attractive to cybercriminals.
  • Retail:
    • Larceny has always been an issue for retailers, but now digital thieves aim to steal retailers’ most valuable possession: their customers’ credit card data.
    • It can be compromised anonymously, and because all financial transactions are now fast and convenient, the cash can be quickly skimmed out of bank accounts.
    • Several factors are driving the boost in data breaches.
    • The retail sector often keeps customers’ data in the cloud in plain text.
    • Increased reliance on outside third-party contractors, from software to infrastructure services, also contributes to the rise of breaches.
    • Companies whose business activity requires an online presence continue to be targeted by DoS attacks, while payment card skimmers continue to be an issue for physical stores.
    • Web application attacks continue to be a problem, with some well-known input validation vulnerabilities being the leading cause.
  • Finance:
    • Last year’s breach at Equifax affected over 100 million people, showing that the finance industry continues to be a prime target for hackers.
    • Financial services companies are being hit mostly because that’s where the money is.
    • And while they are getting better at defending against ordinary attacks, they face more sophisticated threats as a result.
    • Most of the incidents involve web app attacks that are difficult to detect since millions of legitimate users visit them every day.
    • Besides, identifying malicious activity in the noise is hard, especially if attacks are carried out over time and through multiple proxy servers.
    • A possible attack surface in the financial industry increases significantly as more financial organizations turn to third parties to handle internal processes, move to the cloud, and use more channels to interact with customers.
    • With ATM jackpotting being the leading form of physical access tampering, web application authentication tools, malware, and privilege misuse count among the top 5 attack patterns.

*Source: HackerNoon, May 13, 2019


Microsoft SharePoint Vulnerability Exploited In The Wild*

  • A critical vulnerability in Microsoft’s SharePoint collaboration platform has been exploited in the wild to deliver malware.
  • The security hole, tracked as CVE-2019-0604, got its first patch in February and another one in March after the first fix turned out to be incomplete.
  • Microsoft described the issue as a remote code execution vulnerability caused by the software’s failure to check the source markup of an application package.
  • It can be exploited without the need for authentication.
  • Markus Wulftange, the researcher who reported the flaw to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), disclosed details and proof-of-concept (PoC) code on March 13, one day after Microsoft released the second round of patches.
  • Several PoC exploits were later made public and the first attacks exploiting CVE-2019-0604 were apparently spotted in early April.
  • The Canadian government’s Canadian Center for Cyber Security published an alert on April 23 to warn organizations that the SharePoint vulnerability had been exploited to deliver the China Chopper web shell to affected servers.
  • China Chopper, which has been around since 2012, is one of the five most commonly used hacking tools, according to a report published last year by Five Eyes cybersecurity agencies.
  • Saudi Arabia’s National Cyber Security Center issued an alert last week to warn organizations of attacks targeting the same vulnerability and delivering the same China Chopper web shell.
  • The Saudi agency said it had spotted several “advanced groups” exploiting the flaw, mainly against organizations within the country.
  • The agency said the attackers used the web shell to deliver other tools, including what it described as a new and custom backdoor.
  • The vulnerability appears to have been exploited by both advanced persistent threat (APT) actors and financially-motivated cybercrime groups — some links have been found to a notorious group tracked as FIN7, which was recently spotted using new malware.
  • AT&T Alien Labs reported on Friday that it had found what appeared to be an earlier version of the backdoor spotted by the Saudi agency.
  • The malware, shared by someone in China, allows attackers to execute commands on compromised systems and download or upload files.

*Source: Security Week, May 13, 2019


Retailers Walking A Tightrope Between Data Privacy And Personalization*

  • As consumers are increasingly shopping beyond the boundaries of their home countries, retailers and brands are faced with not only meeting differentiated needs and personalized preferences specific to different markets, but also complying with a widening set of data protection requirements.
  • Data protection laws are expanding globally, according to Consumers, which currently cites more than 100 countries around the world that now have data protection laws in place.
  • Even in the U.S., the California Consumer Privacy Act of 2018 (CCPA), slated to go into effect on January 1st of 2020, mandates (similar to GDPR) that companies gather consent from their consumer base when it comes to collecting and using data.
  • Retail is walking a fine line as consumers want to have their cake and eat it, too.
  • According to recent research, while most consumers in the United States would welcome personal data protection rights similar to GDPR, research from Segment found that on average, 71% of consumers express some level of frustration when their experience is impersonal.
  • The same report found that 49% of consumers have purchased a product that they did not initially intend to buy after receiving a personalized product recommendation from a brand.
  • Retailers and brands are understandably concerned about how to move forward, as many have spent years curating consumer data and building systems to offer personalized services.
  • Before GDPR, most technology solutions enabled retailers to gather Personally Identifiable Information (PII) that would then allow these retailers to go back and provide personalized offers, products and recommendations.
  • PII is a big NO nowadays, as it enables the retailer to identify individuals directly.
  • Just last month, Harriet Carter Gifts was hit with a potential class-action lawsuit accusing them of using a technology that captures keystrokes and IP addresses that can be used to identify people.
  • As regulations on data privacy tighten faster than retailers can adjust, it’s likely that we will continue to see these kinds of lawsuits.
  • Another rising privacy concern, according to Sourcing Journal, is how retailers are finding and using location data from customers’ phones.
  • Retailers leverage these data to determine what consumers are shopping for, how to advertise and the market voids open to new opportunities.
  • So how does a retailer or brand capture data on a shopper that will enable them to offer personalized preferences in line with expectations while adhering to new privacy laws?
  • The answer lies in “Zero Party Data”, or data that are intentionally given to retailers by consumers.
  • There have already been studies which discuss how retailers and brands are benefiting from this type of data, as consumers who volunteer their information are likely to give richer information and be more open to engaging.
  • This data set enables retailers and brands to build direct relationships with consumers, and, in turn, better personalize their marketing efforts, services, offers and product recommendations without the guesswork.
  • An example is one new study which found that marketers that were prepared to meet and exceed the GDPR standards, when introduced, saw a marked increase in consumer trust, loyalty and engagement levels.
  • This is according to the results of a survey by the CMO Council in partnership with SAP Customer Experience.
  • Further, according to a recent report by the Interactive Advertising Bureau (IAB), two-thirds of European brands indicated that they actually increased their programmatic ad spending in the eight months after the GDPR came into force on May 25th, 2018.
  • Three-quarters (76%) of UK brands reported some level of data quality improvement.
  • U.S. retailers are starting to catch on as well.
  • Walmart, Kroger and Target are exploring how they might use the customer data they possess to build an advertising business, with the aim of both increasing basket value and using ads in the age of GDPR.
  • As retailers and brands continue to arm themselves for the coming onslaught of new regulations around data and consumer privacy globally with no end in sight, ensuring their technology partners bring a Zero Party Data approach is a good start, as is ensuring they are compliant with GDPR, which is increasingly becoming the standard for other countries as they develop their own laws.

*Source: Forbes, May 17, 2019


Two People Indicted For Massive Anthem Health Data Breach*

  • The US thinks it knows who’s behind the vast breach that siphoned off 78.8 million customer and employee records from US health insurer Anthem between 2014 and 2015.
  • On Thursday, the Justice Department unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking group, based in China, that was behind not just the Anthem attack, but also attacks against three other US businesses.
  • The DOJ didn’t name the other businesses but did say they were data-rich.
  • One was a technology business, one was in basic materials, and the third was in communications: all businesses that have to store and use large amounts of data – some of it confidential business information – on their networks and in their data warehouses.
  • The suspects are 32-year-old Fujie Wang – following the Chinese convention of putting a surname first, that would be Wang Fujie; he also used the Western nickname of “Dennis” – and a John Doe.
  • Investigators haven’t yet figured out Doe’s real name, but the indictment said he goes by various online nicknames, as well as “Deniel Jack,” “Kim Young” and “Zhou Zhihong.”
  • The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.
  • The four-count indictment alleges that beginning in February 2014 and up until around January 2015, Wang, Doe and other members of the gang hacked into the targeted businesses using “sophisticated techniques” including spearphishing and malware.
  • They allegedly rigged tailored spearphishing emails with links to malware and sent the messages to employees at the targeted companies.
  • When employees clicked on the links, their systems would get infected by malware that, among other things, planted a backdoor that gave the hackers remote access via their command and control server.
  • Once in, the suspects and their accomplices moved laterally across the infected network in order to escalate their network privileges and to thereby boost their ability to get at information and to tweak the network environment.
  • They were in no rush, the indictment says. Sometimes, they’d allegedly wait months to take the next step, all the time quietly maintaining their access to the infected network.
  • Once the time was right, the hackers would allegedly sniff around for valuable personally identifiable information (PII) and confidential business information.
  • In the case of Anthem, that information included names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment. In other words, a veritable toolkit for identity theft.
  • Then, the suspects and other hackers allegedly exfiltrated the data using encrypted archives, shuffling it through multiple computers as it wended its way on to its final destination: China.
  • The indictment says they used Citrix ShareFile for data storage and transfer.
  • Then, in an attempt to cover their tracks, they allegedly deleted the encrypted archives.
  • Wang is accused of having set up the servers, hosted in California and Arizona, that were used for the Anthem attack.

*Source: Naked Security by Sophos, May 13, 2019

