Monthly Breach Report: April 2019 Edition
With the growing popularity of newer technologies like the Internet of things (IoT) and big data, an upsurge has been witnessed in data breaches across geographies and industry verticals. This is one of the reasons why businesses are feeling the heat constantly to ensure data security and minimize the exposure to data related threats as far as possible.
Keen to know how a data breach impacts an organization? Go through our list of the top data breach incidents of March to get a sense of how businesses handle a data breach, because fixing a data leak is not an easy task.
US-based virtualization software company Citrix was recently hit by a data breach. The software enterprise that offers services to the US military was informed by the FBI that international cyber criminals accessed the company’s internal network.
Los Angeles-based security enterprise Resecurity claims in a blog that the Iranian-linked hacking group known as IRIDIUM executed the crime. It further added that an early warning notification was sent to Citrix last year in December about a data breach and targeted cyber-attack. Resecurity has said that a combination of tools, techniques, and procedures was used to intrude into the Citrix network. The main aim was to gain access to at least 6 terabytes of sensitive data stored in the Citrix enterprise network, comprising email correspondence, files in network shares, and other services leveraged for project management and procurement.
This wasn’t the first time IRIDIUM engaged in a cyber attack. In the past, it has executed cyber-attacks against over 200 government agencies globally, oil and gas enterprises, technology companies, and more.
Following this data breach incident, Citrix initiated a forensic investigation, engaged a cybersecurity firm to take stock of the situation, adopted measures to make its internal network more secure, and is cooperating with the FBI in every possible way to secure its future.
The Hacker News
Federal Emergency Management Agency (FEMA)
Last month the Federal Emergency Management Agency (FEMA) reported a data breach in which it exposed the personal information of 2.3 million disaster survivors to a contractor. The survivors of the 2017 California wildfires, as well as hurricanes Harvey, Irma, and Maria, were part of this data leak incident. The Department of Homeland Security’s (DHS) Office of Inspector General announced that the data leak was found in an audit of the disaster relief agency’s Transitional Sheltering Assistance program.
In a Department of Homeland Security OIG report released on March 15, all the details of the data breach were mentioned. It was reported that FEMA accidentally shared twenty varied types of sensitive personal data of the survivors, who now face the risk of fraud and identity theft. The Office of the Chief Information Officer and FEMA’s Joint Assessment Team have initiated an audit of the network of the contractor to find out if the data may have been further exposed. In the OIG’s report, the name of the contractor has been redacted and not released publicly.
According to FEMA’s cybersecurity experts, 11 security vulnerabilities were identified in the contractor’s network and only four were remediated. FEMA also reported that no intrusion was found in the past 30 days, although the contractor failed to maintain a record of the past one month.
Many news reports state that FEMA was only supposed to share the names, birth dates, Social Security and other relevant administrative data, but details like victims’ street addresses, bank names, and account numbers were mistakenly shared with the contractors.
In several instances, US government agencies have suffered data breaches as they lost control of individuals’ personal information. In 2015, approximately 14 million personal records of federal employees from the Office of Personnel Management, including 6 million biometric fingerprints, were stolen.
China-based online retailer Gearbest became a victim of a data breach in March when it left 1.5 million customer records (including payment information, email addresses, and other personal data for customers worldwide) exposed.
Security researcher Noam Rotem (who discovered the caller ID app Dalil data breach) reported the leak at the Shenzhen-based ecommerce site, which ships goods to over 250 countries and ranks among the top 100 websites in these regions. According to news reports, Rotem’s team was able to access various areas of Gearbest’s unencrypted database, such as the orders database, the invoices and payments database, and the members’ database. Using this information, they were able to log into customers’ Gearbest accounts and view order details, accumulate points, and use customer accounts with full privileges.
After Rotem announced their findings, the online retail giant confirmed that its firewalls were mistakenly taken down, which directly exposed customers’ data and ended up affecting 280,000 newly registered consumers and also those who placed orders between March 1, 2019, and March 15, 2019. Gearbest also clarified that the data leak issue was resolved within two hours of detection.
Gearbest is one of the top Chinese shopping sites and has warehouses in Europe, where GDPR is applicable. It is expected that this data breach will significantly hamper the company’s image and lead to it incurring a large penalty.
Oregon Department of Human Services
The Oregon Department of Human Services fell prey to a data breach in early January this year that not just compromised but also potentially exposed the private health details of more than 350,000 people.
A phishing email campaign was used that resulted in nine DHS employees allowing hackers access to their accounts. While the data breach took place on January 8, 2019, the cybersecurity team discovered it on January 28, 2019.
DHS confirmed that it has initiated a forensic review with the help of an outside agency to clarify the number and identities of the Oregon residents whose personal details were exposed. These details may include customer names, dates of birth, addresses, Social Security numbers, and other relevant information under the Health Insurance Portability and Accountability Act.
Despite DHS’ clarification on the role of IT security processes to contain the damage, many feel that transparency is a systematic problem at DHS. The agency is planning to provide identity theft recovery services at no additional cost to potentially impacted individuals. DHS has already announced that after the complete assessment of this breach is done, affected individuals and customers will be notified about it.
University of Waterloo
Businesses are most commonly targeted for data scams, but the recent data breach incident at the University of Waterloo proves that even educational institutions are not spared.
In March this year, the University of Waterloo acknowledged that it became a data breach victim when sensitive details of 15 students, including banking information, home or mailing addresses, names, and student numbers, were emailed out to a list of 2,000 students. All 15 affected students are pursuing higher education at the University of Waterloo.
Apart from apologizing for the mishap, the University has said that necessary measures have been put in place to ensure no emails were shared and that it is implementing different software settings on the systems it uses.
Moreover, a review of the procedures with the staff in the department that was hit by this incident was also undertaken. Human error was the reason for this data breach, as University officials notified Ontario’s Information and Privacy Commissioner.
Hartwig Moss Insurance Agency
Hartwig Moss Insurance Agency, which specializes in commercial and personal insurance, recently revealed that it was stung by a data breach that may have impacted approximately 1,100 clients.
According to a news release issued by this fifth-generation New Orleans insurer, the recently discovered breach involved basic details such as names, dates of birth, and driver’s license numbers. The company realized that its account security was compromised when two employee email accounts were found to be engaged in suspicious activity. On further investigation, it was found that an unauthorized outside party may have gained access via emails.
The insurance agency has undertaken a detailed review of its policies in light of the breach and is implementing changes, including re-educating employees on how to successfully identify and respond to suspicious emails and other threats. The insurance company has decided to cover the cost of identity theft protection and provide credit monitoring through Kroll for affected customers.
The agency has advised customers to get in touch with their customer support team to find out if their account was impacted in this data breach.