At a glance.
- StopCovid adoption overcomes privacy fears.
- San Francisco retirement system breached.
StopCovid adoption overcomes privacy fears.
The BBC says France's StopCovid contact-tracing app is "off to a good start." Some 600,000 users are thought to have installed the app within hours of its initial availability. The app uses contact logs to warn people if they've come near someone infected with the COVID-19 virus.
San Francisco retirement system breached.
The San Francisco Employees’ Retirement System (SFERS) has disclosed that it suffered a data breach on February 24th. An unauthorized person gained access to a database that was hosted in a test environment maintained by a contractor. The disclosure reads in part:
"The Retirement System contracts with vendors to provide SFERS members with on‐line access to their account information. One of the vendors, 10up Inc., set up a test environment on a separate computer server which included a database containing data from approximately 74,000 SFERS member accounts as of August 29, 2018. The server data was not subsequently updated. On March 21, 2020, 10up Inc. learned that this server had been accessed by an outside party on February 24, 2020. The vendor promptly shut down the server and began an investigation. The vendor found no evidence that the information of SFERS members was removed from its server, but at this time, it cannot confirm that the information was not viewed or copied by an unauthorized party. On March 26, 2020, the vendor notified SFERS of the server breach and both SFERS and the vendor continue to investigate the potential exposure of data."
BleepingComputer points out that, while no bank account information or Social Security Numbers were exposed, enough data were available to be useful in mounting subsequent attacks, presumably through social engineering, identity theft, or other misuse of the exposed personal information. The incident highlights the privacy risks that even test systems can pose. We received several comments from industry experts on the incident.
Jayant Shukla, CTO and Co-Founder of K2 Cyber Security, wrote, “The SF Employee’s Retirement System breach is a good reminder that even applications on test systems need to be secured against threats, whether they are internal (bad actors in the organization and its partners) or external (coming from hackers trying to exploit vulnerabilities). Vulnerabilities, misconfigured servers, and misused credentials are among the top reasons systems get breached.”
Javvad Malik, Security Awareness Advocate at KnowBe4, commented, "Test environments are usually not secured or monitored to the same level as production environments, and it is never advisable to use real data in test cases. Rather, dummy data, or heavily redacted data should be used so that even if it is leaked or breached, it does not impact any real customers. Anyone impacted by this breach should keep a close eye on their credit rating, and be wary of unsolicited emails which may appear to originate from official bodies relating to this breach."
Comforte AG product manager and data security expert Trevor Morgan sees the attack on a test server as another example of how the threat can move through or around perimeter security systems:
“While the reported breach with SFERS is bad in its own right, it comes with a silver lining and a clear call to action. Threat actors will always find a way through or around perimeter security. However, by taking effective measures to protect data in ways that go beyond ordinary encryption and perimeter defenses—measures such as tokenization—the detrimental impact of these breaches can be eliminated. How? Tokenization replaces sensitive data with harmless and representational tokens, so no matter who gets ahold of that data, and no matter where that data travels, it prevents any inherent meaning from being conveyed. Sensitive information remains hidden, and the data becomes worthless to those who would steal it, sell it, or use it to compromise others. And that’s a bit of good news for anybody who wants to secure their data and prevent situations like these.”
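Two of the comments above make the same practical point: a test environment should receive dummy or redacted data (Malik), and tokenization can replace sensitive fields with tokens that carry no meaning outside the system that issued them (Morgan). The following is an added example, written for this page and not taken from the article or from K2, KnowBe4 or comforte AG, showing one way to tokenize a member extract before it is copied to a test server. The record layout, the field names, the sample rows and the choice of HMAC-derived tokens with a separate lookup vault are all assumptions made for the illustration.

```python
"""Tokenize sensitive fields before a database extract is copied into a test
environment.

Added example, not from the article or from any vendor quoted in it.  The
record layout, field names and sample values are constructed for
illustration; the tokens are meaningless to anyone who lacks the vault.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Fields that must never leave the production boundary in clear form.
# (Constructed list; a real deployment would drive this from the schema.)
SENSITIVE_FIELDS = ("name", "date_of_birth", "ssn_last4", "home_address")

# Constructed sample extract standing in for a production export.  Rows 1001
# and 1003 describe the same person so the example can show that equal
# inputs map to equal tokens (joins and de-duplication still work in test).
MEMBER_RECORDS = [
    {"member_id": 1001, "name": "A. Example", "date_of_birth": "1961-04-02",
     "ssn_last4": "1234", "home_address": "1 Sample St", "plan": "misc"},
    {"member_id": 1002, "name": "B. Example", "date_of_birth": "1975-09-17",
     "ssn_last4": "5678", "home_address": "2 Sample St", "plan": "police"},
    {"member_id": 1003, "name": "A. Example", "date_of_birth": "1961-04-02",
     "ssn_last4": "1234", "home_address": "1 Sample St", "plan": "misc"},
]


class TokenVault:
    """Holds the token -> value mapping.  The vault and its key stay inside
    the production boundary; the test environment only ever receives the
    tokenized records produced by tokenize_record()."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Keyed HMAC: the same clear value always yields the same token, but
        # without this key the token cannot be derived from, or related back
        # to, the original value.  The vault is still needed to reverse it.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}

    def tokenize_value(self, field: str, value: str) -> str:
        msg = f"{field}\x00{value}".encode("utf-8")
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{field}_{digest[:16]}"
        self._vault[token] = value
        return token

    def detokenize_value(self, token: str) -> str:
        # Raises KeyError for a token this vault never issued.
        return self._vault[token]

    def tokenize_record(self, record: dict) -> dict:
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in out:
                out[field] = self.tokenize_value(field, str(out[field]))
        return out

    def detokenize_record(self, record: dict) -> dict:
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in out:
                out[field] = self.detokenize_value(out[field])
        return out


def build_test_dataset(records: List[dict], vault: TokenVault) -> List[dict]:
    """What gets shipped to the test server: identifiers and non-sensitive
    columns intact, sensitive columns replaced by tokens."""
    return [vault.tokenize_record(r) for r in records]


def leaked_values(test_records: List[dict],
                  source_records: List[dict]) -> List[Tuple[str, str]]:
    """Pre-release check: return every sensitive source value that still
    appears verbatim in the test dataset.  The expected result is []."""
    originals = {str(r[f]) for r in source_records
                 for f in SENSITIVE_FIELDS if f in r}
    found = []
    for r in test_records:
        for f in SENSITIVE_FIELDS:
            if f in r and str(r[f]) in originals:
                found.append((f, str(r[f])))
    return found


if __name__ == "__main__":
    vault = TokenVault()
    test_rows = build_test_dataset(MEMBER_RECORDS, vault)
    for row in test_rows:
        print(row)
    print("leaked:", leaked_values(test_rows, MEMBER_RECORDS))
```

The `leaked_values` check is the part worth automating: run it against every extract before it leaves production, and treat a non-empty result as a blocker. Note that the key and the vault dictionary are what make the tokens reversible, so they must be stored and access-controlled separately from the test server that receives the output.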