At a glance.
- Experian sustains data breach, says it's prevented loss of information.
- Third-party data exposure affects healthcare, insurance firms.
- Vishing's contribution to social engineering.
Experian's South African unit sustains data breach.
ZDNet reports that Experian's South African branch yesterday disclosed a data breach the credit bureau characterized as an "isolated incident" that involved a "fraudulent data inquiry." The company says that it regrets any inconvenience, and that, while its investigation continues, it's confident that the breach has been contained:
"We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.
"We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted. We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities."
Experian's confidence that the breach was successfully contained rests upon its conclusion that the data didn't leave the suspect's device or devices. Experian doesn't say how many people were potentially affected, but the South African Banking Risk Information Centre puts the figures at twenty-four million individuals and 793,749 "business entities."
AI company associated with leaked PII.
Secure Thoughts reports the discovery of exposed medical and personal data held by Cense, a process automation services company with customers in healthcare and insurance. Some two-and-a-half-million records were inadvertently exposed. The information in them included such items as names, insurance records, and medical diagnoses. Cense secured the data upon notification of the exposure. We received comment from Mark Bower, senior vice president at comforte AG, who saw the incident as an instructive case of third-party risk and regulatory exposure:
“Sensitive insurance claims processing data, which looks to be in the data in question, is regulated under HIPAA, GLBA, and various state security and privacy mandates in the US. Yet clearly, this data interchange lacked any data security to meet such rules. To receive such information, organizations must at least operate under a HIPAA Business Associate Agreement with the data provider. The BAA outlines mandatory data security controls including data de-identification, encryption and audit.
"While the benefits of third party AI services are clear, to avoid breaches like this, the data owner as well as the AI service should also consider protecting the data set before sharing and use, for example, with modern data-centric tokenization. This technology balances insight and utility with exposure risk, enabling insight and use of data in low-trust IT.
"In this case, there’s likely to be significant regulatory response cost which could have been avoided with some very low cost and simple data-security investments that pale in comparison to the cost of remediation.”
The vishing threat, and its growing complexity.
The hijacking of high-profile Twitter accounts has raised awareness of the threat of vishing, that is, phishing by voice phone call. KrebsOnSecurity sees a trend: the technique is being employed in more complex ways, in conjunction with malicious sites and email phishing methods. It represents a convergence of cyberattack and traditional confidence scams. Erich Kron, security awareness advocate at KnowBe4, emailed comments on this sort of social engineering:
“Voice phishing, or vishing as it is also called, has become more targeted and advanced than many people realize. This is an example of how attackers leverage social engineering techniques to gain access to even large organizations.
"Social media is a great tool for networking and meeting people; however, it can be abused rather easily. This is interesting in that the attackers are, at times, creating fake LinkedIn accounts to be used in an effort to allay any suspicions the potential victim has during the calls. While the source of the list of targets and associated phone numbers the people are using to call is not mentioned, a lot of information can be found on LinkedIn as well, especially when people announce their new role at an organization. For extremely high-value organizations, cybercriminals will do regular searches for new employees who, having just started, may have a harder time identifying when the processes or questions being asked are unusual.
"To protect against these, organizations need to ensure they educate employees about these types of scams and follow the proper protocols and procedures when they do require support from within the organization. The IT department will never ask employees for their password as part of a training exercise. In this attack, they are not asked for their password, but are instead told to enter it into a site they assume is safe. While they feel safe since the attacker is not asking them for their password, employees need to understand how to identify lookalike websites and URLs.”