At a glance.
- Airbnb vulnerability reported.
- Shopify insiders under investigation.
- Data exposure at fitness company.
- More Blackbaud customers disclose data risk.
Airbnb could share more than homes.
A Security Week tipster discovered an Airbnb vulnerability related to reused cell numbers. A customer in possession of a number previously associated with another profile could log in to that profile via the “create a new account” function after entering a security code texted to the phone. The root cause is an identity assumption: a texted code proves possession of the number at that moment, not ownership of the account the number was attached to, and carriers recycle numbers. Airbnb apparently did not warn the account owner about the unauthorized access or advise the new user that they were signing into an existing account. The home-sharing company says it has resolved the problem.
The incident also exposed a process shortcoming: the customer who unearthed the bug was unaware of Airbnb’s official vulnerability reporting channel, and customer support did not know how to handle her complaint, repeatedly telling her to “use a different phone number.”
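The flaw described above is a logic error, not a cryptographic one: the texted code is checked correctly, but "create account" is allowed to become a login to whatever account already holds the number. The toy service below is an added example, not Airbnb's code; account names, phone numbers and the notification channel are constructed for the example. It runs the same request against a flawed handler and a hardened one that refuses the shortcut and notifies the current owner through something other than the phone number in dispute.

```python
"""Toy SMS-verified "create account" flow (added example, not Airbnb's code).

The flawed handler treats a verified one-time code as proof of owning the
account the phone number is attached to. The hardened handler treats it only
as proof of holding the number right now, which is all it is once carriers
recycle numbers. All data here is constructed for the example.
"""
import hmac
import secrets


class Account:
    def __init__(self, user_id, phone, email):
        self.user_id = user_id
        self.phone = phone
        self.email = email
        self.notifications = []   # stands in for e-mail / in-app alerts


class PhoneSignupService:
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}        # user_id -> Account
        self.pending_codes = {}   # phone -> one-time code awaiting entry

    def register(self, user_id, phone, email):
        self.accounts[user_id] = Account(user_id, phone, email)

    def send_code(self, phone):
        """Issue a 6-digit code for this phone. Returned instead of texted so
        the example runs offline; a real service would never return it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[phone] = code
        return code

    def _account_for_phone(self, phone):
        return next((a for a in self.accounts.values() if a.phone == phone), None)

    def create_account(self, phone, code):
        # Single-use code, constant-time comparison.
        expected = self.pending_codes.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return {"ok": False, "reason": "bad_code"}

        existing = self._account_for_phone(phone)
        if existing is None:
            new_id = f"u{len(self.accounts) + 1}"
            self.register(new_id, phone, email="")
            return {"ok": True, "user_id": new_id, "existing": False}

        if not self.hardened:
            # FLAW: the caller asked to create an account, but because the
            # number is already on file the handler silently signs them into
            # that account. With a recycled number this is an account takeover,
            # and neither party is told what happened.
            return {"ok": True, "user_id": existing.user_id, "existing": True}

        # Hardened: possession of the number is not ownership of the account.
        # Refuse the shortcut, tell the caller the number is in use, and alert
        # the current owner on a channel other than the disputed number.
        existing.notifications.append(
            f"A sign-up was attempted with phone number {phone}. "
            "If this was not you, change the number on your account."
        )
        return {"ok": False, "reason": "phone_in_use", "owner_notified": True}
```

The hardened branch deliberately does not decide who the rightful owner is; it sends the caller to a recovery path (e-mail verification, password, or support) and leaves an audit trail on the existing account, which is the part the original flow lacked.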
Shopify insiders under investigation.
The FBI is investigating two “rogue” Shopify employees who accessed around two hundred merchants’ data, according to a statement by the e-commerce company. Affected information may include customers’ names, contact details, and order information. BleepingComputer says the event highlights the hazards of both deliberate and accidental “insider threats,” with cybersecurity company Code42 cautioning, “On average, a typical employee causes 20 file exposure events per day...We found that in the past 30 days alone, literally millions of files were exposed.”
We received some comments on insider threats from Dr. Vinay Sridhara, CTO of Balbix. He thinks the Shopify incident highlights a need for more rigor in risk management:
“The Shopify data breach highlights the all too sobering reality of insider threats, and that security is only as strong as the weakest link. Incidents such as these signal to customers that the company is not the best steward of sensitive information and can cause them to lose trust in the company.
“Today's unfortunate reality is that the enterprise attack surface is massive, and there are nearly unlimited things that can go wrong. Unfortunately, prioritization is typically done based on gut feel or prior experience, resulting in strong security posture in some areas, but leaving big weaknesses elsewhere. The trend towards risk-based cybersecurity has allowed security teams to use data, rather than intuition, to prioritize cyber risk across the entire attack surface, resulting in considerable breach risk reduction and more efficient teams.”
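The Shopify incident, as described above, is detectable from support-tool audit logs: two employees reading data from roughly two hundred merchants is a breadth-of-access anomaly even if every single request was authorized. The script below is an added example, not Shopify's or Code42's tooling. It builds a constructed audit log (employee IDs, merchant IDs and timestamps are made up), counts distinct merchants touched per employee per day, and raises an alert when someone exceeds either an absolute cap or a multiple of the peer median.

```python
"""Breadth-of-access insider detection over audit logs (added example).

Rows model a support tool's audit log: who viewed which merchant, when.
The rule flags employees whose distinct-merchant count for a day is far
above their peers'. Two thresholds are used on purpose: a peer-relative
ratio catches a lone sweep, and an absolute cap catches colluding insiders
who would otherwise drag the peer median up with them. All log data below
is constructed for the example.
"""
from collections import defaultdict
from statistics import median


def constructed_log():
    rows = []

    def add(ts, employee, merchant, action="view_orders"):
        rows.append({"ts": ts, "employee": employee,
                     "merchant_id": merchant, "action": action})

    # Day 1: routine support work for e101/e102; e103 sweeps 60 merchants.
    add("2020-09-15T09:01:00Z", "e101", "m-1001")
    add("2020-09-15T09:05:00Z", "e101", "m-1001", "view_customer")
    add("2020-09-15T10:12:00Z", "e101", "m-1007")
    add("2020-09-15T09:02:00Z", "e102", "m-2002")
    add("2020-09-15T11:40:00Z", "e102", "m-2005", "view_customer")
    for i in range(60):
        add(f"2020-09-15T{8 + i // 10:02d}:{(i % 10) * 6:02d}:00Z",
            "e103", f"m-{3000 + i}")

    # Day 2: two colluding employees each read 40 merchants; e101 reads 2.
    add("2020-09-16T09:00:00Z", "e101", "m-1001")
    add("2020-09-16T09:30:00Z", "e101", "m-1009")
    for i in range(40):
        ts = f"2020-09-16T{9 + i // 10:02d}:{(i % 10) * 6:02d}:00Z"
        add(ts, "e103", f"m-{4000 + i}")
        add(ts, "e104", f"m-{4000 + i}")
    return rows


def distinct_merchants_per_day(rows):
    """(day, employee) -> number of distinct merchant accounts touched."""
    seen = defaultdict(set)
    for r in rows:
        day = r["ts"][:10]            # ISO-8601 date prefix
        seen[(day, r["employee"])].add(r["merchant_id"])
    return {key: len(merchants) for key, merchants in seen.items()}


def flag_outliers(per_day, absolute_cap=25, ratio=5.0):
    """Return alerts as (day, employee, count, peer_median) tuples."""
    by_day = defaultdict(dict)
    for (day, employee), n in per_day.items():
        by_day[day][employee] = n

    alerts = []
    for day, counts in sorted(by_day.items()):
        peer_median = median(counts.values())
        for employee, n in sorted(counts.items()):
            if n > absolute_cap or n > ratio * peer_median:
                alerts.append((day, employee, n, peer_median))
    return alerts


def run():
    return flag_outliers(distinct_merchants_per_day(constructed_log()))


if __name__ == "__main__":
    for day, employee, n, peer_median in run():
        print(f"{day} {employee}: {n} distinct merchants (peer median {peer_median})")
```

On day 1 the ratio rule alone would catch e103 (60 against a peer median of 2); on day 2 the peer median is 40 because both colluders are in the sample, and only the absolute cap fires. Real deployments should also baseline each employee against their own history and a rolling window rather than a single day, since a patient insider can stay under any daily cap.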
Gyms’ database security unfit.
Fitness club holding company Town Sports International accidentally published 600 thousand customers’ contact details, gym use records, and account notes online in an unsecured database, TechCrunch reports. The exposed “terabyte of spreadsheets,” which was available for a year before its discovery, also included the firm's financial documents. “The good news is that the company secured the database the day after it was informed of the data leak,” Security Affairs commented. Town Sports operates gyms on the US East and West Coasts and in Switzerland, or it did before the pandemic; the company filed for bankruptcy earlier this month.
Comparitech warns that “cybercriminals could use the information stored in the database to scam and phish Town Sports customers and employees. Staff and gym members should be on the lookout for emails, text messages, and phone calls from fraudsters posing as Town Sports or a related company.”
We also heard from Mark Bower, senior vice president at comforte AG, who notes the ripple effects of the loss of PII, even when it doesn't contain immediate data of financial relevance:
“Businesses that are already stressed from pandemic market shifts really don’t need to be dealing with a data breach and the associated costs and loss of trust. While valuable data like credit cards wasn’t stolen here, the history and other sensitive personal data can be used for social attacks – for example, it’s very likely that members will suffer email, phone and text attacks which might ask for credit card details through fake messages. They should definitely be on the lookout for that. However, businesses collecting such data should really go the extra mile beyond protecting the bare minimum credit card details and look to secure personal details too. It’s not hard, and there are established and very simple data-security approaches precisely designed to avoid this attack. When deployed, attackers get nothing they can use to compromise citizens, and the business wouldn’t be facing the scrutiny of regulators or the media – and now their own upset customers with compromised data.”
More Blackbaud customers disclose data risk.
The Daily Swig says the names and contact information of 235 thousand University of Tennessee Medical Center patients, along with those of 31 thousand patients of Our Lady of the Lake Regional Medical Center in the US state of Louisiana, were exposed in the Blackbaud breach. The software vendor experienced a ransomware attack in May of this year.
And the Spokesman reports that Tacoma, Washington-based MultiCare Health System has also warned its donors that their information may have been compromised in the Blackbaud incident.