At a glance.
- Online proctoring firm takes itself offline over security concerns.
- Anthem settles claims over 2014 breach.
- Barnes & Noble customer data breached.
- Dickey's Barbecue breached, and customer data sold on the dark web.
ProctorTrack’s security fails the test.
The CyberWire recently reported on student concerns about the privacy of the virtual proctoring platforms that colleges and universities have adopted for distance learning during the pandemic. This week, Bleeping Computer reports, one such platform was the victim of a cyberattack. ProctorTrack, owned by Verificient, became aware that its systems had been compromised when students received emails from an intruder posing as support staff, using racial slurs and claiming that ProctorTrack was shutting down. Perhaps taking a page from the students ProctorTrack serves, the attacker also "rickrolled" the Verificient website, forcing it to play the infamous Rick Astley music video. Source code for some of Verificient's apps was leaked last week, but it is unclear whether the two incidents are connected.
Anthem reaches settlement for 2014 breach.
In 2014, health insurance company Anthem suffered the largest healthcare data breach in American history after a phishing attack compromised the data of over 78 million people. JDSupra reports that Anthem has reached a settlement with the states affected (a coalition of 41 states and the District of Columbia), plus a separate settlement with California, totaling $48.2 million. This brings Anthem's total paid over legal action concerning the breach to $179.2 million: it previously settled with the US Department of Health and Human Services' Office for Civil Rights over HIPAA violations resulting from the breach, and also settled a class action brought on behalf of the individuals affected.
Barnes & Noble breached; customer data exposed.
US book retailer Barnes & Noble has confirmed that it suffered a malware attack on October 10, ZDNet reports. The first indicators of the breach were problems with the company's Nook ebook platform, with customers complaining on social media that they could not access their libraries. A cyberattack became the more likely explanation when stores also reported problems with point-of-sale (PoS) terminals, suggesting more than a simple system malfunction. Barnes & Noble released a statement confirming that its corporate systems had indeed been attacked and that some customer data (email and postal addresses, phone numbers, and transaction histories) had been exposed, but that no payment information had been leaked, since all credit card data is encrypted. Threatpost notes that this common retail practice of encrypting only financial information is shortsighted: attackers routinely use the unprotected basic customer data to launch personalized phishing campaigns that harvest more sensitive information. Dark Reading reports that researchers have pointed to a possible entry point: Barnes & Noble had been running Pulse Secure VPN servers that were not patched against CVE-2019-11510, even though login credentials for Pulse Secure VPN servers had been leaked on the dark web over the summer.
We received reactions to the incident from several industry experts. Timothy Chiu, Vice President of Marketing at K2 Cyber Security, wrote:
"Breaches on high profile targets like this newly reported one at Barnes and Noble continue to dominate security headlines. While we still don’t know the exact source of this breach, it's likely to have started with an attack on a vulnerable application. Exploited vulnerabilities remain one of the primary attack vectors in data breaches. The Barnes and Noble breach is another good reminder to keep software, firmware and operating systems up to date and patched, and for organizations to consider implementing newer technologies like Runtime Application Self-Protection (RASP), as recently required by NIST in their latest security framework SP800-53 Revision 5."
Chris Hauk, consumer privacy champion at Pixel Privacy, pointed out that the breach opens up the possibility of further exploitation by better-crafted phishbait:
"This data breach could provide a somewhat fresh approach for the bad actors of the world, allowing them to use a victim's previous Barnes & Noble purchases against them. Customers could see emails that look like the familiar 'Because you read...' newsletters that book sellers send out, but that contain malicious links and attachments instead of exciting new reading opportunities.
"Phishing phone calls could also be a possibility since phone numbers were exposed. 'This is Suzy down at Barnes & Noble, the new Jack Reacher thriller is in, and if you want to give me your credit card info, I'll be glad to ship it right over to you.'"
Mark Bower, senior vice president at comforte AG, sees it as a pattern in recent breaches:
“We’ve seen a repeating pattern in recent scaled breaches like this case – partial protection of sensitive data perhaps for compliance, but not the full gamut within the scope of customer data privacy and trust responsibility.
"Fundamentally, organizations have an increasing obligation to their customers to secure a lot more than just the minimum. Privacy regulations like CCPA are transferring increasing data rights to citizens over data management and security, and today, business leaders have to consider personal data as a trusted donation, not just data acquisition.
"The challenge for CISOs is balancing data use, security and data privacy in equal measures. Technologies like tokenization, particularly those suited to agile and scaled use, help avoid data breaches while preserving analytic utility in data. As such, this technology has to [be] prioritized for investment as a foundation for risk-reduced digital transformation and cloud migration."
Breach at Dickey's Barbecue.
A data breach at Dickey's Barbecue, a US restaurant chain, has exposed some three million customers' payment card records, KrebsOnSecurity reports. The incident affected about a hundred of the chain's locations, and the stolen data has appeared on the dark web carding site Joker's Stash, bundled as a set the thieves are calling "BlazingSun."
We heard from Warren Poschman, senior solutions architect with comforte AG, who sees beyond the obvious risk to cardholders and on to the risk to businesses who sustain breaches of this kind. “As the breach at Dickey’s BBQ reminds us, there is still plenty of meat left on the bone of credit card fraud despite the dramatic shift in coverage to privacy and identity theft," he said, adding, "With COVID-19 pushing businesses in the fast casual restaurant segment to the brink, attackers are taking advantage of lax security while many are in survival mode. Regardless of the ill timing, organizations need to ensure that every step in the payment cycle is secured from acquisition to settlement. For merchants in the store, this means requiring the use of secure connections from the payment entry device to the backend using point-to-point encryption and tokenization to remove cardholder data from these vulnerable systems. For backend payment processors and the merchants that outsource to them, this means without exception tokenizing all data, both payment and personal, to ensure that any breach or leak of data will not result in exposure.”
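Both comforte comments above recommend tokenization: Bower's point that it preserves analytic utility, and Poschman's that tokenizing both payment and personal data means a leaked dataset exposes nothing. The following is an added illustration written for this page, not code from comforte AG or from either retailer, and it makes simplifying assumptions: the `TokenVault` class, the key, and the in-memory mapping are hypothetical stand-ins for a separately secured vault, and the transactions are constructed sample data using fictitious customers and publicly known test card numbers. It shows the two tokenization styles a practitioner would actually pair: deterministic (keyed HMAC) tokens for email and phone, so per-customer counts and joins still work on the tokenized copy, and random tokens for card numbers that keep only the last four digits.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class TokenVault:
    """Hypothetical token vault (example only).

    Holds the token -> clear-value mapping and the HMAC key. In a real
    deployment both live in a separately secured store; here they sit in
    memory so the example runs offline.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}  # token -> clear value

    def tokenize_pii(self, value: str) -> str:
        # Deterministic tokenization: a keyed HMAC, so the same email or phone
        # always maps to the same token. Counts, joins and de-duplication work
        # on tokenized data, but without the key a thief cannot confirm a
        # guessed value by recomputing its token.
        mac = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:24]
        self._lookup[token] = value
        return token

    def tokenize_pan(self, pan: str) -> str:
        # Random tokenization for card numbers: a fresh, unrelated token per
        # transaction, keeping only the last four digits for receipts and
        # customer-support lookups.
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("not a card number")
        while True:
            token = "pan_" + secrets.token_hex(8) + "_" + digits[-4:]
            if token not in self._lookup:  # collision guard
                break
        self._lookup[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can reverse a token; raises KeyError for unknown ones.
        return self._lookup[token]


def tokenize_records(records, vault):
    """Replace customer PII and card data in transaction records with tokens."""
    return [
        {
            "order": r["order"],
            "email": vault.tokenize_pii(r["email"]),
            "phone": vault.tokenize_pii(r["phone"]),
            "pan": vault.tokenize_pan(r["pan"]),
            "title": r["title"],
            "amount": r["amount"],
        }
        for r in records
    ]


def purchases_per_customer(records):
    """Analytics that need a stable customer identity, not the clear value."""
    return Counter(r["email"] for r in records)


# Constructed sample data: fictitious customers, standard test card numbers.
SAMPLE = [
    {"order": 1, "email": "alice@example.com", "phone": "+15550100",
     "pan": "4111 1111 1111 1111", "title": "Book A", "amount": 12.99},
    {"order": 2, "email": "bob@example.com", "phone": "+15550101",
     "pan": "5555 5555 5555 4444", "title": "Book B", "amount": 8.50},
    {"order": 3, "email": "alice@example.com", "phone": "+15550100",
     "pan": "4111 1111 1111 1111", "title": "Book C", "amount": 22.00},
]


def demo():
    vault = TokenVault(secrets.token_bytes(32))
    safe = tokenize_records(SAMPLE, vault)
    # The per-customer distribution is identical on the tokenized copy...
    assert (sorted(purchases_per_customer(safe).values())
            == sorted(purchases_per_customer(SAMPLE).values()))
    # ...while the tokenized copy carries no email, phone or full PAN.
    blob = repr(safe)
    assert "alice@example.com" not in blob and "4111111111111111" not in blob
    return vault, safe


if __name__ == "__main__":
    vault, safe = demo()
    for r in safe:
        print(r["order"], r["email"], r["pan"], "ends", vault.detokenize(r["pan"])[-4:])
```

The design choice worth noting is which style goes where. Deterministic tokens are what keep "analytic utility": the marketing team can still count Alice's orders on the tokenized table. Random tokens are what you want for the card number, because a deterministic PAN token would let an attacker link every transaction on one card and because a breach of the analytics copy then yields nothing reusable for fraud. In either case the vault, not the application, is the only thing that can reverse a token, which is the property that makes a stolen tokenized dataset worthless.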