At a glance.
- Proctortrack is back.
- Pfizer discloses data exposure from a cloud misconfiguration.
- Dr. Reddy's suffers a data breach,
- Trends in data security.
- Nevada warns of phishing campaign.
Proctortrack resumes services.
Protortrack, a virtual proctoring service for online learning, suspended its services when it detected an incident on October 13th. (The Western Gazette has an account of the incident.) After an external security firm completed an investigation and concluded that no personal information was accessed in the attack, Proctortrack resumed operations yesterday. Rajnish Kumar, CEO of Proctortrack's corporate parent Verificient, emailed us these comments:
“Fortunately, the audit confirmed that our existing security infrastructure limited the extent of the intrusion. As determined by the audit, the unauthorized individual was quickly isolated and removed from the company’s server. Verificient immediately fixed the configuration vulnerability that the individual exploited. Although we are relieved to be able to report that none of our customers’ private data was breached, I sincerely apologize for the understandable concern that this incident has caused. We are committed to taking further steps to ensure the security of the private data with which we are entrusted while limiting any future disruptions in service to our educational partners and student communities. We will be sharing details on these measures with our customers and valued partners.”
Pfizer leaks customer data in the cloud.
The highly sensitive medical info of prescription drug users was leaked by leading pharmaceutical company Pfizer, reports Threatpost. The source of the data exposure was a Google Cloud storage bucket, probably one used by Pfizer’s US Drug Safety Unit, that had possibly gone unsecured for years. The compromised data included the personally-identifiable information of hundreds of users of such pharmaceuticals as smoking-cessation aids, menopause medication, and cancer treatments. Also leaked were the phone transcripts of customers calling a support line to discuss their medication-related concerns about such matters as side effects and dosages. Sensitive data like this would be invaluable to a threat actor looking for personal details to craft more effective (and potentially more lucrative) phishing campaigns. The leak is representative of a recent increase in the number of organizations misconfiguring cloud databases. Though researchers contacted Pfizer about the vulnerability in July, the pharmaceutical giant did not respond for several weeks and the data were not secured until September. Pfizer has said the bucket was operated by an external vendor, and that the issue was addressed as soon as it was brought to their attention.
Dr. Reddy's Laboratories shuts down plants as it responds to data exposure.
Pfizer's not the only pharmaceutical company to suffer a data exposure incident. The large Indian pharma company Dr. Reddy's Laboratories Ltd. shut down its plants as it seeks to contain and recover from a large data breach. Reuters reports that Dr. Reddy's has most recently been engaged in testing the Russian-developed Sputnik V COVID-19 vaccine. Servers and plants in the United States, the United Kingdom, Brazil, India, and Russia were affected. According to CNBC TV18, the company disclosed the incident in a regulatory filing today, saying, "In the wake of a detected cyber-attack, we have isolated all data center services to take required preventive actions." CIO Mukesh Rathi expects all services to be back to normal within twenty-four hours.
Survey says: Trustwave Data Security Index.
Researcher Trustwave has released their annual Data Security Index, which reports on the practices of nine hundred sixty-six IT professionals overseeing cybersecurity at organizations in the US, UK, Australia, and Singapore. Some highlights of their findings:
- Organizations are moving more sensitive information to the cloud, with 96% of respondents saying they intend to use cloud storage for more data over the next two years. Nearly half use a hybrid model composed of on-premises databases as well as public cloud storage.
- Companies seem to be worried about the wrong threats, with 38% stating they’re most concerned about malware and ransomware, even though phishing and social engineering scams were the most commonly experienced threats.
- Cybersecurity teams tend to be small, as nearly half of the teams surveyed have just six to fifteen members, while 89% rely on automation for the performance of some security processes.
- Surprisingly, well over half of the respondents said that data regulations like the General Data Protection Regulation and California Consumer Privacy Act do not influence their cybersecurity strategies.
Nevada government agency warns of phishing scam.
Threat actors are impersonating the Department of Employment, Training, and Rehabilitation (DETR) in the US state of Nevada in a phishing campaign, reports Fox5 Las Vegas. Victims receive an email claiming there is an error involving their DETR benefits and that an immediate response is needed to receive further instructions. The email address, though fraudulent, mimics a DETR domain name. A DETR spokesperson stated that the emails are definitely not agency protocol and victims should not reply and delete them immediately.