At a glance.
- Mercedes-Benz data exposure.
- More questions about privacy on TikTok.
- US Supreme Court clarifies what counts as damage in privacy torts.
Mercedes-Benz suffers data breach fender-bender.
Bleeping Computer reports that German luxury carmaker Mercedes-Benz experienced a third-party data breach that exposed 1.6 million customer records. The data had been entered by customers and interested buyers on Mercedes websites between January 1, 2014 and June 19, 2017, and a vendor had stored it in an unsecured cloud storage bucket. For most of those affected, the compromised data was limited to names, addresses, emails, phone numbers, and vehicle information, but for fewer than one thousand customers, more sensitive data such as credit card information, social security numbers, and driver’s license details were exposed. Mercedes explained, however, that an intruder would have required specialized expertise to access the data: “To view the information, one would need knowledge of special software programs and tools - an Internet search would not return any information contained in these files.” Roadshow adds that the vendor secured the cloud storage database as soon as an external researcher detected the exposure.
The incident drew a lot of industry comment (no one, however, actually told us what they drove). Trevor Morgan, product manager with data security specialists comforte AG, wrote to draw our attention to nth-party risk:
“Organizations not only need to be attentive to the way that they handle and process sensitive customer data, but they also need to make sure that their vendor and partner organizations with whom they share data treat sensitive information with the same care and diligence. As the Mercedes-Benz USA breach displays, vendors can utilize your enterprise data for a variety of reasons, but one mishap or misconfiguration of a cloud service can trigger an inadvertent incident, or worse. Then you bear the responsibility for mitigating and rectifying the situation.
“This is the reason that applying data-centric security to your collected customer data as soon as it enters your ecosystem has the best chance of securing that sensitive information for the long run. Tokenization obfuscates sensitive data elements, but enterprise applications such as data analytics can still work with and process protected data with no negative effects.”
Anurag Gurtu, CPO of StrikeReady, noted that the rapid movement of organizations to the cloud carries risk with it:
"There is a rapid adoption of cloud technology by many organizations, which has led to a bigger attack surface for hackers to compromise, as shown in this case of the attack on Mercedes-Benz where it was found that a hacker had compromised cloud storage.
"It's hard for most organizations to find cybersecurity practitioners who are experienced in protecting cloud technologies. They also lack the tools to evaluate the security posture of cloud deployments.
"Even though this data is not visible through conventional search engines, which anyway aren't meant for searching for data like this, it remains to be seen how quickly the attacker will be able to publish this data on the dark web."
Tom Garrubba, CISO, Shared Assessments, also notes that the incident should raise awareness of the security of the cloud:
"While it was reported by Mercedes-Benz that no MB system was directly compromised as a result of this incident, the reported breach of 1,000 existing and prospective customers via their cloud storage vendor’s platform should raise awareness of the importance of proper due diligence and understanding as to how your cloud service providers are protecting your data. I applaud the diligence and craft of the MB-hired security researcher in identifying this and bringing this to the attention of MB and ultimately to the CSP. With all the cyber incidents that have been reported recently, it is refreshing to see the swift action taken by MB in addressing the incident with their CSP and ultimately, with their customers."
Rajiv Pimplaskar, CRO of Veridium, thinks the incident shows the value of moving to passwordless authentication:
“Traditional customer databases present an enticing honeypot of Personally Identifiable Information (PII). According to the Verizon Data Breach Investigations Report (DBIR), over 80% of data breaches rely on exploiting lost or stolen credentials. Furthermore, over 50% of such breaches originate from 3rd parties or contractors. Companies need to aggressively shift to a passwordless MFA paradigm using modern authenticators like phone as a token or FIDO2 security keys. These authentication methods create an unphishable relationship between the end user and the IT system, thereby reducing the attack surface of vulnerable passwords and making the environment more resilient to such cyber incidents. Furthermore, these methods offer better user satisfaction as they have less friction in use.”
James McQuiggan, security awareness advocate at KnowBe4, noted that fewer than a thousand records were exposed:
“For an exposed database of over three years, it is concerning that only less than a thousand records were disclosed. With the length of the exposed data, it would seem based on previous attacks, thousands of records would have been exposed.
“Cyber criminals will consider this data at a higher value because most customers of Mercedes Benz are people who have a solid financial position, possibly more than the typical victim.
“This position can only increase the value of the data for sale on the dark web. The cyber criminals can hope to extort money from the victims by leveraging the stolen information and will claim to delete it if paid. Additionally, they can craft very targeted emails to trick victims and access their systems or data for further exploitation.”
Demi Ben-Ari, CTO and Co-Founder of Panorays, also sees an interesting (and arguably avoidable) case of third-party risk:
"The recent Mercedes-Benz data leak highlights an issue that we keep on seeing again and again: Private data that is accidentally left publicly accessible on a cloud storage platform by a vendor. Such information can be exploited by cybercriminals for identity theft, blackmail and more. This is a situation that is completely preventable, but it requires companies to monitor how their third parties manage their data with cloud services. In particular, companies should be sure to check whether their third parties’ cloud services have a public listing enabled for cloud storage buckets. Since companies can work with hundreds or even thousands of third parties, it’s necessary to use an automated solution that can accomplish this quickly and efficiently."
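The check Ben-Ari recommends, as an added example that is not from the article or from Panorays: a defender-side audit of the signals AWS exposes for a bucket (ACL grants, bucket policy, and Block Public Access settings) to decide whether anonymous listing is possible. It assumes the caller already holds the dicts boto3 returns for the bucket; the sample inputs are constructed.

```python
# Added example, not from the article or any vendor it quotes: evaluate the dicts
# boto3 returns for get_bucket_acl, get_public_access_block and get_bucket_policy
# to decide whether an S3 bucket allows anonymous listing. Samples are constructed.
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
LIST_ACTIONS = {"s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def acl_grants_public_listing(acl):
    """True if an ACL grant gives AllUsers/AuthenticatedUsers READ on the bucket."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False

def policy_grants_public_listing(policy_json):
    """True if a bucket policy lets an anonymous principal ("*") call s3:ListBucket."""
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow" and anonymous and actions & LIST_ACTIONS:
            return True
    return False

def bucket_listing_is_public(acl, public_access_block=None, policy_json=None):
    """Combine the signals: Block Public Access settings override ACL/policy grants."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    acl_public = acl_grants_public_listing(acl) and not pab.get("IgnorePublicAcls")
    policy_public = policy_grants_public_listing(policy_json) and not pab.get("RestrictPublicBuckets")
    return bool(acl_public or policy_public)

# Constructed sample: a vendor bucket with an AllUsers READ grant, and a full block config.
SAMPLE_PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_BLOCK_ALL = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
    "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
```

Run against every bucket in a vendor's account inventory, a True result is the misconfiguration the quote describes; enabling the account-level Block Public Access settings flips it to False even where the grant remains.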
TikTok continues to push privacy limits.
As the CyberWire noted last week, social media giant TikTok could be facing a lawsuit for allegedly collecting the data of Dutch minors without consent. (SecurityWeek offers an overview of the case.) Now, several former TikTok employees have disclosed to CNBC that TikTok’s Chinese parent company, ByteDance, has an alarming degree of control over TikTok’s operations, including access to American user data. One employee cited a specific occasion when, in order to obtain US user activity data necessary to complete their job, they had to contact a data team in China. A TikTok spokesperson explained, “We employ rigorous access controls and a strict approval process overseen by our US-based leadership team, including technologies like encryption and security monitoring to safeguard sensitive user data.” However, TikTok’s privacy policy states that user data is shared with ByteDance, and Bryan Cunningham of University of California, Irvine’s Cybersecurity Policy & Research Institute said this gives ByteDance a great degree of privilege: “If the legal authorities in China or their parent company demands the data, users have already given them the legal right to turn it over.”
US Supreme Court ruling has ramifications for privacy legislation.
On Friday the US Supreme Court ruled against consumers claiming credit-reporting bureau TransUnion LLC hurt them by falsely labeling them as suspected terrorists, the Wall Street Journal reports. Asserting that the plaintiffs in the class-action lawsuit needed to prove that the mislabeling harmed them, the court voted 5-4 that the consumers had no standing to sue. “[A]n injury in law is not an injury in fact,” Justice Brett Kavanaugh wrote. Legal experts say the ruling could mean that in the future more privacy cases might be handled by state courts where such specific, concrete harm might not be required. This could put an end to multi-state class-action lawsuits and limit financial remuneration for plaintiffs. The court’s decision could also shape future privacy legislation in the US, where there are currently sector-specific privacy laws, but no broad consumer privacy protections.