At a glance.
- Updates on the sale of scraped LinkedIn data.
- Risks to health insurance data.
- Student data exposed.
Even public data can pose a security risk.
As the CyberWire noted yesterday, for the second time in recent months LinkedIn user data was published on the dark web, and WeLiveSecurity points out that the 700 million exposed records constitute nearly the entirety of the professional networking platform’s user base. Researchers at Privacy Sharks were the first to encounter the data for sale on the popular hacker marketplace RaidForums. LinkedIn spokesperson Leonna Spilman stated that the data was scraped from public profiles, and therefore does not indicate a breach of the platform’s systems. That said, and while the platform's API may have been abused, it's worth recalling that scraped data can still provide valuable material for phishing scams or identity theft, and the incident serves as a warning to users to use caution when deciding what to share in public accounts.
We received a number of comments on the incident from industry leaders. Alex “Jay” Balan, Director of Security Research at Bitdefender, runs through some of the categories of data hawked in criminal fora, and urges some reflection on what's being shared about you over the Internet:
“Social media companies continue to improve at preventing scraping bots and other information gathering tools. It’s our job as informed consumers to be aware of the information we expose publicly and how it can be used by cybercriminals in a worst case scenario.”
Uriel Maimon, senior director of emerging technologies at PerimeterX, wanted to remind users that leaks of this kind reverberate for years:
"It’s important to remember that when sensitive information leaks, it doesn’t affect just the website that leaked it. The users can be affected for years to come in completely unexpected ways.
"For example, private information can be used to create synthetic identities that are then used to generate fraudulent credit card or loan applications which inevitably affects the original users but also the financial institution. Our recent PerimeterX Automated Fraud Benchmark Report found that ATO and credential stuffing are two of the most damaging types of automated attacks faced by businesses today, which affect the original website whose brand and image will inevitably suffer and whose reporting obligations and liability may be very costly.
"Web app security is everyone’s problem, and we must all work together to make the web a safer place."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, observed similarities between this incident and others LinkedIn has sustained, and cautions against giving in to a sense of learned helplessness:
"This appears very similar to other recent LinkedIn data leaks, and while the initial reaction may be to shrug off the information disclosed as being unimportant or harmless to be public, there are a few notable exceptions. Phone numbers can be used to harass individuals or perform SIM swapping attacks to take over other online accounts. Physical addresses and especially geolocation data can be used to stalk users in person. Moreover, the combined information will enable attackers to develop more targeted and convincing social engineering lures to compromise unsuspecting victims.
"The size and regularity of mass scale data leaks can lend itself to a defeatist attitude about the future of privacy and security online; however, these are problems that can be vastly improved given the right attention and resources. Organizations must adopt a true culture of security to ensure that data users entrust to them remains safe from unintended disclosure. Security must be built into the design of applications with the expectation that any functionality like data export APIs can and will be abused by malicious actors. Even beyond design, all systems and applications should be regularly penetration tested to ensure no mistakes or oversights have been introduced that may expose sensitive data. Continuous monitoring for suspicious behavior is also critical for ensuring that any malicious activities can be caught and stopped before widespread damage has been done."
James McQuiggan, Security Awareness Advocate at KnowBe4, wrote to comment on how common data scraping can be:
"The use of data scraping is a common practice of collecting available data online from a website. In this case, the information that users posted online in the past was the subject of the data taken from the website.
"The concern will be the email addresses, names, phone numbers and other data that can be leveraged for social engineering scams. In today's society, users should always be aware of phishing attacks in their mailboxes and implement a trust but verify mentality regarding emails in their inbox that offer money or that mention deactivated accounts.
"In the past, research has shown that more people fall for phishing emails when it comes to their social media accounts like LinkedIn or Facebook. Users must monitor their email, avoid clicking on any links and visit the actual social media account to determine anything wrong with an account."
Daniel Markuson, digital privacy expert at NordVPN, takes due notice of the role LinkedIn plays as a professional networking platform:
“LinkedIn is such a highly professional social networking site, where it operates as a resume and networking platform, but with such gaps in the site’s security, users should be more aware of how they can keep their information private when using the platform. While they cannot stop a data breach as reported today, users can help prevent some security issues by regularly updating their password and checking and updating the privacy settings on LinkedIn. They can also use smart protection tools like NordLocker that encrypt their data and keep it safe in the cloud.”
Health insurance industry in the crosshairs.
Researchers at Fitch Ratings explain that, as healthcare services increasingly go remote and insurance transactions go digital, the US health insurance industry is at heightened risk of cyberattack. Health insurance providers are required to handle copious amounts of sensitive patient info, making them attractive targets for cybercriminals. US legislation like the Health Information Technology for Economic and Clinical Health Act of 2009 and the Patient Protection and Affordable Care Act have encouraged the digitization of health data, and while insurers have worked to improve their data security, interactions with vendors and healthcare providers who lack adequate protection are often impossible to avoid. Furthermore, recent attacks have resulted in an upswing in ransomware-related insurance claims, leading to increased premiums, higher deductibles, and lower coverage.
Byju student data exposed by vendor Salesken.ai.
TechCrunch reports that data belonging to India’s most valuable startup, education tech provider Byju, was exposed when it was left in an unprotected cloud storage server by another India-based startup, Salesken.ai. Security researcher Anurag Sen discovered the database, which had been left exposed since at least June 14 without password protection. Salesken.ai, which provides customer relationship technology for Byju, quickly took the server down. Most of the data it contained was related to White Hat Jr., an online coding school that Byju has owned since last year, and included student names, classes taken, parent and teacher email addresses and phone numbers, chat logs between parents and staff, and teacher comments about students. Salesken.ai co-founder Surga Thilakan stated that the server was a “non-production, staging instance,” but failed to explain why it appeared to contain real user data.