At a glance.
- Morgan Stanley affected by the Accellion breach.
- Kaseya breach update: REvil claims to have stolen data.
- Insider risk and corporate data leaks.
- One Medical accidentally exposes user emails.
Morgan Stanley reports a third-party data breach connected to Accellion FTA.
The Accellion FTA compromise racked up another victim, as the financial services firm Morgan Stanley disclosed that unauthorized parties obtained access to customer data held by Guidehouse, a third-party vendor used by the investment firm, Bleeping Computer reports. TechCrunch says that the data exposed include customers’ addresses and Social Security numbers.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, commented on the incident:
"This demonstrates the speed with which modern threat actors capitalize on vulnerabilities. There were reportedly only 5 days between the Accellion patch being made available and it being applied by Guidehouse. All organizations need to implement a plan for emergency security patching when it’s clear that they are at risk of imminent compromise without regard to non-safety related availability concerns.
"It’s also critical for organizations to understand that their customer data is still their own responsibility, even when shared with a vendor. Part of a considered approach to working with any vendor is the acknowledgment that doing so broadens the organization’s attack surface, and taking steps to mitigate risk contractually and by being as selective as possible with the amount of data shared and the duration for which it is shared."
Kaseya breach update: REvil claims to have stolen data.
A looming question ever since the world learned of the REvil ransomware attack on tech provider Kaseya’s VSA platform has been whether or not the infamous threat group had, as is their modus operandi, exfiltrated any data from the victims. Trustwave reports that REvil is alleging they did in fact steal data and are using it as a tool to pressure the victims into paying up. The hackers have posted messages on dark web forum HappyBlog stating they’re in possession of up to 4TB of data including contracts, finance reports, diagrams, personal information, “and many more!” (Enthusiasm theirs.) Whether the threat of releasing this data will compel the victims to pay the requested $50 million ransom remains to be seen.
Insider Risk and corporate data leaks.
A recent study conducted by strategy firm Aberdeen and commissioned by Code42 indicates that, for many companies, the biggest threat to their data could come from within, BusinessWire reports. By taking a closer look at what researchers are calling “Insider Risk,” the report shows that one in three data breaches involves an internal source and can cost a company up to 20% of yearly revenue. About 80% of these breaches are unintentional; due to poor security protocols, many employees are putting their company’s data at risk by simply doing their jobs. One possible cause, Code42 observes, is a lack of awareness regarding how often sensitive data is being accessed and potentially exposed. About 75% of the organizations in the study stated they’re unsure what data is being exchanged or how, and as the pandemic has led companies to move toward a business model that increasingly relies on remote work, this number is likely to grow. The study found that breaches are 4.5 times more likely to occur on an end-user endpoint than through a back-end server, and that on average thirteen data exposures occur per user per day. “Data stewardship has become a boardroom imperative,” states Code42’s president and CEO Joe Payne. “And while Insider Risk is not a new problem in security, managing it effectively in today’s open and collaborative business climate – with enough resources – is.”
One Medical accidentally exposes user emails.
Customers of One Medical, a US membership-based primary care practice, are expressing their frustration on social media after their email addresses were inadvertently exposed to other One Medical patients, reports Health IT Security. As one customer stated on Twitter, “Not blaming the intern but someone @onemedical sent 900 of us an email asking us to verify our emails but they failed to BCC our email addresses.” One Medical released a Twitter statement apologizing for the incident and confirming the cause was not an attack, but more likely a very red-faced employee who needs a refresher on mass emailing protocols.
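The One Medical incident is the classic bulk-mailing mistake: every recipient placed in the visible To: header instead of Bcc:, so each of the 900 patients received the whole list. The following is an added example, not code from One Medical or from the article: it builds both the leaky and the correct form of such a notice with Python's standard email library and runs a pre-send check that refuses any message exposing more than one address in To:/Cc:. All addresses are constructed placeholders, the sender domain is hypothetical, and `check_before_send` and `wire_form` are illustrative helpers, not part of any real mailing tool.

```python
"""Guard against the 'forgot to BCC' mistake when mailing many recipients.

Added example (not the page's or One Medical's code). Uses only the
standard library; nothing is sent over the network.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipients; example.com addresses are not real people.
RECIPIENTS = [f"patient{i}@example.com" for i in range(900)]
SENDER = "no-reply@clinic.example"          # hypothetical sender domain
MAX_VISIBLE_RECIPIENTS = 1                  # a bulk notice should show only the sender

def build_leaky_message(recipients):
    """The mistake: every recipient lands in the visible To: header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Please verify your email address"
    msg.set_content("Please confirm your email address.")
    return msg

def build_safe_message(recipients):
    """Correct form: To: names only the sender, recipients go in Bcc:.
    (An empty group such as 'Undisclosed recipients:;' works as well.)"""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Please verify your email address"
    msg.set_content("Please confirm your email address.")
    return msg

def _addresses(msg, names):
    """Extract bare addresses from the listed header names."""
    raw = []
    for name in names:
        raw.extend(str(h) for h in msg.get_all(name, []))
    return [addr for _, addr in getaddresses(raw) if addr]

def visible_recipients(msg):
    """Addresses every recipient will see in the delivered copy (To and Cc)."""
    return _addresses(msg, ("To", "Cc"))

def envelope_recipients(msg):
    """Everyone who should actually receive the mail (To + Cc + Bcc).
    This is what smtplib.send_message() hands to the SMTP RCPT command."""
    return _addresses(msg, ("To", "Cc", "Bcc"))

def check_before_send(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Pre-send gate: (ok, reason). Reject if To/Cc expose more than `limit`."""
    visible = visible_recipients(msg)
    if len(visible) > limit:
        return False, f"{len(visible)} addresses exposed in To/Cc; move them to Bcc"
    return True, "ok"

def wire_form(msg):
    """What actually leaves the server: smtplib.send_message() copies the
    message and deletes Bcc before transmitting, which this mirrors."""
    out = copy.copy(msg)
    del out["Bcc"]
    return out

if __name__ == "__main__":
    for label, m in (("leaky", build_leaky_message(RECIPIENTS)),
                     ("safe", build_safe_message(RECIPIENTS))):
        ok, reason = check_before_send(m)
        print(f"{label}: visible={len(visible_recipients(m))} "
              f"envelope={len(envelope_recipients(m))} -> {reason}")
```

The check is deliberately placed before the SMTP call rather than after: once the leaky copy is queued, nothing downstream can un-send it. In a real mailing pipeline the same gate belongs wherever the To:/Cc: headers are assembled, and the envelope recipient list (not the headers) is the only place a bulk recipient set should ever appear.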