At a glance.
- Update on the Guess breach.
- Covid relief as phishbait.
- US state of Ohio considers data rights legislation.
- Research describes how API vulnerabilities can expose financial data.
Lingering questions in Guess data breach.
As the CyberWire noted yesterday, American fashion retailer Guess suffered a data breach that exposed the personal data -- including payment card numbers, Social Security numbers, and PINs -- of around thirteen hundred individuals. Experts say ransomware gang DarkSide is likely behind the attack, but as the investigation unfolds and details slowly emerge, questions abound. “Why sensitive personal information like SSNs or account details was stored in clear text is one of them,” Dirk Schrader, Global Vice President, Security Research at New Net Technologies, told Security Magazine. “That some data sets were apparently incomplete indicates a lack in managing clean and lean data of its customers. Being stock listed, it will be interesting to read through filings for additional details and whether the SEC will ask for more details.”
Matthew Meehan, chief operating officer of TokenEx, put the incident into the context of the current wave of ransomware attacks:
“It is clear that ransomware attacks and other attempts to breach data stores are growing more frequent than ever, so every organization, especially retailers like Guess, must always be planning for what data to protect, and how to build resilience into company systems, so they can 'reboot,' if needed.
"From a security perspective, the objective should always be to devalue key or sensitive business information, rather than focusing on building bigger moats or higher walls, as attackers have gotten smarter and more sophisticated.
"By devaluing data, we mean that the sensitive data hijackers want isn’t actually there because it's been tokenized. This allows organizations to repopulate critical data into parallel operating environments, so that in the event of a breach, they can get back to business faster, with little or no interruption for customers.”
Update: 7.14.21: Guess has clarified that it does not maintain customers' Social Security numbers, passport numbers, or driver's license numbers. Those data elements, mentioned in the company's disclosure, applied only to some employee records, not to customer information.
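The tokenization approach Meehan describes above, worked through as an added example (not code from TokenEx or from the original article): a vault is the only component that holds a card number, the application database keeps a random token plus the last four digits, and a dump of that database yields nothing a thief can charge. The `TokenVault` class, the keyed fingerprint used to give one card number one token, and the sample customers are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


class TokenVault:
    """Stand-in for a tokenization service (assumed design, not any vendor's).

    The vault is the only place a primary account number (PAN) exists.
    Everything else in the business stores the token it hands out.
    """

    def __init__(self, index_key: bytes):
        # Keyed fingerprint so the same PAN always maps to the same token
        # without storing the PAN in the index itself.
        self._index_key = index_key
        self._pan_by_token = {}
        self._token_by_fp = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not digits.isdigit() or not 12 <= len(digits) <= 19:
            raise ValueError("not a card number")
        fp = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fp.get(fp)
        if token is None:
            # Random token: there is no mathematical path back to the PAN
            # without the vault, which is what "devaluing" the data means.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def build_app_records(vault: TokenVault, customers):
    """What the application database keeps: a token and the last four digits."""
    records = []
    for name, pan in customers:
        token = vault.tokenize(pan)
        records.append({"name": name, "card_token": token, "last4": pan[-4:]})
    return records


def leak_exposes_pan(records, pan: str) -> bool:
    """Would a dump of the application database hand an attacker this PAN?"""
    digits = pan.replace(" ", "").replace("-", "")
    return digits in json.dumps(records)


def restore_pans(vault: TokenVault, records):
    """Rebuild a working environment from the tokenized records plus the vault."""
    return {r["name"]: vault.detokenize(r["card_token"]) for r in records}


if __name__ == "__main__":
    # Constructed sample customers; the card numbers are standard test values.
    customers = [
        ("Alice Example", "4111 1111 1111 1111"),
        ("Bob Example", "5500 0000 0000 0004"),
    ]
    vault = TokenVault(secrets.token_bytes(32))
    records = build_app_records(vault, customers)
    print("application database:", json.dumps(records, indent=2))
    for _, pan in customers:
        print(pan, "exposed by dump:", leak_exposes_pan(records, pan))
    print("restored via vault:", restore_pans(vault, records))
```

The design point is that the application tier can be breached, backed up, copied into a parallel environment or handed to analytics without any of those copies carrying a PAN; the vault becomes the one system that needs PCI-grade controls, and the keyed fingerprint keeps the index from becoming a second copy of the card numbers.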
Scammers use US covid relief bill as bait.
Researchers at DomainTools investigated a credential harvesting operation that preys on individuals seeking federal aid under the American Rescue Plan Act, the COVID-19 relief bill. The bill is legitimate, but many of those eligible are unaware that the US Internal Revenue Service distributes the funds automatically, which makes them ideal targets. The campaign set up fraudulent sign-up sites that send the highly sensitive “registration” data victims enter, such as Social Security numbers and driver’s license details, straight to the crooks. Using WHOIS domain lookups and open-source intelligence tools, the researchers determined that the operators behind the fake application sites are likely employed by Nigeria-based web development firm GoldenWaves Innovations.
Ohio data rights bill under consideration.
In response to the marked increase in data breaches in 2021, legislators in the US state of Ohio are proposing a bill that would help protect residents’ data privacy rights, the Springfield News-Sun reports. Introduced Tuesday by Lieutenant Governor Jon Husted and two state lawmakers, the Ohio Personal Privacy Act would give individuals the right to have their personal data deleted and to prevent it from being sold, and would require businesses to follow “specified data standards” enforced exclusively by the Ohio Attorney General. As explained by JobsOhio CEO J.P. Nauseef, “This bill gives consumers nationwide the confidence that when they do business in Ohio, their personal data is better protected than in states we compete with for customers and commerce.”
Report: vulnerable fintech APIs expose personal financial information.
Salt Security, which today announced the establishment of Salt Labs as its research unit, has published the unit's inaugural study, a look at vulnerabilities in a widely used financial technology API. The researchers found that they were able to run trials of proof-of-concept attacks in which:
- "Any user could read the financial records of any customer"
- "Any user could delete any customer’s accounts in the system"
- "Any user could take over any account"
- "Any user could create a denial-of-service condition that would render entire applications unavailable"
The sort of personal information at risk is what customers are accustomed to entrusting to banks and financial services firms: names, Social Security Numbers, routing numbers, etc. Mitigation, Salt Labs points out, would necessarily depend upon the specific business logic found in any particular user's enterprise.
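The first two findings above, any user reading or deleting any customer's account, are the signature of an API handler that authenticates the caller but never checks whether the caller owns the object being requested. The following is an added example, not code from Salt Labs' report or from the platform it studied, and the report does not state that this was the root cause; it shows the pattern beside its fix on a constructed accounts table. The handler names, the `Response` type and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def sample_accounts():
    """Constructed stand-in for a fintech platform's accounts table."""
    return {
        101: {"owner": "alice", "routing": "021000021", "balance": 1250.00},
        102: {"owner": "bob", "routing": "021000021", "balance": 98.10},
    }


def get_account_insecure(accounts, session_user: str, account_id: int) -> Response:
    """The shape of 'any user could read any customer's records'.

    The caller is authenticated (session_user is trusted), but the handler
    looks the object up by the client-supplied ID and never asks who owns it.
    """
    account = accounts.get(account_id)
    if account is None:
        return Response(404)
    return Response(200, account)


def get_account_secure(accounts, session_user: str, account_id: int) -> Response:
    """Object-level authorization: the lookup is scoped to the caller.

    A record that exists but belongs to someone else gets the same 404 as a
    record that does not exist, so the endpoint cannot be used to enumerate
    other customers' account IDs either.
    """
    account = accounts.get(account_id)
    if account is None or account["owner"] != session_user:
        return Response(404)
    return Response(200, account)


def delete_account_secure(accounts, session_user: str, account_id: int) -> Response:
    """Same ownership check on the destructive path ('delete any customer's
    accounts' is the same bug on a different verb)."""
    account = accounts.get(account_id)
    if account is None or account["owner"] != session_user:
        return Response(404)
    del accounts[account_id]
    return Response(204)


if __name__ == "__main__":
    accounts = sample_accounts()
    # alice asks for bob's account: the insecure handler hands it over.
    print("insecure:", get_account_insecure(accounts, "alice", 102))
    # The scoped handler treats it as not found.
    print("secure:  ", get_account_secure(accounts, "alice", 102))
    print("delete as alice:", delete_account_secure(accounts, "alice", 102).status)
    print("delete as bob:  ", delete_account_secure(accounts, "bob", 102).status)
```

The check belongs in every handler that takes an object identifier, and in a real service it is better expressed as a filter in the data access layer (select where id = ? and owner = ?) than as an afterthought in each route, so that a new endpoint cannot forget it. That is also why the mitigation depends on the business logic: who may see a given account (the holder, a joint holder, a support role) is a property of the product, not of the framework.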
We heard from Uriel Maimon, senior director of emerging technologies at PerimeterX, who sees the inevitable loss of institutional knowledge as one of the risks that accompany modernization:
"Modern web applications are moving to an API-driven model, as opposed to the legacy monolithic model, in order to support multiple ways of accessing the same data, from the user UI, mobile devices, IoT and partners. Unfortunately, this paradigm shift often means that security controls and programming practices that have been developed over years of experience and “written in blood” are either irrelevant, or ineffectual in this environment. To a great degree, this means that we face a risk of regressing back to the “Wild West” of early Internet days and vulnerabilities, except with much greater volume and potential cost.
“Financial services companies, with their complex heterogeneous and legacy environments, now have to reinvest in the complete lifecycle of security for their applications: from reviewing and testing code, to delivery, to monitoring and visibility in run-time and even mitigation. The past controls are ineffective for API traffic and need to be revamped."