At a glance.
- Data voyeurism.
- The strange case of a large marketing database and its inadvertent exposure.
- Lehigh Valley Health Network breach traced to the Accellion breach.
Google employees fired for misuse of user data.
A document has leaked revealing that Google terminated dozens of employees between 2018 and 2020 for mishandling private user and employee data, Motherboard reports. The allegations include sending data intended for internal eyes only to external parties, and 10% of the 2020 terminations were the result of the employee modifying or accessing user or employee data in violation of Google policy. An anonymous Google spokesperson explained that most of the incidents concerned access or misuse of proprietary corporate information. “Every employee gets training annually, we investigate all allegations, and violations result in corrective action up to and including termination,” the spokesperson stated. “We are transparent in publicizing the number and outcome of our investigations to our employees and have strict processes in place to secure customer and user data from any internal or external threats.”
Sensitive data are a standing temptation to virtual voyeurs. Erich Kron, security awareness advocate at KnowBe4, lamented that this isn't a new problem, and that curiosity can be a powerful driver behind insider threats:
“Unfortunately, the misuse of data by insiders is not a new problem; however, the fact that it is impacting an organization such as Google demonstrates that there is no easy solution for the issue. While sensitive data is valuable to cyber criminals, stalkers and other bad actors, the simple allure of access to private information is also a powerful motivator. This is true anywhere there is non-public information about someone, whether that be a Hollywood celebrity or an old high school crush, curiosity is a strong emotion.
“Organizations such as Google collect immense amounts of sensitive and potentially embarrassing data about people, including medical queries, research on ways to end relationships, personal issue resolutions and much more. This data could easily be used to extort people or to ruin relationships and cost them jobs.
“An organization that stores sensitive data, whether that is a police department and their non-public information on people or investigations or a search engine giant that stores data about almost every web search you do, needs to have robust data protection controls in place. It is critical to log any access to the data being collected, and this access must be reviewed on a regular basis. Data Loss Prevention (DLP) controls are also critical to make moving data out of the network more difficult and to quickly alert where there are anomalies in data access. Finally, a strong organizational security culture and robust training to help other employees spot people behaving in unusual ways or noticing odd data access themselves, can be a huge help when dealing with internal threats.”
Mystery surrounding unprotected marketing database.
Researchers at vpnMentor report that OneMoreLead, an American B2B marketing firm, exposed the data of up to 126 million individuals by storing the data in an unsecured AWS cloud storage database. The compromised information includes names, email addresses, home and work addresses, and device IP info, but it’s unclear how or why OneMoreLead was collecting the data, especially given that the company has only existed for just over a year, a short amount of time to accumulate such a hefty amount of data. Oddly, the data is similar to a 2020 leak linked to German B2B marketing company Leadhunter (though Leadhunter denied that data was theirs). Researchers speculate that perhaps both companies acquired the data from the same source, or that either OneMoreLead or Leadhunter acquired the data from the other. vpnMentor even suggests OneMoreLead could have discovered the Leadhunter leak and appropriated the data to build their own lead database. At any rate, OneMoreLead and AWS were informed of the leak upon discovery, and the database was secured shortly thereafter.
Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, sees a lesson about security culture within an organization:
"Data leaks due to unsecured databases and open storage buckets demonstrate time and again why a culture of security is so critical to protecting sensitive information. Whether caused by a mistake or ignorance, there is no excuse for the exposure and associated risk of fraud this resulted in. Organizations must adopt a true culture of security to protect themselves and their data. At every step in the business workflow security must be part and parcel of the design including proper access controls to avoid internet exposure, continuous monitoring for suspicious behaviors, and regular security testing to ensure that no gaps or mistakes have been made that put data at risk."
Erich Kron, Security Awareness Advocate, KnowBe4, finds the whole story a very odd one:
"This is a huge amount of data to be collected by or stored by such a new organization and something seems odd about the ordeal. To have this sort of data sitting exposed on an unfinished website of a company showing no customers, and with no way to sign up for their services should really raise some eyebrows around the source of this data.
"Organizations have a responsibility to protect sensitive information whenever it is collected and regardless of the amount of data collected. The data referenced here is a gold mine for cyber criminals putting together social engineering campaigns to facilitate scams, identity theft and even spread malware and ransomware. By using data such as this, attackers can make phishing emails or text messages seem like they are coming from someone they are familiar with, or who is at least familiar with them, greatly improving effectiveness.
"When organizations store or collect sensitive information, it is critical that the staff be trained to protect the data, policies are in place and technical controls are implemented to ensure that data is not publicly exposed. Training should go a step further than simple awareness, but should focus on changing employee behavior and the organization's security culture."
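As an added example (not code from the article, from Google, or from KnowBe4), here is the kind of periodic review that Kron's advice on the Google case implies: every access to user data is logged with the support case that justifies it, and the log is checked for accesses with no documented reason or for one subject being viewed over and over. The log layout and thresholds are assumptions, and the log entries are constructed.

```python
from collections import defaultdict

# Constructed sample access log: (employee, subject_record, ticket).
# 'ticket' is the support case that justifies viewing a user's record;
# an empty ticket means there was no documented business reason.
SAMPLE_LOG = [
    ("alice", "u1001", "CASE-41"),
    ("alice", "u1002", "CASE-42"),
    ("bob",   "u2001", "CASE-50"),
    ("bob",   "u2001", ""),
    ("bob",   "u2001", ""),
    ("bob",   "u2001", ""),
    ("bob",   "u2001", ""),
    ("carol", "u3001", ""),
    ("carol", "u3002", ""),
    ("carol", "u3003", ""),
    ("carol", "u3004", ""),
    ("carol", "u3005", ""),
]


def review_access(log, max_unticketed=2, max_repeat=3):
    """Return {employee: [reasons]} for access patterns that need a human look.

    Two illustrative heuristics (thresholds are assumptions):
      * 'unticketed': more than max_unticketed accesses with no case attached.
      * 'repeat': the same subject viewed more than max_repeat times with no
        case attached, the pattern behind the 'old high school crush' scenario.
    """
    unticketed = defaultdict(int)                    # employee -> count
    repeats = defaultdict(lambda: defaultdict(int))  # employee -> subject -> count
    for employee, subject, ticket in log:
        if not ticket:
            unticketed[employee] += 1
            repeats[employee][subject] += 1

    findings = defaultdict(list)
    for employee, count in unticketed.items():
        if count > max_unticketed:
            findings[employee].append(f"unticketed: {count} accesses without a case")
    for employee, subjects in repeats.items():
        for subject, count in subjects.items():
            if count > max_repeat:
                findings[employee].append(f"repeat: {subject} viewed {count} times without a case")
    return dict(findings)
```

In a real deployment the log source would be the application's audit trail and the ticket field a link to the case system; the point is that the review is routine, not triggered only by a complaint.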
Update on the Lehigh Valley Health Network data breach.
As the CyberWire noted yesterday, US medical system Lehigh Valley Health Network (LVHN) announced that patient data had been compromised after healthcare consulting firm Guidehouse, which serves LVHN, suffered a data breach. The source of Guidehouse’s breach was unclear, as they explained it was the result of an incident involving an unnamed Guidehouse vendor. Now, it appears the mystery vendor was likely tech company Accellion, as Becker’s Hospital Review reports LVHN has just disclosed they were impacted by the massive breach that has been plaguing Accellion clients since the beginning of 2021. LVHN is in good company, as at least a dozen healthcare organizations were also impacted by the breach.