At a glance.
- Misconfigured database exposed information on US, Canadian seniors.
- University of Kentucky training platform breached.
- Third-party breach of health insurance firm.
- Identity theft and US servicemembers.
- Dog bites man: privacy implications of sharing intimate photos.
- Carding gang posts a loss-leader.
Data of elderly exposed in misconfigured database.
Researchers at WizCase found an unprotected Amazon S3 storage bucket containing the data of over three million users of SeniorAdvisor, a leading American/Canadian senior services consumer review website, IT PRO reports. The misconfigured database contained 182GB of information including names, phone numbers, and scrubbed reviews. The incident is especially concerning given that senior citizens are already a target of choice for cybercriminals and are extremely vulnerable to online fraud and identity theft.
University training platform compromised.
WebProNews reports that the University of Kentucky (UK) experienced a data breach that exposed the data of 355,000 individuals. The incident impacted the College of Education database, part of the university’s Digital Driver License platform, which is used for online training and testing. UK’s chief information officer Brian Nichols stated, “We have increased cybersecurity investments and enhanced our mitigation efforts in recent years, which enabled us to discover this incident during our annual inspection process conducted by an outside entity.”
Third-party risk afflicts insurance provider.
Renaissance Life & Health Insurance Company of America has disclosed that it was impacted in the data breach of a third-party vendor that potentially exposed protected health data, PR Newswire reports. The vendor, Secure Administrative Solutions LLC, says the compromised data includes policy holder names, addresses, birthdates, policy numbers, and other health insurance information. Renaissance learned that the stolen data has been destroyed by the threat actor, but the perpetrator has not been identified.
Trevor Morgan, product manager with data security specialists comforte AG, commented that insurance companies and their partners bear an inherently large share of data risk:
“Insurance companies and their partners and vendors are highly data-driven. They handle and process huge volumes of sensitive health and personal information for a variety of reasons, including claims processing, data analytics, and new product development. Unfortunately, threat actors are aware of the treasure trove of valuable data these organizations possess. We can’t be surprised that the Renaissance Life & Health Insurance Company received notice, then, that a third-party vendor experienced a cyberattack targeting their PHI. As a matter of fact, all insurance companies (and enterprises in general) should assume that at some point a successful attack like this one may penetrate protected perimeters, allowing hackers to get their hands on that valuable data.
“To nullify the value of that data on the black market, insurance companies and their partners can apply data-centric security such as format-preserving encryption or tokenization. Tokenization in particular replaces sensitive data elements with meaningless representational tokens, so even if threat actors apprehend the data, the sensitive information is obscured and worthless. Better yet, data-centric security is not restricted to protected borders and can travel with data as it moves through a processing environment.”
US military face a digital warzone.
In an interview with Adam Darrah, ZeroFOX’s director of intelligence services, the Federal News Network discusses why members of the US military are so heavily targeted by identity theft scammers. Darrah explains that the military are disproportionately targeted by romance scams and impersonation schemes, and catfishing and other social engineering operations are the preferred vectors. According to Darrah, these individuals are particularly vulnerable to these schemes for a multitude of reasons including their trustworthiness, social disorientation due to being away from home, and the stressful nature of their jobs.
Survey explores the risks of sharing nudes.
Kaspersky has released the results of a study exploring the exchange of intimate digital images, Forbes reports, and one-third of the respondents said they’d shared explicit photos or videos with an individual they knew only digitally. Unsurprisingly, those under the age of twenty-four were the most likely to engage in this behavior, and there has been a marked increase in the sharing of nudes during the pandemic. Alarmingly, 22% of respondents admit they have intimate images -- either of themselves or someone else -- saved on a smartphone or laptop. David Emm, a principal security researcher at Kaspersky, said, "This data paints an alarming picture of significant sensitive material that can be used to manipulate or coerce victims in areas that go beyond the virtual world." The Revenge Porn Helpline states that when it comes to the non-consensual sharing of intimate images, 75% of victims are female while 67% of the perpetrators are male, and 65% of those men were either current or former partners of the victim. According to the Cyber Civil Rights Initiative, forty-eight US states have established laws to defend victims of revenge porn, and the UK’s Law Commission is currently working on new policies to prosecute the perpetrators.
Data dumps as a loss-leader in the C2C market.
AllWorld Cards, a relative newcomer to the carding market, is trying to make a name for itself and position itself in the criminal-to-criminal marketplace by dumping about a million stolen cards online. BleepingComputer reports that Livorno-based security firm D3 Lab has looked at the dump and believes about half the cards are current and valid, which is an unusually high fraction for any carder offering. And security company Cyble told BleepingComputer that the data on offer includes credit card numbers, expiration dates, CVVs, names, countries, states, cities, addresses, and zip codes for each credit card, along with email addresses or phone numbers.
Javvad Malik, security awareness advocate at KnowBe4, notes that, while card data can be exploited years after it's obtained, the financial services sector has gotten pretty good at parrying fraud. It's not a reason for organizations to relax their vigilance, but it should give them some grounds for confidence that they're not in an impossible position:
"Due to the fact that these were stolen some years ago between 2018 and 2019, it can be difficult to determine where these came from, if indeed these were from a single source or multiple sources.
"It goes to show that even if a breach isn't apparent or noticed, criminals can take advantage of lax security controls many years after the fact. So all organisations should remain vigilant at all times.
"The good news is that banking has tried and tested controls in place to deal with stolen credit cards and fraudulent transactions. Consumers should always check their bank statements carefully and ensure that there are no unknown transactions and contact their bank as soon as possible if there is any suspicious activity to get the card blocked and a new one issued."
Uriel Maimon, senior director of emerging technologies at PerimeterX, wrote that the criminals buying the paycard data have to validate it before they can use it, and that this affords an opportunity for detecting their activities:
“Carding is a serious and very dangerous issue that can greatly impact consumers. In carding attacks cybercriminals use bots to test lists of recently stolen credit card and debit card details on merchant sites. The carders then use the proven credit card details to directly retrieve funds from associated accounts or to purchase gift cards which can easily be converted into high-value goods, such as cell phones, televisions and computers. These goods are then resold – often via ecommerce sites offering a degree of anonymity – for a profit.
“As these cards were stolen between 2018-2019, it stands to reason that most are no longer valid, especially if they’re publicly dumped and multiple actors will jump on them at the same time. That means that attackers MUST validate them before attempting to use them.
“The payment amount of these validation attempts causes a lot of damage, even before you consider the damage done by those used to purchase goods. With increased fraud, merchants must pay higher fees and at some percentage point they’re no longer allowed to handle credit card transactions. These validation attempts are typically very low, so they fly under the radar of most controls and fraud software, leading to inevitable chargeback and fraud reports. While the actual monetary sums that need to be returned are negligible, the risk to the business is immense if a huge carding attack raises the interchange fees or even threatens the viability of the business.
“One way businesses can combat automated attacks like carding is to deploy machine-learning models and behavior-based, predictive analytics to catch them in real time. This approach can detect anomalies in user behavior including login dialogs and web-surfing patterns, and uncover even the most sophisticated bot attacks.”
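One way to turn that validation traffic into a detection, as an added example that is not code from the article or from any of the vendors quoted: a Python sketch that flags a client source which probes many distinct cards for tiny amounts inside a short window with a high decline rate. The log format, field names and thresholds are assumptions.

```python
# Added example (not from the original article): a small card-testing
# detector run over constructed payment-authorization log lines. It flags a
# source that, within a sliding window, tries many distinct cards for tiny
# amounts with a high decline rate, the pattern the quoted comment describes.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, card fingerprint (a hash, not
# a PAN), authorization amount in USD, gateway result. Values are made up.
SAMPLE_LOG = """\
2021-08-10T12:00:01Z 203.0.113.7 c1 0.50 DECLINED
2021-08-10T12:00:02Z 203.0.113.7 c2 0.50 DECLINED
2021-08-10T12:00:03Z 203.0.113.7 c3 0.50 APPROVED
2021-08-10T12:00:04Z 203.0.113.7 c4 1.00 DECLINED
2021-08-10T12:00:05Z 203.0.113.7 c5 0.50 DECLINED
2021-08-10T12:00:06Z 203.0.113.7 c6 0.50 DECLINED
2021-08-10T12:00:30Z 198.51.100.9 c7 49.99 APPROVED
2021-08-10T12:05:00Z 198.51.100.9 c7 12.00 APPROVED
2021-08-10T12:20:00Z 203.0.113.7 c8 0.50 DECLINED
"""

def parse(lines):
    for line in lines.splitlines():
        ts, ip, card, amount, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, card, float(amount), result

def find_card_testing(log, window=timedelta(seconds=60), min_cards=5,
                      max_amount=2.0, min_decline_rate=0.6):
    """Return {ip: (distinct_cards, decline_rate)} for sources whose
    low-value authorizations inside any `window` look like card testing."""
    by_ip = defaultdict(list)
    for ts, ip, card, amount, result in parse(log):
        if amount <= max_amount:           # only the tiny "probe" charges count
            by_ip[ip].append((ts, card, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):      # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            cards = {c for _, c, _ in span}
            declines = sum(r == "DECLINED" for _, _, r in span)
            rate = declines / len(span)
            if len(cards) >= min_cards and rate >= min_decline_rate:
                flagged[ip] = (len(cards), round(rate, 2))
    return flagged
```

On the constructed log, the first source is flagged for six distinct cards at a decline rate of 0.83 within one minute, while the ordinary shopper and the lone later probe are not.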
Felix Rosbach, product manager at comforte AG, sees lessons for the data-protection cycle:
“Card data is some of the most sensitive data of all. Fraud is easy to commit with stolen credit card information. Therefore threat actors releasing one million credit cards for free creates a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer or a merchant in the network was actually the target of a breach. It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data-centric security, which means focusing on data protection at the earliest possible point and de-protecting it only when absolutely necessary, is crucial to minimize the impact of a breach for enterprises.”