At a glance.
- T-Mobile confirms that hackers accessed data on roughly 48 million customers.
- Chase Bank discloses a bug that leaked information from its site.
- Indiana's COVID data breach.
- COVID testing start-up overshares among those getting tested.
- Memorial Health's ransomware attack.
T-Mobile confirms that hackers accessed data on roughly 48 million customers.
As the CyberWire noted yesterday, T-Mobile is investigating a breach that came to light when a hacker claimed to be in possession of stolen customer data. T-Mobile has updated the official statement on its website, confirming that the attacker gained access to 7.8 million postpaid customer accounts and more than 40 million records of former or prospective customers, including names, dates of birth, Social Security numbers, and driver's license or identification card information, as well as the names, phone numbers, and account PINs of about 850,000 prepaid customers. The Wall Street Journal notes it's unclear whether there is any overlap among these subsets of victims, but regardless, as Gizmodo points out, T-Mobile's figures don't match the hacker's claim to have taken the data of nearly 100 million customers. T-Mobile says it will release further updates later today as the investigation continues.
We've received considerable security industry comment on the incident:
Ric Longenecker, CISO at Open Systems, wrote to lament an instance of what he sees as a common failure of risk management:
“Another day, another cyberattack on a major company results in the personal information of millions of people being stolen. This has become an all too common occurrence for companies worldwide – and the fifth known data breach for T-Mobile over the past three years. Companies clearly need to take immediate action to prevent such breaches, but they can’t do it alone. Finding a reliable security partner to reduce risk and protect sensitive information should be a company’s first step. Recent attacks only highlight that a collective effort is needed to combat the risk posed by cybercriminals.”
The concerns with breaches of this sort are usually at least two-fold. People worry about identity theft and the attendant possibility of fraud, and they also note that loss of personal data can be used to make social engineering more plausible and hence more effective. Daniel Markuson, Digital Privacy Expert at NordVPN, offered some thoughts on the implications of that second concern:
“Phishing scams are one of the biggest concerns from these types of breaches. Such scams are usually very effective as criminals use a piece of real information, for example, your name and taxpayer ID. Cybercriminals could send fake emails pretending to be your pharmacy, bank, hotel or even governmental institution.”
“Organizations need to enforce reliable security measures and inform their customers about how their data is collected, processed, and stored. T-Mobile needs to assess their cybersecurity risks, make relevant company-wide changes, and improve the overall approach to security, and let their userbase know of this as soon as possible.”
“Every company should start by establishing its security policy and ensuring compliance with any applicable regulations. If a company also chooses the right security tools and educates its employees, it can prevent many potential breaches.”
“The worst thing is that personalized phishing emails are so convincing and look real. Be more vigilant than usual and contact the organization before clicking on any links, filling in forms or transferring funds. Even if you are a customer of the service allegedly sending the email, don't trust it.”
Josh Arsenio, Director at Security Compass Advisory, sees the incident as of a piece with the risks that attend high rates of remote work:
"The T-Mobile breach is demonstrative of the need for telecoms companies and others to stay vigilant across their entire portfolio, through all layers of prevention, detection and response. You don’t want to just focus on whatever's currently making headlines, like phishing. The best route to prevention is for companies to manage their cybersecurity portfolio holistically.
"One of the specific challenges with telecommunications is their sheer exposure; the attack surface is massive. It’s one of the most difficult industries when it comes to cybersecurity because they are globally high-profile targets for so many, such as criminal and state-sponsored hackers. Additionally, handling sensitive data is core to their business and they have a lot of employees that facilitate business. This can lead to a challenge when it comes to insider threats, either through malicious or ill-informed employees.
"What’s unique about the T-Mobile story is, while it’s still under investigation, there is a perfect storm scenario right now with work from home, which possibly closed off a lot of their eyeballs, with data just walking out the door and on the darknet. What's also interesting is that cybercriminals selling that data online seems quaint by today’s standards, since anybody that's making money off these crimes has far better ways of doing it. They have systems in place to collect and launder money, an entire cybercrime ecosystem at their disposal. That’s why, at first glance, this has the hallmarks of more amateur cybercriminals, but of course more will come out in the investigation."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, notes that incidents of this sort normally result from a chain of oversights or errors, not from a single big mistake:
"I always imagine that the cliché phrases amounting to 'we take security very seriously' don’t have an unspoken second half: 'just not seriously enough to pay for it.' Getting IT security right is a very tough job and mistakes can and do happen, but by and large it seems that many organizations are unwilling to invest the resources to do so. For T-Mobile, this is the sixth major breach since 2018. The attacker claims to have compromised an end-of-life GPRS system that was exposed to the internet and was able to pivot from it to the internal network, where they were able to launch a brute force authentication attack against internal systems with no rate limiting and, I’m guessing, no alerting functions either. Assuming this is true, then as usual it isn’t just one mistake that leads to a massive compromise, but a string of failures or absence of security controls that occur. This is the type of incident that could have been identified as a risk by a properly scoped penetration test and detected with the use of internal network monitoring tools. Those things aside, this further reinforces that doing security correctly at any organization is a cultural characteristic. If it’s not something that’s part of an organization’s own identity, eventually some things, and often many things, will get missed that expose sensitive data to risk. A true culture of security involves buy-in from the highest levels of executive leadership and builds in appropriate levels of security checks and balances and redundancies to prevent or limit damage in the event of a single security misstep."
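The two controls Clements says the attacker's account implies were missing, a rate limit on failed authentication and an alert when a source trips it, are simple to build. The following is an added example written for this briefing; it is not code from T-Mobile, from Cerberus Sentinel, or from any system involved in the incident. The log format (`timestamp source user result`), the thresholds, and the sample lines are all constructed for the demonstration, and the source is keyed on client address because a password-spraying attacker rotates usernames rather than hammering one account.

```python
"""Sliding-window login throttling with lockout alerting, replayed over constructed log lines.

Added example, not code from the page's subjects. WINDOW, MAX_FAILURES, LOCKOUT and the
log format are assumptions chosen for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # assumed: look-back window for counting failures
MAX_FAILURES = 5                    # assumed: failures per source per window before lockout
LOCKOUT = timedelta(minutes=15)     # assumed: how long a tripped source stays blocked


class LoginGuard:
    """Per-source failure counter. Successes reset the counter; a burst of failures
    locks the source out and raises exactly one alert per lockout."""

    def __init__(self):
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.locked_until = {}               # source -> datetime the lockout expires
        self.alerts = []                     # human-readable alert records

    def _prune(self, src, now):
        q = self.failures[src]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def check(self, src, now):
        """True if the source is allowed to attempt a login right now."""
        until = self.locked_until.get(src)
        return until is None or now >= until

    def record(self, src, user, ok, now):
        """Feed the outcome of an attempt that check() allowed."""
        if ok:
            self.failures[src].clear()
            return
        self._prune(src, now)
        self.failures[src].append(now)
        if len(self.failures[src]) >= MAX_FAILURES:
            until = self.locked_until.get(src)
            if until is None or now >= until:     # first trip of this lockout: alert once
                self.locked_until[src] = now + LOCKOUT
                self.alerts.append(
                    f"{now.isoformat()} lockout src={src} "
                    f"failures={len(self.failures[src])} last_user={user}"
                )


# Constructed sample: one address sprays seven usernames in seven seconds, a legitimate
# user logs in from elsewhere, and the sprayer comes back after the lockout has expired.
SAMPLE_LOG = [
    "2021-08-17T10:00:00 10.0.0.5 alice FAIL",
    "2021-08-17T10:00:01 10.0.0.5 bob FAIL",
    "2021-08-17T10:00:02 10.0.0.5 carol FAIL",
    "2021-08-17T10:00:03 10.0.0.5 dave FAIL",
    "2021-08-17T10:00:04 10.0.0.5 erin FAIL",     # fifth failure: lockout + alert
    "2021-08-17T10:00:05 10.0.0.5 frank FAIL",    # denied without touching the backend
    "2021-08-17T10:00:06 10.0.0.5 grace FAIL",    # denied
    "2021-08-17T10:00:30 203.0.113.9 alice OK",   # unrelated source, allowed
    "2021-08-17T10:20:00 10.0.0.5 heidi FAIL",    # lockout expired, counter restarted
]


def replay(log_lines):
    """Run the guard over 'ts src user result' lines; return (allowed, denied, alerts)."""
    guard = LoginGuard()
    allowed = denied = 0
    for line in log_lines:
        ts, src, user, result = line.split()
        now = datetime.fromisoformat(ts)
        if not guard.check(src, now):
            denied += 1
            continue
        allowed += 1
        guard.record(src, user, result == "OK", now)
    return allowed, denied, guard.alerts


if __name__ == "__main__":
    allowed, denied, alerts = replay(SAMPLE_LOG)
    print(f"allowed={allowed} denied={denied}")
    for a in alerts:
        print("ALERT", a)
```

The point of `check()` running before the backend is consulted is that a locked source costs nothing and leaves a trace; the alert list is where a SIEM rule would hang. A real deployment would also key on the target account, so that a slow spray across many sources against one user is caught, and would persist the state in a shared store rather than process memory.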
Chase Bank discloses a bug that leaked information from its site.
Chase Bank has disclosed that a flaw in its online banking site led to the exposure of user data to other users, Bleeping Computer reports. The New York-based financial services provider’s data incident notice states, “We learned of a technical issue here that may have mistakenly allowed another customer with similar personal information to see your account information on chase.com or in the Chase Mobile app, or receive your account statements.” It’s unclear exactly how users were able to see this information or which customers were impacted.
Uriel Maimon, senior director of emerging technologies at PerimeterX, noted the difficulty of accurately assessing the damage in this sort of incident:
“It’s very very difficult to know what PII, if any, was exposed with this bug on Chase Bank’s online banking website and app. To know that, you would need to be able to separate the attackers from the bank’s users. This requires extremely advanced analytics. You’d also need to review mountains of data.
"Developing modern applications is a balancing act - you need to constantly make changes and evolve in order to stay relevant, especially in very competitive markets like retail banking where the user experience is currently one of the few differentiators where people are almost completely migrated online from the branches. That said, every time you make a change, it introduces the potential for catastrophic vulnerabilities.
"A good security program must have strong passive and active monitoring to detect these vulnerabilities and not rely entirely on development enforced controls.”
James McQuiggan, Security Awareness Advocate at KnowBe4, drew some lessons for app security from the incident:
"When applications are created for the web, on-premise or mobile devices, organizations want to ensure that all regression and remedial testing is conducted for all changes to avoid errors, data leaks and loss of productivity. With a robust change control and DevSecOps program, organizations can coordinate all changes to determine functionality and verify any data leaks before release. This activity prevents unauthorized access or misconfigurations of the data, leading to damage to their brand reputation and other consequences."
Pravin Madhani, CEO and Co-Founder of K2 Cyber Security, wrote to say that the incident makes a case for deploying RASP:
"The accidental leakage of Chase customer banking information to other customers is a good reminder that organizations need to be vigilant with the security of their public-facing web applications. The most common problems leading to web application compromise are misconfiguration, unpatched software and vulnerabilities in application code. The best way to defend against attacks against existing and undetected vulnerabilities is to keep your software up to date, and deploy RASP (Runtime Application Self-Protection) technology to actively monitor the application during runtime.”
Garret Grajek, CEO at YouAttest, looks to the episode as something that should motivate people to take a close look at best practices:
"The key to identity and data security is proper practices and procedures. These are outlined in the US government's cyber security framework, NIST 800-53 (Rev 5). These include best practices for identity creation, handling and review. These practices are quantified and detailed in the various regulations including PCI-DSS, HIPAA/HITRUST, SOX, SOC and now the D.o.D's CMMC. Best practices and identity governance don't ensure that mistakes won't happen but can help in mitigating the frequency and loss on these accidents."
Indiana's COVID data breach.
Health officials in the US state of Indiana have announced that a cybersecurity company gained unauthorized access to the personal data of 750,000 residents in the state’s online COVID-19 contact tracing questionnaire, the Associated Press reports. Indiana Department of Health’s Megan Wade-Taxter identified the company in question as UpGuard, but an UpGuard spokesperson denies any wrongdoing: “For one, our company did not ‘improperly access’ the data. The data was left publicly accessible on the internet. This is known as a data leak,” they stated, adding that the company actually helped secure the data once it was discovered.
Trevor Morgan, product manager with comforte AG, points out that it could've been worse. Even so, organizations should strive to do better:
“At first glance, the incident in the State of Indiana involving 750,000 residents’ personal data from a state online COVID-19 contact tracing survey seems mild. However, for most people our personal information, especially when wrapped in the context of our health records, is not something we want unauthorized people or companies to access. We place our faith in the assumption that agencies and other organizations which collect and process that data also put forward the strongest effort to guard that information.
"For any company like this which processes PII or PHI, data-centric security can add another, more appropriate safeguard against unauthorized access alongside more traditional perimeter-based defenses. Methods like tokenization replace sensitive data elements with representational tokens, so even if it falls into the wrong hands the sensitive information is indecipherable and cannot be leveraged.
"While this incident could have been worse, we’d all feel better knowing that our sensitive personal information could never be compromised, no matter who gets their hands on it.”
Erich Kron, security awareness advocate at KnowBe4, observed that:
"Unfortunately, ‘software configuration’ errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk. Incidents such as these are learning opportunities for any organization that handles sensitive data. It also drives home the need for constant security testing and for ensuring processes are in place to help protect data, especially when configuration changes are being made.”
COVID testing start-up overshares among those getting tested.
TechCrunch reports that Total Testing Solutions, a start-up that operates ten COVID-19 testing sites in Southern California and processes tests at "workplaces, sports venues, and schools," has taken down a website it used to notify customers of their test results. A customer found that altering a single digit in the URL of their results page gave them access to another customer's results.
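What the customer found is the textbook insecure direct object reference: the result is looked up by a sequential number taken from the URL and nobody checks who is asking. The following is an added example written for this briefing, not code from Total Testing Solutions (whose application is not public); the record layout, the sample results, and the function names are constructed. It places the vulnerable lookup beside a hardened one that enforces ownership, and beside an opaque-token variant for links that are viewed without a login, then shows what an attacker walking adjacent IDs gets from each.

```python
"""IDOR on a results page: vulnerable lookup, ownership-checked lookup, opaque-token lookup.

Added example, not the start-up's code. RESULTS, the viewer identities and the
function names are constructed for the demonstration.
"""
import secrets
from dataclasses import dataclass


@dataclass
class TestResult:
    result_id: int      # sequential: this is what made the URL guessable
    owner: str          # the customer the result belongs to
    outcome: str


# Constructed sample store standing in for the site's database.
RESULTS = {
    1041: TestResult(1041, "alice@example.com", "negative"),
    1042: TestResult(1042, "bob@example.com", "positive"),
    1043: TestResult(1043, "carol@example.com", "negative"),
}


def get_result_vulnerable(viewer, result_id):
    """Looks up whatever number is in the URL; `viewer` is never consulted."""
    rec = RESULTS.get(result_id)
    return rec.outcome if rec else None


def get_result_hardened(viewer, result_id):
    """Same lookup, but the record must belong to the authenticated viewer.
    Missing and forbidden return the same value so the endpoint is not an
    existence oracle for other people's result IDs."""
    rec = RESULTS.get(result_id)
    if rec is None or rec.owner != viewer:
        return None
    return rec.outcome


# Notification links are often opened without a session, so the URL itself is the
# credential. A 256-bit random token replaces the guessable integer in that case.
TOKENS = {}   # token -> result_id


def issue_link_token(result_id):
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = result_id
    return tok


def get_result_by_token(viewer, token):
    """Resolve the token, then still apply the ownership check."""
    rid = TOKENS.get(token)
    if rid is None:
        return None
    return get_result_hardened(viewer, rid)


def enumerate_ids(fetch, viewer, start, stop):
    """What an attacker sees by changing the digit in the URL over a small range."""
    found = {}
    for rid in range(start, stop):
        outcome = fetch(viewer, rid)
        if outcome is not None:
            found[rid] = outcome
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_result_vulnerable, "alice@example.com", 1040, 1045))
    print("hardened:  ", enumerate_ids(get_result_hardened, "alice@example.com", 1040, 1045))
```

The ownership check is the actual fix; the random token on its own only raises the cost of guessing, and it belongs in addition to, not instead of, the authorization check, with an expiry on the token so a forwarded notification link does not remain live indefinitely.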
Purandar Das, co-founder and the chief security evangelist at Sotero, sees the incident as a skirmish in the long range war between quick ROI and privacy:
“This is another instance of poor security practice. When organizations are in a hurry to monetize, security and data privacy are usually the first casualty. It is concerning when organizations don’t have rigorous security practices and a commitment to preserve and protect their customers’ privacy. As the company itself mentions, moving data to a more secure cloud-based service immediately solved the vulnerability. It is also a sign that the regulatory and financial pressure isn’t really solving this epidemic problem of losing customer and consumer data. This has to be seen in the light that consumers suffer huge amounts of reputational and financial damage while organizations continue to be in business after losing information due to poor practices and budgetary constraints.”
A new reason to sweat.
The Daily Swig explains that vulnerabilities found in fitness and gym management application Wodify, used by over five thousand gyms globally, could allow an intruder to modify data, exfiltrate personal information, and even access payment settings. Researchers at Bishop Fox say that despite reporting the bugs over eighteen months ago, the vulnerabilities remain unpatched.
Who’s watching the baby?
FireEye reports that cybersecurity firm Mandiant, in coordination with the US Cybersecurity and Infrastructure Security Agency, has disclosed a critical vulnerability impacting IoT devices operating on the ThroughTek Kalay network. Threatpost explains that Kalay, which is used on approximately 83 million devices, provides a plug-and-play network to easily connect smart devices like security cameras and baby monitors with corresponding mobile apps. Mandiant’s Jake Valletta told Wired, “An attacker could connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera, or reboot the device. And the user doesn’t know that anything is wrong.” Because of the way Kalay is integrated by manufacturers and resellers, the researchers are unable to determine exactly which devices are vulnerable.
Memorial Health's ransomware attack.
Memorial Health continues its recovery from Sunday's ransomware attack. Stephan Chenette, Co-Founder and CTO of AttackIQ, points out, again, that healthcare organizations will remain attractive targets for criminals:
“The healthcare industry is one of the largest targets for cybercriminals due to protected health information (PHI) being extremely profitable on dark web marketplaces because it usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come. Additionally, Memorial Health System is a non-profit organization, which makes it an even more attractive target for cybercriminals because nonprofits are often viewed as having lower defensive maturity and limited cybersecurity expertise.
"Organizations that manage sensitive health information must adopt a threat-informed cyberdefense strategy tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information. To best defend against ransomware, it’s important to understand the common tactics, techniques and procedures used by the adversary. In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim.”