At a glance.
- Industry comment on the spreading consequences of the Accellion security incident.
- CBP's facial recognition program.
Industry comment on the Accellion-linked Singtel breach.
Data breaches connected with Accellion's FTA file-sharing software continue to surface. The Australian medical research organization QIMR Berghofer has disclosed that Accellion notified the institute that it may have been affected by the breach. Nine employees at QIMR Berghofer used FTA to collect results of clinical trials of anti-malarial drugs. The institute doesn't believe that any personal data were compromised. "No names, contact details or other personally identifiable details of study participants are in the files held in Accellion. Instead, codes are used to refer to study participants. Some of the documents in Accellion include de-identified information such as the initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes. Some other documents include participants’ de-identified medical histories, along with their codes." QIMR Berghofer has suspended its use of Accellion's FTA. Investigation continues.
Singapore's telecom company Singtel has also suspended its use of FTA. That incident, too, remains under investigation. Singtel says in its disclosure that "This is an isolated incident involving a standalone third-party system. Our core operations remain unaffected and sound."
We heard from two industry sources who commented on the Accellion breach. Trevor Morgan, product manager with comforte AG, wrote:
“The breaches revolving around Accellion’s decades-old software—most recently affecting Singtel—underscore several points about effective cybersecurity. With older, legacy software embedded within your operations, always work with vendors to update frequently or replace software that works with sensitive information, regardless of the potential costs. The risk of exposure is too expensive not to factor into your decision-making and capital expenditures.
"In addition, take data security seriously, because even if you don’t, the regulators certainly will make sure you do. Reconsider your defensive posture and the tools you use to thwart intentional or even unintentional breaches and data leaks. Ask yourself: am I protecting borders and perimeters around sensitive data, or am I protecting the actual data itself? The latter, which is known as data-centric security, ensures that no matter where data goes (even if it falls into the wrong hands) it remains protected and the sensitive nature of the information obfuscated. If data security is not on the mind of your IT professionals at all times, then an unfortunate data-related incident might be just around the corner. And you don’t want to go there.”
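The QIMR Berghofer disclosure above (participant codes instead of names in the files held on the transfer appliance) is a concrete instance of the data-centric approach Morgan describes: the file that lands on a third-party system carries no direct identifiers, and the mapping back to people stays in-house. The following is an added illustration, not code from QIMR, comforte, or Accellion. It assumes a CSV export of trial results (constructed sample rows, not real data), uses a keyed HMAC to derive participant codes so that codes cannot be recomputed from a guessed name or email without the key, keeps the code-to-identity linkage table separate from the shareable file, and adds a pre-upload gate that refuses any file still carrying an identifier column. The column names and the choice of email as the stable per-person key are assumptions for the example.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample export (not real data): trial results with direct identifiers.
RAW_RESULTS = """participant_name,email,dob,age,sex,ethnic_group,parasite_clearance_hours
Jane Example,jane@example.org,1984-03-02,36,F,A,42
John Sample,john@example.org,1979-11-20,41,M,B,38
"""

# Columns that identify a person outright. dob/age/sex/ethnic_group are left in,
# mirroring the QIMR description, but they remain quasi-identifiers (see note below).
DIRECT_IDENTIFIERS = ("participant_name", "email")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed participant code. Same key + identifier gives the same code, so
    records can still be joined; without the key the code cannot be reversed
    or recomputed from a guessed identifier (unlike a plain unkeyed hash)."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:12]


def deidentify(csv_text: str, key: bytes):
    """Return (de-identified CSV text, linkage table). Only the CSV text goes
    to the file-transfer service; the linkage table and the key stay in-house."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept = [f for f in reader.fieldnames if f not in DIRECT_IDENTIFIERS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["participant_code"] + kept, lineterminator="\n")
    writer.writeheader()
    linkage = {}
    for row in reader:
        code = pseudonym(row["email"], key)  # assumption: email is the stable per-person key
        linkage[code] = {f: row[f] for f in DIRECT_IDENTIFIERS}
        out_row = {f: row[f] for f in kept}
        out_row["participant_code"] = code
        writer.writerow(out_row)
    return out.getvalue(), linkage


def has_direct_identifiers(csv_text: str) -> bool:
    """Upload gate: refuse any file that still carries a direct-identifier column."""
    header = csv.DictReader(io.StringIO(csv_text)).fieldnames or []
    return any(f in DIRECT_IDENTIFIERS for f in header)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hold in a KMS/secret store, never beside the files
    shareable, linkage = deidentify(RAW_RESULTS, key)
    assert not has_direct_identifiers(shareable)
    print(shareable)
    print("linkage entries (kept in-house):", len(linkage))
```

The check that matters is the last one: if the appliance is compromised, what leaks is the shareable text, and its usefulness to an attacker is bounded by what the remaining columns reveal. Date of birth, sex and ethnic group together are still quasi-identifiers that can be cross-referenced against other data, so a practitioner would decide per field whether it needs to travel at all, rather than treating "no names" as the finish line.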
And Niamh Muldoon, global data protection officer at OneLogin, offered this advice to organizations that think they, too, may be at risk:
"Business leaders and organizations need to take time out of their day to carry out due-diligence in relation to the Accellion breach. This will help them determine the likelihood of their exposure to the breach and establish the full use of Accellion in their organizations.
"It's critical to ask each business leader if they are using an Accellion account belonging to a customer, partner, and/or vendor organization to send or receive shared files. An organization may not be directly exposed to the breach, but they could be using the Accellion version of the agent's organization which is exposed. It is important to incorporate access control and data lifecycle management into the risk assessment by asking about past data/files transfers, and whether those files have been properly managed, such as having access removed when it is no longer required.
"The results of the cross-functional risk assessment will determine if the organization is vulnerable per the versions of Accellion exploited by malicious attacker/s. Having your security and/or technology organization monitor and track official communications issued by Accellion will allow them to keep up-to-date. This is especially important because as the investigation continues more data will become available which may impact the associated risk to your organization, and require your organization to take more actions to reduce risk. If you are unclear from official communications if your organization is using a vulnerable version or not, reach out to Accellion for clarity - don’t just assume it’s OK."
US Customs and Border Protection February 2021 report describes facial scanning at airports.
In its February report, US Customs and Border Protection says it scanned more than twenty-three million travelers at more than thirty ports of entry last year. In the process it didn't detect anyone impersonating another individual. Josh Bohls, Inkscreen's founder, thinks this doesn't necessarily indicate failure. "The system may not have identified anyone using false credentials," he wrote in an email, "but I suspect the agency considers it a huge success in that it was able to collect a massive trove of images of visitors that can be directly linked to their passports. This is the holy grail of AI/ML system training data and will serve to improve the system dramatically over time."