At a glance.
- No, phishing is not the latest dance craze.
- Airline apologizes for customer data breach.
- Millions of students exposed in loan platform breach.
No, phishing is not the latest dance craze.
NordVPN has released the results of a survey in which they asked one thousand Americans about the impact of social engineering on their online habits, and the report shows that while 51% of respondents are unfamiliar with the term “social engineering” (and an alarming 31% thought it referred to a social media job title), 84% have experienced social engineering behavior. The most frequent attacks include suspicious emails asking for their personal information (48%), suspicious texts (39%), persistent pop-up advertisements (also 39%), and emails requesting work or business information (37%). When successful, these phishing scams most frequently resulted in victims having their email, social media, or financial accounts locked, their personal login details stolen, or their purchases lost. It’s promising to hear that many respondents take precautions to protect themselves from scams, with 61% avoiding suspicious links, 50% rejecting requests for financial data, and 50% limiting the information they share on social media. However, there are still a shocking 6% who think phishing involves actual fish, and another 5% believe it’s a dance move. There’s always room for improvement.
Airline apologizes for customer data breach.
New Indian commercial airline Akasa Air has disclosed it experienced a data breach that resulted in an intruder gaining unauthorized access to customer data. DNA India reports that the airline, which is less than a month old, has issued an apology to passengers and has reported the incident to the Indian Computer Emergency Response Team. Akasa explained that the breach was the result of a temporary technical configuration error connected to its login and sign-up service, and that “some Akasa Air registered user information limited to names, gender, e-mail addresses and phone numbers may have been viewed by unauthorized individuals. We can confirm to you that aside from the above details, no travel-related information, travel records or payment information was compromised.” The company added that their records have revealed no indication of an “intentional hacking attempt,” but customers are advised to be wary of phishing attempts.
Millions of students exposed in loan platform breach.
Technology services provider Nelnet Servicing was hit with a data breach that has exposed the data of more than 2.5 million individuals. Nelnet provides tech services, including a web portal, for the Oklahoma Student Loan Authority and student loan provider EdFinancial, and the breach impacted students who use these services to access their loan accounts. Nelnet says that unidentified intruders compromised their system, likely by exploiting a vulnerability, in June, gaining access to their networks until July 22. The impacted data includes users’ full names, street addresses, email addresses, phone numbers, and Social Security numbers, but fortunately no financial information was exposed. Bleeping Computer adds that law firm Markovits, Stock & DeMarco has launched an investigation into the potential for a class action lawsuit.
We received a number of comments on the incident. Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, wrote about why higher education is, and is likely to remain, a target of data theft:
“Given the troves of personal information stored within universities and related higher education institutions, they will always be a likely target for cybercriminals. With an ever-growing attack surface, building just another wall around the institution’s network or a segment of sensitive data is not the best way forward. In the end, the most important thing to do is to protect the students’ and employees’ data, rather than the borders around that information. With modern solutions such as format-preserving encryption or tokenization, you can render useless to hackers any PII (including names, addresses, and IDs) or other data you deem sensitive, even if they manage to penetrate your strengthened perimeters and actually get their hands on it.”
Aaron Sandeen, CEO and co-founder, Cyber Security Works, thinks security teams need to up their game if they hope to prevent this sort of breach:
"Security teams need to be smarter and act proactively before a breach like this occurs. As this incident shows, simply blocking the attack as soon as it is detected is not enough anymore. Crucial data such as names, addresses, and social security numbers have already been exposed.
"IT administrators should be aware of the risks and threats incorporated into their systems. And they should be addressing them! More often than it should, security incidents happen as a result of a well-known problem in a widely used service that has gone unfixed despite a patch being made accessible to the public for months or years. To prevent incidents such as the Nelnet breach, security teams must give priority to proactively patching vulnerabilities that pose significant threats."
Gal Helemski, CTO and co-founder, PlainID, noted that this kind of breach has enduring effects, and offers some advice on how to deal with this risk:
"Data breaches as significant as this have damaging consequences for potentially years afterward. It is time to reinforce all security infrastructure. When it comes to internal breaches where networks are compromised, identity is still the number one challenge. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Zero Trust provides that layer of defense that is unrivaled when it comes to defending internal systems.
"Access Policies and Dynamic Authorizations are a crucial part of the zero-trust architecture; they help to verify who is requesting access, the context of the request, and the risk of the access environment. You cannot control human cyber hygiene and thus the power of verification is demonstrated. Organizations need a more focused strategy oriented on purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume adversaries are already in the network, it makes sense to focus budgets on restricting movement inside the network.”
Arti Raman, CEO and Founder, Titaniam, describes how the breach occurred, and why it was worth it to the attackers:
“Hackers were able to compromise the servers of technology services provider Nelnet Servicing, and obtain the information of 2.5 million people with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial by exploiting a vulnerability in the company’s network. This incident, like the vast majority of incidents these days, shows us that attackers are managing to infiltrate enterprise networks even in instances where there has been a substantial investment in security. Once inside they look to exfiltrate valuable data that can be used to generate revenue for them either via extortion or by simply selling the data.
"It is time for security leaders to acknowledge that in addition to prevention, detection and recovery solutions, the security program needs to include a rock-solid plan for keeping data out of the hands of attackers once they successfully get in. This is where encryption-in-use comes in. Encryption-in-use, also known as data-in-use encryption, provides enterprises with unmatched immunity in the face of data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach.”