At a glance.
- Update on the Bed Bath & Beyond phishing incident.
- Royal Mail experiences a data breach.
- Davenport, Iowa schools attacked, data released.
- How to spot a hidden camera.
Update on the Bed Bath & Beyond phishing incident.
Bed Bath & Beyond revealed a data breach in an SEC filing last week, SecurityWeek reports. The breach occurred after an employee was victimized in a phishing attack. The hackers gained access to a hard drive and shared drives that the employee had access to, but Fox Business reports that the company said in the SEC filing, "The Company is reviewing the accessed data to determine whether these drives contain any sensitive and/or personally identifiable information. At this time the Company has no reason to believe that any such sensitive or personally identifiable information was accessed or that this event would be likely to have a material impact on the Company."
Tim Prendergast, CEO of strongDM, notes that credentials remain especially attractive targets for criminal phishing campaigns.
"Phishing is a means to the end that every cyber adversary wants: access. Right now, attackers are increasingly looking for improperly stored or secured valid credentials because they're essentially VIP passes into databases, and servers — everything companies don't want to be leaked publicly. Once attackers get those valid credentials, they have oftentimes unlimited access internally. Rather than point fingers, because in truth this could have happened to anyone, it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."
Arti Raman, CEO and Founder of Titaniam, wrote to point out that phishing remains by far the most common approach threat actors are found to take in data breaches.
“A phishing attack could happen to any of us, and there are statistics to prove it. Data suggests that phishing accounts for around 90% of data breaches. So the first response we must have as a community is empathy for the victims.
"After this, companies should consider investing in education programs to help employees spot these schemes to the best of their ability. For IT administrators, ongoing security awareness training and simulated phishing for employees are highly recommended to keep security top of mind throughout the organization.
"Finally, an extremely effective solution for keeping data safe even after a successful infiltration – and minimizing the risk of extortion – is data-in-use encryption, also known as encryption-in-use. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption allows all data in files, databases, search platforms to be encrypted while in active use, even in memory. Encryption-in-use is already being used by leading enterprises to secure both structured and unstructured data across clouds, on-prem, and hybrid environments. It is available for state of the art cloud environments as well as legacy infrastructure and helps neutralize all possible data-related leverage and dramatically limits the impact of data exposure, ransomware, and/or breach."
Royal Mail experiences a data breach.
TechMonitor reports that the Royal Mail suffered a data breach of its "Click & Drop" service on Tuesday. The platform gave customers access to parcel data that was not their own, and the platform was temporarily suspended while the issue was investigated, and an update read: “Royal Mail has temporarily suspended its Click & Drop website as a precautionary measure following reports that a limited number of customers were able to see information about other customers’ orders following a technical problem. We are investigating the incident in order to fix the IT issue so that you can post as soon as possible.” Sky News reports that the site was down from 2-6pm on Tuesday, and is now restored.
Davenport, Iowa schools attacked, data released.
Data-extortion group Karakurt claims to have stolen a massive amount of data from Davenport School District and released it, Quad-City Times reports. The group posted online on Tuesday that they were "excited to present to you our new data leak — Davenport Community School," with claims of a "giant massive array" of data from the leak available on the group's site. As of the publication of Quad-City Times' article, there has not been any evidence of actual leaks of data from the district. The group has been threatening to leak data since last week if the district didn't meet their demands, and Emsisoft threat analyst Brett Callow said, "It’s really not possible to predict what will happen next or when. It depends on whether Karakurt believes they may still be able to extract payment, whether the district does pay, whether Karakurt has as much data as they claim, etc."
How to spot a hidden camera.
WeLiveSecurity discusses security cameras in Airbnbs, referencing a study where over half of the surveyed 2,000 American Airbnb customers, 58% were worried about the possibility of hidden cameras on the property. Airbnb's policy on security cameras and noise-monitoring devices says that they are allowed "as long as they are clearly disclosed in the listing description and don’t infringe on another person’s privacy.” However, with the immense amount of listings available on Airbnb, it's hard for them to police it. WeLiveSecurity provides tips for finding hidden cameras, such as physically checking the room, using a flashlight, checking for night vision lights, using an app, and detecting RF signals.