At a glance.
- US HR firm suffers client data breach.
- Four arrested for tax fraud operation.
- The self-proclaimed “creep” of consensual doxing.
US HR firm suffers client data breach.
Sequoia, a US-based human resource, payroll, and benefits management company, has disclosed that an unauthorized party gained access to a cloud storage repository containing personal customer data between September 22 and October 6. The potentially compromised data include names, dates of birth, postal addresses, work email addresses, gender, marital status, employment status, Social Security numbers, benefits information, ID cards, and even Covid-19 test results and vaccine cards. In a notification letter, Sequoia explained that a forensic review “found no evidence that the unauthorized party misused or distributed data.” The company has not disclosed how many individuals were impacted by the breach. Its investigation found no malware on Sequoia's systems, no evidence of a data extortion attempt, no compromised computers or servers in Sequoia's infrastructure, and no ongoing unauthorized access to the company's network. Open-source security researcher Jonathan Leitschuh, who was notified that his data was involved in the breach, told WIRED he was not surprised that Sequoia had been targeted, saying that when it comes to third-party firms that handle copious customer data, a breach is almost inevitable. Leitschuh stated, “With third-parties like Sequoia that others contract with, the end user can't really opt out or change anything about the relationship if they want the job. But you don't know how these companies are defending this data long-term.”
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, wrote to discuss the ways in which cloud migration in some cases might expand an organization's attack surface:
“Enterprises adopt cloud-native strategies because they want to accelerate their processes and their ability to innovate. Unfortunately, most organizations struggle with the right level of data security to avoid compromise within the cloud environment. While cloud service providers offer data security capabilities, those capabilities are usually rather basic, and the particular business is still the responsible caretaker, especially in the eyes of regulators. The increased attack surface of cloud environments makes for a potentially weak overall security posture. In addition, with a hybrid and multi-cloud strategy, data becomes dispersed across multiple clouds as well as their own data centers. Data security becomes even more difficult to manage as cloud infrastructure complexity grows. Data-centric security, such as tokenization that is built specifically for cloud-native applications, can help with this complexity. By protecting the data itself rather than the layered, even amorphous borders surrounding cloud-native application environments, organizations can be assured that data is secure because tokenized sensitive information, even in containers, cannot be compromised if it falls into the wrong hands.”
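The comment above makes the case for protecting the data itself rather than the perimeter around it. The following is an added illustration of that idea, not code from comforte AG, Sequoia, or any product mentioned here: a small tokenization vault that replaces Social Security numbers and dates of birth with tokens before records are written to ordinary cloud storage, keeps the only token-to-plaintext mapping in a separately controlled store, and gates detokenization on the caller's role. The record layout, field names, and the "benefits_admin" role are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Fields that must never reach the general-purpose storage tier in the clear
# (assumed record layout for this example).
SENSITIVE_FIELDS = ("ssn", "date_of_birth")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# Roles allowed to turn a token back into plaintext (assumed for the example).
DETOKENIZE_ROLES = frozenset({"benefits_admin"})


@dataclass
class TokenVault:
    """Holds the only copy of the token -> plaintext mapping.

    In a real deployment this sits in a separate, more tightly controlled
    system than the application's cloud storage; here it is an in-memory dict.
    """
    index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _by_token: dict = field(default_factory=dict)
    _by_fingerprint: dict = field(default_factory=dict)

    def _fingerprint(self, field_name: str, value: str) -> str:
        # Keyed hash so the same plaintext always maps to one token (joins and
        # deduplication still work) without storing the plaintext in the index.
        msg = f"{field_name}\0{value}".encode()
        return hmac.new(self.index_key, msg, hashlib.sha256).hexdigest()

    def _new_token(self, field_name: str, value: str) -> str:
        while True:
            if field_name == "ssn":
                # Format-preserving: random digits in the ###-##-#### shape, so
                # downstream validation of the stored field still passes.
                d = "".join(secrets.choice("0123456789") for _ in range(9))
                token = f"{d[:3]}-{d[3:5]}-{d[5:]}"
            else:
                token = "tok_" + secrets.token_urlsafe(12)
            # Reject the (astronomically unlikely) collision with the plaintext
            # or with an existing token.
            if token != value and token not in self._by_token:
                return token

    def tokenize(self, field_name: str, value: str) -> str:
        fp = self._fingerprint(field_name, value)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = self._new_token(field_name, value)
        self._by_token[token] = value
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Access control belongs at the vault boundary, not in every caller.
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record safe to write to ordinary cloud storage."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in out:
            out[name] = vault.tokenize(name, out[name])
    return out


def leaks_plaintext(dumped_records: list, originals: list) -> bool:
    """Simulate a breach review: does a dump of the storage tier contain any
    of the original sensitive values in the clear?"""
    secrets_seen = {
        o[name] for o in originals for name in SENSITIVE_FIELDS if name in o
    }
    for rec in dumped_records:
        for name in SENSITIVE_FIELDS:
            if rec.get(name) in secrets_seen:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample record; not real data.
    vault = TokenVault()
    employee = {
        "name": "A. Example",
        "ssn": "123-45-6789",
        "date_of_birth": "1990-01-01",
        "work_email": "a.example@example.com",
    }
    stored = protect_record(employee, vault)
    print("stored in cloud tier:", stored)
    print("breach of cloud tier leaks SSN/DOB?", leaks_plaintext([stored], [employee]))
    print("benefits_admin reads:", vault.detokenize(stored["ssn"], role="benefits_admin"))
```

The design point is that a dump of the storage repository yields only tokens; the plaintext is recoverable solely through the vault, whose access is narrower and separately audited. The keyed fingerprint index keeps tokens consistent per value without letting the index itself become a lookup table of plaintext.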
Four arrested for tax fraud operation.
Dark Reading reports that three Nigerian nationals and one UK citizen have been arrested for a cyber tax refund scam. The group is accused of breaching US company servers, stealing personal information, and using that data to file fraudulent Internal Revenue Service tax documents in order to collect refunds. The four men purchased access to compromised servers and users on the underground forum xDedic Marketplace, and they used the proceeds from their crimes to buy prepaid debit cards for their personal use. The US Department of Justice says they now face extradition to the US, and if convicted each man could be sentenced to up to twenty years in prison.
The self-proclaimed “creep” of consensual doxing.
Can doxing be a fun, harmless, and educational hobby? Meet Kristen, a TikToker who has gone viral by using her sleuthing talents to deduce the ages of random users based only on social media content – with their consent, of course. She’s become the tech-enhanced version of the “Guess Your Age” barker at a carnival, and her skills have made the thirty-two-year-old restaurant server a self-trained expert when it comes to finding personal data on the web. For instance, in her quests she’s discovered that family members’ profiles are the most valuable source of information on a mark. “When I made a silly TikTok about how I could find someone's birthday, I didn't expect to become a data-privacy educator or someone who taught people how to lock down their social-media profiles. I was just showing people how creepy I am! But I've turned it into a very helpful tool,” Kristen told Business Insider. She isn’t able to crack every case, and the roadblocks she has encountered have become a veritable how-to on protecting your personal data online. “If they have a private profile, and they have no profile picture, and their username is just letters and numbers, that's a dead end for anybody, unless you hack into an account,” she says. “People think the goal is to make me fail, but I think it's a win for people if they're trying to remain anonymous.” She’s also noticed that it’s harder to track down individuals who are Gen X or older, as they tend to share less on social media, while millennials are usually the easiest to dox; Gen Z, having grown up with social media, tend to be more cautious about what they make public.