At a glance.
- Education publisher breach exposes private college student data.
- Ransomware group sends threatening emails to student body.
- California school district delays notifying victims of data breach.
- Ransomware hits the Guardian.
Education publisher breach exposes private college student data.
The researchers at vpnMentor have disclosed they detected a data breach at US education publisher McGraw Hill. Two misconfigured Amazon Web Services (AWS) S3 buckets apparently belonging to McGraw Hill were discovered to be unprotected. One bucket contained 47 million files and 12TB+ of data related to production, and a non-production bucket contained over 69 million files and 10TB+ of data. Used by hundreds of thousands of students across the US and Canada at prestigious schools like Johns Hopkins University and University of Toronto, McGraw Hill’s online educational platform could provide a hacker with access to a trove of private student information including names, email addresses, and grades.
Higher Ed Dive notes that Federal law prohibits colleges from releasing or posting a student’s grades without student consent, meaning the breach could lead to government action. The storage buckets also contained company data such as employee information, private digital keys, and source code. As EdScoop explains, vpnMentor detected the data breach in June and spent months attempting to contact the company about the issue before receiving confirmation that it was resolved. The Register adds that for ethical reasons, the researchers refrained from combing through all of the data, instead using publicly available information to verify a small sample of the records by matching students' social media profiles to data in the storage buckets. McGraw Hill says it found out about the publicly available data during routine testing and isn’t aware of any negative effects. Tyler Reed, a McGraw Hill spokesperson, stated, “We are not aware of any further impact at this time. We are currently undertaking an additional review to see how we could improve our processes in the future.”
Amit Shaked, co-founder & CEO of Laminar, wrote to note the prevalence of sensitive data in cloud storage systems:
"One in five publicly facing cloud storage buckets contains sensitive data. This means that legacy security infrastructure is no longer sufficient to defend such sensitive data. Often these exposure incidents are blamed on ‘misconfiguration,’ but more often than not it is more about misplaced data that should never have been stored in an open bucket. The rapid shift to the cloud has enabled organizations to quickly spin up data stores, especially in buckets or blob storage. Unfortunately, however, many companies don't have full visibility into where their sensitive data resides. This shadow data is growing, and is a top concern for 82% of data security professionals. Organizations must have complete observability of their data. With monitoring and control of valuable data, enterprises will have the clarity they need to keep up with today’s fast-paced, cloud environment and avoid similar exposures."
Neil Jones, director of cybersecurity evangelism at Egnyte, sees data isolation as the principal lesson to be learned from the incident:
"The S3 bucket misconfiguration that was recently revealed at McGraw Hill is a classic example of the need to isolate data based on “business need to know.” Although details of the misconfiguration are still emerging, it is surprising that the company’s source code and digital keys were made available in the same location as students’ names, addresses, performance progress reports and grades. On the positive side, this is also a solid example of responsible disclosure by vpnMentor, who notified McGraw Hill of the misconfigurations. Best practices to reduce the impact of vulnerabilities like this one include the following:
- "Implement an effective incident response plan, and practice it via tabletop exercises before an actual event occurs.
- "Restrict access to data based on a user's need to access the information. That approach makes access to sensitive content more time-consuming for potential attackers, and gives the organization additional time to identify potential intrusions.
- "Respond immediately to communications that you receive from responsible disclosure sources like vpnMentor, especially when your data breach may violate legislative mandates such as the US Family Education Rights and Privacy Act (FERPA). According to published reports, McGraw Hill was notified of the misconfigurations up to nine times during a three-week timeframe in June and July 2022, without responding to vpnMentor’s communications."
Arti Raman, CEO and founder at Titaniam, also offered advice on secure use of cloud storage services:
“Data is the lifeblood of the modern enterprise, and as we continue our move towards processing and storing enormous amounts of data across hundreds of platforms, thousands of applications, and millions of users, data exposure is inevitable. It takes a single exploitable vulnerability or a single vulnerable user to render multiple layers of security ineffective. AWS S3 is one of the most useful and heavily utilized cloud object stores and consequently one that attackers continuously probe for misconfigurations and exposure. These days we find that even the best defended enterprises and ones with massive investments in data security are falling prey to cyber attacks.
"So what can a company do to mitigate the risk of losing sensitive data inside S3 to external attackers, malicious insiders, or simply to human error?
"There are three sets of controls that can be used to combat AWS S3 data compromise in increasing order of effectiveness: native encryption-at-rest, access control, and app level encryption/encryption-in-use. An obvious place to start is native encryption that comes with AWS S3. This helps to ensure that valuable data cannot be stolen from your S3 buckets via platform compromise or via AWS employees. Given that this is not how attacks typically take place, let us look at the next level, which would be access control. This helps to ensure that only authorized users have access to S3 buckets. Again, modern attackers easily bypass this by stealing access credentials. The final and most effective recommendation is to utilize app-level granular (object level) encryption and/or encryption-in-use where any direct access to S3 buckets never yields unencrypted data. This eliminates large scale data exposure and exfiltration, reduces ransomware and extortion risk, and also enforces strong privacy compliance."
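The exposure described in the McGraw Hill story, and the access-control layer Raman lists, come down to three bucket-level settings that can be audited mechanically. The following is an added example, not code from vpnMentor, McGraw Hill, or any vendor quoted here: it evaluates constructed S3 Public Access Block, ACL and bucket-policy documents (shaped like the responses of the AWS GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls) and reports whether anyone on the internet can read the bucket, showing an open configuration beside a corrected one; the bucket name, account id and role are placeholders.

```python
import json
# ACL grantee groups whose grants are readable by the world / any AWS account.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_policy_statements(policy_json):
    """Sids of Allow statements usable by any principal and not narrowed by a Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
    hits = []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        p = s.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"])):
            hits.append(s.get("Sid", f"statement[{i}]"))
    return hits

def public_acl_grants(acl):
    """(group URI, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def assess_bucket(pab, acl, policy_json):
    """IgnorePublicAcls neutralises public ACL grants, RestrictPublicBuckets
    neutralises public policy statements; any path still open means exposed."""
    acl_hits = public_acl_grants(acl)
    pol_hits = public_policy_statements(policy_json)
    via_acl = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    via_policy = bool(pol_hits) and not pab.get("RestrictPublicBuckets", False)
    return {"public_acl_grants": acl_hits, "public_policy_statements": pol_hits,
            "exposed": via_acl or via_policy}

# Constructed samples shaped like GetPublicAccessBlock / GetBucketAcl /
# GetBucketPolicy responses; bucket, account and owner IDs are placeholders.
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
LOCKED_PAB = {k: True for k in OPEN_PAB}
OPEN_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
OWNER_ACL = {"Grants": [{"Permission": "FULL_CONTROL",
             "Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
    "Resource": "arn:aws:s3:::example-records/*"}]})
```

Running `assess_bucket(OPEN_PAB, OPEN_ACL, OPEN_POLICY)` reports the bucket exposed through both the ACL and the policy; enabling all four Block Public Access flags alone, or replacing the grant and policy with owner-only and role-scoped versions, clears the verdict.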
Ransomware group sends threatening emails to student body.
In another education data breach, Knox College, a small liberal arts school in the US state of Illinois, was hit with a ransomware attack perpetrated by the Hive ransomware group. It’s unfortunate, but not unusual given the recent rise in breaches of educational institutions. What makes the attack stand out is that Hive resorted to an unusual tactic: contacting the students directly. On the evening of December 12, students received an email stating, “We have compromised your collage [sic] networks. The data we have includes your personal information, medical records, psychological assessments, and many other sensitive data. Additionally all of your SSN and Medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want. To us, this is a normal business day. For you, its a sad day where everyone will see your personal and private info.” This is the first known instance of attackers attempting to intimidate students directly, and it underscores the lengths ransomware groups will go to in order to get schools to pay up. Allan Liska, an analyst at the cybersecurity company Recorded Future, told NBC News, “It’s getting harder and harder to convince victims to pay, so this is the kind of extremes they need to go to…It’s a continual escalation in the extortion market.” The breach temporarily disrupted school services and the Hive website lists Knox as a victim, but no data have yet been released.
California school district delays notifying victims of data breach.
On December 1, the San Diego Unified School District (SDUSD), located in the US state of California, notified employees and students’ families it had experienced a “cybersecurity incident.” However, a report filed this month with the state Attorney General's office reveals that the incident actually occurred in October, five weeks before the potential victims were informed. As NBC 7 San Diego explains, a sample notification letter states that the district's investigation into the incident determined on November 23 that SDUSD files containing personal data had been stolen. SDUSD has released little information about the nature of the incident, but it said "critical systems" were still operational and school safety and emergency mechanisms have not been impacted.
Ransomware hits the Guardian.
A major British newspaper, the Guardian, was hit late yesterday by what appears to have been a ransomware attack. It seems to have affected mostly back-office infrastructure, and the paper says it expects to publish both print and online editions as usual. Assuming the attack carries the customary threat to privacy that normally accompanies ransomware incidents, Sammy Migues, Principal Scientist at Synopsys Software Integrity Group, offers some reflections on the implications of a ransomware attack:
“While this distinction is likely unimportant to the victim in the middle of the event, we must pull ransomware apart into a few topics. First, while we think of ransomware as an attack, it’s really a monetization scheme that happens after an attacker was able to get administrative access to some systems. Second, payment doesn’t always get your data back and even if it does get it back, it doesn’t mean that your data won’t also be sold to others. Third, restoration from perfect backups that haven’t been corrupted by the attackers can still take quite some time across many users, servers, and databases. Last, while getting operations back online is critical for an organization, finding how the attackers gained initial access and fixing it is paramount; restoring systems that immediately get re-encrypted won’t help.
"Almost all organizations do host, network, and cloud configuration and security testing. They do some application security testing. They have internal awareness training and anti-phishing training. They have advanced SaaS firewalls and third-party log analysts as partners. Yet, we still hear about ransomware events almost daily. That means it can happen to anyone but everyone can be better prepared.”
Dr. Ilia Kolochenko, Founder of ImmuniWeb, reviews some of the possibilities surrounding the incident:
“Based on the currently available information, the alleged ransomware incident does not look like a targeted attack, as the victim will unlikely have a huge budget to pay a ransom. However, we cannot exclude that foreign political forces or organized crime are pulling the strings to perfidiously silence the media or put pressure on The Guardian under the false flag of a ransomware attack.
"Today's cyberattacks are frequently orchestrated by traditional or organized crime to get an unfair advantage in business, obtain valuable intelligence from compromised law enforcement agencies or simply intimidate their adversaries. The number of readily available cyber mercenaries on the market is also rapidly growing, making cyber defense a tough and costly exercise for all industries around the globe.”
Ransomware has become an increasingly common form of attack, well-supported by the criminal-to-criminal markets and well-adapted to use by relatively unsophisticated criminals. Oz Alashe MBE, CEO of CybSafe, writes:
“Ransomware attacks have dominated the headlines in 2022, and The Guardian seems to be the latest victim of the increasingly popular form of attack. In the last few months alone, criminals realised they don’t need to steal or sell data. That takes too much time and effort. Instead, simply threatening to delete the data can produce the same result.
“Ransomware, wiperware, and any other type of malware are preventable. It starts with basic cyber hygiene: network segmentation, backups, regular patching, and vulnerability assessments. However, organisations also need to embrace a working culture that promotes positive security behaviours, treating it as a core value or an active process, not just a yearly compliance exercise. People want to be part of the solution. They are the crucial first and last line of defence. Organisations must give them the tools and training to allow them to be effective.”
Trevor Dearing, Director of Critical Infrastructure Solutions at Illumio, also sees the attack as an instance of a long-running trend:
“We don’t know much about the attack at present, however, if it is ransomware there could be several motives. The most obvious is financial, but it could also be political or nation-state driven, particularly given the publication’s coverage of recent, high-profile world events.
“Regardless of motive, the attack is another example of how any organisation can be a target for ransomware. Companies need to plan for survival, not prevention of attacks. Cyber resilience is now synonymous with business fortitude, so it’s imperative that businesses shift their attention from detecting attacks to containing and limiting the impact of breaches.”
Karen Crowley, Director of Product Solutions at Deep Instinct, reviews the other media organizations that have also recently been hit with ransomware. The Guardian is far from alone:
"In recent months, we’ve seen a worrying trend of reputable news organizations affected by cyberattacks and data breaches and today, The Guardian joins this list of organizations impacted by what is believed to be ransomware. Thomson Reuters, The New York Post, and Fast Company among many others have also been recently impacted. Cyberattacks like these are worrisome as they threaten to disrupt news cycles and degrade the basic principle of knowledge sharing for the public that the media serves.
"In this case, we’re seeing the internal networks of The Guardian under attack, with reports that access to shared corporate services and financial systems have been affected as well as the office WiFi. Attacks such as this can devastate an organization at all levels, reinforcing the need for solutions to prevent incoming threats before they hit servers. Media organizations have a responsibility to implement proactive measures that enable them to stay ahead of attackers.
"Ransomware not only impacts day-to-day operations, but the reputation of the organization and the news that they deliver. The public trust will be lost if they don’t feel these organizations can defend against malicious cyber acts. While The Guardian has stated that they have been able to keep afloat today, this attack should serve as a warning to all organizations to increase security measures to prevent a future ransomware attack."
Added, 11:45 AM, December 22nd, 2022.
Dan Vasile, Vice President, Strategic Development, BlueVoyant, wrote to point out that the media sector is distinctly vulnerable to supply chain threats, and that the effects of incidents can cascade across multiple outlets:
"The recently reported ransomware attack on The Guardian shines an already bright light on the media industry’s cybersecurity challenges. With constant evolution and a desire to stay ahead of the ways readers consume their media, a more distributed and fragmented ecosystem has developed as a result. The media industry is often targeted because of the influence it holds. Media companies get high volume traffic and are trusted by their audience. This puts a target squarely on the backs of news organizations. The domino effect is in full force: Thomson Reuters, The New York Post, Fast Company, and now The Guardian, among countless previously reported breaches.
"The industry should be put on even higher alert following the ransomware attack on The Guardian, which resulted in an internal network compromise, and severed access to corporate services, financial systems, and even the office WiFi. Generally speaking, large media organizations have structured cybersecurity programs in place, but as companies’ digital estates become well defended, malicious actors turn their attention to the supply chain, opening up a whole new attack surface."