At a glance.
- Data exposure at the Texas Department of Insurance.
- ICCL report details RTB ad tracking.
- Credit card scraping operation.
Texas Department of Insurance inadvertently exposes worker data.
A state audit has determined that the personal information of nearly 2 million individuals who filed compensation claims with the Texas Department of Insurance (TDI), an agency that oversees the state’s insurance industry, was exposed for nearly three years. According to the audit, released this week, the compromised data includes Social Security numbers, addresses, dates of birth, phone numbers, and employee injury info and was publicly accessible online from March 2019 to January 2022. The Texas Tribune reports the leak was the result of a flaw in the programming code in the web application used by TDI to manage workers’ compensation data. TDI spokesperson Ben Gonzalez explained, “We found the issue was due to programming code that allowed internet access to a protected area of the application. We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue.” Gonzalez added that the investigation did not uncover any evidence that the data had been misused. Nonetheless, Insurance Business America adds, TDI will send notification letters to the impacted individuals including instructions on how they can enroll for free credit monitoring.
Amit Shaked, CEO, Laminar, finds the kind of error implicated in this incident regrettable. He wrote, "This event is truly unfortunate as it is not due to an attack or malicious activity. It was due to a missed code glitch that left personal data exposed for years. Today’s digital world requires layering on data-centric security where policies are at the data object level, like detecting excessive exposure in this case. To combat the growing threat to data protection in the cloud, data security teams require a set of cloud native tools that are automated and always continuously monitoring. These automated solutions will transform security teams from gatekeepers to enablers of data democratization."
It's also another case of abused privileged credentials, Arti Raman, CEO and Founder of Titaniam, wrote. “As this incident proved, information can be accessed using privileged credentials, or strictly from a code glitch, allowing not only the general public to see this information, but hackers to steal underlying data. To keep customer PII safe and minimize the risk of extortion, encryption, specifically data-in-use encryption, also referred to as encryption-in-use, is recommended. Data-in-use encryption provides unmatched immunity. Should adversaries break through perimeter security infrastructure and access measures, or simply gain access through a technical error, data-in-use encryption keeps the data and IP encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”
Neil Jones, director of cybersecurity evangelism at Egnyte, notes that the data maintained by this agency inevitably includes a great deal of PII. "The recent data breach at the Texas Department of Insurance is especially concerning because worker's compensation data inherently includes PII (Personally Identifiable Information) and PHI (Protected Health Information), which are potential treasure troves for cyberattackers. Although there's no current evidence that the breached information has been used maliciously, it is not uncommon for attackers to wait for just the right time to post their breached data to the Dark Web," he writes. "There are several key lessons that can be learned from this incident:
- "Organizations need to combine data security with effective application security testing and penetration testing programs.
- "Stress testing needs to be conducted before an application's brought live to end-users in a public setting.
- "During these dynamic times, routine technological audits need to occur on a more frequent basis than they did before, to prevent vulnerabilities from being exploited."
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, notes the special responsibility of state agencies: “We depend on the state agencies to provide us with a basic level of security against all threats. The recent incident with the Texas Department of Insurance in which the personal information of 1.8 million workers has been exposed should underscore the need for data-centric security such as tokenization or format-preserving encryption to be applied to sensitive data wherever it resides in order to render that data incomprehensible and thus worthless for exploitation if bad actors get ahold of it. Preventing attacks and breaches is not 100% foolproof, so we can only hope that governmental agencies have instituted the mitigating measures of data-centric security applied directly to data in case sensitive information falls into the wrong hands.”
ICCL report details RTB ad tracking.
On Tuesday the Irish Council for Civil Liberties (ICCL) released a report including new data on what it’s calling the biggest data breach ever recorded: the real-time-bidding (RTB) system’s abuse of web users’ info for tracking and ad targeting. According to the report, through the use of RTB, a surveillance-based ad auction system, Google and other tech giants have been processing and sharing user data billions of times per day. The ICCL explains, “[RTB] tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”
Figures in the ICCL’s report, obtained from a confidential source, show that users in the US state of Colorado and the UK are among the most exposed by the system, with 987 and 462 RTB broadcasts respectively per person per day. Americans have their online activity and real-world location exposed 57% more often than Europeans, likely due to differences in privacy regulations across the two regions. The biggest culprit, Google, allows 4,698 companies to receive RTB data about US users, while Microsoft says it may send data to 1,647 companies. Questions have been raised about how RTB could be exposing sensitive data individuals share online, from women’s fertility cycles stored in period tracking apps, to Black Lives Matter protestors’ locations, to the romantic histories of users of Grindr and other dating apps.
The report could have repercussions for European regulators in particular, given that the General Data Protection Regulation (GDPR) has been in place since May 2018 but regulators have been seemingly reluctant to penalize the adtech industry. Johnny Ryan, senior fellow at the ICCL, told TechCrunch, “As we approach the four year anniversary of the GDPR we release data on the biggest data breach of all time. And it is an indictment of the European Commission, and in particular commissioner [Didier] Reynders, that this data breach is repeated every day.”
Alert: US credit card scraping operation.
An FBI Flash notice warns that unidentified threat actors were scraping credit card data from an unnamed US business by injecting malicious PHP (Hypertext Preprocessor) code into the business’ online checkout page. The scraped data was being sent to an actor-controlled server spoofing a legitimate card processing server. The attackers also established backdoor access to the victim’s system by modifying two files within the checkout page. The notice details new indicators of compromise for e-commerce sites and lists recommended mitigations, which include updating and patching all systems, changing default login credentials, monitoring e-commerce environment requests for possible malicious activity, segregating network systems, and securing all websites that transfer sensitive information with the secure socket layer (SSL) protocol.
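Both of the techniques in the notice, code injected into the checkout page and two modified files serving as a backdoor, change files in the web root, so a file-integrity baseline of the deployed checkout code is one practical way to catch them. The script below is an added example written for this briefing, not code from the FBI notice or from any affected site; the directory layout, file names and file contents are constructed to simulate a clean deployment followed by tampering.

```python
"""Hypothetical file-integrity check for an e-commerce checkout directory.

Added example (not from the FBI notice): records a SHA-256 baseline of the
deployed PHP/JS files, then reports files that were modified, added or removed
since the baseline. An injected skimmer or a dropped backdoor file in the
checkout page shows up as a "modified" or "added" entry. All paths and file
contents below are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth baselining in a typical PHP storefront (assumption).
DEFAULT_PATTERNS = ("*.php", "*.js")


def hash_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=DEFAULT_PATTERNS) -> dict:
    """Map each matching file (path relative to root, POSIX form) to its digest."""
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict, patterns=DEFAULT_PATTERNS) -> dict:
    """Re-hash the tree and classify every difference from the stored baseline."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: clean deploy, baseline taken, then the checkout page is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "checkout" / "checkout.php").write_text("<?php echo 'pay'; ?>\n")
        (root / "checkout" / "helpers.php").write_text("<?php function total() {} ?>\n")

        # In real use the baseline is stored outside the web root (and ideally
        # off-host) so an attacker with write access cannot simply update it.
        saved_baseline = json.dumps(build_baseline(root))

        # Simulated tampering: extra code appended to the checkout page and a
        # new file dropped next to it, mirroring the two kinds of change described.
        with (root / "checkout" / "checkout.php").open("a") as handle:
            handle.write("<?php /* appended block (constructed) */ ?>\n")
        (root / "checkout" / "cache.php").write_text("<?php /* new file (constructed) */ ?>\n")

        return compare_to_baseline(root, json.loads(saved_baseline))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` at deploy time and `compare_to_baseline` from a scheduled job; any non-empty `modified` or `added` list for the checkout directory outside a known release window is worth an immediate look, since legitimate changes to payment pages are rare and should be tied to a change record.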