At a glance.
- Ransomware gang releases data stolen from US city housing agency.
- Personal data inadvertently exposed during an emergency notification test.
- Tesla’s breach notification reveals further details about the incident.
- BlackCat compromises Seiko networks.
Ransomware gang releases data stolen from US city housing agency.
The Raleigh Housing Authority (RHA), which manages public housing programs for the city of Raleigh in the US state of North Carolina, suffered a cyberattack back in May that disrupted the organization’s services for weeks and required the aid of the National Guard and the Federal Bureau of Investigation. Now, the Record reports, the Black Basta ransomware gang has begun publishing private data allegedly stolen in the attack. Cybersecurity expert Dominic Alvieri says the Social Security cards, passports, and financial documents belonging to individuals connected to RHA have appeared online. “Keep it moving, nothing to see here except passports and social security #’s @TheJusticeDept,” Alvieri posted on X. RHA has not directly confirmed or denied that the data have been published, but instead responded with a brief statement describing its response to the May attack. RHA CEO Ashley Lommers-Johnson stated, “We immediately notified state and federal authorities, met with Emergency Management, and currently have the National Guard cyber security team on-site investigating.”
James McQuiggan, Security Awareness Advocate at KnowBe4, sees the risk as one liable to dog any organization whose mission requires the collection and retention of personal information. "This unfortunate ransomware attack reveals the cybersecurity issues facing government public sector organizations that need more resources to maintain susceptible personal data, making them prime targets, but are limited by funding that is not always available or allocated to cybersecurity. Even though the attack devastates those victims impacted by the theft of personally identifiable information (PII), it shows the rapid response from experts at the FBI was vital, delivering the value of pre-established relationships and incident response coordination." He added, "Sadly, the exfiltration and personal data leak damaged the housing authority's reputation and resulted in the potential loss of public trust. Data protection must be prioritized and protected with technologies like MFA, strong, non-guessable passwords, and privileged access. Ongoing cybersecurity training and phishing simulations could have detected the intrusion earlier and limited the impact. Training, awareness, and assessment at all levels are vital. Ransomware is a threat to all essential government services, and with the proper precautions and resilience, other agencies can reduce the impacts of inevitable attacks. But prevention remains ideal, and they must continue strengthening partnerships and cyber defenses across the public sector."
Personal data inadvertently exposed during an emergency notification test.
A mistake at New York City’s Department of Finance (DOF) has exposed the sensitive data of all of its employees. In an attempt to test its emergency notification system, the department inadvertently emailed a roster of all of its staff to all of the agency’s employees – approximately 1,800 people. The roster included employee home addresses, cell numbers, and personal email addresses, and was accompanied by mis-timed automated test calls that went out before dawn (and which were more annoying than threatening to data privacy).
One staffer, who asked to remain anonymous, told THE CITY, “We don’t know who out there has our information, how they’re going to use it, and who they’re going to share it with.” In an email to employees after the snafu, Associate Commissioner for Workforce Management Corinne Dickey stated, “We are investigating this matter and working with our partners in Legal and FIT to determine the best course of action.” Dickey added that the city’s Office of Technology & Innovation and Cyber Command had been notified of the incident. Critical incident management firm Everbridge has a $6 million contract with the Office of Emergency Management to support NYC’s citywide mass notification system and has been assisting DOF with the implementation of its emergency notification system. Everbridge spokesperson Jeff Young stated, “We respect the confidentiality of our customers, and take it very seriously.”
Jadee Hanson, CISO and CIO of Code42, frames the accidental release of data as an insider risk incident. “The incident involving New York City’s Department of Finance employee data leak during a test of its emergency notification system serves as a testament to the pervasive nature of Insider Risk incidents. With the amount of critical information that employees handle day to day, mistakes are bound to happen. However, the impact of these mistakes can be mitigated through visibility of file movement and speed of response. While Insider Risk is not new, it has increased in gravity over the past few years, especially as a distributed workforce and the use of collaboration tools are more prevalent than ever. Data leak, loss, and theft can cost companies an average $16 million per incident. Accidents like these are a reminder for companies to invest in Insider Risk management both in terms of strategy and technology.”
Tesla’s breach notification reveals further details about the incident.
In May, American automotive giant Tesla suffered a massive data breach that exposed a range of data belonging to past and present employees and customers. Yahoo News reports that Tesla has begun notifying the impacted individuals, which, according to a notice posted on the Maine Attorney General’s website on Friday, comes to more than 75,000 people. As Bloomberg notes, the notice also explains that “two former Tesla (TSLA) employees misappropriated the information in violation of Tesla (TSLA)’s IT security and data protection policies” and shared it with German news outlet Handelsblatt. Tesla is suing the two employees, and the devices that contained the stolen data have been seized. The stolen documents, which have been dubbed the “Tesla files,” comprised 100 gigabytes of confidential data, which included employees' names and contact information such as addresses, cell phone numbers, and email addresses.
Business Insider notes that Tesla CEO Elon Musk’s own Social Security number was among the exposed data. As well, the files included thousands of customer complaints regarding issues with Tesla cars accelerating or braking suddenly. Tesla has yet to respond to requests for comment on the new information regarding the breach.
Dor Fledel, co-founder and CEO of Spera, sees the incident as an instance of the difficulty of enforcing least-privilege policies. “Incidents like this are a prime example of how organizations struggle to enforce the principle of least privilege. It is too easy for organizations to fall into the trap of granting access for the sake of productivity without considering the security ramifications,” Fledel wrote. “Organizations must have the discipline along with the necessary tools and processes to ensure employees have the appropriate level of access. Without a centralized identity-focused security supporting the rapidly adopted SaaS and cloud infrastructures, it is difficult for organizations to measure, monitor and effectively reduce the permissions sprawl on their own. Unfortunately, we should expect to see more such incidents in the near future until organizations take a holistic approach to identity security.”
Another lesson some draw from the incident is the importance of removing access when employees depart a company. Lior Yaari, CEO and co-founder of Grip Security, commented, “This breach makes it clear that Tesla did not have the right controls in place to prevent this type of breach. It is actually more common than people think to have former employees’ access to systems remain active after they have left the company." Part of the problem is simply how hard it is, in practice, for an organization to know what is running on its own networks and which accounts exist there. "With the proliferation of SaaS, most companies do not have a full inventory of all the apps their employees are using, which makes it impossible to secure those apps once the employee leaves. Without more information, it is difficult to know whether this was a lack of security controls or the result of two disgruntled employees who stole the data with malicious intent. Either way, Tesla needs to tighten up their data governance and system access controls or this will happen again and again.”
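The offboarding gap Yaari describes is concrete enough to check for mechanically: reconcile the HR roster (who should still have access) against the account lists exported from each SaaS admin console, and flag accounts that belong to former employees, that were used after the departure date, or that belong to nobody HR knows about. The example below is added here and is not code from Tesla, Grip Security, or any of the firms quoted; the roster, the account export, and the e-mail addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed HR roster (sample data): the source of truth for who should have access.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "left_on": None},
    "bob@example.com": {"status": "terminated", "left_on": date(2023, 5, 2)},
    "carol@example.com": {"status": "active", "left_on": None},
}

# Constructed account export from several SaaS admin consoles: (app, account, last sign-in).
SAAS_ACCOUNTS = [
    ("crm", "alice@example.com", date(2023, 8, 18)),
    ("crm", "bob@example.com", date(2023, 8, 10)),          # left in May, still signing in
    ("file-share", "bob@example.com", date(2023, 4, 30)),   # left in May, dormant but enabled
    ("file-share", "carol@example.com", date(2023, 8, 20)),
    ("wiki", "dave@example.com", date(2023, 8, 1)),         # unknown to HR: unmanaged identity
]


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    reason: str


def reconcile(roster, accounts):
    """Compare every enabled SaaS account with the HR roster and return the mismatches.

    Three cases are reported: the account is not in HR at all (shadow or
    unmanaged identity), the person left but the account is still enabled, or
    the person left and the account has been used since the departure date.
    """
    findings = []
    for app, account, last_login in accounts:
        record = roster.get(account)
        if record is None:
            findings.append(Finding(app, account, "not in HR roster"))
        elif record["status"] != "active":
            left_on = record["left_on"]
            if left_on is not None and last_login > left_on:
                findings.append(Finding(app, account, "used after departure"))
            else:
                findings.append(Finding(app, account, "former employee, still enabled"))
    return findings


def findings_by_app(findings):
    """Group findings per application so each app owner gets their own revocation list."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.app, []).append(f)
    return grouped


if __name__ == "__main__":
    for app, items in findings_by_app(reconcile(HR_ROSTER, SAAS_ACCOUNTS)).items():
        print(app)
        for f in items:
            print(f"  {f.account}: {f.reason}")
```

The "used after departure" case is the one that should page someone, since it is evidence of the exact situation Yaari describes rather than a hygiene backlog; the "not in HR roster" case is how the missing app inventory shows up in data, because an account nobody can map to a person usually means an app nobody is managing.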
Dror Liwer, co-founder of cybersecurity company Coro, noted that insider risk can be the toughest kind of risk to mitigate. “Malicious insiders are the most difficult to protect against, as trust is an inherent expectation of co-workers. While this is a case of malicious intent, co-workers can also expose data unintentionally. This is why organizations must have clear, enforced guidelines on who should have access to what, and a clear data retention policy. In both cases, less is more. Less people with access to sensitive information, and retention of sensitive data for the least amount of time absolutely necessary.”
And, finally, Liat Hayun, CEO of Eureka Security, commented on the inherent difficulty of restricting access to personally identifiable information (PII). "Access to extract and share critical PII must be restricted within a company. But the prevailing reality is that just isn't always the case. So many companies today believe having appropriate expertise is enough to secure data. Unfortunate incidents like this are a sobering reminder that while understanding the infrastructure is important, to truly gain a handle on this, security teams must have the proper tools and processes in place so they can understand data and the ways it needs to be protected."
(Added, 6:45 PM ET, August 21st, 2023.) Nikhil Girdhar, Senior Director of Data Security at Securiti.ai, commented on the difficulty of balancing the need for access with the preservation of security. "The recent data breach at Tesla, which compromised the sensitive information of 75,000 employees due to insider misconduct, brings to the forefront a common dilemma many companies face: balancing employees' need for data access for business operations while minimizing security risks," Girdhar wrote. "One best practice for managing insider risk is to limit sensitive data access to only employees and vendors who require it for their tasks. This is easier said than done; manual access governance often leads to 'permissions leakage,' where employees end up with broader data access than necessary. However, automating access controls based on employee roles and using anonymization techniques such as data masking or synthetic data generation can reduce the number of employees accessing sensitive information without hindering business projects. Continuous monitoring of user activity, especially activity involving access to sensitive data, serves as the second pillar of a strong defense strategy against insider threats. Despite having stringent access controls in place, companies must remain vigilant for signs of suspicious activity, such as substantial data exports or the unauthorized use of external storage devices. AI-based anomaly detection techniques can be powerful, enabling teams to flag and block suspicious activity in real-time and defend against insider risks."
(Added 7:15 PM ET, August 21st, 2023.) Almog Apirion, CEO and Co-Founder of Cyolo, also sees the issue as one rooted in excessive privilege. "This attack underscores the crucial impact of over-permissioned internal users within an organization’s infrastructure. In this instance, the sheer amount of sensitive employee and customer information – including Elon Musk’s own SSN – publicly distributed poses a serious threat for potential ramifications. The news highlights the need for proper security protocols and overall cyber hygiene. To reduce the risks of insider threats, modern strategies are essential. These encompass adopting advanced technologies like zero-trust access and high-risk identity management, which enable swift asset restriction, constant authentication and real-time access control. Embracing such security measures ensures organizations safeguard their internal infrastructure. While malicious insiders can't be eliminated, internal access can be confined to essential personnel, and in the case of people leaving the company, they no longer have access to any assets."
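Girdhar's two pillars, role-based limits on who may read sensitive datasets and monitoring for unusually large exports, can be shown on a small audit log. The example below is added here and is not code from Securiti.ai, Cyolo, or Tesla; the role policy, the audit-log line format, the user names, and the row counts are all constructed. It checks each access against a role policy, then flags any user-day whose exported volume either exceeds the role's daily cap or is far above that user's own median daily volume for the dataset, which is the simplest form of the baseline-based anomaly detection Girdhar refers to.

```python
import re
import statistics
from collections import defaultdict

# Constructed role policy: role -> {dataset: maximum rows per day}. Absent dataset = no access.
POLICY = {
    "hr-analyst": {"employee_pii": 500},
    "support-agent": {"customer_complaints": 2000},
    "engineer": {"telemetry": 100000},
}

# Constructed audit log (sample data, not from any real system). One line per export.
AUDIT_LOG = """\
2023-05-08T09:02:11Z user=ann role=hr-analyst dataset=employee_pii rows=120
2023-05-09T10:15:40Z user=ann role=hr-analyst dataset=employee_pii rows=95
2023-05-10T11:20:05Z user=ann role=hr-analyst dataset=employee_pii rows=140
2023-05-11T02:47:33Z user=ann role=hr-analyst dataset=employee_pii rows=75000
2023-05-08T13:00:00Z user=raj role=engineer dataset=telemetry rows=40000
2023-05-09T13:00:00Z user=raj role=engineer dataset=telemetry rows=42000
2023-05-10T13:00:00Z user=raj role=engineer dataset=telemetry rows=39000
2023-05-10T16:30:00Z user=raj role=engineer dataset=employee_pii rows=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"dataset=(?P<dataset>\S+) rows=(?P<rows>\d+)$"
)


def parse(log):
    """Yield one dict per audit line; refuse silently-skipped lines so gaps are visible."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        event = m.groupdict()
        event["rows"] = int(event["rows"])
        event["day"] = event["ts"][:10]  # calendar day, used for daily totals
        yield event


def authorized(role, dataset, policy=POLICY):
    """Pillar one: a role may read a dataset only if the policy lists it."""
    return dataset in policy.get(role, {})


def check_policy(log, policy=POLICY):
    """Return sorted (user, dataset) pairs where a role read a dataset outside its policy."""
    return sorted(
        {(e["user"], e["dataset"]) for e in parse(log)
         if not authorized(e["role"], e["dataset"], policy)}
    )


def detect_bulk_exports(log, policy=POLICY, factor=10):
    """Pillar two: flag user-days that exceed the role's daily cap, or that exceed
    `factor` times the user's own median daily volume for that dataset."""
    daily = defaultdict(int)   # (user, dataset, day) -> rows exported that day
    roles = {}
    for e in parse(log):
        daily[(e["user"], e["dataset"], e["day"])] += e["rows"]
        roles[e["user"]] = e["role"]

    series = defaultdict(dict)  # (user, dataset) -> {day: rows}
    for (user, dataset, day), rows in daily.items():
        series[(user, dataset)][day] = rows

    findings = []
    for (user, dataset), days in series.items():
        cap = policy.get(roles[user], {}).get(dataset)
        median = statistics.median(days.values())
        for day, rows in sorted(days.items()):
            if cap is not None and rows > cap:
                findings.append((user, dataset, day, rows, "over daily cap"))
            elif len(days) >= 3 and rows > factor * median:
                # Need a few days of history before a personal baseline means anything.
                findings.append((user, dataset, day, rows, "far above own baseline"))
    return findings


if __name__ == "__main__":
    print("policy violations:", check_policy(AUDIT_LOG))
    for finding in detect_bulk_exports(AUDIT_LOG):
        print("bulk export:", finding)
```

On the constructed log the policy check catches the engineer reading three rows of employee PII (a permissions-leakage signal even though the volume is tiny), and the volume check catches the HR analyst's 75,000-row pull at 02:47, which a role cap alone would also stop; the personal-baseline rule exists for users whose role cap is generous enough that a large export still fits under it.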
BlackCat compromises Seiko networks.
The BlackCat ransomware gang (also known as ALPHV) has breached Seiko networks. Much of the material exposed seems to be proprietary business data, BleepingComputer reports, but some employee personal information was apparently also at risk. The watchmaker has posted a disclosure of the incident, expressed its regrets, and said that it is continuing its investigation and incident response.
James McQuiggan, Security Awareness Advocate at KnowBe4, points out the role initial access brokers played in the incident. "Knowing that the cybercriminals gained access via Initial Access Brokers (IAB) represents a continuing pattern for cybercriminals quickly gaining access to organizations' infrastructures and systems. Essentially they outsource the first step to gain access by buying exposed credentials or tokens and allowing them to compromise the target. Organizations must have or implement several technologies to improve defenses against this attack vector. They want to ensure that all internet-facing assets like RDP, VPNs, email, and web applications are consistently updated and hardened, as this is the standard attack vector with available credentials." He offered some thoughts on what organizations might do to make themselves harder targets: "Set up and regularly audit robust identity and access management systems with strong, unique passwords and multi-factor authentication, as this decreases the risk of a successful password attack. Ensure that a team of experts paired with technology is monitoring all logs and, if possible, utilizing AI or machine learning of the behavior patterns of the network to identify unusual activity. A threat intelligence and threat hunting team can investigate dark web forums for signs of compromise to catch an IAB activity before an attack. With cybercrime continually evolving, initial access brokers are an excellent practice for less sophisticated actors to bypass security barriers. Organizations must continue developing defenses and improving threat awareness at all levels to disrupt this criminal business model."
Dror Liwer, co-founder of cybersecurity company Coro, simply recommends encryption of data-at-rest. “While encryption is the norm when data travels (either via VPN, or HTTPS protocols), encryption of data at rest still isn’t, and it should be. While encrypting data at rest is not a guarantee against criminal exploitation, it does make things a lot more difficult, and as such, less profitable for the attackers.”