At a glance.
- Medical data exposed in latest GoAnywhere hack.
- Toyota Italy accidentally leaks (phishing) fuel.
- Meriton becomes latest Australian company targeted by hackers.
Toyota Italy accidentally leaks (phishing) fuel.
Carmaker Toyota Motor's Italian sales and marketing arm, Toyota Italy, has been inadvertently leaking sensitive company data for over a year and a half. Cybernews reports that the exposed data include sensitive info from the company’s Salesforce Marketing Cloud, a provider of digital marketing automation and analytics software and services, and Mapbox APIs, which are used to query map data. In the worst kind of Valentine’s Day surprise, the Cybernews research team discovered the data in an environment file on the official public-facing Toyota Italy website on February 14 this year. As Cybersecurity Help notes, the file was first indexed by internet of things search engines on May 21, 2021, meaning it was exposed for nearly two years. In the wrong hands, the data could be used to access Toyota clients’ phone numbers, email addresses, and other details, which could serve as fodder for phishing scams or other cybercriminal operations. The researchers who discovered the file stated, “This leak is significant as it could have been used to launch somewhat sophisticated phishing campaigns, as attackers would have had access and control over Toyota's official communication channels, making it more likely that victims would fall for such an attack, since the sender information would be legitimate.” Toyota says the leak has now been secured, and that they have implemented security protocols to ensure such an incident does not occur again.
Jason Kent, Hacker in Residence, Cequence Security, sees the root causes in a lack of organizational self-knowledge. "As is often the case, a big organization that has staff to make sure this doesn’t happen, has a big data breach. Why? Well, in this case Toyota says someone wasn’t following policy. Or likely, skipped a step. What can happen? Well, you forget a .env file left open publicly. There are several likely scenarios as to how it was found but keep in mind that attackers, the curious, students, everyone can perform their own personal recon of the internet. If something is left out in the open, it will be found," Kent wrote. "Once found, the .env file was a treasure trove of data that can be used for all manner of terrible things. API Keys for 3rd party services can be used and, as often is the case, BOTS will be sent in to scrape data, reset passwords, cause outages or just head out for some simple PHISHING." And the problem seems to have arisen through inattention. "The problem here wasn’t that they didn’t have policies or rules in place to ensure security. The challenge with this breach is that no one was watching to ensure the policies are followed, every time, every transaction. Transaction by transaction monitoring is the only real way to see that something is amiss and needs to be addressed."
Mark Shainman, Senior Director of Data Governance Products at Securiti, wrote about some of the immediate effects of the breach. "Toyota clients’ phone numbers and email addresses are among the exposed information. Unauthorized disclosure of sensitive data could lead to fines, legal action, reputational harm, financial losses, and other major repercussions for the brand." It will, he added, have longer-term implications for the brand as well. "The main long-term impact of a data leak caused by an authorized disclosure could very well be the loss of customers' trust - ending in catastrophic business losses. For the safety of customers’ data and regulatory reasons, enterprises must maintain up-to-date and implement holistic security, privacy, and compliance reports." And, of course, there's the matter of exposure to regulatory risk. "This breach falls under the General Data Protection Regulation (GDPR) which provides laws on data protection and privacy. Serious violations can result in a fine of up to €20 million or 4% of a firm's annual revenue from the preceding year, depending on what is higher. So the fines can be huge for a firm like Toyota if they are found to be negligent and at fault. Large companies that have millions of customers across the world must consistently conduct data breach assessments to gain real-time insights into what threats they face, ensure the deployment of proper countermeasures and understand what obligations various regulations in different regions place on them."
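The failure mode in the Toyota Italy story is a secrets file sitting inside a directory the web server serves. The script below is an added example of a pre-deployment gate for that case; it is not code from Toyota, Cybernews or Cequence. It assumes everything under a given web root is served as static content, the file names and key patterns it flags are assumptions, and the sample files are constructed so it runs offline.

```python
"""Pre-deployment gate: fail the deploy if a secrets file sits in the public web root."""
import re
import tempfile
from pathlib import Path

# File names that should never exist under a served directory (assumed list).
SENSITIVE_NAMES = {".env", ".env.local", ".env.production", ".git", ".htpasswd"}
# KEY=VALUE lines whose key name suggests a credential (heuristic, assumed).
SECRET_KEY_RE = re.compile(
    r"^(?P<key>[A-Z0-9_]*(KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)=(?P<val>.*)$"
)


def scan_web_root(web_root):
    """Return sorted (relative_path, [secret key names]) for files that must not be served.

    Only key names are reported, never values, so the report itself leaks nothing.
    """
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        if path.name in SENSITIVE_NAMES or path.name.startswith(".env."):
            keys = []
            if path.is_file():
                for line in path.read_text(errors="replace").splitlines():
                    m = SECRET_KEY_RE.match(line.strip())
                    if m and m.group("val"):  # ignore keys with empty values
                        keys.append(m.group("key"))
            findings.append((str(path.relative_to(root)), keys))
    return sorted(findings)


def build_sample_web_root():
    """Constructed layout: a harmless index page plus a forgotten .env file."""
    d = tempfile.mkdtemp()
    Path(d, "index.html").write_text("<h1>hello</h1>\n")
    Path(d, ".env").write_text(
        "APP_ENV=production\n"
        "SFMC_CLIENT_SECRET=example-not-a-real-secret\n"  # constructed value
        "MAPBOX_ACCESS_TOKEN=pk.example-not-a-real-token\n"  # constructed value
        "EMPTY_PASSWORD=\n"
    )
    return d


if __name__ == "__main__":
    for rel, keys in scan_web_root(build_sample_web_root()):
        print(f"BLOCK DEPLOY: {rel} exposes {len(keys)} credential(s): {', '.join(keys)}")
```

Run it as the last step of a deploy pipeline against the directory about to be published; a non-empty result is the "someone skipped a step" case caught before the file is indexed.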
Medical data exposed in latest GoAnywhere hack.
The list of casualties from the ransomware attack on IT firm Fortra continues to grow, TechCrunch reports. The latest victim is Brightline, an American children’s virtual mental health care startup that used Fortra’s popular GoAnywhere file transfer tool. Although Brightline has not yet publicly acknowledged the incident, a breach notification filed by Blue Shield of California, for which Brightline is a provider, states that hackers accessed the data of over 63,000 patients. It’s unclear how many of these victims are children, but the compromised data include patient names, addresses, dates of birth, gender, Blue Shield subscriber ID numbers, phone numbers, e-mail addresses, and plan details. According to the Cl0p ransomware group, which has taken responsibility for the Fortra hack, the cybercriminals exfiltrated the data and have plans to publish it on their leak site.
Javvad Malik, Lead Awareness Advocate at KnowBe4, notes the ease with which organizations fall prey to social engineering. "The ransomware attack on Children's Data Network highlights the need for all organizations to take cybersecurity seriously. The attack shows that even organizations dealing with vulnerable data can fall prey to cybercriminals," he wrote. "Cybersecurity requires ongoing investment and a culture of continuous improvement. It's important to note that most cyberattacks are successful through social engineering tactics such as phishing emails, taking advantage of weak login credentials, or exploiting unpatched vulnerabilities. These methods may seem straightforward and relatively easy, but they can have significant consequences, leading to data breaches, ransomware attacks, and other types of cybercrime. To prevent security breaches, it's essential to train employees to recognize the signs of potential threats, ensure robust password policies, keep software and systems up-to-date with the latest security patches and use multi-factor authentication where possible."
Avishai Avivi, CISO at SafeBreach, describes how the incident fits in with Cl0p's recent rampage through GoAnywhere. "The Brightline breach disclosure is the most recent addition to the growing list of Clop ransomware group victims. I’ve commented in the past about Fortra’s role and the vulnerability exploited in this successful breach. Once the Clop group realized how easy it was to breach, it’s not surprising they moved quickly to identify other vulnerable victims, specifically, organizations that left their administrative console access accessible from the internet, instead of limiting it only to approved addresses," Avivi wrote. "These breaches highlight an important aspect of security controls. Too often, I see organizations that fall into a false sense of security, thinking that they are protected by simply putting a security control in place. In this case, because the organization failed to follow a security best practice, i.e., limiting administrative access to known and trusted addresses, the malicious actors could get control over the secure transport layer.
"An apt analogy for this is a child car seat for the car. The car seat manufacturers can only guarantee the child's safety if the seat is installed or used correctly.
"Unfortunately, in this case, the real victims are not Fortra or Brightline -- the actual victims are the 63,000 individuals whose data was stolen. Unfortunately, healthcare sector organizations are at the top of the list of targets for malicious actors. The data they’re responsible for safeguarding is highly valuable, and there’s a higher likelihood that these organizations will be willing to pay the ransom to prevent the data leak. Sadly, as can be seen through previous breaches involving the sensitive data of minors (see the Bay Area Transit breach from January 2023), the malicious actors have very little regard for the true victims of this breach.
"We urge every organization to leverage all of the resources available from the Cybersecurity and Infrastructure Security Agency (CISA). We also urge that all organizations exercise due care, ensure they are deploying their security tools properly, and then continuously validate them once deployed. Another good analogy to consider is how pilots always physically inspect the plane before a flight and go through a checklist before every takeoff. They don’t simply trust the aircraft manufacturer or even the fact that the airplane just completed a successful flight."
Meriton becomes latest Australian company targeted by hackers.
Australian property developer and construction company Meriton has disclosed it suffered a data breach potentially exposing staff and customer data. The breach stems from a cyberattack that occurred in January, and the 35.6 gigabytes of compromised data include employee financial, health, and hiring details, as well as client info. Meriton says it has sent breach notification letters to approximately nineteen hundred individuals, as well as to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. “We have no evidence that this cyberincident was directed towards any specific individual, and our investigation has revealed no evidence that your information has been misused,” the notification letter reads. “We have been working closely alongside leading cybersecurity and forensic IT professionals and taking all available steps to protect against future risk to data and prevent recurrence.” The Brisbane Times notes that Australia has been experiencing a surge of cyberattacks in recent months, with consumer finance giant Latitude Financial confirming just days ago that its recent breach impacted 14 million customers.