At a glance.
- British criminal records taken offline after security incident.
- US county government HR employee computer hijacked by hacker.
- Report: data exposure at Proskauer Rose.
British criminal records taken offline after security incident.
The UK’s Criminal Records Office (ACRO) has shut down its online customer portal as it investigates a cybersecurity incident. ACRO, which works with British law enforcement, businesses, and even other countries to run criminal background checks on individuals seeking employment or completing applications for visas, pulls its data from the UK's Police National Computer. As such, The Register explains, the data handled by ACRO includes highly sensitive information such as the individual’s address history, family details, passport information, as well as cautions, reprimands, arrests, charges, or convictions. ACRO sent an email to users last week stating it recently learned of “a cyber security incident affecting the website between 17th January 2023 and 21 March 2023." The notification goes on to say that no evidence has yet been found indicating that personal user data were exposed. An investigation is being conducted by the Information Commissioner's Office along with the National Cyber Security Centre. The email continues, "We take data security very seriously and will ensure that the matter is fully investigated; part of the investigation will include learning how we can identify, prevent and block any future security threats.” In the meantime, ACRO has warned applicants that processing times could be longer than usual.
US county government HR employee computer hijacked by hacker.
The Chippewa County Human Resources Department, located in the US state of Wisconsin, has disclosed that an intruder infiltrated a county computer and likely exfiltrated private data. According to Toni Hohlfelder, the county's human services director, a remote-controlled application was accidentally downloaded by a Chippewa County employee in February.
"The County cannot confirm how this occurred, but we believe it was by accidentally clicking on an Internet pop-up or malicious link in error that downloaded the application," she stated. As GovTech explains, a few days later the attacker used the remote app to type on the staffer’s computer, and it’s estimated the intruder had access to the computer for about five minutes before the IT department was able to secure it. During that short time, the hacker downloaded 25-35 MB of data, most likely files saved on the employee’s desktop, some of which contained private medical data including patient names, drug prescriptions, and medical history numbers. WEAU reports that approximately 850 individuals were impacted. County administrator Randy Scholz said this type of breach could happen to anyone, and he applauded the department’s response to the intrusion. "Our employee recognized it and took action quickly," Scholz said. "And our IT department mitigated the hacker too. It's just a real credit to our employee and the IT Department. I'm proud of how we reacted; the training paid off."
Report: data exposure at Proskauer Rose.
TechCrunch reports that international law firm Proskauer Rose exposed sensitive client data for more than six months due to a security oversight. During the time in question, approximately 184,000 files from Proskauer’s merger and acquisitions business were being stored in an unsecured Microsoft Azure cloud server. The law firm, which is based in the US state of New York, used the database to store private and privileged financial and legal documents connected to high-profile acquisitions. Although Proskauer secured the data two weeks ago, the firm has not yet notified its clients and has declined to disclose details about the quantity and nature of the exposed data or why it was improperly stored. A Proskauer spokesperson did acknowledge that “an outside vendor that we retained to create an information portal on a third-party cloud-based storage platform had not properly secured it.” The outside vendor has not been named.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote, "Although Proskauer has stated there's no evidence of malice or exfiltration of data, our honeypot studies show misconfigured and publicly-accessible servers are found and attacked within just a few hours, and attacks occur by the minute. Given that this exposure lasted six months, it would be foolish to assume no one stole the data. Big law firms like Proskauer hold a lot of extremely sensitive business information and should take better care to secure their IT environments."
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, agrees that the incident looks like a case of misconfiguration. "It appears that this is another case of a misconfigured data bucket (on an unsecured Microsoft Azure cloud server), leaving sensitive client data exposed for over six months. It is vital for organizations to double check their security and privacy settings on their servers to make sure their data is protected against instances like this."
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, isn't surprised by the incident: holding large quantities of data always carries risk. “This breach of sensitive legal documents and data is not surprising. No organization is safe, especially if the defensive strategy is to rely on traditional perimeter-based security models which isolate sensitive data but only protect the borders. Data-centric security, which protects the data itself, is a much better and safer option that can augment more traditional protection methods, because it focuses on protecting data elements themselves using techniques such as tokenization or format-preserving encryption. In these methods, innocuous representational data replaces sensitive data elements, so the actual information is incomprehensible and ultimately free from being leveraged by threat actors for their own gain. Organizations must make the effort to head off potentially catastrophic repercussions by augmenting their defensive posture with data-centric security. It’s a critical passport for the journey to a more secure data environment.”
Roger Grimes, data-driven defense evangelist at KnowBe4, wrote about the risk of misaligned privileges. "Inappropriately elevated permissions have long been a top problem in cybersecurity, but it has been exacerbated by databases stored on the Internet or in the cloud. Cloud resources, by definition, are reachable on the Internet. On traditional networks, it used to take an attacker getting 'inside' an organization's network to find confidential data not adequately protected by the appropriate access controls and permissions. Getting inside used to be a big hurdle to jump. Now it's not so much, but when the resource is directly reachable over the Internet, the attacker no longer has to be inside. The inside is the outside. Now all attackers have to do is scan for unprotected resources. All organizations should implement policies, controls, technical defenses, and education to ensure that all digitally-protected resources are appropriately access controlled and permissioned from the very beginning and throughout the asset's life cycle. It wasn't easy to do this in traditional environments as there are no perfect tools that work on all platforms, but it's even harder to do and ensure in the cloud. The first step is setting up a program to ensure that the correct access controls and permissions are set and managed. Most organizations don't have thorough access control and permission programs, and it shows by the repeated stories of easily available confidential data."
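The "double check the settings" advice from Hauk and the "program to ensure correct access controls" Grimes describes both come down to auditing the storage configuration itself. The following script is an added illustration, not code from any of the parties above: it flags the Azure Storage account and container settings that can leave blobs anonymously readable. The input is assumed to mirror the JSON shape of `az storage account show` and `az storage container list` (field names such as `allowBlobPublicAccess` and `publicAccess`; verify against your CLI version), and the sample data is constructed.

```python
"""Flag Azure Storage settings that can leave blobs publicly readable.

Input is assumed to mirror the JSON produced by `az storage account show`
and `az storage container list`; confirm field names against your CLI version.
The sample below is constructed for illustration.
"""
import json

# Constructed sample: an account that still permits anonymous blob access,
# with one container whose ACL exposes every blob it holds.
SAMPLE_ACCOUNT = json.loads("""{
  "name": "exampleportalstorage",
  "allowBlobPublicAccess": true,
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "networkRuleSet": {"defaultAction": "Allow"}
}""")
SAMPLE_CONTAINERS = json.loads("""[
  {"name": "deal-documents", "properties": {"publicAccess": "container"}},
  {"name": "logs", "properties": {"publicAccess": null}}
]""")


def audit_storage(account, containers):
    """Return a list of (severity, finding) tuples; an empty list means no issues found."""
    findings = []
    if account.get("allowBlobPublicAccess"):
        findings.append(("high", "account permits anonymous blob access; set allowBlobPublicAccess=false"))
    if account.get("networkRuleSet", {}).get("defaultAction", "Allow") == "Allow":
        findings.append(("medium", "network default action is Allow; set Deny and add explicit rules"))
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append(("medium", "HTTPS-only traffic is disabled"))
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append(("low", "minimum TLS version is below 1.2"))
    for c in containers:
        access = (c.get("properties") or {}).get("publicAccess")
        # A container ACL only exposes data while the account allows public access,
        # but clear it anyway so a later account-level change cannot re-expose data.
        if access in ("blob", "container"):
            findings.append(("high", f"container '{c['name']}' has anonymous access level '{access}'"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_storage(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS):
        print(f"[{severity}] {finding}")
```

Run it against the real CLI output piped to a file to get the same findings list for an account you manage; a vendor-built portal should be audited the same way, since the exposure here came from a third party's configuration.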