At a glance.
- Update on alleged law enforcement data leak in Philippines.
- Data of nearly 1.5 million American Bar Association members compromised.
- Indian bank denies reported data breach.
- Black Basta walks off with Yellow Pages data.
Update on alleged law enforcement data leak in Philippines.
As we discussed last week, cybersecurity researcher Jeremiah Fowler discovered an unprotected database containing over 1.2 million records of personal data apparently linked to law enforcement in the Republic of the Philippines. Inquirer.net reports that an investigation has been launched by Philippine authorities, and while the country’s privacy regulator says there is no “concrete evidence” yet that the data were leaked, the National Privacy Commission (NPC) agrees with the researcher’s findings that the data were not properly secured. Michael Santos, chief of NPC’s complaints and investigation division, stated, “At this point, we still have no concrete evidence that indeed 1.2 million records [were] leaked. What we know now is that it was left exposed.” The National Bureau of Investigation, Civil Service Commission, and Bureau of Internal Revenue have conducted vulnerability tests on their systems and have found nothing indicating a breach. However, the Philippine National Police (PNP) say they need more time to determine whether their networks were breached, and Santos says the NPC will launch an “onsite investigation” of the PNP’s data processing system today. Fowler has also been enlisted to assist with the investigation. The data in question appeared to belong to individuals who were employed or applied to work in law enforcement, and Santos says the NPC thinks the breach “could be related to [the PNP’s system handling] job applications or job recruitment.”
Data of nearly 1.5 million American Bar Association members compromised.
The American Bar Association (ABA) has disclosed it experienced a data breach that compromised data belonging to 1,466,000 of its members. An intruder was detected in the ABA’s network on March 17th, and the organization has begun notifying members that the attacker accessed hashed and salted login credentials for a legacy member system decommissioned in 2018. The notification email reads, “The incident response plan was immediately activated, and cybersecurity experts were retained to assist with the investigation. The investigation determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023 and may have acquired certain information.” The ABA told Bleeping Computer that this was not a ransomware attack and that no corporate or personal data were stolen. However, there are concerns that the credentials could be dehashed and used by cybercriminals to gain access to the current ABA membership portal, as members may have reused their old passwords in the new system. As such, the ABA recommends that members reset their passwords on the portal as well as on any other sites where they might have used the same credentials.
Industry experts have been commenting on the incident. Some said that more technical details about the measures in place to protect the data would be needed before an assessment could be made, especially given reports that a decommissioned legacy system may have been exploited. Paul Bischoff, Consumer Privacy Advocate at Comparitech, pointed out that not all algorithms afford equal security. "The ABA says the compromised passwords were hashed and salted, but not which algorithm was used to hash and salt them. For example, if the passwords were hashed with a deprecated algorithm like SHA1 or MD5, then an attacker could theoretically use brute force to obtain plain text passwords. Hopefully the ABA used a modern hashing algorithm like SHA2, which would make it nearly impossible for hackers to crack the passwords. As long as they can't be cracked, then they shouldn't pose a threat. Out of an abundance of caution, ABA members should still change their passwords if they used the same password on the old and new systems."
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, also observed that the hashing and salting are only as good as their algorithms make them. "While the American Bar Association says the passwords stolen were 'hashed and salted,' since the passwords in question may have been in use from before 2018 the algorithm's protection against decrypting may be an earlier, less secure method, leaving the passwords open to brute force attacks. It goes without saying that ABA members should immediately change their passwords, while also changing passwords on any other accounts where they reused the passwords. On the bright side, there should be no shortage of available lawyers if an ABA member decides to sue over the breach. Or more likely, ABA members would simply view it as more of a do-it-yourself project to save on legal fees."
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, advocated a "data-centric" approach to security, especially by organizations that hold valuable data:
“Data breaches are unfortunately becoming more common in today's digital age, and it is important for organizations to take proactive steps to protect their sensitive information and the information of their clients and members. The news that the American Bar Association (ABA) has suffered a data breach is concerning news for both the organization and its members. Details about the breach are still emerging, but early reports indicate that the breach may have involved the theft of credentials including hashed and salted passwords.
“Organizations need to understand that they are all potential targets, and they need to assume that a cyber-attack is imminent. They shouldn’t panic, though. IT leaders need to rethink their data security posture, strengthen outdated traditional controls such as border security with next-generation capabilities, and most importantly protect the very data itself that threat actors are after. Data-centric security such as tokenization can convert sensitive data to innocuous and incomprehensible information that hackers simply can’t use or compromise, even if they get direct access to it.”
And, of course, basic digital hygiene and social engineering awareness are always important. Darren James, senior product manager at Specops Software, wrote:
“The American Bar Association (ABA)’s data breach is particularly unfortunate as the hackers gained both user names and passwords which points toward a database compromise. Despite the salting and hashing done in the ABA’s database it’s important to note that some systems use the same salt for all the hashes and have even been known to keep the salt in a table in the same database—which renders the whole salting process worthless!
“Other systems use random salts for each hash, but that means you need to store the salt along with the hash. The negative to this is that the salts are available for all hashes, but the positive is the threat actor has to build hash tables for each salt, which can take a lot of time. If that is the case, it seems like the time cost wasn’t a deterrent to this particular hacker.
“No matter what the specifics around ABA’s salting and hashing are, the advice about changing passwords is still important because the ABA is concerned about the common password mistakes made by users, like password re-use and not changing default password settings. Now that those usernames and salted password hashes are out in the wild, there is no time limit for the threat actor to be concerned about—therefore it’s important for ABA end-users to change their passwords as soon as possible, wherever they’re in use.
“Finally, it’s particularly important to be vigilant for spear-phishing emails. As with any breach, end-users aim to act quickly to change their passwords but should be vigilant of phishing emails with malicious site links that take advantage of breaches like this one. When in doubt, reach out to your IT administrator to verify the communications before taking any action.”
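The salting behaviours described in the comments above, shown side by side as an added illustration (this is not code from the article, the ABA, or any vendor quoted here): a fast hash with one site-wide salt lets two users with the same password collide, which an auditor can detect simply by counting duplicate hashes, whereas a per-user random salt with a slow key-derivation function does not. The user names, passwords and salt value are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: two users who happened to choose the same password.
USERS = {"alice": "Summer2017!", "bob": "Summer2017!"}
SITE_SALT = b"one-salt-for-everyone"  # the shared-salt scheme the quote warns about

def legacy_hash(password: str, salt: bytes = SITE_SALT) -> str:
    """Fast hash with a single site-wide salt: identical passwords give identical
    hashes, so one cracked hash unlocks every account sharing that password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def store_password(password: str, iterations: int = 600_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored beside the hash; its job is uniqueness, not secrecy."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def duplicate_hash_count(hashes) -> int:
    """Number of stored hashes that are shared with at least one other user.
    A non-zero count in a credential store is a sign of missing or shared salts."""
    counts = Counter(hashes)
    return sum(c for c in counts.values() if c > 1)

if __name__ == "__main__":
    legacy = {u: legacy_hash(p) for u, p in USERS.items()}
    modern = {u: store_password(p) for u, p in USERS.items()}
    print("legacy duplicates:", duplicate_hash_count(legacy.values()))              # 2
    print("modern duplicates:", duplicate_hash_count(r["hash"] for r in modern.values()))  # 0
    print("verify alice:", verify_password("Summer2017!", modern["alice"]))          # True
    print("verify wrong:", verify_password("Winter2017!", modern["alice"]))          # False
```

Running `duplicate_hash_count` over an exported credential table is a cheap check a defender can make before deciding how urgently a legacy store's passwords must be rotated.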
Indian bank denies reported data breach.
Last week it was reported that Indian financial services giant ICICI Bank suffered a data breach in which 35 lakh records containing bank and client data were leaked from a publicly accessible cloud storage bucket. Researchers say the data were left unprotected due to database misconfiguration, and the allegedly compromised data include customer credit card numbers, names, dates of birth, street and email addresses, and personal identification documents like PAN card information and scanned passports. Resumes of current and prospective employees were also discovered. However, ICICI Bank, which is India’s third largest bank, has released a statement categorically denying that a data breach occurred and has advised its customers to ignore the reports. The bank also released a statement declaring that it does not own or manage the said URLs and therefore could not be responsible for the misconfiguration, and that there is no evidence of the availability of the allegedly leaked records. The bank has also said it will take legal action against any entity reporting on the breach, and several news outlets have already removed their coverage of the story. Sanjay Kaushik, managing director at risk consulting and cybersecurity company Netrika Consulting, told ETCISO that his sources in cybercrime law enforcement confirm the leak occurred and that the data is legitimate. Kaushik says, “Generally, companies tend to deny reported data breach incidents for the first few days, unless the information is out there, in total. You can have 100% surety only when you have the details in hand.”
Black Basta walks off with Yellow Pages data.
Yellow Pages Group, which operates Canada’s yellow pages directory websites as well as its Canada411 online service, was hit by a cyberattack, and the Black Basta extortion group is taking credit. Over the weekend the cyber gang posted a sample of the bounty on their leak site, and the compromised data include ID documents bearing dates of birth and addresses, tax documents exposing Social Insurance Numbers, sales and purchase agreements, an 'Accounts Receivable' spreadsheet from earlier this year, and a recent budget and debt forecast. Franco Sciannamblo, YP's Senior Vice President Chief Financial Officer, told Bleeping Computer, "As soon as we became aware of the attack, we immediately commenced a thorough investigation into this issue with the assistance of external cyber security experts to contain the incident and ensure that we had secured our systems. Based on our investigation to date, we have reason to believe that the unauthorized third party stole certain personal information from servers containing YP employee data and limited data relating to our business customers."
James Graham, VP of RiskLens, cautions against regarding this kind of incident as an outlier. "The leaking of this kind of information is not only an issue for the Yellow Pages Group. The type of sensitive data released in this kind of attack creates a much higher risk as it makes other organizations vulnerable. As such, organizations that know they may be impacted in this breach should perform detailed quantitative risk assessments, which allow them to see in dollar terms where they may be most exposed," he wrote in an email. "Before a potential breach hits, organizations must game out loss event scenarios to fully understand their risk in financial terms, including legal and regulatory impacts, and develop a range of communication strategies accordingly."