This week
T-Mobile data breach exposes personal data of 47.8M people
T-Mobile announced a data breach affecting 47.8M people this week after a post on a dark web marketplace advertised the data on ‘100 million people’ for sale.
If it sounds familiar, that’s because this marks the fourth breach in four years for T-Mobile (vol. 3, iss. 10), making the claims that they “take our customers’ protection very seriously” increasingly hard to swallow.
The data includes first and last names, date of birth, social security number, and driver’s license or other ID information for 40 million former or prospective customers that applied for credit. 7.8M records related to current postpaid customers who may have had IMEI or IMSI (unique device identifiers) accessed.
Details of how the attackers gained access to the information have not been made public at present, though given the company has branded the incident a “highly sophisticated cyber attack.” As the access was able to be closed down so rapidly, I’d speculate someone compromised an account to a business application with really poor internal controls.
The Federal Communications Commission (FCC) has announced an investigation into the incident. The FCC publishes voluntary cyber security guidelines, rather than formal regulation, though has brought penalties for data breaches against AT&T and two budget telcos in 2015.
T-Mobile is offering two years of identity protection services for victims of the breach, though they will also be facing an expensive legal battle: five law firms wasted no time in filing a class-action lawsuit against the company.
The breach is worse than it could have been because the company kept records of potential new customers even if they didn’t take out credit or become T-Mobile customers. Under European privacy regulations, companies must not keep personal data for longer than it is needed. A spot of digital hygiene could have helped reduce the number of records exposed.
vice.com, ft.com, theguardian.com, wsj.com (FCC probe), vice.com (class action)
Interesting stats
37% of 800 international companies surveyed by analyst firm IDC experienced a ransomware attack or data breach in the past 12 months vice.com
$91.6M lost revenues for healthcare provider Scripps during the four-week recovery period following ransomware outbreak, and $21.1M costs associated with the response and recovery from the incident, with $5.9M being reimbursed from their cyber insurance policy therecord.media
Other newsy bits
Pearson fined $1M for misleading investors
Pearson has settled a case with the US Securities and Exchange Commission (SEC) over charges that they made “misleading statements and omissions” about a data breach in 2018 to investors. These filings and disclosures need to be precise and the SEC is frowning on hypotheticals, maybes and veracity of claims.
The agency said that in Person’s semi-annual review filed in July 2019, the company referred to the incident as a “hypothetical risk,” even after the data breach had happened. Similarly, in a statement that same month, Pearson said the breach may include dates of birth and email addresses, when it knew that such records were stolen, according to the SEC. Pearson also said that it had “strict protections” in place when it took the company six months to patch the vulnerability after it was notified.
Risk = Hazard + Outrage
Phil Venables’ post goes into detail on this concept and the use of ‘pre-mortems’ to think not just about the hazard of a scenario but also that the potential outrage may (not) be.
As the equation states, Risk is a function of Hazard and Outrage… Most traditional risk analysis methods, whether they are quantitative or qualitative focus extensively on hazards. That is, they focus on risk as an impact or consequence of various factors of threat and vulnerability. It’s a purely mechanical view of saying we should care more or less about mitigating something based on its operational or other impact to the system or organization… This is fine in theory but for those of you that have done the job of CISO, Chief Risk Officer, Chief Compliance Officer or similar you know a big chunk of the reality of day to day risk management is as much about Outrage as Hazard.
Social media lockdown in Afghanistan
Interesting lead on from Risk = Hazard + Outrage above, Facebook has rolled out features to help Afghans up their OPSEC and protect themselves from being identified as persons of interest to the Taliban. The reports out of Kabul show many people are terrified and searches may be being carried out door-to-door. These sorts of ‘security controls’ and the presence of genuine social and physical harms don’t tend to crop up on many cyber/privacy risk assessments. Facebook is in an unenviable position having to reconcile those factors and protect people.
In brief
Attacks, incidents & breaches
- Almost 2,000 Microsoft Exchange servers were compromised using ProxyShell vulnerabilities therecord.media
- A copy of what seems to be the FBI’s terrorist screening center database was left online for three weeks on an IP address in Bahrain therecord.media
- For almost two months customers of JPMorgan Chase with ‘similar information’ could access other parties bank statements and other personal info bleepingcomputer.com
- 8TB criminal case data unrecoverable after Dallas Police Department migration snafu theregister.com
- $94M stolen from breach of Japanese crypto-currency exchange Liquid therecord.media
- Ransomware attack against Memorial Health System facilities in West Virginia and Ohio has resulted in patients being turned away and cancelling of non-urgent care arstechnica.com
- Colonial Pipeline sending brach notifications to 5,810 current and former employees after ransomware attackers made off with personal data zdnet.com
- Brazil’s National Treasury hit by ransomware attack zdnet.com
- Japanese insurer Tokio Marine also the victim of a ransomware attack, says no indication of customer data theft cyberscoop.com
Threat intel
- Iranian wiper attacks linked to similar ones against Syria via Indra group, according to Checkpoint bleepingcomputer.com
- FBI warning food delivery services like Just Eat, DoorDash and Instacart of credential stuffing attacks against their platforms therecord.media
- Mozi botnet gain DNS spoofing and HTTP session hijacking capabilities microsoft.com
Vulnerabilities
- You probably didn’t realise it, but BlackBerry is still around and makes an operating system used in real-time systems called QNX. It’s used in over 175M cars, plus other automotive, medical and energy applications and they’re vulnerable to BadAlloc cyberscoop.com, cisa.gov
- Fortinet and Rapid7 bickering about vulnerability disclosure - patch fort FortiWeb to be released by the end of the month zdnet.com
- Cisco RV110W, RV130, RV130W, and RV215W small business routers have a remote code execution vulnerability (CVE-2021-34730) with a CVSS score of 9.8 that won’t be fixed because the devices are end of life bleepingcomputer.com
Security engineering
- Don’t allow insecure direct object reference (IDOR) in the web service of your health startup techcrunch.com, how to prevent it: owasp.org
- iCloud Passwords is coming to Windows as Apple expands the (albeit basic) capabilities of its password manager arstechnica.com
Internet of Things
- Potential 83M connected cameras using the ThoughTek Kalay protocol, used in products from Xiaomi and Wyze, have vulnerabilities that allow attackers to view video and access networks cyberscoop.com
Privacy
- List of privacy legislation for each of the US states zdnet.com
- Research into Apple’s NeuralHash algorithm quickly finds hash collisions (false positives) techcrunch.com and is also facing backlash from 90 rights groups: “Apple will have laid the foundation for censorship, surveillance and persecution on a global basis” arstechnica.com
Public policy
- China introduces ‘Regulations on the Security Protection of Critical Information Infrastructure’ requiring annual security reviews, breach reporting obligations and monitoring requirements on infrastructure providers theregister.com
- Sticking with China… Apple is applying its Chinese-mandated political censorship in Hong Kong and Taiwan zdnet.com
Mergers, acquisitions and investments
- Microsoft invests ’low tens of millions’ into cloud backup firm Rubrik zdnet.com
- Cloud-based SIEM for the mid-market: Blumira raises $103M Series A funding round techcrunch.com
And finally
Robin Hood round: funding your startup through ransomware
The founder of a social network startup demonstrated just how innovative his ideas are when he was caught by researchers this week trying to convince employees to install ransomware on their company’s network in exchange for a cut of any ransom payment. The wannabe ransomware actor appeared to share details of his identity and company as a way to build trust with researchers who responded to his approach over email.
You can post LinkedIn job adverts as any company
… because of course you can! Worse, apparently, you can prevent it by emailing an undisclosed LinkedIn email account, though I suspect also paid-for corporate recruiter accounts may also result in similar protection.