Data Breach Round-Up – Last Week (26th Jan – 1st Feb)

Data Breach Round-Up – Last Week (26th Jan – 1st Feb)

Share with your network!
Data Breach Round-Up – Last Week (26th Jan – 1st Feb)

 

Data Breaches Up 20% in 2019. Here’s a Round Up of Last Week’s.

The total data breach figures are coming in for 2019 and there is good and bad news.

Identity Theft Resource Center (ITRC), a non-profit, says the number of breaches rose by 17% from 1,257 in 2018 to 1,473 in 2019. This debunks 2018’s figures which showed the number of data breaches as falling from the previous year. ITRC president Eva Velasquez says:

“It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed. The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed.”

The ITRC study, sponsored by CyberScout, did however find the total number of records exposed in 2019 fell by 50% on the previous year. Notably, there appears to be a 65% reduction in the number of records containing “sensitive personally identifiable information,” which were exposed.  This latter figure is down from 471 million in 2018 to below 165 million in 2019.

Breaches of personally identifiable information (PII) can be more concerning as this data can include social security numbers, actual bank account details, driver’s license numbers, and other such credentials that cybercriminals can use to open accounts and impersonate individuals.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

 

The ITRC also says:

“We also saw the rise of a significant new threat — data exposure from unsecured databases — and growth of an existing tactic known as credential stuffing where data thieves use seemingly innocuous information like stolen email addresses and logins to attempt to access various kinds of accounts. Third-party vendors also continued to be a source of data breaches through accidental release or supply chain cyberattacks.”

Here at The Defence Works we’ve covered these threats over recent weeks. Unsecured databases on cloud servers have been a common trend in the causes of many data breaches we’ve reported. Supply chain and vendor risk is a prominent theme in cybersecurity today, with organisations like Europol and the National Cyber Security Centre (NCSC) warning of the dangers.

MarketWatch reports the average cost of a data breach for a US company is now $8.2 million according to IBM and Ponemon Institute data. The average cost per lost record in the US is $242.

Without further ado, let’s see what we can learn from some of last week’s data breach revelations…

 

St Louis Community College, St Louis, US.

One of the latest education breaches, St Louis Community College may have seen thousands of records exposed after email-based attacks on staff. The “series” of attacks reported by KSDK, gave the cybercriminals access to data held in employee email accounts. The breached information may include names, student identification numbers, addresses and phone numbers for over 5,000 students as well as the social security numbers of 71 individuals.

St Louis Community College revealed the breach on Tuesday and says most affected accounts were secured within 24 hours and all of them within 72 hours.

 

Crew and Concierge Ltd, UK.

Verdict investigation has discovered an exposed server containing 90,000 files belonging to international recruitment agency Crew and Concierge. The database appears to contain records of individuals registered with the recruiter and the personal data of over 17,000 individuals from around the globe who work in the yachting sector may have been breached. The records included CVs and resumes, names, addresses, and visa information, as well as over 1,000 passport copies.

Verdict says the database was left exposed on a “misconfigured unsecured Amazon Web Services (AWS) S3 bucket and appears to have been online and available for anyone to access without a password since February 2019.”

The bucket was reportedly secured within hours of the company being notified.

Sara Duncan, director of Crew and Concierge, in a statement to Verdict, says:

“We have been advised by the cybersecurity consultant that exploitation of S3 buckets is by no means a straightforward activity and that it appears likely that the individual or individuals responsible have developed advanced tools designed specifically to identify AWS customers and whether or not they have misconfigured instance that may leave it open to malicious attack.”

Duncan says Crew and Concierge had placed “confidence” in the developers it had hired, that the company takes “full responsibility as the data controller,” and, she adds:

“In the very short period, we have come to understand the true impact of a cyberattack, and we have learnt many valuable but hard lessons.”

 

The United Nations

Reports also emerged last week that the UN had experienced a data breach in July 2019 pinpointed to a flaw in Microsoft SharePoint. As per Threatpost hackers exploited a vulnerability and gained access to an estimated 400 GB of sensitive data. A document which revealed the attack was reportedly leaked by The New Humanitarian and it says that at least 42 UN servers in Geneva and Vienna were compromised. The data exposed may include information about UN staff and organizations that work with the UN.

Ben Parker, of The New Humanitarian, says:

“Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report… implies that internal documents, databases, emails, commercial information and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals and organisations communicating with and doing business with the U.N.”

Threatpost received a statement from the UN which read:

“Although hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information. The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices. However, they did not succeed in accessing passwords. Nor did they gain access to other parts of the system.”

 

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.