Thought leadership. threat analysis, news and alerts.
Ontario and BC Privacy Commissioners Find LifeLabs Failed to Protect Personal Health Information of Millions of Canadians
Ontario and BC Privacy Commissioners Find LifeLabs Failed to Protect Personal Health Information of Millions of Canadians
A joint investigation by the Information and Privacy Commissioners of Ontario and British Columbia (BC) has found that Canadian laboratory testing company LifeLabs failed to protect the personal health information of millions of Canadians resulting in a data breach in 2019.
In a statement, the Information and Privacy Commissioners of Ontario and BC said the two offices found that LifeLabs failed to take reasonable steps to protect the personal health information in its electronic systems; failed to have adequate information technology security policies in place; and collected more personal health information than was reasonably necessary. LifeLabs is the largest provider of general health diagnostic and specialty laboratory testing services in Canada. It conducts over 100 million laboratory tests annually and supports 20 million patient visits annually. Its website is visited by more than 2.3 million Canadians to access their laboratory results each year.
According to the Information and Privacy Commissioners of Ontario and BC, on November 1, 2019, LifeLabs reported a cyberattack on their computer systems to the two offices. The cyberattack affected approximately 15 million LifeLab customers, including name, address, email, customer logins and passwords, health card numbers, and laboratory test results. Affected customers were mostly from Ontario and British Columbia.
The two offices issued the following orders to LifeLabs: improve specific practices regarding information technology security; put in place written information practices and policies with respect to information technology security; and cease collecting specified information and to securely dispose of the records of that information which it has collected.
“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law," Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. "This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks."
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” Michael McEvoy, Information and Privacy Commissioner of British Columbia, said in a statement. “The orders made are aimed at making sure this doesn’t happen again. This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”
Last March 25, the Ontario government amended its health privacy law, making it the first province in Canada to give the Information and Privacy Commissioner the authority to levy monetary penalties against those who violate Ontario's Personal Health Information Protection Act (PHIPA).
According to the Ontario and B.C. privacy commissioners, to date, they still can't release the full report of their findings as LifeLabs asserted that the information that it provided to the commissioners is privileged or otherwise confidential. The privacy commissioners said they intend to publish the full report unless Lifelabs takes court action.
LifeLabs, for its part, said it's reviewing the report’s findings of the Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner of British Columbia. "We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon," LifeLabs said.
According to LifeLabs, one of the changes made as a result of the cyberattack on its IT systems is the appointed of a Chief Information Security Officer (CISO), Chief Privacy Officer and Chief Information Officer. The company added that it has enhanced and accelerated its Information Security Management program with an initial $50 million investment to achieve ISO 27001 certification – a gold standard in information security management.
Stealing of Data and Ransom Demand
According to the Information and Privacy Commissioners of Ontario and BC, LifeLabs told the two offices in November 2019 that the cyberattacker or cyberattackers on LifeLabs penetrated the company’s systems, extracted data and demanded a "ransom".
In December 2019, Charles Brown, LifeLabs' president and CEO, in a statement, admitted to "retrieving the data by making a payment". "We did this [paying the ransom] in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals...."
To date, based on the statements of the Information and Privacy Commissioners of Ontario and BC as well as LifeLabs, there’s no mention of the word "ransomware". Due to this lack of information, the cyberattack on LifeLabs may or may not be a ransomware attack.
What is clear though is that the cyberattack on LifeLabs involved stealing of data, ransom demand, and in this case, a ransom payment. There are currently over a dozen ransomware groups that openly admit that they don't merely demand ransom to decrypt (unlock) encrypted (lock) files, but they also steal data and leverage this stolen data in case the ransomware victim refuses to pay ransom for the purpose of decryption.
Several months ago, the ransomware called "Maze" started the trend of naming and shaming ransomware victims that refuse to pay ransom for the purpose of decrypting the encrypted files. The group behind the Maze ransomware created a website that names ransomware victims that refuse to pay ransom and further threatens victims that continued refusal to pay ransom will result in the publication of the data stolen prior to the data encryption.
The group behind the ransomware called "REvil", also known by the name "Sodinokibi", recently created an e-bay-like auction site, auctioning the files of ransomware victims that continued to refuse to pay ransom. The REvil ransomware group auctioned the stolen files of a Canadian agricultural production company, one of its ramsomware victims that continue to refuse to pay ransom. The group offered 3 databases and 22,000 files stolen from the agricultural company to the successful bidder.
No organization is immune. Dealing with cyberattack and its consequences is not a matter of IF but a matter of WHEN. Get a head start by identifying and mitigate key IT risks today. Schedule a free assessment today or call 1.888.900.DRIZ (3749)
Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation
The Office of the Information and Privacy Commissioner of Alberta recently released an annual report, covering the period of April 1, 2018 to March 31, 2019, showing a 407% increase in healthcare sector data breaches. The spike of healthcare sector data breach reports was similarly seen in Ontario.
The period covered by the annual report includes only seven months of mandatory breach reporting in the healthcare sector in Alberta. Alberta’s Health Information Act took effect on August 31, 2018, mandating the more than 54,900 health information custodians in the province, including Alberta Health, Alberta Health Services, Covenant Health, nursing homes, physicians, registered nurses, pharmacists, optometrists, opticians, chiropractors, podiatrists, midwives, dentists, denturists and dental hygienists to notify an individual affected by a privacy breach as well as notify the Information and Privacy Commissioner of Alberta and the Minister of Health.
The Alberta law also provides penalty provisions in case the health information custodian fails to report a breach or fails to take reasonable steps in maintaining safeguards to protect health information.
The Office of the Information and Privacy Commissioner of Alberta reported that a total of 674 breaches were reported under Alberta’s Health Information Act during the period of April 1, 2018 to March 31, 2019, representing a 407% increase compared to the reported average of 130 healthcare sector data breaches for the last few years.
In the report written by Jill Clayton, Information and Privacy Commissioner of Alberta, many of the healthcare sector data breaches are relatively easy to address, requiring only the health information custodians to notify the affected individuals and to take preventive steps to prevent similar events from re-occurring in the future. A significant number of these cases, Clayton said, are much more serious, involving law violation and affecting hundreds to thousands of Albertans. A significant number of these cases, Clayton said, often becomes offense investigations and can result in significant court-imposed fines for offending parties.
The Information and Privacy Commissioner of Alberta said that active offense investigations have risen from 5-6 at any one time to over 20 as of September 30, 2019, with nearly 70 healthcare sector data breaches flagged as potential offenses. Since Alberta’s Health Information Act took effect on August 31, 2018, the Commissioner said there have been 10 convictions for knowingly accessing health information under the said Alberta law.
The Commissioner also reported that since the Health Information Act took effect, more snooping breaches – unauthorized access to health information by authorized users of health information systems – have been reported. “Cyberattacks were also reported more frequently, which is a concern that will need to be monitored,” the Information and Privacy Commissioner of Alberta said.
Healthcare Sector Data Breach Reports in Ontario
The spike of healthcare sector data breach reports was similarly seen in Ontario. In late 2017 Ontario’s Personal Health Information Protection Act took effect, requiring health information custodians, including hospitals, pharmacies, doctors’ offices, and dental clinics to report health privacy breaches to the Information and Privacy Commissioner of Ontario.
In the period covering the first full year of the mandatory healthcare sector breach reporting, from January 1 to December 31, 2018, the Information and Privacy Commissioner of Ontario reported that self-reported breaches in the healthcare sector rose from 322 in 2017 to 506 in 2018. Out of the 506 breaches reported, 120 were snooping incidents, 15 were ransomware and other cyberattacks, while the remaining 371 were due to lost, stolen or misdirected health information, records not properly secured and other collection, use and disclosure issues.
According to the Information and Privacy Commissioner of Ontario, the rise in snooping incidents wasn’t indicative of the rise of snooping incidents, but rather health information custodians have better methods of detection, such as the use of using data analytics to monitor and audit health information systems for unauthorized access and other types of health privacy breaches. The Information and Privacy Commissioner of Ontario also noted that the rise of self-reported breaches in the healthcare sector rose as health information custodians are now required to report breaches, unlike in previous years where it was only recommended to do so.
Cyber Attacks: A Growing Concern in Health Care
In the 2018 Annual Report for the Information and Privacy Commissioner of Ontario to the Legislative Assembly of Ontario, Commissioner Brian Beamish said that in 2018, Ontario’s health care sector was a prime target of ransomware and other cyber-attacks, with victims ranging from local health integration networks to long-term care facilities.
In June 2018, CarePartners, a home care service provider to Ontario's Local Health Integration Networks (LHINs) and an Ontario-based community health care agency, reported a data breach to the Information and Privacy Commissioner of Ontario. “The cyber-attack breached CarePartners' computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed by the perpetrators,” CarePartners said in a statement. The health care agency, however, didn’t specify the extent of the data breach in the public statement.
Commissioner Beamish said that cyber-attacks, in particular ransomware attacks, underscored the importance of the following:
In the area of snooping or unauthorized access to health information by authorized users of health information systems, Commissioner Beamish said artificial intelligence can be used to curb unauthorized access. "When deployed properly, technology that identifies anomalous behaviour is a valuable tool for health information custodians, to not only detect and deter unauthorized snooping but to immediately identify and respond to cybersecurity threats,” Commissioner Beamish said.
Healthcare organizations are a prime target for cybercriminals. Let us help you protect patient information and mitigate IT security related risks.
Contact us today to get started.
Everything You Need To Know About The Recent Adobe Creative Cloud Data Breach
Adobe recently admitted that it made a mistake in configuring its cloud database, resulting in the inadvertent exposure of its Creative Cloud customer information. This latest cyber incident adds to the growing number of misconfigured cloud databases, resulting in the exposure of important customer data.
Last October 25th, Comparitech and security researcher Bob Diachenko reported that Adobe exposed its Elasticsearch database without a password or any other authentication, leaving nearly 7.5 million Adobe Creative Cloud user records open to anyone with a web browser. According to Diachenko, the Elasticsearch database of Adobe was exposed for almost a week. Comparitech and Diachenko said that Adobe secured the database on the same day it was notified about the data exposure.
Adobe, meanwhile, acknowledged that one of its “prototype environments” was “misconfigured,” which resulted in the inadvertent exposure of Creative Cloud customer information, including e-mail addresses. The company said no passwords or financial information were exposed in the said incident. “We are reviewing our development processes to help prevent a similar issue occurring in the future,” Adobe said.
Elasticsearch Database Misconfigurations
Elasticsearch is a software that allows users to index and search textual, numerical, geospatial, structured and unstructured data. This software was first released in 2010 by Elasticsearch N.V., now known as Elastic.
In January 2017, John Matherly reported that 35,000 Elasticsearch databases were exposed on the internet, with most of them deployed on Amazon Web Services (AWS) – a subsidiary of Amazon that provides on-demand cloud computing platforms. Matherly is the developer of Shodan, a search engine that allows users to find anything connected to the internet, including webcams, routers and servers.
Exposing your organization’s Elasticsearch databases to anyone with a web browser opens your organization to ransomware attacks. In January 2017, security researcher Niall Merrigan reported with the use of Shodan and "crunching some data", he found 4,000 Elasticsearch databases that fell victim to ransomware attacks.
The first report of an Elasticsearch database being hit by ransomware appeared on the official Elastic forum. In a ransomware attack on an Elasticsearch database, data indices are wiped out and replaced with a single index warning that says, “SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS….”
Exposing your organization’s Elasticsearch databases to anyone with a web browser also puts your customers at risk to targeted phishing scams. Attackers, for instance, could create phishing scams that target the Adobe Creative Cloud users whose emails were leaked.
Phishing scams weaponize emails, sending emails to random or targeted individuals, tricking email recipients to open malicious emails that contain malicious links or malicious attachments. Clicking this malicious link or malicious attachment leads to the installation of malicious software (malware) on the email recipient’s computer.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams,” said Comparitech and Diachenko. “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
How to Secure Your Organization’s Elasticsearch Database
Elastic, the company behind Elasticsearch, said that it isn’t responsible for the exposure of sensitive data in internet-facing Elasticsearch. “Recent reports about sensitive data being exposed in Internet-facing Elasticsearch instances are not related to defects or vulnerabilities in Elastic-developed software,” Mike Paquette, security product director at Elastic, told Infosecurity Magazine. “Reports usually involve instances where individuals or organizations have actively configured their installations to allow unauthorized and authenticated users to access their data over the internet.”
Paquette added that Elasticsearch, by default, doesn’t allow outsiders snooping at Elasticsearch database. He said Elasticsearch only communicates to local addresses by default. Paquette said that in case a system administrator wants the Elasticsearch database to be accessed by unauthorized and authenticated users, it has to be configured for this to happen. He added that system administrators often configure Elasticsearch databases to be accessed by unauthorized and authenticated users during testing and then forget to change this configuration during production.
Another reason why Elasticsearch databases keep getting hacked is due to the absence of additional authentication measures such as multi-factor authentication. In the case of Elasticsearch, while its open source features are free, additional features of the software such as multi-factor authentication are available only under the Elastic license and paid subscriptions, which means that organizations have to pay up in order to avail of this extra layer of protection.
Another reason why Elasticsearch databases keep getting hacked is due to the wrong assumption that deployment of Elasticsearch database on AWS protects this database. According to AWS, security of Elasticsearch databases deployed on AWS needs extra work, such as restricting access based on source IP addresses or by locking down access even further based on job functions and roles, such that an “esadmin” has administrator power over the database; “poweruser” has access all domains, but cannot perform management functions; and “analyticsviewer” can only read data from the analytics index.
Critical information, as a rule, shouldn’t be exposed to the public internet. It’s important to practice segmentation when using Elasticsearch database and when deploying this to the public cloud such as AWS. In segmentation, critical information such as those relating to financial information is isolated from the other less sensitive information.
Concerned about cybersecurity posture of your cloud infrastructure? Contact us at firstname.lastname@example.org and we will be happy to help.
NASA Data Breach May Have Put Personnel Information at Risk
In December 2018, news broke of a data breachat NASA. This is just one of the many cybersecurity issues to strike large organizations and businesses in recent months, including Facebook, Marriott and more.
It’s believed the attack may have compromised personnel data, potentially making Social Security numbers vulnerable. The breach was first discovered in October, in servers containing personally-identifiable details of NASA staff, though it was kept from staff for nearly two months.
Obviously, this is a major problem that no doubt inspired dread in anyone who believed they may have been affected. Sadly, it’s an ongoing risk when hackers continue to utilize ever-more sophisticated techniques to bring networks down or simply steal valuable information.
At the time of writing, the extent of the breach was still unknown but was assumed to affect both current and former NASA personnel (including those connected to NASA as far back as 2006).
However, such a breach may not be a surprise to anyone following NASA closely, as its cybersecurity has been flagged for its flaws in the past. Its Office of Inspector General had indicated there were problems with NASA’s entire IT management and security processes overall — something that no company of any size can afford to overlook.
The Importance of Effective Cybersecurity
For something as vast and well-known as NASA, cutting-edge security is essential to both defend against and deter potential attacks. Not only is the data of personnel under threat, but NASA is involved in a large number of important projects, and any interference, delays or disruptions could have significant repercussions.
An audit conducted at NASA’s Security Operations Center (based in California) revealed that it was underperforming in multiple ways. A reportfrom the Office of Inspector General concluded that the Security Operations Center had ‘fallen short’ of its purpose: to act as the driving force behind NASA’s cybersecurity efforts.
Lapses in management can affect cybersecurity in every company: a proper structure must be established to address potential risks, ways to manage attacks when they happen and strategies for handling the aftermath.
The NASA breach demonstrates that even technological powerhouses, responsible for some of the most mind-bending feats in history, may still fall prey to cyber-attacks.
Common Cybersecurity Pitfalls
It’s vital that your business or organization takes steps to avoid common pitfalls that essentially open the door for hackers to step into your network and help themselves to almost anything they like. What are these dangers and how do you address them?
A lack of education
Sadly, human error is one of the biggest culprits in cybersecurity flaws. While we might all like to believe we’re smart enough to stay safe online, it’s easy to make small mistakes with big consequences.
Weak passwords increase a business’s risk of attack, and all employees should be made aware of this. Likewise, sharing sensitive data with others and falling for common phishing scams can all reduce your company’s security.
This is why comprehensive education is so essential today. Even if you have intelligent staff who know their way around all of your tools and software, they could still make one tiny error that brings your entire network down.
Data breaches can chase existing and prospective customers away to competitors offering greater stability. Research shows consumers expect companies to keep their details safe, and 70 percent would walk awayfrom a brand if their finances were affected by a data breach the business should have prevented.
Undertake expert training for all staff, at every level, to minimize cybersecurity dangers. When your employees know how to create strong passwords, keep sensitive data private and spot phishing risks, you can offer customers a higher standard of protection against threats.
Depending on outdated security
Don’t leave your security software outdated — make sure you always update to the latest version and take full advantage of the defenses it offers.
While it can be easy to assume any form of firewalls and other programs designed to keep you safe will repel attacks, that’s not the case. Cybercriminals are well-versed in tiny flaws and know how to exploit them to gain access to systems, no matter how minor such gaps may seem.
If you know your security is weaker than it should be and hackers could find an obvious way into your network, take steps to address it immediately. You can’t depend on outdated software to stop the most up-to-date attacks.
Physical security oversights
Not only is effective cybersecurity fundamental to protect your employees’ and customers’ data, but physical security is just as important.
Your business site must be equipped with the best protection you can afford. Surveillance cameras, alarms, sensors, smart locks — utilize anything and everything available to keep your workplace safe from unwanted visitors.
Why? Because apart from the obvious problems related to theft, any laptops, USB sticks, hard drives or devices stolen from your office could all contain invaluable data. Thieves may either use this themselves or sell it on to cybercriminals set to target your personnel or clients.
Certain members of staff could seize an opportunity to steal sensitive data from your system and pass it on to others.
This may be for profit or out of a malicious aim to disrupt your operations, perhaps if they feel they have been mistreated or are due to leave the company. Whatever the circumstances, anyone with access to important information could cause major problems for your business if left unchecked.
While such individuals can cover their tracks and avoid suspicion for a long time, make sure you stay vigilant. Encourage employees to be aware of potential risks posed by colleagues and understand how important it is to report any suspicions they have.
Looking to learn more about how effective cybersecurity can protect your business from hackers in 2019? Want to work with a team of cybersecurity experts with the tools, training and techniques to help your company’s system stay secure?
Just reach out and get in touch!
Equifax Data Breach Was “Entirely Preventable”, Report Says
The U.S. House of Representatives Committee on Oversight has released a report that concludes that the massive Equifax data breach back in September 2017 was "entirely preventable".
On September 7, 2017, Equifax disclosed a massive data breach affecting 143 million consumers – majority of whom were from the U.S. and some from Canada and the U.K. – this number later rose to 148 million consumers.
Equifax is one of the largest consumer reporting agencies (CRAs) in the world. CRAs collect account information from various creditors, analyze this data to create credit scores and detailed reports, and then sell these to third parties. CRAs’ data collection activities make them a repository of large amount of personally identifiable information, which make them a high-value target for cyber criminals, this according to the report released by the U.S. House of Representatives Committee on Oversight(PDF).
Few weeks prior to the Equifax data breach, former Equifax Chief Executive Officer (CEO) Richard Smithsaid that Equifax was managing “almost 1,200 times” the amount of data held by the U.S. Library of Congress every day.
As a result of the massive data breach, Equifax held several of its officials accountable. Eight days after the data breach disclosure, the company’s Chief Information Officer and Chief Security Officer both took early retirements. Nineteen days after the data breach disclosure, the company’s then Chief Executive Officer Richard Smith left the company and 25 days after the breach, the company terminated its Senior Vice President and Chief Information Officer for Global Corporate Platforms.
Anatomy of the Equifax Data Breach
Based on the report released by the U.S. House of Representatives Committee on Oversight, the Equifax data breach was a result of a series of events that could have been prevented.
On March 7, 2017, Apache Software Foundation, an organization that oversees more than 350 leading open source projects, including Apache Struts, announced and patched on the same day the security vulnerability designated as CVE-2017-5638. This security vulnerability enables attackers to conduct remote code execution (RCE), a cyber attack in which the attacker takes over a computer by exploiting a vulnerability in the computer, regardless of where the computer is geographically located. A proof of conceptof CVE-2017-5638 attack scenario is publicly available on GitHub.
Apache Struts is a popular open source framework for creating web applications. Many of the world’s web applications use Apache Struts, including the web applications used by Equifax, financial institutions, government organizations and Fortune 100 companies. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal, was running a version of Apache Struts containing the CVE-2017-5638 vulnerability.
According to the House Oversight Committee, 2 days after the release of the CVE-2017-5638 patch, Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed over 400 Equifax employees who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a meeting about this vulnerability on March 16.
Despite the above-mentioned efforts, Equifax’s ACIS wasn't patched, leaving the company’s computer systems open to attacks. Just a few days after the release of the CVE-2017-5638 patch, that is, on May 13, 2017, attackers started their 76-day long cyber-attack on Equifax, the House Oversight Committee report said.
By exploiting the unpatched Apache Struts of the company’s ACIS, the report said, the attackers located a file containing unencrypted credentials, including usernames and passwords. These unencrypted credentials enabled the attackers to gain access to critical data outside Equifax’s ACIS, specifically access to the company’s 48 databases.
The report added that on these 48 databases, attackers accessed 265 times unencrypted personally identifiable information of Equifax’s consumers and said attackers transferred this data out of the company’s network. The report said Equifax wasn’t aware of this data transfer as the tool used to monitor ACIS network traffic had been inactive for 19 months as a result of an expired security certificate. It was only on July 29, 2017 that Equifax noticed the ACIS network traffic as this was the date that the company updated the expired certificate.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the House Oversight Committee report said. “Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented.”
Here are some of the cyber security measures that your organization can implement in order to prevent data breaches similar to the Equifax data breach:
Keep All Software Up-to-Date
Cyber attackers are quick to exploit publicly known security vulnerabilities. In the case of the Equifax data breach, attackers exploited a known security vulnerability on Apache Struts just a few days after Apache Software Foundation patched the vulnerability. It’s important to install critical patches in a timely manner so as not to leave your organization’s IT system vulnerable to cyber attacks.
Encrypt Critical Data
It’s a proactive approach to assume that one day your organization’s critical data could be accessed by an unauthorized party. It’s important to encrypt your organization’s critical data so that attackers won’t have a easy access to this high-value data. In encryption, data in plain text is converted into an unreadable form. The only way to read or unlock this encrypted data is via a decryption key – a time-consuming task on the part of the attackers. In the case of the Equifax data breach, the sensitive data of consumers wasn’t encrypted, making it easy for the attackers to locate the critical data.
Monitor Network Traffic
Monitoring your organization’s network traffic is one of the effective means of detecting intrusion. In the case of the Equifax data breach, at the time of the data breach, the company had no means to monitor its ACIS network traffic.
Look at deploying SIEM or MDRsolutions.
Network access during non-working hours and unusual volume of data transfer are signs of intrusion. A workable automated network monitoring tool is a must to protect your organization’s IT system.
What Can Organizations Learn from the Marriott Data Breach
The recent data breach disclosure by Marriott is an eye-opener to organizations, not only because of the extent of the breach – with up to half a billion guests affected, but also because of the length of time that the breach remained undetected – lasting nearly 4 years.
Marriott, currently the world's largest hotel chain, has over 6,700 properties in 129 countries and territories, including Canada. The company has attained the stature of being the world's largest hotel chain after it completed its acquisition of Starwood Hotels & Resorts Worldwide in September 2016.
Marriot, in a statement, said that from 2014 up to September 10, 2018, an “unauthorized party” accessed the Starwood guest reservation network affecting up to 500 million guests who made a reservation at Starwood properties. Out of the 500 million guests affected, the hotel chain said that data of 327 million of these guests was accessed without authority, including name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Financial data of an unspecified number of guests was also accessed by the unauthorized party, including payment card numbers and payment card expiration dates. While the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), the hotel chain said it won’t discount the possibility that the unauthorized party decrypted the payment card numbers.
Marriott didn’t specify what month or exact date in 2014 that the data breach started. It can be recalled that prior to the completion of Marriott’s acquisition of Starwood, in November 2015, Starwooddisclosed its own data breach, affecting nearly 100 Starwood hotels in North America.
Sergio Rivera, President of Starwood Americas, in a statement, said that point of sale systems at certain Starwood hotels were infected with a malicious software (malware), enabling “unauthorized parties” to access payment card data of some of the hotel customers.
Lessons from Marriott Data Breach
Here are some cyber security lessons from the recent Marriott data breach:
Implement Network Segmentation
Marriott said that its own Marriott-branded hotels aren’t affected by the data breach at the Starwood guest reservation network as Marriott-branded hotels’ use a different network that wasn't breached.
Network segmentation is the practice of dividing a computer network into subnetworks, with each network having a different purpose or usage. Implementing network segmentation in your organization ensures that in case one of the networks is infected with a malware, the other subnetworks won’t be infected.
By implementing network segmentation, the data breach at the Starwood guest reservation network was contained to this network alone, preventing the spread of the intrusion to Marriott’s other properties, including Marriott-branded hotels.
Encrypt Important Data
While encryption alone isn’t enough to protect important data, encryption adds a security layer in data protection. Encryption also means that an unauthorized party has to undertake an extra step and extra time to get the decryption key to unlock the encrypted files.
In the case of the Marriott data breach, the only data that was encrypted was limited to payment card numbers. The hotel chain though doesn’t discount that the unauthorized party had gotten hold of the decryption key or keys to unlock the encrypted payment card numbers.
Encryption doesn’t have to be limited to payment card numbers. In the case of the Marriott data breach, important personally identifiable information, including passport numbers, wasn’t encrypted. What happened in the Marriott data breach was that instead of the company doing the encryption to add an additional layer of protection, the unauthorized party did the data encryption in order to avoid detection by any data-loss prevention tools.
Data decryption isn’t an easy thing to do. According to Marriott, while it discovered the data breach on September 8, 2018, it took the company until November 19, 2018 to decrypt the files encrypted by the unauthorized party.
Always Assume that an Intrusion Has Occurred
To date, the cause of the Marriott data breach is still unspecified. The hotel chain, however, identifies the culprit of the data breach as "unauthorized party", a phrase that could mean a malicious insider or a malicious outsider.
Network intrusion carried out by a malicious outsider could happen in many ways. This could happen via phishing attacks using malicious emails containing malicious links and malicious attachments or via unknown security vulnerabilities exploited by a malicious outsider.
Proactive organizations have adopted the assumption that their networks are vulnerable to intrusion. Many organizations today engage the services of “penetration testers”, also known as ethical hackers. These ethical hackers search for and exploit security vulnerabilities in web-based applications, networks and systems and report back to the organization for the organization to fix the security loopholes.
Monitoring any insider activities within the network is also important. Intrusion by a malicious insider should be assumed all the time. An insider has all the tools needed to abuse one’s access to the trove of data that your organization hold. Your organization must have an automated tool that flags unusual activities, such as abnormal working hours, abnormal access to voluminous data and most importantly unusual volume of data transfer.
Contact ustoday if you need assistance in protecting and detecting intrusions in your organization’s networks, resulting from the actions of a malicious insider or malicious outsider.
How to Prevent Accidental Database Leaks
Florida-based marketing and data aggregation firm Exactis is the latest organization that accidentally leaked critical database online.
Security researcher Vinny Troia disclosed to Wiredthat early this month, Exactis exposed nearly 340 million records, 230 million of which pertain to U.S. consumers, while 110 million on business contacts.
"It seems like this is a database with pretty much every US citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
The close to 2 terabytes of data exposed by Exactis didn’t contain credit card information or Social Security numbers. It, however, revealed highly personal information, including phone numbers, home addresses, email addresses, religion, age, gender of the person's children, and interests like plus-size apparel and scuba diving.
Wired confirmed the authenticity of the data exposed by Exactis, commenting that in some cases the information is inaccurate or outdated.
Prior to his disclosure to Wired, Troia said he contacted both Exactis and the FBI about his discovery. He said Exactis has since protected the data so that it's no longer accessible to the public.
The number of data unintentionally exposed by Exactis exceeds that of the 2017's Equifax breach of nearly 148 million consumer’s data. The difference though is that in the case of Exactis, victims aren’t even aware that they’re part of the company’s database.
Past Incidents of Accidental Database Leaks
While the Exactis data may have been the largest accidental database leak, in the past few years, reports about accidental database leaks have come up again and again.
Another security researcher Chris Vickery discovered a number of accidental database leaks. In December 2015, Vickery discovered that the database that housed 3.3 million Hello Kittyaccounts was exposed as a result of a misconfigured MongoDB (a free and open-source cross-platform document-oriented database program) installation.
In April 2016, Vickery discovered that voter registration details of 93.4 million Mexican citizenswere exposed via publicly accessible database hosted on an Amazon cloud server.
In January 2017, Vickery also discovered that an Ontario-based plastic surgery clinicleaked thousands of customer’s medical records online via unprotected remote synchronization (rsync), a service which allows synchronization of files between two computers or servers over the internet.
In October 2017, Redlockresearchers reported that attackers infiltrated the Kubernotes (open-source platform designed by Google to automate deploying, scaling and operating application containers) console of Aviva, a British multinational insurance company, after the company failed to secure it with a password. One of Aviva’s Kubernetes pod contained credentials to the company’s Amazon Web Service Inc. account. According to Redlock, this enabled the attackers to steal the cloud compute resources of Aviva for cryptocurrency mining, in particular, mining the cryptocurrency Bitcoin.
In February 2018, Redlockresearchers reported that attackers similarly infiltrated the Kubernotes console of Tesla after the company failed to secure it with a password. One of Tesla’s Kubernetes pod contained credentials to Telsa’s Amazon Web Service Inc. account. Redlock said this enabled the attackers to steal the cloud compute resources of Tesla to mine the cryptocurrency Monero quietly in the background.
Accidental Leaks Discovery
According to Troia, he discovered the exposed Exactis’ database by simply using Shodan, an alternative search engine used by researchers and security professionals. Troia said he used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses.
This search query resulted in about 7,000 results, Exactis database being one of them, unprotected by any firewall. ElasticSearch is a document-oriented database that's designed to be easily searched over the internet.
For his part, Vickery told ZDNet that he finds accidental database leaks via Shodan as well. There’s, however, no stopping for malicious hackers to use tools like Shodan to discover accidental database leaks. It’s a challenge then for ethical hackers like Troia and Vickery to discover and report to the concerned organizations regarding accidental database leaks before malicious hackers do.
"I’m not the first person to think of scraping ElasticSearch servers," Troia said in the case of Exactis’ accidental data leak. "I’d be surprised if someone else didn't already have this."
Data Leak Prevention
Here are some of the security best practices in preventing accidental database leaks:
1. Monitor Firewall Traffic
A firewall is your first line of defense in preventing accidental database leaks.
A firewall, which can be a hardware, software or both, monitors incoming and outgoing network traffic. It decides based on a defined set of security rules whether to allow or block specific traffic. For instance, a firewall can be configured to block data from certain locations or applications while allowing relevant data in.
RedLock reported that while firewall is one of the industry’s best practices, “85% of resources were found to have no firewall restrictions on any outbound traffic”.
While firewall is a good first line of defense, it can’t be the cure-all remedy in preventing accidental database leaks.
2. Monitor Configurations
Proper configuration is critical in preventing accidental database leaks. Configuration refers to the “Settings” menu in any software. A simple configuration monitoring could have prevented the Tesla breach.
3. Monitor Suspicious User Behavior
As shown by the above-mentioned examples, it’s not uncommon to find accidental database leaks in public cloud environments. Your organization needs to detect accidental database leaks as soon as possible before the bad guys do.
Monitoring has to go beyond geo-location or time-based anomalies but also monitoring event-based anomalies such as unusual volume of traffic or unusual volume of downloaded data.
When you team needs help, our team of experts is a phone call away. Contact ustoday and stay safe!
2 Canadian Banks, BMO & CIBC’s Simplii Financial, Disclose Data Breaches
Two Canadian banks, Bank of Montreal (BMO) and Canadian Imperial Bank of Commerce-owned Simplii Financial, have disclosed early this week that cyber criminals may have stolen sensitive data of their combined 90,000 customers.
BMO is Canada’s 4thlargest bank, while the Canadian Imperial Bank of Commerce (CIBC) is the country’s 5thlargest bank.
A spokesman for Bank of Montreal told Reutersthat nearly 50,000 of the bank’s 8 million customers across Canada were hacked.CIBC’s Simplii Financial, meanwhile, disclosed that fraudsters may have stolen certain personal and account information for nearly 40,000 of its customers.
According to CBC, a group of cyber criminals who claimed to have stolen sensitive data from the 2 banks sent an email to media outlets across Canada last Monday. The attackers said that stolen data would be sold to criminals if the banks don’t pay a $1-million ransom to be paid in the cryptocurrency Ripple by 11:59 p.m. Monday.
The attackers claimed that they’ve harvested personally identifiable information from customers of the 2 banks, including social insurance number, date of birth, address and phone number.
To prove the veracity of the email, the sender shared the identifying information of two Canadians, one for each bank. When CBC contacted those 2 individuals, they confirmed the veracity of the identifying information.
The ransom deadline has already passed. When contacted by CBC about whether any ransom had been paid, Bank of Montreal said, "Our practice is not to make payments to fraudsters."
Simplii, for its part, said that it’s "continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests."
The attacks on BMO and Simplii are noteworthy as both were disclosed on the same day by the 2 financial institutions and both were attacked by the same cyber criminals using the same method.
The email sent out by the group who claimed to have stolen data from BMO and Simplii Financial explained in detail how the data breaches on the 2 financial organizations were carried out.
According to the email sender, bank accounts from the BMO and Simplii Financial were breached by using the Luhn algorithm – a set of mathematical rules that’ll help to calculate an answer to a problem, in this case, generate the card numbers.
Using the generated card numbers, the attackers then posed as authentic customers who had forgotten their password. The group said the generated card numbers allowed them to reset the backup security questions and answers and reset the passwords.
“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said.
In Simplii Financial's official statement, the organization advised customers to always "use a complex password and pin (eg. not 12345)”. This statement is indicative that the bank isn’t using 2-factor authentication. BMO, meanwhile, offers 2-factor authentication.
A customer at Simplii Financial told The Globe and Mailthat he was unable to log in to his account and the safety questions to recover his password had been changed.
In a study, Newcastle Universityresearchers found that it only takes seconds to guess a bank account number by using the first six digits (which tell you the bank and card type) and the Luhn’s algorithm. One of the original purposes of the Luhn’s algorithm is for the websites to immediately identify invalid card numbers.
"As an example, suppose one's credit card number is 5377223617291234. Here, the ‘4’ is the check digit. This digit can be determined solely from the digits that precede it through what is called the Luhn Algorithm,” the Oxford Math Centerexplains Luhn Algorithm. “If when entering this credit card number, one accidentally types a ‘7’ where the right-most "1" should be (i.e., 5377223617297234), the check digit produced from the first 15 digits, in accordance with the Luhn Algorithm, will now disagree with ‘4’ on the end – flagging this as an invalid credit card number.”
If you’ve an account in either BMO or Simplii Financial, it’s important to monitor your account for signs of unusual activity. Both banks are offering free credit monitoring and guarantee a 100% reimbursement for any unauthorized transaction.
The recent data breaches at BMO and Simplii Financial could’ve prevented by data encryption. Organizations, especially those in the financial sector, are required to safeguard personally identifiable information of their clients.
One of the ways of safeguarding sensitive information is by encrypting the data. Encryption changes the data into something incomprehensible, rendering the data useless to the attackers without the secret code.
“The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers," the Canadian Bankers Association told Bloomberg.
“When you’re dealing with financial information, you should have the highest level of privacy protection possible,” Dr. Ann Cavoukian, former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre, told the Financial Post. “This is a real eye-opener. The question that that begs is why weren’t you engaging in those measures all along?”
Top 5 Cybersecurity Predictions in 2018
It’s the yearend. It’s the time of the year when we look back at the salient events that made a great impact in the cybersecurity world, and make predictions of what the new year will bring.
Here are the top 5 cybersecurity predictions for 2018:
1. Cryptocurrency Mining
The growth of cryptocurrency this year is unprecedented, with the total value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin is the most dominant cryptocurrency in the market, other cryptocurrencies have soared as well. Cryptocurrency Monero, for instance, has a total market cap of $5.1 billion as of December 24, 2017, with one coin of Monero valued close to $335.
“Mining” is needed for many cryptocurrency coins like Bitcoin and Monero to be processed and released. In the past, Bitcoin could be mined using ordinary computers. Today, Bitcoin can only be mined using specific and high-powered computers, leaving the mining to big companies. Other cryptocurrencies, however, can be mined using ordinary computers. Monero, in particular, can be mined using ordinary computers and even using smartphones.
The people who mine cryptocurrencies called “miners” are given a fair share of the coin value for the computer use. Unscrupulous individuals who want to earn more money from cryptocurrency mining, meanwhile, are scouring the internet looking for vulnerable computers and smartphones to install malicious software (malware) capable of mining cryptocurrency like Monero.
Adylkuzz cryptocurrency malware, which was released into the wild in May 2017, infects computers using Microsoft operating system that fail to install Microsoft’s March 14, 2017 security update. Other cryptocurrency malware that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is distributed via compromised websites, Digmine via Facebook Messenger and Loapi via online advertising campaigns.
Cryptocurrency mining malware eats up most of the computing power of servers, desktops, laptops and smartphones. This results in the slow performance of computers. The Loapi malware, in particular, is so powerful that it can even melt an Android phone.
“Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.”
2. Business Disruption
In 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks.
Ransomware is a type of malware that restricts user access to the infected computer until a ransom is paid to unlock it. Two of the notable ransomware this year, WannaCry and NotPetya, are essentially not ransomware in the sense that the code of these two malware were written in such a way that even the attackers themselves can’t unlock the infected computers. Whether this was intentional or not, only the attackers know. But in this sense, these two malware are considered as “wiper” – meant to bring business disruption.
“The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said.
Another malware that brought widespread business disruption in 2017 was the Mirai botnet, a malware that infected close to 100,000 IoT devices, turned them into robots and launched DDoS attack that brought down the managed DNS platform of Dyn, which in effect, temporarily brought down 80 widely used websites like Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix.
According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.).
3. Breach by Insiders
The 2017 Cost of Data Breach Study (PDF) conducted by Ponemon and commissioned by IBM showed that 47% of data breaches were caused by malicious insiders and outsiders’ criminal attacks, 25% were due to negligent employees or contractors (human factor) and 28% were due to system glitches.
According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.”
4. Artificial Intelligence (AI) as a Double-Edged Sword
In 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity.
“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.”
In 2018, one thing is for sure: General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.
GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any of EU countries. Salient features of the law include consent requirement, right to be forgotten, transparency requirement, cybersecurity measures and data breach notification.
“In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said.
Happy 2018, and Stay Safe!
Whole Foods Becomes the Latest Victim of a Cyber Attack
Whole Foods, the supermarket chain recently acquired by Amazon, becomes the latest victim of a cyber attack.
The supermarket chain officially acknowledged that the cyber attack potentially compromised its customers’ credit card details. The data breach, according to Whole Foods, affected only the point of sale system used in taprooms (bars) and restaurants located within some of the Whole Foods stores. As of November 2016, The Mercury News reported that 180 of Whole Foods’ 464 stores had bars and restaurants.
In its official statement, Whole Foods stressed that Whole Foods’ bars and restaurants use a different point of sale system from the company’s supermarket point of sale system. The company said that payment cards used at the supermarket point of sale system were not affected. It added that the Amazon systems, which acquired the supermarket chain last month, don’t connect to the Whole Foods’ bars and restaurants system. As such, transactions on Amazon.com haven’t been affected.
Whole Foods’ public statement didn’t reveal how many customers may have been affected, how many bars and restaurants may have been involved or when the data breach was discovered.
The Whole Foods data breach came just heels after the Sonic Drive-in cyber security breach. The American drive-in fast-food restaurant chain, with over 3,500 restaurants in 45 US states, confirmed that there's been some “unusual activity” on credit cards used at some of its restaurants. Similar to Whole Foods, the company didn’t disclose how many credit cards were potentially affected or when the data breach took place.
Krebs on Security reported that Sonic Drive-In cyber security breach may have impacted millions of credit and debit cards.
“The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic,” Krebs on Security wrote.
About 5 million credit and debit card details recently put up for sale on the underground online site Joker’s Stash has been tied to a breach at Sonic Drive-In, according to Krebs on Security.
“I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs on Security said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”
Cyber criminals typically steal credit card details from merchants that accept cards by hacking into their point of sale systems.
What is Point of Sale
Point of sale, also known as POS, is a system used by merchants where customers pay for goods or services. The POS system consists of hardware and software. The POS hardware refers to the device used to swipe a credit or debit card and the computer or mobile device attached to it. The POS software refers to the computer program that instructs the hardware what to do with the data it captures.
Through the years, there have been a number of vulnerabilities identified in the POS system. The vulnerability of the POS system was highlighted with the arrest and conviction of Albert Gonzalez, leader of the group that stole more than 90 million card records from retailers.
The Gonzalez group took advantage of the lack of point to point encryption of POS system. If you pay using your credit card at a POS terminal, your credit card data housed in the card’s magnetic stripe is read, passed through a series of systems and networks before reaching the store’s payment processor.
In 2005, credit card details transmitted over a public network from a POS device are required to be encrypted using network-level encryption, for example, the Secure Sockets Layer (SSL). Within the internal network of the store, however, credit card details weren’t required to be encrypted except when stored.
The Gonzalez group took advantage of this lack of point to point encryption at the internal network level by installing network-sniffing tools that allowed him and his group to steal over 90 million card details. As a result of the Gonzalez group’s criminal activities, many stores today use POS system with encryption even at the internal network level.
Through the years though, POS attackers have honed their skills and a number of POS attack methods have been developed. Big companies like Target Corporation succumbed to POS attackers. In May of this year, 47 US states and the District of Columbia have reached a $18.5 million settlement with Target that resolves the states' investigation into the company's 2013 data breach, which affected more than 41 million customer payment card accounts.
How to Prevent POS Attacks?
Customers’ credit card data in the POS system passes through the following:
In each of these stages, customers’ credit card data becomes vulnerable to POS attackers. On the terminal level, attackers can insert hardware like skimmers or firmware to steal credit card details. As data passes from terminal to cash register or cash register to central payment processing server, the data may be stolen using network traffic sniffing tools like the one used by the Gonzales group. From the terminal to the internet exchange, there can be exposure of the encryption key. Credit card details may also be stolen via RAM scrapping malware from the cash register level or at the central payment processing server level.
From terminal to internet exchange, mitigation strategy includes a firewall. At the cash register level or central payment processing server level, mitigating strategy includes endpoint security software. From cash register to central payment processing server, mitigating strategies include data encryption and the use of SSL. From terminal to internet exchange, mitigating strategy includes security information and event management (SIEM).
Network segmentation is also one of the mitigating strategies to counter POS attacks. The network segmentation of the Whole Foods’ bars and restaurants from Whole Foods supermarket and Amazon.com has prevented attacks on the other two Amazon assets. Target, meanwhile, in the 2013 data breach didn’t implement network segmentation.
When you need help protecting your missing critical applications and infrastructure, give us a call to speak with one of our cyber security and compliance experts.
Steve E. Driz, I.S.P., ITCP