Showing results for tags 'data breaches'.
Found 14 results

  1. 3.2 Billion Leaked Passwords Contain 1.5 Million Records with Government Emails

     A staggering 3.28 billion passwords linked to 2.18 billion unique email addresses were exposed in one of the largest data dumps of breached usernames and passwords. In addition, the leak includes 1,502,909 passwords associated with email addresses from government domains across the world, with the U.S. government alone accounting for 625,505 of the exposed passwords, followed by the U.K. (205,099), Australia (136,025), Brazil (68,535), and Canada (50,726).

     The findings come from an analysis of a massive 100GB data set called "COMB21" (aka Compilation of Many Breaches) that was published for free on an online cybercrime forum earlier this February. It was assembled from multiple leaks at different companies and organizations that occurred over the years.

     It's worth noting that the leak doesn't imply a breach of public administration systems. The passwords are said to have been obtained via techniques such as cracking stolen password hashes, phishing attacks, and eavesdropping on insecure, plaintext connections.

     The top 10 U.S. government domains affected by the leak are as follows:

     • State Department - state.gov (29,144)
     • Veterans Affairs Department - va.gov (28,937)
     • Department of Homeland Security - dhs.gov (21,575)
     • National Aeronautics and Space Administration - nasa.gov (15,665)
     • Internal Revenue Service - irs.gov (10,480)
     • Center for Disease Control and Prevention - cdc.gov (8,904)
     • Department of Justice - usdoj.gov (8,857)
     • Social Security Administration - ssa.gov (8,747)
     • U.S. Postal Service - usps.gov (8,205)
     • Environmental Protection Agency - epa.gov (7,986)

     Interestingly, this leak also includes 13 credentials linked to emails of the Oldsmar water plant in Florida, as previously reported by CyberNews. However, there's no evidence that the breached passwords were used to carry out the cyberattack in February.

     In contrast, only 18,282 passwords related to Chinese government domains and 1,964 passwords related to Russian ones were laid bare. "It is an indication that the passwords in these countries, made up of local alphabets, are less targeted by hackers. It is an unexpected layer of protection in relation to the Roman alphabet," said Syhunt Founder and Chief Visionary Officer (CVO) Felipe Daragon.

     On a related note, a notorious threat actor named ShinyHunters has posted an alleged database consisting of 20 million BigBasket users for free, almost five months after the Indian online grocery delivery startup confirmed a data breach. According to Under the Breach's Alon Gal, the database includes users' email addresses, phone numbers, residential addresses, hashed passwords, dates of birth, and order histories.

     In the past, ShinyHunters has been connected to the sale of personal data from several companies, including Zoosk, SocialShare, Tokopedia, TeeSpring, Mindful, Minted, Chatbooks, Dave, Promo, Mathway, Wattpad, MeetMindful.com, and StarTribune.

     Users who have had their information exposed are strongly advised to change their existing passwords.

     Source: 3.2 Billion Leaked Passwords Contain 1.5 Million Records with Government Emails
  2. ICO Issued Over £42 Million in Fines Last Year

     The UK's privacy regulator issued over £42 million in fines last year, although the vast majority of the money relates to two major GDPR penalties, according to new data.

     Flagged by think tank Parliament Street, the Information Commissioner's Office (ICO) "work to recover fines" report revealed that 17 financial penalties had been levied in 2020, amounting to more than £42.4 million. Most can be attributed to the vastly reduced and much-delayed fines finally imposed on Marriott International (£18.4 million) and British Airways (£20 million) for major data breaches. Ticketmaster's (£1.25 million) was the next-biggest fine, with the remaining 14 standing at £500,000 or less.

     Three court orders were issued to wind up erring firms last year, while eight company directors were disqualified following ICO enforcement action. The latter action is meant to help prevent the tactic known as "phoenixing," where company owners who have allowed illegal practices such as cold calling simply declare bankruptcy after an ICO investigation and start a new company, avoiding any fines.

     Thanks to changes in the law, directors could now not only face disqualification but are also responsible for paying the fines, under either the Data Protection Act 2018, the UK's version of the GDPR, or the Privacy and Electronic Communications Regulations (PECR), which govern nuisance calls.

     ICO group manager for investigations, Natasha Longson, said awareness of these penalties has grown among directors. "In most cases where a fine has not been paid, we work closely with the Insolvency Service. This has been a very successful collaboration and, last year, saw eight directors disqualified. Recovering fines from insolvent companies has been slower than usual due to the pandemic's impact on the courts," she added. "We take a pragmatic approach to recovery and we support companies and directors in genuine financial hardship, for example agreeing payment plans where appropriate."

     However, some reports suggest the ICO's strategy for fines is problematic. The original intent was to fine BA £183 million, for example. What's more, the regulator has been unable to collect around two-fifths (39%) of the fines issued from 2015-19, according to a report issued last October. In addition, 68% of fines issued since then are outstanding, the report claimed.

     Source: ICO Issued Over £42 Million in Fines Last Year
  3. A Tale of 3 Data 'Leaks': Clubhouse, LinkedIn, Facebook

     Confusion Over Hacking, Scraping and Amassing Highlights Data Lockdown Imperative

     [Image: Post to cybercrime forum describes Clubhouse user data being offered for sale]

     Criminals love to amass and sell vast quantities of user data, but not all data leaks necessarily pose a risk to users. Even so, the ease with which would-be attackers can amass user data is a reminder to organizations to lock down inappropriate access as much as possible.

     That's a takeaway experts offer after large tranches of data recently became available for sale or for free. The data allegedly was obtained from three social networks: Clubhouse, LinkedIn and Facebook. Scammers can use such data to target individuals via social engineering attacks, and phishers can use it to craft lures, among other potential threats.

     Clubhouse - a startup social media network accessed via an app - and LinkedIn have both confirmed that large amounts of their user data have appeared online. But both services say the data, which is being offered for sale on darknet forums, was scraped from public-facing pages. So what buyers would be paying for is access to all of this public information at once.

     The story is different, however, with the latest Facebook data breach to come to light. Earlier this month, 533 million users' details - including phone numbers that were set to not display on their profiles - were being offered for free online after having been available for purchase. In response, Facebook said attackers had obtained the data "not through hacking our systems but by scraping it from our platform," apparently by abusing an API that Facebook built to allow users to find each other.

     "If you provide an API … work on the assumption of it being abused."
     —Troy Hunt

     Experts say the resulting records, linking people's names, email addresses, phone numbers and more, are a potential gold mine for fraudsters and phishers (see: Facebook Tries to 'Scrape' Its Way Through Another Breach). Ireland's Data Protection Commission is probing the breach, in line with its authority to enforce the EU's General Data Protection Regulation.

     Facebook says it's attempting to trace the posted information back, and it has suggested that the data dump may include information amassed from multiple sources, not all of them involving private information held by the social network and its ancillary services.

     LinkedIn: 'Not a Data Breach'

     While a Facebook feature appears to have exposed private data for more than a half-billion users, the story looks different for LinkedIn and Clubhouse.

     Last week, a cybercrime forum seller began advertising 500 million LinkedIn records, offering 2 million of the records as a sampler for $2 in forum credits and access to all records for a four-figure sum, CyberNews first reported. The seller said the profiles included "emails, phone and other details."

     In a statement released on Thursday, LinkedIn said the data involves only information that is already publicly accessible via its site and may have been combined with information from other sites. "We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies," LinkedIn says. "It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we've been able to review."

     In other words, while seeing so much user data get amassed in one place might be concerning - and of use to social engineers and others - this information was already in circulation.

     Clubhouse Data Also Scraped

     The same also appears to be true for Clubhouse, which saw information from about 1.3 million user profiles get posted on a cybercrime forum on or around Saturday. The poster said that the data had been scraped from Clubhouse using one of its APIs.

     Clubhouse is an iOS-based app that enables users to set up virtual audio chat rooms, to which most participants will then be listening in. The service, which launched early last year, is still invite-only, but the Guardian reports that buzz over Clubhouse has been building, especially after Tesla founder Elon Musk used it in February to host a popular chat.

     The scraped Clubhouse data includes name and username, user ID, profile photo, number of followers, number of other Clubhouse users followed, an account creation date, who invited the user to the platform and sometimes Instagram and Twitter handles. The data does not include personally identifiable information, such as phone numbers, email addresses or other sensitive information.

     In a statement posted to Twitter on Sunday, Clubhouse denied that it had been breached or hacked after reports emerged that user data had appeared on the cybercrime forum.

     "This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo" — Clubhouse (@joinClubhouse) April 11, 2021

     Clubhouse officials didn't immediately respond to a request for further comment.

     Expert View: The API Challenge

     The posted Clubhouse data poses no risk to users, says Jane Manchun Wong, a Hong Kong-based software engineer and security researcher who often blogs about unreleased features in popular applications. "The kind of data gathered here is no different than going to someone's Clubhouse profile and taking a screenshot," Wong says.

     The data was likely scraped using one of Clubhouse's "private" APIs, or one that is used by its app to retrieve data, Wong says. Whoever downloaded the data may have simply cycled through user IDs sequentially, she says.

     "Not seeing any private info in this 'leaked data' of Clubhouse. The user IDs are numerical. So it just seems like someone scraped the data by hitting Clubhouse's private API, iterating from user ID 1 to beyond https://t.co/MBWG46JmCB" — Jane Manchun Wong (@wongmjane) April 11, 2021

     Services generally use rate limiting and other defensive measures to ensure their APIs aren't abused. Wong says that if the data was obtained by iterating through numerical user IDs, Clubhouse should enable rate limiting on its private API if it does not already do so, because its users have an expectation of privacy. But even with rate limiting, amassing all of this information would still be possible. "It'll only be slower, but it can still be done," Wong says.

     Troy Hunt, creator of the free Have I Been Pwned data breach notification service, says APIs pose this paradox: If developers want to make users discoverable to other users, it's difficult to ensure that the underlying API will only be used for that purpose - in other words, by only the right users and for the right reasons.

     "If you provide an API, regardless what you protect with rate limiting," expect that whatever data it touches "will be aggregated," Hunt says. "You work on the assumption of it being abused."

     Source: A Tale of 3 Data 'Leaks': Clubhouse, LinkedIn, Facebook
  4. Data Breaches Tracker monitors unsecured ElasticSearch servers online

     Cybersecurity researchers at WizCase, an online security and privacy portal, built a tool to track accessible ElasticSearch servers on the Internet.

     The tool scans the web for accessible ElasticSearch servers and displays different variables, such as the total number of running Elasticsearch instances, a breakdown of secure vs. insecure servers, and more. More specifically, the tool tracks the number of servers attacked by "Meow"; interestingly, the experts noticed a quite significant rise in the number of servers wiped in the first week of March. According to the experts, over 2,500 servers were erased within a few days.

     As it's always hard to figure out the amount of data exposed due to misconfiguration, here is the tool: https://www.wizcase.com/tools/data-breaches-tracker/.

     A recent scan performed on March 15th, 2021 provided the following results:

     • Total number of servers scanned: 334,013
     • Total number of running instances: 9,202
     • Total number of servers accessible without authorization: 5,740
     • Total size of servers accessible without authorization: 9 TB
     • Total number of records exposed in servers accessible without authorization: 17,830,145,680
     • Total number of servers accessible without authorization hit by Meow: 1,362

     Source: Data Breaches Tracker monitor unsecured ElasticSearch servers online
  5. The COVID-19 pandemic provided a huge opening for bad actors this year, thanks to remote work. Security experts expect more advanced cybersecurity threats in the coming year.

     Hackers are always looking for an opportunity, and the COVID-19 pandemic provided a big one this year: As remote work in unprecedented numbers took hold, they preyed upon vulnerable employees who were unfamiliar with how to navigate their tech environments. Threat actors found success infecting businesses with ransomware and stealing company data, turning those ransomware attacks into data breaches. Expect more of this to continue next year as remote work continues, according to Accenture.

     Going into 2021, "threat actor profits [are] likely to increase as a result of targets' weakened security and remote working, enabling threat actors [to] innovate and invest in even more advanced ransomware," Accenture's 2020 Cyber Threatscape Report said.

     Remote work created something of a new playground for hackers in 2020, agreed Gartner. An October survey of nearly 2,000 CIOs found that cybersecurity investments in technologies that support digitization will be one of the major priorities next year. "With the opening of new attack surfaces due to the shift to remote work, cybersecurity spending continues to increase," the firm said, with 61% of respondents reporting they will increase investment in cyber/information security, followed closely by business intelligence and data analytics (58%) and cloud services and solutions (53%).

     Cybersecurity mesh for securing any digital asset, anywhere

     Next year and beyond, Gartner is predicting organizations will use cybersecurity mesh, a distributed architectural approach to scalable, flexible and reliable cybersecurity control. Cybersecurity mesh enables anyone to access any digital asset securely, no matter where the asset or person is located, the firm said in its Top Strategic Technology Trends for 2021 report.

     "Cybersecurity mesh essentially allows for the security perimeter to be defined around the identity of a person or thing," Gartner said. As perimeter protection becomes less meaningful, the security approach of a "walled city" must evolve, the firm said. By 2025, Gartner predicts the cybersecurity mesh will support over half of digital access control requests.

     Other predictions:

     More attacks on healthcare systems. "The seemingly crazy predictions of the past around the cost of ransomware attacks on the healthcare industry stand to be proven true in 2021. We've seen a substantial rise in ransomware since the onset of COVID, and as the space race 2.0 continues, so will the prevalence of attacks," said John Ford, IronNet cyber strategist and former healthcare CISO. With countries all around the world hunting for a COVID vaccine, there will be more nation-state attacks leveraging ransomware and an increase in cloud-based ransomware attacks as healthcare systems expedite their transition to meet the growing remote needs, Ford predicts. "Lately, what is different about this tried-and-true attack method is that malicious actors aren't just locking out data," Ford said. "They are also putting it on data leak sites where people can buy/have access to it leading to additional compliance concerns and my prediction for upcoming HIPAA changes."

     Over-permissioned identities will cause more attacks in the cloud. As a result of the accelerated shift to the cloud due to the pandemic, in 2021 attackers will not only shift their focus more to cloud infrastructure and cloud applications, but also continue to advance their techniques, said Michael Raggo, cloud security expert at CloudKnox. "One of the systemic issues we've seen in organizations that have been breached recently are a vast amount of over-permissioned identities accessing cloud infrastructure and gaining access to business critical resources and confidential data," Raggo said. "We've seen when an attacker gains access to an associated identity with broad privileged permissions, the attacker can leverage those and cause havoc." Most of the time, identity permissions are too broad because enterprises are still using manual and assumptions-based techniques to manage them, he said. Over-provisioned permissions "begs for a clear need for adhering to the principle of least privilege, leveraging a continuous, automated and data driven approach using activity-based authorization across the cloud infrastructure," Raggo said.

     Growth of insider threats and accidents. Raggo also predicts that accidents and insider threats will become even bigger concerns for enterprises, especially those in the cloud, citing a guilty plea by a former Cisco employee earlier this year who was charged with wiping 16,000 WebEx Teams cloud accounts, disrupting their access to the service. CloudKnox research found that more than 80% of cloud users have the ability to escalate permissions, which can be very hard to track in the cloud infrastructure, according to Raggo. "These escalation scenarios allow the bad actors to have the ability to create dummy accounts for themselves," which he said can be used "to perform nefarious actions as some user other than themselves, thus allowing them to cover their tracks."

     Where CISOs should allocate budget in 2021

     Jason Rader, national director of network & cloud security at Insight Enterprises, believes that if security leaders still have a viable business in 2021, they have "already done some things very right." 2021 is a time for security leaders to become more efficient with their budgets and more strategic in supporting the business, he said. According to Rader, this includes addressing:

     • Ransomware: A huge number of organizations are expected to be hit with ransomware next year. Rader advocates for a strategy that incorporates the controls to mitigate a ransomware attack into an overall program. Buying a "ransomware solution" that doesn't integrate with workflow or other security controls is very shortsighted, he said.
     • Data classification/appropriate controls on the data: Data is everywhere and a liability for CISOs.
     • DevOps: It's critical to know how security is integrated into an organization's current development and operations processes. CISOs should act as the catalyst for the groups to work together. One cannot live without the other.
     • Vulnerability management: Remote worker setup and cloud initiatives have probably stabilized for the most part after the WFH scramble. Security teams must mature the patch and vulnerability management process.
     • Identity, authentication & access: Identifying your users, ensuring they are who they say they are, and controlling the resources they are permitted to access has always been important. With this year's rise in remote workers and WFH, it is time to revisit ways to gain more control and analysis out of this effort.
     • Regulated data (client data, PII, etc.): Many organizations are changing the way they do business to comply with current and impending data privacy regulations. This will have a trickle-down effect on the ecosystems/supply chains of different industries. "If you collect client data, know what systems touch it, how authentication is handled at each step, how the data is secured during transit and while at rest, and what back-end systems can access the systems that process the data."

     Source
  6. By Charlie Osborne for Zero Day

     A pandemic is no reason for hackers to hold off cyberattacks against everything from government bodies to healthcare providers.

     Cybersecurity may be far from many of our minds this year, and in light of a pandemic and catastrophic economic disruption, remembering to maintain our own personal privacy and security online isn't necessarily a priority. However, cyberattackers certainly haven't given anyone a break this year. Data breaches, network infiltrations, bulk data theft and sale, identity theft, and ransomware outbreaks have all occurred over 2020, and the underground market shows no signs of stopping.

     As a large swathe of the global population shifted to work-from-home models and businesses rapidly transitioned to remote operations, threat actors also pivoted. Research suggests that remote workers have become the source of up to 20% of cybersecurity incidents, ransomware is on the rise, and we have yet to learn that "123456" is not an adequate password. Many companies and organizations, too, have yet to practice reasonable security hygiene, and vulnerabilities pose a constant threat to corporate networks. As a result, we've seen a variety of cyberattacks this year, the worst of which we have documented below.

     January:
     • Travelex: Travelex services were pulled offline following a malware infection. The company itself and businesses using the platform to provide currency exchange services were all affected.
     • IRS tax refunds: A US resident was jailed for using information leaked through data breaches to file fraudulent tax returns worth $12 million.
     • Manor Independent School District: The Texas school district lost $2.3 million during a phishing scam.
     • Wawa: 30 million records containing customers' details were made available for sale online.
     • Microsoft: The Redmond giant disclosed that five servers used to store anonymized user analytics were exposed and open on the Internet without adequate protection.
     • Medical marijuana: A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.

     February:
     • Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures.
     • Denmark's government tax portal: The taxpayer identification numbers of 1.26 million Danish citizens were accidentally exposed.
     • DOD DISA: The Defense Information Systems Agency (DISA), which handles IT for the White House, admitted to a data breach potentially compromising employee records.
     • UK Financial Conduct Authority (FCA): The FCA released sensitive information belonging to roughly 1,600 consumers by accident as part of an FOIA request.
     • Clearview: Clearview AI's entire client list was stolen due to a software vulnerability.
     • General Electric: GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures with supplier Canon Business Process Service.

     March:
     • T-Mobile: A hacker gained access to employee email accounts, compromising data belonging to customers and employees.
     • Marriott: The hotel chain suffered a cyberattack in which email accounts were infiltrated. 5.2 million hotel guests were impacted.
     • Whisper: The anonymous secret-sharing app exposed millions of users' private profiles and datasets online.
     • UK Home Office: GDPR was breached 100 times in the handling of the Home Office's EU Settlement Scheme.
     • SIM-swap hacking rings: Europol made arrests across Europe, taking out SIM-swap hackers responsible for the theft of over €3 million.
     • Virgin Media: The company exposed the data of 900,000 users through an open marketing database.
     • Whisper: Millions of users' private profiles and datasets were left, exposed and online, for the world to see.
     • MCA Wizard: 425GB in sensitive documents belonging to financial companies was publicly accessible through a database linked to the MCA Wizard app.
     • NutriBullet: NutriBullet became a victim of a Magecart attack, with payment card skimming code infecting the firm's e-commerce store.
     • Marriott: Marriott disclosed a new data breach impacting 5.2 million hotel guests.

     April:
     • US Small Business Administration (SBA): Up to 8,000 applicants for emergency loans were embroiled in a PII data leak.
     • Nintendo: 160,000 users were affected by a mass account hijacking campaign.
     • Email.it: The Italian email provider failed to protect the data of 600,000 users, leading to its sale on the Dark Web.
     • Nintendo: Nintendo said 160,000 users were impacted by a mass account hijacking campaign caused by the NNID legacy login system.
     • US Small Business Administration (SBA): The SBA revealed as many as 8,000 business emergency loan applicants were involved in a data breach.

     May:
     • EasyJet: The budget airline revealed a data breach exposing data belonging to nine million customers, including some financial records.
     • Blackbaud: The cloud service provider was hit by ransomware operators who hijacked customer systems. The company later paid a ransom to stop client data from being leaked online.
     • Mitsubishi: A data breach suffered by the company potentially also resulted in confidential missile design data being stolen.
     • Toll Group: The logistics giant was hit by a second ransomware attack in three months.
     • Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online.
     • Illinois: The Illinois Department of Employment Security (IDES) leaked records concerning citizens applying for unemployment benefits.
     • Wishbone: 40 million user records were published online by the ShinyHunters hacking group.
     • EasyJet: An £18 billion class-action lawsuit was launched to compensate customers impacted by a data breach in the same month.

     June:
     • Amtrak: Customer PII was leaked and some Amtrak Guest Rewards accounts were accessed by hackers.
     • University of California SF: The university paid a $1.14 million ransom to hackers in order to save COVID-19 research.
     • AWS: AWS mitigated a massive 2.3 Tbps DDoS attack.
     • Postbank: A rogue employee at the South African bank obtained a master key and stole $3.2 million.
     • NASA: The DopplePaymer ransomware gang claimed to have breached a NASA IT contractor's networks.
     • Claire's: The accessories company fell prey to a card-skimming Magecart infection.

     July:
     • CouchSurfing: 17 million records belonging to CouchSurfing were found on an underground forum.
     • University of York: The UK university disclosed a data breach caused by Blackbaud. Staff and student records were stolen.
     • MyCastingFile: A US casting platform for actors exposed the PII of 260,000 users.
     • SigRed: Microsoft patched a 17-year-old exploit that could be used to hijack Microsoft Windows Servers.
     • MGM Resorts: A hacker put the records of 142 million MGM guests online for sale.
     • V Shred: The PII of 99,000 customers and trainers was exposed online and V Shred only partially resolved the problem.
     • BlueLeaks: Law enforcement closed down a portal used to host 269 GB in stolen files belonging to US police departments.
     • EDP: The energy provider confirmed a Ragnar Locker ransomware incident. Over 10TB in business records were apparently stolen.
     • MongoDB: A hacker attempted to ransom 23,000 MongoDB databases.

     August:
     • Cisco: A former engineer pleaded guilty to causing massive amounts of damage to Cisco networks, costing the company $2.4 million to fix.
     • Canon: The photography giant was struck by ransomware gang Maze.
     • LG, Xerox: Maze struck again, publishing data belonging to these companies after failing to secure blackmail payments.
     • Intel: 20GB of sensitive, corporate data belonging to Intel was published online.
     • The Ritz, London: Fraudsters posed as staff in a clever phishing scam against Ritz clients.
     • Freepik: The free photos platform disclosed a data breach impacting 8.3 million users.
     • University of Utah: The university gave in to cybercriminals and paid a $457,000 ransom to stop the group from publishing student information.
     • Experian, South Africa: Experian's South African branch disclosed a data breach impacting 24 million customers.
     • Carnival: The cruise operator disclosed a ransomware attack and subsequent data breach.

     September:
     • Nevada: A Nevada school, suffering a ransomware attack, refused to pay the cybercriminals -- and so student data was published online in retaliation.
     • German hospital ransomware: A hospital patient passed away after being redirected away from a hospital suffering an active ransomware infection.
     • Belarus law enforcement: The private information of 1,000 high-ranking police officers was leaked.
     • NS8: The CEO of the cyberfraud startup was accused of defrauding investors out of $123 million.
     • Satellites: Iranian hackers were charged for compromising US satellites.
     • Cerberus: The developers of the Cerberus banking Trojan released the malware's source code after failing to sell it privately.
     • BancoEstado: The Chilean bank was forced to close down branches due to ransomware.

     October:
     • Barnes & Noble: The bookseller experienced a cyberattack, believed to be the handiwork of the ransomware group Egregor. Stolen records were leaked online as proof.
     • UN IMO: The United Nations International Maritime Organization (UN IMO) disclosed a security breach affecting public systems.
     • Boom! Mobile: The telecom service provider became the victim of a Magecart card-skimming attack.
     • Google: Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded.
     • Dickey's: The US barbeque restaurant chain suffered a point-of-sale attack between July 2019 and August 2020. Three million customers had their card details later posted online.
     • Ubisoft, Crytek: Sensitive information belonging to the gaming giants was released online by the Egregor ransomware gang.
     • Amazon insider trading: A former Amazon finance manager and their family were charged for running a $1.4 million insider trading scam.

     November:
     • Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems.
     • Vertafore: 27.7 million Texas drivers' PII was compromised due to "human error."
     • Campari: Campari was knocked offline following a ransomware attack.
     • $100 million botnet: A Russian hacker was jailed for operating a botnet responsible for draining $100 million from victim bank accounts.
     • Mashable: A hacker published a copy of a Mashable database online.
     • Capcom: Capcom became a victim of the Ragnar Locker ransomware, disrupting internal systems.
     • Home Depot: The US retailer agreed to a $17.5 million settlement after a PoS malware infection impacted millions of shoppers.

     Source
7. GDPR-ready organizations see lowest incidence of data breaches

Organizations worldwide that invested in maturing their data privacy practices are now realizing tangible business benefits from these investments, according to Cisco’s 2019 Data Privacy Benchmark Study. The study validates the link between good privacy practice and business benefits as respondents report shorter sales delays as well as fewer and less costly data breaches.

Business benefits of privacy investments

The GDPR, which focused on increasing protection for EU residents’ privacy and personal data, became enforceable in May 2018. Organizations worldwide have been working steadily towards getting ready for GDPR. Within the study, 59 percent of organizations reported meeting all or most requirements, 29 percent expect to do so within a year, and 9 percent will take more than a year.

“This past year, privacy and data protection importance increased dramatically. Data is the new currency, and as the market shifts, we see organizations realizing real business benefits from their investments in protecting their data,” said Michelle Dennedy, Chief Privacy Officer, Cisco.

Customers are increasingly concerned that the products and services they deploy provide appropriate privacy protections. Those organizations that invested in data privacy to meet GDPR experienced shorter delays due to privacy concerns in selling to existing customers: 3.4 weeks vs. 5.4 weeks for the least GDPR ready organizations. Overall the average sales delay was 3.9 weeks in selling to existing customers, down from 7.8 weeks reported a year ago.

GDPR-ready organizations cited a lower incidence of data breaches, fewer records impacted in security incidents, and shorter system downtimes. They also were much less likely to have a significant financial loss from a data breach.

Beyond this, 75 percent of respondents cited that they are realizing multiple broader benefits from their privacy investments, which include greater agility and innovation resulting from having appropriate data controls, gaining competitive advantage, and improved operational efficiency from having data organized and catalogued.

More than 3,200 global security and privacy professionals in 18 countries across major industries responded to the Cisco survey about their organizations’ privacy practices. Key findings include:

- 87 percent of companies are experiencing delays in their sales cycle due to customers’ or prospects’ privacy concerns, up from 66 percent last year. This is likely due to the increased privacy awareness brought on by GDPR and the frequent data breaches in the news.
- Sales delays by country varied from 2.2 to 5.5 weeks, with Italy, Turkey and Russia at the lower end of the range, and Spain, Brazil and Canada at the higher end. Longer sales delays can be attributed to areas where privacy requirements are high or in transition.
- Delayed sales can cause revenue shortfalls related to compensation, funding, and investor relations. Delayed sales also can become lost sales if a potential customer buys from a competitor or decides not to buy at all.
- Top reasons cited for sales delays included investigating customer requests for privacy needs, translating privacy information into customer languages, educating customers about an organization’s privacy practices, or redesigning products to meet customer privacy needs.
- By country, GDPR-readiness varied from 42 percent to 75 percent. Spain, Italy, UK and France were at the top of the range, while China, Japan and Australia were on the lower end.
- Only 37 percent of GDPR-ready companies experienced a data breach costing more than $500,000, compared with 64 percent of the least GDPR-ready companies.

Source
8. The government ID database, Aadhaar, became the victim of multiple data breaches which are reported to have compromised the records of the 1.1 billion citizens of the country who were registered in it.

In 2018, cybercrime, more threatening than ever, drove back-to-back data breaches across the world which endangered the personal records of millions of people, and India is reported to be the largest victim of those breaches.

The findings of the 14th edition of the World Economic Forum's Global Risks Report 2019 set out the risks posed by environmental degradation: of the top five most impactful global problems this year, four are related to climate. In 2019, geo-economic and geopolitical issues are the most pressing concerns, and 90 percent of experts are anticipating further conflict among the major powers.

In January, criminals were reported to be selling access to the personal records of citizens at a cost of 500 Rs for a time period of 10 minutes, while in March a leak allowed the names and ID numbers of the registered citizens to be downloaded by anyone. Other recent instances of data breaches include millions of users of Facebook and MyFitnessPal having their personal data compromised.

The report by the World Economic Forum outlined the deteriorated international relations which pose serious challenges. It highlighted the reduced ability of the world to battle urgent crises. Other aspects put forth by The Global Risks Report include the rapid worsening of trade disputes, deterioration in economic and geopolitical conditions and worsened international cooperation. Furthermore, the findings of the report indicated further challenges to multilateral trading rules and agreements. According to eighty-five percent of the participants in the 2019 survey, heightened risks of "political confrontations between major powers" are expected as the year progresses.

Beyond the short term, environmental dangers have continued to dominate the concerns of the survey participants for over 10 years. In the words of Borge Brende, President, World Economic Forum: "With global trade and economic growth at risk in 2019, there is a more urgent need than ever to renew the architecture of international cooperation. What we need now is coordinated, concerted action to sustain growth and to tackle the grave threats facing our world today."

Source
  9. The folks behind the largest known hack of user data to date are finally paying up. Yahoo, now owned by Verizon, recently agreed to pay $117.5 million as part of a proposed class action settlement stemming from a series of breaches in the 2010s that affected 3 billion people—basically Yahoo’s then-entire user base. If you had a Yahoo account during that time, you might have already received an email this week telling you all this, along with the fact that you may be eligible for free credit monitoring or up to $100 as recompense for that whole to-do. The deadline for claims is July 20. The question now, as you may be asking yourself, is how does one cash in on Yahoo’s apology? Any U.S. resident who had an account between Jan. 1, 2012 and Dec. 31, 2016 is eligible to submit a claim here for either two years of free credit monitoring through AllClear ID or “alternative compensation”: cold, hard cash of up to $100 if you show you already have credit services. Individuals can also file claims through the mail and online for any out-of-pocket costs tied to these breaches. Users that can document specific losses suffered because of these hacks are eligible to receive reimbursement up to $25,000. Though that $100 depends on how many eligible users actually enter claims. It could go as high as $358.80 if most folks opt to do nothing, or it could drop down to a few dollars if even just a third of the 194 million potential class-action lawsuit members file a claim. Not that anyone could blame them, what with the sting of Equifax’s breach still fresh on a lot of our minds. Instead of the $125 windfall most victims originally expected, an absolute pittance for exposing the data of nearly 150 million people, the Federal Trade Commission issued a warning that each claimant in Equifax’s case would likely only get “a small amount of money” if more people didn’t opt for free credit monitoring instead. 
And who wouldn’t want free credit services—compiled from three national credit agencies that include, oh yeah that’s right, the very company that screwed up in the first place! But even Equifax’s breach pales in comparison to Yahoo’s fuck-up history. Hackers, likely state-sponsored, made off with credentials for all 3 billion Yahoo accounts in 2013, though the company didn’t disclose the breach—along with a separate incident in 2014 that affected 400 million accounts—until 2016. The Securities and Exchange Commission ultimately hit Yahoo with a $35 million fine for its failure to quickly inform users that their information might have been stolen. Even still, it took another full year before the full extent of that first breach became known; Yahoo’s original estimates had the number of victims at 1 million. A final hearing on Yahoo’s settlement is scheduled for April.

Source
10. Will “trust us” cut it when Google gets access to your kids’ school-based health records? How much more evidence do we need to compile before the federal government protects our children and fully deplatforms Google from American public schools?
The Silicon Valley behemoth has already admitted it illegally collected children’s personal information on YouTube without parental consent, mines students’ browsing habits and emails, and tracks kids’ locations, audio and search history through Google educational apps and logons that are required for millions of students to participate in public schools. Well, there’s more. Much more. Let us review the most recent alarming disclosures that expose grave public health and safety threats posed by the near-trillion-dollar company with its tentacles tightly wrapped around our kids’ eyeballs, brains and behavioral data. This week, the tech giant admitted for the first time that its data export service, Google Takeout, had accidentally sent the private information and videos of untold thousands of users to other strangers’ accounts. The breach occurred in late November, but users only started receiving notices and apologies on Monday — nearly three months later. “We are notifying people about a bug that may have affected users who used Google Takeout to export their Google Photos content between Nov. 21 and Nov. 25,” an email sheepishly explained. “These users may have received either an incomplete archive, or videos — not photos — that were not theirs. We fixed the underlying issue and have conducted an in-depth analysis to help prevent this from ever happening again. We are very sorry this happened.” Can you imagine a similar breach of minors’ photos and videos stored on students’ Google Drives, Chromebooks, smartphones or home computers used to log on to mandatory learning management systems integrated with Google, such as Canvas or Schoology or Blackboard? It’s easy if you try. Will “upsy-daisy” suffice when schoolkids’ pictures, embedded with geolocation data, end up on a friendly neighborhood registered sex offender’s Google Photos album? 
Two months ago, The Wall Street Journal reported that Google had secretly harvested “tens of millions of medical records” with identifying names, lab results, diagnoses, immunization records and prescriptions from thousands of hospitals across 21 states. “Project Nightingale” was a partnership with Ascension health system to build a search tool and data analytics using machine-learning algorithms. At least 150 Google employees had access to confidential patient data. Amazon, Microsoft and IBM have acquired private health data as well. It’s a massive Big Tech bonanza. The implications for selling off children’s private health information are chilling. Like federal Health Insurance Portability and Accountability Act protections for patients, federal Family Educational Rights and Privacy Act protections have been sabotaged by “public-private partnerships” between government education officials and tech companies with insatiable appetites for data. Will “trust us” cut it when Google gets access to your kids’ school-based health records? Meet “Gaggle.” Fully integrated with Google Apps for Education and designated as a Google Premier Partner, this snooping system is marketed to school districts as a “safety” mechanism for students. 
Through 24/7 monitoring of kids’ online use, Gaggle “alerts school officials when students show signs of self-harm, depression, thoughts of suicide, substance abuse, cyberbullying, unhealthy relationships and credible threats of violence against others.” Privacy experts for a pro-digital learning nonprofit called Common Sense determined that it is “unclear” whether Gaggle “allows users to control how their data are displayed,” “whether this product allows parents to withdraw consent for the further collection of their child’s information” and “whether this product provides parental consent notice.” Despite all of that uncertainty, 1,400 school districts use Gaggle to mine “social media, browsing history, email, homework documents, uploads, chats, pictures, and calendars” — and put untold tens of thousands of students at risk of privacy breaches that could do damage for a lifetime. Last spring, Google reported at an education conference that it had started making its cloud platform program accessible to K-12 school districts. Evergreen, Washington, public schools chief Derrick Brown bragged about his district’s data-mining pilot program with Google. “We have tons of data in our school districts,” he is quoted outlining in Education Week, citing information gathered through “student information systems, instructional software programs, online surveys of children’s social-emotional well-being, and special-needs students’ individualized education plans.” “All that data needs to go in a container,” Brown explained. And that container will be Google Cloud Platform. Now, imagine questionnaires and tests stored in the G-container measuring “social-emotional well-being” of children and their families according to politically correct ideology. 
Imagine being a parent who objects to mandatory vaccine laws or who holds “America first” views deemed “extremist” and “hateful” or who stores guns responsibly at home — information that is not the business of a school district or Silicon Valley giant. Where’s the protection for such families? What’s the academic justification for gathering it? Brown hasn’t bothered to figure out yet how parents will be able to maintain control over the data. Why bother? It’s free! What possible academic benefits could outweigh the real harm posed by school officials’ addiction to “free” Google services? Understand this before it’s too late: When the educational products are “free,” it’s our children who are the products — or the prey. Source
11. With credential stuffing attacks running rampant, TripAdvisor will invalidate a member's password if their email and password were found in publicly leaked data breach databases.

A friend received an email from TripAdvisor.com yesterday and was concerned that it was a phishing email because it stated their email address and password were found in a "lists of publicly leaked passwords". Due to that, the company invalidated their password and they would need to reset it before they can login again.

While receiving this email may at first make a person think it is a phishing scam, it is in fact a legitimate email. TripAdvisor is doing this to prevent a member's account from being compromised using credential stuffing attacks. A credential stuffing attack is when attackers compile usernames and passwords that were leaked from previous security breaches and use those credentials to try and gain access to other sites.

With new reports of data breaches or leaks coming out almost every day and people using the same password at every site where they create an account, TripAdvisor's policy is a good one as it only protects their members. So if you receive this email, do not be worried and just reset your TripAdvisor password at https://www.tripadvisor.com/MemberForgotPassword if you wish to login to the site again.

The email TripAdvisor sends out when it encounters one of their members using the same credentials that were found in a leaked data breach or leak can be read in its entirety below:

Dear TripAdvisor Traveler,

As part of our ongoing efforts to protect your security, TripAdvisor recently compared our member databases with lists of publicly leaked passwords. Unfortunately, your email and password were included on a list of leaked passwords. As a result, to protect your TripAdvisor account we have invalidated your password.

We recommend that you create a strong password that includes:

* A unique combination of words, numbers, symbols, and both upper- and lower-case letters
* A minimum of eight (8) characters
* No commonly used words

Please visit the following page to create a new password for your account: https://www.tripadvisor.com/MemberForgotPassword

In addition, we recommend that you take additional steps for the safety of your other online accounts. If your discontinued TripAdvisor password is used on any other site or app, change your password on those sites/apps — and avoid using any password on more than one site.

Thank you for being a valued part of our community, and for taking a moment to create a new password. If you have questions about any of this information, please contact us at [email protected]

Best Regards,
The TripAdvisor Team

Source
12. Worldwide Accellion data breaches linked to Clop ransomware gang

Threat actors associated with financially-motivated hacker groups combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion's legacy File Transfer Appliance and steal data. The attacks occurred in mid-December 2020 and were part of attacks that involve the Clop ransomware gang and the FIN11 threat group. The file-encrypting malware was not deployed in the recent incidents, though. It appears that the actors opted for an extortion campaign. After stealing the data, they threatened victims over email with making stolen information publicly available on the Clop leak site unless a ransom was paid.

BleepingComputer has been tracking these Accellion-related breaches and discovered almost a dozen victims. Among them are Singtel (Clop claims to have 73GB of data), QIMR Berghofer Medical Research Institute, Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor ("SAO"). Additional victims include:

- supermarket giant Kroger
- technical services company ABS Group
- law firm Jones Day
- Fortune 500 science and technology corporation Danaher
- geo-data specialist Fugro
- the University of Colorado

A press release from Accellion today says that of about 300 customers using its legacy, 20-year-old File Transfer Appliance (FTA), less than 100 were victims of these attacks from Clop and FIN11, and that less than 25 appear to have suffered significant data theft. Accellion patched the vulnerabilities and continues its mitigation efforts. The company “strongly recommends that FTA customers migrate to Kiteworks” - an enterprise content firewall platform that has a different code base, features a security architecture, and includes a segregated, secure devops process.

Incident responders at FireEye Mandiant investigated these attacks for some of their customers and highlighted the collaboration between Clop ransomware and the FIN11 gang in this campaign. Both groups have worked together before. Last year, FIN11 joined the ransomware business and started to encrypt the networks of their victims using Clop. Mandiant has been tracking the recent exploitation of Accellion FTA using multiple zero-days as UNC2546. The following vulnerabilities have been discovered:

- CVE-2021-27101 - SQL injection via a crafted Host header
- CVE-2021-27102 - OS command execution via a local web service call
- CVE-2021-27103 - SSRF via a crafted POST request
- CVE-2021-27104 - OS command execution via a crafted POST request

The researchers distinguish this activity from the extortion campaign, which they track as UNC2582. However, they did notice overlaps between the two and previous operations attributed to FIN11.

New DEWMODE webshell planted on Accellion devices

While investigating the incidents, the researchers observed that the intruders used a previously undocumented webshell that they called DEWMODE. “Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.”

The researchers reconstructed the compromise of Accellion FTAs using system logs from the breached devices, tracing the initial entry, the deployment of DEWMODE, and the follow-up interaction. The attacker used the SQL injection vulnerability to gain access and then followed with requests to additional resources. Once they obtained the necessary access level, the hackers wrote the DEWMODE web shell to the system.

The role of the webshell was to extract a list of available files from a MySQL database on the FTA and to list them on an HTML page along with the accompanying metadata (file ID, path, filename, uploader, and recipient). A blog post from Mandiant today explains all the technical aspects regarding the use of the web shell and how the hackers gained access to their targets.

Source: Worldwide Accellion data breaches linked to Clop ransomware gang
13. Data breaches are a ticking timebomb for consumers

Damage from data breaches goes far beyond the impact to the target organisation – an obvious fact that is too often overlooked, says F-Secure

The impact of corporate data breaches is becoming more widespread than ever, with ramifications spreading far beyond reputational or financial damage to businesses to hit consumers and their families, often months or years down the line, according to new data from F-Secure.

In a newly published report, F-Secure found that three in 10 respondents to its survey had experienced some form of cyber crime – such as a malware or virus infection, email or social media account hacking, or credit card fraud – in the past 12 months. However, this rose to six in 10 among respondents using one or more online services that had been breached in a cyber attack – a group F-Secure referred to as “The Walking Breached”.

With over 500 breaches – three a day – disclosed in the first six months of 2020 alone, F-Secure said that over 163 million people will have had some form of personally identifiable information (PII) compromised, but the effects of this rarely make headlines, and those impacted rarely achieve restitution or justice. The rise of entire underground industries purposely designed to help cyber criminals monetise stolen data, such as passwords and login credentials, further highlights the scale of the problem, and fuels the risk of future cyber crime, said F-Secure.

“Personal information stolen from organisations can easily end up being used against people and families through different types of identity theft, fraud, or other types of harm,” said F-Secure consultant Laura Kankaala. “And with more and more information being stored digitally, what criminals can do with people’s information keeps getting worse.
So these attacks on companies can really end up hurting people and not just a business’s bottom line.”

Among the most significant impacts on The Walking Breached is stress and concern arising from cyber crime, cited by 51% of victims, alongside wasted time, also cited by 51%. This came above loss of personal information or loss of control of personal information, cited by 27%; financial loss, cited by 24%; and data loss, cited by 12%.

“Recovering hacked or lost social media accounts can sometimes be really difficult and we tend to recognise the value of something only once it’s gone,” said Kankaala. “These accounts are not ‘just social media’ or ‘just email’ – they hold records of our past, pictures we may not have stored anywhere else or conversations that are either private or something we’ll miss once they’ve been deleted.”

F-Secure also reported more acute impacts in families with children, who experienced nearly every type of cyber crime more frequently than their childless counterparts.

Fortunately, wrote the report’s authors, the risk of becoming one of The Walking Breached can be mitigated to some extent by paying more attention to some of the basic tenets of cyber security. With half of this group saying they reused passwords, and 70% saying they reused passwords with slightly changed variations, adopting basic credential hygiene is the best place to start. If possible, and affordable, going beyond passwords by adopting some form of multifactor authentication, preferably using some sort of local, USB-A or -C based hardware, will add further protection, while investing in identity protection and monitoring services is now becoming a more feasible option.

Source: Data breaches are a ticking timebomb for consumers
14. Universities Face Double Threat of Ransomware, Data Breaches

Lack of strong security policies puts many schools at risk of compromise, disrupted services, and collateral damage.

Institutions of higher education continue to have problematic password policies, lack multifactor authentication (MFA), and have a plethora of open ports — despite suffering dozens of ransomware attacks and targeting by attackers focused on stealing student information and university research, according to a new study published Tuesday.

An analysis by cybersecurity services firm BlueVoyant of publicly reported cybersecurity incidents involving higher education found that over the past two years, about 9% of the passwords on a common list used by attackers matched those used in combination with a university-assigned e-mail address. Meanwhile, about two-thirds of universities had no DNS-based e-mail security protocols in place, and 38% of all universities had at least one open database port.

While universities have traditionally seen the same types of attacks that other organizations do — and perhaps more nation-state espionage attacks because of their research, especially those institutions focused on COVID-19 — their openness and vulnerability puts them at greater risk, says Austin Berglas, former head of cyber at the FBI's New York office and global head of professional services at BlueVoyant.

"The risks that we outline are not impossible to remediate," he says. "However, especially in COVID times when you have an already-understaffed and underfunded IT team whose primary focus is to make sure that everyone has a working laptop and camera for remote learning ... it is daunting."

Because educational institutions are focused on access to learning and freedom to exchange knowledge, security is often a difficult prospect. In the US, almost every student — 97% — used their own laptop for at least one course and 89% used their own smartphones, according to an October 2019 survey conducted by the EDUCAUSE Center for Analysis and Research. A UK study found similar usage, with 93% of students using their own laptops and 83% using their own smartphones. The combination of students using personal systems with the difficulty in enforcing security policies undermines many of the potential protections.

When online textbook service Chegg suffered a compromise in April 2018, about an eighth of the 40 million subscribers affected by the breach used their university e-mail addresses as passwords, the BlueVoyant report states. Those credentials, combined with password reuse and weak security policies, make such breaches a significant threat, says Berglas. Looking at a subset of 30 public universities, BlueVoyant's analysis found an "across-the-board lack of basic e-mail security and a lack of multifactor authentication," he says. "This makes phishing, for example, a huge vulnerability."

Passwords continue to be a large issue, especially because MFA has not made significant inroads at schools. BlueVoyant collected billions of credentials from publicly available username and password lists, so-called "combolists," and compared those credentials to a list of 14.3 million popular passwords — the RockYou.txt file. Of the credentials that used an e-mail address from a .edu domain as a username, about 9% had passwords on the RockYou.txt list, the company found.

The problem extends beyond just gaining access to student e-mail messages, says Berglas. "There is a massive amount of password reuse going on," he says. "Students and staff use their .edu accounts not just for school stuff, they use it for everything. And they often hang onto them long after they graduate. And so we see the reuse of those passwords be really critical with credential-stuffing attacks and brute-force attacks, and with allowing the bad guys to utilize those credentials for multiple other accounts."

Such weaknesses make attacks easier for the top higher-education attacker — ransomware gangs. With most schools offering virtual learning during the spring semester, they are particularly vulnerable to the operational disruption used by ransomware attackers to ensure payment, Berglas says. "When they had on-site learning prior to the pandemic, if a school got hit with ransomware, maybe they could make the business decision to not pay the ransom because they could fall back to old-school learning," Berglas says. "But when 100% of your students are remote learning, and then you get hit with ransomware and the network goes down, it is forcing the hands of these universities to pay the ransom."

The company advised universities to adopt long passwords and implement MFA across all sensitive accounts, including e-mail access. To enforce these requirements, the organizations should monitor authentication attempts for anomalous activity and lock accounts that have nontypical behavior. In addition, password strength should be checked using blacklists, strength tests, or machine-learning algorithms designed to spot weak passwords.

Source: Universities Face Double Threat of Ransomware, Data Breaches
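Two of the posts above describe the same defensive control from different angles: TripAdvisor (post 11) "compared our member databases with lists of publicly leaked passwords" and invalidated matching passwords, and BlueVoyant (post 14) recommends checking password strength against blacklists such as RockYou.txt. The following is an added example, not TripAdvisor's or BlueVoyant's code, showing how a site that stores only salted hashes can run both checks. The member accounts, the leaked combolist and the five-entry blocklist are constructed for the demonstration; a real deployment would load a breach list and a blocklist file in place of the inline constants.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a breached-password list such as rockyou.txt, kept as
# SHA-1 digests so the plaintexts never sit next to member data.
BLOCKLIST_PLAINTEXTS = ["123456", "password", "qwerty", "letmein", "iloveyou"]
BLOCKLIST_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in BLOCKLIST_PLAINTEXTS}

# Constructed combolist as a site would obtain it from a public leak: (email, plaintext).
LEAKED_COMBOLIST: List[Tuple[str, str]] = [
    ("alice@example.com", "correct horse battery staple"),  # reused on this site
    ("bob@example.com", "letmein"),                         # reused and on the blocklist
    ("carol@example.com", "old-password-from-2016"),        # no longer her password here
    ("nobody@example.com", "hunter2"),                      # not a member at all
]

# Constructed member accounts used to build the sample database.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "letmein",
    "carol@example.com": "Tr0ub4dor&3-but-unique",
}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, the form in which a site stores passwords."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def is_blocklisted(password: str) -> bool:
    """Set-time check: reject any password that appears on the breached list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BLOCKLIST_SHA1


def build_user_db(accounts: Dict[str, str]) -> Dict[str, dict]:
    """Member database keyed by lower-cased email: {salt, hash, active}."""
    db: Dict[str, dict] = {}
    for email, pw in accounts.items():
        salt, digest = hash_password(pw)
        db[email.lower()] = {"salt": salt, "hash": digest, "active": True}
    return db


def invalidate_leaked_passwords(db: Dict[str, dict], combolist) -> List[str]:
    """Sweep a leaked combolist against the member database.

    Because the site holds only salted hashes, the only way to learn whether a
    member's current password is in the leak is to run each leaked plaintext
    through that member's own salt and compare. A match invalidates the password
    (forcing a reset on next login) and the email is returned for notification.
    A leaked pair whose password no longer matches is left alone.
    """
    invalidated: List[str] = []
    for email, leaked_pw in combolist:
        user = db.get(email.lower())
        if user is None or not user["active"]:
            continue
        if verify_password(leaked_pw, user["salt"], user["hash"]):
            user["active"] = False
            invalidated.append(email.lower())
    return invalidated


if __name__ == "__main__":
    members = build_user_db(SAMPLE_ACCOUNTS)
    hit = invalidate_leaked_passwords(members, LEAKED_COMBOLIST)
    print("passwords invalidated for:", hit)  # alice and bob only
    for candidate in ["letmein", "correct horse battery staple"]:
        print(candidate, "blocklisted:", is_blocklisted(candidate))
```

The sweep is deliberately keyed on the leaked email rather than on the leaked password alone: a password that appears in a leak under someone else's email is not evidence that this member reused it, whereas a leaked pair that verifies against the member's own salted hash is. The blocklist check runs at password-set time, which is where the "blacklist" advice in post 14 applies; the combolist sweep runs whenever a new leak is obtained, which is what produced the TripAdvisor email in post 11.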