Third-party cyber-attacks remain one of the most significant threats facing organisations across the globe. Most recently, Bank of America, a multinational investment banking and financial services corporation, began notifying customers that a November 2023 hack against one of its service vendors resulted in the exposure of personally identifiable information (PII). 

The breach occurred following a security incident against Infosys McCamish Systems (IMS), a subsidiary of Infosys that provides deferred compensation plan services to Bank of America. According to the IMS notification letter filed with the Maine Attorney General, “On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications.” 

The notice revealed that while only 57,028 of Bank of America’s millions of customers were directly impacted by the breach, the PII exposed included Social Security Numbers, credit card and account numbers, as well as names and addresses. This is an incendiary mix of data, one that threat actors could easily leverage to launch social engineering attacks against any of the impacted individuals. 

Then, on November 4th, IMS notified Bank of America that data relating to its customers may have been exposed. On the same day, the infamous ransomware gang LockBit claimed responsibility for the attack, saying it had encrypted over 2,000 IMS systems.  

“Vendor risk is continuing to become more of a concern,” commented Erich Kron, Security Awareness Advocate at KnowBe4. “Bad actors are finding that attacking the large organizations with significant budgets for cybersecurity and data protection can often be less effective than attacking those that process the same information but may not have the same budget to protect it.” 

While Kron explained that using third-party vendors isn’t a bad thing on its own, he also pointed out how “it’s critical to ensure that policies and procedures exist related to the protection of any data being shared. Making sure that contracts define what information is being processed and how long it’s been retained is a very important part of this data management with third parties. In addition, information should be limited as much as possible and anonymized whenever it’s an option.” 

Interestingly, this is not the first time Bank of America has been impacted by a third-party cyber-attack. In May 2023, Ernst & Young, an accounting firm providing services to the bank, was hacked by the Cl0p ransomware gang by way of the MOVEit file transfer zero-day exploit. In this incident, personal data like SSNs and financial information of Bank of America customers were also exposed.  

The fallout from the MOVEit hack was explosive, impacting mainly third-party vendors and, as a result, their many, varied customers.  

Indeed, Ray Kelly, fellow at the Synopsys Software Integrity Group, said, “[The MOVEit] issue caused massive amounts of stolen data from large organisations and even the US Government. Ensuring the trust chain between organisations, while not a simple task, is essential to protecting consumers’ private information.” 

Hackers have certainly cottoned on to the weakness of third-party, supply-chain vendors. Where big enterprises like Bank of America most likely have mature cybersecurity protocols, vendors like IMS might not prioritise their cyber posture as they ought to. But really, they ought to. The malicious moxie of cybercriminals and cybergangs continues to evolve daily, and vendors can no longer afford to neglect cybersecurity expertise.  

As Tom Kellermann, SVP of Cyber Strategy at Contrast Security, commented, “By targeting these less secure vendors [cybercriminals] can successfully compromise major banks. The regulators must mandate higher standards of cybersecurity for shared service providers.” 

And yet, this doesn’t absolve organisations like Bank of America of responsibility either. Sure, IMS (and previously, Ernst & Young) were the parties actually hacked, but it was Bank of America customers who were impacted. Did the bank do its due diligence to ensure that its vendors were handling data in a sophisticated manner? In the wake of these events, the answer is probably no. The question then becomes: how much longer will banks, enterprises, and even government organisations accept lacklustre cybersecurity standards from their vendors? 

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, commented, “Financial institutions, particularly banks, have long been prime targets for cybercriminals due to the vast amount of sensitive information they hold. This breach underscores the need for financial institutions to adopt a proactive approach to cybersecurity, embracing continuous monitoring and threat intelligence capabilities to detect and respond to threats in real-time.”  

Al Lakhani, CEO of IDEE, added, “Protecting the supply chain is critical. Especially when they can cause these kinds of attacks. Therefore, relying on first generation MFA that requires two devices and lacks the capability to prevent credential phishing attacks is a non-starter.  

“To fortify supply chains effectively, they must be protected using next-generation MFA solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same device MFA.” 

Darren James, a Senior Product Manager at Specops Software, an Outpost24 company, commented, “When outsourcing services to 3rd parties that handle personally identifiable or sensitive information, both for employees and customers, appropriate risk assessments should always be made.”  

In fact, James suggested asking the following questions when it comes to risk assessing third parties:  

  • Do they regularly scan for breached passwords? 
  • Do they have strong MFA controls in place especially with access to customer data? 
  • Do they scan the internal and external attack surface of their IT systems? Can you see a summary of recent results? 
  • Where is the data held, under which country’s jurisdiction, and is your data always encrypted in transit and at rest? 
  • What security, backup, disaster recovery policies and procedures do they have in place? 
  • Do they comply with regulatory requirements for your industry? 
  • What guarantees and insurance do they offer if their systems are compromised? 
  • Do they outsource your data to any other parties? 

Sean McNee, VP of Research and Data at DomainTools, concluded, “The deeply interconnected nature of running business online generates tremendous value for consumers and business owners alike, but it also fundamentally changes the threat landscape businesses must defend themselves against. Supply chain attacks such as this highlight the unique challenges operating today. Unfortunately, customers end up suffering long term effects from these events.” 

“Stay frosty out there,” McNee warned. The best thing consumers can do is to stay vigilant, alert, and proactive. And if you are one of those impacted, make sure to take advantage of that free credit monitoring service. 

The post Cyber gaps in the supply chain — Bank of America breached in another vendor cyberattack first appeared on IT Security Guru.

A household name among American media companies, Verizon Communications on Wednesday began notifying employees that an insider may have gained access to their data. According to the breach notice to the Maine Attorney General, an unauthorized employee opened a file containing sensitive data of 63,206 other employees. 

While customers are not believed to have been impacted in this breach, Verizon is warning that the exposed employee data could include Social Security Numbers, National Identifiers, full names, home addresses, DOBs, compensation information, gender, and union affiliations.  

The unauthorized employee initially gained access to this document in September 2023, but Verizon did not discover the incident until December, almost 3 months later. At this time, it is unknown what the unauthorized employee may have done with the data, or if they intend to use it for nefarious purposes.  

In the notification, Verizon states that there isn’t yet any evidence the data has been used maliciously. Fortunately, Verizon has taken steps to mitigate any potential fallout. In the statement, the company said, “We are working to ensure our technical controls are enhanced to help prevent this type of situation from reoccurring and are notifying applicable regulators about the matter.” 

Verizon has also arranged for impacted individuals to receive free identity protection and credit monitoring services for 2 years.  

“Verizon says they have no evidence the information was moved externally or used maliciously. Unless they are leaving out a key detail, this is about as innocuous as an ‘insider threat breach’ gets,” commented Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. 

“I will say that this is a testament to the monitoring that Verizon is doing to have even noticed and acted upon it. I think it’s probably very common…and I mean happening all the time in most companies…that people who are not authorized to access particular data still do so. I remember this happening in companies I worked for 30 years ago. This is far from rare. What is different is that Verizon and many other companies are now looking for and monitoring these types of situations, and alerting impacted potential victims, if any. That’s progress!”  

On the other hand, Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, explained the risks of insider threats and some of the ways organizations can prevent them: 

“Insider threats, whether intentional or inadvertent, represent a substantial and often underestimated risk to organizational security and data integrity. Insider threats are harder to discover and neutralize since they originate from within the organization’s trusted perimeter, unlike external threats, which may be more obvious and straightforward to detect. Of particular concern in insider attacks is the delayed detection of the breach. Organizations must utilize advanced threat detection tools to promptly discover and address any questionable activity or unusual network behaviour. Timely detection can significantly mitigate the impact of breaches and reduce the likelihood of prolonged exposure of sensitive data. Organizations, furthermore, must prioritize investments in staff training and awareness programs to educate employees about the importance of cybersecurity best practices.” 

The question remains: was this incident the work of a malicious actor, or was it simply an employee who clicked into the wrong document, never to think about it again? We may soon find out. 

Roger Grimes wonders the same: “Did they simply look for it and stumble across it, or did they do something nefarious to access it? Either way, did Verizon address how it happened so it won’t happen in the future? That’s the question I put to any company suffering a data breach — how did it happen and was something done to prevent similar actions in the future?” 

The post Verizon Breach – Malicious Insider or Innocuous Click? first appeared on IT Security Guru.

Yesterday, the security team at Cybernews announced what will likely prove to be the largest data breach of all time. In a joint effort with security researcher Bob Dyachenko, the Cybernews team found an open instance on the web containing billions of exposed records. This breach, amounting to an incredible 12 terabytes of information and 26 billion records, is being dubbed the Mother of All Breaches, or MOAB for short. 

From Twitter and LinkedIn to Adobe and Wattpad and many more, leaked data from major online brand names was found in the MOAB instance. Tencent, the Chinese messaging app, had the largest number of exposed records, 1.4 billion alone. Additionally, records from global governmental organizations were also found.  

Greg Day, SVP and global field CISO at Cybereason, commented that: “As we head towards 6 years of GDPR, it’s clear that numerous businesses face challenges in promptly detecting increasingly intricate cyber-attacks, with the average response time often extending to hundreds of days.” 

As a result, the combined records of all these consumers are now exposed to anyone on the web. And, while a lot of this information likely originated from previous breaches, there is undoubtedly some as-of-yet unseen data in the mix too.  

The identity of the person, or persons, behind the MOAB is one of the questions that remains. It could be a threat actor or an access broker. In short, it is likely someone with an interest in having easy access to so many billions of records.  

Even though the MOAB may contain duplicated data in places, that hardly diminishes the impact. The consequences facing consumers following this breach cannot be overstated. For hackers, this treasure trove of data will become an incredibly easy way to source PII (Personally Identifiable Information) on their targets. 

According to Paul Bischoff, Consumer Privacy Advocate at Comparitech, “With a single query, a hacker could find out everything about you that’s been leaked online, from old passwords to your hobbies and interests. These databases will only get more complete as time goes on, making it harder for victims to fend off fraud and other crimes.” 

This information could be used maliciously for phishing, credential stuffing, and identity theft. 

The implications of this could prove to be immense. Indeed, considering many consumers reuse usernames and passwords across multiple online platforms, the fallout of this MOAB could be even more far-reaching than it already is. 

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, agrees, explaining that, “The potential consumer impact of the MOAB is unprecedented, with the researchers highlighting the risk of a tsunami of credential-stuffing attacks. This threat is particularly potent due to the widespread practice of username and password reuse.” 

So, what can be done in response to this? Can anything be done?  

According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, the lack of data privacy is almost a given at this point. “I think most people in this world now correctly think that at least some portion of their personal information is available on the Internet. It’s a sad fact of life and I wonder how it impacts younger people and society overall to grow up in a world where our private information is no longer private.” 

But that doesn’t mean it’s hopeless.  

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, suggests some integral ways that users can protect themselves. “I have long urged all internet users to act as if their personal data is available somewhere on the web. This means users should double check their login information for every site… Users should also stay alert for phishing emails, text messages, and phone calls from parties using the data in the database.” 

It’s also important that concerned individuals check whether their personal information is involved in the breach. This can be done with the handy personal data check tool on the Cybernews site. By inputting an email or phone number, consumers may find out if any of their related PII is exposed online.  

Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal, adds that it isn’t just individuals that need to be on guard, but organisations too. “It’s crucial for organizations to prioritize data protection and invest in comprehensive cybersecurity strategies. This includes awareness training, secure password managers, security audits, robust encryption, and incident response plans.” 

Tom Gaffney, a cybersecurity expert at F-Secure, said: “A case like this emphasises the need for individuals to be proactive in safeguarding their data and understanding how to reduce their risk. Research that we recently conducted found that almost a third of Brits (29%) don’t know what action they can take to mitigate the risks of their data being compromised.” 

The outlook following the Mother of All Breaches is, admittedly, dire. But only time will tell how it all unfolds. In the meantime, if at-risk consumers and organizations take the appropriate steps today, there may be a chance for us all, collectively, to come out unscathed.  

The post ‘Mother of all breaches’ uncovered after 26 billion records leaked first appeared on IT Security Guru.

For many years, the cryptocurrency industry has waited with bated breath for the U.S. Securities and Exchange Commission (SEC) to finally approve Bitcoin ETFs. Finally, on Wednesday the SEC granted this wish, announcing the approval for “a number of spot bitcoin exchange-traded product (ETP) shares.”  

But this was not before a hacker had the first laugh. 

Tuesday afternoon, a day prior, the official X account of the SEC was hacked, and a false announcement was released, declaring the approval of Bitcoin ETFs.  

In the brief period before this false tweet would be deleted and debunked by the SEC, the cryptocurrency industry celebrated this momentous decision. The markets even reflected this excitement, as Bitcoin spiked to a price of $48,000 following the release of the fraudulent tweet.  

The excitement was quickly snuffed out, however, when the post was taken down and SEC Chair Gary Gensler announced that it had been the work of an unidentified hacker who had taken control of the SEC’s official X account for a short period.  

Following this event, the SEC is investigating the incident alongside law enforcement to identify the person or persons behind the hack, and their purpose.  

According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, “The hacker could have been someone who wanted to profit on the temporary BTC pricing jump on the fake news, simply a crypto enthusiast trying to make a point, or it could have been a more thoughtful protest attack. The attacker seemed to want to intentionally embarrass the SEC.” 

He explained that the SEC had certainly taken their time approving the Bitcoin spot ETF, “often citing potential easy illegal market manipulation and cybersecurity concerns as their reasons behind either turning down the ETF application or its slow approval. The hacker then created the ultimate irony and embarrassment by taking over the SEC’s Twitter account and then using it to illegally manipulate the market.” 

Not to mention the question of how exactly this hacker gained access to the account of an organization that, for all intents and purposes, sets the cybersecurity standard for organizations across the country. Unfortunately, it turns out that the X account did not have two-factor authentication (2FA) enabled when the hack occurred, as X Safety announced in a tweet Tuesday night.  

While the official approval for Bitcoin ETF came only a day after the account compromise, the hack caused a significant level of uproar and will likely not be forgotten for some time.  

“While this incident appears to be contained, it demonstrates the impact of compromised social media accounts, particularly when such a highly influential entity is involved,” commented Darren James, a Senior Product Manager at Specops Software, an Outpost24 company.  

“By all appearances, the unauthorized message was flagged almost immediately, which prevented broader fallout. But with the investment community awaiting the agency’s announcement regarding Bitcoin, millions of dollars could have potentially been transacted on fraudulent information.” 

Considering the influence of the SEC within the cybersecurity industry, this bout of misinformation, whatever its purpose, shows how important it is for organizations to maintain a strong and robust security posture, especially ahead of global shifts in industry, money, and politics. 

The post Bitcoin ETFs Approved Following Official SEC X Account Compromise first appeared on IT Security Guru.

Jeremy Hunt, the UK’s Chancellor of the Exchequer, delivered his 2023 Autumn Statement to Parliament on 22 November. In this statement, he outlined the government’s five economic priorities for the upcoming forecast period: reducing debt, cutting taxes, supporting British businesses, building sustainable domestic energy, and providing world-class education.  

The Office for Budget Responsibility (OBR) predicts that the policies as outlined in the 2023 Autumn Statement will reduce inflation and increase business investment by £14 billion. Additionally, it is forecast that the Autumn Statement policies will increase the UK economy’s potential output by 0.3%.  

This statement also includes a plan for an enormous investment in tech, particularly Artificial Intelligence (AI).

Here is a quick run-down of some of the major commitments made in the Autumn Statement.  

Lowering Debt 

In this year’s statement, the Chancellor of the Exchequer has reaffirmed the commitments made in the 2022 Autumn Statement to provide £14.1 billion for the NHS and adult social care. £2 billion will also be made available for schools up until 2025.  

According to the written statement, “tackling waste and inefficiency has always been at the heart of the government’s approach to public spending.” However, inflation continues to add pressure to departmental spending. Regardless, Parliament hopes to raise an additional £5 billion in tax revenue to fund these necessary public services.  

Cutting Taxes 

Following the economic downturn resulting from the COVID-19 pandemic and the war in Ukraine, the Autumn Statement focuses on the ways in which the economy can and will grow. Since inflation is falling, the government vows to return tax money to hard-working citizens.  

Significantly, taxes will be cut for over 29 million working people. For Class 1 employees, the National Insurance contributions (NICs) will be reduced from 12% to 10% beginning January 2024. By reducing taxes, the government hopes to get more people into the workforce and to bolster the labour market.  

The Autumn Statement also outlines other measures to improve economic conditions, such as increasing the National Living Wage (NLW) to £11.44 and supporting various welfare systems for the ill, disabled, and unemployed.  

Supporting British Businesses 

Of particular interest are the commitments in the Autumn Statement to support and restore private sector growth. The government aims to remove barriers for investment and to cut taxes on businesses. Green industry, digital technology, science, and manufacturing are all sectors the government intends to support. The Chancellor has also vowed to back start-up businesses.  

Commenting on the measures to support innovation, Arran Dewar, Executive Director at SIS Ventures, said, “As the Chancellor has rightly said, innovation is the key to our future success as a nation.”  

However, he added, “Within today’s broad package of investment for innovation, we’d also like to see further consideration given to prioritising investment for those ideas and businesses which are delivering positive impacts for people and planet, not just profit.” 

Interestingly, one of the focuses of this statement is the UK’s desire to become a world leader in Artificial Intelligence (AI). In the Spring Budget of 2023, the government allocated £900 million to compute and tech investments. In the Autumn Statement, an additional £500 million has been committed to the development of Artificial Intelligence. According to the official document, “these investments will allow researchers and SMEs to develop new foundation models and maximise the UK’s potential in AI, enabling, for example, the discovery of new drugs.” 

According to Jonathan Boakes, Managing Director at Infinum, this allocation plus the provided tax deduction on IT expenditures shows a robust support for technological innovation. However, there is still a concern that this investment will “not be used wisely.”  

In an email statement, Boakes said, “Success in the AI revolution demands more than just plugging gaps with cash. It requires strategic planning, workforce training, and expert collaboration to maximise the impact and prevent implementing AI for AI’s sake. The rush to embrace AI carries the risk of hasty decisions fueled by FOMO, jeopardising sound judgment. While the financial boost is appreciated, it must come with clear guidelines and support from the Government to empower businesses in utilising it effectively.” 

Claire Trachet, CEO and founder of business advisory firm, Trachet, was a bit more optimistic. “The government’s continued commitment to strengthening the country’s position in artificial intelligence through a further £500m in funding for UK AI will enable tech firms to bring cutting-edge products to market faster and ensure that Britain doesn’t lose its spot as a leader in Europe for this sector.” 

Additionally, she said that the statement “provided welcome news for what has been a turbulent economic period for the UK’s investment ecosystem… [W]ith the extension of the tax break as well as introducing measures to boost foreign investment, relief is on the horizon for companies that have been facing major economic challenges.” 

Finally, some experts noted the distinct lack of improvement to cybersecurity efforts. Al Lakhani, CEO of IDEE, commented, “As a severe and universal threat to businesses and nation-states alike, it is imperative that the public and private sectors work together to create an environment that allows for the development and adoption of world-class cybersecurity solutions.”

“Simplifying R&D tax credits has been a necessity for years, and the Chancellor was right to acknowledge this, albeit very briefly. But it is too early to celebrate; we need to see what shape the reforms will take, and what types of R&D investment will be eligible. Cybersecurity must be one such area, as it is imperative that companies are encouraged to invest in robust cybersecurity infrastructure.” 

In conclusion, the 2023 Autumn Statement has provided a set of long-term plans following a period of economic upheaval where shocks like the pandemic limited the government’s ability to provide relief. With the goal to significantly bolster the UK economy over time, these measures will hopefully mean an increase in business investment, a reduction in debt, lower taxes, and a leading AI ecosystem.  

While the importance of cybersecurity has not yet risen in the esteem of the Chancellor of the Exchequer, there is no doubt it will one day become a top priority, hopefully before it is too late.  

The post AI Receives £500 Million Funding in Finance Minister’s 2023 Autumn Statement first appeared on IT Security Guru.

On November 8th, the Industrial and Commercial Bank of China (ICBC) was impacted by a ransomware attack that disrupted a subset of its Financial Services (FS) systems. ICBC is China’s largest bank, with its Financial Services unit based in New York City. ICBC FS has many operations but has a significant hand in the U.S. Treasury market.  

As the Financial Times first reported, the ransomware attack against ICBC FS came in the form of LockBit 3.0 malware, a product of the notorious LockBit ransomware group. 

According to Jake Moore, Global Cybersecurity Advisor at ESET, “LockBit is a ransomware attack which uses extortion tactics once the malware is in place making it more lethal. It is dangerously self-spreading in organisations and targeted at victims or their systems specifically looking for vulnerabilities such as being able to bypass authentication.”  

He explained that LockBit will then automatically spread the infection and encrypt all accessible computer systems on the network. “Once data has been stolen, the extortion tactics occur.” 

In a statement on the ICBC FS website, the bank announced that following the discovery of the ransomware attack on Wednesday, they immediately “disconnected and isolated systems to contain the incident.” 

Significantly, the attack has impacted the U.S. Treasury market, resulting in ICBC FS clients having to reroute trades through different banking services. Some financial experts are concerned the fallout of this incident will impact liquidity of US Treasuries. 

“The attack on ICBC, China’s largest bank, shows that no organisation is ever safe from the threat of ransomware,” said Camellia Chan, CEO and Co-Founder of Flexxon. “Both old and new gangs and threat actors are always plotting their next move. In fact, ransomware had a record month in September. And we all know the consequences can be disastrous. Just look at MOVEit from earlier this year – cybercriminals accessed data from a whole host of businesses and governments, including Shell and the United States Department of Energy, and is still being felt today across the supply chain.”  

While ICBC FS is a subsidiary of the Industrial and Commercial Bank of China group, its business and email systems operate independently. According to the notice, neither the ICBC Head Office nor the ICBC New York Branch were impacted in the attack. 

This is a developing story, and ICBC FS may yet release more news. Fortunately, the bank’s notice includes reassurance that it is “conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts.”  

The incident has also been reported to law enforcement.  

Roger Grimes, Data-Driven Defence Evangelist at KnowBe4, thinks that this is a surprisingly big and powerful target for LockBit to have gone after.  

“Incidents like this, where there’s “real” money involved, often don’t work out long-term for the ransomware gang involved,” Grimes said in a comment to IT Security Guru.  

He explained, saying, “The authorities not only get involved, but there’s big pressure for people to be arrested and the gang shutdown. I’m surprised the ransomware gang went ahead with the exploitation. Perhaps they didn’t realize what they had and what they would be interrupting. But the Chinese certainly have their own great hackers they can use as an offensive resource and the US authorities are pretty good at identifying culprits and dishing out pain when the money involved is enough. This is one of those cases.”  

However, Chan offered an additional perspective, pointing out that “The ICBC attack has already disrupted trades in the US Treasury market, who is to say the damage will stop there? The good news is, it appears the bank acted swiftly by isolating affected systems, and investigations are ongoing – but this will no doubt shake organisations across the globe. To meet the fast-evolving threat landscape, organisations need to be proactive in recognising security gaps and must address those with innovative, proven solutions at both the software and the hardware layer.” 

The post China’s biggest bank hit by LockBit ransomware; US Treasury markets impacted first appeared on IT Security Guru.

Electric Ireland, an Irish utility company, released an announcement confirming that 8,000 customer accounts containing personal and financial information may have been compromised. 

Though the exact details of the breach are unknown, the statement explained that “Electric Ireland is aware that an employee of a company working on our behalf may have inappropriately accessed a small portion of our 1.1 million residential customer accounts.” 

This, the statement said, has resulted in the potential misuse of the personal and financial information held in these accounts. Electric Ireland has already sent letters to all 8,000 affected individuals, offering advice on how to deal with the potential fallout.

This letter included instructions for customers to contact their banks, as well as to contact Electric Ireland itself. The company is currently collaborating with An Garda Síochána, the Irish national police and security agency, as well as the Data Protection Commissioner to determine the exact details of the case, and how to move forward.  

While it is fortunate that only a small portion of the 1.1 million customer accounts were accessed, it is likely that the employee responsible for the breach will use the compromised data to commit financial fraud, as it appears to have been a deliberate breach of accounts as opposed to an accidental one. The data accessed in this breach included names, addresses, bank account details, phone numbers, and dates of birth.  

According to Erfan Shadabi, cybersecurity expert at comforte AG, “Data breaches are unfortunately becoming more common in today’s digital age, and it is important for organisations to take proactive steps to protect their sensitive information and the information of their customers. The news that Electric Ireland has suffered a data breach is concerning for both the organisation and its customers.” 

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, commented, “The data breach at Electric Ireland is yet another reminder of the critical importance of employee awareness and a strong cybersecurity culture within an organisation. The fact that an employee of a contracted company had the ability to inappropriately access customer accounts is concerning and highlights the need for robust security measures.” 

This is not the first time the use of third-party vendors or partners has caused an issue in the security supply chain. While this incident isn’t a result of an exploitable vulnerability like with the recent MOVEit mass-hacks, it nonetheless highlights the necessity of bolstering security defences. Companies must be able to defend themselves from within and without. 

James McQuiggan, Security Awareness Advocate at KnowBe4, explained that “As organisations rely on external partners and vendors, it is crucial that proper access controls, privilege restrictions, and monitoring be implemented for those accounts. It’s vital to ensure these users only have the bare minimum access needed to perform their duties. Additionally, monitoring account activity and access can help detect malicious actions sooner.”

He continued to add, “Robust third-party risk management, paired with least privilege and vigilant monitoring, is essential for reducing an organisation’s attack surface. Security leaders must prioritize these foundational controls to prevent unauthorized access and potential breaches before they occur. By limiting unnecessary access, streamlining privileges, and monitoring activity, companies can take proactive steps to avoid becoming the next victim.” 
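One way to put the monitoring McQuiggan describes into practice, as an added example that is not code from KnowBe4, Electric Ireland or this article: a small audit-log check that flags contractor accounts which read more distinct customer records than their role allows, or which perform privileged actions such as exports. The log format, role names, per-role limits and the sample lines are all assumptions constructed for the example.

```python
"""Flag third-party (contractor) accounts whose access to customer records
exceeds their role's allowance. Added example; log format, roles and limits
are assumed, and the sample log lines are constructed."""
from collections import defaultdict
import re

# Constructed audit log lines (assumed format: ts user role action customer id)
SAMPLE_LOG = """\
2023-11-20T09:01:02Z user=alice role=staff action=view customer=100001
2023-11-20T09:01:09Z user=alice role=staff action=view customer=100002
2023-11-20T09:02:11Z user=ctr-bob role=contractor action=view customer=100003
2023-11-20T09:02:12Z user=ctr-bob role=contractor action=view customer=100004
2023-11-20T09:02:13Z user=ctr-bob role=contractor action=view customer=100005
2023-11-20T09:02:14Z user=ctr-bob role=contractor action=view customer=100006
2023-11-20T09:02:15Z user=ctr-bob role=contractor action=export customer=100007
2023-11-20T09:03:00Z user=ctr-bob role=contractor action=view customer=100003
2023-11-20T09:05:00Z user=ctr-eve role=contractor action=view customer=100010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) customer=(?P<cust>\d+)$"
)

# Assumed policy: ceiling on distinct customer records one account may touch
# in the reviewed window, by role. A contractor handling a few tickets should
# never need to open hundreds of accounts.
LIMITS = {"staff": 50, "contractor": 3}
# Actions a contractor account is never expected to perform (assumed policy).
PRIVILEGED_ACTIONS = {"export", "bulk_download"}


def parse_log(text):
    """Parse the audit log into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flag_accounts(events, limits=LIMITS):
    """Return {user: [reasons]} for accounts that breach the policy."""
    distinct = defaultdict(set)      # user -> set of customer ids touched
    role_of = {}                     # user -> last seen role
    privileged = defaultdict(list)   # contractor user -> privileged actions seen
    for e in events:
        distinct[e["user"]].add(e["cust"])
        role_of[e["user"]] = e["role"]
        if e["role"] == "contractor" and e["action"] in PRIVILEGED_ACTIONS:
            privileged[e["user"]].append(e["action"])

    findings = {}
    for user, custs in distinct.items():
        role = role_of[user]
        limit = limits.get(role, 0)  # unknown roles get no allowance at all
        reasons = []
        if len(custs) > limit:
            reasons.append(f"{len(custs)} distinct customers exceeds {role} limit {limit}")
        if privileged[user]:
            reasons.append(f"contractor performed {sorted(set(privileged[user]))}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in flag_accounts(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

In a real deployment the same check would run over a rolling window of the identity provider's or application's audit events rather than a static file, and the limits would be tuned per vendor contract.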

Additionally, Shadabi suggested that “to mitigate the risk of third-party breaches, organisations must adopt a data-centric approach to information security. Instead of focusing solely on securing their internal networks and systems, organisations should prioritize the protection of the data itself, regardless of where it resides or who has access to it. By implementing data-centric security measures, organisations can safeguard their information from unauthorized access, even in the event of a breach involving a third party.” 

“Furthermore, organisations need to exercise caution and diligence when selecting business partners and vendors. Thoroughly vetting potential partners’ security practices, policies, and past incidents can help identify any vulnerabilities or red flags. Safeguarding sensitive data should be a top priority for organisations, as the stakes are higher than ever.” 

Malik, on the other hand, suggested a focus on security awareness within any enterprise, explaining that “Organisations should ensure that comprehensive security controls are implemented, including employee training on data protection principles, access control, and monitoring systems. Regular security assessments and audits can help identify vulnerabilities and mitigate risks. In the event of a data breach, timely communication and transparency are key. Electric Ireland’s confirmation of the breach and their awareness of the potential misuse of personal and financial information is a step in the right direction.” 

However, Malik concurred with Shadabi and McQuiggan on the matter of third-party service providers presenting a risk, saying, “This incident emphasises the need for organisations to thoroughly vet and monitor third-party vendors and contractors who have access to sensitive customer data. It’s crucial to establish contractual obligations for maintaining data security and ensure adherence to proper security practices.” 

“Ultimately,” Malik said, “organisations must continuously prioritise cybersecurity and view it as an ongoing process rather than a one-time implementation. Constant vigilance, employee education, and a proactive approach to security are critical elements in safeguarding customer data and maintaining customer trust.” 

The post Electric Ireland Confirms Compromise of 8,000 Customers’ Personal and Financial Data first appeared on IT Security Guru.

Boeing, the American multinational corporation best known for manufacturing aircraft, rockets, satellites, and missiles, has confirmed a cyber breach of its systems. Last week, the infamous and prolific ransomware gang, LockBit, announced that “a tremendous amount of sensitive data was exfiltrated” from Boeing’s systems and was ready to be published if the company did not make contact within the deadline.

The announcement has since been removed from LockBit’s website, but a screenshot shared by Dominic Alvieri on X shows that LockBit demanded a response from Boeing before November 2nd.  

On October 28th, the malware research group VX-Underground claimed to have spoken with a LockBit representative about the then alleged breach. According to this statement, LockBit claimed to have gained access to Boeing systems through a Zero-Day Vulnerability exploit.  

At this point Boeing had yet to confirm or deny any claims.  

However, on November 2nd, Boeing confirmed to various publications that its systems had been compromised in a cyber incident.

Boeing spokesperson Jim Proulx told TechCrunch that while elements of its parts and safety business were targeted in this incident, flight safety was not affected. Additionally, he said, “We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying customers and suppliers.”

While Boeing has yet to confirm whether the LockBit group was truthfully behind the incident, the fact that the listing was removed from the website before the deadline suggests that it is the case.  

At this time, the Boeing Services website is down for technical issues.  

According to Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, “Boeing’s acknowledgement of the cyber incident and its cooperation with law enforcement are commendable steps in addressing the breach. The aerospace and defence sector, similar to various other industries, heavily depends on an extensive network of suppliers and partners. It’s a common occurrence for threat actors to target vulnerabilities within these expansive ecosystems.” 

Erich Kron, Security Awareness Advocate at KnowBe4, added, “Ransomware can be a significant issue for organizations such as Boeing who need to provide parts quickly and often in a just-in-time manner. In the event their systems are down due to the ransomware encryption, significant delays could occur that may stop commercial aircraft from flying. In addition, organizations such as this have a tremendous amount of intellectual property that spans both commercial and military industries, and the theft of that information and threat to leak it publicly could be a significant issue for the company and any impacted military services. These cyber criminals know this and use it to their advantage to request what is often a huge ransom from the victims.”  

According to Shadabi, the data at risk is the real concern in a scenario like this. He commented, “One key takeaway from this incident is the importance of a proactive approach to cybersecurity that revolves around the safeguarding of data itself. Traditional cybersecurity measures often focus on perimeter defence and incident response. However, the concept of data-centric security, particularly tokenization, offers an additional layer of protection. Tokenization involves replacing sensitive data with non-sensitive placeholders, or tokens, rendering the stolen data useless to malicious actors. By utilizing tokenization, organizations can minimize the impact of data breaches, safeguard their intellectual property, and protect customer information. This proactive approach reduces the incentive for cybercriminals to target an organization and demand ransoms, as they are less likely to obtain valuable information. Cyberthreats are evolving and as we move forward in the digital age, organizations of all types must invest in comprehensive cybersecurity strategies that safeguard their most valuable asset – data.” 
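The tokenization Shadabi describes, both here and in his earlier Electric Ireland comment on data-centric security, works like this in miniature. This is an added example, not comforte AG’s product or any code from the article: sensitive fields are replaced by random same-length tokens, the token-to-value mapping lives only in a separately protected vault, and a copy of the application database therefore holds nothing an attacker can use. The record layout, field list and customer values are constructed.

```python
"""Vault-based tokenization: sensitive values are swapped for random tokens and
the mapping lives only in a separately protected vault. Added example, not
comforte AG's product; record layout and sample values are constructed."""
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Holds the token <-> value mapping. In production this is an isolated
    service with its own access controls; here it is an in-memory dict."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # same value -> same token, so joins still work

    def tokenize(self, value, keep_last=0):
        """Return a token for value, keeping the last `keep_last` characters
        (e.g. last four card digits) so existing displays keep working."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        tail = value[-keep_last:] if keep_last else ""
        while True:
            # Random digits of the same length so downstream schema checks pass.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(value) - len(tail)))
            token = body + tail
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Only a caller with vault access can recover the value; an unknown
        token raises KeyError, so tokens are worthless outside the vault."""
        return self._token_to_value[token]


def tokenize_record(vault, record, fields):
    """Copy of record with the listed fields replaced by tokens."""
    out = dict(record)
    for field, keep in fields.items():
        out[field] = vault.tokenize(record[field], keep_last=keep)
    return out


def originals_exposed(stored, originals):
    """True if any original sensitive value survives in the stored dataset
    (what an attacker who exfiltrates the application database would see)."""
    return any(v in originals for rec in stored for v in rec.values())


# Constructed sample data; field -> number of trailing characters to keep.
CUSTOMERS = [
    {"name": "A. Example", "card": "4111111111111111", "ssn": "123456789"},
    {"name": "B. Sample", "card": "5500000000000004", "ssn": "987654321"},
]
FIELDS = {"card": 4, "ssn": 0}


def demo():
    """Tokenize the sample records; returns (vault, stored rows, originals)."""
    vault = TokenVault()
    stored = [tokenize_record(vault, c, FIELDS) for c in CUSTOMERS]
    originals = {c[f] for c in CUSTOMERS for f in FIELDS}
    return vault, stored, originals
```

The security property is the separation: the application database can be stolen in full and still yields only tokens, while the vault, which holds the only way back, is a far smaller system to isolate, monitor and audit.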

Indeed, Kron also raised some caution. He explained that, “Generally speaking, the attackers will guarantee that the information is deleted if the ransom is paid; however, that simply means we have to trust the very criminals that broke into our systems, stole the data, and oftentimes disrupted critical business, to do as they promise. When it comes to extremely valuable information, such as potentially sensitive information about military equipment, the odds are pretty good that other nation states will be willing to pay a significant amount for this information and the victim would never know it has been sold.”

While there has been some discussion that LockBit gained access to Boeing systems by exploiting a Zero-Day Vulnerability, Kron warned that it could have just as easily been a result of a social engineering attack. He said, “Since most ransomware starts with a social engineering attack that targets humans, organisations that deal in information such as this or have critical manufacturing or logistical time frames should ensure that their employees are educated on how to spot and report phishing attacks to their security team. In addition, strong Data Loss Prevention (DLP) controls should be in place to limit the possibility of data being exfiltrated by bad actors.” 

The post Aerospace Giant Boeing Confirms Cyber Compromise, LockBit Claims Responsibility first appeared on IT Security Guru.

Cato Networks, a global SASE cloud provider, has announced the release of its new Data Loss Prevention (DLP) engine. Part of Cato’s SSE architecture, the DLP is meant to protect data and prevent its loss across an organisation’s software and applications.

Historically, DLP has been considered complex and operationally complicated. Inaccurate traffic routing and a limited scope of protection left some problems unaddressed, among them disruptions to daily organisational operations.

Cato DLP, however, reportedly solves this issue. Consolidated within Cato SPACE (Single Pass Cloud Engine) architecture, the DLP can widely view and control all traffic at all times. Utilising machine learning for smarter data protection, Cato DLP streamlines what was once imperfect and largely unconsolidated.  

But that’s not all. Cato Networks has also announced their SSE 360 platform release, with which the DLP will be converged. Extending beyond typical SSE functionality, SSE 360 sets its sights on the optimisation, control, and visibility of internet traffic, WAN, and the entire cloud. 

CEO and co-founder of Cato Networks, Shlomo Kramer, noted: “Traditional SSE architectures alone are not enough to protect the enterprise. They have limited visibility and control over WAN traffic which drives the need for multiple networking and security architectures. What’s needed is one architecture that can provide visibility into and control over all traffic to all applications and resources from all endpoints. Cato SSE 360 is the first SSE solution to meet that challenge.” 

Here at IT Security Guru, we are looking forward to seeing Cato DLP and SSE 360 in action. 

The post Cato Networks Announces New Data Loss Prevention Engine & SSE 360 appeared first on IT Security Guru.

A part of the industry for around twenty years, DomainTools uses active and passive DNS (Domain Name System) data to create cybersecurity intelligence for its customers. Tim Durant, Vice President of Channels and Alliances, explained:

“DNS is like the fingerprints or the activity on the internet. So we’re mapping all those fingerprints.”

Governments, enterprises, and other cybersecurity companies all use DomainTools’s data, whose unique datasets give a different picture of cyber-threat infrastructure than the one typically available.

Senior Cybersecurity Consultant, Oliver Tonge, added to this: 

“One of the things we’ve done in the past is set up an account. Maybe there’s an incident around a particular brand; with access to such an account, [a customer] is able to get the most of our intelligence on that to build a story around it… It’s almost guaranteed that there’s something in our data to shine a brighter light on the activity of the threat actors.” 

Having recently announced a new DomainTools product, Iris Detect, Durant was excited about the simplicity of the interface. Even for a person who lacks cybersecurity knowledge, it is intuitive and easy to use. Someone could punch in their company’s domain name and very soon after receive a risk score, showing the number of spoofs using that name and the number of phishing threats as well. And it all happens close to real time.

“50 of the top global 100 companies use us already,” Durant noted.  

How do DomainTools’ customers use this data? 

According to Tonge, it depends on which industry the customer comes from. Whether banking, law enforcement, or government, each has its own use cases. Law enforcement, for one, is less interested in spam and phishing and more interested in malware. Pre-emptively, DomainTools is able to provide intelligence on the infrastructure behind threat-actor activity pertaining to the industry in question.

This data is also used in post-incident scenarios. If, say, all the credentials from a domain were leaked, DomainTools’s data and machine learning tools help answer questions such as who was behind the attack, where it came from, what infrastructure was deployed, and who else might be affected by the same or a similar threat.

“It’s not just historical data, it’s also predictive data,” Tonge said.  

And DomainTools doesn’t just provide data to paying customers either.  

“Before the pandemic struck, there were about 6 domains globally with the term Covid in it or related to Covid. Not long after, that number went up to 64,000 domains. Some of them were legitimate, like government organisations providing Covid health infrastructure and community support. But you can guess the vast majority was illegitimate, capitalising on people’s fears,” Tonge said.  

With spoof sites looking to rake in money and information from a worried public, DomainTools stepped in to provide some guidance. Free of charge, it made available to anyone on the internet a site with continuously updated Covid block lists. It offered the same at the start of the Russia-Ukraine war.

“One of the things that really drives everyone at DomainTools is the mission to make a secure and safer internet for everyone. And that’s a reward in itself.” 

It’s a rewarding job, but it’s also a big one. As the industry moves forward, the data never stops coming in and neither do the threats. Catching 5-6 million new or updated domains per day, DomainTools is kept busy. Presenting that data in a digestible and meaningful format to customers means sifting through billions of data feeds at machine scale. Even some of the largest technology companies, Durant said, have tried to do it themselves, only to return to the services of DomainTools.

“There’s always more than enough work for us to do,” he added. “We need to continue to find ways as we capture this data to make it useful and helpful to make the internet a safer place.” 

Is it feasible that one day there will be a safe internet? 

“I don’t believe there’s ever a 100% safe [internet]. There’s always that cat and mouse game. Someone who’s just ahead. It’s just the nature of bad players. We’re in the cyber world, what we’re talking about here, but it’s true in the real world. No bank is 100% safe from being robbed,” Durant said. 

Slowly but surely, law enforcement is catching up to the bad guys, Tonge added. While the EU’s GDPR (General Data Protection Regulation) didn’t quite have the result that everyone was hoping for, the intent was good. Will we ever get there? Potentially not, but cybersecurity and law enforcement are not as far behind as they were just ten years ago. To make a safer internet, however, international cyber police cooperation is integral. Historically, investigators have been limited in policing cyber-crime once it crosses national borders.

Yet overall, DomainTools is optimistic about the future of the internet, and their role in the making of its safety. 

“Look at how many technology companies are in this space,” Durant said, gesturing around to the other attendees of Infosecurity Europe. “There’s a lot of smart people that are trying to solve a lot of hard problems.” 

The post DomainTools, Data, and Internet Safety appeared first on IT Security Guru.