Taj Hotels, a subsidiary of Indian Hotels Company Ltd (IHCL), recently fell victim to a cyber-attack that resulted in the compromise of personal details belonging to more than 1.5 million customers. The leaked information encompasses a range of sensitive data, including addresses, membership IDs, mobile numbers, and other Personally Identifiable Information (PII) spanning the period from 2014 to 2020.

The motive behind Taj Hotels, now under the ownership of the Tata Group, holding such PII remains unclear. This is noteworthy given the stringent guidelines from the Indian government, which stipulate that businesses in the hospitality sector should not retain sensitive information such as dates of birth and banking details, including card information.

The Indian Computer Emergency Response Team (CERT-IN) has taken cognizance of the situation and is actively engaged in investigating the cyber breach.

In response to the incident, IHCL has released a statement affirming its commitment to prioritizing the protection of customer details. To this end, the company has enlisted the expertise of forensic specialists to conduct a thorough investigation into the extent of the breach.

A notable aspect of this cyber threat is the involvement of a threat actor named “DNA Cookies,” who has demanded a ransom of $5000 for the release of the stolen data. The threat actor has set a specific timeframe for negotiating the ransom payment. Uniquely, the demand extends to payment for the entire dataset, as opposed to providing a sample to verify the authenticity of the compromised information.

Complicating matters further, the cybercriminal has published a segment of the pilfered data on BreachForums, accessible exclusively through the dark web. In a peculiar twist, DNA Cookies has instructed Taj Hotels’ IT staff to initiate contact through a designated member on the forum, explicitly discouraging communication from external sources.

As the investigation unfolds, additional details regarding the scope and impact of the cyber-attack are eagerly anticipated.

The post Taj Hotel Data Breach details appeared first on Cybersecurity Insiders.

Who gets to decide who should be CEO of OpenAI? ChatGPT or the board? Plus a ransomware gang goes a step further than most, reporting one of its own data breaches to the US Securities and Exchange Commission. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

By Christoph Nagy, SecurityBridge

So your SAP system has been breached.

While this is not an unusual occurrence, it’s still a serious issue that needs your immediate attention. Since SAP is one of the most widely used systems by organizations around the globe and houses a lot of business-critical and thus valuable information, hackers constantly look for backdoors and vulnerabilities to exploit.

The more time that elapses before the breach is dealt with, the longer hackers have access to the data your company houses in the SAP platform, and the more damage they can do.

The first step is to determine where the cybersecurity breach occurred, and then walk through the steps of addressing it. And when the immediate attack is dealt with, putting in place resources to prevent it from happening again is a wise course of action. Let’s start with the kinds of SAP breaches that might befall your company.

The Most Common Attack Vectors

We’re defining a breach as any exploitation of the vulnerabilities of a system resulting in unauthorized access to that system and its data. The most common (and sizable) damages to a company that is successfully attacked are financial damage (in the form of fines, the cost of addressing the breach, and other expenses) and a hit to the company’s reputation. Customers are less likely to stick around when they don’t feel their business or confidential data is being safeguarded properly.

When a breach occurs, it’s most likely tied to one of the following:

Vulnerabilities in code. All applications are subject to vulnerabilities, and it’s possible for custom SAP applications to provide a window for attackers to access the overall system.

Unapplied security patches. Patches for SAP applications are extremely important, since they address known flaws that could be exploited in a breach attempt. Companies that delay implementing these patches leave themselves exposed.

System misconfigurations. When settings in an SAP application are misconfigured—or keep unused functions active—attackers can exploit this mistake and gain unauthorized access. You see this most often when applications are left on default settings or someone goes in and makes changes that they shouldn’t.

Inside jobs. Occasionally, someone with at least some level of access already, like an employee, can clear a path for attackers to gain entry into the system. More often than not, it’s the employee’s account, but not the employee themselves causing the breach. The employee account could be taken over by bad actors through phishing or social engineering tactics—the MGM Grand/Caesar’s breach provides a perfect example of this type of attack.

How to Respond to an Attack

When you’ve identified where the threat has come from and what vulnerability has been exploited, it’s time to take decisive action. Reacting quickly but also in the right way will help reestablish your company’s security posture. For most breaches, the following steps will be the most effective means of getting a handle on the situation:

  • Lock down any compromised user accounts and cut off access to the network and system by any third parties such as partners or clients that are involved in the attack. If such a tactical approach doesn’t work, you might need to isolate the full SAP system, going into full lockdown or cutting off its access to the internet so unauthorized users can’t keep finding their way in while you address the issue.
  • Put together a team of stakeholders—executives, your best tech leads, SAP admins, and any other experts available—to assess the damage of the threat and make a plan to deal with it.
  • Preserve all security-relevant SAP logs and put them under forensic analysis. Focus on the Security Audit Log, the Java audit log, and the HANA audit log for the timeframe of the attack.
  • Use those logs to assess the details of the vulnerability that was exploited and identify the critical events and activity patterns during the key time periods.
  • Install fixes and patches as needed to shore up vulnerabilities and adopt the appropriate security configurations to stop the attack and prevent that specific vulnerability from being exploited again.
  • Only then should you return, one application at a time, to normal SAP operations. Monitor your SAP security logs following this return to make sure operations are now secure.
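The log-review steps above are easier to follow with a concrete triage pass. The script below is an added example, not part of the original article and not SecurityBridge code. The audit log lines it processes are constructed, and their pipe-separated layout (timestamp, client, user, terminal, message ID, text) is an assumed, simplified representation of a Security Audit Log export rather than its exact format. The message IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are real Security Audit Log message classes; the watchlist of sensitive transactions is an illustrative choice. It scopes the log to the incident window, flags accounts where a burst of failed logons is followed by a success from the same terminal, and lists sensitive transactions started in that window.

```python
"""Scoped triage of SAP Security Audit Log entries during an incident window.

Added example (not from the article or from SecurityBridge). SAMPLE_LOG is
constructed; its layout is an assumed simplification of an audit log export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|client|user|terminal|message ID|text
SAMPLE_LOG = """\
2023-11-20 07:58:12|100|JDOE|WS-1042|AU1|Logon successful (type=A, method=P)
2023-11-20 08:01:44|100|JDOE|WS-1042|AU3|Transaction VA01 started
2023-11-20 22:14:03|100|SAPSUPPORT|203.0.113.50|AU2|Logon failed (reason=1, type=A)
2023-11-20 22:14:09|100|SAPSUPPORT|203.0.113.50|AU2|Logon failed (reason=1, type=A)
2023-11-20 22:14:15|100|SAPSUPPORT|203.0.113.50|AU2|Logon failed (reason=1, type=A)
2023-11-20 22:14:21|100|SAPSUPPORT|203.0.113.50|AU2|Logon failed (reason=1, type=A)
2023-11-20 22:14:40|100|SAPSUPPORT|203.0.113.50|AU1|Logon successful (type=A, method=P)
2023-11-20 22:16:02|100|SAPSUPPORT|203.0.113.50|AU3|Transaction SU01 started
2023-11-20 22:17:30|100|SAPSUPPORT|203.0.113.50|AU3|Transaction SE16 started
2023-11-21 09:10:00|100|JDOE|WS-1042|AU1|Logon successful (type=A, method=P)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<client>\d{3})\|"
    r"(?P<user>[^|]+)\|(?P<terminal>[^|]+)\|(?P<msg>[A-Z0-9]{3})\|(?P<text>.*)$"
)
TXN_RE = re.compile(r"Transaction (\S+) started")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Illustrative watchlist: user/role maintenance, table browsing, RFC setup, ABAP editor.
SENSITIVE_TXNS = frozenset({"SU01", "PFCG", "SE16", "SM59", "SE38"})


def parse_log(text):
    """Parse audit lines into dicts sorted by time; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def in_window(entries, start, end):
    """Keep only events inside the incident window (inclusive)."""
    return [e for e in entries if start <= e["ts"] <= end]


def failed_then_success(entries, threshold=3, lookback=timedelta(minutes=10)):
    """Flag (user, terminal) pairs with >= threshold AU2 events shortly before an AU1."""
    failures = defaultdict(list)
    hits = []
    for e in entries:
        key = (e["user"], e["terminal"])
        if e["msg"] == "AU2":
            failures[key].append(e["ts"])
        elif e["msg"] == "AU1":
            recent = [t for t in failures[key] if e["ts"] - t <= lookback]
            if len(recent) >= threshold:
                hits.append({"user": e["user"], "terminal": e["terminal"],
                             "failed": len(recent), "success_at": e["ts"]})
            failures[key].clear()  # a success ends the current failure run
    return hits


def sensitive_transactions(entries, watchlist=SENSITIVE_TXNS):
    """List AU3 events whose transaction code is on the watchlist."""
    hits = []
    for e in entries:
        if e["msg"] != "AU3":
            continue
        m = TXN_RE.search(e["text"])
        if m and m.group(1) in watchlist:
            hits.append({"user": e["user"], "terminal": e["terminal"],
                         "txn": m.group(1), "at": e["ts"]})
    return hits


def triage(text, start, end):
    """Run both checks over the window given as 'YYYY-MM-DD HH:MM:SS' strings."""
    scoped = in_window(parse_log(text),
                       datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT))
    return {
        "events_in_window": len(scoped),
        "suspicious_logons": failed_then_success(scoped),
        "sensitive_transactions": sensitive_transactions(scoped),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "2023-11-20 20:00:00", "2023-11-21 06:00:00")
    for section, value in report.items():
        print(section, value)
```

In the constructed sample, JDOE's normal working-hours activity is never flagged, while SAPSUPPORT shows four failed logons and then a success from an external address, immediately followed by user-maintenance and table-browsing transactions; that is the kind of event pattern the bulleted steps ask you to pull out of the logs before deciding which accounts to lock down.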

While all of the above is happening, be sure to comply with all legal requirements for communications with affected or relevant parties. Especially if there is ever a legal investigation on your company’s actions during and after a breach, transparency and timely notification to affected parties so they can take appropriate action will work in your favor.

Future Actions

Once the immediate threat is over, most companies should shift to prevention mode: making it so such a breach can’t happen again. Perhaps those fixes and patches can be extended to other SAP applications. Following NIST and other common SAP security frameworks is recommended.

Further SAP process improvements can help provide preventative measures or early alerts of a potential attack. Some features can detect anomalies in SAP systems or include automation capabilities that can make changes to protect a system on the fly. You can even set up the capability to alert users when their credentials might be compromised—like if they were just used to sign in from an unusual geographical location or were exposed due to a hack elsewhere. In those cases, contacting the SAP security team immediately could make a big difference in preventing authorized accounts from being misused.

There’s never a good time to experience an SAP breach, but companies that have a plan to address it quickly and effectively will fare better in both the short and long term than those that don’t. SAP’s systems are critical for many companies, so ensuring the strongest possible security posture for those applications is an equally critical task that organizations should prioritize.

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and real-time detection of cyber-attacks. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.

The post A Guide to Handling SAP Security Breaches appeared first on Cybersecurity Insiders.

Marina Bay Sands (MBS), the renowned resort and luxury hotel situated in Singapore, recently experienced a data breach that impacted the personal information of more than 665,000 individuals associated with the MBS Loyalty Program. The breach occurred in mid-October of this year, and the news has only recently come to light.

The compromised data is believed to include sensitive details such as names, email addresses, contact information like phone numbers and physical addresses, as well as membership information related to Sands Life Style. Security experts are concerned that this type of information can be exploited by cybercriminals to execute social engineering attacks, particularly phishing attempts.

Currently, there is no evidence indicating that the stolen MBS data has been misused by the individuals responsible for the breach. The management of this iconic hospitality establishment has confirmed that no data linked to the Casino Membership rewards program or the Sands Rewards Club has been accessed or pilfered by the hackers.

Given that Marina Bay Sands offers a wide array of world-class luxuries within its resort, it is anticipated that many high-profile customers have been affected by this incident.

It’s worth noting that Marina Bay Sands has had its share of controversies since its opening in 2011. In the latter part of 2019, a notorious ransomware gang was discovered to be operating from one of the luxury rooms within the hotel. The gang was observed spreading malware from the resort and was linked to an Asian nation that is currently at odds with Western nations. However, due to the onset of COVID-19 and the subsequent lockdowns, the case was temporarily set aside and remains under investigation to this day.

The post Marina Bay Sands Singapore suffers Information Security Breach appeared first on Cybersecurity Insiders.

As organizations increasingly migrate their operations to the cloud, the security of their cloud infrastructure becomes a paramount concern. While cloud services offer numerous benefits, misconfigurations in cloud environments can inadvertently expose sensitive data and lead to catastrophic breaches. In this article, we’ll explore some of the top cloud misconfigurations that pose significant security risks and examine how organizations can protect their cloud resources.

Inadequate Identity and Access Management (IAM): One of the most common cloud misconfigurations involves mismanaging user privileges and access controls. Improperly configured IAM settings can allow unauthorized users to access, modify, or delete data. In some cases, overly permissive permissions might lead to data exposure, making it essential for organizations to establish and maintain strict access controls.

Unsecured Storage Buckets: Misconfigured storage buckets in cloud platforms can be a goldmine for cybercriminals. Leaving these containers open to the public or granting excessive access permissions can result in the unintentional exposure of sensitive data. Regularly auditing and securing these buckets is critical in preventing data breaches.

Inadequate Logging and Monitoring: Lack of comprehensive logging and monitoring can make it challenging to detect unusual or suspicious activities within a cloud environment. This oversight can lead to delayed detection of breaches or unauthorized access. Properly configured monitoring systems and timely incident response are crucial for addressing security threats.

Unencrypted Data: Failure to encrypt data both in transit and at rest is a significant security lapse. Without encryption, attackers can intercept and exploit sensitive information. Organizations should employ strong encryption mechanisms to safeguard their data from prying eyes.

Insecure APIs: Cloud services often rely on APIs (Application Programming Interfaces) to interact with external systems. Misconfigured or unsecured APIs can provide an entry point for attackers. Regularly assessing and securing APIs is a critical step in maintaining cloud security.

Neglecting Patch Management: Cloud providers regularly update their services to fix vulnerabilities. Failing to apply these updates promptly can leave cloud resources exposed to known security flaws. A robust patch management process is essential to keep cloud environments secure.

Default Configurations: Many cloud services come with default configurations that may not align with an organization’s specific security requirements. Leaving these defaults in place can leave vulnerabilities unaddressed. Organizations should customize configurations to enhance security.

Misconfigured Firewall Rules: Improperly configured firewall rules can allow unauthorized traffic into a cloud network. Reviewing and maintaining firewall rules to ensure they align with security policies is vital to prevent unauthorized access.
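Several of the misconfigurations listed above (public storage buckets, over-permissive IAM, missing encryption and logging, open firewall rules) can be caught with a simple policy check before an attacker finds them. The script below is an added example, not from the original article. It audits two constructed account snapshots, a weak one and its corrected counterpart. The bucket and IAM policy statements use the real IAM policy-document shape (Effect, Principal, Action, Resource, Condition, including the well-known `aws:SecureTransport` deny), while the snapshot layout itself, the `encryption_at_rest`/`access_logging` fields and the firewall-rule records are an assumed simplification rather than any provider's API. The account ID and bucket name are placeholders.

```python
"""Audit a constructed cloud account snapshot for the misconfigurations named above.

Added example (not from the article). Snapshot layout, firewall-rule records
and the storage flags are assumed simplifications; policy statements follow
the real IAM policy-document shape.
"""

BUCKET = "arn:aws:s3:::customer-exports"  # placeholder bucket name

# Weak configuration: public read, no TLS requirement, no encryption or logging,
# a wildcard IAM policy and a database security group open to the world.
WEAK_SNAPSHOT = {
    "buckets": {
        "customer-exports": {
            "policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
            ]},
            "encryption_at_rest": False,
            "access_logging": False,
        }
    },
    "iam_policies": {
        "developer-access": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ]},
    },
    "firewall_rules": [
        {"name": "db-sg", "direction": "ingress", "source": "0.0.0.0/0", "ports": [0, 65535]},
    ],
}

# Corrected counterpart: a named role instead of "*", a deny for non-TLS
# requests, encryption and logging on, scoped IAM actions, internal-only DB port.
HARDENED_SNAPSHOT = {
    "buckets": {
        "customer-exports": {
            "policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
                 "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
                {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                 "Resource": [BUCKET, BUCKET + "/*"],
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            ]},
            "encryption_at_rest": True,
            "access_logging": True,
        }
    },
    "iam_policies": {
        "developer-access": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [BUCKET, BUCKET + "/*"]},
        ]},
    },
    "firewall_rules": [
        {"name": "db-sg", "direction": "ingress", "source": "10.0.0.0/16", "ports": [5432, 5432]},
    ],
}

ADMIN_PORTS = {22, 3389, 3306, 5432}  # SSH, RDP, MySQL, PostgreSQL


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_public(p):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))


def check_bucket(name, bucket):
    findings = []
    stmts = bucket.get("policy", {}).get("Statement", [])
    for s in stmts:
        if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal")) \
                and "Condition" not in s:
            findings.append(f"{name}: policy grants {_as_list(s.get('Action'))} to everyone")
    requires_tls = any(
        s.get("Effect") == "Deny"
        and s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
        for s in stmts)
    if not requires_tls:
        findings.append(f"{name}: no statement denies non-TLS access (data in transit)")
    if not bucket.get("encryption_at_rest"):
        findings.append(f"{name}: server-side encryption disabled (data at rest)")
    if not bucket.get("access_logging"):
        findings.append(f"{name}: access logging disabled")
    return findings


def check_iam(policies):
    return [f"iam {name}: allows every action on every resource"
            for name, doc in policies.items()
            for s in doc.get("Statement", [])
            if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource"))]


def check_firewall(rules):
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or r["source"] not in ("0.0.0.0/0", "::/0"):
            continue
        lo, hi = r["ports"]
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"firewall {r['name']}: {r['source']} can reach ports {exposed}")
    return findings


def audit(snapshot):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    for name, bucket in snapshot["buckets"].items():
        findings += check_bucket(name, bucket)
    findings += check_iam(snapshot["iam_policies"])
    findings += check_firewall(snapshot["firewall_rules"])
    return findings


if __name__ == "__main__":
    for label, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(label, audit(snap) or ["no findings"])
```

The public-principal check deliberately ignores `Deny` statements, because the TLS-enforcing deny in the hardened policy legitimately uses `Principal: "*"`; a naive grep for `"Principal": "*"` would flag the fix as a problem. Running a check like this on every change, not just once, is what turns the article's "regularly auditing" advice into practice.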

Conclusion:

Cloud misconfigurations are a significant contributor to data breaches, and organizations must remain vigilant in addressing these issues. By taking a proactive approach to security, conducting regular audits, and implementing robust access controls, encryption, and monitoring practices, businesses can significantly reduce their vulnerability to cloud-related security threats. In an era where data is a prized asset, safeguarding it against misconfigurations is paramount to maintaining trust and security in the digital age.

The post Top Cloud Misconfigurations Leading to Cloud Data Breaches appeared first on Cybersecurity Insiders.

The personal information of more than 815 million people in India has reportedly been leaked online. According to local media reports, hackers have offered for sale the personally identifiable information (PII) - including that found on Aadhaar identity cards - belonging to hundreds of millions of Indian residents. Read more in my article on the Hot for Security blog.

Aadhaar, the unique identification number issued to every Indian citizen, has recently made headlines for all the wrong reasons. There are alarming reports suggesting that the personal information of approximately 815 million citizens was illicitly accessed by hackers through the Indian Council of Medical Research (ICMR) website, which maintains records of Covid-19 vaccination details for the public.

The ICMR fell victim to a security breach in September of this year. Allegedly, an actor known as ‘pwn001’ successfully gained unauthorized access to this data and subsequently posted it on a discussion thread within Breach Forums.

The breach is particularly concerning as the hacker claims to have sourced data on over 81.5 crore (815 million) Indian residents from a website related to citizen information. To put this into perspective, the leaked data pertains to roughly half of India’s total population, which stands at a staggering 144 crore citizens, or 1.40 billion people.

What makes this UIDAI data breach even more troubling is the wealth of information the hacker managed to obtain. In addition to Aadhaar numbers, the breach includes names, phone numbers, addresses, and passport data of Indian citizens. Such comprehensive personal information can potentially be exploited by cybercriminals to orchestrate phishing attacks and other malicious activities.

In response to this alarming breach, the Information and Broadcasting Ministry of India has reported that the Central Bureau of Investigation (CBI) is currently investigating the details of the data breach. The CBI launched this inquiry following a complaint filed by the ICMR. The Ministry has pledged to provide further information once a thorough investigation has been completed.

It is worth acknowledging the efforts of Resecurity, a cybersecurity firm based in Los Angeles, for initially bringing this significant breach to public attention. Their responsible disclosure of this information through proper channels has played a crucial role in shedding light on this serious security incident.

The post India witnesses biggest data breach of Aadhaar details via ICMR appeared first on Cybersecurity Insiders.