In episode 403 of "Smashing Security" we dive into the mystery of $65 million vanishing from Coinbase users faster than J-Lo slipped into Graham's DMs, Geoff gives a poor grade for PowerSchool's security, and Carole takes a curious look at QR codes.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist's Geoff White.
Category: data breach
The Turkish government is proposing a controversial new cybersecurity law that could make it a criminal act to report on data breaches.
But might it stifle journalism and free speech?
Read more in my article on the Tripwire State of Security blog.
The personal information of almost half a million people is now in the hands of hackers after a security breach of a company used by some of the world's best known hotel brands.
Read more in my article on the Hot for Security blog.
Otelier, a widely used data management software in the hospitality industry, has recently made headlines after becoming the target of a data breach, raising significant concerns about the security of customer information.
The platform, which serves major hotel chains like Marriott, Hilton, and Hyatt, was compromised in July 2024. Hackers are believed to have gained unauthorized access to data stored in Amazon Web Services (AWS) storage buckets. The breach resulted in the theft of over 8 terabytes of data over a span of three months, from July to October 2024.
As of now, Otelier has reportedly suspended its operations and brought in a team of cybersecurity experts to investigate the breach. Freelance security expert Stacey Magpie speculates that the stolen data could include sensitive details such as email addresses, contact information, guest visit purposes, and stay durations—information that could be exploited in phishing schemes and identity theft.
Otelier, which was previously known as “MyDigitalOffice,” has not yet issued an official statement about the breach. However, it is suspected that a threat group was behind the attack, potentially gaining access to AWS credentials from an employee through malware and then transferring the stolen data to their own servers. An anonymous employee has confirmed that no payment or employee data, nor any operational data, was compromised during the breach.
This incident highlights the importance for hospitality businesses to take proactive measures to secure customer data. A data breach not only jeopardizes sensitive information but also damages trust with customers, potentially driving them to competitors.
To mitigate risks, businesses in the hospitality sector should implement robust data protection strategies, including maintaining effective data continuity plans, applying regular software updates, educating staff about cybersecurity risks, automating network traffic monitoring for suspicious activity, deploying firewalls to block threats, and encrypting sensitive information.
The post Otelier data breach triggers serious data security concerns appeared first on Cybersecurity Insiders.
GoDaddy, a prominent web hosting service provider trusted by millions of customers to host their websites, has long been recognized as a digital enabler for small businesses. However, recent security lapses have tarnished its reputation, drawing the attention of the Federal Trade Commission (FTC).
The FTC has reprimanded GoDaddy for its failure to implement robust security controls, which left its platform vulnerable to cyber threats. These deficiencies have allegedly been ongoing since 2018, exposing customers to significant risks. In response, the watchdog has directed GoDaddy to establish a comprehensive information security program to address these issues.
Allegations of Misleading Compliance Practices
In addition to its security failures, GoDaddy is accused of overstating its compliance with privacy frameworks, including those governed by the European Union, Swiss, and U.S. privacy regulations. These frameworks mandate specific security measures to safeguard personal data, which GoDaddy reportedly failed to uphold. This discrepancy raises questions about the company’s commitment to protecting sensitive customer information.
Multiple Data Breaches Exposed
Between 2019 and 2022, GoDaddy’s domain management platform suffered multiple data breaches. Investigations revealed that hackers exploited these vulnerabilities to gain unauthorized access to customer information. In some cases, cybercriminals redirected website visitors to malicious sites, compromising the trust and operations of affected businesses.
The FTC’s probe attributed these breaches to GoDaddy’s inadequate management of its IT infrastructure. The company reportedly neglected critical tasks, such as timely application of software patches, which could have mitigated these threats. These oversights have not only jeopardized customer data but also called into question GoDaddy’s ability to uphold cybersecurity standards.
FTC’s Mandates for Strengthened Security
The FTC has issued strict directives to GoDaddy to address these shortcomings. The hosting provider is now required to develop a comprehensive security program aimed at securing its platform and protecting the confidentiality, integrity, and availability of customer data.
Additionally, the company must engage an independent third-party assessor to evaluate its security controls. This assessment will occur biennially to ensure ongoing compliance. A specialized five-member team has also been tasked with negotiating penalties and outlining further corrective measures. This move was widely anticipated as a necessary step to restore trust and accountability.
A Wake-Up Call for the Industry
GoDaddy’s case serves as a stark reminder for businesses across the digital landscape about the importance of rigorous cybersecurity measures. As cyber threats evolve, maintaining a proactive approach to IT asset management and compliance is crucial to safeguarding sensitive data and sustaining customer trust.
The post GoDaddy falls into FTC Data Breach radar appeared first on Cybersecurity Insiders.
The video game Path of Exile 2 suffers a security breach, we explore the issues of using predictive algorithms in travel surveillance systems, and the very worst IoT devices are put on show in Las Vegas. Oh, and has Elon Musk accidentally revealed he cheats at video games?
All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.
The Space Bears ransomware gang stands out from the crowd by presenting itself better than many legitimate companies, with corporate stock images and a professional-looking leak site.
Read more in my article on the Tripwire State of Security blog.
The ICAO, the UN aviation agency tasked with keeping our skies safe, just got hacked... again.
This time, a hacker is offering to sell the personal data of 42,000 job applicants.
Read more in my article on the Hot for Security blog.
Gravy Analytics, a Virginia-based company whose name has no connection to the actual meaning of “gravy,” has recently found itself in the spotlight for all the wrong reasons. The firm, known for its location data services, has been hit by a data breach that could raise serious concerns over the security of user data for millions.
The company, which specializes in providing location analytics using smartphone data, appears to have fallen victim to a sophisticated cyberattack. This breach could potentially expose the location data of millions to hackers.
Gravy, a location data broker, is still investigating claims circulating on the dark web. As a hacker is reportedly selling a dataset containing information believed to have been stolen from Gravy, sparking worries among individuals and businesses whose location data may have been compromised.
Typically, businesses must obtain consent from smartphone users before tracking their location via apps. However, in practice, this rule is often overlooked, and the consent process is usually limited to search engines rather than being enforced across the web.
In this case, the hacker claims to have gained access to an Amazon storage bucket where Gravy Analytics stored its data. The hacker is now allegedly selling part of the compromised dataset, which raises red flags regarding privacy, data retention, and regulatory compliance.
For years, Gravy has collected data such as timestamps, GPS coordinates, and location histories, which was then merged with Unacast in 2023. Through its subsidiary Venttel, Gravy sold information about smartphone users’ visits to specific venues, neighborhoods, and zip codes, often to entities like law enforcement agencies (FBI, IRS, DHS) as well as marketing and advertising firms, all of whom seek detailed location insights.
The potential ramifications are concerning. If the stolen data includes smartphone usage history across various locations, it could jeopardize individuals’ privacy. Worse, if the dataset contains information about high-profile individuals, their whereabouts and activities could easily be deduced, posing significant security risks—both physical and virtual.
That said, the hacker’s claims have yet to be verified. It’s not uncommon for individuals or groups on the dark web to make exaggerated or false claims about hacking large firms, attempting to gain attention by falsely taking credit for major data breaches. As such, while the situation is serious, it remains unclear whether the breach is as extensive as reported.
The post Gravy Analytics data breach could put millions to data security risks appeared first on Cybersecurity Insiders.
Healthcare organizations are prime targets for cybercriminals due to the sensitive and valuable nature of the data they store. Personal health information (PHI) is one of the most sought-after commodities on the dark web. If a healthcare database breach occurs, it can have severe consequences—not only for the affected individuals but also for the organization itself. From patient data exposure to regulatory violations, the repercussions can be long-lasting. Therefore, healthcare providers must act swiftly, methodically, and in accordance with legal requirements when a data breach happens.
Here’s a step-by-step guide on what to do if a healthcare database breach occurs:
1. Contain the Breach Immediately
The first and most critical step when discovering a data breach is to contain it. Prompt action can help prevent further exposure of sensitive data. This could involve:
• Disconnecting affected systems: If the breach is detected in real time, immediately isolate compromised systems from the rest of the network to prevent the spread of malicious activity.
• Shutting down access points: Disable any compromised user accounts, login credentials, or vulnerable network pathways that may have been exploited by the attackers.
• Alerting internal IT and security teams: Ensure that the organization’s cybersecurity team is immediately aware of the breach. They should work to identify the entry point of the attack and stop the data exfiltration.
2. Assess the Scope and Impact of the Breach
Once the breach is contained, it’s crucial to understand its scope. This step involves:
• Identifying the compromised data: Determine which databases or files were accessed or leaked. Was it patient health records (e.g., medical history, prescriptions, lab results)? Was personal identifiable information (PII) exposed?
• Assessing the size and scale: How many records were affected? This will help to prioritize responses based on the severity and the number of impacted individuals.
• Analyzing the method of attack: Understanding how the breach occurred—whether through phishing, ransomware, or an insider threat—will inform the response and future prevention strategies.
3. Notify Regulatory Bodies and Authorities
In most countries, healthcare providers are required by law to notify specific authorities when a data breach occurs, particularly if it involves PHI or sensitive personal information. For example:
• United States (HIPAA Compliance): The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities report data breaches involving PHI to the U.S. Department of Health and Human Services (HHS) and affected individuals. A breach affecting 500 or more individuals must be reported within 60 days.
• European Union (GDPR Compliance): The General Data Protection Regulation (GDPR) requires data controllers to notify relevant authorities within 72 hours of becoming aware of a breach.
Not only is notifying the appropriate regulatory body legally required, but it also ensures that organizations remain in compliance and avoid potential fines and penalties.
4. Notify Affected Individuals
Transparency with affected individuals is crucial to maintaining trust and fulfilling legal obligations. The following steps should be taken:
• Timely notification: Affected individuals must be notified as soon as possible about the breach, typically within a set time frame defined by regulations (e.g., 60 days under HIPAA).
• Details of the breach: Provide clear information about what data was compromised, how it occurred, and what the organization is doing to mitigate damage.
• Offer support and guidance: Depending on the nature of the breach, you may offer affected individuals assistance like credit monitoring or identity theft protection services, particularly if financial data or social security numbers were involved.
• Clear communication channels: Set up a dedicated hotline or communication channel where affected individuals can ask questions and report any suspicious activity on their accounts.
5. Conduct a Forensic Investigation
To understand the cause and extent of the breach, a thorough forensic investigation should be conducted. This may involve:
• Hiring a third-party cybersecurity firm: Engage experienced professionals who specialize in data breaches. They can conduct a thorough investigation, identify how the breach occurred, and recommend corrective measures.
• Documenting findings: Maintain a detailed record of the investigation, including timelines, findings, and remediation actions taken. This documentation will be critical for regulatory reporting, insurance claims, and potential legal action.
The investigation will also help identify whether any security vulnerabilities were exploited and guide the implementation of improved security measures.
6. Mitigate and Prevent Future Breaches
After a breach, it’s vital to take steps to ensure that the same vulnerability does not lead to future incidents. This may involve:
• Patch and update systems: Ensure that all security patches and updates are applied to affected systems, including software, firewalls, and anti-virus programs.
• Change passwords and credentials: Immediately reset passwords and access credentials that may have been compromised. Implement multi-factor authentication (MFA) wherever possible.
• Review and improve cybersecurity policies: Strengthen network security, employee training, and data encryption policies. Consider adopting more robust encryption for sensitive data both at rest and in transit.
• Conduct regular audits: Perform regular security audits to assess and address any vulnerabilities before they can be exploited by cybercriminals.
7. Work with Legal and PR Teams
A data breach, especially in the healthcare sector, can result in significant legal and reputational consequences. Therefore, it’s essential to:
• Consult legal advisors: Ensure that all responses to the breach are in compliance with data protection laws and regulations. Legal advisors can also help mitigate liability, including responding to any potential lawsuits from affected individuals or regulatory fines.
• Manage public relations: Work closely with PR teams to craft a statement addressing the breach. Be honest and transparent in communications, acknowledging the severity of the situation and outlining the steps being taken to resolve it. A well-managed PR response can help maintain public trust in the organization.
8. Monitor for Ongoing Risks
Even after a breach has been contained and addressed, the organization must remain vigilant. Ongoing monitoring is essential to:
• Detect additional threats: Cybercriminals may attempt to exploit the breach further. Continuous monitoring of network traffic and logs will help identify any lingering threats.
• Watch for identity theft: If personal information like social security numbers, addresses, or financial data was involved, consider monitoring services or providing credit monitoring to affected individuals.
• Analyze impact on operations: Some breaches can have long-term operational impacts.
Continuously evaluate how the breach has affected your organization’s processes, patient trust, and financial standing.
9. Learn from the Incident
Finally, every data breach is an opportunity for improvement. After resolving the immediate crisis, take the time to:
• Review your incident response plan: Determine what worked well and what could be improved. Update your procedures and make sure all employees are trained on new protocols.
• Invest in cybersecurity improvements: With the knowledge gained from the breach, enhance the organization’s security measures. This could include stronger firewalls, improved access control, better employee training, or more advanced threat detection tools.
Conclusion
A healthcare database breach is a serious event that requires swift action and adherence to legal and regulatory requirements. By containing the breach, notifying the necessary authorities and individuals, conducting a forensic investigation, and implementing stronger cybersecurity practices, healthcare organizations can mitigate the damage and prevent future incidents. Proactive planning, transparency, and a well-prepared response are key to minimizing the impact on patients, staff, and the organization as a whole.
The post What to Do if a Healthcare Database Breach Occurs: A Step-by-Step Guide appeared first on Cybersecurity Insiders.