Confidential Information Left Publicly Accessible Online
Several recent data breaches occurred when companies and organizations placed PII and customer data on servers that were publicly accessible online:
- The personal data of more than 650,000 Bon Secours patients was left publicly accessible online for four days earlier this year by one of the hospital system’s business associates, R-C Healthcare Management. When the reimbursement firm was reconfiguring its network settings in April, it reportedly exposed names, insurance identification numbers, banking information, social security numbers, and clinical data of patients in three states.
- Two Mexican electoral databases were found online by security researcher Chris Vickery of MacKeeper. One contained more than 93 million “strictly confidential” voter registration records that Vickery indicated were stored on an Amazon cloud server configured for public access.
- Vickery reportedly found other data troves online recently:
  - A Fortune.com article outlines the breach of a mid-2014 version of the Thomson Reuters World-Check database, which is used by intelligence agencies, governments, global banks, and law firms to identify individuals with ties to terrorism, corruption, and other crimes. Vickery said the dataset — which contains 2.2 million records on “heightened risk individuals and organizations” — was stored in an open-source Apache database called CouchDB that was configured for public access.
  - Vickery claims to have discovered another publicly accessible CouchDB database stored on Google Cloud that contained more than 150 million U.S. voter profiles. He said the database required no user authentication and that he has “proof that foreigners may have been accessing it.”
  - Last December, Vickery reportedly found an unsecured MongoDB database belonging to the online dating service BeautifulPeople.com. Though Vickery reported it to the company, which then secured the data, the damage was already done; the personal information of 1.1 million BeautifulPeople.com users recently ended up for sale on the black market.
Lax Security Culture
A recent U.S. congressional investigation indicated that the U.S. Office of Personnel Management (OPM) failed to implement even basic cybersecurity safeguards that could have mitigated — and potentially prevented — the agency’s mega-breaches in 2014 and 2015. The investigative report indicated that a lax security culture and ineffective leadership exacerbated the incidents, which exposed the data of more than 22 million individuals. Government officials also noted that, since 2005, the OPM had largely ignored the inspector general’s repeated warnings about cybersecurity vulnerabilities.
The email addresses, user names, and passwords of nearly 800,000 users of Brazzers, an adult website, have recently surfaced online as the result of a data breach that originally occurred in 2012. Hackers reportedly exploited security vulnerabilities in the site’s vBulletin chat forum software, and exposed data could include sensitive messages posted within the forum.
Social Media Fraud
Dark Reading reported that a recent Proofpoint study revealed that 19% of the social media accounts associated with ten major international brands are fraudulent. According to the report, 30% of the 902 identified fake accounts are used by cybercriminals to offer counterfeit products and services, while 4% of the accounts are used to pilfer PII, deliver malware, satirize brands, and protest. The study also showed that the fastest-growing threat with social media is phishing, with a 150% uptick in scammers posing as legitimate brands in order to trick users into revealing sensitive information.
Lack of Encryption
In other “old breach haunting” news, stolen login names and passwords from a 2012 breach of the Russian Rambler.ru email service have now been placed for sale on the black market. More than 98 million users of the service — which has been described as the Yahoo of Russia — have had their information exposed as a result. According to Leaked Source, the credentials were stored in a plain text file with “no encryption or hashing.” In related “bad passwords” news, analysis of the data showed that more than 723,000 users shared the same login code: asdasd. The second most popular password choice among users: asdasd123.
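The Rambler.ru item shows two failures at once: credentials stored with no hashing, and a user base clustered on a handful of trivial passwords. The following Python example, added here and not part of the original article, shows how a credential store avoids both: each password is hashed with PBKDF2-HMAC-SHA256 and a per-user random salt (Python standard library only), obvious passwords are refused at registration, and verification is done in constant time. The iteration count, the minimum length and the small denylist are assumptions chosen for the example; a production system would load a full breached-password list.

```python
import base64
import hashlib
import hmac
import os

# Constructed denylist for this example. "asdasd" and "asdasd123" are the two
# most common passwords in the leaked Rambler.ru data described above.
WEAK_PASSWORDS = {"asdasd", "asdasd123", "password", "123456", "qwerty"}
MIN_LENGTH = 12                 # assumption: minimum accepted length
PBKDF2_ITERATIONS = 600_000     # assumption: work factor for PBKDF2-HMAC-SHA256


def is_weak_password(password: str) -> bool:
    """Reject passwords that are too short or appear on the denylist."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64).

    A fresh 16-byte salt per user means two users with the same password get
    different records, so a stolen table does not reveal password clusters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash record: %s" % algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def register(users: dict, username: str, password: str) -> bool:
    """Store only the hash record; refuse weak passwords. True on success."""
    if is_weak_password(password):
        return False
    users[username] = hash_password(password)
    return True


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate against the stored record; unknown users simply fail."""
    record = users.get(username)
    return record is not None and verify_password(password, record)


def same_password_distinct_records(password: str) -> bool:
    """Show the effect of salting: identical passwords yield different records.

    Without a salt (or with plaintext storage, as in the breach above), the
    723,000 "asdasd" accounts would be visible as one identical cluster."""
    return hash_password(password, iterations=1000) != hash_password(password, iterations=1000)


if __name__ == "__main__":
    users = {}
    print("register asdasd:", register(users, "alice", "asdasd"))
    print("register strong:", register(users, "alice", "correct horse battery staple"))
    print("stored record:", users["alice"])
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    print("login bad:", login(users, "alice", "asdasd"))
    print("salted records differ:", same_password_distinct_records("asdasd"))
```

The stored record contains the algorithm and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a separate migration.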
U.S. healthcare organizations are also lax about encryption. A new survey of 150 hospital executives by the Healthcare Information and Management Systems Society indicates that only 68% of hospitals encrypt personal health information (like electronic medical records) when it’s shared with other parties. Compounding the problem, just 59% of these institutions use audit logs to track access to patients’ health and financial records.
A retiring system administrator was discovered to have faked a cyberattack on his employer’s website in an attempt to cover the theft of company data, which he planned to sell to cybercriminals. When the sysadmin was approached by fraudsters about selling data, he simulated a hacktivist attack on a company website in order to mask his theft of data from the server. Inconsistencies in the sysadmin’s story and actions were later discovered by the company’s web security provider.