Personal data in over 500,000 files left open on an Azure blob, a $2 million penalty after a data breach, and a Facebook error.
Welcome to Cyber Security Today. It’s Monday, December 21st. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
I’ve done a number of stories about company employees leaving tons of sensitive information open on Amazon S3 storage buckets. It also happens on Microsoft’s Azure cloud storage service. The latest incident of sloppy storage is reported on a news site called The Register. It says a security researcher found someone at a British-based software developer left over half a million files open on Azure storage, which is called a blob. The data included backed-up emails, letters, spreadsheets, personal medical information and more. This company creates websites and content management systems for customers and apparently looks after their data as well. Incredibly, it seems the company not only didn’t password-protect or encrypt customer data, it just threw many of its customers’ data into one folder in a single blob. Two things here: First, every organization must have a data storage policy, and procedures to make sure employees follow that policy. Second, every organization that wants to use a third party for storing data has to check its security policies before signing a contract. Ask if data is segregated, how it is protected, how that protection is assured, and whether its policies are equal to your policies and procedures. Your firm controls data security; it’s not in the hands of someone else.
A cybersecurity news website called DataBreaches.net has praise for the candour of a press release put out by an Arizona-based pharmacy. On September 28th it discovered a ransomware attack, shut it down fast and was able to continue operating from a good backup. However, the thieves were able to copy some customer information, including names, addresses, dates of birth, allergies and medication lists. What caught my eye was what the pharmacy did after the breach: upgraded its firewall firmware, added additional anti-virus and web-filtering software, increased Wi-Fi network traffic monitoring, provided additional training to employees, updated internal security policies and procedures, and installed real-time intrusion detection and response software on all workstations and servers that access the company network. Interesting that it did all these things after the incident.
And — sorry to regular listeners for being repetitive — it did one more thing: Forced employees to use multifactor authentication when logging into systems. Experts say multifactor authentication is a prime tool for slowing down if not crippling most data breaches.
What happens in certain jurisdictions if you don’t thoroughly investigate a possible data breach? You have to pay a financial penalty. That’s what happened with American online retailer CafePress, which makes and sells custom T-shirts, mugs and stuff. Last week it agreed to pay $2 million to seven states after a hacker copied data of 22 million customers in 2019. It was notified of an application vulnerability early in 2019. The company patched the hole, and then looked at its logs for the previous two weeks and found no evidence of a breach. Other than requiring a password reset of accounts, no customer was notified. Well, it didn’t look back far enough, because the company had been hacked in February. It wasn’t until August that the company conducted a full investigation, after a security site began notifying customers that their email addresses were being listed by crooks. In September 2019, CafePress began notifying customers. An immediate payment of $750,000 will be divided among the states. The remainder of the $2 million payment is suspended based on the company’s financial condition.
You don’t have to be honest all the time on the Internet. You do if you want to buy something. But you don’t have to give your real name or date of birth or home address on social media sites or discussion forums. That’s because someone might copy that information and impersonate you. Even if the site promises it won’t reveal personal registration information unless you change the settings, accidents happen. I tell you this because the news site The Verge says a security researcher recently found a bug in Instagram that, for a short time in October, gave away personal information that was supposed to be held private. It was in an experimental upgrade to parent company Facebook’s Business Suite tool. If a Facebook business account was linked to Instagram and you were in the test group and you sent a direct message on Instagram about a user, you’d get the information they wanted to show plus the hidden information. Facebook has fixed this vulnerability. It told The Verge it found no evidence of data abuse.
That’s it for now. Details about these stories can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.