Marketing firm leaves a huge database open, why former employees can be a security risk and more.
Welcome to Cyber Security Today. It’s Friday, February 11th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Another huge pile of unsecured data held in a misconfigured Amazon S3 bucket has been found. According to researchers at Website Planet, it belonged to a company called Beetle Eye, an online service for digital marketers. Data on an estimated 7 million people were left open. In some cases that included their names and addresses. In other cases it included email addresses and phone numbers. Most of the people were American residents, but a small number were Canadian. It is believed the databases were lists of leads that customers of Beetle Eye could use for potential marketing. IT and marketing departments that allow employees to put data into cloud storage like Amazon have to be sure security protocols are followed.
Former employees continue to be possible cybersecurity threats to organizations that don’t take care to revoke their passwords when they leave. Consider these numbers from a survey of 1,000 employees in the U.S., the U.K. and Ireland done for a cybersecurity firm called Beyond Identity: 83 per cent of respondents said they were able to continue accessing old email, social media and application accounts when they left an employer. Of those, 56 per cent said they had used that access to harm their former employer. Twenty-four per cent admitted they intentionally kept a password after leaving the company. For their part, 74 per cent of employers surveyed said they have been negatively impacted by a former employee breaching their digital security. The lesson: Companies need to take greater care to end access to data when an employee leaves.
Cybersecurity experts on a webinar this week sponsored by HP Wolf Security made a number of good points. One from Kurt Johns, chief information security officer at Siemens U.S., stuck out for me: Hackers are calling up IT administrators and offering them big money to download a malicious file and let it run on company computers. Johns didn’t say how many had succumbed to this lure.
Some listeners may not know, but the government of Canada’s Centre for Cyber Security has a learning hub where government employees and those in private sector critical infrastructure organizations can take cybersecurity courses. The latest include how to implement robust authentication in federal services, understanding targeted social engineering attacks and how to mitigate insider threats. There is a charge for those taking courses who aren’t government employees.
Apple has just rolled out urgent security updates to iOS, iPad and macOS operating systems to patch a zero-day vulnerability. If you use Apple devices, make sure these updates have been installed. According to Kaspersky, the most likely attack scenario is an infection of an iPhone or iPad device after visiting a malicious web page.
Finally, later today the Week in Review podcast will be out, with guest commentator David Shipley of New Brunswick’s Beauceron Security to talk about some of the week’s events.
Links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
Thanks for listening. I’m Howard Solomon.