Breach Report 2019 – September
Every month there is headline after headline reporting about a new data breach. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by hackers and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during September and the lessons we can learn from them.
At the beginning of the month, Foxit Software, a document software company, released a statement notifying its “My Account” users of a data breach where malicious individuals gained access to user account data, including email addresses, passwords, users’ names, phone numbers, company names, and IP addresses. While no payment card data was stolen, this major data beach left nearly 560 million users at risk. Foxit has since encouraged users to update their passwords. ZDNet reported, “Due to the presence of IP addresses in the data hackers managed to access, [the breach is] believed to be a breach of Foxit’s backend infrastructure, rather than a credential stuffing attack.” Foxit has not commented on when the breach occurred or how long they knew about it before notifying “My Account” users.
Often times, if malicious hackers want to hack larger companies, they’ll target companies like Foxit, where they know they’ll find a list of usernames and passwords that can be a gateway to hacking larger companies. KirkpatrickPrice penetration tester, Stuart Rorer, explains that malicious individuals who use this tactic do so because “many of us use the same password for a lot of our services, so chances are, the stolen credentials might work for other similar accounts.” He adds that malicious hackers can then use that information they gain as a foothold on a larger company, which was their original intent – it’s a domino effect.
In mid-September, one of Canada’s financial giants experienced a massive data breach caused by none other than internal negligence. Scotiabank disclosed that critical information was leaked on unsecured GitHub repositories, compromising internal source code and some of the bank’s private login keys to backend systems. The Register reported, “These repositories featured, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances.” It is still unknown if malicious hackers have yet to exploit the digital blueprints to attack the bank and its more than 25 million users.
While investigations into this breach are still ongoing, preliminary findings point to internal negligence. Richard Rieben, a Director of Audit Operations at KirkpatrickPrice, explains, “As the growth of cloud-based resources continues, organizations need to become increasingly vigilant about understanding what data is being placed on such platforms and how it is secured. A quality audit, which digs deep into the organization’s usage of risk-prone solutions, can be an effective tool in reducing the likelihood and impact of breaches associated with the failure of technical or administrative controls.”
Just days after it announced that it would be acquired by education giant, Chegg, for $80 million, Thinkful, an education site for developers, said that unauthorized third-party users accessed company credentials. According to Thinkful VP of Operations, Erin Rosenblatt, as soon as they learned of the unauthorized access, they “promptly changed the credentials, took additional steps to enhance the security measures [they] have in place, and initiated a full investigation.” It is still unclear what caused the breach, although phishing attacks are presumed to be the cause.
What can we learn from Thinkful’s data breach? Rieben says, “As part of M&A activities, effective due diligence can often uncover weaknesses in the security compliance programs of organizations which are preparing for an acquisition. Organizations engaging in M&A activities should strongly consider the dependence on a quality audit or other assessments as part of the valuation process.”
On September 26th, the popular food delivery service, DoorDash, published a statement announcing that they had experienced a data breach on May 4th – one that impacted 4.9 million of its users, delivery drivers, and merchants. The statement explained that the data compromised by unauthorized third-party users included names, email addresses, delivery addresses, order histories, phone numbers, and hashed, salted passwords. Other information stolen included the last four digits of users’ credit and debit cards, the last four digits of bank account numbers for drivers and merchants, and driver’s license numbers for 100,000 drivers. The breach only impacted DoorDash users that joined before April 15, 2018.
While the exact cause of DoorDash’s data breach has yet to be disclosed, there are two key takeaways from this security incident: the risks of working with third-party vendors and the importance of transparent, effective incident response. Rieben explains, “This is another example of not only the vulnerabilities associated with the usage of third parties who have access to sensitive data, but it’s also an example of how not to perform incident response. We’ve seen a pattern of poor responses to past breach concerns from DoorDash and with many questions still outstanding regarding this breach, transparency does not seem to be the theme of the day for the organization.”
At KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help you mitigate risk and keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.