Category Archives: Privacy

Cyber Attacks, Privacy, Supply Chain Security

What is Edge Computing?

Posted on by Or Kadosh
Findings.co explains the positives and negatives of edge computing
19
Apr


Edge computing is a growing trend in the field of network technology that is changing the way data is processed and analyzed. Instead of relying solely on a centralized server to process data, edge computing brings processing capabilities closer to the source of the data, or the “edge” of the network. This allows for more efficient and effective data processing and analysis, as well as increased performance and reduced latency.


Edge computing has become increasingly popular due to the rise of the Internet of Things (IoT) and other connected devices. These devices generate a vast amount of data that needs to be processed and analyzed in real-time, and edge computing provides a way to do this without overburdening centralized servers.


In essence, edge computing enables smart apps and IoT sensors to perform real-time functions by addressing three related challenges:

  • Remote device connectivity to a network

  • Slow data processing caused by network or computing limitations

  • Edge devices that create network bandwidth issues


By processing data closer to the source (at the edge of the network), edge computing can overcome these challenges and improve efficiency, reduce latency, and enhance the overall performance of the system. This allows for faster and more reliable data processing, making real-time functionality possible.


One of the main benefits of edge computing is improved efficiency. By processing data at the edge, devices can perform some of the computing tasks that would otherwise require a more powerful centralized server. This not only reduces the workload on the server but also reduces the amount of data that needs to be transmitted over the network, resulting in faster processing times and lower latency. Microsoft Azure shared a great example of this, writing, “A security camera in a remote warehouse uses AI to identify suspicious activity and only sends that specific data to the main datacenter for immediate processing. So, rather than the camera burdening the network 24 hours per day by constantly transmitting all of its footage, it only sends relevant video clips. This frees up the company’s network bandwidth and compute processing resources for other uses.” 


Of course, however, there are several risks associated with edge computing. One of the most significant risks is security. With data being processed and stored at multiple edge devices, it can be more challenging to secure the network against potential attacks. This is especially true when it comes to securing data in transit between edge devices and central servers.


Another risk is data privacy. Edge computing involves collecting and processing large amounts of data, which can potentially be used to identify individuals or groups. One of the primary concerns is that edge computing may collect and process personal data, such as personally identifiable information (PII), biometric data, or sensitive information related to health, financial, or other personal matters. This raises concerns about the potential for misuse or unauthorized access to personal information. Another data privacy risk associated with edge computing is the potential for data breaches or cyberattacks. Since edge devices are distributed and may not have the same level of security measures as centralized servers, they may be more vulnerable to attacks. Moreover, edge devices may transmit data over insecure networks or unsecured channels, further increasing the risk of interception or data leakage.


Network connectivity is another potential risk. Edge computing relies on stable and fast network connectivity between edge devices and central servers. If the network connection is unreliable or slow, it can negatively impact the performance of the entire system.


Compatibility issues can also arise with edge computing. Edge devices may be running different operating systems and software, which can create compatibility issues when it comes to integrating them with other devices and central servers.


Finally, managing and maintaining edge devices can be challenging. This includes firmware updates, security patches, and troubleshooting issues. This can be especially problematic in large-scale deployments with many devices spread out over a wide area.


Despite these risks, the benefits of edge computing make it an increasingly popular technology for organizations looking to improve their data processing and analysis capabilities. As the technology continues to evolve, it is likely that many of these risks will be mitigated, making edge computing an even more attractive option for businesses and organizations of all sizes. 


Noting the security issues is important to prevent detrimental damages to companies. To mitigate these data privacy risks, organizations must implement privacy-by-design principles in their edge computing solutions. This includes conducting privacy impact assessments (PIAs) to identify potential privacy risks and implementing technical and organizational measures to address them. Additionally, companies must ensure that they obtain valid user consent for collecting and processing personal data and that they adhere to data protection regulations. Encryption and other security measures should also be implemented to protect data both in transit and at rest, and data monitoring and auditing processes should be in place to detect and respond to security incidents.






See How Findings Can Help You Monitor Your Systems

Cyber Attacks, Privacy, security compliance, Supply Chain Security

The Great Data Breaches: Tales of Cybersecurity Misadventures

Posted on by Or Kadosh
Findings.co talks about the decade's biggest breaches from the past decade.
11
Apr

The Great Data Breaches: Tales of Cybersecurity Misadventures

Data breaches are a nightmare of the digital age that have plagued companies and organizations around the world in recent years. With cybercriminals constantly evolving their tactics, no one is safe from the threat of a data breach. While this list can go on and on we’ve narrowed it down to some of the most well known breaches to date.

Let’s take a look at some of the most notable data breaches that have occurred in the past decade, and the lessons we can learn from them!

Equifax: The One That Got Away

In 2017, Equifax, one of the largest credit reporting agencies, suffered a breach that exposed the personal information of 147 million people, including names, birthdates, Social Security numbers, and other sensitive data. Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes. In a statement released, Equifax writes, “The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application. Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.”


(From SEC filing report)

This was a huge blow for the credit industry, as it exposed flaws in the system that allowed unauthorized access to sensitive personal information. It also highlighted the need for companies to invest in cybersecurity measures to protect their customers’ data.

Yahoo: Twice Bitten, Thrice Shy

In 2013 and 2014, Yahoo experienced two separate data breaches and every user who had a Yahoo account was likely affected by its massive hack. The stolen information included names, email addresses, phone numbers, dates of birth, and security questions and answers. The sheer scale of this breach was unprecedented, and many companies lack the ability to collect and store all network activity that could be used to trace a hacker’s steps, making it difficult to investigate data breaches. This was highlighted by the Yahoo breach in 2013 and 2014, where investigators struggled to follow the hackers’ tracks due to a lack of network activity data.

Marriott: A Wake Up Call

In 2018, Marriott International, one of the world’s largest hotel chains, suffered a data breach that exposed the personal information of 500 million customers. In a company statement, Marriott explains that they “learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.” The breach at Marriott International exposed the personal information of approximately 500 million customers who made a reservation at a Starwood property. The stolen information included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Some guests’ payment card numbers and expiration dates were also compromised, but they were encrypted using AES-128. This breach was a wake-up call for the hospitality industry, which has traditionally lagged behind other sectors in cybersecurity. It highlighted the importance of designing security measures into products and services from the outset, rather than bolting them on as an afterthought.

Target: The Target of Cybercrime

In 2013, Target, a major U.S. retailer, experienced a breach that affected 110 million customers. This was one of the earliest and most widely publicized data breaches. Prior to this event, cybersecurity was not given the same level of attention as it is today. The professional practices that many businesses implemented in response to this event likely prevented numerous data breaches from occurring. The breach began when a third-party contractor for Target, Fazio Mechanical Services, fell victim to a spear phishing attack. The hackers then used the stolen credentials to access Target’s corporate network and install malware on Target’s POS devices. Target’s security team received a notice for a generic threat but did not act on the warning. The breach wasn’t detected until three days later, and the US Department of Justice uncovered the scope of the danger on December 12th. The hackers gained access to data including full names, phone numbers, email addresses, payment card numbers, and credit card verification codes. This breach was a turning point in the battle against cybercrime, as it demonstrated that even the biggest companies were vulnerable to attack. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.

Capital One: A Capital Mistake

In 2019, Capital One experienced a breach after an outside individual obtained unauthorized access to personal information of about 100 million US customers and 6 million Canadian customers. Capital One explained that they discovered this security incident after the configuration vulnerability was reported to Capital One by an external security researcher through their Responsible Disclosure Program on July 17, 2019. The accessed information included personal information collected from credit card applications, such as names, addresses, and self-reported income, as well as customer status data, credit scores, and transaction data from 23 days in 2016-2018. Additionally, the individual obtained about 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers. This incident underscores the importance of securing sensitive financial data and having strong cybersecurity policies, including employee training and regular security audits.

eBay: Buy and Beware

In 2014, eBay experienced a massive data breach that affected all 145 million users at that time. The hackers were able to access encrypted passwords and personal details of customers, including names, email addresses, phone numbers, and physical addresses. As a result, eBay was forced to ask all of its users to change their passwords in a surprising turn of events. In many instances, hackers may unscramble encrypted passwords and then use automated softwares that logs into thousands of popular social media sites and banking accounts. At the time, eBay faced extreme criticism for its slow response and poor communication with affected customers following the massive data breach. This incident highlights the importance of swift action and proactive communication with customers in the aftermath of a data breach. Even more importantly, it was a lesson in the importance of password hygiene and the need for companies to implement strong password policies, such as two-factor authentication.

(from eBay’s website)

Anthem: The Healthcare Hack

In 2015, Anthem, one of the largest health insurance companies in the U.S., announced that it suffered a breach that exposed the personal information of 80 million customers, including names, birthdates, Social Security numbers, and other sensitive data. How did it happen? According to the investigative report, the Anthem data breach began in February 2014 when a user in one of the company’s subsidiaries opened a phishing email containing harmful content. This led to the download of malicious files and remote access to the user’s computer, as well as dozens of other systems within the Anthem enterprise, including the company’s data warehouse. The attacker was able to move laterally across Anthem systems and escalate privileges, ultimately compromising at least 50 accounts and 90 systems. This resulted in access to approximately 78.8 million unique user records after querying the data warehouse. This breach was a stark reminder of the importance of securing sensitive healthcare data, which is highly sought after by cybercriminals. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.

Microsoft Exchange: The Latest Threat

In 2021, Microsoft Exchange email servers were attacked, affecting 60,000 companies worldwide. The hackers were able to exploit four zero-day vulnerabilities, which allowed them to gain unauthorized access to emails from small businesses to local governments. They took advantage of a few coding errors over three months to take control of vulnerable systems. Once they gained access, they could request data, deploy malware, use backdoors to gain access to other systems, and ultimately take over the servers. Many people assumed that the requests were legitimate because they looked like they came from the Exchange servers themselves. Although Microsoft was able to patch the vulnerabilities, owners of individual servers that didn’t update their systems would still be vulnerable to the exploit. Because the systems weren’t on the cloud, Microsoft couldn’t immediately push a patch to fix the issues. In July 2021, the Biden administration, along with the FBI, accused China of the data breach. Microsoft followed suit and named a Chinese state-sponsored hacker group, Hafnium, as the culprit behind the attack.


These are just a few of the largest data breaches in the past decade, and there have been many others affecting a range of industries and types of organizations. The lessons we can learn from these breaches are clear: companies need to take cybersecurity seriously and implement robust security measures to protect their customers’ data. By staying informed and investing in the latest cybersecurity technologies, we can help to prevent the next big data breach.




Findings Can Help You 



Cyber Attacks, Privacy, Supply Chain Security

January Security Breach Round Up

Posted on by Or Kadosh
Findings.co reveals the top breaches in January 2023
02
Feb

While a new year is supposed to bring in new and exciting opportunities, quite the opposite happened to these companies after they had their resolutions spoiled by hackers. Let’s review some of the most interesting data breaches that happened in January..


PayPal:


Yes, even massive financial companies like PayPal fall victim to breaches. On January 18, 2023, PayPal informed customers that unauthorized parties were able to access PayPal customer accounts using their login credentials. In the company notice, PayPal writes, “the personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.” After an incident like this, it is extremely important that users change their passwords for other online accounts as well as activate two-factor authentication, which can prevent hackers from accessing their other accounts. 


T-Mobile:

Another breach? This time, 37 million people were apparently affected. On January 19th, 2023, T-Mobile released a statement writing, “We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.” Obtained information includes name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. T-Mobile further writes, “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.” While we hope that T-Mobile does indeed strengthen their cybersecurity program, we’d like to note that the telecommunications giant has suffered several security incidents in the past few years. 


Google Fi:

Think of a domino effect here. When one goes down, so can the next. It is alleged that Google Fi’s security incident is connected to the T-Mobile incident right above this one. Google Fi is a mobile virtual network operator that uses T-Mobile’s network for the majority of its connections. It is believed that hackers may have accessed customer information such as phone numbers, SIM card serial numbers, account status, and mobile service plan data. To explain the aftermath of this, BleepingComputer explained that, “the exposed technical SIM data allowed threat actors to conduct SIM swap attacks on some Google Fi customers, with one customer reporting that the hackers gaining access to their Authy MFA account. SIM swapping attacks are when threat actors convince mobile carriers to port a customer’s phone number to a mobile SIM card under the attacker’s control.” After the SIM swapping attacks, hackers can access a person’s email, accounts registered with the phone number, and authentication apps. 


Mailchimp:


Don’t be that person – always think twice before opening links from people you don’t know. On January 11, 2023, Mailchimp discovered that an unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors. By doing so, the hacker was able to obtain access to select Mailchimp accounts using employee credentials compromised in that attack. The hacker accessed a tool used by Mailchimp customer-facing teams for customer support and account administration. In a company notice explaining the situation, Mailchimp confirms, “this targeted incident has been limited to 133 Mailchimp accounts.”


JDSports: 


JDSports, a British sports-fashion retail company based in England also unfortunately fell victim to an attack in January. JDSports notified customers via email explaining the situation, pictured below.  


Photo Source:




The sports company warns that the attack resulted in unauthorized access to a system containing customer information for orders placed between November 2018 and October 2020. Information such as full names, billing details, delivery addresses, email addresses, phone numbers, order details, and final four digits of payment cards were accessed.



 

Before wrapping up for the month, did you hear about SwiftSlicer, a new data wiping malware that aims to overwrite crucial files used by the Windows operating system? BleepingComputer explains that it allows “domain admins to execute scripts and commands throughout all of the devices in the Windows network.  SwiftSlicer was deployed to delete shadow copies and to overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.” Researchers at a cybersecurity company, ESET, say that SwiftSlicer has the ability to overwrite data using 4096 bytes blocks and then the malware can reboot the system. Since this is a new discovery, it’s important that companies continue using the most up-to-date antivirus softwares. 





Learn About Our Continuous Monitoring Solution

Cyber Attacks, Privacy, Supply Chain Security

December Security Breach Round Up

Posted on by Or Kadosh
December security breaches
09
Jan

2023 is here and while I would love nothing more than to say that everything is awesome in the security world, I would be lying to all of you if I said there were no data breaches in the month of December. 

While most people usually wind down and enjoy the holiday season with family in December, the top dogs at the companies below probably had nothing but stress on their minds. 

Let’s dig in and see what mistakes were uncovered this month.


  1. LastPass:

Well this is a little awkward, isn’t it? Given that LastPass is a password manager, one would think that they would have strong measures in place to protect their consumer’s privacy; however, that does not seem to be the case. In a company notice, LastPass writes: “we recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” The threat actor copied information from a backup source that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The company continues to explain that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” It is important to note that many organizations and their employees use LastPass to store passwords. If you were not aware of this incident, it is time you look into protecting your accounts and changing your passwords.


  1. Uber:

When I found out about yet ANOTHER Uber breach, my reaction was a deep sigh of frustration. This time the breach resulted from a compromised third-party vendor. BleepingComputer reported about the incident and shared that “a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees. While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.” After further investigations, Uber later shared with BleepingComputer that the threat actor stole its data in a recent breach on Teqtivity, which Uber uses for asset management and tracking services. Teqtivity informed that the threat actor was able to access device information such as serial number, make, models, and technical specs. Additionally, user information such as first name, last name, work email address, and work location details were accessed. 


  1. Five Guys:

I’ll be the first to admit that Five Guys is irresistible – especially on a cheat day. So of course I hate to be the bearer of bad news here, but alas, it has to be said. On December 29, 2022, Five Guys released a statement confirming a breach that occurred in September 2022 that exposed sensitive customer data by an unauthorized party who accessed a file server. The company writes: “The investigation identified unauthorized access to files on our file server that occurred on September 17, 2022. We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process.” Stolen data would include employee personally identifiable information (PII) such as names, social security numbers and driver’s license numbers. We see this time and time again where threat actors access sensitive information and companies do not inform victims until months later. In those months, the attackers can commit identity and credit fraud and sell user data on the dark web. That is one of the reasons why Findings is so useful – we continuously monitor your systems and the dark web to make sure that if an incident like this does ever occur, it will not take you months to find out.

 

  1. Sequoia:

For those who are unaware, Sequoia is a popular benefits and payroll management company. In a company notice, they stated: “Sequoia Benefits and Insurance Services LLC (“Company”) recently became aware that an unauthorized party may have accessed a cloud storage system that contained personal information provided in connection with the Company’s services to its clients, including your employer or, if you are a dependent, your family member’s employer.” Information accessed by the unauthorized party consists of personal information including demographic information such as name, address, date of birth, gender, marital status, employment status, social security number, work email address, member ID, wage data for benefits, attachments that may have been provided for advocate services, ID cards, and any COVID test results or vaccine card that may have been uploaded.

  1. Social Blade:

Social Blade is an analytics platform that provides statistical data for numerous social sites such as YouTube, Twitter, Twitch and Instagram. They confirmed that they suffered a data breach after their database was breached and put up for sale on a hacking forum. Social Blade monitors tens of millions of social media accounts and the hacker claims to have obtained 5.6 million records. The sample data that was posted by the hacker also suggests that many of the records contain user information. Users online were quick to share an email that was apparently sent privately to affected users. In the email, Social Blade confirms the breach and reports that the affected data includes email addresses, IP addresses, password hashes, client IDs and tokens for business API users, and authentication tokens for connected accounts. Other non-personal and internal data was also compromised. Roughly 0.1% of users also had their addresses leaked, but credit card information was not exposed. A similarity we see here in comparison to other breaches is that this was not Social Blade’s first breach. In 2016, the company also confirmed that it suffered a breach. Let’s see if the most recent breach will be the push they need to better protect their company and prevent future attacks. 

Image

source: twitter


Now that we are in 2023, we hope that companies will take the necessary steps to protect their systems. Findings has a few New Year’s resolutions we recommend companies take on to ensure that they are protecting their employees and consumers.

Attackers prey on those who don’t regularly change their passwords. In fact, it makes their jobs easier. Make sure your systems are secure with New Year’s Resolution # 1: Require your employees to change their passwords every 90 days.

With an increase in cyber attacks being committed against supply chains, it’s vital that every business implements mandatory cybersecurity training programs. Having employees that are aware of all things cyber security is beneficial in minimizing the risks associated with cyber attacks.


Staying vigilant and continuously assessing potential risks in your supply chain is an essential New Year’s Resolution that companies need to follow in 2023.



Updates are usually required for a reason, and many times it’s for security reasons. When systems are up to date, it makes it harder for hackers to attack and find loopholes in the system. 


If you haven’t heard of our continuous monitoring solution, you may want to consider looking into it.



Andddd that’s a wrap for this month!


Findings wishes you all a happy and healthy New Year.

 

We’re here for you. Learn more today.

Cyber Attacks, Privacy, Supply Chain Security

November Security Breach Round Up

Posted on by Or Kadosh
November Security Breaches
01
Dec

From grocery stores, to banks, and everything in between – November saw it all when it came to breaches. As I mentioned in September, hackers are not picky. Let’s just say, when an opportunity arises, they will swoop right in and overtake your systems and access any data they can get their e-hands on.

 

Be careful, and keep staying informed – our goal is to make sure no company ends up on this list next month. 

 

Let’s dive in. 

 

  1. WhatsApp


Whatsapp with this?! The app that we all know, love, and use, WhatsApp, has supposedly fallen victim to a massive data leak. And by massive, I mean nearly 500 million user records have been leaked online. So… what happened? On November 16, 2022, an ad on a well-known hacking community forum was posted by someone claiming to be selling a 2022 database of WhatsApp user mobile numbers. It is also claimed that 32 million users from the United States have been included. Although only phone numbers were leaked, it is important to note that leaked phone numbers are typically used for marketing purposes, phishing, impersonation, and fraud. 

 

  1. Bed Bath & Beyond

Ah, phishing at its finest. While almost anyone who enters Bed Bath & Beyond can get lost for hours browsing, no one likes hearing about breached data. The United States retail giant confirmed that unauthorized access to company data was accessed after an employee was phished. In an 8-K filing to the U.S Securities and Exchange Commission, Bed Bath & Beyond explained that data of the employee’s hard drive and other shared drives that the employee had access to were accessed. The company is still investigating whether the drives have any sensitive or personally identifiable information.

 

  1. DropBox


File hosting service, DropBox, also fell victim to a phishing incident. In a statement from the company, they explained the situation saying “We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.” The company goes on to explain that on October 14, GitHub alerted them that suspicious behavior was going on. DropBox found that a threat actor was pretending to be CircleCI and was able to access one of DropBox’s GitHub accounts. To date, their investigation has found that the code accessed by the threat actor contained some credentials, primarily, API keys used by Dropbox developers.

 

  1. TransUnion


Isn’t it ironic how an agency who determines your credit score, is the one that could be ruining your credit? There are three main credit bureaus in America – Experian, Equifax and TransUnion. Unfortunately, the consumer credit reporting agency, TransUnion, experienced a breach and began notifying individuals about the incident on November 7,2022. The company collects and assembles information on over 1 billion consumers worldwide, 200 million of those being Americans. The type of information that was exposed includes names, social security numbers, driver’s license numbers, and account numbers. 

 

  1. AirAsia


AirAsia, the largest airline in Malaysia with approximately 22,000 employees and worldwide operations, has unfortunately fallen victim to a supposed ransomware attack. The group behind this attack is known as the Daixin Ransomware Gang and they have supposedly stolen data of 5 million AirAsia passengers and employees. The Daixin team is known for disrupting operations with ransomware and stealing personally identifiable information. With this data, the cyber threat group threatens to release the stolen information unless a ransom is paid. In a tweet shared by Soufiane Tahiri, screenshots from the group can be seen that were posted on the dark web. The information applies to both employees and passengers. In these documents, information such as date of birth, country of birth, where the person is from, start of employment for employees and their secret question and answer used to secure their accounts could be found. 

 

  1. Sonder


In a company security update, Sonder, a hospitality company, notified the public that they became aware of unauthorized access to one of its systems that included guest records. Information that was accessed includes: 

  • Sonder.com username and encrypted password

  • Full name, phone number, date of birth, address, and email address

  • Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts

  • Dates booked for stays at a Sonder property

  • Government issued identification such as driver’s licenses or passports

 

  1. Sobeys

This incident shows that ANY business can get breached. Even a supermarket. Incase you aren’t familiar, Sobeys is one of the two national grocery retailers in Canada. On November 7, 2022, Sobeys’ parent company wrote in a notice that the grocery stores were impacted by an IT systems issue. While the company hasn’t publicly confirmed a cyber attack on its systems, a local media outlet reported that “two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a “confidentiality incident.” 

 

  1. Whoosh

Russian scooter sharing company known as Whoosh has confirmed that it too was breached. Hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Alleged stolen data on the hacking forum allegedly contains promotion codes that would allow someone to access the service for free, as well as partial user identification and payment card data. Included were email addresses, phone numbers, and first names. A russian news outlet, RIA Novosti was told by Whoosh that, “The leak of some of the personal data of customers of the Russian scooter rental service Whoosh at the beginning of November did indeed occur, but did not affect sensitive user data, such as access to accounts, transaction information or travel details” 

 

  1. Coinsquare:


Cryptocurrency is a sexy industry to talk about, but this incident is a little less appealing. To round up the month, a Canadian cryptocurrency exchange, Coinsquare has become the latest victim of a security breach. Data such as customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances were compromised. According to customer reports, Coinsquare allegedly contacted them via email and let them know that it had identified an intrusion and a database containing personal information accessed by an unintended third party. In a Tweet responding to an account sharing about the hack, Coinsquare wrote, “We have no evidence any of this information was viewed by the bad actor, but in an abundance of caution, we wanted to make our users aware. We notified all clients, but only identified 3 clients whose accounts were accessed.” 



Companies can get careless when it comes to securing their systems, their employees, and their customers. And while we are here to help you, the first step begins with you staying informed. Which we see you are since you made it this far! 


We’re here to help you. Contact us today

Cyber Attacks, Privacy, Supply Chain Security

October Security Breach Round Up

Posted on by Or Kadosh
30
Oct

October was Cyber Security Awareness Month, and yet, another month, another breach. In a month that is geared towards helping organizations protect themselves, large companies have yet again fallen victim to these heinous attacks. One after the other, many companies and their consumers are now wondering when these breaches will stop. 

 

Here are our top October 2022 know-worthy incidents:

 

Toyota:

    • Toyota is no stranger to data breaches. And by the looks of it, it seems as though the company hasn’t learned from past mistakes (remember the 2019 breach that affected over 3 million of Toyota’s customers?). On October 7, 2022, Toyota issued an apology after nearly 300,000 people who used T-Connect, a telematics service that connects vehicles via a network, were exposed. The Japanese car giant explained that personal data was leaked when an access key was publicly made available on GitHub for almost five years. Email addresses and customer control numbers may have been exposed since 2017.


Microsoft:

    • Another tech giant hit yet again. On October 19, 2022, Microsoft addressed the public after security researchers at SOCRadar informed Microsoft of a misconfigured Microsoft endpoint. After the discovery, Microsoft explained that the researchers exaggerated the entire situation. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers. Information about planning or potential implementation and provisioning of Microsoft services was involved. In addition, the data that was potentially compromised includes names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. 


Verizon:

    • In a notice, the company confirms, “we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice.” 


Carousell:

    • On October 14, Carousell Singapore disclosed that it experienced a breach. And this wasn’t a small breach either – almost 2 million accounts were compromised. The company explains, “it is unlikely that this incident will result in an identity theft as it does not include information like your NRIC number,” but it is believed that emails were compromised. 


Medibank:

    • Bad news for Medibank, one of the largest Australian private health insurance providers. On October 12, 2022 the company discovered that customer information may have been compromised after a hack on their systems. It was thought that the original hack only affected certain customers, but after this week, the company is assuming that all 3.9 million customers were affected. The company said it had received a series of files from the alleged hacker, and they found the files included 100 ahm policy records, which include personal and health claims data, plus another 1,000 policy records from ahm, and files which contain some Medibank, ahm and international student customer data. The records provided to the company include names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, including information about diagnosis, procedures and location of medical services.


Twilio:

    • Sometimes companies just can’t catch a break. Cloud communications company, Twilio, disclosed a new data breach stemming from a June 2022 security incident. After a lengthy investigation, the company concluded that 209 customers and 93 Authy end users had accounts that were impacted by the incident. 

 

Don’t let your company end up on this list. See how findings can help you here.

Cyber Attacks, Privacy, Supply Chain Security

September Security Breach Round Up

Posted on by Or Kadosh
September Security Breach Round Up. An iPhone with a broken lock - signifying a breach.
01
Oct

Cybersecurity threats have become an integrated part of every company’s lifecycle. They are occurring now more than ever, and hackers are not selective – ultimately putting any company at risk for an attack. 

 

To keep your company safe and your cybersecurity team up to date with the latest trends, it’s important to learn from recent incidents to avoid the same mistakes that left even the world’s largest corporations exposed. 

 

Here are our top 5 September 2022 read-worthy incidents:

 

Uber:

Sneaking out of the house isn’t the only thing teens are getting good at and a recent breach proves this. On September 15, 2022, Uber fell victim to an attack. In this case, a suspected teen hacker, who Uber believes is a part of Lapsus$, was able to access Uber’s systems. In a company notice, Uber explains that the hacker likely purchased an Uber EXT contractor’s password off the dark web, and after many attempts, was successfully able to access this worker’s account. Several internal systems, internal slack messages, information from an internal tool the company uses to manage invoices, and their dashboard at HackerOne were all accessed. 


Samsung:

Most would think that one of the world’s biggest tech companies is heavily secure, right? Well… On September 2, 2022, Samsung confirmed a cybersecurity incident that affected customer data. Information such as name, contact and demographic information, date of birth, and product registration information may have been compromised. After further investigation, Samsung discovered that this incident stemmed from an unauthorized third party acquiring information from some of Samsung’s U.S. systems. 


Optus:

Optus, one of Australia’s largest telecommunication companies, suffered a cyberattack and confirmed it on September 22, 2022, through a company announcement. Customer names, dates of birth, phone numbers, email addresses, street addresses, medicare cards, and ID document numbers such as driver’s license and passport numbers of over 9 million people were potentially exposed.


American Airlines (Again?! Really?!):

On September 16, 2022, American Airlines informed customers that they experienced a security incident in July 2022. The notice explains the discovery of an unauthorized actor who compromised the email accounts of a limited number of American Airlines employees. Upon further investigation, they found that personal information such as name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information were accessible through  the email accounts. 


Tap Air Portugal:

As aviation becomes a hot target, TAP Air Portugal released an important notice to customers on September 21, 2022, regarding a cyber attack discovered back in August. The notice reads, “Regretfully, we want to inform that the following categories of personal data from some customers of TAP have been disclosed: name, nationality, gender, date of birth, address, email, telephone contact, customer registration date and frequent flyer number. The information for each affected customer may vary. We are releasing this notice to make customers aware of this matter. There is no indication that payment data was exfiltrated from TAP’s network.” While the company did not disclose how many people were affected, it is believed that over 1.5 million TAP customers had their data stolen. 


While we’ve only listed 5 of the many incidents that occurred in September, it’s important to mention that breaches occur all the time, and hackers are getting more and more creative and sophisticated. 


As businesses, it’s even more important for you to find ways to prevent, detect, and respond to these attacks in a quick and effective manner. 


Keeping your supply chain secure is vital to keeping it functioning properly and that’s why we’ve put together a supply chain security enhancement checklist for companies to reference. 

 

 

                                                                      At Findings, we help secure your digital supply chain. Discover how we can benefit your business here.

Privacy, security compliance, Vendor Risk Management

What action can you take post Kaseya

Posted on by kobi
08
Jul

The Kaseya supply chain attack (also known as the fourth of July attack) is the hottest cyber topic these past few days. How can it affect your business and what can you do about it? Kobi Freedman, Findings CEO, provides answers as well as an actionable solution.

Recently, numerous cyber attacks have been targeting supply chains, affecting hundreds of thousands of vendors globally, impacting large numbers of companies, putting them at major risk in terms of supply chain disruption and cyber exposure. Past incidents which include SolarWinds, Accelion, MS Exchange, Fortinet as well as the current Kaseya indicate a steep future risk trajectory, with major implications.

What happened to Kaseya?

Kaseya IT group provides financial management software tools for medium and large organizations, used by a massive number of customers.

On July 4th Kaseya disclosed a compromise by the REvil group – a cardinal cybercrime syndicate, resulting in a breach that allowed attackers to deploy ransom malwares to Kaseya customers. Kaseya claims only the VSA product line (a unified IT management tool) was exposed and that only 1500 (!!!) customers were breached – however, due to the fact that Kaseya’s wider circle of influence is estimated in 1 million businesses, the announcement should be considered with a grain of salt.

The attack caused business disruption to thousands of companies, impacting over 1 million users. While the US Govt is actively pursuing the REvil group, so far, no one has been arrested. The attack’s economic and full damage extent is yet to be determined as the incident is still in progress.

Third-party attacks have been fundamental for cybercriminal groups due to its effectiveness, financial return, and the ability to simultaneously extort multiple organizations.

The extent of these attacks is astonishing; Findings customers’ long-tail assessments indicate on average 15-20% exposure rate to SolarWinds, Accelion and other attacks – a risk currently not being reviewed by traditional vendor risk assessments lifecycle – whether upon onboarding or periodically performed.

What can you do?

    1. Ensure your organization has entire supply chain visibility and continuous risk exposure of every business continuity vendor.
    2. Have the capability to rapidly act upon current and future events to review any potential exposure.

Findings long-tail monitoring protocol provides customers the ability to continuously map their entire vendor-space risk. In the case of a supply-chain incident, Findings enables 3rd and 4th tier vendor rapid assessment, detection and mitigation. This will allow you to prioritize risk mitigation as well as efficient and timely action tracking.

Contact us to initiate your long tail solution. Don’t be a victim of the next supply chain attack. 

Privacy, security compliance, Vendor Risk Management

How to align the vendors objective and internal risk profile

Posted on by kobi
20
Apr

One of the key issues in correctly assessing and managing vendor risk is the ability to analyze the potential risk exposure of the vendor and execute the risk evaluation process accordingly.

The process should include:

    • Understanding the business process
    • Mapping potential data or processes at risk 
    • Analyzing business or operational impact upon vendor breach
    • Aligning audited controls and categories

For example:
Vendor A is a small software development company, providing us services in 2 separate deals:

Deal 1:

Business owner: IT

The deal:

The vendor is providing outsourced code development services and processes employee data in an AWS environment in which  a breach might cause major business disruptions and should be addressed in terms of security evaluation with the following, beyond traditional security audit:

    • Assessment: Software provider – sensitive.
    • IP exposure analysis: data encryption, employee privileges management,  separation of environments, etc.
    • Privacy related exposures: Private data handling, policies, and procedures, privacy compliance opinion, etc.
    • Cloud security measures required: cloud security posture management, relevant certificates, etc.
    • Timing and severity: the vendor might be assessed annually with a set of findings thresholds that will require high standards of security.

Deal 2: 

Business owner: R&D

The deal:

Technical on site consulting regarding architecture of a planned website renewal of the company, Where no data is being stored by the vendor.

In this case, the assessment term might be minimal and include the following:

    • Assessment: consulting
    • IP exposure analysis: NDA execution, email security.
    • Timing and severity: the vendor might be assessed once and with a set of findings thresholds that will require low standards of security.

Being able to orchestrate and automate the risk assessment requirements and analysis will enable a better understanding of the real exposure, an increase in vendor engagement and commitment and a dramatic reduction of security handling costs and risk evaluation accuracy.

 

Maintain holistic internal risk management

In order to streamline the ability to perform better security analysis and execute at scale, the following process elements should be addressed with your own organizational terminology.

    1. Vendor/Deal risk exposure mapping as indicated by business owners:
      • Mapping of deal elements
      • Mapping of business impact
      • Mapping of potential assets exposed
    2. Security & privacy requirements:

      • Transformation of the initial vendor/deal mapping into an actionable assessment framework.
      • Determination of benchmark and standards.
      • Determination of repetitiveness.
      • Determination of a minimal risk threshold for assessment execution.

 

Findings internal risk module

Findings enables you to streamline all internal risk elements into one process and customize your own business logic, policy and terminology as part of it.

The main capabilities provided as part of your account:

1. Business owner page

A customizable wizard enabling the following branded capabilities:

    • Publication of your policy to your business owners across the enterprise
    • New/existing Vendor requests
    • A customizable vendor risk classification questionnaire 
    • An automated calculation of vendor internal risk score
    • Automated triggering of security categories and controls for the assessment
    • An automated pending vendor for security team

2. Vendor management

A comprehensive vendor management page for the security team, including:

    • The ability to open, edit vendor details, send assessments and define vendor assessment policies
    • Review and approval of business owner page results and the system assessment recommendations
    • Self definition of vendor internal risk classification by a member of the security team
    • Maintaining multiple business owner security page results for a single vendor
    • Launching assessments in alignment with the business owner page results

IMPORTANT: The ability to maintain said multiple risk profiles allows the enterprise to assess and certify the vendor for multiple deals and reuse already finalized past assessments to match with new business owner requests.

How to:

Option 1: Your vendor management module :  Vendor tab >> manage vendors >> select vendor >> Edit

Option 2: directly from the notification received from you BO page initiation

3. Notifications

Findings’ powerful notification engine enables the business owner to be notified on the various stages and processes following his/her request. The notifications, as always, are self customizable to your needs.

The standard notifications that the business owner will receive (is CCed to)  include:

    • The assessment sent to the vendor
    • Notification and escalations of delays
    • Vendor assessment finalization 
    • Security review completion

How to:

The notification editor can be found at Profile >> Manage organization >> Notifications

The combination of all  Findings internal risk elements will provide you with a streamlined process, better business risk alignment, better security efficiency and service level to your internal stakeholders.

Give it a try or book a free demo session with our experts.

iso, iso27001, iso27017, iso27018, Privacy, Vendor Risk Management

GE Discloses Data Breach

Posted on by kobi
GE data breach in supply chain
07
Apr

Tech Giant GE Discloses Data Breach After Service Provider Hack

The recent data breach of a GE supply chain service provider resulted in the theft of PII for many of the company’s employees. 

GE currently has customers in more than 180 countries and in employment of 280,000 employees according to the company’s 2018 annual report.

“The breach occurred at Canon Business Process Services (Canon), a GE service provider, where an email account of a single employee was breached, resulting in an unauthorized party gaining access to an email account that contained documents of certain GE employees, former employees, and beneficiaries entitled to benefits that were maintained on Canon’s systems”.

Also, GE stated that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as “beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”

GE reported the incident to the Office of the California Attorney General and have notified the affected individuals according to data breach laws and the CCPA.

They said that GE’s IT systems were not affected by the Canon security breach and that it’s taking all the necessary measures to prevent a similar incident from happening in the future.

Supply chain cybersecurity risk 

This attack highlights the issues of Supply Chain and Third-Party Provider attacks

As companies seek to reduce costs and improve operational margins, they rely on suppliers of business services or providers of products to take advantage of the lower costs these partners incur to specialization and economies of scale.

These strategies are sound business practices in the growing trend toward collaborative eco-systems. In fact, it’s impossible for an organization the size of GE to operate without an efficient global supply chain spanning across tens of thousands of subcontractors and vendors.  

The cybersecurity risks, companies face are the lack of control they have when it comes to protecting the data which they now share or have hosted by these suppliers – due to it not always being protected with the same level of security that the company itself, as a data owner, may impose on its own resources. 

The inability to determine the financial impact of these types of breach attacks makes it very hard for cost-conscious outsource/third-party services or goods suppliers to assess the right sizing of risk and breach mitigation measures.

The attackers that are leveraging these third-party or supply chain attacks are often identified as Political Cyber Warriors, Financial Hackers, Disgruntled Employees, and Industrial Espionage Agents. 

These actors have already done the math in terms of assessing the value of such purloined information in terms of financial value, and have sufficient resources behind them to invest in the attack methods that will enable these penetrations and exfiltration – and make a positive return on investment. 

As the number of attacks and the size/prestige of victims of these breaches increases, companies must be much more diligent in coping with these risks.

What can you do?

When selecting third-party service providers or supplier partnerships, companies must perform reasonable due diligence to assure themselves and their stakeholders that the selection process does not just focus on cost. 

The first step is for companies to assess the financial impact such a breach will have on their business in terms of reputation and survivability. 

This can be accomplished by firstly quantifying the risk in monetary terms – A Cyber Risk Quantification exercise can put a financial impact number to each type of asset’s compromise. 

Companies should perform this themselves or with the assistance of independent professionals.  This should not be done by the out-source provider.

Secondly, each potential provider should demonstrate that they are adequate to data security and relevant privacy measures by performing a defensive maturity assessment – ensuring that all security measures are in place, current and fully configured. 

There are several industry-specific standards such as ISO, NIST, and others that can provide standard yet independent expertise to conduct the assessments. 

These assessments should be performed as necessary-  Prospective clients/organizations should ask for and receive these security assessments during their selection or on-boarding process as well as on a periodic basis according to the risk exposure of the vendor.

Obviously, such operation of performing manual assessments on such a large scale isn’t practical, meaning an automated solution must be implemented to facilitate this process.

Summary

Cyber mitigation has become a fact of life and therefore, companies must make sure that they deal with it effectively.  Out-sourcing services or products for resale in an eco-system can be extremely beneficial and enables organizations to move investment off-balance sheet and gain the benefits of markets in sourcing such services, yet they must act aggressively to ensure that their partners are delivering on protecting the company from risks.

A 3rd party assessment cannot and will not prevent a cyber incident, but will help organizations create a robust supply chain and to respond quickly and decidedly when an attack occurs –  just like GE did.

Findings.co
Company
Products
Solutions
Media Room
Guides
Company
About
Privacy Policy
Terms of Use
Contact Us
FAQs
Sitemap
Products
Vendors
Enterprise
Partners
Vendors index
Solutions
Cyber security
ESG
Cloud Monitoring
Continuous Monitoring
Media Room
Blogs
Press Room
Guides
What is vendor risk management?
The Findings CMMC compliance checklist
4 ESG Best Practices for Energy Efficiency
Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account

Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Claim your free account Trial
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
less
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Claim your free account trail
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!