Category Archives: Supply Chain Security

The Evolution of Compliance Automation


The Revolutionary Impact of Compliance Automation

Cybersecurity and ESG criteria are evolving every day, and the significance of compliance is undeniable. Compliance automation has emerged as a beacon of innovation, reshaping how companies navigate the complex landscape of regulatory requirements and societal expectations. Here at Findings, we’re leading the charge in harnessing the power of AI automation to reshape how companies demonstrate their commitment to security and sustainability. This transformation is not just about staying within legal boundaries; it’s about leveraging technology to demonstrate that commitment in a transparent, efficient manner.

The Evolution from Manual to Automated Compliance

Our journey began against the backdrop of an era dominated by manual compliance processes.

Think: endless excel spreadsheets.

The initial focus was on digitizing paperwork and making audits more manageable. However, as regulations grew, and continue to grow, increasingly complex, the limitations of manual processes became glaringly apparent. This challenge paved the way for the era of compliance automation, an era we’re pioneering. By integrating generative AI and machine learning, we’ve transformed difficult, error-prone tasks into streamlined, precise operations.

We’re at the forefront of this transformative wave, offering a comprehensive suite of services, including audit automation, assessment automation, continuous risk ratings, and continuous monitoring. Our approach to compliance automation doesn’t just simplify adherence to regulations; it completely redefines the landscape. Our platform enables real-time assessment of compliance postures and transparent demonstration of adherence to both industry standards and ESG principles. For CISOs, compliance officers and cybersecurity professionals, we provide not just the tools to meet compliance expectations but the means to surpass them with unparalleled efficiency and dependability.

The rise of automation marks a pivotal shift for professionals. Freed from the burdens of manual oversight and exhaustive paperwork, you can now pivot towards strategic imperatives. This enhancement in decision-making capabilities fosters a culture of proactive risk management and corporate accountability, aligning closely with our mission to empower businesses.


Transforming Compliance and Corporate Resilience

As we look into the future, it’s evident that compliance automation is a fundamental evolution in how businesses meet regulatory obligations. Our journey exemplifies the potential of automation to not only streamline compliance processes but also to bolster a company’s standing and trustworthiness among stakeholders. For businesses ready to embrace this change, it signifies a gateway to growth, resilience, and a competitive edge.

The evolution of compliance automation is a testament to technology’s capacity to effectuate positive change. By automating routine tasks, we enable companies to concentrate on what truly matters—building a safer, more sustainable future for all.

January 2024 Data Breach Round Up


Enhancing Cybersecurity in the Face of Growing Threats

U.S. SEC’s X Account Compromise

The U.S. Securities and Exchange Commission’s (SEC) X account was hacked to falsely announce the approval of Bitcoin ETFs, causing a temporary spike in Bitcoin prices. The false claim was quickly addressed by SEC Chairperson Gary Gensler, who clarified that the SEC had not approved Bitcoin ETFs and that the tweet was unauthorized. This hacking incident is part of a broader wave of cyberattacks on verified X accounts aimed at promoting cryptocurrency scams. Notably, companies like Netgear, Hyundai MEA, and cybersecurity firms such as CertiK and Mandiant have also been targeted. The SEC has terminated the unauthorized access and is collaborating with law enforcement to investigate the breach and its implications. The incident underscores the growing concern over cybersecurity in the digital finance space.

VF Corporation Data Breach

On January 18, 2024, VF Corporation, the parent company of popular brands such as Vans, Timberland, The North Face, Dickies, and Supreme, reported a ransomware attack it experienced in December that compromised the personal information of over 35 million customers. Fortunately, sensitive information such as social security numbers, bank account details, or payment card details was not stolen, as the company does not store these details on its systems. Despite no evidence of stolen consumer passwords, the breach disrupted business operations, leading to the temporary shutdown of IT systems, inventory replenishment issues, and delayed order fulfillments. VF Corp has since managed to restore the affected IT systems and reported minimal operational issues in its retail stores, e-commerce sites, and distribution centers as of the latest update.

Trello API Misuse

An exposed Trello API vulnerability was exploited to link private email addresses to 15 million Trello accounts, leading to a significant data leak. The issue came to light when a user named ‘emo’ attempted to sell the data on a hacking forum, which included emails, usernames, full names, and other account information. Trello, owned by Atlassian, attributed the leak to public data scraping and not unauthorized system access. However, further investigation revealed that a publicly accessible API allowed the association of email addresses with Trello profiles without requiring authentication. Trello has since modified the API to prevent unauthenticated queries, aiming to balance user convenience with security. The data breach underscores the potential for abuse in public APIs and highlights the importance of securing such interfaces against unauthorized access. This incident also raises concerns about the use of public data in targeted phishing campaigns, prompting users to be vigilant.
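To make the API point concrete, here is an added example (not Trello’s code) of an email-to-profile lookup endpoint in the unauthenticated form described above, beside a hardened form that authenticates the caller, rate-limits per account, and returns only what a logged-in user needs. The user store, session tokens and thresholds are constructed assumptions.

```python
"""Email-to-profile lookup: the unauthenticated pattern beside a hardened one.
Constructed example; the user store, session store and rate limits are
assumptions, not any real service's implementation."""
from __future__ import annotations

import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample accounts (not real people).
USERS_BY_EMAIL = {
    "alice@example.com": {"username": "alice_w", "full_name": "Alice Wong"},
    "bob@example.com": {"username": "bob_k", "full_name": "Bob Klein"},
}
# Constructed session tokens -> username; a real service uses a session store.
SESSIONS = {"tok-alice-1234": "alice_w"}


@dataclass
class Response:
    status: int
    body: dict


def lookup_insecure(email: str) -> Response:
    """Weak pattern: any caller can turn an e-mail address into a profile.

    With no credential and no per-caller accounting, a list of addresses
    from earlier breaches can be resolved to usernames and full names in
    bulk, and the service has no principal to attribute the traffic to."""
    user = USERS_BY_EMAIL.get(email)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, user)


class RateLimiter:
    """Sliding-window counter keyed by principal (here, the username)."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed policy: at most 5 lookups per principal per minute.
LIMITER = RateLimiter(limit=5, window_s=60.0)


def _authenticate(token: str | None) -> str | None:
    """Return the username bound to a session token, or None."""
    if not token:
        return None
    for known, username in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return username
    return None


def lookup_hardened(email: str, token: str | None, now: float | None = None) -> Response:
    """Hardened pattern: authenticate, then rate-limit, then answer.

    - no valid session -> 401 before any lookup, so addresses cannot be
      tested anonymously;
    - the per-principal cap makes bulk resolution slow and attributable,
      because every request is tied to a logged-in account;
    - the body carries only the username, not the full name."""
    caller = _authenticate(token)
    if caller is None:
        return Response(401, {"error": "authentication required"})
    if not LIMITER.allow(caller, now):
        return Response(429, {"error": "rate limit exceeded"})
    user = USERS_BY_EMAIL.get(email)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"username": user["username"]})
```

The `now` parameter exists only so the rate limiter can be exercised deterministically; production code would leave it at its default.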

Capital Health Ransomware Attack

The LockBit ransomware group has taken responsibility for a cyberattack on Capital Health, a key healthcare provider in New Jersey and Pennsylvania, in November 2023. On their data leak site, the group wrote, “We purposely didn’t encrypt this hospital so as not to interfere with patient care. We just stole over 10 million files.” They have threatened to release seven terabytes of sensitive data and negotiation communications if their ransom demands are not met. Although LockBit typically forbids affiliates from encrypting hospital network files to avoid disrupting patient care, they claim to have stolen data without encryption in this instance. Capital Health has restored its systems and enhanced security measures but is still assessing the extent of the data breach. This incident is part of a disturbing trend where healthcare organizations, despite guidelines advising against such attacks for ethical reasons, are increasingly targeted by ransomware gangs. LockBit’s actions, including previous attacks on healthcare institutions globally, challenge the notion of “harmless” cyberattacks by highlighting the potential for significant operational disruptions and data breaches within the healthcare sector.

loanDepot Cyberattack

loanDepot, a leading U.S. mortgage lender, experienced a cyberattack that disrupted its IT systems and online payment portal, affecting customers’ ability to make loan payments and contact the company via phone. In a company notice, it was revealed that, “Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems. The Company will notify these individuals and offer credit monitoring and identity protection services at no cost to them.” The incident led loanDepot to take certain systems offline as it works with law enforcement and forensic experts to investigate and resolve the issue. In an 8-K filing, the company reported that the unauthorized actor gained access to certain company systems and encrypted data. This attack raises concerns about potential data theft, including sensitive customer information, which could lead to phishing attacks or identity theft. This event marks another significant cyber challenge for loanDepot, following a data breach disclosed in May from an August 2022 cyberattack, highlighting ongoing security threats in the financial services sector.

Trezor Support Site Breach

Trezor, a leading hardware cryptocurrency wallet provider, announced a security breach affecting its third-party support ticketing portal, exposing personal data of 66,000 customers. The breach, detected on January 17, led to unauthorized access but did not compromise users’ digital assets. Trezor reassured customers that their funds remain secure and their devices are unaffected. However, the breach exposed names or usernames and email addresses of users who interacted with Trezor Support since December 2021. Although other personal information like postal addresses and phone numbers were stored, there’s no evidence they were accessed. The company confirmed 41 instances of data exploitation, with attackers phishing for users’ recovery seeds via email, posing as Trezor Support. Trezor has alerted potentially affected users, emphasizing that wallet recovery seeds should never be shared, as disclosing them could lead to irreversible cryptocurrency theft. The unauthorized access has been terminated, and the risk mitigated.

Veolia North America Ransomware Attack

Veolia North America, part of the global Veolia group, was hit by a ransomware attack affecting its Municipal Water division’s systems and disrupting online bill payment services. Veolia responded by taking certain systems offline and is collaborating with law enforcement and forensic experts to understand the attack’s full impact. The company reassured customers that payments made during the disruption have been processed and no late fees or interest charges will apply. Importantly, Veolia’s water treatment and wastewater services remained uninterrupted, indicating the attack was limited to internal back-end systems. A small number of individuals’ personal information may have been compromised, and Veolia is assessing the extent of this breach. This incident underscores the growing cybersecurity threats facing critical water infrastructure, highlighting recent attacks on other water services and CISA’s efforts to bolster security within the sector.

Jason’s Deli Credential Stuffing Attack

Jason’s Deli has reported a data breach due to a credential stuffing attack, impacting customers of its online platform. Hackers obtained login credentials from other breaches and tested them on Jason’s Deli’s website on December 21, 2023. This type of attack exploits the common practice of using the same password across multiple services, posing a risk to accounts with reused credentials. The breach potentially exposed personal data including names, addresses, phone numbers, birthdays, preferred locations, account numbers, Deli Dollar points, and the last four digits of credit card and gift card numbers. The exact number of affected accounts is unknown, but all potentially impacted customers, estimated at 344,034, have been notified and advised to reset their passwords. Jason’s Deli is also restoring any Deli Dollars spent without authorization so that customers do not face losses.
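Credential stuffing has a recognisable signature in authentication logs: one source trying many distinct accounts, each roughly once, with a high failure rate and a few successes. The following added example (not Jason’s Deli’s telemetry or code) runs that detection over constructed log lines and returns, per flagged source, the accounts that logged in successfully from it, which are the ones to reset and notify. The log format, field names and thresholds are assumptions.

```python
"""Credential-stuffing detection over authentication logs.
Constructed example with constructed log lines; the format, thresholds and
field names are assumptions, not any real platform's telemetry."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries eight distinct accounts once each
# (two of them succeed, i.e. reused passwords), beside a normal user who
# mistypes their own password twice and then logs in.
SAMPLE_LOG = """\
2023-12-21T03:14:02Z src=203.0.113.7 user=alice result=FAIL
2023-12-21T03:14:03Z src=203.0.113.7 user=bob result=FAIL
2023-12-21T03:14:03Z src=203.0.113.7 user=carol result=OK
2023-12-21T03:14:04Z src=203.0.113.7 user=dave result=FAIL
2023-12-21T03:14:05Z src=203.0.113.7 user=erin result=FAIL
2023-12-21T03:14:05Z src=203.0.113.7 user=frank result=OK
2023-12-21T03:14:06Z src=203.0.113.7 user=grace result=FAIL
2023-12-21T03:14:07Z src=203.0.113.7 user=heidi result=FAIL
2023-12-21T03:15:10Z src=198.51.100.20 user=ivan result=FAIL
2023-12-21T03:15:25Z src=198.51.100.20 user=ivan result=FAIL
2023-12-21T03:15:40Z src=198.51.100.20 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the assumed 'ts src user result' line format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than crash the detector
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def _has_stuffing_window(evs, window, min_distinct_users, min_fail_ratio) -> bool:
    """Slide a time window over one source's events (sorted by time) and
    report whether any window has many distinct accounts and mostly failures.
    A single user failing repeatedly does not trip this: distinct users stays 1."""
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        chunk = evs[start:end + 1]
        users = {e["user"] for e in chunk}
        fails = sum(1 for e in chunk if e["result"] == "FAIL")
        if len(users) >= min_distinct_users and fails / len(chunk) >= min_fail_ratio:
            return True
    return False


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_ratio=0.5) -> dict:
    """Return {source: sorted usernames that logged in OK from a flagged source}.

    The successful logins from a stuffing source are the accounts whose reused
    passwords were confirmed; they are the candidates for a forced password
    reset and customer notification."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        if _has_stuffing_window(evs, window, min_distinct_users, min_fail_ratio):
            flagged[src] = sorted({e["user"] for e in evs if e["result"] == "OK"})
    return flagged


if __name__ == "__main__":
    for src, users in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"stuffing source {src}: reset and notify {', '.join(users)}")
```

In practice the same logic runs on a rolling basis and the thresholds are tuned per site; sources behind a large NAT need a higher distinct-user bar than the five used here.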

A Call to Action for Cybersecurity Leaders

These incidents collectively highlight the multifaceted nature of cyber threats and the critical need for advanced security measures, employee training, and regulatory compliance. CISOs, cybersecurity experts, and risk managers must remain vigilant, adopting a proactive approach to cybersecurity that anticipates and mitigates potential threats. Collaboration, innovation in security technologies, and adherence to best practices are essential in safeguarding against the evolving cyber threat landscape, ensuring the integrity and resilience of organizational operations in an increasingly digital world.

2024 Trends Unveiled: Cybersecurity as a Key Business Enabler

As 2024 unfolds, we are witnessing a revolutionary transformation in the cybersecurity landscape. No longer a mere aspect of IT, cybersecurity is now a pivotal driver in reshaping business operations on a global scale. This blog post delves into the forefront of cybersecurity compliance, highlighting pivotal regulations such as the ASEAN Guidelines on Consumer Impact Assessment (CIA), CMMC, PCI DSS 4.0, DORA, and SEC incident disclosure regulations. These emerging trends are rapidly becoming the gold standard in global business cybersecurity practices.


CMMC: Evolving from Defense to a Universal Cybersecurity Benchmark

  • The Cybersecurity Maturity Model Certification (CMMC) is evolving from its U.S. defense sector roots to a worldwide cybersecurity standard. Now applicable across various industries, CMMC’s layered cybersecurity approach is garnering universal acceptance. Its comprehensive framework, focused on continuous improvement, is especially vital for entities managing sensitive or critical data, signifying a move towards standardized cybersecurity excellence.

PCI DSS 4.0: Revolutionizing Payment Security Standards

  • PCI DSS 4.0 is revolutionizing payment security standards globally in 2024. This updated version introduces an adaptive, risk-based approach, essential for any business involved in digital transactions. Its flexibility and focus on tailored security measures are vital for e-commerce, financial institutions, and others in the payment ecosystem, making PCI DSS 4.0 compliance synonymous with secure and trustworthy payment processing.

DORA: Spearheading Digital Resilience in the Financial Sector

  • The Digital Operational Resilience Act (DORA) is a groundbreaking EU regulation shaping the financial sector’s approach to digital risks in 2024. Its influence extends globally, affecting financial entities interacting with the EU market. DORA emphasizes operational resilience, highlighting the need for robust digital risk management in today’s interconnected digital finance landscape.

SEC Incident Disclosure: Championing Transparency in Corporate Cybersecurity

  • The SEC’s incident disclosure regulations are leading a worldwide movement towards transparency in corporate cybersecurity. These mandates, which require prompt and detailed disclosure of cybersecurity incidents, are becoming critical for publicly traded companies globally. This shift towards transparency and accountability in cybersecurity reflects an increasing demand from investors and consumers for trustworthiness and integrity in corporate practices.

ASEAN CIA: Redefining Cybersecurity with a Consumer-Centric Approach

  • The ASEAN Guidelines on Consumer Impact Assessment, originating from Southeast Asia, are now setting a global precedent. These guidelines shift the focus towards assessing cybersecurity’s impact on consumers, prioritizing their rights and data privacy. This consumer-centric approach, especially critical for businesses in or targeting the ASEAN market, is now a global best practice. It underscores the imperative of balancing robust security with consumer rights, a notion gaining traction across various industries.

Other Regulatory Developments Shaping the Cybersecurity Domain

Additional global regulations also point to significant cybersecurity trends:

  • GDPR: Continues to influence data privacy and protection globally, impacting businesses handling EU citizens’ data.

  • ISO/IEC 27001: Gaining traction as a comprehensive framework for managing information security, key for organizations striving for global best practices.

  • NIST Framework: Increasingly adopted worldwide, indicating a move towards unified approaches in cybersecurity risk management.

Cybersecurity Compliance: A Strategic Business Advantage

In 2024, adherence to these emerging cybersecurity regulations offers businesses a strategic advantage. It transcends legal compliance, fostering trust, enhancing brand reputation, and providing a competitive edge. The integration of AI in cybersecurity is another emerging practice, offering efficient and effective solutions for meeting these standards.

  • Increased Focus on Supply Chain Attacks: Modern supply chains are interconnected and complex, making them susceptible to cyberattacks. A breach in one part can have a cascading effect, impacting multiple businesses. This emphasizes the need for rigorous cybersecurity measures across the entire supply chain.

  • Collaborative Risk Management: The trend towards collaborative defense strategies is based on the principle that sharing threat intelligence and best practices can strengthen the security posture of all involved parties. By learning from each other’s experiences, industries can develop more effective defenses against common threats.

State-Sponsored Cyber Attacks: An Escalating Concern

  • Global Ramifications: State-sponsored cyberattacks are particularly concerning due to their scale and impact. These attacks target critical infrastructure, such as energy grids or financial systems, and can compromise national security. The global nature of these threats requires an international response and cooperation.

  • Advanced Countermeasures: To combat these sophisticated threats, organizations need to implement advanced threat detection systems that can identify and neutralize attacks quickly. A zero-trust security model, where trust is never assumed and verification is required from everyone, can be crucial in mitigating these risks. Continuous monitoring ensures that any suspicious activity is detected and addressed promptly.

AI in Cybersecurity: A Complex Role

  • Enhanced Detection and Response: AI can significantly improve threat detection by analyzing vast amounts of data to identify patterns that may indicate a cyberattack. However, this technology can also be used by attackers to create more sophisticated threats, such as deepfakes or AI-driven phishing attacks.

  • Proactive Mitigation Strategies: Organizations must not only invest in AI-based defense systems but also ensure that their workforce is trained to recognize and respond to AI-generated threats. This includes understanding the limitations of AI and being able to identify when a human response is required.

Ransomware Evolution: The Changing Landscape of Cyber Extortion

  • Sophisticated Tactics: Modern ransomware attacks are more than just data encryption; attackers are now threatening to leak sensitive data if the ransom isn’t paid, adding an extra layer of coercion. This dual-threat approach makes it even more challenging for victims to decide whether to pay the ransom or risk public exposure of their data.

  • Comprehensive Defense Strategies: To protect against these evolving ransomware threats, organizations must have robust backup systems that can restore data with minimal loss. Employee training is crucial to help staff recognize and avoid potential ransomware attacks. Additionally, a well-prepared incident response plan can ensure quick action to mitigate damage if an attack occurs.

The Metaverse and Cloud Security: New Frontiers, New Risks

  • Expanded Attack Vectors: As businesses venture into new digital domains like the metaverse and cloud platforms, they face new cybersecurity challenges. These platforms can provide attackers with novel ways to exploit security vulnerabilities.

  • Proactive Security Measures: Ensuring security in these new environments involves a comprehensive approach that includes strong encryption to protect data, robust identity management to verify users, and regular security audits to identify and address vulnerabilities.

The Human Element: Bolstering the Frontlines of Cyber Defense

  • Empowering Through Training and Awareness: Regular and comprehensive training programs are essential in equipping employees with the necessary skills to recognize and prevent security breaches. This training should cover the latest cybersecurity threats and best practices.

  • Cultivating a Security-First Mindset: Creating a culture of security within the organization is crucial. This involves fostering an environment where employees are aware of the importance of cybersecurity and are motivated to take proactive steps to protect the organization’s digital assets.

As 2024 progresses, it’s clear that these cybersecurity trends and regulations are not just shaping, but redefining business strategies. From the consumer-centric ASEAN CIA guidelines to CMMC’s comprehensive security model, and the transparency demanded by SEC disclosure regulations, these developments are crucial in enabling businesses to thrive in the digital era. By staying ahead of these trends, companies can harness cybersecurity not only as a compliance requirement but as a cornerstone for growth and success. Understanding evolving regulations, embracing innovative technologies, and reinforcing human-centric defenses remain key to ensuring business resilience and triumph in an increasingly digitized world.

Year-End Cyber Alert: December 2023’s Data Breaches


Welcome to 2024, a year promising advancements and challenges in the digital world. Each month, we embark on a detailed journey through the world of cybersecurity, scrutinizing key incidents that have affected prominent global corporations. Our monthly analyses not only provide unique perspectives on the complexities of digital security in an ever-changing tech landscape, but also shed light on the vulnerabilities within our digital infrastructures. By highlighting the essential need for robust cybersecurity measures, we aim to enhance your understanding of how even the strongest organizations can face significant challenges in this digital era. Join us as we navigate through these captivating episodes of digital drama and learn how even the mightiest can be vulnerable.

EasyPark:

EasyPark, a Swedish app developer, recently reported a data breach impacting an unspecified number of its users, detected on December 10, 2023. The breach potentially exposed users’ names, phone numbers, physical addresses, email addresses, and partial credit/debit card or IBAN details. This incident raises concerns about potential phishing attacks targeting affected users. The company’s widely used apps, including EasyPark, RingGo, and ParkMobile, span multiple countries. EasyPark is advising all users to change their account passwords and is contacting affected individuals directly.

National Amusements:

National Amusements, the parent company of media giants Paramount and CBS, has confirmed a data breach impacting 82,128 people. The breach, which occurred in December 2022, was only disclosed a year later following notifications to those affected. The compromised data includes personal and financial information, potentially involving employee details as the notification was filed by the company’s HR chief. The nature of the cyberattack and whether customer information was also compromised remains unclear, and the company has not commented further on the incident. Additionally, Paramount reported a separate security breach in August, affecting an unspecified number of customers, where personal details like names, birth dates, and government-issued identification numbers were stolen.

Mr. Cooper:

Nationstar Mortgage LLC, doing business as Mr. Cooper, notified 14,690,284 customers on December 15, 2023 of a data security incident that may have compromised their personal information. This incident, detected on October 31, 2023, involved unauthorized access to the company’s network systems between October 30 and November 1, 2023. The breach resulted in the acquisition of files containing personal details such as names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers. While there’s no evidence yet of identity theft or fraud resulting from this incident, Mr. Cooper is reaching out to potentially affected individuals to explain the situation and offer assistance in protecting their information.

Comcast Cable Communications LLC:

Xfinity has issued a notice about a data security incident that compromised personal information of 35,879,455 customers. The incident stemmed from a vulnerability in a software product by Citrix, used by Xfinity and numerous other companies. Although Citrix released a patch and additional guidance by October 23, 2023, unauthorized access to Xfinity’s internal systems occurred between October 16 and 19, 2023. The compromised data includes usernames, hashed passwords, and for some customers, names, contact details, the last four digits of social security numbers, dates of birth, and secret questions and answers. Xfinity has proactively asked customers to reset their passwords and encourages the use of two-factor or multi-factor authentication. Customers who use the same login information on other accounts are advised to change it there as well. Further protective measures are detailed in Xfinity’s additional information section.

Panasonic:

Panasonic Avionics Corporation, a key provider of in-flight communications and entertainment systems, announced a data breach following a cyberattack on its corporate network in December 2022. This breach, just recently discovered, was disclosed in a notification to California’s Attorney General, and involved unauthorized access to a subset of network devices and impacted personal and health information of an unspecified number of individuals and their employers. The compromised data includes names, contact information, dates of birth, medical and health insurance details, financial account numbers, employment status, and government identifiers like Social Security numbers. Panasonic has found no evidence of misuse of this data since the attack. Over 200 airlines use Panasonic’s services on approximately 70% of the global in-flight entertainment-equipped fleet.

Mint Mobile:

Mint Mobile recently disclosed a data breach that compromised its customers’ personal information, potentially facilitating SIM swap attacks. As a mobile virtual network operator offering prepaid mobile plans, Mint Mobile started informing customers of this security incident on December 22, 2023. The breach exposed customer names, telephone numbers, email addresses, SIM serial numbers, IMEI numbers (device identifiers), and details of service plans. However, credit card numbers and passwords, which are secured with strong cryptographic technology, were not compromised.

The carrier did not announce the breach on its social channels but notified affected customers through email. One of these emails was shared by a customer on Reddit. This breach poses a significant risk for SIM swapping attacks, where attackers can port a victim’s phone number to their device, potentially accessing online accounts and bypassing multi-factor authentication. This technique is often used to compromise cryptocurrency exchange accounts.

The company has not yet disclosed how the breach occurred, but a previous incident in July 2023 involved an attempted sale of data allegedly from Mint Mobile on a hacking forum, including partial credit card details. Mint Mobile experienced a similar breach in 2021.

Nissan Australia:

Nissan Oceania, covering Australia and New Zealand, announced it is currently managing a significant cyber incident involving unauthorized network access. The Akira ransomware gang has claimed responsibility for this attack, stating they stole approximately 100GB of data from Nissan Australia’s systems. This data reportedly includes sensitive corporate and client information, personal details of employees, and other confidential documents.

Despite ransom negotiations, Nissan has either refused to engage or declined to pay the demanded ransom, leading Akira to threaten the release of the stolen data. Akira, emerging in March 2023, is known for targeting various industries, including deploying a Linux variant of its ransomware in June 2023 specifically aimed at VMware ESXi virtual machines.

Nissan has been working with global incident response teams and cybersecurity experts to assess the impact and restore affected systems. While the company has confirmed the breach, it is still investigating whether personal information was accessed. Nissan has notified cybersecurity agencies, privacy regulators, and law enforcement in Australia and New Zealand. Customers have been advised to remain vigilant for any unusual or suspicious online activity. Nissan is yet to provide additional information or comment on the incident.

MongoDB:

MongoDB, a prominent database platform, has recently disclosed that its corporate systems were compromised in a cyberattack, leading to the exposure of customer data. The breach was detected on the evening of December 13, 2023. MongoDB’s Chief Information Security Officer, Lena Smart, informed customers via email that the incident involved unauthorized access to certain MongoDB corporate systems, exposing customer account metadata and contact information. However, there is no indication that customer data stored in MongoDB Atlas was accessed.

The company believes the threat actors had access to its systems for an extended period before detection, raising concerns about potential data theft. MongoDB is actively investigating the incident and has advised customers to enable multi-factor authentication, change passwords, and remain vigilant against targeted phishing and social engineering attacks.

MongoDB has stated they are still investigating the breach and will provide updates on the MongoDB Alerts web page, used for notifying about outages and other incidents. This situation is ongoing, and further details are expected as the investigation progresses.

Reflecting on December’s Data Breaches:

The series of data breaches discussed in this blog underscores a crucial aspect: the importance of cybersecurity vigilance and preparedness. Organizations, irrespective of their size or industry, are potential targets for cybercriminals. The varied nature of these breaches – from ransomware attacks to phishing expeditions – demonstrates the need for comprehensive security protocols and rapid response plans. As customers and stakeholders, staying informed and adopting preventive measures is imperative. This compilation of incidents serves as a reminder that in the digital world, security is not just a necessity but a continuous commitment to safeguarding data and preserving trust.


Findings.co and IBM Partner to Secure Global Critical Supply Chains


New York, NY, January 8, 2024 – In response to mounting concerns over state-sponsored attacks, supply chain vulnerabilities, and sustainability requirements, Findings.co today announced a partnership with IBM Federal. The collaboration offers robust supply chain security and compliance solutions tailored for government organizations in the United States and across the world.


Supply chain cyber attacks have increased significantly, with multiple targets, such as critical infrastructure, defense, and finance. The supply chain attack vector is a significant concern to organizations and governments and will continue to be exploited by criminals.


The escalating threat landscape necessitates enhanced regulatory compliance, demanding greater visibility, assured security, and more extensive, continuous monitoring than ever before.


Findings.co leads the supply chain compliance domain, providing a comprehensive solution that seamlessly manages complex N-tier and multi-jurisdictional networks. Our advanced platform automates assessments, audits, control verifications, and continuous monitoring, fostering trust, ensuring regulatory compliance, and enhancing risk visibility throughout the entire supply chain.


In recent years, we’ve witnessed a significant surge in supply chain regulatory demands. Key frameworks and regulations like the CMMC in the US, DORA in Europe, and CII in Singapore, among others, are emphasizing the need for enhanced vendor coverage, N-tier visibility, resilience, breach disclosure, and heightened accountability. All of this points to a substantial escalation in supply chain monitoring requirements, a challenge that is adeptly being solved by Findings.co.


Kobi Freedman, CEO of Findings.co, stated, “Our collaboration with IBM Federal is an exciting opportunity to counteract the multifaceted threats the federal sector and critical domains face. We are committed to safeguarding the nation’s critical assets and supply chains resilience by partnering to offer innovative and scalable solutions.”


Terry Halvorsen, General Manager for IBM’s Federal Market Organization and former CIO for the DoD, leads this collaboration, as local and global initiatives are already underway to secure supply chains in various sectors and countries.


This partnership underscores the importance of comprehensive security solutions, especially when some nation-states and other hostile actors increasingly resort to sophisticated cyber espionage and attacks.


Findings and IBM Federal are dedicated to changing how critical infrastructure, procurement, trust, regulatory compliance and risk mitigation are managed effectively.



For further information, please contact:

or@findings.co 

yogev@findings.co



About Findings:

Findings is dedicated to ensuring global supply chain compliance, creating an environment where businesses and government bodies can operate with trust. Findings’ advanced platform provides thorough cybersecurity and ESG assessments, continuous risk monitoring, and easy audit automation.

This helps every member of the supply chain achieve and maintain compliance effortlessly.


About IBM Federal:

IBM Federal assists US Federal agencies in navigating complex, hybrid cloud cybersecurity landscapes. With the surge in threats and expanding skill gaps, IBM Federal specializes in accelerating zero-trust plans, enhancing cybersecurity, and managing multifaceted environments. Tailored to individual needs and legacy systems, their solutions protect data across hybrid clouds, ensure the security of remote users, and proactively address modern threats, all while focusing on risk and compliance.


November Security Breach Round Up

November Security Breaches

Welcome to this month’s edition of our data breach round up, where we unravel the recent cyber threats that have sent shockwaves across industries. In a digital landscape fraught with challenges, our commitment at Findings is to equip you with the knowledge and tools necessary to navigate these turbulent waters.

This month’s featured breaches spotlight the vulnerabilities that transcend sectors, from the technology giant Samsung to the healthcare domain with McLaren Health Care, and even reaching into the retail space with Dollar Tree. Each incident reveals not only the compromise of personal and sensitive data but also the profound implications for privacy, security, and trust in our increasingly interconnected world.

  1. Samsung:

    Samsung has acknowledged a significant data breach affecting its U.K. customer base. The breach, which spanned a year, was first brought to light in a statement to TechCrunch by Chelsea Simpson, a spokesperson for Samsung via a third-party agency. According to Simpson, the breach led to unauthorized access to contact details of some Samsung U.K. e-store customers. The specifics of the breach, including the number of affected customers and the method used by hackers, remain undisclosed.

    In communications with affected customers, Samsung revealed that the breach stemmed from a vulnerability in an unspecified third-party business application. This vulnerability exposed the personal data of customers who made purchases on the Samsung U.K. store from July 2019 to June 2020. The company only discovered the breach on November 13, 2023, over three years after the fact, as detailed in a letter to customers that was shared on X (formerly Twitter).

    The compromised data includes names, phone numbers, postal and email addresses, but Samsung assures that no financial information or passwords were affected. The company has reported the breach to the U.K.’s Information Commissioner’s Office (ICO), where spokesperson Adele Burns confirmed that the regulator is conducting enquiries into the incident.

    This breach marks the third such incident disclosed by Samsung in the past two years. Previous breaches include a September 2022 attack on Samsung’s U.S. systems, with undisclosed customer impact, and a March 2022 breach where Lapsus$ hackers allegedly leaked around 200 gigabytes of Samsung’s confidential data, including source code and biometric unlock algorithms.

  2. KidSecurity:

    KidSecurity, a popular parental control app, inadvertently exposed user data due to a security oversight. The app, with over a million downloads, tracks children’s locations and activities. Researchers discovered that the app failed to secure its Elasticsearch and Logstash databases, leaving over 300 million records publicly accessible for over a month. This exposed data included 21,000 phone numbers, 31,000 email addresses, and partial credit card information.

    The unprotected data became a target for malicious actors, with indications of a compromise by the ‘Readme’ bot. Cybersecurity expert Bob Diachenko highlighted the severity of this breach, especially considering the app’s focus on children’s safety. The exposure of sensitive information such as contact details and payment information poses serious risks, including identity theft and fraud. KidSecurity had yet to comment on the breach at the time of the report.

  3. McLaren Health Care:

    McLaren Health Care recently informed its patients of a cybersecurity incident affecting its computer systems. The healthcare provider noticed suspicious activity around August 22, 2023, and immediately commenced an investigation with third-party forensic specialists. This inquiry revealed unauthorized access to McLaren’s network between July 28 and August 23, 2023, with potential data acquisition by the unauthorized party.

    A thorough review, completed by October 10, 2023, indicated that sensitive information might have been compromised. The data at risk includes names, Social Security numbers, health insurance details, medical information like diagnoses, physician details, medical records, and Medicare/Medicaid data.

    In response, McLaren has taken steps to secure its network and is reviewing and reinforcing its data protection policies and procedures. They are also offering affected individuals identity theft protection services through IDX, including credit monitoring and a $1,000,000 insurance policy, valid until February 9, 2024.

    McLaren urges individuals to stay vigilant, monitor their financial statements, and report any suspicious activity. For further assistance, IDX is available for inquiries, with representatives knowledgeable about the incident. McLaren emphasizes that, as of now, there is no evidence of misuse of the compromised information.

  4. Staples:

    Staples, a prominent American office supply retailer, recently confirmed a cyberattack that led to significant service disruptions and delivery issues. The company, operating 994 stores across the US and Canada and 40 fulfillment centers, took immediate action to contain the breach and safeguard customer data. The incident came to light following multiple Reddit posts from earlier in the week, reporting issues with Staples’ internal operations. Employees noted problems accessing various systems, including Zendesk, VPN employee portals, and email services. Comments on Reddit from Staples employees expressed surprise and concern, with one stating, “I’ve never seen anything like this in my 20 years with Staples.”

    Unconfirmed reports also suggested that employees were advised against using Microsoft 365’s single sign-on and that call center staff were sent home. Staples confirmed to BleepingComputer that they had to take protective measures against a “cybersecurity risk,” which disrupted their backend processing, product delivery, and customer service communications. Although Staples stores remain open, the company’s online operations, including staples.com, continue to face challenges. A company spokesperson stated that systems are gradually coming back online, but some delays in processing orders are expected. Staples has assured a swift return to normal operations and has posted a similar notice on their website.

    BleepingComputer reported that no ransomware or file encryption was involved in the attack. Staples’ rapid response, including shutting down networks and VPNs, may have prevented the attack from reaching its full potential. The extent of any data theft and the potential consequences, such as ransom demands, remain to be seen. This cyberattack is not Staples’ first brush with cybersecurity issues. In March 2023, Essendant, a Staples-owned distributor, faced a multi-day outage impacting online orders. Furthermore, in September 2020, a data breach at Staples exposed customer and order information due to an unpatched VPN vulnerability.

  5. Dollar Tree:

    Dollar Tree, a notable discount retail chain with stores across the United States and Canada, has been affected by a data breach involving a third-party service provider, Zeroed-In Technologies. This breach has impacted nearly 2 million individuals, specifically targeting Dollar Tree and Family Dollar employees.

    The breach, occurring between August 7 and 8, 2023, was disclosed in a notification to the Maine Attorney General. While the intrusion into Zeroed-In’s systems was confirmed, the exact details of accessed or stolen files remained unclear. Consequently, Zeroed-In conducted a thorough review to identify the compromised information, which included names, dates of birth, and Social Security numbers (SSNs).

    Affected individuals have been notified and offered a twelve-month identity protection and credit monitoring service. In response to inquiries from BleepingComputer, a Family Dollar spokesperson stated, “Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.”

    The breach’s impact may extend beyond Dollar Tree and Family Dollar, potentially affecting other Zeroed-In customers, although this has not been confirmed. Zeroed-In has not responded to inquiries about the incident.

    The breach’s magnitude has prompted law firms to investigate the possibility of a class-action lawsuit against Zeroed-In.

  6. General Electric:

    General Electric (GE), a prominent American multinational involved in various industries, is investigating a possible cyberattack and data theft. A hacker known as IntelBroker allegedly breached GE’s development environment, initially attempting to sell access on a hacking forum for $500. After failing to attract buyers, the threat actor claimed to offer both network access and stolen data, including sensitive military and DARPA-related information.

    IntelBroker, recognized for previous high-profile cyberattacks, provided screenshots as evidence of the breach, showing data from GE Aviation’s database on military projects. GE confirmed to BleepingComputer their awareness of these allegations and their ongoing investigation.

    IntelBroker’s past exploits include a breach of the Weee! grocery service and a significant data theft from D.C. Health Link, a healthcare marketplace used by White House and House staff. The D.C. Health Link breach, which led to a congressional hearing, revealed that a misconfigured server had exposed sensitive data online.

  7. HSE:

    Holding Slovenske Elektrarne (HSE), Slovenia’s largest electricity provider, was recently hit by a ransomware attack. Despite this, the company’s power generation remained unaffected. HSE, which accounts for about 60% of Slovenia’s domestic power production, managed to contain the attack within a few days.

    The company’s IT systems and files were encrypted, but operational functions continued normally. HSE informed national cybersecurity authorities and the police, and engaged external experts for mitigation. While no ransom demand has been received yet, the company remains cautious during the cleanup process.

    Unofficial sources attribute the attack to the Rhysida ransomware gang, known for high-profile attacks without immediate ransom demands. The breach might have occurred through stolen passwords from unprotected cloud storage, although this has not been confirmed. Rhysida has been active since May 2023 and is notorious for targeting various organizations internationally. HSE is yet to issue a formal response to these allegations.

The array of cyberattacks faced by the companies above demonstrates the complexity and severity of the cybersecurity landscape. These incidents serve as stark reminders of the persistent threats in the digital domain, urging organizations to fortify their defenses and adopt more robust data protection measures. As the aftermath of these breaches unfolds, it is imperative for companies not only to address the immediate security gaps but also to engage in proactive measures to safeguard against future threats. Furthermore, these events underscore the need for ongoing vigilance, transparency, and collaboration among businesses, regulatory bodies, and cybersecurity experts to enhance the resilience of our digital ecosystem against such pervasive and evolving threats.

Cybersecurity Under Fire: Top October 2023 Breaches


The digital world is full of cyber threats that can affect any industry, and recent incidents have shown that even the most secure systems can be vulnerable. For example, Okta recently admitted to a security breach. Below you will also read about a sophisticated Magecart web-skimming campaign that stole credit card details by hiding skimmer code inside compromised web pages, including their 404 error pages. The impact of these breaches can be seen in various industries. For instance, five Canadian hospitals experienced disruptions in their services, and genetic testing company 23andMe had their data compromised. Even businesses in the hospitality and retail sectors are not safe, as shown by the data breach at Marina Bay Sands and Casio’s apology to its users. October’s breaches emphasize the importance of taking swift action and being transparent. As companies navigate through these challenges, it is crucial to strengthen cybersecurity measures and ensure the integrity of customer data.

  1. Okta

Okta has expressed regret to its customers for a recent security breach, emphasizing its dedication to maintaining transparent communication with them. On October 19, Okta notified its customers about a security breach that occurred between September 28 and October 17, wherein unauthorized access was gained to the support system affecting files related to 134 customers, which is under 1% of Okta’s customer base. HAR files containing session tokens were accessed, which led to session hijacking for 5 customers, with 3 customers openly discussing their experiences. The breach was enabled through the misuse of a service account within the customer support system. This service account had been inadvertently synced with an employee’s personal Google account, potentially through the compromise of the employee’s personal Google account or device.

Okta faced challenges in detecting the breach due to the difference in log events when files were accessed directly rather than through case files, which was the method used by the threat actor. Upon receiving a suspicious IP address from BeyondTrust on October 13, Okta could trace and shut down the unauthorized access, revoke the stolen session tokens, and notify affected customers.
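The Okta incident turned on HAR files that still carried live session tokens when they were uploaded to support. The following is an added example, not Okta's tooling and not code from the original post, that redacts session-bearing material (cookies, authorization headers, token query parameters, and JWT-shaped strings in bodies) from a HAR 1.2 capture before it leaves the user's machine; the sample capture and all its values are constructed.

```javascript
// Added example: sanitize a HAR 1.2 capture before sharing it with a support
// channel. Field names (log.entries[].request/response, headers, cookies,
// queryString, postData, content) follow the HAR 1.2 layout.

const SENSITIVE_HEADERS = new Set([
  'cookie', 'set-cookie', 'authorization', 'proxy-authorization', 'x-csrf-token',
]);
// Query-string parameters that commonly carry bearer material (assumed list).
const SENSITIVE_PARAMS = /^(token|session|sessiontoken|code|access_token|id_token|refresh_token|sid)$/i;
// Compact JWS/JWT shape: three base64url segments; a JSON header encodes to "eyJ".
const JWT_RE = /eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}/g;
const REDACTED = '[REDACTED]';

function redactHeaders(headers = []) {
  return headers.map((h) =>
    SENSITIVE_HEADERS.has(String(h.name).toLowerCase()) ? { ...h, value: REDACTED } : h);
}

// Every cookie value is treated as a session secret; names are kept for debugging.
function redactCookies(cookies = []) {
  return cookies.map((c) => ({ ...c, value: REDACTED }));
}

function redactQuery(query = []) {
  return query.map((q) => (SENSITIVE_PARAMS.test(q.name) ? { ...q, value: REDACTED } : q));
}

// HAR stores the full URL separately from queryString, so rewrite it as well.
function redactUrl(url) {
  try {
    const u = new URL(url);
    for (const name of [...u.searchParams.keys()]) {
      if (SENSITIVE_PARAMS.test(name)) u.searchParams.set(name, REDACTED);
    }
    return u.toString();
  } catch (e) {
    return url; // relative or malformed URL: leave as-is
  }
}

function redactBody(text) {
  return typeof text === 'string' ? text.replace(JWT_RE, REDACTED) : text;
}

// Returns a sanitized deep copy; the input object is left untouched.
function sanitizeHar(har) {
  const out = JSON.parse(JSON.stringify(har));
  for (const entry of out.log.entries) {
    const req = entry.request;
    const res = entry.response;
    req.url = redactUrl(req.url);
    req.headers = redactHeaders(req.headers);
    req.cookies = redactCookies(req.cookies);
    req.queryString = redactQuery(req.queryString);
    if (req.postData) req.postData.text = redactBody(req.postData.text);
    res.headers = redactHeaders(res.headers);
    res.cookies = redactCookies(res.cookies);
    if (res.content) res.content.text = redactBody(res.content.text);
  }
  return out;
}

// Pre-upload check: how many sensitive values are still present in the capture.
function countLeaks(har) {
  let leaks = (JSON.stringify(har).match(JWT_RE) || []).length;
  for (const entry of har.log.entries) {
    for (const h of [...(entry.request.headers || []), ...(entry.response.headers || [])]) {
      if (SENSITIVE_HEADERS.has(String(h.name).toLowerCase()) && h.value !== REDACTED) leaks++;
    }
    for (const c of [...(entry.request.cookies || []), ...(entry.response.cookies || [])]) {
      if (c.value !== REDACTED) leaks++;
    }
  }
  return leaks;
}

// Constructed sample capture; every value below is fake.
const SAMPLE_HAR = {
  log: { version: '1.2', entries: [{
    request: {
      method: 'GET',
      url: 'https://example.invalid/api/me?sessionToken=20111cdef&view=full',
      headers: [{ name: 'Cookie', value: 'sid=abc123' }, { name: 'Accept', value: '*/*' }],
      cookies: [{ name: 'sid', value: 'abc123' }],
      queryString: [{ name: 'sessionToken', value: '20111cdef' }, { name: 'view', value: 'full' }],
    },
    response: {
      status: 200,
      headers: [{ name: 'Set-Cookie', value: 'sid=def456; HttpOnly' }],
      cookies: [{ name: 'sid', value: 'def456' }],
      content: {
        mimeType: 'application/json',
        text: '{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abcdefghijklmnop","ok":true}',
      },
    },
  }] },
};
```

Run `countLeaks` on a capture before and after `sanitizeHar`; a non-zero count after sanitizing means a field layout this example does not know about still carries a secret.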

  2. 23andMe

23andMe, a genetic testing company, has reported unauthorized access to customer data. The incident did not result from a system breach, but from attackers who managed to guess user login details and subsequently scrape information from the “DNA Relatives” feature. This feature allows users to voluntarily share their genetic information to connect with relatives. A sample of the compromised data, affecting at least one million data points related to Ashkenazi Jewish ancestry and hundreds of thousands concerning individuals of Chinese descent, was put up for sale online. The available data includes personal identifiers and ancestry details, though not the raw genetic data.

The company has advised users to secure their accounts with strong, unique passwords and to enable two-factor authentication. They are still in the process of validating the leaked data, which includes profiles of public figures like Mark Zuckerberg, Elon Musk, and Sergey Brin. However, the legitimacy of this particular data remains unconfirmed, as there are inconsistencies, such as Musk and Brin having identical profile information in the leaked dataset.

The situation underscores the dangers of data breaches, especially with sensitive genetic information, and highlights the continuing issue of “credential stuffing”—where hackers use leaked login details from one breach to access accounts on other platforms. The motive behind targeting data related to Ashkenazi Jews and the extent of additional compromised data are yet to be fully understood. This breach raises significant concerns about the privacy and security risks associated with DNA databases and similar platforms that facilitate the sharing of personal data.

  3. Marina Bay Sands

Marina Bay Sands has reported a data breach affecting approximately 665,000 members of its non-casino rewards program. The breach, which occurred on October 19-20, 2023, involved unauthorized access to customer data, including names, email addresses, phone numbers, countries of residence, and membership details. There is no indication that the casino rewards program was compromised or that the data has been misused. The company has apologized, initiated an investigation with cybersecurity experts, and is contacting affected customers. Authorities have been notified, and measures are being taken to enhance data security.

  4. Casio

Casio Computer Co., Ltd. has recently extended an apology to its users following a security breach that compromised personal data on its educational web application, ClassPad.net on October 11. The breach came to light when a database malfunction was noticed within the development environment for ClassPad.net. Further investigation revealed that this issue was not isolated but part of a larger intrusion that occurred the following evening, leading to the compromise of data belonging to users from various countries.

It was determined that the breach occurred due to deactivated network security protocols within the development system, compounded by a lack of rigorous operational oversight. To address the breach, Casio has temporarily disabled the affected development databases to block any further unauthorized access and has been proactive in contacting the appropriate Japanese data protection authorities. The company is currently consulting with cybersecurity and legal experts to conduct an in-depth investigation and take appropriate measures, as well as cooperating with the police in their investigation.

The types of personal information accessed included customer names, email addresses, countries of residence, purchasing history, and usage details for the service. Casio has confirmed that credit card information was not retained in the database and therefore not at risk. The incident impacted data related to 91,921 Japanese customers, including individuals and educational institutions, along with 35,049 international customers spanning 148 countries.

Casio reiterates its deep regret for the breach and the resulting impact on its customers, pledging a steadfast effort to bolster its security systems to prevent such occurrences in the future.

  5. D-Link

D-Link Corporation faced an alleged data breach after an unauthorized third party claimed on an online forum that they had stolen data. D-Link responded quickly, initiating an investigation and implementing precautionary measures. Their findings, supported by external experts from Trend Micro, indicated that the claim was largely exaggerated and misleading. The data in question was traced back to an obsolete D-View 6 system, decommissioned since 2015, and used for product registration. It did not include user IDs or financial details but contained some low-sensitivity information like contact names and office email addresses.

The breach is thought to have originated from a phishing attack that an employee inadvertently fell victim to, which led to the exposure of the outdated data. D-Link has reviewed its security measures and shut down the servers suspected to be involved, as well as disconnecting the test lab from its network. The company states that its security systems met the standards of the time and that it is committed to enhancing its security to prevent future incidents.

In summary, D-Link’s prompt response to the alleged data breach led to findings that contradicted the severity of the online claim. Measures have been taken to safeguard against similar occurrences, and customers have been advised on how to protect their information.

  6. Online stores’ 404 pages abused by web skimmers

The Akamai Security Intelligence Group has uncovered a novel Magecart web skimming campaign that’s infiltrating a broad range of websites, including those belonging to major players in the food and retail sectors. This particular campaign is notable for its innovative use of three advanced techniques to hide its malicious code, one of which involves exploiting the default 404 error pages of websites—a method previously unseen.

The campaign’s method of operation begins with the injection of a small piece of obfuscated JavaScript, known as a loader, into the website. This loader is responsible for setting up the full malicious attack by initiating a WebSocket channel for communication with the attackers’ command and control server. The attackers then deploy the main skimming code that targets sensitive pages, such as checkout pages, to steal personal and credit card information from unsuspecting users.

Three variations of the campaign have been identified, each showcasing the evolution of the attackers’ methods to evade detection. The first variation uses an image tag with a malformed source attribute to execute JavaScript, while the second mimics legitimate services like Facebook’s Meta Pixel to blend in. The third and most sophisticated variation involves inserting the skimmer within the HTML of the website’s 404 error page, making it extremely difficult to detect and remove. This third variation also employs a different tactic for data exfiltration, using a fake form that overlays the legitimate payment form. This technique captures the user’s data twice—once through the fake form and then again when the user is prompted to re-enter the information on the real form.

The Akamai team tested their Client-Side Protection & Compliance solution against this skimmer and found that it detected the threat and raised a high-severity alert. The case is a reminder that web skimming techniques keep growing more sophisticated, and that organizations should actively monitor their websites and consider client-side protection solutions that can detect and mitigate such attacks in real time.

  7. Air Europa

Air Europa, a Spanish airline headquartered in Madrid, is currently in the process of being acquired by International Consolidated Airlines Group, which owns British Airways. The airline has experienced a cyberattack targeting its online payment system, which resulted in some customers’ credit card details being compromised, as reported by the company. The airline has responded by contacting those customers whose information was potentially exposed and has informed the appropriate financial entities about the breach. The exact number of customers impacted and the financial repercussions of the incident have not been disclosed by Air Europa, and they stated that no other personal information was at risk. 

In a previous incident in 2018, which affected 489,000 customers, Air Europa faced penalties for not reporting the breach within the mandated 72-hour period, taking 41 days instead. This past breach was highlighted by the OCU, emphasizing the airline’s obligation to timely report such incidents.


  8. TransForm

A cyberattack on TransForm, a shared service provider, has disrupted operations across five hospitals in the Erie St. Clair region of Ontario, Canada. This attack led to system outages, affecting patient care and resulting in the rescheduling of appointments. TransForm, established by these hospitals to handle IT, supply chain, and accounts payable, acknowledged the cyberattack in a statement and indicated an ongoing investigation to ascertain the attack’s cause and reach. It is currently unclear whether patient information has been compromised.

The affected hospitals include:

  • Windsor Regional Hospital: A major healthcare facility with 642 beds.

  • Hotel Dieu Grace: Specializes in complex care, mental health, and rehabilitation with 313 beds.

  • Erie Shores Healthcare: A significant provider with 72 beds.

  • Hospice of Windsor-Essex: Offers end-of-life care with 23 beds.

  • Chatham-Kent Health Alliance: A community hospital with a 200-bed capacity.

Patients with upcoming appointments at these hospitals are being contacted for rescheduling. Meanwhile, the hospitals have advised individuals not requiring emergency care to seek alternatives such as primary care providers or local clinics to lessen the burden on hospital resources during this period.

As the specifics of the cyberattack are still under review, past patients of these institutions are encouraged to be vigilant, particularly regarding unsolicited communications that may be suspicious.

It’s clear that no entity, regardless of size or industry, is immune to the threat of digital incursions. The essential lesson here is not found in the recounting of breaches but in understanding the dynamic and persistent nature of cyber risks. To navigate this complex landscape, companies must adopt a posture of continuous monitoring and regular security assessments to stay ahead of threats. Utilizing automated tools for real-time analysis and proactive threat intelligence is no longer optional but a critical component of modern cybersecurity strategies. These practices, combined with a culture of security awareness and training, can form a robust defense against a tide of evolving digital dangers. As businesses forge ahead, the integration of advanced cybersecurity measures will be the beacon that guides them through the murky waters of potential cyberattacks, ensuring resilience and trust in the digital era.



The SEC’s New Cyber Rules


What Every Public Company CISO Must Know:

The role of a Chief Information Security Officer (CISO) in public companies has never been more pivotal. With cyber threats escalating in scale and sophistication, the Securities and Exchange Commission (SEC) has rolled out new cyber regulations aimed at safeguarding investors, stakeholders, and the broader market. Given that the amendments took effect on September 5, 2023, it’s crucial for your organization to be informed. While the final rules are quite lengthy, I’ll offer a condensed and digestible version in this blog post to help you understand the key points – so make sure to read on!

The Backdrop:

Back in March 2022, the Commission took the bold step of introducing a suite of regulations. The intent was clear: fortify public company disclosures concerning cybersecurity. This encompassed key areas such as cyber threats, strategic countermeasures, governance structures, and insights into major cyber incidents.

At the time, there were several major trends that led the Commission to take this action. The digital evolution and massive work-from-home shifts, intertwined with the allure of cybercrime monetization and an overarching reliance on third-party tech services like cloud platforms, have stretched cyber risk boundaries. The financial fallout from cyber incidents has also skyrocketed. Given all of this, the Commission’s move to ensure transparency isn’t just timely—it’s imperative.

Though the Commission offered guidance in 2011 and 2018, the standards remained inconsistent. The 2022 regulations were introduced to bring consistency and offer investors clearer insights.

Key Mandates To Be Aware Of:

Skip ahead to 2023, and the SEC’s proposed rules have officially transformed into finalized rules. Here are the essential highlights you should be aware of…

  1. Form 8-K Item 1.05: A pivotal element in the new regulations. Public companies now have the duty to report significant cyber incidents. Reports must “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”

  2. Disclosure Timeline: After a cyber event, companies need to swiftly gauge its significance. If found material, a Form 8-K needs to be filed within four business days. However, exceptions do exist. Should the U.S. Attorney General determine that a quick disclosure poses a threat to national security or public safety, the disclosure may be delayed.

  3. Regulation S-K Item 106: This regulation delves deep. It mandates firms to shed light on their cyber threat assessment, detection, and management strategies. Past incidents that have or might have considerable ramifications also need to be outlined. Plus, it casts the spotlight on how involved the board is in overseeing cyber risks and the prowess of the management in mitigating them.

  4. International Disclosures: The SEC is highlighting that global transparency is crucial. Modifications to Form 6-K and Form 20-F ensure that foreign private entities aren’t left out. Significant cyber events disclosed overseas or required by foreign issuers need to be detailed.

What Lies Ahead:

The new regulations will be operational a month after their Federal Register appearance. For companies, the compliance timelines are split based on the form:

  • Regulation S-K Item 106 & Form 20-F: Disclosure starts with annual statements for fiscal years ending on or after December 15, 2023.

  • Form 8-K Item 1.05 & Form 6-K: Compliance starts 90 days post Federal Register publication or by December 18, 2023, except for smaller firms. They have until June 15, 2024.

  • Finally, when it comes to structured data mandates, the spotlight is on Inline XBRL. The final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language. Entities must tag their disclosures using this format, a year after the kick-off of initial disclosure duties. To simplify what this filing format is for those who may not be aware, it’s a special language for computers that makes it possible to create a single document that’s human and machine readable. So, instead of making two different documents (one for people to read and one for computers to understand), you just make one using Inline XBRL.

Every day we are reminded how crucial cyber resilience is. For CISOs in public companies, aligning with the SEC’s updated cyber regulations is not just about compliance—it’s a commitment to transparency, investor protection, and long-term business sustainability.



August Data Breach And Security Round Up


August may be known for summer vacations and relaxing by the beach, but in the world of hackers, it was a month of action-packed cyber escapades. As the digital realm grows, so does the audacity of those who breach the walls of data security. In this blog post, I will take you through the breaches that unfolded in the hot days of August. From electric cars to language learning apps, we’ve got it all covered. Let’s dive in.

Tesla:

Tesla recently reported a data breach affecting over 75,000 of its employees and attributed it to insider misconduct, according to an official statement. The electric vehicle manufacturer, headed by Elon Musk, stated in a data breach report submitted to Maine’s Attorney General that a thorough investigation determined two former employees had disclosed personal information belonging to more than 75,000 individuals to a foreign media organization.

Tesla’s data privacy officer, Steven Elentukh, stated in the report that “the investigation uncovered that two former Tesla employees wrongfully obtained and shared this information, contravening Tesla’s IT security and data protection protocols by providing it to the media outlet.”

The sensitive data included personally identifiable details such as names, addresses, contact numbers, employment records, and Social Security numbers of 75,735 past and current Tesla employees. The report also revealed that the two ex-employees had transmitted this data to the German newspaper Handelsblatt, which assured Tesla it would refrain from publishing the information and adhere to legal restrictions concerning its use.

In May, Handelsblatt had previously reported a significant breach at Tesla, disclosing various internal documents, known as the “Tesla Files,” totaling 100 gigabytes of confidential information. These documents included employee personal data, customer banking information, proprietary production details, and customer grievances regarding Tesla’s Full Self-Driving (FSD) functionalities. Remarkably, the leak even contained Elon Musk’s Social Security number.

Tesla responded by initiating legal action against the individuals believed to be responsible for the data breach, leading to the confiscation of their electronic devices. Additionally, the company obtained court orders to prevent these former employees from further accessing, sharing, or using the data, with potential criminal consequences for violations.

This incident follows a previous report in April by Reuters, which revealed that Tesla employees had shared sensitive images recorded by customer vehicles, including invasive pictures and videos captured by car cameras, over the period from 2019 to 2022.

Duolingo:

In January 2023, a data breach of Duolingo resulted in the exposure of 2.6 million users’ data on a hacking forum. This has created an opportunity for malicious actors to execute targeted phishing campaigns using the compromised information. The dataset consists of public login and real names, along with confidential details, such as email addresses and internal data related to the Duolingo platform, which can be exploited in cyberattacks.

The data was acquired by exploiting a publicly available application programming interface (API), which had been openly shared since at least March 2023. Researchers had been posting on social media and public platforms about the ease of using this API, which ultimately led to the data breach. The API permits anyone to input a username and receive JSON output containing the user’s publicly accessible profile data. Importantly, it also facilitates the input of an email address into the API to confirm its association with a valid Duolingo account.

The presence of email addresses in the dataset raises significant concerns as it can be exploited in phishing campaigns, which can have detrimental effects on individuals and organizations. It is vital to note that while the inclusion of real names and login names is part of a user’s Duolingo profile, the presence of email addresses is not considered public information.

Companies often downplay the significance of scraped data, as much of it is already publicly accessible, even if its compilation is not straightforward. However, when public data is combined with private information, such as phone numbers and email addresses, it amplifies the risk associated with the exposed data and may potentially breach data protection regulations. Facebook encountered a significant breach in 2021 when an “Add Friend” API flaw was exploited to link phone numbers to Facebook accounts for 533 million users. Subsequently, the Irish Data Protection Commission (DPC) imposed a fine on Facebook for this mishandling of scraped data.

I will say, it is also pretty concerning that the API, which led to the Duolingo data breach, is still openly accessible on the internet, even after reports of its misuse were forwarded to Duolingo in January. This puts Duolingo users at risk and highlights the need for companies to take data protection seriously. While companies may downplay the significance of scraped data, the potential for harm is significant, and it is crucial to address these issues proactively to ensure that personal information remains secure.
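The two API weaknesses described above, a public profile endpoint that returns more than the public profile and an e-mail check that answers differently for registered and unknown addresses, are easier to see side by side. The following is an added example and not Duolingo's code; the user records, field names and rate-limit thresholds are constructed for illustration. The hardened functions return only the fields a user already publishes, give an identical answer for any e-mail, and put lookups behind a per-client limiter whose refusal counter doubles as a detection signal for bulk enumeration.

```python
"""Added example (not Duolingo's code): a leaky profile API next to a hardened one.

The user records are constructed. Two defects from the Duolingo write-up are
modelled: the public endpoint echoing the e-mail address, and an e-mail check
that reveals whether an account exists. The hardened version returns only
public fields, gives an identical answer for known and unknown e-mails, and
rate-limits lookups per client so bulk enumeration shows up in the counters.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    real_name: str
    email: str
    streak: int


# Constructed sample accounts.
USERS = {
    "alice": User("alice", "Alice Example", "alice@example.com", 42),
    "bob": User("bob", "Bob Example", "bob@example.com", 7),
}

# Fields the user already shows on their public profile page.
PUBLIC_FIELDS = ("username", "real_name", "streak")


def leaky_profile(username: str) -> dict | None:
    """Weak pattern: serialises the whole record, e-mail included."""
    user = USERS.get(username)
    return None if user is None else vars(user).copy()


def leaky_email_check(email: str) -> dict:
    """Weak pattern: the response differs for registered and unknown e-mails."""
    return {"exists": any(u.email == email for u in USERS.values())}


def hardened_profile(username: str) -> dict | None:
    """Return only the public fields; private attributes never leave the server."""
    user = USERS.get(username)
    if user is None:
        return None
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}


def hardened_email_check(email: str) -> dict:
    """Same response whether or not the e-mail is registered.

    Existence is communicated out of band (mail sent to the address itself),
    so the endpoint cannot serve as an account-existence oracle.
    """
    return {"status": "If this address is registered, instructions have been sent to it."}


@dataclass
class RateLimiter:
    """Fixed-window limiter keyed by client; refused requests are counted per client."""
    limit: int
    window_seconds: float
    _hits: dict[str, list[float]] = field(default_factory=dict)
    refused: dict[str, int] = field(default_factory=dict)

    def allow(self, client: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        window = [t for t in self._hits.get(client, []) if now - t < self.window_seconds]
        if len(window) >= self.limit:
            self._hits[client] = window
            self.refused[client] = self.refused.get(client, 0) + 1
            return False
        window.append(now)
        self._hits[client] = window
        return True


def guarded_profile(limiter: RateLimiter, client: str, username: str,
                    now: float | None = None) -> dict | None:
    """Profile lookup behind the limiter; an error dict when the client is throttled."""
    if not limiter.allow(client, now):
        return {"error": "rate limited"}
    return hardened_profile(username)
```

A client whose `refused` count climbs steadily across many usernames is the pattern a scraping run leaves behind; that counter is what you would feed to alerting.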

Discord.io:

On August 14, 2023, Discord.io, an unofficial platform known for providing redirect and invitation links to Discord servers, suffered a significant data breach. The hacker “Akhirah” exposed the breach, which has compromised the personal information of more than 760,000 users.

The stolen data from the breach includes usernames, Discord IDs, email addresses, and passwords that have been salted and hashed. While salting and hashing offer a degree of protection, the stolen hashes can still be cracked offline by guessing passwords, underscoring the immediate need for users to bolster their security. Discord.io urges users to change their passwords to mitigate the impact of the breach.
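What "salted and hashed" buys a defender, and what it does not, is easiest to see in code. The block below is an added example and not Discord.io's implementation: it stores each password with a random per-user salt under a slow key-derivation function (PBKDF2-HMAC-SHA256, a standard-library choice here), verifies in constant time, and flags records whose work factor has fallen below policy so they can be upgraded at the next login. The iteration count is an illustrative value, not a recommendation taken from the page.

```python
"""Added example: salted password hashing with a slow KDF and constant-time
verification. Not Discord.io's code; it illustrates why "salted and hashed"
still leaves a stolen database exposed to offline guessing, and how the
work factor slows that guessing down.
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # illustrative work factor; raise as hardware gets faster


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)   # unique per password, stored beside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy.

    Run this at login so legacy hashes are upgraded the next time the user
    authenticates, rather than waiting for a breach to expose them.
    """
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < minimum_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
```

The salt defeats precomputed tables and forces an attacker to work on each record separately; the iteration count is what makes each guess expensive. Neither stops a weak password from being guessed, which is why the advice to reset passwords after a breach still stands.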

Discord.io has taken the unprecedented step of indefinitely suspending its operations in response to the breach. Visitors to the Discord.io website now encounter a message detailing the seriousness of the breach. The company is being transparent about the compromised data fields, aiming to provide affected users with clarity regarding the information exposed and what remains secure in the wake of this incident.

“We have canceled existing premium subscriptions, and we will be reaching out to affected users individually. As of now, we have not been contacted by those responsible for the breach, nor have we initiated contact with them. To our knowledge, the database has not been made public at this time.” – Discord.io

In an interview, the hacker Akhirah said he wanted Discord.io to eliminate malicious content from its platform and to communicate with him to resolve these issues; he was not seeking retribution or a reward.

This data breach follows a similar trend in the cybersecurity landscape. Just recently, the LetMeSpy Android Spyware Service also announced its permanent shutdown following a successful breach by a hacker who gained access to user data.

SEIKO: 

SEIKO NPC Corporation, a long-established Japanese semiconductor manufacturer founded in 1975 with approximately 12,000 employees, has officially recognized the possibility of a data breach.

On August 10th, the company posted a data breach notification on its website. However, cybersecurity experts only recently became aware of the breach after the ransomware group BlackCat featured SEIKO on its data leak platform.

SEIKO did not provide specific details but referred to the cybersecurity incident as a “potential” data breach.

According to SEIKO, “On July 28th of this year, the company experienced a potential data breach. It appears that unauthorized individuals or parties gained access to at least one of our servers.”

ALPHV/BlackCat Ransomware, now taking credit for the breach, shared several files on their data leak platform as evidence. Among these files was what appeared to be a copy of Yoshikatsu Kawada’s passport, a director at SEIKO’s well-known Watch Corporation subsidiary.

After an external cybersecurity expert examined the incident, SEIKO determined that a breach occurred, and some of the company’s information may have been compromised.

“At present, we are in the process of confirming the precise nature of the information stored on the affected servers. Once our ongoing investigation yields more specific results, we will promptly provide an update,” the company stated. However, no further updates regarding the breach have been made available thus far.

About ALPHV/BlackCat Ransomware:

ALPHV/BlackCat ransomware first emerged in 2021. Similar to other entities in the cybercriminal realm, this group operates a ransomware-as-a-service (RaaS) enterprise, selling malware subscriptions to criminal actors. Notably, the gang employs the Rust programming language.

According to an analysis by Microsoft, threat actors associated with this ransomware were known to collaborate with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI has suggested that money launderers affiliated with the ALPHV/BlackCat cartel have ties to Darkside and Blackmatter ransomware cartels, indicating a well-established network of operatives within the RaaS sector.

Recently, ALPHV/BlackCat has been notably active among ransomware groups. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.

This gang appears to have recently focused its efforts on professional service providers. In mid-May, it claimed responsibility for breaching Mazars Group, an international firm specializing in auditing, accounting, and consulting services.

Forever 21:

Clothing and accessories retailer Forever 21 is in the process of sending data breach notifications to over half a million individuals whose personal information was exposed to unauthorized intruders. The company operates a global network of 540 outlets and has a workforce of approximately 43,000 employees.

A portion of the data breach notification, shared with the Office of the Maine Attorney General, reveals that the company detected a cyberattack on multiple systems on March 20. The investigation unveiled that hackers had sporadic access to Forever 21 systems between January and March of this year and utilized this access to pilfer data.

“The investigation determined that an unauthorized third party accessed specific Forever 21 systems at different intervals between January 5, 2023, and March 21, 2023,” states the notice. “Results from the investigation indicate that the unauthorized third party acquired specific files from certain Forever 21 systems during this timeframe” – Forever 21.

The data breach notice, dispatched on August 29 to 539,207 affected individuals, lists the following potentially exposed data types:

  • Full names

  • Social Security Numbers (SSN)

  • Dates of Birth

  • Bank Account Numbers

  • Forever 21 Health Plan information

BleepingComputer reached out to Forever 21 to ascertain if the security incident impacted both customers and employees. A spokesperson from the company issued the following statement: “The incident was limited to current and former Forever 21 employees and did NOT affect personal data pertaining to Forever 21 customers.”

In the notice, Forever 21 reports that they have taken steps to ensure that the hackers have deleted the stolen data, implying that the company may have engaged in communication with the attacker. Such actions often occur following ransomware attacks, where the victim negotiates with the hackers to reach a reasonable ransom. However, it is important to note that a ransomware attack on Forever 21 has not been confirmed.

In November 2017, Forever 21 informed its customers of another data breach affecting its payment system, resulting in the compromise of card data from transactions made between March and October 2017.

Italian Banks Temporarily Disabled by Distributed Denial of Service (DDoS) Attacks:

Several banks in Italy recently experienced temporary outages due to targeted Distributed Denial of Service (DDoS) attacks.

On August 1st, the Agenzia per la Cybersicurezza Nazionale (ACN) announced that it had identified cyberattacks against at least five banks in the country, resulting in a temporary disruption of their services.

The affected banks included BPER Banca (EMII.MI), Intesa Sanpaolo (ISP.MI), FinecoBank (FBK.MI), Popolare di Sondrio (BPSI.MI), and Monte dei Paschi di Siena (BMPS.MI).

According to the ACN, it “detected the resurgence of distributed denial of service (DDoS) attack campaigns carried out by pro-Russian… groups targeting national institutional entities.” The ACN attributed the attacks to the Russian hacking group known as “NoName.”

An employee from one of the affected banks informed Reuters that the bank’s website was taken offline due to a substantial surge in traffic. However, the bank’s mobile app continued to function normally during the attack, and the website was restored after a brief period.

The ACN stated that it provided assistance to all those affected by the DDoS attacks launched by NoName.

What Are DDoS Attacks?

Distributed Denial of Service (DDoS) attacks involve malicious actors attempting to disrupt a website by overwhelming its infrastructure with a significant volume of internet traffic. As DDoS attacks saturate a site’s bandwidth, users are unable to access it.

DDoS attacks can be motivated by various factors, but their primary objective is to cause disruption by temporarily taking websites offline. Due to their disruptive nature, DDoS attacks are employed by malicious entities as a means of directly targeting specific individuals or organizations.
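The bank employee's description of the outage, a sudden surge in traffic that took the website offline, is also what the attack looks like from the defender's side in access logs. The block below is an added example, not tooling from the ACN or any of the banks named, and its log lines are constructed: ten quiet seconds from two legitimate clients followed by three seconds of flood from sixty addresses in the 198.51.100.0/24 documentation range. The detector learns a per-second baseline from the quiet period, flags seconds that exceed it by a multiplier, and reports the number of distinct sources, which is what separates a distributed flood from one misbehaving client.

```python
"""Added example (not the ACN's or any bank's tooling): spotting a volumetric
DDoS surge in web-server access logs.

Log lines are constructed. The detector counts requests per second, takes the
baseline from the quiet period, and flags seconds whose rate exceeds the
baseline by a multiplier. It also reports how many distinct sources drive the
spike, which distinguishes a distributed flood from one noisy client.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed common-log-format lines: "<ip> - - [<timestamp>] "<request>" <status> <bytes>"
LOG_LINES = []
_start = datetime(2023, 8, 1, 9, 0, 0)
for second in range(10):
    # Quiet baseline: two requests per second from two legitimate clients.
    for ip in ("203.0.113.10", "203.0.113.11"):
        ts = (_start + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        LOG_LINES.append(f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512')
for second in range(10, 13):
    # Flood: 60 requests per second from 60 different addresses (TEST-NET-2 range).
    for i in range(60):
        ts = (_start + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        LOG_LINES.append(f'198.51.100.{i} - - [{ts}] "GET / HTTP/1.1" 503 0')


def parse_line(line: str) -> tuple[str, datetime]:
    """Extract (client ip, timestamp) from a common-log-format line."""
    ip = line.split(" ", 1)[0]
    stamp = line[line.index("[") + 1 : line.index("]")]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def detect_flood(lines, baseline_seconds: int = 10, multiplier: float = 5.0) -> list[dict]:
    """Return one alert per second whose request rate exceeds baseline * multiplier.

    The first `baseline_seconds` observed seconds define the normal rate; in a
    real deployment that baseline would come from a longer, trusted window.
    """
    per_second = Counter()
    sources = defaultdict(set)
    for line in lines:
        ip, ts = parse_line(line)
        key = ts.replace(microsecond=0)
        per_second[key] += 1
        sources[key].add(ip)

    seconds = sorted(per_second)
    baseline_window = seconds[:baseline_seconds]
    baseline = sum(per_second[s] for s in baseline_window) / max(len(baseline_window), 1)

    alerts = []
    for s in seconds[baseline_seconds:]:
        if per_second[s] > baseline * multiplier:
            alerts.append({
                "second": s.isoformat(),
                "requests": per_second[s],
                "distinct_sources": len(sources[s]),
                "baseline": baseline,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(LOG_LINES):
        print(alert)
```

A high request count with many distinct sources, as in the constructed flood, is the signature that justifies engaging upstream scrubbing or provider-side mitigation rather than blocking individual addresses.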

Moving Forward:

Data breaches can have severe consequences for both companies and individuals, including financial loss, reputational damage, and identity theft. As the frequency and sophistication of cyberattacks continue to increase, it is crucial for companies to prioritize data protection and implement robust security measures. By staying vigilant and proactive in their approach to cybersecurity, organizations can minimize the risk of a data breach and protect their customers’ trust.


The Top 10 Things Every CISO Should Know


What Every CISO Should Know in 2023 to Protect Their Business


In our rapidly evolving digital age, the role of a Chief Information Security Officer (CISO) has never been more crucial. As a CISO, your role stretches far beyond traditional IT security measures. You are the protector of your organization’s most valuable assets, from intellectual property to customer data. The following insights delve deeper into what every CISO should know in 2023 to ensure they’re at the forefront of safeguarding their business.


1. Grasping the Business

Understanding your business inside out is paramount. The best CISOs fully comprehend the company’s goals, mission, and operational mechanics. Why is this so vital? Because only with this understanding can you adequately prioritize and champion security initiatives. Furthermore, by aligning security measures with business goals, you ensure that security is not viewed as a roadblock but rather an enabler of growth and success.


2. Emphasizing Effective Risk Management

Risk management isn’t just a box to tick; it’s a continual process. This involves constant vigilance—identifying emerging threats, assessing their potential impact, and implementing controls to counteract them. Today’s cyber threats are dynamic, with cybercriminals using sophisticated techniques that change by the minute. Hence, regular risk assessments and updates are non-negotiable. But, just as crucial is the art of communication. The ability to articulate these risks, along with their potential implications to the board and executives, can make the difference between proactive action and reactive damage control.


3. Moving Beyond Compliance

While regulatory compliance is essential, in 2023, it’s merely a starting point. With the ever-evolving threat landscape, relying solely on regulations and standards can render a business vulnerable. It’s like only installing a front door lock while leaving all the windows open. Instead, a proactive approach, involving continuous assessment and adaptation of security measures to the unique needs and threats faced by your organization, is pivotal.


4. Championing Security Awareness

The human factor can often be the weakest link in any security chain. As such, empowering every single employee with the knowledge and tools to act as the first line of defense is vital. This means ongoing training, regular reminders, and cultivating a culture where security is everyone’s business. Remember, from the receptionist to the CEO, everyone can either be an asset or a vulnerability.


5. Harnessing the Power of Effective Communication

Clear, concise, and compelling communication can be one of the most potent tools in a CISO’s arsenal. It’s essential to translate the often complex world of security into language that everyone—from the tech newbie to the seasoned board member—can grasp. Regularly updating stakeholders about security postures, potential risks, and ongoing initiatives not only fosters trust but also reinforces the importance of collective vigilance.


Expanding the CISO’s Toolkit in 2023:

But let’s push the envelope further. In addition to the critical pointers above, CISOs in 2023 should be aware of:


6. Embracing the Cloud and Zero Trust: 

As businesses transition to cloud infrastructures, understanding cloud security best practices becomes paramount. Moreover, adopting a Zero Trust approach—where every access request is fully authenticated, authorized, and encrypted before granting access—ensures layered defense in a distributed work environment.


7. Machine Learning and AI:

Cybercriminals are leveraging AI; so should you. Incorporating machine learning can help in anomaly detection, identifying potential threats faster than any human could, and enhancing predictive analytics. Findings not only automates assessments and the auditing process for all of your company’s vendors, but we also offer real time updates on your risk posture powered by RiskRecon and Anomali.


8. Regular Penetration Testing:

Gone are the days when an annual penetration test sufficed. Regularly challenging your systems can expose vulnerabilities before cybercriminals exploit them.


9. Incident Response Preparedness:

It’s not about if, but when a breach might occur. Having a well-rehearsed incident response plan ensures rapid containment, minimizing potential damage.


10. Collaborative Security:

Partnering with other businesses, industry groups, and governmental bodies can provide invaluable intelligence and resources. Cybersecurity is a collective endeavor.


In conclusion, being a CISO in 2023 means juggling many balls—compliance, risk management, employee training, effective communication, technological advancements, and more. The threat landscape might be challenging, but with the right approach, tools, and mindset, CISOs can ensure their organizations are robustly defended and primed for growth.

