The Official Vera Blog

June 7, 2019
|
Industry

Weekly Top 5: Misconfigured Cloud Still Causing Problems

This week we saw a huge uptick in data breaches caused by misconfigured cloud and network storage servers. The most recent incident was reported by Davey Winder at Forbes.

The files included credit card and medical data, as well as intellectual property patents, and were discovered by the Digital Shadows researchers across the cloud, network-attached storage and company servers. Separately, additional researchers found a vulnerability at a photo-sharing service that leaked approximately 11 million photographs, including those categorized as private.

This is certainly not the first time we’ve seen breaches happen because of misconfigured clouds. MongoDB, Elastic, Amazon S3 servers, and Rubrik have had these issues in the past, all of which exposed the data of hundreds (sometimes, thousands) of companies.

 

Here’s the latest rundown for the week:

 

2.3 Billion Files and 11 Million Photos, ‘Private’ Ones Included, Exposed Online

By Davey Winder, Published on Forbes

Newly-published research has found that 2.3 billion files have been publicly exposed online. The files themselves, which include credit card and medical data as well as intellectual property patents, were discovered by the Digital Shadows researchers across the cloud, network-attached storage and company servers. Separately, other security researchers uncovered a vulnerability at a photo-sharing service that leaked at least 11 million photographs including many categorized as private.

The latest Too Much Information report from the Photon Research Team at Digital Shadows found that some 2.3 billion files had been “exposed across SMB-enabled file shares, misconfigured network-attached storage (NAS) devices, File Transfer Protocol (FTP) and rsync servers and Amazon S3 buckets.” That’s a lot of cloud services, storage and small to medium business servers that are all leaking data. Indeed, it amounts to a total of 750 million more files than the same researchers found to have been leaked the previous year.

Quest Diagnostics Says 11.9 Million Patients Affected by Data Breach

By Zack Whittaker, Published on TechCrunch

Medical testing giant Quest Diagnostics has confirmed a third-party billing company has been hit by a data breach affecting 11.9 million patients. The laboratory testing company revealed the data breach in a filing on Monday with the Securities and Exchange Commission. According to the filing, the breach was a result of malicious activity on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest. The “unauthorized user” siphoned off credit card numbers, medical information and personal data from the site.

Laboratory test results were not among in the stolen data, Quest said.

The breach dated back to August 1, 2018, until May 31, 2019, said Quest, but noted that it has “not been able to verify the accuracy of the information” from the AMCA. Quest said it has since stopped sending collection requests to the vendor while it investigates and has hired outside security experts to understand the damage.

 

Under GDPR, UK Data Breach Reports Quadruple

By: Matthew Schwartz, Published on DataBreachToday

The EU’s General Data Protection Regulation went into full effect on May 25, 2018. For the first time, it began requiring all organizations that suffer a data breach that put Europeans’ personal data at risk to notify relevant authorities. The Information Commissioner’s Office, which enforces GDPR in the U.K., says that from May 25, 2018, until the beginning of this month, it received 14,072 data breach reports, compared to receiving just 3,311 from April 2017 through April 2018.

The increase in data breach notification is a result of mandatory reporting driving better visibility, security experts say. Before last May, most organizations faced no legal obligation to publicly disclose a data breach. Now, however, they do, which means that more data breach discoveries have been coming to light.

 

Flipboard Resets Passwords After Database Intrusions

By: Jeremy Kirk, Published on DataBreachToday

News aggregator Flipboard has initiated a systemwide password reset affecting as many as 150 million users following two database intrusions. The company says it is taking the password reset precaution “even though the passwords were cryptographically protected and not all users’ account information was involved.” Flipboard engineers discovered the situation on April 23.

Flipboard says one intrusion occurred between June 2, 2018, and March 23, 2019, and another over a shorter period, between April 21 and 22 this year. An unauthorized person “accessed and potentially obtained copies of certain databases containing Flipboard user information,” the firm says, noting it has notified law enforcement.

“In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist,” Flipboard says in an advisory. The data exposed included usernames and passwords that were hashed and salted. For some users, email addresses and tokens used to connect their Flipboard accounts to third-party applications also were exposed. Those tokens have now been invalidated, Flipboard says.

 

The Growth of Adaptive Authentication

By: Tom Field, Published on DataBreachToday

The right authentication controls at the right time for the right transactions – the adaptive authentication message is taking off, says OneSpan’s Tim Bedard. And here are some quick wins organizations might focus on when starting down the path. For organizations that are still dependent on usernames and passwords, it’s time to start weaning off those controls, Bedard says. “You want to start doing layered security,” he says. “What I mean by that is to bring in additional adaptive authentication-type methods, so that you actually … start to use some soft tokens, hard tokens or some biometrics …” to enhance your approach.