Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.
Increased reporting of data breaches in recent years has a silver lining – the growing breadth of coverage offers a chance to observe organisations experiencing breaches at different stages of the lifecycle. This week we learn from the conclusion of PageUp’s forensic investigations into its breach in May, note European authorities’ assessment of Uber’s 2016 breach, and watch Marriott International respond in real time to a breach revealed this week.
Summary: A forensic investigation into the high-profile breach of HR solutions provider PageUp revealed in May found no specific evidence any data had been exfiltrated, though attackers had installed the necessary tools to do so.
Key risk takeaway: The conclusion of the forensic investigation comes approximately six months after PageUp publicly disclosed the breach. This underscores the difficulties organisations face in the immediate wake of a breach, with the time needed to complete a thorough investigation pressing against increasingly tight disclosure timeframes and public expectations for information. PageUp worked closely with Australian government authorities, including the Australian Cyber Security Centre, in disclosing the incident, earning it commendations at the time for its transparency. The PageUp breach more broadly emphasises the increasingly critical issue of supply chain risk. A variety of major organisations that use the HR software solution were affected – including Commonwealth Bank, Aldi, Telstra and Australia Post.
Tags: #breachmediaresponse #databreachresponseplan #suppliersecurityassessment
Key risk takeaway: While open source software is widely used and even underpins some large and popular online solutions, this case illustrates the challenges in gaining assurance over the security of smaller code packages. Experts note that there are insufficient incentives for developers and maintainers of open source software, which can result in inadequate oversight and governance of published code. As with any procured software, organisations should continually test and seek assurance of the security of any open source software they use. In addition to deploying testing tools, useful indicators include the quality of the developer or development team and the maturity of interaction within the product’s user community.
Summary: Uber has been fined US $1.17 million by UK and Dutch authorities for a 2016 data breach that exposed the personal information of 57 million users. Uber notoriously paid the hackers involved $100,000 to delete the illegally accessed data and to keep the breach quiet.
Key risk takeaway: The fine once again draws attention to Uber’s inadequate response to the breach, as did a $148 million legal settlement in September for the same breach. In announcing the fine, UK authorities emphasised Uber’s decision not to disclose the breach to authorities or affected users. The breach occurred prior to the EU’s General Data Protection Regulation (GDPR), which involves significantly higher fines. Well-rehearsed data breach response plans, combined with an approach to data breaches that is underpinned by transparency and accountability, can mitigate the risk of a poorly handled response.
Tags: #breach #response #comms
Summary: Marriott International revealed a compromise in which hackers had access to the Starwood Hotels and Resorts network and reservations data since 2014, affecting up to 500 million people.
Key risk takeaway: Though Marriott discovered the compromise in September via an alert from a security tool, unauthorised network access dates back to 2014. This time lag highlights the value of effective detective capabilities in an organisation’s mix of security controls, alongside protective and responsive capabilities. According to the Ponemon Institute, the average time to identify a data breach is 197 days. As part of its breach response, Marriott has created a dedicated microsite containing detailed information about the breach and providing affected customers with information on how to protect themselves. Establishment of such microsites is increasingly seen as best practice in the wake of a breach.
Tags: #breach #securitycontrols #response #comms
Summary: New research reveals that half of all phishing websites display the padlock security icon, ostensibly to better lure in victims.
Key risk takeaway: The pace of change in the methods of cyber-attackers demands similar agility in the evolution of security advice given to users. For some time, users have been urged to look for their browser’s green padlock symbol as an indication of a legitimate site, even though the symbol only means the site uses HTTPS (that is, that traffic to it is encrypted), not that the site operator is who it claims to be. This research shows attackers exploiting that advice by presenting malicious phishing sites as legitimate. Companies should ensure their security awareness programs continue to evolve the security advice given to staff and customers in line with the latest trends and best practice. Consistent with this trend, Google earlier this year ceased marking HTTPS sites as “secure” in its Chrome browser, instead marking HTTP sites as “not secure”.
Tags: #phishing #securityawareness
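The padlock point above can be made concrete for awareness training with a small URL triage script. The following is an added example written for this digest, not code from the research cited or from any vendor: it treats the HTTPS scheme purely as an encryption signal and derives a legitimacy verdict only from whether the registrable domain is on an organisation’s own allow-list, flagging hosts that merely contain a brand name. The brand name, domains and sample URLs are constructed for the demonstration, and the registrable-domain logic is a deliberately simple heuristic rather than a full public-suffix lookup.

```python
"""Added example: why the padlock (HTTPS) alone says nothing about legitimacy.

Everything below is constructed for the demonstration; the allow-list is an
assumption standing in for an organisation's own list of legitimate domains.
"""
from urllib.parse import urlsplit

# Assumed allow-list of the organisation's legitimate registrable domains (constructed).
KNOWN_BRAND_DOMAINS = {"examplebank.com", "examplebank.com.au"}
# Brand tokens whose presence in a non-allow-listed host suggests a lookalike (constructed).
BRAND_TOKENS = ("examplebank",)

# Second-level labels under two-letter country codes (e.g. "com.au", "co.uk").
_CC_SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}


def registrable_domain(host: str) -> str:
    """Toy registrable-domain heuristic: last two labels, or last three when the
    host ends in a country-code pattern such as example.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in _CC_SECOND_LEVEL
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Separate the encryption signal (scheme) from the legitimacy signal (domain)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    encrypted = parts.scheme == "https"          # this is all the padlock tells you
    domain = registrable_domain(host)
    trusted = domain in KNOWN_BRAND_DOMAINS       # legitimacy comes from the allow-list only
    lookalike = (not trusted) and any(token in host for token in BRAND_TOKENS)
    if trusted:
        verdict = "legitimate"
    elif lookalike:
        verdict = "suspicious"                    # brand name used on a foreign domain
    else:
        verdict = "unknown"
    return {
        "host": host,
        "registrable_domain": domain,
        "encrypted": encrypted,
        "trusted_domain": trusted,
        "brand_lookalike": lookalike,
        "verdict": verdict,
    }


def triage(urls) -> dict:
    """Count verdicts across a batch of URLs, e.g. links harvested from reported emails."""
    counts = {"legitimate": 0, "suspicious": 0, "unknown": 0}
    for url in urls:
        counts[assess_url(url)["verdict"]] += 1
    return counts


# Constructed sample links of the kind an awareness exercise might present.
SAMPLE_URLS = [
    "https://www.examplebank.com/login",             # real domain, encrypted
    "https://examplebank.com.secure-login.net/",     # padlock present, brand in a foreign host
    "http://examplebank.com.au/",                    # real domain, no padlock
    "https://example.org/",                          # unrelated site
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = assess_url(u)
        print(f"{r['verdict']:<11} encrypted={r['encrypted']!s:<5} {u}")
    print(triage(SAMPLE_URLS))
```

The second sample shows the case the research describes: the scheme is HTTPS, so a browser would show the padlock, yet the registrable domain is not the brand’s, so the verdict is “suspicious”. The third shows the converse: a legitimate domain served over plain HTTP is flagged as unencrypted but is not a phishing indicator in itself.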