Monthly Cloud Security Roundup: A New Cybersecurity Act for Schools, a Military Ban on TikTok, Wawa’s Data Breach, and More
Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the new Cybersecurity Act for schools, a ban on TikTok, Wawa’s data breach, and more.
Wawa joined the ranks of other retailers that suffered data breaches in 2019 after being hit by a malware cyberattack in December. The payment information of customers who visited more than 850 East Coast Wawa stores may have been collected as early as March 2019, although the breach was not identified until December. Once malware was discovered on payment processing servers, the threat was blocked and contained. Other information that may have been exposed includes cardholder names and expiration dates. The convenience chain notified customers of the incident and is offering free credit monitoring and identity theft protection to those affected.
“At Wawa, the people who come through our doors every day are not just customers, we consider them family, and nothing is more important than honoring and protecting their trust.” – Lori Bruce, Wawa spokesperson
Following guidance from the Pentagon, the U.S. Army and Navy banned the popular video app TikTok on all government phones, citing cybersecurity concerns. As part of the Defense Department’s efforts to address existing and emerging threats, the Defense Information Systems Agency had initially recommended that all Department of Defense employees refrain from using the Chinese-owned app. The military had used TikTok to recruit younger Americans to join the services, but banned the application after security concerns about the exposure of personal information arose. No statement was issued regarding the other branches of the military, the Marine Corps and the Air Force, and their use of the app.
3,672 users of Amazon’s Ring – an electronic doorbell with a built-in security camera – have been hit with the news that their credentials, including emails and passwords along with other user data, have been compromised. Criminals use data, including locations of Ring cameras, to obtain users’ addresses, phone numbers, payment information, and security codes, according to one report. Some hackers have accessed live footage of the customers’ homes as well as archived footage. Security researcher Nick Shepherd identified the compromised accounts on an anonymous text storage site. Upon contacting Ring customer support, Shepherd was told they were “unable to assist.”
According to a Ring spokesperson, there has been no evidence of unauthorized intrusion, but customers report having their information exposed. In response to the events, consumers have brought forth a class-action lawsuit against Amazon for negligence, invasion of privacy, and breach of implied warranty. Ring users are advised to change their passwords and set up two-factor authentication.
For a long time, the traditional VPN was the go-to choice for network security. As cyber threats have evolved, the VPN is now being replaced by a more secure, smart approach – zero trust security. In a zero trust framework, all users are equally untrusted, unlike VPNs, which placed trusted employees on the inside and untrusted employees on the outside. Zero trust security combats insider threats by leveling the playing field. With the addition of mobile computing, remote work, and cloud data storage, VPNs weren’t cutting it for optimal data and network security. Zero trust is the future – Gartner reports predict that 60% of organizations will move to zero trust access by 2023.
“Zero trust has allowed us to more granularly enforce what folks are doing on a day-to-day basis,” says Robert LaMagna-Reiter, CISO at FNTS. “We’re showing folks that it’s not a technology decision, it’s a business strategy.”
Senators Gary Peters (D-MI), ranking member of the Senate Homeland Security and Governmental Affairs Committee, and Rick Scott (R-FL), introduced the K-12 Cybersecurity Act of 2019 in December. The Act aims to improve cybersecurity protection for K-12 schools in the United States by having the Department of Homeland Security (DHS) identify security risks and challenges specific to schools while providing attainable solutions. Educational institutions manage vast quantities of sensitive student and employee data, including family information, medical records, employment history, and more. Education facilities require robust cybersecurity measures to protect this data, especially because schools have been targeted by cyberattacks over the last few years. The senators claim the new legislation will ensure that schools can protect themselves from hackers and safeguard sensitive information of both students and educators.
“Schools across the country are entrusted with safeguarding the personal data of their students and faculty, but lack many of the resources and information needed to adequately defend themselves against sophisticated cyberattacks.” – U.S. Senator Gary Peters (D-MI)
An unprotected database with more than 267 million Facebook user records – with personal information like user IDs, phone numbers, and names – was left online for anyone to access. Security researcher Bob Diachenko discovered the Elasticsearch cluster and notified the IP address’ internet service provider, but the database remained online for nearly two weeks after identification. According to Diachenko, the information was posted on a hacking forum for anyone to download. The exposed records belong primarily to United States residents and are believed to be the result of Facebook API abuse or illegal scraping – where bots crawl through hundreds of thousands of web pages and copy data into a database.
In the aftermath of this cybersecurity incident, it’s highly recommended that Facebook users update their privacy settings, change their passwords, and be cautious of spam messages or phishing emails.
On December 13th, the city of New Orleans fell victim to a ransomware attack after government officials detected suspicious network activity in the early hours of the morning. When the questionable activity continued for several hours, Mayor LaToya Cantrell declared a state of emergency, and the city IT department gave the official order to shut down servers as well as nearly 4,000 computers. Emergency communications were not affected by the incident, and police, fire, 911, and EMS workers continued to operate during the shutdown.
Mayor Cantrell confirmed that the incident was a ransomware attack, although no ransom demand had been made. In response to the incident, the city increased its cyber insurance from $3 million to $10 million.
“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking.” – Collin Arnold, director of Homeland Security