Monthly Cloud Security Roundup: Marriott Data Breach, COVID-19 Cyber Security Challenges, and More

May 11, 2020

Monthly Cloud Security Roundup: Marriott Data Breach, COVID-19 Cyber Security Challenges, and More

Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the latest Marriott data breach, Ring’s call for multi-factor authentication security, NIST’s security control updates, and more.

Marriott data breach exposes “up to” 5.2 million people

International hotel chain Marriott announced they were the victim of another data breach that exposed the personal information of approximately 5.2 million guests. The breach began in January 2020 and was discovered at the end of February. Exposed personal data includes names, addresses, birthdays, email addresses, and phone numbers. The company, however, does not have reason to believe that passport, payment, or password information was breached. While the source of the breach has yet to be identified, signs point to an unknown third party using the login credentials of two Marriott employees. In response, the company notified the authorities and individuals who were impacted by the breach. For those affected, Marriott has a dedicated website to answer questions and offer support.

Cybercriminals use COVID-19 to target remote employees

Riding the wave of uncertainty caused by the shift to remote work due to COVID-19, cyber criminals are increasing efforts to target employees working from home. The main methods of attack are through phishing emails and spam campaigns designed to use fear and uncertainty to trick people into sharing their personal information, such as Social Security numbers or banking details. Working from home during this time with kids, pets, and family all around is a recipe for distraction, making it easier to let your guard down to phishing and scams, and hackers are exploiting this to steal information.

In a report, Europol warned that the number of attacks will rise as hackers develop more advanced techniques of gaining sensitive information from people. To mitigate cybersecurity threats, provide in-depth security training to employees and configure your security settings in mission-critical applications like Salesforce or Office 365 to fend off attacks.

“The number of cyberattacks is significant and expected to increase further. Cyber criminals will continue to innovate in the deployment of various malware and ransomware packages themed around the COVID-19 pandemic.”

– Europol

Ring mandates 2FA for device security

In response to a recent string of device hacks, Ring, a smart camera doorbell company, is making two-factor authentication (2FA) mandatory for all customers. 2FA offers a second layer of verification – usually a code sent to a designated cell phone or email address – before a user can log into their account and view their doorbell video feed. With the second factor, Ring hopes to prevent unauthorized users from accessing customer accounts, even if the user has the customer’s login credentials. 2FA is a simple, yet effective way to help prevent data breaches. As a result, companies who weren’t previously using it are now enforcing 2FA during the COVID-19 pandemic as cybersecurity threats increase.

Ring also provides a set of best practices for all users beyond their Ring account, which includes:

  • Don’t reuse passwords
  • Update phone numbers and email addresses for online accounts
  • Set up a PIN or passcode to unlock your smartphone
  • Update your apps and operating system to the latest version as soon as possible

Thousands of UK government employee devices lost

According to recent information obtained under a Freedom of Information request, government employees in the UK lost or had their devices stolen more than 2,000 times in one year. Included in these numbers are smartphones, laptops, and tablets. The Ministry of Defence, which includes military personnel in the Army, Royal Navy, and Royal Air Force, had the most lost or stolen devices at 767 – many of which were not encrypted, causing concern for a potential data breach.

The report accounted for 2,004 devices, of which 1,474 were reported lost, 347 were stolen, 183 were either lost or stolen, and 1,628 were lost or stolen in an unknown place. Only 249 devices were recovered. The real concern isn’t that the devices were lost, which is sometimes unavoidable, but that they were not all thoroughly encrypted or properly secured.

“Data security is a top priority for the UK government and is supported by £1.9bn of investment under the National Cyber-Security Programme.”

– Spokesperson for the UK government

Hackers attack US health agency’s computer system

In an unsuccessful attempt to slow down its COVID-19 response, cyberhackers attacked the Department of Health and Human Services’ (HHS) computer systems. Hoping to flood HHS servers with millions of requests over several hours, the attack failed when the HHS detected a “significant increase in activity” on its cybersecurity infrastructure. Systems remained fully operational, largely because HHS’ IT infrastructure has risk-based security controls that are continuously monitored for threats and vulnerabilities. During a press briefing, the Secretary of HHS reported the origin of the attack is unknown, but no data was stolen or accessed inappropriately.

“Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure.”

– HHS spokesperson Caitlin Oakley

NIST to update flagship information system safeguards

NIST – the National Institute of Standards and Technology – is a physical sciences laboratory and non-regulatory agency in the United States. Its mission is to promote innovation and industrial competitiveness through standards for protecting organizations’ operations and assets, particularly in the areas of cybersecurity and data privacy. The experts at NIST are planning to revise SP 800-53 Security and Privacy Controls for Information Systems and Organizations to include more safeguards and updated definitions.

This publication contains controls and safeguards for a wide range of platforms, including standard computers, Internet of things (IoT) devices, and industrial control systems. The intended audience includes anyone from a security expert to a system developer to a cloud computing provider. This update integrates privacy into the controls, adds a new family of supply chain controls, and includes state-of-the-practice controls like cyber resiliency and secure systems design.

The standard was last updated seven years ago, and the agency is accepting public comments on the draft until May 15, 2020.

“Our objective is to make the information systems we depend on more resistant to cyberattacks. We want to limit the damage from those attacks when they occur, make the systems cyber-resilient, and at the same time protect the security and privacy of information.”

– SP 800-53 co-author Ron Ross, NIST