Monthly Cloud Security Roundup: The Worst State for Online Privacy, the Adobe Data Breach, Russian Hackers Targeting the Olympics, and More
Each month, we’ll bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the Adobe data breach, the worst state for online privacy, business email attacks, and more.
Adobe data breach exposes millions of customers
Nearly 7.5 million accounts containing customer details were recently exposed due to an Adobe data breach that involved an unprotected Elasticsearch database. The database was accessible via online search, allowing anyone to access customer records with information such as email address, payment status, subscription status, member ID, and location. Adobe secured the Elasticsearch database the same day security researchers alerted the company to the leak.
It does not appear that any financial or security data such as payment information or passwords were exposed, although there was enough detail to inspire a potential follow-up attack on consumers. If you have an Adobe account, change your password, monitor your account for any changes, and although it’s unlikely to lead to major concerns, consider investing in identity theft protection.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams. Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
– Paul Bischoff, Privacy Advocate, Comparitech
Johannesburg networks held for Bitcoin ransom
The city of Johannesburg took its website and other e-services offline after a recent ransomware attack. A group of hackers targeted the city, delivering a ransom note that demanded four Bitcoins (the equivalent of about $40,000) by October 28, or else they would expose sensitive information including passwords, financial data, and personal population information. The city refused to pay the ransom and shut down the entire computer network, including online billing and emergency call systems. Days after the ransom deadline, Johannesburg was able to restore customer-facing systems with many services back up and running.
Russian hackers target anti-doping agencies ahead of Olympics
State-sponsored Russian hackers are continuing to set their sights on anti-doping and sporting agencies as the 2020 Tokyo Olympics draw nearer. Microsoft reported that hackers infiltrated no fewer than 16 organizations around the world that are committed to preventing illegal doping in athletic events. While carrying out espionage to gain intel on organizations like the Worldwide Anti-Doping Agency, hackers stole files and medical records. These attacks occurred not long after it was reported that Russia may face expulsion from the Olympics for doping concerns – Russian athletes have been banned from participating for the last three years due to the discovery of a state-sponsored doping operation. To protect your organization from similar incidents, enhance security with a defense-in-depth strategy.
And the worst state for online privacy is…
Researchers identified one American state that’s severely behind when it comes to online privacy legislation. Based on a state-by-state comparison of online privacy laws, Wyoming offers users the least amount of protection. The research team evaluated every state using 20 criteria, including laws that protect groups of people like employees and children, and laws that govern how companies can use customer data. Of the 20 criteria, Wyoming met just one – the state protects K-12 student information like grades and attendance records. Other states that didn’t fare well included Idaho, Iowa, Pennsylvania, and Mississippi. At the other end of the spectrum, California was found to have met 75% of the criteria used by researchers.
“While not all states have shield laws to protect journalists from exposing their sources, Wyoming is the only state that doesn’t even have a court precedent for doing so.”
– Comparitech researchers
AWS suffers 8-hour DDoS strike
Customers of Amazon Web Services (AWS) were affected by a severe multi-hour outage after a Distributed Denial of Service (DDoS) attack on the cloud provider. In an email to customers, Amazon confirmed that the disruption was the result of a DDoS attack. The email also stated that the company’s Shield Advanced DDoS mitigation helped handle the incident, although some customers are concerned because it flagged several legitimate queries along with the malicious ones, which left some users unable to connect to the service. While the issue appears to be resolved, the fact that the attack took such a massive service offline remains a concern for many.
Attacks on company email accounts on the rise
A new Mimecast report revealed that Business Email Compromise (BEC) attacks are increasing dramatically. Compared to Q2 2019, Q3 saw a 269% increase in incidents. BEC attacks usually target companies that work with foreign suppliers or frequently make wire-transfer payments. In this type of attack, business email accounts are compromised to perform unauthorized funds transfers. The researchers found 28,783,892 spam emails, 28,808 malware attachments, and 28,726 dangerous file types in users’ inboxes.
With the rise in BEC attacks, organizations need to respond by enhancing email security and monitoring for unusual user activity in cloud applications like Microsoft Office 365. These methods can prevent negative impacts like data leakage, financial penalties, or customer turnover.
“Cybercriminals will always look for new ways to bypass traditional defenses and fool users. This means the industry must focus their efforts on investing in research & development, unified integrations and making it easier for users to be part of security defenses, driving resilience against evolving attacks.”
– Joshua Douglas, VP of Threat Intelligence, Mimecast
Amex employee suspected of accessing customer data to commit fraud
Insider threats abound. A former American Express employee is facing investigation for wrongfully accessing customer information with the intent to commit fraud. According to Amex, the employee may have used customer names, card numbers, billing addresses, birthdates, and Social Security numbers to open accounts at other financial organizations.
After the culprit’s actions were uncovered, the company immediately launched an investigation and alerted a subset of customers via a data breach notification. The institution is instructing customers to remain vigilant over the next 24 months and to utilize free fraud and account activity alerts via the Amex app.