(From Credit Union Times) – Honda did not wrap a big bow around another breach, but Facebook did deliver an additional package of personally identifiable information in a couple of cybersecurity incidents prior to the holidays.
Credit unions and financial institutions may not feel the impact of such data incidents immediately, but data theft eventually takes a toll on the entire financial system. As stolen data is bought and sold, it fuels fraud schemes such as phishing, account takeover and business email compromise.
Several cybersecurity professionals weighed in on why credit unions and other organizations should find these exposures relevant.
Security researcher Bob Diachenko found the vulnerable Elasticsearch cluster, which held 976 million Honda North America records. Through the misconfigured database, the automaker exposed approximately 26,000 North American customer records containing personally identifiable information in October.
The cloud misconfiguration exposed vehicle owners' full names, email and mailing addresses and phone numbers, as well as vehicle makes, models, VINs, agreement IDs and other service data. None of the records required a password or any other authentication to access.
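The root cause described above is an Elasticsearch cluster that answered queries with no authentication at all. As an added illustration, not taken from the article and not a description of Honda's actual configuration (the cluster's version and settings are not reported), the following `elasticsearch.yml` fragment shows the settings that produce that condition alongside the ones that require credentials and keep the HTTP interface off public networks. The setting names are those of Elasticsearch 7.x, where the security features are included in the free Basic license; the certificate paths are placeholders.

```yaml
# Added example, not from the article. Assumes Elasticsearch 7.x; the
# version and configuration of the exposed cluster are not known.

# --- Weak: what an openly exposed cluster typically looks like ---
# Listening on every interface with security switched off means any
# HTTP client that can reach port 9200 can read and write every index.
# (Shown commented out so this file stays valid; do not enable.)
# network.host: 0.0.0.0
# xpack.security.enabled: false

# --- Corrected ---
# Listen only where clients actually are: loopback behind a reverse
# proxy, or a private address such as 10.0.0.5 (placeholder).
network.host: 127.0.0.1

# Require a user or API key on every request.
xpack.security.enabled: true

# Encrypt client traffic so credentials are not sent in the clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12          # placeholder path

# Encrypt and mutually authenticate node-to-node traffic.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # placeholder path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # placeholder path
```

After enabling security, set the built-in user passwords with `bin/elasticsearch-setup-passwords interactive` (or use the API-key API) and confirm the change from the outside: an unauthenticated `curl -s -o /dev/null -w '%{http_code}' https://<your-host>:9200/` against your own node should return `401`, not `200`. Note that binding `network.host` to anything other than loopback puts Elasticsearch into production mode and enforces its bootstrap checks, so a node that previously started will refuse to start until those checks pass; that is the behaviour you want, since it blocks exactly the casual "just open it up" change that produces exposures like this one.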
Honda’s security team in Japan reportedly secured the publicly accessible server within a few hours of being contacted on December 12 by Diachenko, who had discovered the exposed database on December 11.
Honda had been involved in a similar incident before: a July 2019 exposure of 134 million documents, containing 40 GB of data, on 300,000 Honda employees.
“Companies that manage consumer data are obligated to keep it secure; however, suffering two incidents within the same year should signal to Honda that it is time to enact the proper security controls,” said Chris DeRamus, Chief Technology Officer at DivvyCloud. “The self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, which results in massive leaks of data, unbeknownst to them.”
“Exposures like this highlight the dynamic nature of the enterprise attack surface,” said Vinay Sridhara, Chief Technology Officer at Balbix. “In today’s DevOps driven world, IT and infosec teams no longer control assets in cloud-based services like AWS.”
Sridhara suggested that a sound security strategy for these realities must start with a continuously updated inventory and categorization of all assets.
Anurag Kahol, Chief Technology Officer at Bitglass, explained that the exposed PII could be used to launch highly targeted phishing attacks and leaves consumers vulnerable to identity theft, account hijacking and other cyberattacks well into the future. “Enterprises must make security a priority in 2020 and employ solutions that are able to mediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.”
“Databases that hold personally identifiable information should be secure at all times,” stated Stephan Chenette, Co-Founder/Chief Technology Officer at AttackIQ, Inc. “Throughout the course of 2019, we witnessed several companies make the simple mistake of leaving their database exposed with no password protection in place.”
Unfortunately, Chenette maintained, these incidents would have been preventable had the impacted companies been continuously validating the efficacy of their security controls.
Just before Christmas, Facebook began investigating a report that a database holding more than 267 million user IDs, phone numbers and names had been exposed for anyone to access without a password or any other authentication.
Comparitech partnered with Diachenko to uncover the Elasticsearch cluster. Paul Bischoff, tech writer, privacy advocate and VPN expert with Comparitech, wrote in a blog post, “The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users.” Diachenko said the data had also been posted for download on a hacker forum.
“The rich personal information everyone shares on Facebook, coupled with a simple way to get access to speak to you, is a tremendous feeder source for scams,” said Jason Kent, Hacker in Residence at Cequence Security.
Kent added that the fact that a third party discovered the database inadvertently makes him wonder how many copies of this data exist.
Erich Kron, Security Awareness Advocate at KnowBe4, acknowledged, “While on the surface a database of phone numbers does not seem like something to be concerned about, this type of information, all in one place, is a gold mine for scammers and cybercriminals.”
He noted that attackers know these numbers represent mobile devices and can likely receive text messages. They also know the numbers are associated with Facebook accounts, and can use this information to craft attacks that appear legitimate and are difficult for people to defend against.
DeRamus said, “This latest incident is alarming because the database was unprotected for nearly two weeks, allowing threat actors more than enough time to access it and use it to launch spear-phishing attacks and commit identity theft.”
“It was not too long ago that Facebook suffered a data leak of millions of its users’ information, including phone numbers. Given the seemingly cavalier approach many consumer services take towards properly protecting data, enterprises everywhere should see this as a wake-up call,” Sridhara stated. “Security teams must modify their strategies to account for this dynamic new reality.”
Kahol maintained, “Social media platforms are lucrative targets for cybercriminals due to the massive amounts of personally identifiable information they collect and store from users. The lasting impact is unknown and a staggering 59% of consumers (according to Password Boss) admit to reusing the same password across multiple sites. This could give cybercriminals access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result.”
“We are all getting a bit jaded by these breaches,” said Robert Prigge, CEO of Jumio. “But, what about the threats to businesses? Tens of thousands of businesses use the Facebook login button on their websites to validate a user. Guess what? You cannot possibly know if a user is who they claim given the scope and magnitude of these breaches. Businesses must reconsider their use of these types of identity proofing and authentication mechanisms.”