It has been a busy year for data breaches already, and January isn’t even officially over. This past week has been no exception. In the past seven days, in addition to the Airbus news that we previously reported, Discover Financial, IT management giant Rubrik, the City of St. John in New Brunswick, Canada and the State Bank of India all reported exposures.
Discover Cards
Discover Financial has reported a “possible merchant data breach” that could have compromised user accounts. It filed the report with the State of California Attorney General’s office, in compliance with that state’s data breach rules. There are two separate notifications, available here and here.
“We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review,” the company said in a media statement issued on Twitter. “We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”
The credit-card issuer said that it has alerted cardholders to a data breach that appears to have taken place on August 13, 2018, but it hasn’t said how much personal information was compromised or how many individuals are affected.
Anthony James, chief strategy officer at CipherCloud, told Threatpost in a prepared statement that the length of time between the breach occurring and being found is typical.
“Discover’s breach is very typical of the news we hear continually concerning financial firms and credit processors,” he said. “In today’s environment attackers will get into your networks. That’s a fait accompli. We also expect that it will take months even before a card processor such as Discover is even aware of the intrusion and possible breach. What we don’t expect to hear is that the databases and credit-card data are, amazingly, unencrypted.”
Discover is mailing out new cards to those it believes are affected.
“We should be realistic – the costs for Discover will be a rounding error, and have already been built into their Q4 provisions (up 18 percent over Q4 2017),” Colin Bastable, CEO of Lucy Security, said via email. “The 176 million card-carrying U.S. consumers are generally inured to the consequences of these breaches – between them, they have some 985 million credit and store cards, and the card issuers are very good at shipping out replacement cards. The real problem is that these thefts are not victimless crimes – real money is involved. Crime rings and governments are stealing from the American consumer and using it to finance more crime.”
A Pair of Misconfigured Servers
Meanwhile, two other major data exposures revealed this week are the result of misconfigured servers, which is a scourge that shows no sign of going away.
Rubrik, the IT security and cloud data management giant, exposed a whole cache of customer information, improperly stored in an Amazon Elasticsearch database. The exposed server wasn’t protected with a password, allowing access to pretty much anyone on the internet. The company pulled the server offline Tuesday.
According to reports, the tens of gigabytes of exposed data goes back to October, and includes customer names, contact information, contents of customer service emails, customer IT/cloud set-up and configuration information, and email signatures with names, job titles and phone numbers.
“It seems like almost every day we hear about another company that’s left an Elasticsearch server unprotected, leaving sensitive data exposed, and now we’re seeing it happen with IT vendors,” said Balaji Parimi, CEO, CloudKnox Security, via email.
“There’s a simple reason these vulnerabilities are so prevalent: the complexity of multi-cloud environments, combined with a lack of visibility into who can do what. When combined, this leads to overprivileged identities operating in environments where security teams can’t answer simple questions like: ‘what privileges does each service account or employee have?’, and ‘what actions have they performed?’. These vulnerabilities are rarely malicious – they result from lack of visibility into what people are doing in extremely complex environments,” Parimi said.
In other news, the State Bank of India, the largest financial institution in that country of nearly one and a half billion people, also said this week that it failed to secure a server with a password, leaving the financial information for millions of customers exposed as a result of “human error.” The database contained text messages, account balances, recent transactions, partial bank account numbers and customers’ phone numbers, impacting an undisclosed number of people.
CipherCloud’s James noted, “Financial institutions are under constant cyberattack. That, of course, is no surprise to any of us. Instead, the data exposure at the State Bank of India Mumbai data center isn’t due to an attacker – it is due to misconfiguration and errors in administration. Right now we are seeing a surge in data exposure and breach due to these administrative errors.”
Third-Party Supplier Credit-Card Breach
And finally, credit-card information from about 6,000 people in the Canadian city of St. John was seen being sold on the Dark Web thanks to a payment card skimmer being installed on the third-party parking system that it uses. The malware collected credit-card information for 18 months from those paying parking tickets before being discovered.
“Once data has been stolen, it’s used in a number of ways, including account takeover and identity fraud,” explained Ryan Wilk, vice president of Customer Success at NuData Security. “More recently, we’ve seen a change in the value of stolen data as more and more institutions are implementing user authentication solutions that render stolen data valueless. The loss of credit card data is a worry for everyone. The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime.”