Sunday, October 25, 2015

TalkTalk Breach Week 8

For this week’s blog we are going outside of the United States. Remember that the week 5 blog said, “No one is safe”; well, it seems that statement was true. The British phone company TalkTalk was hacked. The hackers were able to steal lots of personal data, which will be discussed in the following paragraphs.

So far TalkTalk is not one hundred percent sure whether customers’ names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details were stolen (Krebs, 2015). The hackers must be doing this for financial gain, as they sent TalkTalk a ransom demand of 122,000 dollars to be paid in the digital currency bitcoin. Along with the ransom demand, the hackers provided tables from its user database to prove that they were not faking the breach (Krebs, 2015). The hackers have threatened to sell customer information on the dark web if the ransom isn’t paid, but there is no guarantee that, even if the ransom is paid, they won’t sell or post it on the dark web. The database that the hackers sent as part of the ransom demand seems to have credit checks from over 400,000 of its customers. Since the investigation is still ongoing, TalkTalk is not sure how many customers were affected or what data was stolen.

This breach happened because of a vulnerability called SQL injection. A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application (SQL Injection, 2014). When this attack is successful, it can give the attacker administrative privileges on the database. The SQL injection vulnerability was posted on the website Xssposed.org. The attack then became public knowledge, allowing hackers to use this vulnerability to steal information.

TalkTalk has issued one year of free credit monitoring services. Again, companies don’t take cybersecurity seriously. When you have a website that has vulnerabilities and you don’t take care of them, this can happen. This is especially true when the website ties back to a database that houses all their customers’ information. It is good to see they are taking security seriously now, but just like Target they are too late.

References
Krebs, B. (2015, October 24). Krebs on Security. Retrieved October 24, 2015, from http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin/

SQL Injection. (2014, August 14). Retrieved October 24, 2015, from https://www.owasp.org/index.php/SQL_Injection

Monday, October 19, 2015

America's Thrift Store Breach Week 7


Entering week seven, there has been a credit card breach at America’s Thrift Stores. America’s Thrift Stores is headquartered in Birmingham, Alabama, and also has stores in Mississippi, Tennessee, Georgia and Louisiana (Krebs, 2015). They have a total of 18 stores throughout the states listed above. Hackers are now targeting any business that has vulnerabilities in order to get credit card or other personal information. No one is safe from attackers or malware, no matter how big or small.

America’s Thrift Store was attacked by malware that was used to steal credit card information. This special malware targeted a third-party software vulnerability. The malware that attacked America’s Thrift Store has also been infecting other stores throughout the United States. It seems that the malware was used by criminals in Eastern Europe, because that’s where the U.S. Secret Service found the information was sent to. The hackers only got away with credit card numbers and expiration dates of the cards. The incident happened on September 1, 2015 and September 27 (LeClaire, 2015). America’s Thrift Store is not going to give their customers any credit monitoring protection. America’s Thrift Store has verified they have removed the malware and will work with a third-party forensic company to get more details about the breach.

The surprise this week is that malware was used to steal credit card information. In the past six weeks hackers have broken in to steal personal information, but haven’t used malware. Another interesting part of the story is that the malware targeted third-party software. Most companies today are eliminating third-party providers. Target was hacked through the HVAC company they hired. From experience, most companies should stay away from integrating third-party providers with their software and network, as this adds more risk of having a breach. The good thing is that customer names, phone numbers, and physical or e-mail addresses were not compromised in the breach (LeClaire, 2015).

References

Krebs, B. (2015, October 12). Krebs on Security. Retrieved October 17, 2015, from http://krebsonsecurity.com/2015/10/credit-card-breach-at-americas-thrift-stores/

LeClaire, J. (2015, October 14). America's Thrift Stores Hit by Data Breach, Payment Cards Compromised | NewsFactor Network. Retrieved October 17, 2015, from http://www.newsfactor.com/story.xhtml?story_id=0320011MKY80

Friday, October 9, 2015

Scottrade Breach Week 6

Going into week six, there have been more stories to choose from. This week I'm going to focus on a story that involves a well-known online brokerage firm. Seems like even well-known companies are getting breached. Online companies need a higher budget for security as they are more likely to get attacked. This week’s blog entry will give an overview of the story and what the company needs to do moving forward.

Scottrade was informed by the FBI that they may have been breached around two years ago. “The system that was hacked contain Social Security numbers, email addresses and other sensitive data” (Kirn, 2015). They believe that people’s contact information was targeted. This would include the names and street addresses of their clients. Scottrade says that the attackers may have been after this information because they wanted to facilitate stock scams via spam emails (Krebs, 2015). Scottrade says their client passwords are fully encrypted and there has not been any fraud related to the incident. They are providing their affected customers with a free year of credit monitoring.

The question everyone should be asking is why it took two years to discover they had been breached. Customers of Scottrade may need to rethink whether they want to keep doing business with a company that didn’t find a breach on their network for two years. On top of that, why did Scottrade have to find out from the FBI? After reviewing the information, it seems they do not have proper security measures set up. Honestly, even if their passwords are encrypted and none of them seem to have been stolen, Scottrade should make all users change their passwords for security reasons.

Not knowing how the attackers got in and took the information, it’s tough to say how this could have been prevented. Security breaches are costing companies in the millions each year because of lax security. How much is it going to cost Scottrade? They have to provide credit monitoring services for about four and a half million people. According to creditcard.com it can cost 10 to 15 dollars a month or 120 to 180 a year (Johnson). If you take that number times four and a half million, the total amount just for credit monitoring services comes in at eight hundred and ten million dollars. That number is just for the credit monitoring services; it may end up costing them almost a billion dollars, which could have possibly been avoided if there had been more security in place. Part of the reason it may cost them over a billion dollars is that they will have to pay a third-party forensics team and the FBI for researching the breach.

References

Kirn, J. (2015, October 8). Scottrade faces lawsuit over security breach. Retrieved October 10, 2015, from http://www.bizjournals.com/stlouis/news/2015/10/08/scottrade-faces-lawsuit-over-security-breach.html

Krebs, B. (2015, October 2). Krebs on Security. Retrieved October 10, 2015, from http://krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-customers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed: KrebsOnSecurity (Krebs on Security)


Johnson, A. (n.d.). Credit monitoring services: Pros, cons and how to pick one. Retrieved October 10, 2015.

Friday, October 2, 2015

Hotel Breach Week 5

After four weeks of blogging, there have been data breaches at a school, a hospital, and a physician's office. No one is safe from attackers wanting personal and credit card information. Anyone is vulnerable, from department and grocery stores to even clothing stores. This week the Hilton Hotel has been breached.

The breach happened on April 21, 2015 and continued through July 25, 2015. This happened at Hilton and other Hilton-owned properties such as Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels and Resorts. They have determined the breach didn't happen on their guest reservation system. “Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties” (Krebs, 2015).

According to Visa’s policy, they are not allowed to disclose who was breached. Since the name was not disclosed, banks worked together and determined that the Hilton Hotels were breached. There are no other details as they are still investigating the breach.

When I started this blog I honestly thought that I might have some difficulty writing, but I’m amazed that there are so many breaches happening. Is this the same thing that happened to Target a year ago? Does Hilton take information security seriously? They say in the article that they do, but could this have been avoided? People were lucky that credit and debit cards were the only things that were taken. It is easier to close a credit card than have someone steal a social security number, address and birthdate.

References


Krebs, B. (2015, September 15). Krebs on Security. Retrieved October 2, 2015, from http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-properties/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed: KrebsOnSecurity (Krebs on Security)