Published on May 9th, 2017 | by Vatsal Desai
Breach of the Month — April 2017
Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Which did we choose for April? This month’s breach threat analysis features the thoughts of engineer Vatsal Desai:
- Wonga’s payday loan breach
- Scottrade’s unsecured DB
- Chipotle’s payment system breach
- Neiman Marcus’ 2015 leak
Scottrade and Genpact – open DB
Security researcher Chris Vickery discovered an open MySQL database on Amazon S3 while searching for specific key phrases. The open DB belonged to Scottrade Bank and contained 20K records of Personally Identifiable Information (PII), 48K credit profiles, guarantor data, clear-text passwords and API keys to credit reporting websites.
Scottrade Bank said that the mishap was due to human error at Genpact, a third-party provider for Scottrade’s B2B unit. Genpact confirmed that the data had been uploaded without the necessary security controls and that the exposure was the result of a configuration error. Scottrade confirmed that the DB was secured within 6 hours.
Scottrade also suffered a data breach in 2015, an incident which exposed the PII of 4.6M customers.
Chipotle payment system breach
In a recent statement, Chipotle announced that it had noted unusual activity affecting credit card transactions between March 23 and April 18. Unauthorized behavior was detected on the network that serves as the payment processing gateway for purchases made at its restaurants.
Chipotle claims that appropriate steps have been taken to stop the unauthorized behavior and they advise potentially affected customers to monitor their credit card activity. Chipotle’s CFO John Hartung said that they are looking into the issue and specific information on affected restaurants and transactions will not be available until the investigations are complete.
Chipotle was involved in another security incident in 2015, when its HR team was found sending emails from “chipotlehr.com”, a domain the company did not own at the time.
Wonga payday lender
Wonga, a UK-based payday loan provider, reported a data breach involving exposed PII and banking information. It was initially thought that no data had been exposed by the unauthorized activity; however, it later became clear that 270K customer records were stolen.
Wonga sent out a message to the potentially affected customers informing them of the breach and advising that they should monitor their accounts for unauthorized activity while they continue with their investigations.
Wonga was also involved in a financial scandal in 2014, when loans were granted to customers who could not afford to repay them and those customers were then threatened with letters from fake law firms.
And the winner is….
Neiman Marcus disclosed that a December 2015 data breach exposed Personally Identifiable Information (PII) such as customer data, purchase history and the last 4 digits of credit card numbers. The incident was said to have been investigated by external forensic experts.
In April 2017, it was revealed that the original conclusions on the December 2015 incident were incomplete: full credit card numbers and expiry dates had in fact been stolen.
Neiman Marcus recently suffered another security incident in January 2017; it was reported to be nearly identical to the December 2015 incident and to have exposed similar information.
Reports say that both incidents were caused by an automated attack that iterated over known usernames and passwords from security breaches at other enterprises. The brute-force attempt allowed the attackers to gain access to and compromise certain accounts on Neiman Marcus Group’s online portal and InCircle accounts. This is a classic example of adversaries taking advantage of reused and unchanged passwords.
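The tell-tale signature of the attack described above is one source sweeping many different usernames with very few successes, which is what a defender can alert on. The following detector is an added example, not code from SS8 or from Neiman Marcus; it runs over a constructed authentication log in an assumed `time ip user result` format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Columns: ISO timestamp, source IP, username, result.
# 203.0.113.5 sweeps six accounts in ten seconds and gets into one; 198.51.100.7 is a user
# mistyping a password; 192.0.2.10 is a shared office NAT where many people log in fine.
SAMPLE_LOG = """\
2017-04-01T10:00:01 203.0.113.5 alice FAIL
2017-04-01T10:00:03 203.0.113.5 bob FAIL
2017-04-01T10:00:04 198.51.100.7 alice FAIL
2017-04-01T10:00:05 203.0.113.5 carol FAIL
2017-04-01T10:00:07 203.0.113.5 dave OK
2017-04-01T10:00:09 203.0.113.5 erin FAIL
2017-04-01T10:00:10 198.51.100.7 alice FAIL
2017-04-01T10:00:11 203.0.113.5 frank FAIL
2017-04-01T10:00:20 198.51.100.7 alice OK
2017-04-01T10:01:00 192.0.2.10 gina OK
2017-04-01T10:01:05 192.0.2.10 hank OK
2017-04-01T10:01:10 192.0.2.10 ivan OK
2017-04-01T10:01:15 192.0.2.10 judy OK
2017-04-01T10:01:20 192.0.2.10 kate OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames inside `window` with a low success rate.
    A legitimate user retrying one account, or a NAT whose users mostly succeed, is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_line(l) for l in log_text.splitlines() if l.strip()):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(ok for _, _, ok in chunk)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(chunk),
                            "compromised": sorted(u for _, u, ok in chunk if ok)}  # accounts to reset
        if best:
            flagged[ip] = best
    return flagged
```

The `compromised` list gives the accounts that need a forced password reset and session invalidation, which is the response the breached portals above would have needed.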
The incidents mentioned above are in addition to a malware infection found in payment systems at Neiman Marcus retail stores. The malware collected credit card and transaction details for all purchases between July and October 2013; this was reported in January 2014 and affected 350K customers.
Vatsal is a Threat Researcher at SS8. He believes that security is a time-based control — it is only a matter of time before someone breaks into the network; the goal is to make the time the control holds exceed the value of the asset under protection.