Published on August 10th, 2017 | by Vatsal Desai
Breach of the Month – July 2017
Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Which did we choose for July? This month’s breach threat analysis features the thoughts of engineer Vatsal Desai:
- Dow Jones breach
- UniCredit breach
- Verizon – NICE Systems breach
- Automobile Association breach
Dow Jones
Chris Vickery from UpGuard discovered a Dow Jones data repository on Amazon S3. The repository was originally found on May 30th and was downloaded in its entirety on June 1st. The repository, ‘DJ-SKYNET’, contained several folders of compressed Apache Avro files, containing text logs, JSON data sets and CSV lists that revealed valuable user information like the last 4 digits of credit card numbers and correlated details like customer name, customer ID, etc.
Dow Jones has confirmed that the data of 2.2 million customers was exposed; however, UpGuard estimates the number to be around 4 million. A particularly confidential and current data set was also exposed; it was a database of infamous finance personnel maintained by Dow Jones as part of their Risk and Compliance product for anti-corruption. The exposure was due to a permission misconfiguration that allowed database access to all users registered/authenticated with AWS.
Dow Jones claims that ‘DJ-SKYNET’ was secured on June 6th and that there was no evidence of the data being stolen by an adversary. Steve Severinghaus from Dow Jones stated that since it was just an over-exposed data store that contained insignificant customer information and neither a breach nor an attack, it does not pose a risk that would require them to notify individual customers. UpGuard has however pointed out that such exposures lead to phishing attacks, misuse of credit card details and identity theft.
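The permission misconfiguration described above corresponds to a grant to S3's predefined AuthenticatedUsers group, which means every AWS account holder, not just the bucket owner's users. The following check is an added example, not code from SS8, UpGuard or Dow Jones; it assumes the grant was made through a bucket ACL (the page does not say), and the bucket names and owner ID are constructed placeholders.

```python
# Added example: flag S3 ACL grants that reach beyond named accounts.
# Input dicts use the shape of the S3 GetBucketAcl response ("Grants" list).
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

GROUP_MEANING = {
    AUTHENTICATED_USERS: "any authenticated AWS account",
    ALL_USERS: "anyone, including anonymous requests",
}
# Permissions that let the grantee change data or the ACL itself.
MUTATING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(bucket, acl):
    """Return one finding per grant made to a broad predefined group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in GROUP_MEANING:
            continue  # grants to specific accounts are out of scope here
        perm = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "grantee": GROUP_MEANING[uri],
            "permission": perm,
            "severity": "critical" if perm in MUTATING else "high",
        })
    return findings


def audit_all(acls):
    """Audit a {bucket_name: acl} mapping, in bucket-name order."""
    return [f for name in sorted(acls) for f in audit_acl(name, acls[name])]


# Constructed sample ACLs; bucket names and owner ID are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
SAMPLE_ACLS = {
    "example-analytics-archive": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ]},
    "example-private-bucket": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
    "example-public-dropbox": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print("{severity:8} {bucket}: {permission} granted to {grantee}".format(**f))
```

Object ACLs have the same structure and can be passed through the same function; bucket policies are a separate access path and need their own review.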
UniCredit
UniCredit announced a data breach affecting 400,000 customers in a recent press release. The statement revealed that it was a two-part breach, occurring first in/around September/October 2016 and again in/around June/July 2017. UniCredit claims that access information like passwords and PINs was not exposed and that, of the data that was lost, none can be used to perform banking transactions directly.
It was during the second cycle of the breach (June/July 2017) that the initial 2016 compromise was detected. Exposed data contained biographical and loan data, which could be used for targeted phishing attacks. UniCredit claims to have increased the security budget to ensure security of their servers.
Verizon – NICE Systems
Another story from UpGuard’s Chris Vickery, and it is particularly similar to the Dow Jones exposure. NICE Systems provides Verizon with the technology to analyze call-center traffic; the exposed data store was a collection of voice recognition logs, agent details and call queue timers, all compressed as a GZIP. Additionally, subscriber name, address, phone number and PIN (required for subscriber identification) were exposed.
Automobile Association
AA Shop, an AA division that provides retail services, suffered a data exposure issue in April 2017. This incident caused records of 117,000 customers to be available for download. Exposed data included PII (Personally Identifiable Information) like names, addresses, emails, last 4 digits of credit cards, credit card expiry dates, transaction histories and IP addresses.
The misconfiguration was brought to AA’s attention on April 23rd and was fixed on April 25th. Upon follow-up, it was found that the affected customers were never informed. The exposed data also contained an expired cryptographic private key and certificate that was associated with AA’s trading account.
Edmund King from AA mentioned that the 3rd party responsible for the management of AA Shop was informed about the exposure as soon as it was reported, and that upon further investigation and analysis the data was not found to be sensitive. However, several reporters and security researchers have stated that AA has tried to evade the entire issue by not informing the affected customers and that such information aids in targeted attacks.
And the winner for July is….
Verizon – NICE Systems
An open data repository administered by Israel-based NICE Systems was discovered on Amazon S3 containing call data of Verizon subscribers. The downloadable repository was found on June 13th and wasn’t secured until June 22nd.
UpGuard mentions NICE Systems as a technology provider for state-sponsored surveillance; this puts the data store exposure in a much higher magnitude of severity. The repository was to be maintained for Verizon only; however, it also contained records associated with the French telecom provider Orange.
Verizon claims that records of approximately 6 Million customers were exposed, while UpGuard estimates 14 Million. Verizon also claims that there was no evidence of an adversary gaining access to the data store and that it wasn’t a breach but rather a misconfiguration by NICE Systems. UpGuard has however pointed out that such details can be used by adversaries to impersonate customers by using the PIN as a means of identification.
Vatsal is a Threat Researcher at SS8. He believes that security is a time-based control: it is only a matter of time before someone breaks into the network; the goal is to improve the control time to surpass the value of the asset under protection.