Computer Business Review – MyHeritage Hack: “Future Hackers Could Amend Stolen DNA”

No DNA data has been lost as a result of a hack at genealogy and DNA testing website MyHeritage that resulted in the leak of 92,283,889 email addresses and hashed user passwords, the company has claimed.

“Sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised,” the Israel-based company said.

Gemalto CTO of Data Protection Jason Hart said: “This reinforces again that being breached is not a question of ‘if’ but ‘when’. Perimeter defences are just what they are, first lines of defence. When those fail, the only way data can be protected is to encrypt it. It is especially important that sensitive personal data is always encrypted. That way, if the data is stolen it is useless to the thieves.”

He added: “MyHeritage noted that it plans to add additional protective measures in the future. While it appears that MyHeritage hashed its passwords, this is a weak form of protection. Given today’s security climate, all online companies should have multi-factor authentication activated by default for all online accounts as well as using encryption and key management to secure sensitive data.”
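The quote above contrasts plain password hashing with stronger protection. The following added example (not code from the article, MyHeritage or Gemalto) shows, with constructed sample credentials, why an unsalted single-pass hash is weak on its own: every user who picks the same password gets the same digest, so one precomputed table covers all of them. It then builds a per-user salted, iterated PBKDF2-HMAC-SHA256 record and verifies a candidate against it with a constant-time comparison. The `600_000` default work factor is an assumption chosen for illustration, not a value from the page.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration; not real user data.
SAMPLE_PASSWORD = "correct horse battery staple"


def weak_hash(password: str) -> str:
    """Unsalted, single-pass SHA-256.

    Fast to compute and identical for every user who chooses the same
    password, so a single precomputed table serves against the whole dump.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Build a salted, iterated PBKDF2-HMAC-SHA256 password record.

    A fresh 16-byte random salt per user means equal passwords yield
    different digests, and the iteration count makes each guess costly.
    (600_000 is an assumed illustrative work factor.)
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def weak_hash_collides_across_users(password: str) -> bool:
    """True: two users sharing a password share an unsalted hash."""
    return weak_hash(password) == weak_hash(password)


def salted_record_collides_across_users(password: str, iterations: int = 600_000) -> bool:
    """False: the per-user salt separates two records for the same password."""
    a = make_record(password, iterations)
    b = make_record(password, iterations)
    return a["digest"] == b["digest"]


if __name__ == "__main__":
    record = make_record(SAMPLE_PASSWORD)
    print("unsalted hashes collide across users:",
          weak_hash_collides_across_users(SAMPLE_PASSWORD))
    print("salted records collide across users:",
          salted_record_collides_across_users(SAMPLE_PASSWORD))
    print("correct password verifies:", verify(record, SAMPLE_PASSWORD))
    print("wrong password verifies:", verify(record, "hunter2"))
```

The record stores the salt and iteration count alongside the digest so that the work factor can be raised later for new logins without invalidating existing accounts; the stored digest is never compared with `==`, since a timing-safe compare avoids leaking how many leading bytes matched.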

To read the full article click here.

Business Today – Data theft increased by 783% in India in 2017, says study

Some 3.24 million records were stolen, lost or exposed in India in 2017, according to a Breach Level Index study by digital security firm Gemalto. This number has increased by a whopping 783% over the previous year. The study tracks and analyses data breaches, the type of data compromised and how it was accessed, lost or stolen in the last five years.

“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organizations to combat than simple data theft, as it can allow hackers to alter anything from sales numbers to intellectual property. By nature, data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto.

To read the full article click here.

SC Magazine UK – Greenwich University Breach costs university £120,000

Greenwich University has been fined £120,000 after a security breach at the university resulted in the leak of 19,500 students’ data to the internet, according to Signavio. This data included names, addresses, date of birth, phone numbers, signatures and in some cases, physical and mental health problems.

Jason Hart, CTO of Data Protection, Gemalto concludes: “This should be a reminder for organisations around the world to dig deep when it comes to protecting their data. If businesses don’t know where it is or whether it’s properly secured then they are leaving themselves and their customers vulnerable. While many are taking steps to improve their data security, the fact that some breaches can lay undiscovered for three years leaves little doubt that there is still work to do before there is widespread GDPR compliance. In order to adequately protect their data, businesses must regularly audit and ensure security controls, such as encryption and key management are implemented, whether the data is being stored or used in a transaction”.

To read the full article click here.

CSO Online – Let’s get serious about security: 2.6 billion records stolen or compromised in 2017

Gemalto’s 2017 Breach Level Index found 2.6 billion records were compromised in 2017, as well as a number of new data breach tactics. Breached or exposed data is not only a headache for security teams. It also impacts brand reputation, customer confidence and stock prices, but risk can be managed by mapping out where data resides.

Gemalto, my employer, recently published the latest research from its Breach Level Index (BLI), sharing that 2.6 billion records were stolen, lost or exposed worldwide during the year of 2017. A global database, the BLI follows and studies breaches, the types of data compromised and how it was accessed or lost.

To read the full article click here.

IT Pro – UK businesses failing basic security measures

Britain’s businesses are still ignoring basic security fundamentals, with almost half failing to implement foundational security protections. This is according to the annual Cyber Security Breaches Survey, conducted by the Department for Digital, Culture, Media and Sport to assess the security awareness and preparedness of businesses in the UK, which found that many UK companies are not following the basic security steps laid out as part of the government’s Cyber Essentials scheme.

“While it’s troubling to hear that almost half of UK businesses have experienced a cyber attack in the past year, the actual volume of these incidents is likely considerably higher,” said Gemalto’s CTO and former ethical hacker, Jason Hart. “In fact, we’ve seen from our Breach Level Index that almost as many data incidents are caused by accidental loss as malicious outsiders.”

To read the full article click here.


Cybersecurity Insiders – Fancy Bear Leaks Documents Allegedly Stolen from International Luge Federation

Fancy Bear has leaked what it asserts are documents stolen from the International Luge Federation (ILF) two weeks ahead of the 2018 Winter Olympics.

On 24 January, the digital espionage group posted a statement explaining its motivation for conducting what it calls “OpOlympics”:

Jason Hart, CTO of Data Protection at Gemalto, is familiar with the 2016 incident…

“Much like Fancy Bears’ hack of the World Anti-Doping Agency’s (WADA) website last year, these documents need to be taken with a pinch of salt, as the hacking group has a history of changing the data they steal to suit their own purposes. This data manipulation poses an arguably greater threat to organizations than simple data theft, as it can allow hackers to alter anything from stock or sales numbers and in this case, potentially the reputations of innocent athletes.”

To read the full article click here.

Cyber Security Hub – Cyber Security: Who’s In Charge?

It’s no mystery that the threat landscape has intensified, widened and spooked many security practitioners around the globe. Between breach anxiety amongst the C-Suite, the increasing perimeter size of large enterprises, numerous endpoints tapping into the network and a glaring disconnect between departments, cyber security is still an often-overlooked facet of the business. This, of course, should not be so.

In recent years, the threat vectors have multiplied and security practitioners have been forced to deploy various solutions to mitigate – or attempt to mitigate – the many network dangers.

According to Gemalto’s 2017 Breach Level Index report, a whopping 2 billion data records were lost or stolen via cyber-attacks in the first part of 2017. Gemalto’s Vice President and Chief Technology Officer for Data Protection, Jason Hart, added that two-thirds of firms breached had their share price negatively impacted. Of 65 companies evaluated, breaches cost shareholders $52.4 billion.

To read the full article click here.

CSO Online – Data breaches are taking a toll on customer loyalty

Data breaches are happening on a daily basis. And as the number of breaches has soared, the scale of attacks has escalated as well. According to the Breach Level Index, 1.9 billion data records worldwide were compromised during the first half of 2017 due to 918 data breaches. The number of lost, stolen or compromised records increased by an overwhelming 164 percent compared to the last six months of 2016. (Disclosure: the Breach Level Index is operated by Gemalto, where I am employed.)

This year saw major security incidents affecting numerous high-profile corporations such as Equifax and Deloitte. And the consequences of such breaches now appear to be moving beyond the direct financial impact. As businesses struggle to maintain and protect consumer data, consumers are growing wary of both the attitude and practices those organisations take in order to do so.

To read the full article click here.

Four Data Security Trends that Defined 2017

With 2018 upon us, it’s important we take stock of the data security trends and threats that defined 2017. Several notable trends emerged over the course of the year, after all, and these will no doubt continue to shape the data security landscape into 2018 and beyond.

Here are four such remarkable data security trends that helped mould the past year:

1. International Malware Outbreaks

One of the most notable data security trends of 2017 was that three strains of malware made headlines for attack campaigns that swept across national boundaries. On 12 May, WannaCry ransomware got things going with an outbreak that claimed the United Kingdom’s National Health Service (NHS), Spanish telecommunications giant Telefonica, and at least 200,000 other organizations worldwide as victims. NotPetya followed less than two months later when the Petya impersonator/wiper malware struck a Ukrainian power supplier, France’s Saint-Gobain, and close to 17,000 other targets primarily in North America and Europe. Both attacks leveraged EternalBlue, an exploit which abuses a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, for distribution.

It wasn’t until October 2017 that Bad Rabbit, a strain of Diskcoder, reared its head. This malware used drive-by attacks as its primary means of infecting users. As a result, it infected only a few hundred computers mainly located in Russia, Ukraine, Germany, Turkey, South Korea, the United States, and a few other countries.

2. Mega-Breaches (and Curious Responses)

In light of the hacking attack disclosures involving LinkedIn, Dropbox, Yahoo (which only got worse), and others, history will no doubt remember 2016 as the “Year of the Mega Breach.” 2017 didn’t produce as many mega-breaches as 2016, but it nevertheless yielded some notable data security incidents…with some equally extraordinary responses. You can find a database of data breaches going back to 2013 in Gemalto’s Breach Level Index.

For instance, Equifax acknowledged in the beginning of September that hackers had breached its systems and thereby compromised the personal information of 143 million American citizens. Consumers’ personal data was simply left unencrypted. Things went awry on the day of disclosure when the credit bureau directed concerned users to visit a resource to verify if they were victims of the breach. That resource was located at a separate site riddled with bugs. Additionally, a slow disclosure time and subsequent gaffes on Twitter led Brian Krebs to call the response a “dumpster fire.”

Two months later, the world learned of the data breach at Uber that compromised 57 million driver and rider accounts in 2016. The ride-sharing company ultimately met the hackers’ ransom of $100,000 to ensure the attackers deleted their copy of the stolen data. It then went further by insisting the hackers sign an NDA, camouflaging the ransom payment as a bug bounty program payout, and remaining silent about the breach for more than a year.

3. CIA Hacking Tools

In the spring of 2017, WikiLeaks published a series of documents pertaining to the Central Intelligence Agency’s hacking operations. Detailed in those leaked sources are various tools used by CIA agents to infiltrate their targets, including malware for smart TVs and iOS exploits. The documents even include borrowed code from public malware samples.

Symantec subsequently analyzed those hacking tools in April and linked them to 40 attacks in 16 countries conducted by a group called Longhorn. It’s unclear how many additional attacks those tools have since facilitated.

4. Attacks against Cryptocurrency Exchanges

One Bitcoin was worth just $979 on 1 January 2017. Since then, its value has multiplied more than 13 times, with its rate peaking at $19,843. Investors no doubt celebrated that price explosion. But they weren’t the only ones tracking the digital money’s increase. Malefactors also saw the rise of Bitcoin; they took it upon themselves to try to hack various exchanges for the cryptocurrency. Indeed, at least eight marketplaces have suffered data breaches as of 23 December, with Parity Technologies losing $32 million in Ethereum and hackers stealing $70 million in Bitcoin from NiceHash. One can expect this data security trend to continue into 2018.

What Made 2017 Stand Out for You?

Which of these data security trends and threats concerns you most? Did another data security trend grab your attention in 2017? If so, let me know in the comments!

This post also appeared on the Gemalto Security blog here.

Channel Eye – Consumers will abandon insecure businesses

Companies that suffer from a data breach could lose more than 70 percent of their customers, according to a new survey.

Ok, the survey was carried out by Gemalto which is a security company, but it was based on questions asked to 10,000 consumers.

Gemalto Identity and Data Protection CTO Jason Hart said: “Consumers are evidently happy to relinquish the responsibility of protecting their data to business, but are expecting it to be kept secure without any effort on their part.”

“In the face of upcoming data regulations such as GDPR, it’s now up to businesses to ensure they are forcing security protocols on their customers to keep data secure. It’s no longer enough to offer these solutions as an option. These protocols must be mandatory from the start – otherwise, businesses will face not only financial consequences but also potential legal action from consumers.”

To read the full article click here.