[Security Weekly] Capital One Fined $80 Million for Massive Data Breach in 2019

2nd Week of August 2020


1. Capital One fined $80 million for massive data breach in 2019

Capital One, one of the largest commercial banks and credit card issuers in North America, was issued a fine of $80 million by the U.S. Office of the Comptroller of the Currency (OCC), for a massive data breach in 2019 that compromised the personal data of over 100 million Americans and 6 million Canadians.

The data breach happened in March 2019, when a hacker named Paige Thompson leveraged a misconfiguration in one of Capital One’s AWS S3 servers to gain access to the database. She then exfiltrated the data and published it on GitHub.

The leaked data contained credit card application forms, which included personal information such as names, dates of birth, addresses, phone numbers, email addresses, postal codes, and self-reported income figures. Other information such as credit scores, credit limits and balances, payment histories, transaction data, and Social Security Numbers of Americans and Social Insurance Numbers of Canadians, were also compromised.

Apart from the fine, the Federal Reserve requested Capital One’s Board of Directors to submit within 90 days a detailed plan on how to enhance its risk management system.

Businesses must be aware of the system configurations of their servers hosted in the public cloud. Misconfigurations of public cloud servers are one of the most common causes of data breaches today. Moreover, sensitive personal information should always be encrypted so that the consequences of a data breach can be minimized.

Looking for a safe and convenient encryption solution? See D’Amo.

Sources: Washington Business Journals, SC Media


2. Online exam platform ProctorU leaks 440,000 user records in data breach

ProctorU is among the latest victims hit by the ShinyHunters ransomware group, with over 440,000 of its user records published online.

ProctorU offers online examination invigilator services by tracking all browsing activities to prevent examinees from cheating. It has gained increased popularity during the COVID-19 pandemic and is widely used by educational institutions around the world.

This data breach incident involved mostly users from Australia, including the accounts of students and staff from the University of Melbourne, the University of Queensland, the University of Western Australia, Adelaide University, and a few others.

Compromised data included full names, home addresses, usernames, and unencrypted passwords of all users who registered on or before 2014.

The specific point of entry remains unknown. Affected universities are cooperating with ProctorU on the investigation.

Sources: Infosecurity, Honi Soit


3. SANS Institute falls victim to phishing attack, leaking personal data of 28,000 people

SANS Institute, a cybersecurity training company that offers certificate-granting training courses, has suffered a phishing attack that compromised the personally identifiable information (PII) of 28,000 individuals.

The attack was discovered on August 6, when the company found a forwarding rule in an employee’s work email configuration. By that time, the rule had already forwarded a total of 513 sensitive emails to an external email address.

These leaked emails contained the full names, home addresses, email addresses, job titles, company names, and countries of residence of over 28,000 people who registered for an online summit hosted by SANS Institute.

The company quickly removed the forwarding rule. After a series of investigations, it concluded that the incident was caused by a phishing attack directed at the specific email account, and that no other accounts were compromised.
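The forwarding rule at the centre of this incident is the kind of thing a routine mailbox-rule review can catch. The following added example (not SANS Institute’s tooling; the domains and rule records are constructed placeholders) flags enabled rules that forward to any address outside the organisation’s own domains:

```python
"""Flag mailbox forwarding rules that copy mail outside the organisation.
Added example, not SANS Institute's tooling; domains and rules are
constructed for illustration."""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com", "mail.example.com"}  # constructed placeholder

@dataclass
class ForwardingRule:
    mailbox: str        # mailbox the rule lives in
    rule_name: str
    forward_to: tuple   # one or more recipient addresses
    enabled: bool

def address_domain(address: str) -> str:
    """Domain of 'user@host' or 'Name <user@host>', lowercased."""
    match = re.search(r"@([^>\s]+)", address)
    return match.group(1).lower() if match else ""

def is_external(address: str) -> bool:
    """True unless the domain exactly matches one of ours; exact matching
    also rejects look-alikes such as example.com.evil.invalid."""
    return address_domain(address) not in INTERNAL_DOMAINS

def suspicious_rules(rules):
    """Enabled rules with at least one external recipient, with the
    offending addresses listed so a reviewer knows what to revoke."""
    findings = []
    for rule in rules:
        external = [a for a in rule.forward_to if is_external(a)]
        if rule.enabled and external:
            findings.append((rule.mailbox, rule.rule_name, external))
    return findings

# Constructed sample: one benign rule, one exfiltrating, one disabled.
SAMPLE_RULES = [
    ForwardingRule("alice@example.com", "Helpdesk copy",
                   ("Helpdesk <help@example.com>",), True),
    ForwardingRule("bob@example.com", "Archive",
                   ("help@example.com", "archive@freemail.invalid"), True),
    ForwardingRule("carol@example.com", "Old rule",
                   ("carol@example.com.evil.invalid",), False),
]

if __name__ == "__main__":
    for mailbox, name, addrs in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' forwards to {addrs}")
```

In practice the rule list would come from the mail platform’s admin API; the exact-match domain check is deliberate, since suffix matching would let a look-alike domain pass as internal.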

This incident shows the importance of cybersecurity awareness among employees, because even a company built by security experts can fall victim to phishing attacks.

Sources: Computer Weekly, Bleeping Computer


4. Credit card details of 2,600 users breached at Michigan State University online store

Michigan State University (MSU) recently disclosed a cybersecurity incident that compromised the personal and payment information of over 2,600 customers who shopped at its online store.

According to MSU, the attackers injected Magecart-style skimmers into the website’s payment forms by exploiting an application vulnerability. The skimmers were in place for nine months between October 19, 2019 and June 26, 2020, impacting 2,600 customers who shopped at the store during this period.

All information entered into the payment forms was compromised, including full names, home addresses, billing addresses, and credit card numbers.

The university has now patched the application vulnerability and is providing free identity theft protection services to all those impacted.

A web application firewall (WAF) like WAPPLES would have easily prevented such an incident. As the majority of web attacks are directed at the application layer, having a WAF is essential for any website that involves personal data and financial transactions.


Source: Bleeping Computer


5. Amazon Alexa flaw allows attackers to access voice history and personal data

Critical flaws in Amazon’s AI voice assistant Alexa allowed hackers to access a user’s voice history by persuading the user to click on a malicious link.

The flaws were discovered by cybersecurity researchers at Check Point back in June, after which they immediately notified Amazon. The flaws have since been fixed. However, the incident was only disclosed on August 13 in a report published by Check Point.

The case involved several web application vulnerabilities in Alexa’s subdomains, including a cross-site scripting (XSS) flaw and a cross-origin resource sharing (CORS) misconfiguration.

The first vulnerability allowed hackers to bypass SSL pinning and view traffic transmitted between the Alexa app and the Echo speaker. The second vulnerability allowed hackers to send requests from any Amazon subdomain.

These flaws, combined, allowed hackers to trick a user into clicking a link to a subdomain that the attacker had already compromised, eventually allowing the attacker to take over the entire application.
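The CORS misconfiguration in this story is what a subdomain-wide origin check produces: once any subdomain is trusted, an XSS on one of them reaches the API. The following added example (not Amazon’s or Check Point’s code; the example.com hostnames are constructed placeholders) contrasts a suffix-match origin check with an exact allowlist and shows what a credentialed response should look like when the origin is not trusted:

```python
"""Compare a loose CORS origin check with a strict allowlist.  Added example,
not Amazon's or Check Point's code; the hostnames are constructed
placeholders standing in for an API and its trusted web front ends."""
from urllib.parse import urlsplit

# Origins allowed to make credentialed requests (constructed placeholder).
ALLOWED_ORIGINS = {"https://app.example.com", "https://shop.example.com"}

def loose_origin_ok(origin: str) -> bool:
    """Weak check: trusts any host that ends with the parent domain.  This
    extends trust to every subdomain, so XSS on one forgotten subdomain
    reaches the API, and the missing leading dot even lets notexample.com
    through."""
    host = urlsplit(origin).hostname or ""
    return host.endswith("example.com")

def strict_origin_ok(origin: str) -> bool:
    """Exact match on scheme + host (+ port) against a short allowlist."""
    return origin in ALLOWED_ORIGINS

def cors_headers(origin: str, check) -> dict:
    """Headers for a credentialed cross-origin response.  When the origin is
    not trusted, emit no CORS headers at all rather than a wildcard: the
    browser then refuses to expose the response to the calling page."""
    if not check(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not reuse one origin's answer for another
    }

# Constructed origins: a trusted app, a compromised sibling subdomain,
# a look-alike domain and a plain-HTTP downgrade of the trusted app.
PROBES = [
    "https://app.example.com",
    "https://forum.example.com",
    "https://notexample.com",
    "http://app.example.com",
]

if __name__ == "__main__":
    for origin in PROBES:
        print(f"{origin:28} loose={loose_origin_ok(origin)} "
              f"strict={strict_origin_ok(origin)}")
```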

Sources: ZDNet, Threatpost


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security