Recent Data Breaches 4 OCT 2017
Given the nature of the breach I have been tracking, this is a separate blog post. So far we can determine that their inventory process, configuration process, patch management, vulnerability management, data leak protection, SQL programming, incident response and crisis management processes are in need of some work.
Information thus far seems to indicate that Sonic was not aware of the breach and did not know until the stolen credit card information showed up for sale on the dark web. Since they don't know, all we can determine is that they do not have adequate detection mechanisms.
ISMG "Fast-Food Chain Sonic Investigates Potential Card Breach, Full Scope of Potential Breach Remains Unknown," by Jeremy Kirk, 27 SEP 2017: https://www.govinfosecurity.com/fast-food-chain-sonic-investigates-potential-card-breach-a-10337
Wall Street Journal, "Sonic Confirms Data Breach," by Cara Lombardo, 27 SEP 2017: https://www.wsj.com/articles/fast-food-chain-sonic-reportedly-victim-of-data-breach-1506512675
The Securities and Exchange Commission (SEC) disclosed Wednesday that hackers penetrated its electronic system for storing public-company filings last year and may have traded on the information. At this point I have found no other information on how the breach happened or how it was discovered. We do know that the breach happened in 2016.
New York Times, "SEC Says It Was a Victim of Computer Hacking Last Year" by Alexandra Stevenson & Carlos Tejada, 21 SEP 2017: https://www.nytimes.com/2017/09/20/business/sec-hacking-attack.html
Hackers May Have Traded on Stolen SEC Data, SEC Commissioner Faces Senate Questioning Over Newly Disclosed May 2016 Breach, by Jeremy Kirk September 22, 2017
ISMG, "Senate Testimony: SEC Chairman Offers Cyber 'Mea Culpa', Regulator Also Launches 'Cyber Unit' to Investigate 'Cyber-Related Misconduct'" by Mathew J. Schwartz 26 SEP 2017: https://www.govinfosecurity.com/senate-testimony-sec-chairman-offers-cyber-mea-culpa-a-10334
Reuters, "SEC Chairman Belatedly Learned of 2016 Agency Hack: Testimony" 25 SEP 2017: https://www.nytimes.com/reuters/2017/09/25/business/25reuters-usa-senate-sec.html
Wall Street Journal, "SEC Says Hackers Accessed Two People's Personal Information" by Dave Michaels, 3 OCT 2017: https://www.wsj.com/articles/sec-says-hackers-accessed-personal-information-in-2016-breach-1506957334
There has been no information on how many records were compromised. The only thing we know at this point is that it is client information, and Deloitte says very few clients are affected. In addition, we know that it was an email system that had been compromised and that the breach happened last year. One security expert said that multifactor authentication would have prevented this breach.
BBC News, "Deloitte Hit by Cyber Attack" 25 SEP 2017: http://www.bbc.com/news/technology-41385951
ISMG, "Report: Deloitte Suffered Breach Last Year, Hackers Breached Emails, Client Data Stored In Microsoft Azure Cloud Service" by Mathew J. Schwartz, 25 SEP 2017: https://www.bankinfosecurity.com/report-deloitte-suffered-breached-last-year-a-10330
Whole Foods Market
One thing security experts say is that network segmentation helped limit the scope of this breach. Only part of Whole Foods' POS system was breached, and parent company Amazon.com was not affected at all.
ISMG, "Whole Foods Market Investigates Hack Attack, Payment Card Data Stolen From Taprooms and Restaurants, Supermarket Chain Says" by Mathew J. Schwartz, 29 SEP 2017: https://www.govinfosecurity.com/whole-foods-market-investigates-hack-attack-a-10346
Business Insider, "Whole Foods is investigating a credit-card security breach" by Kate Taylor, 28 SEP 2017: http://www.businessinsider.com/whole-foods-credit-card-breach-2017-9
It looks like this incident was not so much a data breach as a compromise of the system that led to unscheduled downtime. Apparently an employee of HP who had been laid off was the one who brought down the system. Here the problem is that Oregon Medicaid did not manage vendor connections and HP did not remove access for former employees. All the security standards have controls concerning vendor management and termination of former employees' system access, either of which would have prevented this breach.
ISMG, "Vendor's Ex-Employee Allegedly Shut Down Medicaid System, Criminal Case Claims Defendant Shuttered Oregon's System for Hours" by Marianne Kolbasuk McGee, 29 SEP 2017: https://www.govinfosecurity.com/vendors-ex-employee-allegedly-shut-down-medicaid-system-a-10347
I have created a separate blog post for the breach given the nature of the event. This is a supply chain management issue. Do you trust the providers that are there to protect your systems? In this case the anti-malware provider was the one that was hacked, and the malware was injected into their download site. The goal was to exfiltrate trade secrets from tech firms.
On October 3rd, Yahoo announced that the number of accounts compromised in 2013 was not limited to the 1 billion accounts originally reported. Today it seems all 3 billion of their accounts were compromised. No word on why it took so long to determine.
Reuters, "Yahoo says all 3 billion accounts affected in 2013 hack" 3 OCT 2017: http://www.msn.com/en-us/money/companies/yahoo-says-all-3-billion-accounts-affected-in-2013-hack/ar-AAsS3Br
ISMG, "Yahoo: 3 Billion Accounts Breached in 2013 'New Intelligence' Reveals Every Single Yahoo User Account Was Pwned." by Jeremy Kirk, 4 OCT 2017: https://www.govinfosecurity.com/yahoo-3-billion-accounts-breached-in-2013-a-10355