Ferrari Data Breach: The Industry has its say

Apparently, the team at Ferrari may not have been up to speed with the latest ways to ensure your security is top priority. It was announced on Monday via a statement uploaded to their website that Ferrari was “recently contacted by a threat actor with a ransom demand related to certain client contact details”.

Ferrari then went on to say that it “will not be held to ransom” and that the best course of action was to inform their clients about the potential data exposure.

The Guru team reached out to some industry experts to understand their perspectives on the incident, and gain some valuable insights for companies looking to avoid this kind of incident in the future:

Christopher Handscomb, Solutions Engineer, EMEA, Centripetal:

“In today’s digital age, it’s becoming all too common for customer data to be breached & exfiltrated with alarming ease. This poses serious concerns for luxury good vendors and their clients alike.

From the company’s perspective, a data breach can result in severe reputational damage and even legal action, not to mention a loss of trust from consumers who may be reluctant to share their sensitive information again leading to an impact in sales.

On the other hand, consumers may find their personal information – including details on their wealth, status, employment, living arrangements, and more – shared with an unknown party, potentially leading to identity theft, financial fraud, or even physical harm.

The good news is that a rapidly growing number of cybersecurity experts are dedicated to defending against these malicious actors. However, companies must be proactive in their approach to securing essential infrastructure and safeguarding customer data.

It’s time for organisations to take a serious and proactive stance on cybersecurity before it’s too late.”

Brad Freeman, Director of Technology at SenseOn

“Like its cars, Ferrari is a highly sophisticated organisation with extensive research and development, racing, manufacturing and retail operations. However this complexity can provide more opportunities for an attacker to penetrate defences. The Ferrari data breach exposes the unique risk faced by high net worth individuals. This means compromised data may be worth significantly more than in a general data breach as attackers are likely to spend significant time crafting targeted attacks against its valuable clients.”

Michael White, technical director, and principal architect at the Synopsys Software Integrity Group:

“In this case it is not known whether any direct access to vehicles was involved in the attack, but this does highlight a notable concern for the future. The automotive industry is moving toward so-called ‘software defined vehicles’ (SDVs), meaning that many of the day to day driving experiences will rely upon extensive cloud hosted infrastructure and applications. The consequences of an attack in such an SDV environment would not just be leakage of data but in the worst case may even allow an attacker to manipulate functionality on the vehicle itself. This means that automotive OEMs such as Ferrari will need to place an increased focus on protecting so-called hybrid infrastructure, including web portals and mobile apps, from malicious attacks across the software supply chain.”

Martin Jartelius, CSO at Outpost24:

“Largely as expected we see those incidents where an organization is pressured to pay as a means of silencing information on a breach, potentially leveraging the fear of GDPR fines as an element of extortion against organizations. As so far very little information is available it’s hard to determine what happened, but this does not appear to be a severe or remarkable event, it attracts more attention than it should due to the targeted organization’s brand than to the event itself.”

Javvad Malik, lead security awareness advocate at KnowBe4:

“Ransomware is a cyber pandemic that attacks all organisations regardless of size and vertical. It is why it’s important that all organisations put the pedal to the metal when it comes to ensuring they have the right cybersecurity controls in place.

When it comes to ransomware, most attacks are successful through phishing, taking advantage of poor credentials, or by exploiting unpatched vulnerabilities. So as a bare minimum organisations should focus on these avenues of attack.”

The post Ferrari Data Breach: The Industry has its say appeared first on IT Security Guru.

Research Reveals ‘Password’ Still the Most Common Term Used by Hackers to Breach Enterprise Networks

Password management and user authentication solutions provider Specops Software has today announced the release of its annual Weak Password Report which analysed over 800 million breached passwords and suggests that passwords continue to be a weak spot in an organisation’s network.

The study found 88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being 8 characters (24%).  The most common base terms used in passwords were: ‘password’, ‘admin’, ‘welcome’ and ‘p@ssw0rd’. Passwords containing only lowercase letters were the most common character combination found, making up 18.82% of passwords used in attacks.

Ironically, the study revealed that 83% of compromised passwords did satisfy both length and complexity requirements of cybersecurity compliance standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC. 

“This shows that while organisations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique,” said Darren James, Product Manager at Specops Software. “With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data.”

Furthermore, brute force attacks are a common tactic cybercriminals use to gain access to an organisation’s network and steal sensitive data. Threat actors systematically run common, probable, and even previously breached passwords against a user’s email address to gain access to that account. For example, the Specops researchers also noticed the inclusion of ‘homelesspa’, a password term found in the 2016 MySpace data leak, proving that ‘old’, breached password terms are still being leveraged by hackers many years later. This is a critical reason why organisations need strong password policy enforcement.

The research was largely compiled through analysis of 800 million breached passwords, a subset of the 3 billion unique passwords in Specops Breached Password Protection.

Real-world example: Nvidia

In Nvidia’s data breach in 2022, where thousands of employee passwords were leaked, many employees had used passwords such as ‘Nvidia’, ‘qwerty’ and ‘nvidia3d’. Having passwords related to the organisation is an easy route for hackers into the network.  Despite industry warnings against easily guessable passwords, users are still resorting to common passwords.

“The 2023 edition of the Weak Password Report reiterates the ongoing challenges of securing the weakest link in the enterprise IT environment,” said James. “To stay on top of today’s credential attacks, all companies should put strong password policy enforcement in place, including custom dictionaries related to the organisation.”

Password Protection Best Practices

Three key enforcement measures recommended by Specops are:

  • For most businesses, this starts with protecting Active Directory, the universal authentication solution for Windows domain networks.
  • Default password policy settings in Active Directory do not go far enough. Third-party password security software can strengthen Active Directory accounts. 
  • Look for a solution that can block the use of compromised passwords and commonly used terms with custom dictionaries.
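The report’s two findings above, that most compromised passwords still satisfied length-and-complexity rules and that breached and organisation-related base terms keep reappearing, are easiest to see in code. The following Python check is an added example written for this page, not Specops’ product or code; the breached list, the organisation name ‘ExampleCorp’ and its custom dictionary are constructed stand-ins for a real breached-password feed and a real organisation’s term list. It undoes common leetspeak substitutions and strips trailing digits and symbols before comparing, so ‘P@ssw0rd2023!’ is judged as ‘password’ even though it passes a three-of-four character-class rule.

```python
import re
import string

# Constructed sample of breached passwords, standing in for a breached-password feed.
# 'p@ssw0rd' and 'homelesspa' are terms named in the report; the rest are illustrative.
BREACHED_PASSWORDS = {"password", "p@ssw0rd", "welcome1", "admin123", "qwerty", "homelesspa"}

# Base terms the report lists as the most common.
COMMON_TERMS = {"password", "admin", "welcome", "qwerty"}

# Custom dictionary for a hypothetical organisation "ExampleCorp" (assumed name).
ORG_TERMS = {"examplecorp", "example", "corp"}

# Common leetspeak substitutions, undone so 'P@ssw0rd' is compared as 'password'.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})


def candidates_for(pw):
    """Forms of the password that are compared against the dictionaries:
    lower-cased, with trailing digits/symbols stripped, and with leetspeak undone."""
    lower = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lower)      # 'p@ssw0rd2023!' -> 'p@ssw0rd'
    return {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}


def complexity_ok(pw, min_len=8, min_classes=3):
    """The kind of length-and-character-class rule most compliance standards require."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= min_classes


def evaluate(pw, breached=BREACHED_PASSWORDS, common=COMMON_TERMS, custom=ORG_TERMS):
    """Return the complexity verdict and every dictionary hit; accepted only if both are clean."""
    forms = candidates_for(pw)
    hits = []
    if forms & breached:
        hits.append("breached")
    for name, terms in (("common", common), ("custom", custom)):
        for term in sorted(terms):
            if any(term in f for f in forms):
                hits.append(f"{name}:{term}")
    ok = complexity_ok(pw)
    return {"complexity_ok": ok, "hits": hits, "accepted": ok and not hits}


if __name__ == "__main__":
    for pw in ("P@ssw0rd2023!", "ExampleCorp#2024", "Homelesspa1!", "correct-horse-battery-staple-7"):
        print(pw, evaluate(pw))
```

Run as a script it prints the verdict for four constructed passwords: the first three pass the complexity rule yet are rejected for a breached term, the organisation’s own name and a years-old breached term respectively, and only the last is accepted. In a real deployment the breached set would be a large feed checked by hash rather than a literal set in memory.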

For more information about the research, check out the full data and analysis here.

 

The post Research Reveals ‘Password’ Still the Most Common Term Used by Hackers to Breach Enterprise Networks appeared first on IT Security Guru.

KrebsOnSecurity in Upcoming Hulu Series on Ashley Madison Breach

KrebsOnSecurity will likely have a decent amount of screen time in an upcoming Hulu documentary series about the 2015 megabreach at marital infidelity site Ashley Madison. While I can’t predict what the producers will do with the video interviews we shot, it’s fair to say the series will explore compelling new clues as to who may have been responsible for the attack.

The new docuseries produced by ABC News Studios and Wall to Wall Media is tentatively titled, “The Ashley Madison Affair,” and is slated for release on Hulu in late Spring 2023. Wall to Wall Media is part of the Warner Bros. International Television Production group.

“Featuring exclusive footage and untold firsthand interviews from those involved, the series will explore infidelity, morality, cyber-shaming and blackmail and tell the story of ordinary people with big secrets and a mystery that remains unsolved to this day,” reads a Jan. 12, 2023 scoop from The Wrap.

There are several other studios pursuing documentaries on the Ashley Madison breach, and it’s not hard to see why. On July 19, 2015, a hacker group calling itself The Impact Team leaked Ashley Madison internal company data, and announced it would leak all user data in a month unless Ashley Madison voluntarily shut down before then.

A month later, The Impact Team published more than 60 gigabytes of data, including user names, home addresses, search history, and credit card transaction records. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. It’s impossible to say how many users lost their jobs or marriages as a result of the breach.

I’m aware that there are multiple studios working on Ashley Madison documentaries because I broke the story of the breach in 2015, and all of those production houses approached me with essentially the same pitch: It would be a shame if your voice wasn’t included in our project.

What stood out about the inquiry from Wall to Wall was that their researchers had already gathered piles of clues about the breach that I’d never seen before.

I’d assumed that participating in their documentary would involve sitting for a few interviews about known historical facts related to the breach. But when Wall to Wall shared what they’d found, I was hooked, and spent several weeks investigating those leads further.

The result was a collaborative research effort revealing key aspects of the breach that have somehow escaped public notice over the years.

I won’t go into detail on what we discovered until the Hulu series is ready for release. Also, I am not privy to what they will produce with the interviews I gave. I can’t say that what we found untangles everything about the breach that was previously unknown, but it sure explains a lot.

JD Sports admits data breach

JD Sports has warned customers that bought items on its website, as well as those of Size?, Blacks and Millets, between November 2018 and October 2020 may have been impacted in the breach.

The company has urged customers to be wary of potential phishing emails, calls and texts in the aftermath of the breach, while claiming they were proactively contacting those whose details were confirmed to be stolen. Paul Bischoff, Consumer Privacy Advocate at Comparitech echoed this sentiment, warning that “customers of JD and its affiliated brands should be on the lookout for targeted phishing messages from JD or a related company. These emails will attempt to get victims to click on a link or malicious attachment. The links might go to imitation login pages where victims are tricked into handing over their passwords or payment info. Never click on links or attachments in unsolicited messages!”

While it is not believed that passwords or full payment card data were exposed, JD Sports has admitted that cybercriminals may have gained access to the final four digits of customers’ payment cards.

Neil Greenhalgh, CFO at JD Sports, apologised to affected customers and confirmed that the company is working to mitigate damages.

“We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD,” he said.

A spokesperson for the Information Commissioner’s Office later confirmed it was working with the retailer to get to the bottom of the breach.

“We have been made aware of a cyber incident involving the retailer JD Sports and we are assessing the information provided,” they said.

The breach comes amidst a spate of high-profile cyberattacks in recent weeks, including on the UK newspaper The Guardian and email marketing service Mailchimp. Jamie Akhtar, CEO and co-founder of CyberSmart, notes that “JD Sports is the latest British household name to fall prey to a cyber attack. And this really fits the trend we’re seeing; the current economic downturn has led to cybercriminals redoubling their efforts to steal potentially valuable personal data.” 

Aside from the economic downturn, some experts have cited a fluctuating technology landscape as a key factor in these high-profile cyberattacks.

“The JD Sports cyber incident is a reminder for all organisations that globally we can expect an increase in breaches due to our digital dependence, especially as businesses recover from the COVID technology shifts, and continuing threat shifts. Sadly, whilst companies spent years solidifying their capabilities for GDPR, in the last couple of years data has become far more fragmented by quick shifts to the cloud,” said Greg Day, SVP and Global CISO at Cybereason.

Erfan Shadabi, Cybersecurity Expert at comforte AG, argued that cyberattacks on large retail and e-commerce businesses should come as no surprise, considering the enormous amount of sensitive personal data (PII) about existing and prospective customers, as well as their dependence on transactions to drive their business forward.

“Retailers and e-commerce organizations must absolutely assume that their environment is currently under attack and protect this sensitive data accordingly. Businesses in these sectors need to apply data-centric protection to any sensitive data within their ecosystem (PII, financial, and transactional) as soon as it enters the environment and keep it protected even as employees work with that data. By tokenizing any PII or transactional data, they can strongly protect that information while preserving the original data format, making it easier for business applications to support tokenized data within their workflows,” he said.
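To make the tokenisation point concrete: the following Python vault is an added example, not comforte AG’s or JD Sports’ code, showing format-preserving tokenisation of a card number. A token keeps the length, spacing and last four digits of the real number (the part a retailer needs for receipts and customer service), so existing applications can carry it unchanged, while the mapping back to the real value lives only in the vault and is released only to an authorised role. The card number, the HMAC key and the ‘payments’ role name are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

DIGITS = "0123456789"


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _apply_layout(original, new_digits):
    """Put new digits into the original's layout, keeping spaces and dashes in place."""
    it = iter(new_digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in original)


class TokenVault:
    """Vault-based, format-preserving tokenisation (added example, not a vendor product).

    A token has the same length and digit layout as the card number it replaces and keeps
    the last four digits, so applications can display and route it unchanged; the real
    value is only recoverable through the vault, and only by an authorised role."""

    DETOKENIZE_ROLES = {"payments"}      # assumed role name; every other role is refused

    def __init__(self, key):
        self._key = key                  # keyed fingerprint so equal inputs map to one token
        self._digits_to_value = {}       # token digits -> original formatted value
        self._fp_to_token = {}           # fingerprint of original -> issued token

    def _fingerprint(self, digits):
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        digits = re.sub(r"\D", "", pan)
        fp = self._fingerprint(digits)
        if fp in self._fp_to_token:      # stable token for a repeat customer
            return self._fp_to_token[fp]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in digits[:-4])
            candidate = body + digits[-4:]
            # Design choice: tokens deliberately fail Luhn, so a leaked token can never
            # be mistaken for, or used as, a real card number.
            if (candidate != digits and not luhn_valid(candidate)
                    and candidate not in self._digits_to_value):
                break
        token = _apply_layout(pan, candidate)
        self._digits_to_value[candidate] = pan
        self._fp_to_token[fp] = token
        return token

    def detokenize(self, token, role):
        """Only the assumed 'payments' role may recover the real value."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._digits_to_value[re.sub(r"\D", "", token)]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")          # constructed key, not for real use
    pan = "4111 1111 1111 1111"                            # constructed test card number
    tok = vault.tokenize(pan)
    print(pan, "->", tok, "| luhn valid:", luhn_valid(tok.replace(" ", "")))
    print("payments role recovers:", vault.detokenize(tok, "payments"))
```

The vault is kept in memory here; in production it is a separately secured store with its own access controls and audit log, which is exactly what makes tokenised data safe to hand to analytics, marketing and support systems that never need the real number.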

The post JD Sports admits data breach appeared first on IT Security Guru.

T-Mobile Data Breach: 37 million customers affected

Roughly 37 million T-Mobile customers have had their information stolen in a data breach, according to a statement published by the company late last night. Fortunately, T-Mobile has said that while hackers accessed names, addresses, and dates of birth, they were not able to access more sensitive information such as Social Security or credit card numbers. 

But according to Sam Curry, Chief Security Officer at Cybereason, “what is or isn’t sensitive is an important question to ask. Whether or not sensitive data and financial information was lost, isn’t the point. Customer information is a privilege to hold, not a right; and while it’s great that T-Mobile’s network wasn’t compromised in this instance, and that outright theft wasn’t enabled through loss of direct billing numbers, eroding privacy and making it easier for hackers to compromise identities is still important and sensitive.” 

T-Mobile has also revealed the hacker leveraged an application programming interface (API) to obtain the data. This isn’t the first time a major telecom has been hit with a data breach at the hands of an API issue – just last year the Australian organisation Optus suffered a similar fate, being forced to allocate $140m to rectify the issue. 

An attack of this magnitude was bound to make waves in the industry, and experts are waiting with bated breath for the results of T-Mobile’s investigation.

“It appears that T-Mobile moved quickly and, while the details aren’t yet known, the world is paying attention to the results of this investigation. Hackers are innovative, and companies with valuable data and services are always a target, but it remains to be seen if the compromises in 2023 are similar to the ones suffered by T-Mobile in 2021. Did the company learn from 2021? Was 2023 unique? Was this a case this time around if anyone can fail occasionally or is it worse than that? Only time and the facts will tell us and tell T-Mobile and fellow practitioners what the new lessons-to-be-learned are,” Curry continued. 

The post T-Mobile Data Breach: 37 million customers affected appeared first on IT Security Guru.

New T-Mobile Breach Affects 37 Million Accounts

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

Image: customink.com

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

The company said it first learned of the incident on Jan. 5, 2022, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022.

T-Mobile says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the filing reads. “We have made substantial progress to date, and protecting our customers’ data remains a top priority.”

Despite this being the second major customer data spill in as many years, T-Mobile told the SEC the company does not expect this latest breach to have a material impact on its operations.

While that may seem like a daring thing to say in a data breach disclosure affecting a significant portion of your active customer base, consider that T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every couple of years to make the class action lawyers go away is a drop in the bucket.

The settlement related to the 2021 breach says T-Mobile will make $350 million available to customers who file a claim. But here’s the catch: If you were affected by that 2021 breach and you haven’t filed a claim yet, please know that you have only three more days to do that.

If you were a T-Mobile customer affected by the 2021 incident, it is likely that T-Mobile has already made several efforts to notify you of your eligibility to file a claim, which includes a payout of at least $25, with the possibility of more for those who can document direct costs associated with the breach. OpenClassActions.com says the filing deadline is Jan. 23, 2023.

“If you opt for a cash payment you will receive an estimated $25.00,” the site explains. “If you reside in California, you will receive an estimated $100.00. Out of pocket losses can be reimbursed for up to $25,000.00. The amount that you claim from T-Mobile will be determined by the class action administrator based on how many people file a legitimate and timely claim form.”

There are currently no signs that hackers are selling this latest data haul from T-Mobile, but if the past is any teacher, much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.

T-Mobile customers should fully expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even send messages that include the recipient’s compromised account details to make the communications look more legitimate.

Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.

Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.

The Equifax Breach Settlement Offer is Real, For Now

Millions of people likely just received an email or snail mail notice saying they’re eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this particular offer is legit (if paltry), scammers are likely to soon capitalize on public attention to the settlement money.

One reader’s copy of their Equifax Breach Settlement letter. They received a check for $6.97.

In 2017, Equifax disclosed a massive, extended data breach that led to the theft of Social Security Numbers, dates of birth, addresses and other personal information on nearly 150 million people. Following a public breach response perhaps best described as a giant dumpster fire, the big-three consumer credit reporting bureau was quickly hit with nearly two dozen class-action lawsuits.

In exchange for resolving all outstanding class action claims against it, Equifax in 2019 agreed to a settlement that includes up to $425 million to help people affected by the breach.

Affected consumers were eligible to apply for at least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and TransUnion. Or, if you didn’t want to take advantage of the credit monitoring offers, you could opt for a cash payment of up to $125.

The settlement also offered reimbursement for the time you may have spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This was capped at 20 total hours at $25 per hour ($500), with total cash reimbursement payments not to exceed $20,000 per consumer.

Those who did file a claim probably started receiving emails or other communications earlier this year from the Equifax Breach Settlement Fund, which has been messaging class participants about methods of collecting their payments.

How much each recipient receives appears to vary quite a bit, but probably most people will have earned a payment on the smaller end of that $125 scale — like less than $10. Those who received higher amounts likely spent more time documenting actual losses and/or explaining how the breach affected them personally.

So far this week, KrebsOnSecurity has received at least 20 messages from readers seeking more information about these notices. Some readers shared copies of letters they got in the mail along with a paper check from the Equifax Breach Settlement Fund (see screenshot above).

Others said they got emails from the Equifax Breach Settlement domain that looked like an animated greeting card offering instructions on how to redeem a virtual prepaid card.

If you received one of these settlement emails and are wary about clicking the included links (good for you, by the way), copy the redemption code and paste it into the search box at myprepaidcenter.com/redeem. Successfully completing the card application requires accepting a prepaid MasterCard agreement (PDF).

The website for the settlement — equifaxbreachsettlement.com — also includes a lookup tool that lets visitors check whether they were affected by the breach; it requires your last name and the last six digits of your Social Security Number.

In February 2020, the U.S. Justice Department indicted four Chinese officers of the People’s Liberation Army (PLA) for perpetrating the 2017 Equifax hack. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

Equifax surpassed Wall Street’s expectations in its most recent quarterly earnings: The company reported revenues of $1.24 billion for the quarter ending September 2022.

Of course, most of those earnings come from Equifax’s continued legal ability to buy and sell eye-popping amounts of financial and personal data on U.S. consumers. As one of the three major credit bureaus, Equifax collects and packages information about your credit, salary, and employment history. It tracks how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit.

Americans currently have no legal right to opt out of this data collection and trade. But you can, and should, freeze your credit, which by the way can make your credit profile less profitable for companies like Equifax — because they make money every time some potential creditor wants a peek inside your financial life. Also, it’s probably a good idea to freeze the credit of your children and/or dependents as well. It’s free on both counts.

Optus telco data breach – what we know so far

Optus, an Australian telecoms provider, has become the latest high-profile victim of a data breach – with the alleged attacker demanding payment to buy back millions of customer records, having already made 10,000 public online. In the most recent developments, the attacker has now rescinded the threats and deleted the records from a data breach website. However, this does not change the fact that someone was able to access these customer records, including names, dates of birth, driver’s license numbers, addresses, phone numbers, Medicare numbers and passport numbers, in the first place, leaving many Optus customers feeling vulnerable.

But how did this happen?

It appears that an unauthenticated application programming interface (API) was to blame.

Curtis Simpson, CISO at Armis explained: “APIs are the entry point into the modern application and the data it processes. Exposures associated with APIs range from configuration-based to logic-based vulnerabilities that can be exploited to compromise platforms, networks, users, and data. Traditional edge security and application security testing capabilities are not identifying nor facilitating the remediation or protection against the exploitation of such exposures at scale across our cloud environments that continue to transform alongside our business operations. Real-time logic-based protections, API exposure analysis, prioritisation, and remediation through development stacks are examples of capabilities that must be embraced in order to safeguard modern web services.”

He continued: “Digital business is done over APIs. Our security programmes and technologies must continue to evolve around where our businesses live and operate.”

Adam Fisher, solutions architect at Salt Security elaborated further in his blog on the incident:

“Human error nearly always plays a role in breaches, but it’s not just a case of individuals being more careful. APIs touch all areas within an organisation, not just development. Typically, multiple teams share ownership across APIs. Often miscommunication (or incomplete communication) can lead to problems. For example, infrastructure teams may assume that the development team has already managed authentication requirements. They may believe that the API has already gone through a security review when, in fact, it hasn’t.

“Unfortunately, miscommunication is fairly commonplace. Moreover, in the case of Optus, it appears that the network team unintentionally made a test network available on the Internet, which could then be easily exploited.”

Professor John Goodacre, director of the UKRI’s Digital Security by Design challenge and professor of computer architectures at the University of Manchester, added:

“Cyber attackers work in a promiscuous world in which a single mistake in configuration or vulnerability in a digital system can be used to potentially steal data or perturb its operation. Connection with the Internet means this can originate from anywhere, with no one anywhere safe. Accepting that to err is human means everyone, everywhere can suffer attacks. Barriers need to be placed in systems by design that work to block the exploitation of vulnerabilities. The ISP and telco that deliver the Internet can see trends in traffic from where attacks originate, but if a single hacker’s request finds an open door in a remote system, there is little technology can do to differentiate this in isolation.”

Salt Security’s Fisher posited that there is value in organisations treating API security as its own discipline, particularly with the rise of digitisation and the APIs underpinning that movement. He advised ISPs and telcos to:

  • Know the risks – starting with the threats identified in the OWASP API Security Top 10
  • Ensure a cross-functional approach – API security must be communicated and supported cross-functionally across the organization
  • Continuously monitor APIs – in addition to having a complete API inventory, telcos and ISPs must continuously monitor the APIs in their environment for deviations in behavior.


“To identify potential API threats, organisations must understand how APIs normally operate within their environments. Having this insight will enable telcos to quickly identify and speed threat response before a bad actor accesses their critical user data…or worse,” Fisher concluded.
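The “understand how APIs normally operate, then watch for deviations” approach that Fisher and the three bullet points above describe can be reduced to a small baselining check. The script below is an added example written for this page; it is not Salt Security’s product, nor any telco’s tooling. The access-log format, client addresses, endpoints and the `enum_factor` threshold are all constructed for the illustration. It learns, from a window of known-good traffic, which endpoints exist (the inventory), which authentication modes each endpoint is normally called with, and how many distinct resource IDs a single client normally touches per endpoint. It then flags live traffic that hits an endpoint not in the inventory, calls an endpoint without the authentication the baseline expects, or walks far more distinct IDs than any baseline client did.

```python
"""Baseline-and-deviation check over constructed API access logs (added example)."""
import re
from collections import defaultdict

# One log line per request. Format and values are constructed for this example:
#   <timestamp> client=<addr> <METHOD> <path> auth=<mode> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>\w+) status=(?P<status>\d{3})$"
)

# Known-good traffic used to learn the baseline (constructed).
BASELINE_LOG = [
    "2022-09-20T10:00:01Z client=10.0.0.5 GET /api/v1/customers/1001 auth=bearer status=200",
    "2022-09-20T10:00:02Z client=10.0.0.5 GET /api/v1/customers/1001/orders auth=bearer status=200",
    "2022-09-20T10:00:03Z client=10.0.0.7 GET /api/v1/customers/2002 auth=bearer status=200",
    "2022-09-20T10:00:04Z client=10.0.0.7 PUT /api/v1/customers/2002 auth=bearer status=204",
    "2022-09-20T10:00:05Z client=10.0.0.9 GET /api/v1/health auth=none status=200",
]

# Later traffic to check (constructed): one external address walks eight customer
# records without any credential, then touches an endpoint the inventory never saw.
LIVE_LOG = [
    f"2022-09-22T03:10:{i:02d}Z client=203.0.113.44 GET /api/v1/customers/{3000 + i} "
    "auth=none status=200"
    for i in range(8)
] + [
    "2022-09-22T03:10:09Z client=10.0.0.5 GET /api/v1/customers/1001 auth=bearer status=200",
    "2022-09-22T03:10:10Z client=203.0.113.44 GET /internal/test/customers/3000 auth=none status=200",
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def endpoint_key(method, path):
    """Normalise numeric path segments to {id} so /customers/1001 and /customers/2002
    share one inventory entry. Returns (key, list_of_ids_seen_in_path)."""
    ids, parts = [], []
    for seg in path.split("/"):
        if seg.isdigit():
            ids.append(seg)
            parts.append("{id}")
        else:
            parts.append(seg)
    return f"{method} {'/'.join(parts)}", ids


def build_baseline(lines):
    """Learn, per endpoint: the auth modes seen and the largest number of distinct
    resource IDs any single client touched during the baseline window."""
    baseline = {}
    per_client_ids = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key, ids = endpoint_key(rec["method"], rec["path"])
        entry = baseline.setdefault(key, {"auth_modes": set(), "max_ids_per_client": 0})
        entry["auth_modes"].add(rec["auth"])
        per_client_ids[key][rec["client"]].update(ids)
    for key, clients in per_client_ids.items():
        baseline[key]["max_ids_per_client"] = max(len(s) for s in clients.values())
    return baseline


def detect_deviations(baseline, lines, enum_factor=5):
    """Return a list of finding tuples for traffic that departs from the baseline.
    enum_factor is a constructed threshold: a client touching more than
    enum_factor x the baseline maximum of distinct IDs is reported as enumeration."""
    findings = []
    reported_auth = set()  # report each (endpoint, client, auth mode) deviation once
    seen_ids = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line))
            continue
        key, ids = endpoint_key(rec["method"], rec["path"])
        entry = baseline.get(key)
        if entry is None:
            findings.append(("unknown_endpoint", key, rec["client"]))
            continue
        if rec["auth"] not in entry["auth_modes"]:
            marker = (key, rec["client"], rec["auth"])
            if marker not in reported_auth:
                reported_auth.add(marker)
                findings.append(("auth_deviation",) + marker)
        seen_ids[key][rec["client"]].update(ids)
    for key, clients in seen_ids.items():
        limit = baseline[key]["max_ids_per_client"] * enum_factor
        for client, ids in clients.items():
            if limit and len(ids) > limit:
                findings.append(("enumeration", key, client, len(ids)))
    return findings


if __name__ == "__main__":
    bl = build_baseline(BASELINE_LOG)
    for finding in detect_deviations(bl, LIVE_LOG):
        print(finding)
```

Run against the constructed logs, the baseline window produces no findings, while the live window yields exactly three: an `auth_deviation` for unauthenticated calls to `GET /api/v1/customers/{id}`, an `unknown_endpoint` for the `/internal/test/...` path that was never in the inventory, and an `enumeration` finding for the client that touched eight distinct customer IDs. In a real deployment the baseline would be learned continuously over a sliding window rather than from a fixed list, and the inventory would be reconciled against an API gateway or specification rather than inferred from logs alone.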

The post Optus telco data breach – what we know so far appeared first on IT Security Guru.

Samsung Hit By Data Breach

In late July, an undisclosed number of Samsung customers in the US had their personal information accessed by an unauthorised user.

Samsung, the Korean electronics giant, said that it discovered the breach on 4th August 2022. It has since secured the affected systems, engaged a third-party security firm and contacted law enforcement.

A statement issued by the firm said: “We want to assure our customers that the issue did not impact Social Security numbers or credit and debit card numbers, but in some cases, may have affected information such as name, contact and demographic information, date of birth, and product registration information.”

“The information affected for each relevant customer may vary. We are notifying customers to make them aware of this matter.”

Samsung also said that those affected by the incident are entitled to one free credit report annually from each of the three major US credit reporting agencies.

The stolen data could be desirable to cybercriminals for follow-on phishing attacks. The firm urged customers to be cautious of unsolicited messages and avoid clicking on links in suspicious emails.

Users should review their accounts for suspicious activity.

Recently, Samsung was compromised by the Lapsus$ extortion gang. In the breach, 190GB of its internal data was posted online, although it is believed that no customer information was taken.

The post Samsung Hit By Data Breach appeared first on IT Security Guru.

When Efforts to Contain a Data Breach Backfire

Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexico’s second-largest bank was fake news and harming the bank’s reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.

On August 3, 2022, someone using the alias “Holistic-K1ller” posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexico’s second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC), email addresses and balances on more than 10 million citizens.

There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold customer information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs — with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto.

But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently hired by Banorte to help respond to the data breach.

“The Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorte’s leaked databases,” reads a letter the Breached administrator said they received from Group-IB. “We ask you to remove this post containing Banorte data. Thank you for your cooperation and prompt attention to this urgent matter.”

The administrator of Breached is “Pompompurin,” the same individual who alerted this author in November 2021 to a glaring security hole in a U.S. Justice Department website that was used to spoof security alerts from the FBI. In a post to Breached on Aug. 8, Pompompurin said they bought the Banorte database from Holistic-K1ller’s sales thread because Group-IB was sending emails complaining about it.

“They also attempted to submit DMCA’s against the website,” Pompompurin wrote, referring to legal takedown requests under the Digital Millennium Copyright Act. “Make sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.”

Banorte did not respond to requests for comment. Nor did Group-IB. But in a brief written statement picked up on Twitter, Banorte said there was no breach involving their infrastructure, and the data being sold is old.

“There has been no violation of our platforms and technological infrastructure,” Banorte said. “The set of information referred to is inaccurate and outdated, and does not put our users and customers at risk.”

That statement may be 100 percent true. Still, it is difficult to think of a better example of how not to do breach response. Banorte shrugging off this incident as a nothingburger is baffling: While it is almost certainly true that the bank balance information in the Banorte leak is now out of date, the rest of the information (tax IDs, phone numbers, email addresses) is harder to change.

“Is there one person from our community that thinks sending a cease and desist letter to a hackers forum operator is a good idea?” asked Ohad Zaidenberg, founder of CTI League, a volunteer emergency response community that emerged in 2020 to help fight COVID-19 related scams. “Who does it? Instead of helping, they pushed the organization from the hill.”

Kurt Seifried, director of IT for the CloudSecurityAlliance, was similarly perplexed by the response to the Banorte breach.

“If the data wasn’t real… did the bank think a cease and desist would result in the listing being removed?” Seifried wondered on Twitter. “I mean, isn’t selling breach data a worse crime usually than slander or libel? What was their thought process?”

A more typical response when a large bank suspects a breach is to approach the seller privately through an intermediary to ascertain if the information is valid and what it might cost to take it off the market. While it may seem odd to expect cybercriminals to make good on their claims to sell stolen data to only one party, removing sold stolen items from inventory is a fairly basic function of virtually all cybercriminal markets today (apart from perhaps sites that traffic in stolen identity data).

At a minimum, negotiating or simply engaging with a data seller can buy the victim organization additional time and clues with which to investigate the claim and ideally notify affected parties of a breach before the stolen data winds up online.

It is true that a large number of hacked databases put up for sale on the cybercrime underground are sold only after a small subset of in-the-know thieves have harvested all of the low-hanging fruit in the data — e.g., access to cryptocurrency accounts or user credentials that are recycled across multiple websites. And it’s certainly not unheard of for cybercriminals to go back on their word and re-sell or leak information that they have sold previously.

But companies in the throes of responding to a data security incident do themselves and customers no favors when they underestimate their adversaries, or try to intimidate cybercrooks with legal threats. Such responses generally accomplish nothing, except unnecessarily upping the stakes for everyone involved while displaying a dangerous naiveté about how the cybercrime underground works.