What the security horror stories of 2023 should teach us
In Association with
From data breaches to internal mishaps, during 2023, security lessons came thick and fast.
While October may be the season for scary stories, this year has already seen a number of cyber security horror stories unfold. These nightmare scenarios were both critical and wide-ranging, with one having potentially dire long-term consequences. Where some data breaches can be mitigated with a good response, others can have a lasting impact on those involved.
MOVEit response
As horror stories go, Progress Software subsidiary Ipswitch had a scare that will undoubtedly haunt them for years to come when a vulnerability was heavily exploited in its managed file transfer application, MOVEit. The service is used extensively worldwide for automated, secure file transfer. However, roughly 600 of its customers were reportedly attacked via the platform when the CVE-2023-34362 vulnerability was exploited by the Russian affiliate hacking group CL0p.
The MOVEit Transfer platform is run on both servers and as SaaS application via the MOVEit cloud system. A key element of the application is a database running a form of SQL, where the vulnerability was discovered. Specifically, it was a SQL injection to remote code execution flaw (SQL-to-RCE) that enabled unauthenticated users to access the MOVEit servers remotely.
The total cost of the MOVEit breach is estimated to be more than $9 million by August, according to IBM’s Cost of a Data Breach Report 2023. Progress Software labeled the CVE-2023-34362 vulnerability with a severity rating of 9.8 out of 10 when it issued an advisory on 31 May 2023. It is also thought to be one of the biggest supply chain attacks in recent history with the ransomware gang using the exploit to extract data from companies including British Airways, the BBC, Maximus, Missouri Medicaid, and many more. Security experts even suggest it had similarities to the notorious SolarWinds exploit of 2020 and the Log4j flaw that surfaced in 2021.
However, despite being thrown into such a nightmare scenario, Progress Software was actually praised by many in the security community for its swift and proactive response to the vulnerability. This was achieved through diligent and timely publishing of patches and remedial advice, and also its work with other organizations and security authorities to shut down the vulnerability.
The lesson here is to plan for the worst and be ready to respond. While IT departments and security teams should prioritize proactively stopping threats and issues before they happen, nothing will soften the blow of a breach like a preplanned response and mitigation plan. Train your employees to know what they need to do in the event of a data breach, and have a step-by-step guide to follow.
There are best practices to follow and it starts with an investigation – establish the who, what, why, when, and how. And while those are being solved you should also address the three ‘Cs’ of a data breach – confirm, contain, and communicate. These are all necessary steps and, as Progress Software showed, it really helps if the whole organization knows them beforehand.
Data on spreadsheets
Sometimes a data breach can have a lasting impact, regardless of how well or quickly the remedial action is taken. This is certainly the case for the Police Service of Northern Ireland (PSNI) which suffered an internal data breach that surfaced in August of 2023.
While dealing with a Freedom of Information (FOI) request, the PSNI inadvertently published an entire Excel spreadsheet containing data pertaining to the names, ranks, and locations of its officers, including special forces and surveillance teams. Under the Freedom of Information Act 2000, members of the public can request information that is held by public authorities. In this case, it was a request made on 3 August to provide the number of officers at each rank and the number of staff members at each grade.
But they got more than they bargained for when a large Excel spreadsheet with over 10,000 lines of information was also made available by mistake. The PSNI referred to this as the ‘source data’ and said it shouldn’t have been released. Unfortunately, the information was online for almost three hours before it was spotted and taken down. In a press conference, assistant chief constable and risk information officer Chris Todd outlined the severity of the breach and just how critical it was.
“As a service, we are acutely aware of the seriousness of this breach and have declared it to be a critical incident,” Todd said. “We fully understand the very real concerns being felt by our colleagues and their families and we are working hard to do everything we can to mitigate any risk. We are working with our security partners and organizations to investigate this incident.”
Following the breach, PSNI officers and staff members were given personal security advice, and emergency threat assessment groups were set up for their welfare. The multi-disciplinary group’s focus was to offer immediate support to those with specific circumstances where they believed they or their families were at immediate risk or increased threat.
There are a number of lessons here; firstly it’s important to have a system in place to double-check communications and or information you’re publishing on a public site. While technology controls can save all kinds of errors, there is nothing as stringent as simply having protocols that keep members of staff accountable – proofreading emails and making sure attachments are correct for example.
However, if there is something that absolutely must be learned here, it is something we have already been taught. Excel - and other types of spreadsheets - should really be avoided for storing data, particularly in public offices where FOI requests are common or in places where data is critical.
This is not the first spreadsheet blunder to lead to a mass breach, despite regular warnings from the UK’s Information Commissioner’s Office (ICO), and it isn’t likely to be the last.
What goes around..
A final lesson teaches us that karma works just as painfully in cyber security as more than 100,000 hackers reportedly ended up compromising their own hardware, according to research firm Hudson Rock in August. The researchers identified some 120,000 devices infected with malware from login credentials for cyber crime forums. It is believed the hackers inadvertently infected their devices with a type of malware that steals information, which resulted in their details being leaked online.
‘Infostealers’ are a form of Trojan that is designed to gather data from the system it infects. Login information, such as user names and passwords, are the most common types of info they steal – these are typically sent to another system, where they can be seen and used by an unauthorized party.
Hudson Rock’s research suggested that these hackers had compromised their machines through their involvement in cyber crime forums that had a “substantial amount” of data exposed. The credentials found on infected devices included emails and usernames, as well as auto-fill data containing personal details such as names, addresses, and phone numbers. Comically, much of this could point to their real-world identities.
