InfoSec News
Cyber criminals cook up another data breach of 8 million Home Chef customers

May 21, 2020 By William Knowles (@c4i), Senior Editor, InfoSec News

Just as Chicago can’t go a whole week without a gang-related shooting, there’s another data breach in the news; sadly, this one happened down the road from InfoSec News’ office in Chicago, Illinois.

In a security alert posted on Home Chef’s website on Wednesday, May 20th, the Chicago-based, Kroger-owned meal company said it had learned of a data breach in which the following was stolen: email address, name and phone number, encrypted passwords, and the last four digits of credit card numbers. Other account information, such as frequency of deliveries and mailing address, may also have been compromised in the data breach.

Home Chef reports that it does not store complete credit or debit card information and states that “Protection of customer data is a top priority for Home Chef, and we work hard to safeguard our customers’ information.”

The Home Chef data breach statement continues “We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”

In early May 2020, BleepingComputer reported that a hacking group known as Shiny Hunters was selling over 70 million user records from eleven different companies on a dark web hacking marketplace, including eight million records for Home Chef; the asking price for Home Chef’s list was a mere $2,500.00.

While the Home Chef passwords were encrypted, Home Chef recommends that its users change their passwords out of an abundance of caution. InfoSec News recommends that all users seriously consider purchasing and using a password manager like KeePass, LastPass or 1Password to both safely store and create long, complex, hard-to-crack passwords.

Home Chef was founded in the summer of 2013 by Pat Vihtelic (now Home Chef’s CEO), who taught himself to code, built a website, and quit his job as an investment banker. Last year, Home Chef delivered over 10 million meals and expanded its delivery to cover more than 97% of the U.S. population.

In May 2018, Cincinnati-based Kroger (NYSE: KR), the nation’s largest operator of traditional supermarkets, agreed to buy Chicago-based Home Chef in a deal worth as much as $700 million.


Texas Department of Transportation reports ransomware attack on agency network

May 16, 2020 By William Knowles (@c4i), Senior Editor, InfoSec News

The Texas Department of Transportation said in a statement on Twitter that it was the victim of a ransomware attack on its agency network.

On May 14, 2020, there was unauthorized access to the network in a ransomware event, and TxDOT took immediate steps to isolate the incident and shut down any further unauthorized access.

“We believe we have a duty to inform our fellow Texans and our fellow state agencies of this unfortunate incident,” executive director James Bass said. “We want every Texan to rest assured that we are doing everything we can to swiftly address this issue. We also are working to ensure critical operations continue during this interruption.”

The Texas Department of Transportation says it is working closely with the FBI to find those responsible and prosecute them to the fullest extent of the law.

InfoSec News is trying to find out if this is a separate attack or related to the ransomware attack that crippled the Texas Supreme Court’s website earlier in the week.


Ransomware attack disables Texas Supreme Court’s website

May 13, 2020 By William Knowles (@c4i), Senior Editor, InfoSec News

On Friday, May 8th, the Office of Court Administration (OCA), the information technology (IT) provider for the appellate courts and state judicial agencies within the Texas Judicial Branch, identified a serious security event in the branch network, which was later determined to be a ransomware attack.

The attack began during the overnight hours and was first discovered in the early morning hours on Friday. The attack is unrelated to the courts’ migration to remote hearings amid the coronavirus pandemic.

Immediately upon discovery, OCA IT staff disabled the branch network including websites and servers to prevent further harm. The network has remained disabled since this time and will continue to do so until the breach is remediated.

OCA is working with law enforcement and the Texas Department of Information Resources (DIR) to investigate the breach. DIR and other information security authorities are providing assistance to OCA with recovery support.

OCA was able to catch the ransomware and limit its impact and will not pay any ransom. Work continues to bring all judicial branch resources and entities back online. In the meantime, a temporary website has been established with critical judicial branch information, including information concerning the COVID-19 pandemic.

In recent years, the majority of the Texas Judicial Branch entities supported by OCA have moved many IT functions to the cloud. These services have not been impacted by the attack. These cloud services include eFileTexas (for filing of documents), reSearchTX (for reviewing filed documents), collaboration tools for editing and sharing documents, and email.

This action will permit many of the courts and judicial branch agencies to continue operations and ensure that filing of documents can continue uninterrupted. At this time, there is no indication that any sensitive information, including personal information, was compromised.

Additionally, due to the structure of the IT function within the state judiciary, individual trial court networks throughout the state were unaffected by the cyberattack. Judicial branch employees supported by OCA have received training in cybersecurity in recent weeks and will continue to receive updated training.

Blake Hawthorne, Clerk of the Supreme Court of Texas, tweeted on Tuesday night: “I have a feeling that before long I will be giving a continuing legal education talk on the oddly specific topic ‘Operating a Court During a Pandemic and a Ransomware Attack.’”

In August 2019, 22 Texas towns were hit with a ransomware attack by “one single threat actor” who demanded a $2.5 million ransom.


National Security Agency releases guide to secure video conferencing

April 29, 2020 By William Knowles (@c4i), Senior Editor, InfoSec News
[Updated: June 21, 2020]

Last Friday, the National Security Agency released a guide, Selecting and Safely Using Collaboration Services for Telework, aimed mainly at U.S. Government employees and military service members who are working from home, but also well suited to business professionals.

This cybersecurity guidance contains a snapshot of current, commercially-available collaboration tools available for use, along with a list of security criteria to consider when selecting which capability to leverage. In addition, the guidance contains a high-level security assessment of how each capability measures up against the defined security criteria, which can be used to more quickly identify the risks and features associated with each tool.

Criteria to Consider When Selecting a Collaboration Service

The criteria below identify risks and features to consider when choosing collaboration services to support your mission. All criteria should be strongly considered but may not be fully supported based on your own operating environment and constraints. The criteria are intended to align with related USG guidance to include NIST SP 800-171r2 – Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations (Feb 2020) and NIST SP 800-46r2 Guide to Enterprise Telework, Remote Access and BYOD Security (Apr 2016).

1. Does the service implement end-to-end encryption?

End-to-end (E2E) encryption means that content (text, voice, video, data, etc.) is encrypted all the way from sender to recipient(s) without being intelligible to servers or other services along the way. Some apps further support encryption while data is at rest, both on endpoints (e.g. your mobile device or workstation) and while residing on remote storage (e.g. servers, cloud storage). Only the originator of the message and the intended recipients should be able to see the unencrypted content. Strong end-to-end encryption is dependent on keys being distributed carefully. Some services such as large-scale group video chat are not designed with end-to-end encryption for performance reasons.

2. Are strong, well-known, testable encryption standards used?

Even in the absence of end-to-end encryption, NSA recommends the use of strong encryption standards, preferably NIST-approved algorithms and current IETF secure protocol standards. Many collaboration services protect data-in-transit between clients and servers via the Transport Layer Security (TLS) version 1.2 (or later) secure protocol, which is commonly used for sensitive but unclassified information. The use of published protocol standards, such as TLS and DTLS-SRTP, is preferred. If the product vendor has created its own encryption scheme or protocol, it should undergo an independent evaluation by an accredited lab. This includes not just cryptographic protocols, but also key generation.

3. Is multi-factor authentication (MFA) used to validate users’ identities?

Without MFA, weak or stolen passwords can be used to access legitimate users’ accounts and possibly impersonate them during the use of the collaboration service. Multi-factor authentication requires that a second form of identification (code, token, out-of-band challenge, etc.) be provided to allow access to an existing account.

4. Can users see and control who connects to collaboration sessions?

The collaboration service should allow organizers to limit access to collaboration sessions to only those who are invited. This can be implemented through such features as session login passwords or waiting rooms, but preferably would support reasonably strong authentication. Users should also be able to see when participants join through unencrypted/unauthenticated means such as telephone calls.

5. Does the service privacy policy allow the vendor to share data with third parties or affiliates?

While collaboration services must often collect certain basic information needed to operate, they should protect sensitive data such as contact details and content. Collaboration information and conversations should not be shared with third parties. This could include metadata associated with user identities, device information, collaboration session history, or various other information that may put your organization at risk. Information sharing should be spelled out clearly in the privacy policy.

6. Do users have the ability to securely delete data from the service and its repositories as needed?

While no services are likely to support full secure overwrite/deletion capabilities, users should be given the opportunity to delete content (e.g. shared files, chat sessions, saved video sessions) and permanently remove accounts that are no longer used.

7. Has the collaboration service’s source code been shared publicly (e.g. open-source)?

Open-source development can provide accountability that code is written to secure programming best practices and isn’t likely to introduce vulnerabilities or weaknesses that could put users and data at risk.

8. Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?

NSA recommends that cloud services (which collaboration apps rely on) be evaluated under the Office of Management and Budget (OMB) FedRAMP program. NSA also recommends that collaboration apps be evaluated by independent testing labs under the National Information Assurance Partnership (NIAP) against the Application Software Protection Profile (PP) [1]. NSA has worked with the DHS S&T Mobile Security R&D Program to develop excellent semi-automatable testing criteria for app vetting based on the application PP [2]. These criteria include tests of how apps interact with platform resources, how they defend themselves from exploitation, the crypto libraries they use, what permissions they request, and many others.

9. Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?

Since it is well documented that some countries require that communications be provided to law enforcement and intelligence services, it may not be wise for certain USG missions to be performed on services hosted or developed under certain foreign legal jurisdictions. Users should be aware that the country of origin where products were developed is not always public knowledge. This criterion was not assessed in the table on page 5.

Selecting and Safely Using Collaboration Services for Telework. 
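Criterion 2 above sets a concrete floor for data in transit: TLS 1.2 or later. The following Python is an added example, not part of the NSA guidance or of this article, showing what that floor looks like as an actual client configuration in the standard `ssl` module, together with a check that classifies the protocol name an `ssl.SSLSocket.version()` call reports after a handshake. The constant and function names (`TRANSPORT_BASELINE`, `hardened_client_context`, `legacy_client_context`, `meets_transport_baseline`) are my own.

```python
import ssl
from typing import Optional

# Floor from the guidance for data in transit: TLS 1.2 or later.
# (Name is an assumption for this example.)
TRANSPORT_BASELINE = ssl.TLSVersion.TLSv1_2

# Protocol names as returned by ssl.SSLSocket.version(), mapped to the
# comparable ssl.TLSVersion enum so they can be ranked against the floor.
_KNOWN_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_client_context() -> ssl.SSLContext:
    """Corrected setting: a client context that refuses anything older than
    TLS 1.2 and requires a validated server certificate with hostname check."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname
    ctx.minimum_version = TRANSPORT_BASELINE  # reject SSLv3, TLS 1.0, TLS 1.1
    return ctx


def legacy_client_context() -> Optional[ssl.SSLContext]:
    """Weak setting, shown only for contrast: lets the server negotiate
    TLS 1.0, which does not meet the guidance. Returns None on OpenSSL
    builds that have TLS 1.0 compiled out."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        return None
    return ctx


def meets_transport_baseline(negotiated: Optional[str]) -> bool:
    """Return True only if the negotiated protocol name is at or above the
    TLS 1.2 floor. Unknown or missing names fail closed."""
    if not negotiated:
        return False
    version = _KNOWN_VERSIONS.get(negotiated)
    if version is None:
        return False
    return version >= TRANSPORT_BASELINE


def audit_negotiated_protocol(sock: ssl.SSLSocket) -> dict:
    """Summarise a live connection: protocol, cipher suite, and whether the
    protocol meets the floor. Intended for logging after a handshake."""
    protocol = sock.version()
    cipher = sock.cipher()
    return {
        "protocol": protocol,
        "cipher": cipher[0] if cipher else None,
        "meets_baseline": meets_transport_baseline(protocol),
    }


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum_version:", ctx.minimum_version.name)
    for name in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "bogus"):
        print(f"{name:8} meets baseline: {meets_transport_baseline(name)}")
```

To apply the check to a real service, wrap a connected socket with `hardened_client_context().wrap_socket(sock, server_hostname=host)` and pass the result to `audit_negotiated_protocol`; a server that cannot speak TLS 1.2 or later will fail the handshake rather than silently downgrade, which is the point of setting `minimum_version` instead of inspecting the version after the fact.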


Leading privacy and cybersecurity law firm investigates Tandem Diabetes Care data breach

April 20, 2020 By William Knowles (@c4i), Senior Editor, InfoSec News

It’s almost cliché at this point.

We take the privacy and confidentiality of our customers’ information very seriously and apologize for any inconvenience or concern this incident may cause our customers.

With the next sentence…

Tandem Diabetes Care, Inc. (“Tandem”) is committed to protecting the confidentiality and security of our customers’ information. Regrettably, this notice is to inform our customers of a recent phishing incident that may have involved some customer information.

Some customer information is “reputational risk management code” for only 140,781 customers.

We are continuing to invest heavily in cyber security and data protection safeguards. We are also implementing additional email security controls, strengthening our user authorization and authentication processes, and limiting the types of data permitted to be transferred via email.

On January 17, 2020, Tandem Diabetes Care learned that an unauthorized person gained access to a Tandem employee’s email account through a security incident commonly known as “phishing.”

Once we learned about the incident, we immediately secured the account and a cyber security firm was engaged to assist in our investigation. Our investigation determined that a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020 and January 20, 2020.

Through the investigation, Tandem Diabetes Care learned that some customers’ information may have been contained in one or more of the Tandem email accounts affected by the incident. The affected email accounts may have contained customer names, contact information, information related to those customers’ use of Tandem’s products or services, clinical data regarding their diabetes therapy, and in a few limited instances, Social Security numbers.

On LinkedIn, Tandem Diabetes Care lists some 935 employees but only three security people (understandably, some of the security team might have temporarily pulled their profiles offline). Tandem is currently looking for a Security Analyst II and a VP, Information Technology, but neither job description mentions knowing how to perform phishing exercises.

While you would think all this bad news would be terrible for Tandem Diabetes Care’s stock price, guess again: when the data breach was submitted to the U.S. Department of Health and Human Services on March 13, 2020, TNDM (Tandem Diabetes Care, Inc.) closed at $46.55 a share, and it closed on April 18, 2020 at $72.94 a share.

So it should come as no surprise that Stueve Siegel Hanson LLP, a small Kansas City law firm known for its eight-figure legal outcomes, would explore legal options for this data breach.

KANSAS CITY, Mo., April 1, 2020 /PRNewswire-PRWeb/ — Stueve Siegel Hanson LLP, a national leader in privacy and cybersecurity litigation, is investigating the data breach at Tandem Diabetes Care, Inc. that compromised the sensitive personal information of 140,000 patients, the firm announced today.

On January 17, Tandem discovered its email system had been hacked through a “phishing” scheme. An internal investigation showed several employee email accounts were compromised for three days between January 17 and January 20. The compromised information included names, email addresses, contact information, Social Security numbers and a range of patient data, including details related to customers’ use of Tandem products or services, and clinical data about diabetes therapy.

Tandem announced the data breach on March 16 and said it would notify affected customers. Individuals who receive these notifications can contact Stueve Siegel Hanson at 816.714.7105 or online to discuss their legal options.

Recognized by Law360 as “Cybersecurity & Privacy Group of the Year,” Stueve Siegel Hanson has prosecuted cases involving the largest data breaches in U.S. history, securing billions of dollars for affected customers. In 2019, the firm’s work included:

  • Securing final approval of a $1.5 billion settlement with Equifax in a nationwide class action resulting from its massive 2017 data breach;
  • Obtaining a $3.25 million settlement in a class action by optometrists following a data breach at the national testing organization for new eye doctors;
  • Serving as co-lead counsel against Capital One following a data breach affecting 106 million credit applicants; and
  • Pursuing a consumer lawsuit accusing Facebook of tracking users’ location information even after they opt-out of Location History features.
