
Wednesday, June 10, 2020

This doesn’t add up: Chartered Professional Accountants Canada Breached!

Most industries have a trade association or group. Its focus is to bring together leaders and members to discuss issues, communicate messages to the membership, and serve as a portal for the industry. Accounting is no different. In the US, the AICPA administers these tasks, and does so in a timely, exceptionally professional manner. Canada likewise has such a body for the accounting industry of our northern friends. Another commonality is that these organizations are frequent targets because of the data they hold on their members and clients. The Chartered Professional Accountants Canada (CPA Canada) recently found this out, as they were breached.

CPA Canada

Just as the name implies, the organization is involved with Canadian accountants, representing over 210k members. The organization provides accounting guidance to its membership. This service is vital for business, accounting firms, and the stock market.

Attack

The organization was unfortunately the victim of a successful phishing attack. On June 3, 2020, the organization notified the affected parties of the breach. Curiously, the organization was aware of the attack on April 24th, meaning it took over a month to notify the affected persons. The organization will not be disclosing the methodology used in the attack. On one level, this is understandable: the organization may not want the details published, as these could be used in other attacks as an indication of its security posture. Once the issue is corrected, though, the details could serve as a learning tool or use case for others.

Data

CPA Canada definitely held information useful to the attackers, namely the members' personal information: their contact details (names, addresses, email addresses, and employer name). The passwords and credit card numbers, fortunately, were encrypted. The list of persons was primarily composed of CPA Magazine subscribers, so it covered not just the members but also other stakeholders, totaling over 329k persons. Granted, the data involved was confidential. However, this could have been much worse if the other data had not been encrypted, or if the attackers had been able to pivot from this point and gain access elsewhere.

Post-Breach

The organization has notified its members and the others whose data was affected of the breach. The members and stakeholders were advised to change their passwords. The organization is also working with cybersecurity personnel to verify the system is secure and to determine exactly what data was copied. In addition, they naturally also contacted the appropriate law enforcement, the Canadian Anti-Fraud Centre, and other privacy authorities.

One point to take from this is that phishing continues to be, and will be for the foreseeable future, an absolutely viable attack. It has proven successful and will not slow down. Organizations need to continue training their employees for it. The system may be completely secure, but all it takes is the right person in the right department to click the link, open the attachment, etc., and we are off to the races.

References

Solomon, H. (2020, June 4). Canadian accounting association website gets hacked. Retrieved from https://www.itworldcanada.com/article/canadian-accounting-association-website-gets-hacked/431712

Solomon, H. (2020, June 8). Canadian accounting association website gets hacked. Retrieved from https://business.financialpost.com/technology/tech-news/canadian-accounting-association-website-gets-hacked

The Canadian Press. (2020, June 4). Canadian accountants’ association suffers cyberattack; data of nearly 330k affected. Retrieved from https://globalnews.ca/news/7025862/cpa-canada-accountants-cyberattack/

The IJ Staff. (2020, June 4). CPA Canada hacked, subscriber information exposed. Retrieved from https://insurance-portal.ca/article/cpa-canada-hacked-subscriber-information-exposed/


Saturday, May 30, 2020

Sberbank Breached



Banks are located throughout the world. They perform vital services for consumers and commercial organizations in every country in which they operate, and they are connected to the respective nation’s banking systems. Another commonality is that they hold a mass amount of data. This is very attractive to attackers for many reasons, and it is a concern for consumers, since their personally identifiable information (PII) can end up in the hands of unauthorized persons. Sberbank was targeted, and data was removed without its authorization. Sberbank is Russia’s largest bank, holding 45% of all retail deposits and 41% of consumer loans. The Russian state owns the controlling stake in the bank.
Attack
Obviously, the attack was successful, which is a problem. The organization estimates the breach occurred near the end of August 2019. The cause of this breach is unfortunately somewhat common, in the US and abroad. With employees, there is always the chance of an internal threat from a disgruntled, greedy, or unhappy employee. In this case, the bank reported that the breach was due to an employee’s intentional acts. The bank noted it had to be an internal employee, because the data was stored in a location it considered impossible to breach from outside.

Later, the speculation ended when the bank reported the attacker had been apprehended. The investigation focused on the employee, who eventually confessed. The employee was the head of one of the bank’s divisions and, as part of that role, had access to the databases, which explains how the data was exfiltrated despite its remote location and restricted access.
Data
With the attack, the personal data of millions of Sberbank customers was allegedly leaked, at least initially. Fortunately for the affected persons, the target was the data itself; the funds in the affected persons’ account(s) were not targeted. The bank initially estimated that 60M Sberbank credit cardholders had their personal data stolen and put up for sale on the dark web. This estimate appears to have been inflated, and the true number was far less, possibly as low as 5k. The last reported sale price was $0.08 per record.

Surprisingly, the data leak and the data for sale were not noticed by the bank. Even if the amount of data was only the 5k records, seemingly this should have triggered some form of alarm. After all, even a division manager probably would not need to download 5k individual records; that position would be more engaged with summaries and forward-looking goals. The oversight came to light when DeviceLock, a cybersecurity organization, noticed the data for sale on the dark web. At times a seller makes fantastic claims about the composition of the data for sale. In this case, however, a sample of 200 credit card holders’ data was verified, indicating it was real. The data taken included the credit card details excluding the three-digit CVV, and place of employment for the last ten years. While the affected persons have a bit of good news in that the CVV was not part of the leak, they may still be targeted for fraud given the nature of the data itself.
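One concrete form of the alarm the paragraph above says should have fired: an added example, not Sberbank’s or DeviceLock’s tooling, that sums each account’s daily row count against sensitive tables and flags a day that exceeds a hard cap or a multiple of that account’s own prior median. The audit-log format, user names, table names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed database audit log (not Sberbank's): one line per query with the
# account, its role, the table touched and the number of rows returned.
SAMPLE_AUDIT_LOG = """\
2019-08-26T09:12:03Z user=d.ivanov role=division_head table=cardholders rows=12
2019-08-26T10:40:51Z user=d.ivanov role=division_head table=cardholders rows=8
2019-08-27T09:05:12Z user=d.ivanov role=division_head table=cardholders rows=15
2019-08-27T11:30:00Z user=a.petrova role=analyst table=loan_summary rows=2000
2019-08-28T08:59:44Z user=d.ivanov role=division_head table=cardholders rows=9
2019-08-28T22:41:07Z user=d.ivanov role=division_head table=cardholders rows=5200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"day": date.fromisoformat(m["ts"][:10]), "user": m["user"],
                           "table": m["table"], "rows": int(m["rows"])})
    return events

def find_bulk_access(events, sensitive_tables, absolute_cap=1000, ratio=10):
    """Sum each user's rows per day from sensitive tables and flag a day that
    exceeds a hard cap or `ratio` times the median of that user's prior days."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["table"] in sensitive_tables:
            per_user_day[e["user"]][e["day"]] += e["rows"]
    alerts = []
    for user, days in per_user_day.items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            prior = [t for _, t in ordered[:i]]
            baseline = median(prior) if prior else None
            reasons = []
            if total > absolute_cap:
                reasons.append(f"{total} rows exceeds cap of {absolute_cap}")
            if baseline and total > ratio * baseline:
                reasons.append(f"{total} rows is {total / baseline:.0f}x prior median {baseline:g}")
            if reasons:
                alerts.append({"user": user, "day": day.isoformat(),
                               "rows": total, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_bulk_access(parse_log(SAMPLE_AUDIT_LOG), {"cardholders"}):
        print(a["user"], a["day"], a["rows"], "; ".join(a["reasons"]))
```

The per-user baseline matters more than the fixed cap: a manager who normally pulls a few dozen rows a day stands out at a few thousand even when an analyst role legitimately reads far more.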
Follow-Through
After the bank was notified, it reported this and is working closely with law enforcement and the Central Bank of Russia to find the culprits. As noted, this was beneficial as the

Resources
Auyezov, O., & Lyrchikova, A. (2019, October 3). Russia’s Sberbank investigating potential client data leak. Retrieved from https://www.reuters.com/article/us-sberbank-russia-dataprotection/russias-sberbank-investigating-potential-client-data-leak-idUSKBIN1@i0Wl

Hinchliffe, R. (2019, October 9). Russia’s Sberbank catches internal culprit of data leak. Retrieved from https://www.fintechfutures.com/author/hinchliffer/

Leprince-Ringuet, D. (2019, October 4). Russia’s Sberbank investigates credit card data leak. Retrieved from https://www.zdnet.com/article/russieas-sberbank-investigates-credit-card-data-leak

Ljubas, Z. (2019, October 19). Russia: Huge data leak hits Sberbank. Retrieved from https://www.occrp.org/en/daily/10797-russia-huge-data-leak-hits-sberbank

PMNTS. (2019, October 4). Russia’s Sberbank investigating potential client data leak. Retrieved from https://www.pymnts.com/news/security-and-risk/2019/russias-sberbank-investigating-cleint-data-leak/

Spadafora, A. (2019, October 3). Russia’s Sberbank hit with huge data leak. Retrieved from https://www.techradar.com/news/russias-sberbank-hit-with-huge-data-leak

The Moscow Times. (2019, October 3). Sberbank hit by huge data breach. Retrieved from https://www.themoscowtimes.com/2019/10/03/sberbank-hit-by-huge-data-breach-a67570

The Moscow Times. (2019, October 3). Sberbank hit by huge data breach. Retrieved from https://www.wedn.com/2019/10/03/sberbank-hit-by-huge-data-breach/

Walker, J. (2019, October 8). Sberbank of Russia completes investigation into the dark web data leak. Retrieved from https://portswigger.net/daily-swig/sberbank-of-russia-completes-investigation-into-dark-web-data-leak

Thursday, August 30, 2018

Insecure code will cause problems

For consumers, ease of use in the user experience (UX) is paramount. This aspect of daily life draws consumers to a service. One such area is entertainment and recreation: to attend certain events, a ticket for entrance is required, and one online option for purchasing it is Ticketmaster. Ticketmaster, like many other organizations in this field, is multinational. Within the UK arm of Ticketmaster, an issue was recently detected.

Affected Parties
As this organization is so large, a mass number of clients were affected. An estimated 40K clients purchased tickets within the exposure period ending June 23, 2018. The exposure was through Ticketmaster and other websites owned by Ticketmaster, namely Ticketweb and Get Me In!. Affected customers may, unfortunately, become victims of identity theft and fraudulent use of their credit cards.

Compromise
This was not a quick operation by attackers breaching the organization for notoriety. The breach and subsequent compromise occurred over several months, estimated from September 2017 to June 23, 2018. The organization was notified of the breach in April 2018. The issue was disclosed on June 23, 2018.
From this issue, the clients’ personal data was exfiltrated. This included the clients’ names, addresses, phone numbers, payment data, Ticketmaster logins, and passwords. The attackers are still unknown.
The organization should have known there was an issue from the various indicators. The InfoSec team should have noticed something was not correct when the logs were reviewed. What actually brought this to Ticketmaster’s attention was an increase in fraud complaints.
The cause of this issue was a simple copy/paste. Ticketmaster recycled code from one of its contractors, Inbenta. The code was originally used in a chat function and was written with functionality in mind, not security. Through this code, the attackers were able to monitor the inflow of data from the clients’ orders. The JavaScript was never coded for use on a payment page. Although the intent was to save cost, security was not a focus in the SDLC.
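The defensive check this paragraph points to is an inventory of what a checkout page actually loads: any script from an origin not approved for the payment flow, any script without a Subresource Integrity pin, and any inline code. The following is an added example, not Ticketmaster’s or Inbenta’s code; the page markup, hostnames and the placeholder integrity value are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (not Ticketmaster's markup): a first-party payment
# script pinned with SRI, a vendor chat widget loaded without one, and inline code.
CHECKOUT_HTML = """
<html><head>
<script src="https://static.shop.example/js/payment.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form id="card-form">card number, expiry, CVV</form></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its attributes and any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({**dict(attrs), "inline": ""})
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts[-1]["inline"] += data.strip()
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def sri_hash(source_bytes):
    """The value an integrity attribute must carry for exactly these bytes."""
    digest = hashlib.sha384(source_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode()

def audit_checkout_scripts(html, allowed_origins):
    """Return (finding, detail) pairs for scripts a payment page should not
    load unreviewed: unexpected origins, no SRI pin, and inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s.get("src")
        if src is None:
            findings.append(("inline-script", s["inline"][:40]))
            continue
        u = urlparse(src)
        if f"{u.scheme}://{u.netloc}" not in allowed_origins:
            findings.append(("origin-not-allowed", src))
        if not s.get("integrity"):
            findings.append(("missing-sri", src))
    return findings
```

A pinned hash means a file altered at the vendor’s end is refused by the browser instead of executed on the card form; the cost is that every legitimate vendor update must be re-reviewed and re-pinned.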
Handling
The issue was not handled exceptionally well. Generally, the entity should embrace the best practice of urgency, transparency, and empathy. Ticketmaster was notified of the breach and elected not to act on it for a month. Ticketmaster did eventually warn the affected customers; the primary recommendation was for clients to reset their passwords. The company should have recognized that if a mistake is made, you own it and accept the responsibility. That responsibility should not be shifted to third parties. In this case, Ticketmaster attempted to push the blame onto the contractor, since the code was originally theirs.

Lessons Learned
Any entity should be open and honest when there is a breach; this may help minimize the potential exposure and effects. The code was part of the application and should have been secure. When this does not cc


Resources
CISOMAG. (2018, June 28). Ticketmaster hacked, payment information of several customers may have been compromised. Retrieved from https://www.cisomag.com/ticketmaster-hacked-payment-information-of-several-customers-may-have-been-compromised/

Freedman, L.F. (2018, July 5). Ticketmaster hit with malware compromising UK customer’s data. Retrieved from https://www.dataprivacyandsecurityinsider.com/2018/07/ticketmaster-hit-with-malware-compromising-uk-customers-data/

Levin, A. (2018, June 28). Why the Ticketmaster UK breach could happen to your organization. Retrieved from https://adamlevin.com/2018/06/28/ticketmaster-uk-breach/

Ticketmaster. (2018). Information about data security incident by third party supplier. Retrieved from https://security.ticketmaster.co.uk/

Townsend, K. (2018, June 28). Ticketmaster blames third party over data breach. Retrieved from https://www.securityweek.com/ticketmaster-blames-third-party-over-data-breach

Whittaker, Z. (2018, June 28). Inbenta, blamed for Ticketmaster breach, admits it was hacked. Retrieved from https://www.zdnet.com/article/inbenta-blamed-for-ticketmaster-breach-says-other-sites-not-affected/

Zhou, M. (2018, June 28). Ticketmaster says credit card data may have been stolen in UK breach. Retrieved from https://www.cnet.com/news/ticketmaster-hit-by-data-breach-in-the-uk/

Thursday, June 21, 2018

Railway breach in Europe



For a business to be targeted, there needs to be something of value to exfiltrate. Attackers are not going to go through the effort of the full attack cycle for practice. If a breach does happen, there should be tools in place monitoring activity so that the attacker’s actions are noticed and halted. An incident occurred in Europe on the railway system. A traveler on the rail in Europe naturally has to purchase a ticket, and that process collects the usual information: credit card numbers, full legal name, mailing address, email, and phone numbers. This information in its entirety is a nice target for any attacker; this sensitive data, used in unison, could enable a fair number of successful attacks.

Such an incident occurred in late 2017. On November 29, 2017, the Rail Europe system was breached. As if that were not bad enough, the attackers retained access from the breach (November 29, 2017) through February 16, 2018. During this time, the attackers had ample opportunity to exfiltrate the PII and other data they desired. To make matters worse, Rail Europe was not aware it had been breached; a bank affiliated with RENA noticed and informed the company. The number of affected clients was unknown. The number could be rather substantial, as RENA had transactions with 5M Americans.

The recommendation at this point is for RENA customers to change their password and watch their accounts. There is also identity theft protection available, which over the long term may not have a substantial amount of value, as the attackers would be able to use certain data indefinitely, not just for a year.

The vulnerability involved the webpage used by the clients. This was infected with malware coded to log the clients’ information, including debit and credit card numbers, expiration dates, and the important CVV numbers.

There are several areas to focus on with this compromise. Primarily, the lesson is to monitor the logs, network, and access. The business should have known something was occurring within the network over the three months of exfiltrating so many records (https://www.informationsecuritybuzz.com/expert-comments/rail-europe-customer-data-breach/). This amount of traffic should have been noticed on some level at some point in time.


Bank Client's PII Valuable


Banks have the privilege of collecting our data and storing it for their uses. In doing so, the banks act as stewards of this data. Being a responsible steward, there are certain aspects of InfoSec which a reasonably prudent bank would deploy to protect the bank, its assets, and its customers’ data.

Apparently, there was an issue at two banks which allowed an oversight to occur (https://www.ehackingnews.com/2018/05/two-financial-institutions.html, http://www.palada.net/index.php/2018/05/29/news-6184/, & http://www.cbc.ca/news/business/simplii-data-hack-1.4680575). In May 2018, the Bank of Montreal and Simplii Financial, owned by CIBC, announced their alleged breach. Simplii Financial is CIBC’s direct banking brand. The affected clients number approximately 90k people. These accounts may have been accessed by the attacker or by the people the data was sold to, as evidenced by the Bank of Montreal receiving a tip stating that a limited number of people’s accounts had been accessed by unauthorized parties.

After the breach was noted and analysis began, Simplii began to implement additional measures to improve its online cybersecurity. This included, but was not limited to, fraud monitoring and closer monitoring of online banking.

To make things worse, the attackers threatened to release the data from the compromise and exfiltration unless they were paid $1M on or before May 28th. The Bank of Montreal did not pay the attackers’ ransom and is instead focusing its efforts on its clients.

In this day and age, banks and other entities and institutions have to be more proactive in implementing defense in depth to ensure, as much as possible, the security of their clients’ data. At times, budgets, internal politics, and other timing issues slow these implementations. These, however, should be pushed to the front of development and implementation. The alternative is to be breached, publish the breach while claiming only highly trained “hackers” could have done this, etc., and pay the fees.