At a glance.

  • US electric utility experiences third-party data breach.
  • Afni, Inc. announces customer data breach one year after the fact.
  • Razer sues vendor over data breach.
  • Comment on the Adversary-in-the-Middle phishing campaign Microsoft discovered.

US electric utility experiences third-party data breach. 

Colorado Springs Utilities, a municipally owned utility serving Colorado Springs in the US state of Colorado, has disclosed a data breach that occurred last month. KRDO reports that an unauthorized party accessed customer information held by one of the company’s third-party subcontractors. The subcontractor’s system did not hold customer financial information, but the compromised data includes names, addresses, account numbers, phone numbers, and email addresses. That combination is exactly what a billing-themed phishing call or email needs to look authentic, so affected customers should treat unexpected “account” contacts with suspicion. Impacted individuals will be receiving notification letters over the next few days.

Afni, Inc. announces customer data breach one year after the fact.

JDSupra reports that Afni, Inc., a US business-services company based in the state of Illinois, suffered a data breach in June of 2021. Though the incident occurred almost exactly a year ago, Afni only today began officially notifying impacted customers. After “anomalous activity” was discovered on Afni’s systems last June, an investigation revealed that an unauthorized party had gained access to the company’s computer systems on or before June 7, 2021. Further investigation indicated the intruder may have viewed and potentially exfiltrated customer data including names, addresses, Social Security numbers, and dates of birth. It’s unclear why Afni waited a full year to file an official notice of the breach, but JDSupra speculates that the delay could have been due to a law enforcement investigation or a prolonged probe to determine exactly what data had been affected.

Razer says vendor played a dangerous game with customer data. 

American-Singaporean gaming hardware manufacturer Razer is suing a vendor over a 2020 data breach that exposed customer and sales data, and the civil trial in Singapore’s High Court commenced yesterday. TODAY reports that approximately 100,000 Razer customers were impacted in the incident. Razer claims that an employee at the vendor, IT solutions provider Capgemini, caused the breach by recommending that Razer use an ELK Stack (Elasticsearch, Logstash, and Kibana) platform for storing its data. The breach was allegedly traced to a misconfiguration in the ELK Stack, and Razer claims the Capgemini employee was responsible for configuring and troubleshooting the system. Razer’s lawyers stated, “Razer understands that Capgemini wants to dig in and ditch Razer at this altar of liability due to reputational issues. However, Capgemini was engaged for the job and was paid in full for it. Capgemini should therefore do the right thing by its customer — stand up and take responsibility.” Capgemini says the ELK Stack misconfiguration was not its fault, and that the employee in question resolved the issue as soon as it was discovered. Razer is suing Capgemini for $7 million in losses. The trial is set to continue through the end of the week.
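The report says only that the breach was traced to an “ELK Stack misconfiguration” and does not say which one. The most common such misconfiguration is an Elasticsearch HTTP API bound to a public interface with security left disabled (the 7.x default), which lets anyone read every index. The following is an added example, not Razer’s or Capgemini’s configuration or code: a small checker that audits a flat elasticsearch.yml for that pattern and classifies a node’s response to an unauthenticated GET /. The sample configs and responses are constructed; the version-specific default (security off unless xpack.security.enabled is set) is assumed to be the 7.x behaviour.

```python
"""Audit an Elasticsearch node for the classic 'open ELK' misconfiguration.

Added example, not the code of any party in the Razer/Capgemini case.
Assumes Elasticsearch 7.x defaults: security disabled unless
xpack.security.enabled is explicitly true, network.host bound to loopback
unless set otherwise.
"""
import json
import urllib.error
import urllib.request

LOOPBACK = {"127.0.0.1", "localhost", "_local_", "::1"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines of elasticsearch.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_settings(settings):
    """Return a list of findings; an empty list means no exposure pattern found."""
    findings = []
    host = settings.get("network.host", "127.0.0.1")   # 7.x default: loopback only
    security = settings.get("xpack.security.enabled", "false")  # 7.x default: off
    remotely_reachable = host not in LOOPBACK
    if remotely_reachable and security != "true":
        findings.append(
            f"network.host={host} with xpack.security.enabled={security}: "
            "unauthenticated remote read/write of every index")
    if remotely_reachable and settings.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("HTTP API reachable remotely without TLS")
    return findings


def classify(status, body):
    """Classify an HTTP reply to GET / on port 9200.

    'open'      - cluster banner returned without credentials (exposed)
    'protected' - node demanded authentication
    'unknown'   - not recognisably Elasticsearch
    """
    if status == 401:
        return "protected"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def probe(url, timeout=5):
    """Live check against a node you are authorised to test, e.g. http://host:9200/."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample configs: the weak one beside the corrected one.
WEAK_CONFIG = """
cluster.name: prod-logs
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
# xpack.security.enabled not set: 7.x default is disabled
"""

HARDENED_CONFIG = """
cluster.name: prod-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Constructed sample replies, shaped like a real 7.x node's GET / responses.
OPEN_REPLY = json.dumps({"name": "node-1", "cluster_name": "prod-logs",
                         "version": {"number": "7.10.2"},
                         "tagline": "You Know, for Search"})
PROTECTED_REPLY = json.dumps({"error": {"type": "security_exception",
                                        "reason": "missing authentication credentials"},
                              "status": 401})

if __name__ == "__main__":
    print("weak config:", audit_settings(parse_flat_yaml(WEAK_CONFIG)))
    print("hardened config:", audit_settings(parse_flat_yaml(HARDENED_CONFIG)))
    print("open node reply ->", classify(200, OPEN_REPLY))
    print("protected node reply ->", classify(401, PROTECTED_REPLY))
```

Run `probe("http://<host>:9200/")` only against nodes you own; a result of `open` means the cluster banner came back with no credentials and every index is readable. Kibana fronting the cluster does not change this: the exposure is on Elasticsearch’s own HTTP port.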

Comment on the Adversary-in-the-Middle phishing campaign Microsoft discovered.

Microsoft Security researchers have found a campaign that uses adversary-in-the-middle (AitM) techniques to stage more effective business email compromise (BEC) attacks. Phishing messages directed victims to AitM sites that proxied the real sign-in page, capturing the password and the post-authentication session cookie as the victim logged in. Because the victim completes the multifactor step themselves, the captured cookie is accepted by the service even where multifactor authentication had been enabled. The attackers used stolen credentials and session cookies to access victims’ mailboxes for more effective and plausible BEC attacks against the victims’ colleagues. Microsoft says that more than 10,000 organizations have been affected since last September.
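The mechanism above, as an added simulation (not Microsoft’s research code or anything from the campaign): a relying party that accepts password plus one-time code, an attacker proxy that forwards the victim’s input to the real service and keeps the session cookie it gets back, and the same proxy failing against an origin-bound WebAuthn-style assertion. The origins, the test user, and the HMAC stand-in for the authenticator’s signature are assumptions made for the example.

```python
"""AitM phishing relay: why a replayed session cookie defeats OTP MFA and why an
origin-bound (WebAuthn/FIDO) assertion does not relay.

Added illustration only; all names, origins and the toy signing scheme are
assumptions. HMAC over the challenge and origin stands in for the real
public-key signature an authenticator produces over clientDataJSON.
"""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"       # assumed genuine sign-in origin
PHISH_ORIGIN = "https://login.example-sso.net"   # assumed attacker lookalike origin


class RelyingParty:
    """The genuine service: password + OTP, or an origin-bound assertion."""

    def __init__(self):
        # Constructed test user. 'key' stands in for the authenticator's private key.
        self.users = {"alice": {"password": "hunter2", "otp": "123456",
                                "key": secrets.token_bytes(32)}}
        self.sessions = set()

    def _issue_session(self):
        cookie = secrets.token_hex(16)   # a bearer token: whoever holds it is "alice"
        self.sessions.add(cookie)
        return cookie

    def login_with_otp(self, username, password, otp):
        u = self.users.get(username)
        if u is None:
            return None
        if not (hmac.compare_digest(u["password"], password)
                and hmac.compare_digest(u["otp"], otp)):
            return None
        return self._issue_session()    # MFA satisfied, but by whoever typed it

    def new_challenge(self):
        return secrets.token_hex(16)

    def login_with_webauthn(self, username, challenge, origin, signature):
        u = self.users.get(username)
        if u is None or origin != LEGIT_ORIGIN:   # RP accepts only its own origin
            return None
        expected = hmac.new(u["key"], f"{challenge}|{origin}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session()

    def is_valid_session(self, cookie):
        return cookie in self.sessions


def browser_sign_assertion(key, challenge, page_origin):
    """Model of browser + authenticator: the browser records the origin of the
    page that requested the assertion and the authenticator signs over it.
    Neither the user nor the page can substitute a different origin."""
    sig = hmac.new(key, f"{challenge}|{page_origin}".encode(),
                   hashlib.sha256).hexdigest()
    return page_origin, sig


class AitMProxy:
    """Attacker's reverse proxy at PHISH_ORIGIN; forwards everything to the RP."""

    def __init__(self, rp):
        self.rp = rp
        self.captured = []

    def relay_otp_login(self, username, password, otp):
        cookie = self.rp.login_with_otp(username, password, otp)
        if cookie:
            self.captured.append(cookie)   # the prize: a post-MFA session cookie
        return cookie                      # returned to the victim, who sees a normal login

    def relay_webauthn_login(self, username, victim_key, forge_origin=False):
        challenge = self.rp.new_challenge()           # fetched from the real RP
        # The victim's browser is on PHISH_ORIGIN, so that is what gets signed.
        origin, sig = browser_sign_assertion(victim_key, challenge, PHISH_ORIGIN)
        if forge_origin:
            origin = LEGIT_ORIGIN   # attacker rewrites the origin field in transit
        return self.rp.login_with_webauthn(username, challenge, origin, sig)


def otp_session_is_hijacked():
    """True: the proxy ends up holding a session the RP accepts."""
    rp = RelyingParty()
    proxy = AitMProxy(rp)
    proxy.relay_otp_login("alice", "hunter2", "123456")   # victim types creds + OTP
    return bool(proxy.captured) and rp.is_valid_session(proxy.captured[0])


def webauthn_relay_fails():
    """True: relayed assertion is rejected whether the origin is forwarded or forged."""
    rp = RelyingParty()
    proxy = AitMProxy(rp)
    key = rp.users["alice"]["key"]   # used only to simulate the victim's authenticator
    honest = proxy.relay_webauthn_login("alice", key)                    # origin mismatch
    forged = proxy.relay_webauthn_login("alice", key, forge_origin=True)  # signature mismatch
    return honest is None and forged is None


if __name__ == "__main__":
    print("OTP MFA defeated by relayed cookie:", otp_session_is_hijacked())
    print("WebAuthn assertion rejected when relayed:", webauthn_relay_fails())
```

The point the simulation makes is that a one-time code is just another secret the victim types into the attacker’s page, whereas an origin-bound credential signs over where it was used, so the proxy can neither forward the assertion as-is nor rewrite the origin without invalidating the signature. On the defensive side this is also why revoking the issued sessions, not just resetting the password, is the first containment step after an AitM compromise.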

Will LaSala, Field CTO, Americas, at OneSpan, commented on the persistence of the particular style of phishing Microsoft researchers described this week.

“Real-time Man-in-the-Middle (MitM) and Adversary-in-the-Middle (AitM) attacks continue to be on the rise. With this incident in particular, users were sent a phishing email with an attachment that, when opened, infected the user’s system and redirected the user to a fake Microsoft Office 365 login page. The user, believing they were on the real site, entered their credentials, including their multi-factor authentication (MFA) values, and then the hacker took over the session and was able to send corporate-wide emails to compromise more users. 

“The attacker’s emails directed users to make payments to fraudulent accounts, putting money directly into the hacker’s pockets and users’ bank accounts at serious risk. In phishing attacks like these, this typically leads to pharming of the accounts where the attacker then sells the accounts. Here lies the importance of encrypting users’ payment information into a visual code. Once scanned, a payer can check the transaction details before it is authorized. This extra layer of authentication is key as these attacks can be performed in as little as five minutes. 

“To protect against these types of attacks, proper email hygiene needs to be enforced. Organizations should consistently remind employees not to open attachments or click on links contained in emails, especially from unknown sources. Proper MFA, including secure PUSH authentication, FIDO, and secure transaction authentication, should always be leveraged to protect against these styles of attack; however, as we see in this attack, MFA is just not enough to solve this problem on its own. Transaction technologies like secure messaging, transaction authentication with what-you-see-is-what-you-sign, continuous risk analytics, and electronic document signing with secure tamper-evident auditing will help protect against these attacks.”