Genetic Testing Company Hacked || Toyota Financial Services Hacked
CyberInsights #122 - 23andMe hacked. Says it was credential stuffing || Customer data of Toyota Financial Services impacted in a ransomware attack
What do you do when your company gets hacked?
You change your terms and conditions. 🙄
23andMe is a company that helps you “Find out what your DNA says about you and your family.”
Their security DNA was challenged when they were the victim of a cyber attack. Their official statement [LINK] says it was due to a ‘credential stuffing’ attack (hence the stuffed bun - a rather complicated analogy).
Credential stuffing is a type of attack where, once an attacker gets to know the credentials of a user for one website or login, they try those credentials on other sites to see if they stick. It’s a complex name for a rather simple attack vector. If I get to know your password for Google, I can try the same on Yahoo and hope it works.
So far, this is a straightforward piece of news. That is, barring the fact that the compromised data could be your DNA data and your ancestry. A bit of sensitive personal data.
What makes this news interesting is that Wired did a bit of investigation and claims that many users were using unique usernames and passwords on 23andMe and were confident that they had not used them elsewhere. Then, how could it be credential stuffing? [LINK]
What makes it disgusting is that 23andMe then changed the terms and conditions of the website in such a manner that you accept by default, unless you specifically decline them. The change, it appears, is that 23andMe wants its customers to ‘informally’ try and resolve disputes before taking it to arbitration or the courts. [LINK]
Take Action:
The easiest way to mitigate a credential stuffing attack is to enable 2FA for your applications. It’s nearly 2024 - just implement 2FA.
Also, try not to incorporate legalese after an incident. It just makes you appear slimy. The time to consult your lawyers and create terms and conditions is when you make your Cyber Crisis Response Plan (CCMP).
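Credential stuffing has a recognisable shape in login logs: one source tries many different usernames, each once or twice, with mostly failures and the occasional success, unlike brute force, which hammers a single account. The detector below is an added illustration of that check, not code from the newsletter or from 23andMe; the log format, source addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): one line per login attempt.
SAMPLE_LOG = """\
2023-10-06T09:00:01Z login src=203.0.113.7 user=alice result=FAIL
2023-10-06T09:00:02Z login src=203.0.113.7 user=bob result=FAIL
2023-10-06T09:00:02Z login src=203.0.113.7 user=carol result=FAIL
2023-10-06T09:00:03Z login src=203.0.113.7 user=dave result=FAIL
2023-10-06T09:00:04Z login src=203.0.113.7 user=erin result=OK
2023-10-06T09:00:05Z login src=203.0.113.7 user=frank result=FAIL
2023-10-06T09:00:06Z login src=203.0.113.7 user=grace result=FAIL
2023-10-06T09:05:00Z login src=198.51.100.4 user=alice result=FAIL
2023-10-06T09:05:09Z login src=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse(log):
    """Yield (timestamp, source, username, success) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["res"] == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Return {src: {"users", "attempts", "successes"}} for every source that, within
    `window`, tried at least `min_users` distinct usernames with a low success ratio.
    Many accounts from one source = stuffing; one account many times = brute force."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(log):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over this source's attempts
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[src] = {"users": len(users), "attempts": len(span), "successes": successes}
                break
    return flagged
```

The single OK among a run of failures from 203.0.113.7 is the account to alert on; 198.51.100.4 (one user retrying a typo) is left alone.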
Toyota Financial Services ransomware attack
It might impact customers' credit scores.
Toyota Financial Services - a Toyota group subsidiary that offers financial services - was the victim of a ransomware attack. [LINK]
Threat actors were able to obtain confidential personal data. The news is banal. The implications are not.
Firstly, conglomerates tend to ignore smaller subsidiaries. This is not a one-off case. Many large groups have been hacked through smaller subsidiaries that have weaker cybersecurity controls.
Secondly, the kind of data that was compromised is highly confidential in nature - primarily financial data. A lot can be done with such data. Hence, the suspected impact on credit scores of individuals. It shows that the group didn't think holistically when doing a risk assessment and identifying Crown Jewels.
Take Action:
If you are a conglomerate business, you have to think about the group as a whole and not just your primary business. Remember - the most cash-generating business might not be the one with the most critical information asset to protect.
If you are a cyber insurer, remember that any product provided to a financial services firm should explicitly cover or exclude credit monitoring and credit score restoration. Have your actuaries assess the claims and expected peak losses for this, and then decide whether to include or exclude them in your policy.