ITMG Insider Threat News – September 22, 2021

Massachusetts AG Launches Probe into T-Mobile Data Breach

The attorney general of Massachusetts, Maura Healey, has announced a probe into the recent data breach suffered by American telecommunications company T-Mobile.

In August, the United States wireless carrier disclosed a data breach impacting some 54.6 million individuals. Data exposed in the security incident included names, addresses, birth dates, phone numbers, Social Security numbers, information from driver’s licenses, International Mobile Equipment Identity (IMEI) numbers, and International Mobile Subscriber Identity (IMSI) numbers belonging to T-Mobile pay monthly customers and to people who applied for T-Mobile credit.

Healey proclaimed on Tuesday that her office had launched an investigation to examine what safeguards T-Mobile had put in place before the breach to protect consumers’ data and mobile device information.

Australia, UK, and US Announce Security Partnership

The United States, United Kingdom and Australia have announced a historic trilateral security and defense agreement.

Under the new AUKUS pact, the three nations will cooperate more closely than ever before in several areas that include artificial intelligence, cyber capabilities, quantum computing critical technology, and defense-related industrial bases and supply chains.

A joint statement released by the three world leaders on September 15 read: “This is an historic opportunity for the three nations, with like-minded allies and partners, to protect shared values and promote security and prosperity in the Indo-Pacific region.”

FTC: Health Apps Must Notify Consumers of Data Breaches

The United States Federal Trade Commission (FTC) has warned the developers of health apps and connected devices that they must disclose data breaches to consumers or face a fine.

In a policy brief issued Wednesday, the Commission clarified that healthcare apps that collect or use consumers’ health information are subject to the Health Breach Notification Rule requiring entities not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify consumers when their health data is breached.

Misconfigured APIs Account for Two-Thirds of Cloud Breaches

Shadow IT and misconfigured APIs accounted for the vast majority of security incidents in the cloud last year, according to a new report from IBM Security X-Force.

The threat intelligence player drew on multiple data sources, including dark web analysis, pen-testing data, incident response cases and threat intelligence to compile the 2021 IBM Security X-Force Cloud Threat Landscape Report.

Quarter of Fortune 500’s External IT Assets Are a Cyber Risk

Nearly three-quarters (73%) of Fortune 500 organizations’ IT infrastructure is now located externally, but this outsourcing trend appears to have created a significant visibility gap. Some 24% of these external assets are considered risky or have a known vulnerability, Cyberpion claimed.

This includes a quarter (25%) of externally hosted cloud-based assets that failed at least one security test, such as misconfigured storage.

The report also claimed that the average Fortune 500 firm has 126 different login pages for customers and employees — but 10% of these allow data transmission over unencrypted HTTP or have invalid certificates.

Global Databases Riddled with an Average of 26 Vulnerabilities

Nearly half (46%) of the world’s on-premises databases contain known vulnerabilities — most of which are high or critical severity, according to a new five-year study from Imperva.

The security vendor scanned 27,000 databases globally over five years and discovered that they contained 26 vulnerabilities each on average. Some 56% of these were ranked in the top two severity categories, meaning they could lead to serious compromise if exploited.
