Weekly CyberTip: Back up your data!
A sound backup strategy acts as your last line of defense against a cyber attack. If your data and systems are irreparably damaged or compromised, a copy of your data – including business information and system configuration details – will be critical in helping you rebuild. Take backups regularly (ask yourself: how much data can I afford to lose?) and keep them physically or logically isolated from your production systems, so that an attacker who compromises production cannot also destroy the backups.
Dutch airline faces fine after data breach
In a November 12 Dutch-language press release, the Dutch Data Protection Authority (DDPA) announced that it is levying a fine of €400,000 on regional discount airline Transavia for failing to protect the personal data of the carrier’s customers under the GDPR rules in force in the country.
The fine relates to a security breach suffered by Transavia in 2019 and disclosed in February 2020. In that incident, a hacker gained access to Transavia’s network, including its employee email accounts. From one of those accounts, the hacker downloaded a file containing the personal information of 83,000 passengers and flight personnel, pertaining to flights taken in January 2015.
According to a report at the time, the data disclosed in the breach consisted of full name, date of birth, flight data, booking number and any special services purchased at flight time. Sensitive data such as payment data, credit card information, passport information, and contact information was not involved. Nonetheless, the regulator pointed out that the breach could have been much worse: with the wide access gained by the hacker, the personal data of up to 25 million people could potentially have been exposed in the incident.
The DDPA finding focused on three key areas of weakness (all of which, Transavia reported in their GDPR filing, have now been addressed):
+ The password complexity rules used by the airline were inadequate, making it comparatively easy for the hacker to guess the credentials for two privileged accounts.
+ No multi-factor authentication was in place to protect the systems. The hacker was able to gain access through the accounts over Citrix simply by using a password.
+ Account access was not appropriately segmented or isolated: once the hacker took control of the two accounts, wide-ranging network access was available, beyond what was reasonably necessary even for an authorized user.
Transavia, a wholly-owned subsidiary of KLM, has not contested the ruling, and will reportedly pay the fine.
TTC ransomware attack update
The Toronto Transit Commission (TTC) has engaged the services of a “breach counsel” to help manage the aftermath of the ransomware attack that started on October 28. According to a report in The Toronto Star, the TTC has hired Montreal lawyer Sunny Handa, a partner at Blake, Cassels & Graydon LLP. “Breach counsel” is the term for a lawyer retained to help an organization deal with the legal aspects of a cyber attack, including ransomware negotiations and maintaining confidentiality around the incident.
The hiring news came just days after the transit authority revealed that, in addition to the service disruptions and outages originally reported, personal information was disclosed in the security breach.
“Based on the investigation so far, it now appears that personal information of some TTC employees, former employees and pensioners may have been stolen. This information may include the names, addresses and Social Insurance Numbers of up to 25,000 TTC employees, past and present,” according to the TTC bulletin.
On November 14, The Toronto Star reported that the TTC has been working on a new cybersecurity assessment since August, but quoted TTC spokesperson Stuart Green as saying there is no connection between the timing of the work and the recent ransomware attack.
The TTC has made progress in bringing many of the affected systems back online, but some problems remain as the incident enters its third week.
Palo Alto Networks fixes “critical” bug in GlobalProtect
Palo Alto Networks (PAN) has confirmed a critical bug in certain versions of its GlobalProtect security appliances. Tracked as CVE-2021-3064, the memory corruption vulnerability could enable an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.
PAN qualifies that the attacker must have VPN access to the GlobalProtect interface in order to exploit this vulnerability, and says that it is not aware of any malicious exploitation of this bug.
Administrators are strongly urged to patch or upgrade to a later, unaffected version of PAN-OS. If patching is not possible, administrators should disable unprotected portals or gateways, or enable threat prevention signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to block attacks against the vulnerability.
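As an added example (not code from the advisory or from Palo Alto Networks), the following Python helper applies the affected range stated above, PAN-OS 8.1 releases earlier than 8.1.17, to a constructed inventory of firewall version strings and lists the devices that still need patching or a compensating control. It also shows why the check must compare version components numerically: a plain string comparison ranks "8.1.9" above "8.1.17" and would silently miss a vulnerable device. The `-hN` hotfix suffix handling and the hostnames are assumptions of this example, not details from the page.

```python
import re
from typing import Dict, List, Tuple

# Affected range as stated in the advisory text on this page:
# PAN-OS 8.1 releases earlier than 8.1.17. Other release trains are not
# covered by the page, so this helper deliberately reports them as out of scope.
AFFECTED_TRAIN = (8, 1)
FIXED_VERSION = (8, 1, 17)

# "major.minor.patch" with an optional "-hN" hotfix suffix. Treating the
# hotfix number as a fourth component is an assumption of this example.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version string into comparable integer components."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected_by_cve_2021_3064(version: str) -> bool:
    """True if the version is in the 8.1 train and earlier than 8.1.17.

    The comparison is done on integer tuples, so 8.1.9 correctly sorts
    before 8.1.17. A hotfix on an earlier patch level (e.g. 8.1.16-h3)
    is still earlier than 8.1.17 and therefore still reported as affected.
    """
    major, minor, patch, _hotfix = parse_panos_version(version)
    if (major, minor) != AFFECTED_TRAIN:
        return False  # out of the scope described on the page
    return (major, minor, patch) < FIXED_VERSION


def naive_string_check(version: str) -> bool:
    """The mistake to avoid: lexicographic comparison of version strings."""
    return version < "8.1.17"


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) that still run an affected PAN-OS build."""
    return sorted(host for host, ver in inventory.items()
                  if is_affected_by_cve_2021_3064(ver))


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "fw-branch-01": "8.1.9",
    "fw-branch-02": "8.1.17",
    "fw-branch-03": "8.1.16-h3",
    "fw-dc-01": "8.1.17-h1",
    "fw-dc-02": "9.0.5",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2021-3064; "
              f"upgrade to 8.1.17 or later, or apply the interim mitigations")
    # Demonstrates the pitfall: string comparison ranks "8.1.9" after "8.1.17".
    print("naive check on 8.1.9 says affected:", naive_string_check("8.1.9"))
```

The two output lines for the sample inventory name `fw-branch-01` and `fw-branch-03`; `fw-dc-02` is on a different train and is reported as out of scope rather than safe, because the page only describes the 8.1 range. Feed the helper the version strings from your own device inventory or from the management console export.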