Data Vulnerable to Critical Flaws and Third Parties

Further data breach news for the automotive industry, in connection with a third-party vendor: this time it is car rental company Hertz that has announced a security breach.  Personal data including names, contact info, credit card and driver’s license info were exposed for an undisclosed number of customers around the globe (though over 3,400 in the state of Maine alone).  A smaller number also had Social Security numbers, government IDs, and passport and Medicare or Medicaid info exposed.

Zero-day vulnerabilities in the software of file-sharing manager Cleo Communications exposed Hertz to this incident.  The infamous ransomware group Clop has even touted their efforts in targeting Cleo’s servers with cyberattacks.

We have frequently observed the risks inherent in third-party vendor relationships – necessary for business but nevertheless tempting targets for cyber criminals.  Prior to Hertz, Grubhub is another company that has recently fallen prey.  Again, a hacker was able to gain entry to its systems via a third-party vendor that provides service support, subsequently stealing personal data on drivers and customers, as well as Grubhub campus diners.  Grubhub terminated the compromised account once they discovered the breach, but the damage was done.

Yet another critical vulnerability has just been discovered in the Erlang/OTP platform, commonly used throughout connected devices, telecom platforms, and distributed applications.  Other services also use it as a debug utility.  In short, a fairly important platform, within which a critical flaw has now been found that allows attackers with network access to execute arbitrary code.  From there, they could exfiltrate or manipulate sensitive data, launch distributed denial-of-service (DDoS) attacks, or gain total access to an afflicted device.

Meanwhile, we also receive news that recently disrupted online black market, Cracked, has recovered and resumed operations.  A few months earlier, international law enforcement claimed to have disrupted infrastructure, but Cracked claims that their seized servers were encrypted, thus barring authorities from accessing the data of their users.  How ironic, for a hub of cybercrime to protect itself and its data better than many legitimate companies.

Whether dealing with critical security vulnerabilities or third-party business associates, one false step is all it takes to end up in a marketplace that consistently proves extremely resilient to takedown.  All the more reason to ensure that when a cyber criminal does try to break in and post your stolen data to the dark web, it remains encrypted and unreadable via solutions like NetLib Security’s Encryptionizer.  Across all environments, whether physical, virtual or cloud, Encryptionizer provides a robust layer of protection for stored data with minimal performance impact and no additional programming.  Personal data is a more valuable resource than ever, and keeping it secure from bad actors is imperative for companies and customers alike.