Wasting no time while their prior breach story unfolds, the hacking group ShinyHunters continues to run amok. Now the group claims responsibility for an attack against 7-Eleven last month, which the company has confirmed.
Certain 7-Eleven systems were accessed, which contained personal information on an undisclosed number of individuals, including Social Security numbers. Unlike Instructure Canvas, which we examined previously, this time the company refused to pay the extortion. And so ShinyHunters posted it. Six hundred thousand stolen records ended up shared online.
The hackers claim that the company “failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don’t care.” How charitable of them to express concern for those who are now at risk for fraud. You could almost believe they cared themselves.
In any event, 7-Eleven did not pay, and over 9.4 GB of 600,000 Salesforce records containing personally identifiable information (PII) and other internal corporate data were made available for download. Just add another one to the list. In the past year, ShinyHunters has also targeted Salesforce data from hundreds of organizations for what they claim to be billions of records, pulling off breaches at Google, Cisco, Vimeo and Rockstar Games.
Cyberscoop emphasizes that this incident demonstrates how current attempts at data breach prevention are often insufficient. The educational institutions that were so deeply plugged into Canvas platforms left themselves susceptible, when the breach did occur, to mass disruption, whereby student and faculty work and communications ground to a halt.
We are not here to solve any such overdependence, of course, but to merely remind everyone that cyberattacks are inevitable, and sooner or later critical operational systems will be accessed by malicious agents. Who wants to leave their valuable resource readable and exploitable?
When a breach does occur, strong encryption drastically reduces the damage done by scrambling the sensitive data and decreasing its value on the dark web. Not to mention its use as a method of extortion, such as Instructure succumbed to, and further legal ramifications, as they now experience. Despite their assurance that the stolen data was destroyed, a Congressional investigation has been opened regardless, and those educational institutions affected still bear responsibility for student data that they no longer control. See how a poor security posture can spiral into full organization chaos.