Disney Leaves Slack: A Strategic Retreat

Walt Disney Co. is transitioning away from Slack after a serious data breach. The breach, which occurred in July 2024, compromised more than 1.1 terabytes of confidential data. This incident included 44 million messages and inside information about various projects at Slack. According to a news article in The Wall Street Journal, Disney has decided to shift to new corporate-wide communication software before the end of its fiscal year.

Why Disney Is Getting Off Slack

The NullBulge hack led Disney to move away from Slack. Hackers accessed thousands of internal channels, exposing unreleased projects, login credentials, and sensitive corporate data. This breach highlighted Slack’s vulnerability, especially due to weak employee security practices like not using robust authentication.

Disney’s decision isn’t just a reaction to the breach but a preventive step to reduce reliance on a platform that became a weak link in its cybersecurity. By switching to streamlined collaboration tools, Disney aims for platforms that offer tighter security and better integration with its IT systems.

History of Breaches at Disney

This is not the first time that the House of Mouse has faced a breach. In July 2024, Disney suffered a breach that exposed over 1.1TB of sensitive data, including 44 million messages, 18,800 spreadsheets, and internal project details. Several months ago in early June 2024, hackers targeted the Club Penguin Confluence server and led to leaking of 2.5 GB of data and information related to the company’s legacy operations.

Mitigation and Prevention: Enhancing Your Security Position

To prevent future incidents, companies like Disney harden up their security approach. One of these approaches involves using zero-trust products, where all actions are considered to be malicious unless proved otherwise and authenticated. The shift away from Slack for Disney should be used as an opportunity to have stronger encryption and more secure, decentralised methods of communication in a place.

Despite the risks, companies often prioritise familiar tools like Slack for their ease of use. Employees enjoy the convenience of SSO and real-time communication. However, this same ease of use can make these platforms vulnerable to attacks, as Disney’s breach demonstrated. Companies often avoid stricter security measures, such as multi-factor authentication (MFA), due to perceived inconvenience. This balance between convenience and security is where many organizations falter.


PureAUTH on the other hand, offers one-click access through passwordless authentication, which is friendly and secure.

Conclusion : One Move Toward Collaboration Over A Secure Platform

As Disney steps away from Slack, this highlights an emerging trend: companies must prioritise security in their collaboration tools. Convenience is awesome, but so is the robust security against emerging threats. PureAUTH balances convenience with the protection required to secure company data. If Disney had solutions like PureAUTH, then the breach might have been far less effective. As companies rethink their internal platforms for communication, the lesson is stark: security and usability are not mutually exclusive with PureAUTH. #gopasswordless

Read Also

Disney to ditch slack following July Data Breach

Fortinet Data Breach: Insights and Implications for Cloud Security

Introduction

Fortinet recently experienced a data breach with 440GB of stolen files. This incident underscores the critical importance of securing data in third-party cloud environments. In this blog, we dive into the details of the Fortinet breach, its implications, and why moving towards passwordless authentication is an essential step for enhancing security.

The Fortinet Breach: A Detailed Overview

Fortinet, renowned for its comprehensive cybersecurity solutions, has confirmed a significant data breach. The hacker, using the name “Fortibitch,” claimed to have exploited an Azure SharePoint vulnerability to steal 440GB of data in this breach, dubbed “Fortileak“.

Fortinet data breach: Fortibitch
Credit: Hackread.com

How the Breach Happened

According to reports, the breach involved unauthorised access to Fortinet’s Azure SharePoint instance. The hacker provided credentials to an Amazon S3 bucket where the stolen data was allegedly stored. The leaked data included customer information and various corporate documents.

Fortinet confirmed the breach involved less than 0.3% of its customer base, affecting a limited number of files. The company assured stakeholders that there was no evidence of malicious activity affecting its operations or services. No ransomware was deployed, and Fortinet’s corporate network remained secure.

The Response from Fortinet

Fortinet acted swiftly to mitigate the impact of the breach. The company engaged in immediate containment measures, including terminating the unauthorised access and notifying affected customers. They also worked with law enforcement and cybersecurity agencies to address the situation.

In their update, Fortinet emphasised that the breach did not involve data encryption or ransomware. The company’s operations and financial performance remain unaffected, with no significant impact reported.

Key Takeaways and Security Lessons

This incident highlights several critical lessons for organisations:

1. Secure Cloud Environments

The Fortinet breach underscores the need for robust security measures around cloud-based environments. Companies must properly configure their cloud storage solutions and actively protect them against unauthorized access.

2. Implement Strong Access Controls

Using multi factor authentication (MFA) is minimum, but given the MFA are also getting bypassed, more secure authentication like PureAUTH is highly recommended

3. Continuous Monitoring and Response

Proactive monitoring of cloud assets and rapid response to security incidents are essential for minimising the impact of breaches. Organisations should have incident response plans in place to handle such situations effectively.

Embracing Passwordless Authentication for Enhanced Security

As demonstrated by the Fortinet breach, traditional security measures, including passwords and MFA, are increasingly inadequate. The shift towards passwordless authentication offers a more secure and resilient alternative.

Passwordless authentication solutions like PureAuth provide a breach-resilient architecture by leveraging advanced cryptography and just-in-time access. This approach significantly reduces the risk of third-party breaches and enhances overall security. Key benefits include:

  • Breach Resilience: PureAuth’s architecture is designed to withstand breaches by eliminating the reliance on passwords and minimising attack vectors.
  • Flexible Security Measures: We work with you to design fallback and recovery mechanisms, ensuring uninterrupted access to enterprise resources.
  • Ongoing Support: Comprehensive breach support is available to address any issues that arise.
Fortinet data breach: Embracing passwordless authentication

Transitioning to passwordless authentication is no longer just a best practice but a necessity for enterprises aiming to protect critical assets. Passwords and traditional 2FA/MFA methods are becoming increasingly inefficient and insecure. Adopting a passwordless approach enhances security, simplifies access management, and aligns perfectly with modern cybersecurity needs.

Conclusion

The Fortinet data breach serves as a stark reminder of the evolving threats in the cybersecurity landscape. While Fortinet’s response has been commendable, organisations must take proactive steps to safeguard their data, especially in cloud environments. Moving towards passwordless authentication solutions like PureAuth offers a forward-thinking approach to security, addressing the limitations of traditional methods and providing a more resilient defence against breaches.

For enterprises looking to enhance their security posture, embracing passwordless authentication is not an option—it is a necessity. Ensure your organisation is equipped to handle the future of cybersecurity with advanced, breach-resilient solutions. #gopasswordless

How Hackers Exploit Active Directory Certificate Services for Long-Term Persistence

Introduction

Active Directory Certificate Services (AD CS) may seem like a helpful gatekeeper for managing digital certificates and encryption, but if it’s not configured just right, it can leave the door wide open for hackers. AD CS is often overlooked when it comes to security, making it a perfect treasure trove for attackers. And once they’re in, they can sneak around undetected, establishing long-term persistence in your network like they’re on an extended vacation.

Meme :  AD Certificate Services
Credit: Medium

In this blog, we’ll break down how hackers exploit AD CS, dive into some clever tactics from recent findings, and most importantly, explain what you can do to keep them out.

Hackers in the Shadows: How AD CS Is Exploited

AD CS is Microsoft’s Public Key Infrastructure (PKI) solution for issuing and managing digital certificates in Active Directory environments. When configured correctly, it helps secure network communications. But if misconfigured, AD CS can quickly become a hacker’s best friend, enabling them to access networks, steal credentials, and stay hidden for the long haul.

Key Attack Vectors

  1. Stealing Certificates: Imitation is the Best (Criminal) Strategy
    Hackers can grab user or machine certificates, along with private keys, and use them to impersonate legitimate users or machines. This is like copying someone’s ID, if the certificate remains valid, they can continue authenticating, even after passwords change.
  2. Requesting Fake Certificates: Elevation Without the Effort
    Imagine asking for a regular office key but getting access to the CEO’s office instead. Similarly, if there are any misconfigured certificate templates, low-privileged users can request certificates that grant admin-like privileges.
  3. Misconfigured Certificate Templates: Unintentional Free Pass
    Certificate templates can be dangerous when they allow attackers to specify Subject Alternative Names (SANs). This essentially hands over the keys to high-level users’ certificates—like getting access to a domain admin’s credentials. Templates that aren’t secured give attackers serious access.
  4. CA Private Key Theft: A Permanent Invitation
    If an attacker can get their hands on a Certificate Authority (CA) private key, they can generate certificates for any user in the domain. This grants them persistent access that’s nearly impossible to revoke.
  5. Become a Shadow CA
    If an attacker can get a certificate signing request (CSR) signed by CA, which has constraint isCA is set to True, and allowed its use for signing other certificates, then the issue\d certificate makes the attacker a Parallel CA, which can independently generate any arbitrary certificates which will be considered as valid.
How to exploit AD Certificate Services

Tools of the Trade: Certify and ForgeCert

Hackers aren’t going in blind—they’ve got tools that make exploiting AD CS a breeze. The whitepaper by Will Schroeder and Lee Christensen highlights two key tools:

  • Certify: This tool scans for AD CS misconfigurations and assists attackers in requesting malicious certificates. It functions like a vulnerability scanner specifically designed for certificates.
  • ForgeCert: Attackers use this tool to create fake certificates with a stolen CA private key. By forging these certificates, they gain permanent access to your network, making detection much more challenging.
 Certify tool to exploit AD Certificate Services

Mitigation: Fortify Your AD CS Before It’s Too Late

So, how can companies stop attackers from abusing AD CS? It’s all about treating your certificates like they’re gold and your CAs like they’re Fort Knox. Here’s a breakdown of what you need to do:

  1. Treat CAs as Critical Assets
    Your CA servers should be protected like domain controllers (or fort knox), lock them down and apply Tier 0 security controls. These systems are high-value targets, and attackers know it.
  2. Audit and Harden Certificate Templates
    Regularly audit your certificate templates and remove any unnecessary features, like SAN customization, which could give attackers an easy way in. Ensure templates are configured for minimum privilege.
  3. Secure CA Private Keys
    Store CA private keys in hardware security modules (HSMs). This keeps them away from prying hands and makes it significantly harder for attackers to steal them.
  4. Monitor Certificate Activity
    Keep an eye on your certificate enrolments, authentications, and template modifications. If something seems off, it probably is. Proactive monitoring can be your early warning system.

Conclusion

Active Directory Certificate Services isn’t inherently insecure, but its complexity makes it ripe for misconfiguration. When that happens, hackers can sneak in, steal credentials, and establish persistence that’s incredibly tough to detect and eliminate. As the Certified Pre-Owned whitepaper highlights, understanding the risks and securing AD CS is key to preventing these kinds of attacks.

To learn more about Secure usage & management of X509 Certificates, you can refer to this in depth Practitioners Guide authored by our founder Ajit Hatti as part of Null Cipher Security Club

In short, if you’re not securing AD CS, hackers might just settle in and stick around your network for longer than you’d like.

Read Also

Certified Pre-Owned: Abusing Active Directory Certificate Services

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Secure Usage & Management of X509 Certificate

RockYou2024: Nearly 10 Billion Passwords Leaked Online

Introduction

On July 4, 2024, the cybersecurity community was rocked by the discovery of RockYou2024, the largest password compilation leak in history. This staggering breach, revealed by a Cybernews research team, includes nearly 10 billion unique plaintext passwords. The massive dataset, posted on a popular hacking forum, presents severe security risks, especially for users prone to reusing passwords.

The RockYou2024 Password Leak

The RockYou2024 password leak, tracked as the largest of its kind, was unveiled by Cybernews researchers. The file, named rockyou2024.txt, contains an astounding 9,948,575,739 unique plaintext passwords. The dataset was posted by a user named “ObamaCare,” who has a history of leaking sensitive information. This compilation is believed to be a mix of old and new data breaches, significantly increasing the risk of credential stuffing attacks.

Credit: Cybernews

A Brief History of RockYou

The RockYou series of password leaks dates back to 2009, when the original RockYou breach exposed over 32 million user account details. In 2021, the RockYou2021 compilation, containing 8.4 billion passwords, set a new record at the time. RockYou2024 expands on this legacy, adding another 1.5 billion new passwords, making it the largest password dump to date.

Impact and Exploitation Risks

The RockYou2024 leak poses significant dangers due to the vast number of real-world passwords it contains. Cyber-criminals can leverage this data to execute brute-force attacks, attempting to gain unauthorised access to various online accounts. Combined with other leaked databases containing usernames and email addresses, RockYou2024 could lead to widespread data breaches, financial fraud, and identity theft.

How to Protect Against RockYou2024

Reset Compromised Passwords

Immediately reset passwords for any accounts associated with the leaked data. Ensure new passwords are strong, unique, and not reused across multiple platforms.

Enable Multi-Factor Authentication (MFA)

Enable MFA wherever possible. This adds an extra layer of security by requiring additional verification beyond just a password.

Implement Passwordless Solutions

Adopting passwordless solutions can further enhance security. SAML-based passwordless solutions, such as Single Sign-On (SSO) systems, eliminate the need for passwords by using secure tokens for authentication. These solutions reduce the risk of password-related attacks and improve user convenience.

Monitor Accounts and Stay Informed

Regularly monitor accounts for suspicious activity and stay informed about the latest cybersecurity threats and best practices.

Conclusion

This recent breach highlights how fragile and unsafe passwords are, underscoring the need for more secure authentication methods. The RockYou2024 leak demonstrates that even with strong, unique passwords, the risks remain significant. Multi-factor authentication (MFA), while an added layer of security, is not foolproof. For example, MFA breaches such as the 2022 Uber hack and the attack on Microsoft’s Office 365 users in 2021 show its vulnerabilities.

Additionally, password managers are not entirely reliable. The Okta breach in 2022 and the OneLogin breach in 2017 exposed millions of user accounts, demonstrating that even these tools can be compromised.

In light of these risks, passwordless systems are emerging as the next hot trend in cybersecurity. SAML-based passwordless solutions, like PureAuth, provide enhanced security by eliminating the need for passwords and reducing the attack surface for cybercriminals.

Embracing passwordless systems, combined with continuous monitoring and updated security practices, is essential for protecting against the evolving threat landscape. Stay ahead of cyber threats by adopting innovative authentication methods and ensuring your digital assets are well-protected.

New York Times Source Code Leak

Introduction

The New York Times recently experienced a significant security breach, leading to the leak of their source code. This breach was initiated through an exposed GitHub token, allowing unauthorised access to their repositories

How It Happened

An anonymous hacker posted the New York Times’ source code on 4chan. The breach occurred due to an exposed GitHub token, which provided access to over 5,000 repositories, totalling 270 GB of data. The stolen data included sensitive and proprietary information.

Response from The New York Times

The New York Times confirmed the breach and revealed that a credential was inadvertently exposed in January 2024. They quickly addressed the issue, emphasising that their systems remained non-compromised and their operations unaffected. However, this incident highlights the critical need for stringent security measures.

Implications of the Leak

The breach exposed vast amounts of data, including source code for various projects. This poses significant risks for the New York Times, including potential security vulnerabilities and intellectual property theft. The leaked data also included uncompressed tar files, with the hacker urging users to seed due to potentially insufficient seed-boxes. Reactions ranged from disbelief at the volume of repositories to jokes about the newspaper’s digital complexity.

Connection to Disney Leak

Just days before, another breach occurred involving Disney’s internal servers. A hacker associated with the defunct game Club Penguin leaked 2.5 GB of sensitive data, including corporate strategies and internal emails. This shows a disturbing trend of high-profile data breaches. The Disney breach exploited Confluence servers via exposed credentials, further emphasising the need for robust security practices.

Conclusion

This incident underscores the critical importance of securing access tokens and implementing robust security measures to prevent unauthorised access to sensitive information. As cyber threats evolve, organizations must remain vigilant and proactive in safeguarding their digital assets. Securing the CI/CD Pipeline should be a priority for every organization and PureID’s CASPR can be a game-changer.

Okta Warns Customers of Credential Stuffing Attacks

In a recent advisory, Okta, a leading identity and access management services provider, sounded the alarm over a rise in credential stuffing attacks targeting online services. Let’s delve into the details of this warning and understand the implications.

Overview of the Threat

Okta reported a significant increase in the frequency and scale of credential stuffing attacks against online services in recent weeks. These attacks have been fuelled by the widespread availability of residential proxy services, lists of previously stolen credentials, and automation tools. The surge in attacks poses a severe threat to the security of user accounts and sensitive data.

Observations by Security Experts

Duo Security and Cisco Talos also observed large-scale brute-force attacks against various targets, including VPN services, web application authentication interfaces, and SSH services. The attacks, originating from TOR exit nodes and other anonymizing tunnels and proxies, targeted VPN appliances and routers from multiple vendors.

Modus Operandi of Credential Stuffing Attacks

Credential stuffing attacks involve the automated trial of username and password combinations obtained from previous data breaches or phishing campaigns. Threat actors exploit the reuse of login credentials across multiple accounts, attempting to gain unauthorised access to compromised accounts.

Recommendations for Organisations

  • Enable ThreatInsight in Log and Enforce Mode for proactive IP address blocking.
  • Deny access from anonymizing proxies to prevent attacks from dubious sources.
  • Switch to Okta Identity Engine for enhanced security features.
  • Utilize CAPTCHA challenges and passwordless authentication with Okta FastPass.
  • Implement Dynamic Zones to manage access based on geo-location and other criteria.
Okta's Warning on Credential Stuffing Attacks
Blocking anonymized requests from Admin Console > Settings > Features
Okta

Implementing these recommendations can fortify an organisation’s defence against credential stuffing attacks, ensuring a safer online environment for users and stakeholders.

Conclusion

Credential stuffing attacks pose a significant threat to the security of online services and user accounts. By heeding Okta’s warning and implementing robust security measures, Okta customers can better protect themselves against these malicious activities and safeguard their sensitive data.

Another approach to create a safer cyber world is to not use the typical password based authentication. By eliminating passwords, organizations can improve their defences, increase security and reduce the risk of future incidents. Typical cyber attacks such as Credential Stuffing are not applicable to Passwordless authentication, so the best way to move forward is to #gopasswordless

Read Also

Unpacking Okta’s Recent Security Breach

Okta Breach Part 2: Unveiling the Full Scope and Impact

Google 2FA Breach: Rethink Authentication Security

In today’s digital landscape, safeguarding our online presence is paramount. Two-factor authentication (2FA) has emerged as a crucial tool in this endeavour. Platforms like Google and Facebook offer 2FA to bolster account security. However, there have been multiple incidents revealing vulnerabilities in this system, prompting concerns among users.

The Case of the Bypassed 2FA

Recent reports unveiled breaches in Gmail and YouTube accounts despite 2FA activation. This revelation underscores a fundamental truth: security with passwords, along with 2FA or MFA is fallible. Hackers continuously adapt their tactics, exploiting weaknesses even in trusted systems like 2FA.

Credit : Forbes

Understanding the Bypass

While the exact method remains undisclosed, hackers may employ various strategies to circumvent 2FA. According to Forbes, It’s probable that these users fell prey to what’s known as a session cookie hijack attack. Typically initiated through a phishing email, hackers direct victims to a counterfeit login page. Upon entering their credentials, users are prompted to complete a simulated 2FA challenge, which they unwittingly comply with.

The Role of Vigilance

Despite these challenges, I would personally suggest moving away from systems that solely rely on 2FA for authentication. But in the extreme case where abandoning 2FA is not the solution, users must adopt additional measures to enhance their security posture.

Secure Alternative to 2FA/MFA

As we have seen numerous instance of 2FA & MFA getting by passed, enterprises need better methods to secure access to their resources. PureAUTH Secure IAM platform provides Zero Trust -Passwordless access and protects enterprises from following type of attacks

  1. Password Spraying & brute forcing attacks
  2. Credential Phishing, Push fatigue and Adversary in the middle attacks
  3. Public Key replacement attacks targeted at solutions using Public Key based authentication like FIDO keys
  4. Social Engineering attacks to reset user credentials and reset or disable MFA/2FA
  5. Abuse of shared credentials or leaked credentials and in general credential stuffing attacks

Elevating Security: Going Beyond 2FA

Security is an ongoing journey, requiring a multifaceted approach. While the challenges of bypassing 2FA are evident, there’s a growing trend towards passwordless authentication methods. Embracing secure identity and access management technologies, adopting a zero-trust architecture are some promising alternatives. By adapting these alternatives and staying vigilant, users can reinforce their online security against the ever-evolving tactics of cyber criminals.

PureID offers solutions that curate a robust defence against unauthorised access, heralding a more secure digital future for organizations. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cybersecurity landscape with renewed strength. The journey continues—Passwordless Authentication awaits.

Read Also

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

Passwords Leaked : Microsoft in Trouble

Introduction

Recent reports unveil a significant data breach at Microsoft, exposing employee passwords and confidential corporate data to the internet. This breach underscores the pressing need for robust cybersecurity protocols and heightened vigilance to safeguard sensitive information.

About the Breach

Security researchers from SOCRadar (Can Yoleri, Murat Özfidan and Egemen Koçhisarlı )discovered an open and public storage server on Microsoft’s Azure cloud service. This server was housing internal data related to the Bing search engine. Left unprotected, it exposed code, scripts, and configuration files containing credentials used by Microsoft employees to access internal systems.

Data Exposure

The exposed data poses severe risks, potentially granting malicious actors access to other confidential files within Microsoft’s network. The lack of password protection on the server facilitated easy access to sensitive information, raising concerns about cybersecurity vulnerabilities.

Response and Resolution

The researchers promptly notified Microsoft of the vulnerability in February, prompting the company to secure the exposed server by March. However, the duration of the data exposure and the extent of unauthorised access remain unclear.

In a statement shared after publication on 10th April, Microsoft’s Jeff Jones said: “Though the credentials should not have been exposed, they were temporary, accessible only from internal networks, and disabled after testing. We thank our partners for responsibly reporting this issue.” But Microsoft has yet to issue an official statement addressing the breach.

Breach History: The latest addition to a series of “Mishaps”


Microsoft has faced numerous security breaches, like the ‘Summer 2023 Exchange Intrusion,’ where hackers accessed mailboxes of 22 organizations and 500 individuals, including senior US government officials. The company’s lax corporate culture and failure to prioritise security investments were criticised by the US Cyber Safety Review Board. Recent oversights, like mislabelling CVEs in Patch Tuesday releases, exposed gaps in Microsoft’s security protocols. Last year, researchers found that Microsoft employees were exposing their own corporate network logins in code published to GitHub.

Conclusion

As Microsoft grapples with the aftermath of this data breach, it highlights the ongoing battle against evolving cybersecurity threats. Human error is inevitable, and we require systems that are error-proof to avoid such breaches occurring in the future. By embracing secure identity and access management technologies, such as passwordless authentication, organizations can significantly reduce the risk of security lapses and enhance overall cybersecurity posture.

Read Also

Microsoft Reveals Russian Hack: Executive’s Emails Compromised

Securing Cloud Environments: Lessons from the Microsoft Azure Breach

BoAt Lifestyle: Understanding the Data Breach

Introduction

A recent data breach has shaken boAt, a leading manufacturer of audio products and smartwatches. The personal data belonging to over 7.5 million customers of boAt is getting sold for 2 euro only. This breach highlights the critical need for robust security measures and the adoption of zero trust architecture to protect customer data effectively.

About the Breach

A hacker named “ShopifyGuy” claimed to have leaked personal data of over 7.5 million boAt customers on the dark web. The compromised information includes names, addresses, contact numbers, email IDs, and customer IDs, posing severe risks to customer privacy and security.

Data Loss

The leaked data, totaling approximately 2GB, exposes boAt customers to potential financial scams, identity theft, and phishing attacks. Threat actors could exploit this information to conduct fraudulent activities, posing significant threats to individuals’ financial and personal well-being.

Credit : TOI

Aftermath

The aftermath of the data breach includes a loss of customer confidence, legal consequences, and reputational harm for boAt. Prompt action is necessary to mitigate risks and restore trust among affected customers.

Strengthening Data Security: The Role of Zero Trust Architecture

In preventing data breaches like the one experienced by boAt, adopting a zero-trust architecture proves crucial. By implementing strict access controls, continuous monitoring, and privilege access policies, organizations can reduce the chances of unauthorised access and mitigate the risks associated with potential breaches.

With these proactive measures, boAt and other organizations can better safeguard customer data and maintain trust in an increasingly digital world.

American Express Warns Customers of Third-Party Data Breach

Introduction

American Express (Amex) has disclosed a potential data breach, affecting some of its credit card holders. The breach, originating from a third-party service provider, has raised concerns about the security of cardholder information.

Timeline

  • March 4, 2024: Breach Notification:
    • American Express files a breach notification letter with the Massachusetts State Attorney General’s Office as a precautionary measure.
    • The breach is attributed to a point-of-sale attack at a merchant processor, not directly involving American Express or its service providers.
  • March 5, 2024: Public Disclosure:
    • Details of the breach are publicly disclosed by American Express, acknowledging the potential compromise of cardholder names, account numbers, and expiration dates.
    • American Express reassures card members and emphasises its robust monitoring systems.
Screenshot of American Express Breach Notice

Details of the Breach

Incident Overview:

  • The breach occurred due to a point-of-sale attack at a merchant processor, not directly involving American Express or its service providers.

Affected Information:

  • Account information potentially compromised includes cardholder names, American Express card account numbers, and expiration dates.
  • Both active and previously issued credit card account numbers may have been impacted.

Customer Perspective

Customer Liability:

  • American Express assures its card members that they won’t be liable for fraudulent charges on their accounts.
  • The company emphasises its sophisticated monitoring systems to detect and address any suspicious activity promptly.

Recommendations for Customers:

  • Customers should regularly review and monitor their account activity.
  • American Express recommends Free fraud and account activity alerts via email, SMS text messaging, and app notifications for added protection.

Industry Perspective

Accountability of Third-Party Service Providers:

  • Cyber security experts such as Liat Hayun, CEO and co-founder of Eureka Security, stress the importance of holding third-party service providers accountable for data security.
  • Recent incidents, like the Bank of America breach with Infosys McCamish Systems, highlight the persistent challenge of third-party vulnerabilities.
  • With breaches attributed to groups like LockBit ransomware, there’s a pressing need to fortify security measures.
  • Previous breaches, such as Bank of America’s exposure via Ernst & Young, emphasise the necessity of securing access points to sensitive data.

Conclusion

The American Express data breach serves as a reminder of the ongoing cybersecurity challenges faced by financial institutions and the imperative need for proactive security measures. Using and Managing passwords also costs a lot. The easiest solution of this unavoidable situation is adopting passwordless solutions for Identity and Access Management (IAM). Password-based authentication methods are increasingly vulnerable to cyber threats.  Embracing advanced authentication mechanisms can mitigate unauthorised access risks and safeguard sensitive information.