UpGuard Blog

Preventing Data Breaches

Data is being mishandled. Despite spending billions on cybersecurity solutions, data breaches continue to plague private companies, government organizations, and their vendors. The reason cybersecurity solutions have not mitigated this problem is that the overwhelming majority of data exposure incidents are due to misconfigurations, not cutting edge cyber attacks. These misconfigurations are the result of process errors during data handling, and often leave massive datasets completely exposed to the internet for anyone to stumble across.

Filed under: data breaches, S3, github, cloudleaks, rsync

Why Pen Testing is Not Enough To Prevent Data Breaches

Essential to enterprise security, or a waste of time? Security professionals' opinions regarding penetration testing (pen testing) seem to fall squarely on either side of the spectrum, but—as with most IT practices—its efficacy depends on application and scope. And while pen testing alone is never enough to prevent data breaches from occurring, information gleaned from such efforts nonetheless play a critical role in bolstering a firm's continuous security mechanisms.

Filed under: security, data breaches, IT security

The Nightmare Scenario: When Your Security Provider Becomes a Security Problem

You’ve spent months with your team designing your company’s security strategy-- you’ve demoed and chosen vendors, spent money, and assured your users that this investment will pay off by keeping their business safe. The next thing you know, the very software you’ve put in place to protect your data is exposing it instead. This nightmare scenario has turned into reality for some companies when major security software was compromised or had fatal flaws that exposed sensitive information to unknown third parties. Just because you sell security doesn’t mean you always practice it.

Filed under: security, data breaches, IT security

A New Season for Baseball and Cyber Threats

Another regular season is underway as teams—fresh from spring training—dive head first into a sea of possibilities: will the Cubs win a World Series this year? How about those Mariners? Who will be this year's Hall of Famers? For fans, another question is increasingly becoming the subject of bar room chatter: which team will be hacked this season?

Filed under: data breaches, baseball

The Healthcare Security Epidemic

Your medical records live in a database or file system on servers somewhere, on someone’s network, with someone’s security protecting them. A recent PBS article about cyber security in the healthcare industry reports that over 113 million medical records were compromised in 2015. Medical records, perhaps even more than financial data, are the epitome of sensitive, private data, yet the healthcare industry has reported breach after breach, with over a dozen separate breaches already logged in March of this year.

Filed under: security, CSTAR, data breaches, healthcare, webscan

The Amex Partner Data Breach and Downstream Liability

If you're one of its 140 million cardholders around the globe, American Express wants you to know that your data is safe. The data breach recently announced by the U.S.' second largest credit card network reportedly involved a partner merchant and not Amex itself. However, if you're one of the customers whose credit card and personal information was stolen, the difference is negligible.

Filed under: cyber security, data breaches

Hackers Publish Time Warner Business Database

On February 28th 2016, “grey-hat security research group” TeaMp0isoN breached Time Warner Cable’s Business Class customer support portal with a SQL injection attack, defacing the site and snatching a database dump with more than 4,000 records including usernames, email addresses and (encrypted) passwords. 

Filed under: data breaches

Why Companies Will Keep Getting Breached In 2016 And Beyond

The answer is simple: because it's highly profitable. Credit card numbers are still the best we've got for transacting digitally and health records are 10 times more valuable on the black market. And despite efforts from the infosec community at large, cybercrime continues to increase in frequency and severity. The more important and difficult question is not why, but howthat is, how can companies not just survive, but thrive in a landscape of digital threats?

Filed under: cyber security, insurance, cyber risk, data breaches

Casino Data Breaches And Doubling Down On Digital Resilience

In what is being described as a landmark case, Nevada-based casino operator Affinity Gaming is suing cybersecurity firm Trustwave for inadequately investigating and containing a 2014 data breach. The lawsuit not only marks the first time a security firm is sued over post-breach remediation efforts—it also highlights the complexities around managing cyber risk for high risk organizations in today's threat landscape. 

Filed under: cyber security, cyber risk, data breaches, digital resilience

The Mysterious Case Of The Leaked Voter Database

The election year is officially underway, but for non-voters and the apatheticanother reason not to register to vote has surfaced: on December 20th, 2015, a security researcher discovered a publicly exposed database of 191 million voter registrant records—names, addresses, dates of birth, phone numbers, party affiliations, state voter IDs, and more—posted online and freely accessible.

Filed under: cyber security, cyber risk, data breaches, hack, cyber attack

Top 10 Data Breaches Of 2015—A New Year's Day Retrospective

2015 may have come and gone, but the effects of last year's data breaches are far-reaching—for both millions of consumers and internet users as well as the companies and organizations whose systems were breached. Such events are no less devastating in terms of brand damage, and 2016 will undoubtedly bring forth a heightened collective security awareness in both organizations as well as consumers.

Filed under: cyber security, cyber risk, data breaches, hack

The OPM Data Breach And Threat Of Compromised Nuclear Data

The figures are staggering: 21.5 million records containing social security numbers, names, places of birth, addresses, fingerprints, and other highly sensitive personal data—stolen by cyber attackers.

Filed under: cyber security, cyber risk, data breaches, cyber attack

Sanrio's Data Leak And The New Data Privacy Normal For Minors

It's been barely a month since the VTech data breach resulted in the theft of over 6.4 million children's records, and yet another massive compromise affecting kids' data privacy is upon us—this time involving venerable children's toy and accessory brand Sanrio (of Hello Kitty fame). The data leak resulted in the exposure of details from more than 3 million user accounts: first/last names, birth dates, genders, countries, and email addresses, all openly available to the public. With children becoming prime targets for cyber criminals seeking low hanging fruit, companies that deal with and manage minors' data are increasingly under pressure to bolster their security controls and practices.

Filed under: cyber security, data breaches, hacked, cyber attack

The VTech Data Breach And Exploding Teddy Bears

What's the difference? The former offers no legal recourse, at least for now. Just in case you've been de-sensitized by the recent ongoing barrage of security compromises, the latest data breach involving electronics and educational toy manufacturer VTech is sure to instill new fear in the hearts of parental consumers, putting at stake the one thing they arguably hold nearest and dearest: the safety of their children.

Filed under: cyber security, cyber risk, data breaches, hack

Four Winds Casino Data Breach Is Not The First—Or The Last—Of Its Kind

There's a classic line (one out of many) in the movie Casino by DeNiro's character Ace Rothstein:

"Since the players are looking to beat the casino, the dealers are watching the players. The box men are watching the dealers. The floor men are watching the box men. The pit bosses are watching the floor men. The shift bosses are watching the pit bosses. The casino manager is watching the shift bosses. I'm watching the casino manager. And the eye-in-the-sky is watching us all.”

Filed under: cyber security, cyber risk, data breaches, hack, cyber attack

The Lucrative Rewards of Hacking Higher Education

In a news flash buried beneath a slew of other notable security news items, UCLA Health revealed last week it was the victim of a massive data breach that left 4.5 million patient records compromised. Like previous attacks on Anthem and Premera Blue Cross, the intrusion gave hackers access to highly sensitive information: patient names, addresses, date of births, social security numbers, medical conditions, and more. And while matters around healthcare IT have taken center stage as of late, the ineffective security at leading institutions of higher education and research is equally distressing.

Filed under: cyber security, data breaches, cyber attack

Your Secret's Safe With No One: Lessons Learned From The Ashley Madison Hack

For those of you harboring secrets behind a website paywall, a word of warning: your skeletons are now easy targets for cyber criminals and nefarious 3rd parties around the globe. The recent data breach and compromise of 3.5 million Ashley Madison user accounts may turn out to be largest case of broad-scale extortion the world has ever seen, but for many—the outcome is hardly surprising.

Filed under: cyber security, data breaches

Insights from Verizon's 2015 Data Breach Investigations Report

Every year, Verizon compiles data from a list of prominent contributors for its annual report highlighting trends and statistics around data breaches and intrusions from the past year. The 70-page Data Breach Investigations Report (DBIR) covers a myriad of data points related to victim demographics, breach trends, attack types, and more. Reviewing these shifting security trends can give indications as to how well-postured one’s organization is against future threats. And just in case you’ve got your hands full patching server vulnerabilities, we’ve done the legwork of expanding on a few critical key points from the report.

Filed under: cyber security, cyber risk, data breaches, cyber attack