<p>Security researcher Jeremiah Fowler, together with the Website Planet research team, discovered a database with no password protection that contained 822,789 records. The dataset held detailed information on trucking and transport companies and on individual drivers. The data appeared to relate to credit accounts, loans, repayments, and debt collections, and it included banking information and tax ID numbers. Many of the tax IDs were consistent with Social Security numbers (SSNs) and were stored in plain text.</p>
<p>As 2021 wound down, many of us in the cybersecurity industry made predictions about continued attacks against targets positioned within supply chains. The reasons for this are pretty straightforward: threat actors want to generate havoc, confusion, and pressure placed against the target of attack. Nothing puts pressure on an enterprise quite like a supply chain, with multiple suppliers and vendors pushing products along the line to ready consumers, who definitely feel the pain when the supply chain is disrupted. For any organization within a supply chain, then, the writing is on the wall. A data breach isn’t a matter of if but when.</p>
<p>These predictions give context to the report that Jeremiah Fowler and the Website Planet research team discovered an unprotected database filled with hundreds of thousands of records and what appeared to be ample sensitive information related to the trucking and transport industry. An organization called TransCredit, which produces “trustworthiness” reports for the industry, was purportedly referenced multiple times within the dataset, alongside account information, tax IDs, and potentially SSNs, all of which were stored in plaintext. Perhaps the missing password protection was human oversight, which remains a major cause of data breaches, but the fact that such sensitive information was not guarded with data-centric protection—tokenization or format-preserving encryption applied directly to the data—is a huge risk to any organization, and especially to one within a supply chain.</p>
<p>Enterprises should take away a very clear lesson: perform the proper due diligence with an audit of your defensive posture, and with an eye toward overlooked unprotected sensitive data. Where that data exists, consider tokenizing or encrypting it with format-preserving protection, either of which enables protected data to be handled within the organization without the need for de-protection. The alternative may hit your organization like a Mack truck.</p>
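<p>The two steps the paragraph above recommends, auditing a dataset for plaintext SSN-shaped values and then protecting them so downstream processing never needs the plaintext, are shown below as an added example. This is illustrative code written for this page, not code from TransCredit, Website Planet, or the exposed database. It uses vault-based tokenization that preserves the SSN format (one of the two options the text names; format-preserving encryption such as FF1 would give the same property without a lookup table), and the records, the <code>tax_id</code> field name, and the company names are all constructed sample data.</p>

```python
"""
Added example (not from the page or from TransCredit / Website Planet):
vault-based, format-preserving tokenization of SSN-style tax IDs, plus the
audit check and the "process tokens, never plaintext" workflow the text
describes.  The sample records below are constructed, not real data.
"""
import re
import secrets

SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")
SENSITIVE_FIELDS = ("tax_id",)  # assumption: the column holding SSN-like values


class TokenVault:
    """Maps each plaintext value to a random token of identical format.

    Tokenization is deterministic per value (the same SSN always yields the
    same token), so joins, de-duplication and counts work on tokens alone.
    Only the vault can reverse a token, so a leaked record set reveals nothing.
    """

    def __init__(self):
        self._to_token = {}
        self._to_plain = {}

    @staticmethod
    def _random_ssn_shaped() -> str:
        return "{:03d}-{:02d}-{:04d}".format(
            secrets.randbelow(1000), secrets.randbelow(100), secrets.randbelow(10000))

    def tokenize(self, value: str) -> str:
        if not SSN_FORMAT.match(value):
            raise ValueError("value does not look like an SSN-style tax ID")
        if value in self._to_token:
            return self._to_token[value]
        token = self._random_ssn_shaped()
        # Never reuse a token, and never hand out a token equal to a known plaintext.
        while token in self._to_plain or token in self._to_token:
            token = self._random_ssn_shaped()
        self._to_token[value] = token
        self._to_plain[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_plain[token]

    def is_token(self, value: str) -> bool:
        return value in self._to_plain


def find_unprotected(records, vault):
    """Audit step: flag SSN-shaped values that are not tokens issued by the vault."""
    hits = []
    for idx, rec in enumerate(records):
        for field in SENSITIVE_FIELDS:
            val = rec.get(field)
            if isinstance(val, str) and SSN_FORMAT.match(val) and not vault.is_token(val):
                hits.append((idx, field))
    return hits


def protect_records(records, vault):
    """Replace sensitive fields with tokens; returns new records, originals untouched."""
    out = []
    for rec in records:
        rec = dict(rec)
        for field in SENSITIVE_FIELDS:
            if field in rec:
                rec[field] = vault.tokenize(rec[field])
        out.append(rec)
    return out


def loans_per_tax_id(records):
    """Downstream processing that needs no de-protection: count credit lines per ID."""
    counts = {}
    for rec in records:
        counts[rec["tax_id"]] = counts.get(rec["tax_id"], 0) + 1
    return counts


SAMPLE_RECORDS = [  # constructed sample data, not the exposed dataset
    {"company": "Example Haulage LLC", "tax_id": "123-45-6789", "loan_usd": 25000},
    {"company": "Example Haulage LLC", "tax_id": "123-45-6789", "loan_usd": 8000},
    {"company": "Sample Freight Co", "tax_id": "987-65-4321", "loan_usd": 41000},
]


def demo():
    """Returns (plaintext hits before, hits after, whether token-side counts match)."""
    vault = TokenVault()
    before = len(find_unprotected(SAMPLE_RECORDS, vault))
    protected = protect_records(SAMPLE_RECORDS, vault)
    after = len(find_unprotected(protected, vault))
    # The grouping result on tokens equals the plaintext result, with no de-tokenizing
    # needed by the process itself; the vault is consulted here only to compare.
    plain_counts = loans_per_tax_id(SAMPLE_RECORDS)
    token_counts = {vault.detokenize(t): n for t, n in loans_per_tax_id(protected).items()}
    return before, after, plain_counts == token_counts


if __name__ == "__main__":
    print(demo())
```

<p>Because the tokens keep the SSN shape, a purely pattern-based scanner cannot tell protected from unprotected values; the audit therefore asks the vault whether a value is one of its tokens. The vault itself is the secret that must be guarded, which is the trade-off against format-preserving encryption, where a key takes that role instead of a lookup table.</p>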