Today it was announced that Frost & Sullivan experienced a data breach exposing sensitive information such as first and last names, log in names, and hashed passwords. It was determined that the exposed folder was discovered during a daily monitoring routine and included the data of employees and clients among other tables that identify access as administrator.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
As we have seen many times, with this breach and larger ones [e.g. Equifax], organizations are not being breached by attacking their fortified front gates, but by finding a service door lying on rusty hinges. The three most important ways to avoid this kind of attack are coverage, coverage and coverage, to make sure all of your assets are safe, at least from trivial attacks. Having an amazing level of security that covers 99 percent of the organization isn\’t enough, when bad actors can easily sneak in through the other 1 percent.
Frost & Sullivan’s breach of over 12,000 customer and company records adds even more personal information to the dark web, including email addresses, login names and employee hashed passwords. As some hashed passwords can be easily deciphered, cybercriminals can use this information to log in to Frost & Sullivan’s database as the employee, gaining access to client personal information and other employee details. As enterprises across all industries have trusted Frost & Sullivan for over 60 years, the company has a responsibility to keep customer and employee data safe, as do all companies with a digital presence. Because usernames and passwords were compromised, attackers can leverage bots and credential stuffing to try these stolen login credentials across thousands (or hundreds of thousands) of websites in search of an opening. Because of this omnipresent and growing threat , there’s no way for any online organization to confirm the authorized user is the one logging in. Biometric authentication (using a person’s unique human traits to verify identity) is a more secure alternative to passwords, giving only the account owner access.