In response to the recent news about ProctorU’s data breach after a threat actor released a stolen database of user records, below are some insightful comments from cybersecurity experts on this topic.
In response to the recent news about ProctorU’s data breach after a threat actor released a stolen database of user records, below are some insightful comments from cybersecurity experts on this topic.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
This is another example of how exposed our digital lives have become. Personally identifiable customer data needs to be protected against more and more sophisticated attacks. Building a diverse security team that\’s trained to handle the ever-shifting vulnerabilities is essential to securing the data your company holds.
This is a case of who’s watching the watchers! The organization charged with watching students to discern bad behavior have themselves suffered from that very fate. Companies cannot turn a blind eye to their own security gaps. In this case, the gaps were dramatic enough to leak an entire database of student data. Time to rethink behavior analytics by monitoring for bad behavior both inside and outside the organization. Myopic security practices suffer from attacker blind spots.
One of the more interesting fields of information buried in the schema details of the Proctoru.com database is “eu_citizen”. While one can’t say for certain based on the information provided, this field almost undoubtedly exists because of the groundbreaking EU GDPR data privacy regulation, which aims to hold all organizations collecting and storing the information of EU residents accountable for violations of that data’s privacy and security. Sadly, this breach event looks indistinguishable from virtually any other.
However, the element of Data Privacy adds an even more frightening twist to the keepers of this stolen data, as it’s not just reputational damage, breach recovery costs, and the seemingly obligatory free credit monitoring fees for the breach victims that they need to worry about. Harsh fines and even market-restricting measures that prevent violators from doing business with EU entities could be the death knell for many businesses that suffer a breach, especially those that demonstrate an inability to comply with the requirements of regulations like GDPR or California’s CCPA.
Essentially, a remote proctoring service boasts many of the functionalities you would expect to find in a legitimate or malicious remote access tool. While this breach is said to have been limited to personal information, it raises the specter that compromising a remote proctoring service could grant an adversary some level of access to the customers of remote proctoring services like ProctorU.
Individuals who are going to use proctoring software should take care to protect themselves before offering a third party this level of access to their computer. For example, test-takers should limit the privilege level of the accounts where they’re using this sort of software and they should consider using a clean system that does not have access to any sensitive personal or work-related information.
The same is effectively true of an organization that runs a remote proctoring service. Since they are potentially gaining access to very sensitive information, it’s very important that they have good IT hygiene and follow security best practices.
The mission of ProctorU is a good and beneficial one, ensuring that test-taking is fair and conforms to the rules. The irony in this data breach is that ProctorU specializes in monitoring (the testing process), but they overlooked the risks to their own data environment. Unfortunately, peoples’ private data is now compromised, and ProctorU must exert time, effort, and expenses in an attempt to mitigate the situation. But the most damaging part of any data breach is the loss of trust and the brand reputation which can result from a data breach.
The cautionary tale here is to make sure that data itself is protected before a breach occurs. Perimeter-based defensive methods only go part of the way toward protecting data. Why? Threat actors always find a way around perimeter defenses and into a sensitive data environment. Therefore, responsible organizations should consider data-centric methods of security such as tokenization, which replaces sensitive data with meaningless representational tokens, to obfuscate the sensitive aspects of any data which falls into the wrong hands. The real strength of data-centric security like tokenization is that it travels with the data, so even if a threat actor winds up with it, nothing private and sensitive can be derived from it. It is worthless to those cheaters who would leverage it for their own gain.