Expert Comments

ProctorU Breach: Expert Commentary

Expert(s): Security Experts
Expert(s): Security Experts

In response to the recent news about ProctorU’s data breach after a threat actor released a stolen database of user records, below are some insightful comments from cybersecurity experts on this topic.

Experts Comments

Dot Your Expert Comments
Chris Abbey
August 13, 2020
Incident Handling Manager
Red Canary

Individuals who are going to use proctoring software should take care to protect themselves before offering a third party this level of access to their computer.
Essentially, a remote proctoring service boasts many of the functionalities you would expect to find in a legitimate or malicious remote access tool. While this breach is said to have been limited to personal information, it raises the specter that compromising a remote proctoring service could grant an adversary some level of access to the customers of remote proctoring services like ProctorU. Individuals who are going to use proctoring software should take care to protect themselves before.....Read More
Essentially, a remote proctoring service boasts many of the functionalities you would expect to find in a legitimate or malicious remote access tool. While this breach is said to have been limited to personal information, it raises the specter that compromising a remote proctoring service could grant an adversary some level of access to the customers of remote proctoring services like ProctorU. Individuals who are going to use proctoring software should take care to protect themselves before offering a third party this level of access to their computer. For example, test-takers should limit the privilege level of the accounts where they’re using this sort of software and they should consider using a clean system that does not have access to any sensitive personal or work-related information. The same is effectively true of an organization that runs a remote proctoring service. Since they are potentially gaining access to very sensitive information, it’s very important that they have good IT hygiene and follow security best practices.  Read Less
Trevor Morgan
August 13, 2020
Product Manager
comforte AG

But the most damaging part of any data breach is the loss of trust and the brand reputation which can result from a data breach.
The mission of ProctorU is a good and beneficial one, ensuring that test-taking is fair and conforms to the rules. The irony in this data breach is that ProctorU specializes in monitoring (the testing process), but they overlooked the risks to their own data environment. Unfortunately, peoples’ private data is now compromised, and ProctorU must exert time, effort, and expenses in an attempt to mitigate the situation. But the most damaging part of any data breach is the loss of trust and the.....Read More
The mission of ProctorU is a good and beneficial one, ensuring that test-taking is fair and conforms to the rules. The irony in this data breach is that ProctorU specializes in monitoring (the testing process), but they overlooked the risks to their own data environment. Unfortunately, peoples’ private data is now compromised, and ProctorU must exert time, effort, and expenses in an attempt to mitigate the situation. But the most damaging part of any data breach is the loss of trust and the brand reputation which can result from a data breach. The cautionary tale here is to make sure that data itself is protected before a breach occurs. Perimeter-based defensive methods only go part of the way toward protecting data. Why? Threat actors always find a way around perimeter defenses and into a sensitive data environment. Therefore, responsible organizations should consider data-centric methods of security such as tokenization, which replaces sensitive data with meaningless representational tokens, to obfuscate the sensitive aspects of any data which falls into the wrong hands. The real strength of data-centric security like tokenization is that it travels with the data, so even if a threat actor winds up with it, nothing private and sensitive can be derived from it. It is worthless to those cheaters who would leverage it for their own gain.  Read Less
Adam Laub
August 11, 2020
CMO
STEALTHbits Technologies

Sadly, this breach event looks indistinguishable from virtually any other.
One of the more interesting fields of information buried in the schema details of the Proctoru.com database is “eu_citizen”. While one can’t say for certain based on the information provided, this field almost undoubtedly exists because of the groundbreaking EU GDPR data privacy regulation, which aims to hold all organizations collecting and storing the information of EU residents accountable for violations of that data’s privacy and security. Sadly, this breach event looks.....Read More
One of the more interesting fields of information buried in the schema details of the Proctoru.com database is “eu_citizen”. While one can’t say for certain based on the information provided, this field almost undoubtedly exists because of the groundbreaking EU GDPR data privacy regulation, which aims to hold all organizations collecting and storing the information of EU residents accountable for violations of that data’s privacy and security. Sadly, this breach event looks indistinguishable from virtually any other. However, the element of Data Privacy adds an even more frightening twist to the keepers of this stolen data, as it’s not just reputational damage, breach recovery costs, and the seemingly obligatory free credit monitoring fees for the breach victims that they need to worry about. Harsh fines and even market-restricting measures that prevent violators from doing business with EU entities could be the death knell for many businesses that suffer a breach, especially those that demonstrate an inability to comply with the requirements of regulations like GDPR or California’s CCPA.  Read Less
Saryu Nayyar
August 11, 2020
CEO
Gurucul

Companies cannot turn a blind eye to their own security gaps.
This is a case of who’s watching the watchers! The organization charged with watching students to discern bad behavior have themselves suffered from that very fate. Companies cannot turn a blind eye to their own security gaps. In this case, the gaps were dramatic enough to leak an entire database of student data. Time to rethink behavior analytics by monitoring for bad behavior both inside and outside the organization. Myopic security practices suffer from attacker blind spots.
Paul Taylor
August 11, 2020
ESCALATE Mentor
Point3 Security

Personally identifiable customer data needs to be protected against more and more sophisticated attacks.
This is another example of how exposed our digital lives have become. Personally identifiable customer data needs to be protected against more and more sophisticated attacks. Building a diverse security team that's trained to handle the ever-shifting vulnerabilities is essential to securing the data your company holds.

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...

Experts On Google Voice Outage

Expert Reaction On GCHQ To Use AI In Cyberwarfare

Comment: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab...