Information Security Buzz
Expert(s): November 30, 2020
Prash Somaiya
Technical Program Manager
HackerOne

Comments Dotted : 6
November 18, 2020

Ticketmaster Fined £1.25m Over Payment Data Breach

Data breaches can cost millions in damages and fines.
The ICO’s decision is evidence of the changing times. Data breaches can cost millions in damages and fines, as well as have a devastating impact on customer trust. In fact, our research has studied the costs, lawsuits and fines associated with the data breach that affected TicketMaster in 2018 and compared it to the bounty prices associated with the third-party JavaScript vulnerability that was exploited in that breach. Had the vulnerability been identified and responsibly disclosed by hackers as part of a bug bounty program, the organisations would have only had to pay out between £4,149 - £8,328 based on average bug bounty prices. Surely this is a small price to pay when taking into account the fine now facing the company. Attack surfaces have increased as we continue to digitally transform and adapt, meaning it will always be a challenge trying to stay ahead of cybercriminals. To remain secure, organisations must identify where they are most vulnerable. By running bug bounty programs and using hackers to find the holes in their security, our customers have safely resolved over 180,000 vulnerabilities before a breach could occur. Through just an estimate of the pay-outs hackers have received for reporting similar vulnerabilities, our research highlights how companies can save millions and reduce risk by being proactive when it comes to identifying and patching their vulnerabilities.

May 20, 2020

UK airline easyJet data breach impacts 9M customers – expert commentary

If a hack leads to fines and loss of trust that will cost them at a time they really can't afford it.
So many organisations and businesses are facing threats to their very existence at the moment that cyber threats almost pale into insignificance compared to the other challenges. However, cybercriminals will take advantage of anyone taking their eye off the ball and could well be targeting industries and companies they think are struggling, knowing that budgets will be cut and focus will be elsewhere. Staying vigilant to any vulnerabilities that could provide an entry point to these opportunists needs to remain a priority - for the price of a bounty paid to a hacker for reporting anything they find, companies could save themselves far more than if a hack leads to fines and loss of trust that will cost them at a time they really can't afford it.

January 21, 2020

Expert On Breach: Regus Sales Staff Data Exposed After Huge Data Breach

Such a breach as this is so easily avoidable and like with many incidents, was simply caused by human error rather than anything malicious.
Such a breach as this is so easily avoidable and like with many incidents, was simply caused by human error rather than anything malicious. Where companies now rely on so many digital services to do all aspects of their work, they need to make sure that they extend identity management and security best practices to the third party agencies that they work with. Having a basic level of security practices regardless of a company’s function will start to be expected by customers wanting to do business and without offering those assurances, businesses could start to suffer if found to be lacking in security awareness and process. Regus and its supplier were quick to respond once discovered, which we can take as a demonstration of how seriously organisations are taking data breaches these days.

October 31, 2019

The World’s First Internet Domain Name Provider Confirms Data Breach – Expert Reactions

With the increasing pace of development, bugs are inevitably going to exist and will be exploited unless found.
Another day, another data breach. It's not a question of 'if' a company will be breached but 'when'. With the increasing pace of development, bugs are inevitably going to exist and will be exploited unless found and disclosed before they can cause a breach. For customers, while they do place trust in companies to keep their data secure, when they learn of a data breach like this, I’d recommend they also take precautionary steps to secure their data regardless of whether or not they think they’ve been affected to avoid any nasty surprise years down the line. Breaches like this also drive home the point that every company should have a formal process to accept vulnerability reports from external third parties. A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something.

September 25, 2019

Comments: vBulletin Flaw Zero-Day Now Has Script To Mass Identify Potential Victims

It looks like the Version 5 of vBulletin that has this issue is only in use by 6.4% of users so this risk is mitigated by… well… being out of date.
Having looked into this a little, it looks like the Version 5 of vBulletin that has this issue is only in use by 6.4% of users so this risk is mitigated by… well… being out of date. That does not mean these sites are safe, as there is a plethora of other vulnerabilities out there that affect versions below 5.0. Admins and site owners using vBulletin should check what version they're running and, if using Version 5, update it as soon as they can or this trivial issue could cause some major problems.

September 06, 2019

Chinese APT Group Targeting Fortinet And Pulse Servers

Everyone, on both sides of the coin, has a responsibility for security: companies need to alert and advise their customers.
Hackers, both white hat and black hat, collect huge amounts of data on their targets. They have a passive understanding of the types of services and systems that their targets are running. When a vulnerability is made public (as with Pulse and Fortinet), researchers are able to search through their data and find targets with the vulnerable software running. This enables them to exploit these systems incredibly quickly. However, a number of Pulse and Fortinet customers still haven’t installed patches that were released in April and May, respectively. In Fortinet’s case, they both failed to notify their customers of the flaw and make the subsequent patch accessible. Pulse on the other hand, took the right action: they sent a security advisory to their customers and requested a CVE. Therefore, it seems the unpatched flaws in their servers lie with the negligence of their customers. Everyone, on both sides of the coin, has a responsibility for security: companies need to alert and advise their customers and, in turn, the customers need to heed this advice.
