Digital banking app and tech unicorn Dave.com confirmed in a blog post a security breach affecting 7,516,625 users, whose data was posted on a public forum. Dave said this breach is due to their former business partner, Waydev, an analytics platform used by engineering teams.
The data breach of Dave’s customer information highlights the dangers of improper IT security vendor management. Failing to quantify the risk of granting 3rd parties access to sensitive data leads to lax controls and monitoring by many organizations. As part of an effective vendor management program, all business partners that interact with sensitive systems or data should be contractually bound to regularly demonstrate that they are following information security best practices and have regular security testing or “ethical hacking” performed against their environment. The root cause of the breach at Waydev was a blind SQL injection attack that should have been caught by regular penetration tests and would have prevented this particular breach if remediated.
The latest hack by ShinyHunters reflects the serious challenges posed by network visibility and user access. Despite the fact that digital banking app Dave no longer worked with Waydev, compromised OAuth tokens used by Waydev exposed the information of 7.5 million Dave users, including their real names, phone numbers, emails, birth dates and home addresses as well as encrypted Social Security numbers.
Dave is far from alone in struggling to manage vulnerabilities across a rapidly growing digital infrastructure. According to a recent report, nearly half (46%) of organizations find it hard to tell which vulnerabilities are real threats versus ones that will never be exploited. This leaves security teams flying blind when it comes to prioritizing risk and leaves organizations vulnerable to unexpected attacks, such as those exploiting a breach at a former third-party partner with access to sensitive data. To manage risk across their networks as well as a growing array of partners, the enterprise needs tools that can monitor and prioritize vulnerabilities across the entire threat ecosystem, particularly areas with low visibility like user management.
There are two important things to keep in mind here. First, the security of your 3rd party partners is just as important as your own security. We see this over and over again in high profile breaches, including last year’s FBI, Facebook, and Quest Diagnostics breaches. Second, SQL Injection is a threat that’s been around since the inception of the OWASP Top 10 list — so it should be troubling that an estimated 25% of breaches last year started with an SQL Injection attack. Organizations need to do a few things to better protect themselves against SQL vulnerabilities – a) implement better coding practices to prevent SQL Injection, b) do better testing for SQL Injection vulnerabilities before code makes it to production, and c) have protection against SQL Injection attacks during runtime.
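The two code-level controls in that list, (a) parameterised queries and (b) a pre-production regression test, look like this in practice. The following is an added example written for this article, not code from Dave, Waydev or the quoted commentators; the table, user names and the `find_user_*` / `leaks_on_tautology` function names are constructed for illustration and use only Python's standard `sqlite3` module.

```python
import re
import sqlite3

# Constructed sample data standing in for a customer table (not any real schema).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The defect: user input is spliced into the SQL text, so it can rewrite
    the WHERE clause instead of being compared as a value."""
    query = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Control (a): a parameterised query. The driver binds the value separately
    from the statement, so the input can never alter the SQL grammar."""
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Allow-list for usernames; an assumed policy, added as defence in depth.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def find_user_hardened(conn, username):
    """Parameterisation plus input validation: anything outside the allow-list
    is rejected before it reaches the database at all."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return find_user_safe(conn, username)


def leaks_on_tautology(conn, lookup):
    """Control (b): a regression check to run in CI before code ships. A lookup
    for a non-existent user wrapped in a classic tautology must return no rows;
    if it returns anything, the lookup is injectable."""
    payload = "nosuchuser' OR '1'='1"
    try:
        rows = lookup(conn, payload)
    except ValueError:
        return False  # input rejected outright, which is also acceptable
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    for fn in (find_user_vulnerable, find_user_safe, find_user_hardened):
        print(f"{fn.__name__}: injectable={leaks_on_tautology(db, fn)}")
```

Running the module prints `injectable=True` only for the string-concatenation version; the same `leaks_on_tautology` check can be wired into a test suite so that any future lookup that falls back to string formatting fails the build rather than reaching production.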
This breach demonstrates the importance of vetting third parties and implementing security best practices across the entire supply chain. This is not the first time nor will it be the last that cybercriminals circumvent an organisation’s security measures by individuating the weakest link and exploiting it as an entry point. It is essential for companies to design their environment with least privilege in mind and to review the access permissions they grant on a regular basis.
Dave users whose details might be included in the database of stolen credentials should be cautious of any email they receive, no matter how legitimate the message might look. The wealth of personal information included in the database means that attacks could be designed to be extremely convincing, which is why users are encouraged to type URLs in their browser rather than following a link.
The data breach at Dave is probably among the last things people who are already struggling financially need to hear. It’s good to hear that Dave hashed passwords with Bcrypt, and they are confident no financial information was stolen, but the fact that names, emails, birth dates, home addresses, and phone numbers were exposed does make this a significant breach as it gives criminals enough information to steal identities, take out loans on the victims’ behalf, or use the information to authenticate themselves to other services.
Dave claims that the breach occurred through a third party. While this may be true, the fact remains that whenever an organisation outsources any part of its operation to a third party, be it physically or in the cloud, they are still responsible for the security of the data and need to put in place comprehensive security controls with the third party as well as gain assurance those controls are working correctly.
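The recurring point across the comments above (a former partner's OAuth tokens still working, least-privilege design, and regular review of granted permissions) comes down to a periodic access review of third-party grants. The block below is an added example for this article, not Dave's or Waydev's tooling: the `VendorGrant` record, the vendor names, the 90-day staleness window and the `ALLOWED_SCOPES` baseline are all assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class VendorGrant:
    """One OAuth grant issued to a third party (constructed record shape)."""
    vendor: str
    token_id: str
    scopes: frozenset
    last_used: date
    contract_active: bool


# Assumed least-privilege baseline: what an engineering-analytics vendor
# actually needs. Anything beyond this is flagged for narrowing.
ALLOWED_SCOPES = frozenset({"read:commits", "read:pull_requests"})

# Assumed policy: a token nobody has used for 90 days should not exist.
STALE_AFTER = timedelta(days=90)


def review_grants(grants, today):
    """Return {token_id: [reasons]} for every grant that should be revoked or
    narrowed. A grant with no findings is simply absent from the result."""
    findings = {}
    for g in grants:
        reasons = []
        if not g.contract_active:
            reasons.append("vendor relationship ended; revoke")
        if today - g.last_used > STALE_AFTER:
            reasons.append(f"unused for more than {STALE_AFTER.days} days; revoke")
        excess = g.scopes - ALLOWED_SCOPES
        if excess:
            reasons.append("excess scopes, narrow: " + ", ".join(sorted(excess)))
        if reasons:
            findings[g.token_id] = reasons
    return findings


# Constructed sample inventory (hypothetical vendors and token ids).
SAMPLE_GRANTS = [
    VendorGrant("analytics-vendor-a", "tok-001",
                frozenset({"read:commits", "read:pull_requests"}),
                date(2020, 7, 20), contract_active=True),
    VendorGrant("former-vendor-b", "tok-002",
                frozenset({"read:commits", "repo:admin"}),
                date(2020, 1, 5), contract_active=False),
    VendorGrant("ci-vendor-c", "tok-003",
                frozenset({"read:commits", "write:deploy_keys"}),
                date(2020, 7, 1), contract_active=True),
]


if __name__ == "__main__":
    for token_id, reasons in review_grants(SAMPLE_GRANTS, date(2020, 7, 25)).items():
        print(token_id)
        for r in reasons:
            print("  -", r)
```

The useful property of running this on a schedule rather than at offboarding time is that it catches the case the article describes: a contract that ended without anyone revoking the token. Feeding it the real grant inventory from your identity provider's or code host's API is the only integration step; the decision logic stays the same.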