Weekly podcast: Accenture, Disqus and Equifax (yet again)

This week, we discuss the exposure of four unsecured Accenture servers to the Internet, how Disqus handled its data breach, and bad news for Equifax’s UK customers.

Hello and welcome to the IT Governance podcast for Friday, 13 October 2017. Friday the thirteenth? Unlucky for some. Here are this week’s stories.

Chris Vickery, the security researcher who’s made his name identifying poorly secured servers and other Internet-connected devices, has discovered that the consulting giant Accenture “left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients”.

Vickery, now the director of cyber risk research at UpGuard, discovered the servers on Amazon Web Services’ S3 storage service on 17 September and promptly informed Accenture, which secured them the next day, according to ZDNet.

As UpGuard explains, “All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform” – which include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500.

“In the hands of competent threat actors,” UpGuard concludes, “these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”

At the end of last week, the online comment hosting service Disqus was alerted to a data breach affecting 17.5 million of its users from 2012. Information dating back to 2007, including “email addresses, Disqus user names, sign-up dates, and last login dates in plain text” was compromised, and “passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users” – i.e. approximately 5.8 million of them – were also accessed. SHA1 has been considered insecure for years now, and these passwords could conceivably be decrypted even though they were salted. Unfortunately for Disqus, it changed its password hashing algorithm to the more secure bcrypt in late 2012 – after this breach.

Troy Hunt, who informed Disqus about the breach, was impressed with its handling of the incident, specifically the speed of its response. Within 24 hours of his informing Disqus of the incident, it had reviewed the data and established its legitimacy, ensured there was no ongoing risk to its system, invalidated passwords that had been exposed, contacted affected users and prepared communications about the incident.

Cisco’s former CEO John Chambers is widely quoted as saying there are two types of companies: those that have been hacked and those that don’t know that they’ve been hacked. This isn’t just a glib soundbite, either: according to numerous studies, the vast majority of breaches are discovered externally and well after the event, immediately putting the affected organisations on the back foot as they scramble to deal with the aftermath. In this day and age, how you handle your response to a breach is everything.

As Hunt said: “This was a dark moment for Disqus and there’s no sugar-coating the fact that somehow, somewhere, someone on their end screwed up and they lost control of customer data. But look at the public sentiment after their disclosure; because of the way Disqus handled the situation, it’s resoundingly positive.”

As we’re talking about good and bad incident responses, it’s probably time for this week’s Equifax update – because it’s clear that that needs to be a weekly thing now. You’ll remember that Equifax was unclear about the number of British records affected by the data breach that occurred between 2011 and 2016, with initial estimates suggesting 400,000 UK customers had had their personal data exposed. On 8 September, the ICO suggested that Equifax investigate and alert UK victims “at the earliest opportunity”. This week, Equifax announced that it will soon be writing to 693,665 customers in the UK whose personal information was compromised.

Of these, 12,086 had their email address accessed; 14,961 had portions of their Equifax.co.uk membership details, such as their username, password, secret questions and answers, and partial credit card details accessed; 29,188 had their driving licence number accessed; and 637,430 consumers had their phone numbers accessed.

According to Equifax, a further 14.5 million records “may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed.”

Patricio Remon, Equifax’s president for Europe, said, “Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act. Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.”

The National Cyber Security Centre has advised that “If you have been told by Equifax that security details from your Equifax.co.uk membership account – such as password and secret questions – have been accessed, you should ensure those details are not used on any other accounts. NCSC advise that passwords are managed carefully across online services and more information can be found on the NCSC website.” You should also beware of phishing emails.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.