Cyber Intelligence Weekly

Cyber Intelligence Weekly (April 14, 2024): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight the various roles that we have open over here at Echelon! Please check out our LinkedIn page to see all the great roles and apply today!

Excited to announce the fourth installment of our "Chew On This" webinar series, where we'll tackle the intricate world of cybersecurity investment strategies tailored for diverse business portfolios!

Join us for this co-branded episode with Expel, where we'll uncover pivotal insights into effectively securing companies with multifaceted ventures.🎙️

Presented by Matt Donato, Partner at Echelon Risk + Cyber, and Paul Interval, Director of vCISO Services, we'll dissect critical questions surrounding cybersecurity integration within complex business structures. How should companies synchronize their cybersecurity efforts across diverse ventures?

Our distinguished guest, Greg Notch, CISO at Expel, brings extensive expertise in developing secure solutions to drive business strategy. As a seasoned information security and technology executive, Greg's insights will be invaluable in navigating the cybersecurity landscape for expanding portfolios.

🗓️ Save the Date: 📅 April 16th 🕑 12:00 - 12:45 PM ET

Don't miss out on this opportunity to gain practical strategies and perspectives to safeguard your business ventures against evolving cyber threats! Reserve your spot now and ensure your cybersecurity investment aligns with the dynamic needs of your expanding portfolio. Sign up here: https://www.linkedin.com/events/7178404402116898816/comments/

Away we go!

1. Credential Stuffing Strikes Roku: Over Half a Million Accounts Compromised

Roku, the well-known streaming video platform, has recently reported a substantial data breach affecting 576,000 accounts, a dramatic escalation from an earlier breach that impacted 15,000 accounts. This revelation came about as Roku was wrapping up its investigation into the initial security incident. The company had already informed affected customers of the first breach in early March and had been vigilantly monitoring account activity to safeguard user data. It was during this period of heightened scrutiny that the second, much larger breach was discovered. Interestingly, the breach was not the result of a direct hack into Roku’s systems but rather occurred through a technique known as “credential stuffing.” This method involves hackers using login credentials obtained from other breaches to gain unauthorized access to accounts.

In this latest incident, fewer than 400 of the compromised accounts experienced unauthorized transactions, which included purchases of streaming services and Roku hardware. Crucially, the attackers did not access sensitive financial information, such as full credit card details. In response, Roku has taken several steps to strengthen security and restore user trust. The company has reset passwords for the affected accounts and has begun notifying the account holders. Moreover, Roku, which boasts over 80 million active accounts globally, announced plans to implement two-factor authentication across all accounts as an additional layer of security to prevent future breaches.

This series of breaches highlights the ongoing challenges companies face in protecting consumer data against increasingly sophisticated methods employed by cybercriminals. For Roku and its users, the move towards more robust security measures, such as avoiding password reuse and enabling two-factor authentication, represents a critical step forward in safeguarding personal and financial information in an era where digital security threats are becoming more prevalent.

2. Congress Unveils APRA in Landmark Privacy Legislation Attempt

The United States Congress is on the brink of a potentially transformative move in online privacy with the introduction of the bipartisan American Privacy Rights Act (APRA). This new legislative proposal aims to establish a comprehensive data privacy framework at the federal level, a goal that has eluded lawmakers for decades due to persistent partisan divides. APRA seeks to restrict the types of consumer data companies can collect, store, and use—limiting it strictly to what is necessary for the operation of their services. Moreover, the bill would empower users with the ability to opt out of targeted advertising and manage their online data by viewing, correcting, deleting, or downloading it. Notably, the proposal includes the creation of a national registry for data brokers and mandates that these brokers allow users to opt out of the sale of their data.

The push for APRA comes after previous efforts faltered amid disagreements over state-level preemption and the extent of private rights of action, which would allow individuals to sue for privacy violations. The current draft of APRA appears to balance these concerns by permitting states to enact their own privacy laws in certain areas while also incorporating provisions from California’s privacy law that allow individuals to sue over data breaches. This approach has garnered cautious optimism from key legislative figures, including Maria Cantwell and Cathy McMorris Rodgers, who believe the draft addresses long-standing concerns while preserving stringent state-level protections in places like California and Illinois.

The legislative journey for APRA is far from over, as it remains a discussion draft with no set date for formal introduction. As it stands, lawmakers are engaging with their colleagues and relevant stakeholders to refine the proposal, with the aim of moving it through committee stages soon. This comprehensive approach to data privacy reflects a growing recognition of the need for robust protections in an increasingly digital world, balancing business interests with consumer rights and security.

3. Customer Turmoil Following Sisense's Vague Breach Announcement

Following a recent security breach announcement, Sisense, a data analytics company, has faced a deluge of inquiries and demands for clarity from its customers. The concerns started to surface Wednesday evening when the company’s Chief Information Security Officer (CISO) acknowledged that certain information had leaked to a “restricted access server.” Customers were promptly advised to change their credentials used with the Sisense application. However, the lack of detailed information provided in subsequent updates has only fueled customer frustrations. On Thursday, Sisense issued another advisory urging customers to reset all related keys, tokens, and other credentials, but failed to disclose specifics about the breach’s nature, the perpetrators, or the extent of the data compromised.

The situation escalated on the company’s technical troubleshooting message board, where numerous customers expressed their dissatisfaction and confusion over the sparse details released. The breach's potential impact is particularly concerning given Sisense’s clientele, which includes major corporations like Philips Healthcare, Verizon, Nasdaq, and Air Canada—all of which rely on Sisense to manage significant volumes of sensitive data. Amidst growing customer unrest, the Cybersecurity and Infrastructure Security Agency (CISA) has stepped in, echoing Sisense’s recommendations for stringent security measures and confirming its collaboration with private industry partners to mitigate the breach’s effects.

The breach reportedly originated from a hack into Sisense’s GitLab code repository, according to cybersecurity journalist Brian Krebs, who cited sources claiming that hackers gained access to credentials and subsequently infiltrated cloud servers holding customer data, allegedly exfiltrating several terabytes worth of information. This incident underscores the vulnerability of software suppliers in the digital ecosystem, highlighting the massive potential impact of such breaches across various industries. Chris Hughes, a chief security advisor and Cyber Innovation Fellow at CISA, commented on the significance of the breach, noting that attackers strategically target software suppliers because of the rich data troves they possess and their often insufficient security measures.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
