No, phishing is not the latest fashion. The airline apologizes for the customer data breach. Millions of students exposed to lending platform breach.
At a glance.
- No, phishing is not the latest fashion.
- The airline apologizes for the customer data breach.
- Millions of students exposed to lending platform breach.
No, phishing is not the latest fashion.
NordVPN has published the results of a survey in which it asked a thousand Americans about the impact of social engineering on their online habits. The report shows that while 51% of respondents are unaware of the term “social engineering” (and an alarming 31% thought it referred to a job title on social media), 84% have experienced social engineering behavior. The most frequent attacks include suspicious emails asking for their personal information (48%), suspicious texts (39%), persistent contextual advertisements (also 39%) and emails asking for professional or commercial information (37%). When successful, these phishing scams most often resulted in their email, social media, or financial accounts being blocked, their personal login details stolen, or their purchases lost. It’s encouraging to hear that many respondents are taking precautions to protect themselves from scams, with 61% avoiding suspicious links, 50% rejecting requests for financial data and 50% limiting the information they share on social media. However, there are still 6% who think phishing involves real fish, and another 5% who think it’s a dance move. There is always room for improvement.
The airline apologizes for the customer data breach.
India’s new commercial airline Akasa Air has revealed that it suffered a data breach that allowed an intruder to gain unauthorized access to customer data. India DNA reports that the airline, which is less than a month old, issued an apology to passengers and reported the incident to India’s Computer Emergency Response Team. Akasa explained that the breach was the result of a temporary technical misconfiguration related to its login and registration service, and that “certain Akasa Air registered user information limited to names, gender, email addresses and phone numbers may have been accessed by unauthorized persons. We can confirm that apart from the details above, no travel related information, travel records or payment information has been compromised.” The company added that its records revealed no indication of an “intentional hacking attempt”, but customers are advised to be wary of phishing attempts.
Millions of students exposed to lending platform breach.
Technology service provider Nelnet Servicing suffered a data breach that exposed the data of more than 2.5 million people. Nelnet provides technology services, including a web portal, for the Oklahoma Student Loan Authority and student loan provider EdFinancial, and the breach impacted students who use those services to access their loan accounts. Nelnet says unidentified intruders compromised its system in June, likely by exploiting a vulnerability, and kept access to its networks until July 22. The data concerned includes users’ full names, postal addresses, email addresses, telephone numbers and social security numbers, but fortunately no financial information has been disclosed. Bleeping Computer adds that the law firm Markovits, Stock & DeMarco has launched an investigation into the possibility of a class action.
We received a number of comments about the incident. Erfan Shadabi, cybersecurity expert at data security specialist Comforte AG, explained why higher education is, and will likely remain, a target for data theft:
“Given the wealth of personal information stored at universities and related higher education institutions, they will always be a likely target for cybercriminals. With an ever-increasing attack surface, building just another wall around the institution’s network or segment of sensitive data is not the best way to go. Ultimately, the most important thing to do is to protect student and employee data, rather than borders around this information. With modern solutions such as format-preserving encryption or tokenization, you can render any PII (including names, addresses, and IDs) or other data that you deem sensitive, even if they manage to break into your hardened perimeters and get their hands on them.”
Aaron Sandeen, CEO and co-founder of Cyber Security Works, thinks security teams need to up their game if they hope to prevent this type of breach:
“Security teams need to be smarter and act proactively before a breach like this happens. As this incident shows, it is no longer enough to block the attack as soon as it is detected. Crucial data such as names, addresses and social security numbers have already been exposed.
“IT administrators need to be aware of the risks and threats built into their systems. And they need to deal with them! More often than not, security incidents arise as a result of a well-known problem in a widely used service that has not been fixed despite a patch being released to the public for months or years. To prevent incidents such as the Nelnet breach, security teams should prioritize the proactive remediation of vulnerabilities that pose significant threats.”
Gal Helemski, CTO and co-founder of PlainID, noted that this type of breach has long-lasting effects and offers some advice on how to manage this risk:
“Data breaches as large as this have dire consequences for potentially years to come. It is time to strengthen all security infrastructures. When it comes to internal breaches where networks are compromised, identity remains the number one challenge. Organizations must embrace “Zero Trust”, which means not trusting anyone – not even known users or devices – until they have been verified and validated. Zero Trust provides this layer of unparalleled defense when it comes to defending internal systems.
“Access policies and dynamic permissions are a crucial part of the zero-trust architecture; they help verify who is requesting access, the context of the request, and the risk of the access environment. You cannot control human cyber hygiene and so the power of verification is demonstrated. Organizations need a more targeted strategy focused on purchasing the highest paying tools. Identity and authorization is where the smart money should go. If we assume that adversaries are already in the network, it makes sense to focus budgets on restricting movement inside the network.”
Arti Raman, CEO and Founder of Titaniam, describes how the breach happened and why it was worth it for the attackers:
“Hackers were able to compromise the servers of technology service provider Nelnet Servicing and obtain the information of 2.5 million people with student loans from the Oklahoma Student Loan Authority (OSLA) and EdFinancial by exploiting a vulnerability in the This incident, like the vast majority of incidents these days, shows us that attackers are able to infiltrate corporate networks even in cases where there has been a substantial investment in security. Inside, they seek to exfiltrate valuable data that can be used to generate revenue for them, either through extortion or simply by selling the data.
“It’s time for security leaders to recognize that in addition to prevention, detection and recovery solutions, the security program must include a robust plan to keep data out of the reach of attackers once they get there. This is where encryption-in-use, also known as data-in-use encryption, provides organizations with unparalleled immunity from data-driven cyberattacks. It enables sensitive information to be encrypted and protected even when actively in use, neutralizing any possible data leverage and significantly limiting the impact of a data breach.”