Data Breaches in 2022: A Lesson For Monitoring Contractors

There has been an unprecedented amount of data breaches this year, many resulting in the theft of source code. This is a timely reminder of the importance of monitoring contractors given that they make up a large amount of the software designers and programmers who are creating the code, often on their own devices and  away from their employer’s office. IT security risks are greater with contractors than with internal personnel. Accidental data exposure and the lack of understanding of IT security policies and procedures are the risks most closely associated with agency contractors and temporary personnel. Below we look at a few of the incidents from this year and how an organization can prevent these attacks happening. 

1. Toyota

Toyota admitted it put 296,019 email addresses and customer management numbers of folks who signed up for its T-Connect assistance website at risk of online theft. The automaker explained that an outsourced developer tasked with building T-Connect uploaded the source code for the site to a GitHub public repo in December 2017 and went unnoticed until September 15, 2022. Once Toyota looked at that source code, the manufacturing giant realized this public-facing code repository contained an access key to a server that stored customer data. That server was therefore also open to the world.

Toyota said it hasn’t noticed any unauthorized use of data but warned customers to remain vigilant of spoofing or phishing scams. To mitigate the fallout of the breach, the company removed third-party access to the server, changed the access keys, and changed the GitHub repository to private.

2. Red Cross

On Jan. 18, the International Committee of the Red Cross revealed that the organization had experienced a data breach. This attack resulted in a loss of personal data for more than a half a million people—many in vulnerable positions—including names, locations, and contact information. The hackers attacked a contractor in Switzerland that was storing this data. As a result, the Red Cross was temporarily forced to halt a program that helps reunite families torn apart by armed conflict, migration, natural disasters, and other tragedies.

It said the hackers targeted an external company in Switzerland that the ICRC contracts to store data. There was no evidence so far that the compromised information had been leaked or put in the public domain.

The ICRC said its “most pressing concern” was the “potential risks that come with this breach – including confidential information being shared publicly – for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families”.

3. Go To & Last Pass

Remote access and collaboration company GoTo suffered a security breach where hackers gained access to their development environment and third-party cloud storage service.

The company says they first learned of the incident after detecting unusual activity in their development environment and third-party cloud storage service.

“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.”

This incident also affected GoTo subsidiary LastPass where hackers accessed customer information through the same cloud storage breach. LastPass also revealed in September 2021 that hackers had access to their internal network for four days during an August cyberattack where threat actors stole source code.

4. Dropbox

A threat actor gained access to some Dropbox source code which was contained within 130 GitHub code repositories. The Dropbox security team became aware of a phishing campaign apparently targeting staff. The phishing email purported to originate from the code integration and delivery platform, CircleCI; a company used by Dropbox for specific internal code deployments. “While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes,” the report stated. 

The phishing emails used realistic-looking templates directing the recipients to a website that appeared to be a CircleCI login page where they were directed to enter GitHub account credentials. Although protected by a second authentication challenge (in this case, a hardware authentication system to generate a one-time password) the threat actor was able to eventually succeed in using both to access “one of our GitHub organizations where they proceeded to copy 130 of our code repositories,” the security team confirms. However, at  no time did the threat actor have access to anyone’s Dropbox account, passwords or payment information.

5. Cash App

Cash App went public with a data breach on April 4. Losses included names and account numbers for more than 8 million users. A former Cash App employee downloaded reports that contained American users’ personal information—specifically, users of Cash App Investing were affected. To address the issue, Cash App contacted all former and current users of the feature so they could answer users’ questions and provide resources and information. They also notified law enforcement about the breach, and advised all users of Cash App to change their passwords and utilize two-factor authentication.

Monitoring Contractors 

Third-party and contract monitoring is a way to ensure external vendors stay within their scope and are only performing their assigned tasks. This allows for more flexible access without sacrificing security. Having monitoring software eliminates “who did what?” doubts, confirms SLA agreements and eases vendor billing verification. In addition, it can also provide monitoring and auditing as part of the overall risk management and regulatory compliance.

TSFactory’s RecordTS v6 will record Windows remote sessions reliably and securely for RDS, Citrix and VMware systems. Scalable from small offices with one server to enterprise networks with tens of thousands of desktops and servers, RecordTS integrates seamlessly with the native environment.

Click here to learn more about secure remote session recording.