When it comes to ensuring the security of large organizations, relying on third-party vendors can be a risky proposition. Yes, use of third-party services has become the norm for many organizations, but not all these services are created equal. Some of the vendors behind these services do not value security in adequate ways. This week, Uber suffered yet another data breach. This time, it was the result of attackers gaining unauthorized access to the Amazon Web Services server of a third-party vendor. This third-party was Teqtivity, which provides asset management and tracking services to Uber. The threat actor was "UberLeaks," who posted the data (including employee email addresses, corporate reports, and IT asset information) on the BreachForums hacking forum. One could argue that this is old news, as Uber has suffered several recent breaches. However, the reality that this was the result of entrusting a thirty-party vendor with their data is of note. Relying on third-party services and apps is a security blindspot that looks to be on the rise for 2023. When companies make decisions to use these services, they should consider if these third parties are serious about cybersecurity.
Educational apps can be marvelous tools for teaching children. In the age of COVID, they allow children to remotely learn the knowledge needed to succeed in school. Additionally, these apps let kids become familiar with technology from an early age. However, educational apps are not a wholly charitable industry. Realizations about how these apps turn a profit might have parents second-guessing their value. A study by the nonprofit Internet Safety Labs has found that 96% of apps used in US K-12 schools share students' personal information with third parties, including advertisers, without the students' or schools' knowledge or consent. The study found that Google was the most common third party to receive data, with 70% of all apps observed sending data to Google. Due to revelations like this, there has been a growing push to curb the information-gathering abilities of tech aimed at children. In May, the FTC issued a warning against companies that harvest data from their educational technologies, saying they will be prosecuted under the Children’s Online Privacy Protection Act of 1998. Whether this is an idle threat remains to be seen, but for cautious parents, maybe your child’s education need not be digitized.
Ransomware attacks can target victims as singular as a person or as massive as a multinational corporation. Still, you rarely hear of them targeting an entire city. Such was the case of Antwerp, Belgium, which was hit by a cyber attack on its digital provider, Digipolis, disrupting a wide variety of city services. The ransomware attack (carried out by the Play ransomware group) disrupted all Windows operations in the city, causing several issues. Phone, email, and decision-making platforms were down, and the attack comprised the Antwerp Healthcare Company's software, which tracks who should receive medication in 18 residential care centers. Thankfully, prescriptions were able to be filled by hand. Still, the risk of patients being unable to get their medication in time is a dangerous proposition, one that echoes the recent Sobey’s hack in Canada. It is unclear when the city's IT systems will be back up and running. Municipal security professionals everywhere should be lucky that this attack proved more of a nuisance than a catastrophic blow to Antwerp’s operations.