In June 2017 Nelson Berg wanted to buy a house in Amsterdam. He registered with a real estate agent and was asked to upload his passport, pay slips and bank statements into their online tool.
Most people would not have had any qualms about sharing such privacy-sensitive data, but Nelson Berg wasn’t your ordinary internet user. He happened to be a cybersecurity analyst and an ethical hacker. So he decided to check how secure the website actually was.
Not very secure, it turned out.
Berg quickly found a glaring vulnerability in the upload tool, through which he was able to run code and gain access to 80 databases belonging to other real estate agents using the same online tool. With a bit of hacking he was able to acquire over 300,000 documents containing the personal and financial data of people who had registered with the online tool.
The databases contain roughly 300,000 documents, which include copies of passports, employer statements, bank statements, pay slips and annual statements. - https://tweakers.net/nieuws/126599/lek-in-vastgoeddienst-gaf-toegang-tot-duizenden-nederlandse-paspoortkopieen.html
Keeping up appearances
Being the ethical hacker that he is, Berg immediately notified the developers of the online tool, Dutch software company EyeMove, about the data breach. On his website Berg writes that the company handled the situation “very professionally”.
We beg to disagree.
EyeMove’s reaction to Berg’s hack was a classic example of a company trying to keep up appearances. In order to avoid reputational damage, they downplayed the implications of the security breach. Unfortunately for them, the story of Berg’s hack was picked up by tech website Tweakers and even made the pages of the Financieele Dagblad, a major Dutch financial newspaper.
Unacceptable and irresponsible
It’s interesting to take a closer look at EyeMove’s reaction to Berg’s hack before the story made national headlines. Let this be a lesson to all companies handling privacy-sensitive data.
Ten days (!) after Berg’s notification, EyeMove issued a public statement on their website acknowledging the data breach. The company said that after patching the vulnerability and contacting the real estate agents whose databases were exposed, they had started an investigation to see whether any other attacks had taken place in the past. Since they found no traces of previous hacks, they concluded that Berg’s attack was the first and only one they had ever encountered. They backed up this claim by stating that, without deep knowledge of their systems, it was impossible for hackers to remove their traces.
This statement is problematic for two reasons. First of all, it came about a week too late, as the law requires data breaches to be reported within 72 hours. Secondly, the statement lacks evidence: we are expected to take the conclusion that no previous hacks took place purely at face value. That is not only unacceptable but also irresponsible, especially given the privacy-sensitive nature of the breached data.
It’s 2017, and the authorities are in enforcement mode. We really can’t get away with half-hearted measures anymore where privacy is concerned.
Stating that without deep knowledge of the systems it is impossible to remove all traces is not accepted in 2017.
- CubicEyes Data Breach Disclosure Timeline, Nelson Berg, https://nelsonberg.nl/disclosures/eye/
EyeMove’s statement would definitely not be accepted under the new General Data Protection Regulation (GDPR). The GDPR requires companies operating in the Netherlands to provide the Dutch government with evidence of the data breach, as well as information on exactly which data was stolen.
Although the GDPR only takes effect in May 2018, judges and legislative bodies already expect companies to comply with the new regulation. You have to be prepared to give a full and detailed disclosure when sensitive data that your company collects or processes has been compromised.
The law states that you must notify both the Authority and the User if the data breach is likely to affect the privacy of the person concerned. - Meldplicht Datalekken
So how do you prevent the kind of painful situation described above, which risks serious reputational damage to your company?
At BitSensor we’ve developed a groundbreaking new approach to cybersecurity that sits on the application itself, providing direct feedback about extracted data and attacks as they take place.
Most companies take an average of nine months to realize they’ve been hacked. With BitSensor software we bring the detection time down to fifty milliseconds.
The moment a hacker starts probing an application for vulnerabilities, BitSensor notices and builds a hacker profile. This profile is based on data such as browser settings, tools, timezone and login details. The moment the hacker launches an actual attack, our algorithms recognize the profile and immediately notify the organisation. The company can then take action, whether that is blocking the attack or observing the hacker in a sandbox environment to collect more data.
Half an hour
Once the hack is detected, our software stores all the hacker’s actions in an automated audit log that the company can send to the government as evidence once the attack is over. No extensive investigation is necessary. The company knows exactly what happened and when, and further chaos is averted. The whole procedure takes about half an hour, easily complying with the required 72-hour framework.
Our security software is especially suitable for financial institutions, insurance companies and government bodies, which deal with highly sensitive data on a daily basis.
Free emergency service
We’re happy to assist you in reducing damage, organisational chaos and legal work the moment you face a data breach, by providing a free emergency forensic service for half a day. In return we get a chance to train our algorithms. We’ll provide you with an extensive report on which data has been breached during this or previous attacks.
BitSensor finds hackers in 50 milliseconds. Contact us for more information.
The moment you face a data breach, BitSensor provides free emergency forensic services for half a day. We do this to train our algorithms. - Add Ruben on firstname.lastname@example.org to your crisis contact list
Before the breach: prevention using best practices
Since the hacker was able to exploit the databases without attracting any attention, the security measures taken to safeguard the sensitive data were clearly insufficient for the associated risk.
The hacker had full control over the application, yet was not detected by security measures such as an Intrusion Detection System, a Web Application Firewall or a self-made alerting mechanism. The Dutch government proposes sensible measures in its Guideline for Securing Web Applications. Another common guideline is the OWASP Top 10, a shortlist of ten common security pitfalls. Failing to adhere to the application security practices proposed in these industry-standard documents is in itself an indication that suitable security measures may be lacking.
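As an added illustration of the “self-made alerting mechanism” mentioned above (example code written for this article, not BitSensor’s or EyeMove’s software), the following Python script runs two simple detections over constructed web-server access-log lines: an accepted upload whose filename fails an extension allowlist, and a single client fetching an unusual number of distinct documents within a short window. It also keeps every request per client as a minimal audit trail of the kind the “Half an hour” section describes. The endpoint paths `/upload` and `/documents/<id>`, the log lines, the IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). They are illustrative
# input for the detector below, not real traffic from the incident described above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2017:14:02:11 +0200] "POST /upload?name=passport.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2017:14:02:40 +0200] "POST /upload?name=cmd.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2017:14:03:05 +0200] "GET /documents/1001 HTTP/1.1" 200 90210 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jun/2017:14:03:06 +0200] "GET /documents/1002 HTTP/1.1" 200 88012 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jun/2017:14:03:07 +0200] "GET /documents/1003 HTTP/1.1" 200 91000 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jun/2017:14:03:08 +0200] "GET /documents/1004 HTTP/1.1" 200 87500 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jun/2017:14:03:09 +0200] "GET /documents/1005 HTTP/1.1" 200 90100 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jun/2017:14:03:10 +0200] "GET /documents/1006 HTTP/1.1" 200 89900 "-" "python-requests/2.18"
198.51.100.4 - - [10/Jun/2017:14:05:00 +0200] "POST /upload?name=payslip.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2017:14:05:30 +0200] "GET /documents/2001 HTTP/1.1" 200 80000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png"}   # document types the (assumed) tool expects
DOC_RE = re.compile(r"^/documents/(?P<doc_id>\d+)$")  # assumed document download path


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def upload_is_suspicious(filename):
    """Allowlist check on every extension in the name, so 'report.pdf.php' is rejected as well."""
    parts = filename.lower().split(".")[1:]
    return not parts or any(ext not in ALLOWED_EXTENSIONS for ext in parts)


def analyse(log_text, window=timedelta(minutes=5), bulk_threshold=5):
    """Return {"alerts": [...], "audit": {ip: [records]}} for the given log text.

    Two detections: an accepted upload whose filename fails the allowlist, and a client
    fetching more than `bulk_threshold` distinct documents inside `window`.
    """
    audit = defaultdict(list)
    alerts = []
    doc_fetches = defaultdict(list)   # ip -> [(timestamp, doc_id)]
    bulk_flagged = set()              # alert once per client, not once per request

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        audit[ip].append(rec)   # every action per client is kept as the audit trail
        url = urlsplit(rec["path"])

        if rec["method"] == "POST" and url.path == "/upload" and rec["status"] == 200:
            name = parse_qs(url.query).get("name", [""])[0]
            if upload_is_suspicious(name):
                alerts.append({"ip": ip, "kind": "suspicious_upload", "time": rec["ts"], "detail": name})

        doc = DOC_RE.match(url.path)
        if rec["method"] == "GET" and doc and rec["status"] == 200 and ip not in bulk_flagged:
            fetches = doc_fetches[ip]
            fetches.append((rec["ts"], doc["doc_id"]))
            recent = {d for t, d in fetches if rec["ts"] - t <= window}
            if len(recent) > bulk_threshold:
                bulk_flagged.add(ip)
                alerts.append({"ip": ip, "kind": "bulk_download", "time": rec["ts"],
                               "detail": f"{len(recent)} distinct documents within {window}"})

    return {"alerts": alerts, "audit": dict(audit)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f'{a["time"].isoformat()} {a["ip"]} {a["kind"]}: {a["detail"]}')
    for ip, records in result["audit"].items():
        print(f"audit trail for {ip}: {len(records)} requests")
```

Run stand-alone, the script flags the constructed client 203.0.113.7 twice (an accepted upload of `cmd.php`, then six distinct document fetches in a few seconds) and leaves 198.51.100.4 alone. The point is the timeline: both alerts fire while the activity is happening, and the per-client audit trail is already assembled when the notification deadline starts running, instead of being reconstructed by a later investigation.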