State of (in)security - Week 32, 2023
Take action: Educate on and push back against the "lazy human syndrome": storing credentials in source code instead of environment or parameter stores, attaching the sensitive source data to the summary report, sending emails to the wrong recipients for years, and ignoring a vulnerability for 5 years and then fixing it with the finesse of a bulldozer.
In the week between Aug. 7, 2023, midnight and Aug. 14, 2023, midnight we witnessed a total of:
- 14 advisory/vulnerability events
- 23 incident/data breach events
We also shared 2 practical knowledge items
Week over Week comparison of week 32 vs week 31 is a mixed bag:
- There is a slight upward trend in advisories and a slight downward trend in incidents: down 3 incidents, and up 5 critical vulnerabilities.
- There is a 10-fold jump in impacted individuals from data breaches.
Total impacted individuals via the events of the week
A total of 42,255,138 individuals were impacted across 10 incidents. The largest breach was "UK Electoral Commission hacked, Data of 40 million UK voters exposed", which exposed 40,000,000 individuals. Since not all incidents report the number of impacted individuals, the real number is definitely higher than that.
Cause breakdown of incidents
| Cause | Number of incidents |
|---|---|
| third party breach | 9 |
| ransomware | 4 |
| human error | 2 |
| email server breached | 1 |
| leaked source code | 1 |
| live data in exposed test system | 1 |
Industry breakdown of incidents
| Industry | Number of incidents |
|---|---|
| Healthcare | 8 |
| Government | 7 |
| Other | 2 |
| Insurance | 1 |
| IT/software | 1 |
| Military/Defense | 1 |
| Hospitality/Events | 1 |
| Finance | 1 |
| Education | 1 |
Read the Event Details of the Week
Knowledge
- awareness | Don't be lazy in patching - hackers love it - Zyxel, Fortinet and Magento examples
- awareness | Fun story, Serious Risk of data leak via email typos: US military emails go to Mali
Vulnerabilities
- critical vulnerability | Android patches 40 Vulnerabilities, 4 critical - but it may be a while before you get the patch.
- critical vulnerability | SAP releases twenty patches, two critical
- critical vulnerability | Impact on Industrial Automation: Unveiling Vulnerabilities in CODESYS V3 Software Development Kit
- critical vulnerability | Adobe patches over 30 vulnerabilities in Adobe Software suites
- critical vulnerability | Pixel 6 modem critical exploit - Google advises users to disable 2G on their phones
- critical vulnerability | Kadence Blocks plugin for WordPress patches critical Vulnerability
- critical vulnerability | Cryptocurrency flaws called 'BitForge' expose crypto wallets to theft
- critical vulnerability | Spring framework WebFlux High-Severity Access Control Vulnerability
- critical vulnerability | Siemens Fixes Vulnerabilities in Ruggedcom as well as Other Products
- critical vulnerability | AMD Zen systems vulnerable to 'Inception' data leak side channel attack
- critical vulnerability | Intel Patches vulnerability found in many generations of Processors
- critical vulnerability | Microsoft August Patch fixes 6 critical bugs, fixes two unpatched actively exploited issues
- critical vulnerability | PHP releases version 8.0.30, patching two critical vulnerabilities
- critical vulnerability | Lexmark printers vulnerability let hackers execute code, remotely play music
Incidents
- critical vulnerability | Source code and records of Integrated Road Accident Database of India breached
- data breach | Colorado Dept. of Health Care Policy reports MOVEit related data breach
- data breach | Russian missile and satellite developer breached by North Korean hackers
- data breach | Bank OZK reports MOVEit related Data Breach
- data breach | UK Electoral Commission hacked, Data of 40 million UK voters exposed
- data breach | State University of New York campuses reports MOVEit related data breach
- data breach | Brigham and Women's Hospital reports data breached via Tableau
- data breach | Jefferson County Health Center reports data breach
- data breach | Law firm Gunster, Yoakley & Stewart reports data breach
- data breach | Department of Human Services reports data breach of Child Care Works
- data breach | Hub International reports data breach
- data breach | Vermont Department of Financial Regulation impacted by MOVEit related data breach
- data breach | Radius Global Solutions exposes over 600,000 people through MOVEit breach
- data breach | Alberta Dental Service Corp reports data breach, exposing 1.5 million individuals, pays ransom
- data breach | Northern Ireland Police Services staff and civilians impacted by data breach
- data breach | Missouri Department of Social Services reports MOVEit related data breach
- data breach | Hospitality Staffing Solutions reports Data Breach, exposes over 100,000 individuals
- data breach | Jackson County Fire Rescue data leaked through MOVEit related data breach
- data breach | Lurie Children’s Surgical Foundation patients' data breached
- data breach | Johnson County ambulance service impacted by MOVEit data breach
- ransomware | Mayanei Hayeshua Medical Center targeted by ransomware, shuts down computers
- ransomware | Belt Railway Company of Chicago reports ransomware data theft
- ransomware | Rapattoni systems brought down by Ransomware