Database Security Digest – November 2018

Please take a look at the biggest database security incidents of November 2018.

Voxox

Voxox, a San Diego communications provider, has leaked a database containing at least 26 million text messages, most of them password reset links, two-factor authentication codes and shipping notifications.

It was found that the database was not password protected, which resulted in the exposure of sensitive personal data: phone numbers, messages containing two-factor authentication codes, etc. What made this leak more dangerous is that the messages were being exposed in near real time.

Such information is very useful to criminals engaged in account hijacking. The root cause of this exposure is that the database was not protected with a password, which is the very first step in securing data.

It’s impossible for humans to carry out continuous monitoring of all proprietary IT assets. Only a machine can do that! DataSunrise Database Security Suite has several modules that can do that and much more! Please download your trial version right now!

US Postal Service

The account details of 60 million US Postal Service customers have been exposed due to an API vulnerability.

USPS offered businesses a service called “Informed Visibility”, which allowed them to get tracking data on packages in near real time. But the same API also enabled anyone logged into the company’s official website to query the account details of any other user of the website and even change some sensitive information.

According to researchers, any potential cybercriminal could get access to email addresses, usernames, user IDs, account numbers, street addresses and phone numbers.

The researchers also say that the API developers omitted a key element of cybersecurity when designing the API: access controls.

USPS claims that the potential data exposure has not been used in any criminal endeavor and that it is taking this incident very seriously.

Atrium Health

Atrium Health, a healthcare and wellness program provider, formerly known as Carolinas HealthCare Systems, has made an announcement about a massive data breach. After the company’s third-party vendor AccuDoc was hacked, Atrium Health announced that about 2.65 million patient records had been potentially compromised. The exposed data includes the patients’ insurance details, medical record numbers, invoice numbers, addresses, dates of birth and social security numbers.

IT security researchers say that third-party risk management is a very important problem nowadays. Your company’s database protection can be very efficient, but when it comes to sharing proprietary data with third parties, big problems may arise. So companies should be very careful when choosing a vendor or partner, or when expanding the business.

A forensic investigation has been started by both companies.

Marriott

Marriott, the famous hotel chain, has confirmed that sensitive details of 500 million of its customers may have been compromised.

In its official statement the company says that in September 2018 Marriott was alerted by an internal security tool about an attempt to access one of its guest reservation databases. The company immediately started an investigation to understand what was happening.

Marriott soon learned that somebody had had unauthorized access to its internal network since 2014. The accessed information had been copied and encrypted, and steps had been taken to remove it. In November 2018 the company was finally able to decrypt the information.

The company fears that up to approximately 500 million guests who made a reservation may be in the exposed database. The data includes names, mailing addresses, phone numbers, email addresses, passport numbers, customer account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.

Security updates for databases

Oracle

https://nvd.nist.gov/vuln/detail/CVE-2018-5407

MS SQL Server

https://nvd.nist.gov/vuln/detail/CVE-2018-18982

MySQL

https://nvd.nist.gov/vuln/detail/CVE-2018-15768
https://nvd.nist.gov/vuln/detail/CVE-2018-19654
https://nvd.nist.gov/vuln/detail/CVE-2018-19558
https://nvd.nist.gov/vuln/detail/CVE-2018-19328
https://nvd.nist.gov/vuln/detail/CVE-2018-18805
https://nvd.nist.gov/vuln/detail/CVE-2018-19222

MS SQL Azure

https://nvd.nist.gov/vuln/detail/CVE-2018-8600

IBM DB2

https://nvd.nist.gov/vuln/detail/CVE-2018-1897
https://nvd.nist.gov/vuln/detail/CVE-2018-1857
https://nvd.nist.gov/vuln/detail/CVE-2018-1834
https://nvd.nist.gov/vuln/detail/CVE-2018-1802
https://nvd.nist.gov/vuln/detail/CVE-2018-1799
https://nvd.nist.gov/vuln/detail/CVE-2018-1781
https://nvd.nist.gov/vuln/detail/CVE-2018-1780

Apache Hive

https://nvd.nist.gov/vuln/detail/CVE-2018-17187
https://nvd.nist.gov/vuln/detail/CVE-2018-1314
https://nvd.nist.gov/vuln/detail/CVE-2018-11777

Vertica

https://nvd.nist.gov/vuln/detail/CVE-2018-19437