Toyota blames contractor for five-year data leak, code from Intel is leaked and more.
Welcome to Cyber Security Today. It’s Wednesday, October 12th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Third parties such as partners and contractors who have access to your IT systems and applications have long been known as a security risk. The latest example is Toyota's admission that email addresses of just under 300,000 customers were copied by someone because of a mistake by a contractor. Five years ago the contractor mistakenly uploaded part of the source code of Toyota's T-Connect app that they were working on to the public GitHub software development platform. That code included an access key to a data server that held the personal information. Uploading the code was a violation of Toyota's software handling rules with the contractor. Toyota only learned of the breach last month. As of the recording of this podcast on Tuesday afternoon, Toyota hadn't replied to a request to clarify whether the email addresses of American or Canadian customers were stolen. The Toyota notice of the breach was written in Japanese on the company's Japan website.
UPDATE: After this podcast was recorded Toyota Canada said the victims were only in Japan.
The incident is another example of why any organization with a software development team must have controls in place to check where code is going at all times. And organizations that allow third parties to develop applications shouldn’t give them real customer or corporate data for testing. Fortunately in this case, no other customer information – such as names, addresses, phone numbers, or credit card details — was involved. But stolen email addresses can be used to send phishing messages.
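The control described above, a check that stops credentials like the T-Connect access key from leaving with the source, can be enforced before code is ever pushed. The scanner below is an added example written for this post, not Toyota's or any vendor's code; the source snippet it scans is constructed, the AWS-style key is Amazon's documented placeholder, and the patterns and entropy threshold are illustrative assumptions.

```python
import math
import re
from collections import Counter

# Known credential formats (assumed, illustrative; real scanners carry many more).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key_assignment": re.compile(
        r"(?i)(api[_-]?key|access[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}
# Quoted literals made only of key-like characters, long enough to be a credential.
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


def shannon_entropy(s):
    """Bits per character; random keys score high, words and URLs score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, entropy_threshold=3.5):
    """Return (line_no, reason, snippet) for every suspected credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pat in KEY_PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((line_no, name, m.group(0)))
                break
        else:
            # No known format matched: fall back to high-entropy literal detection.
            for lit in LITERAL_RE.findall(line):
                if shannon_entropy(lit) >= entropy_threshold:
                    findings.append((line_no, "high_entropy_literal", lit))
    return findings


# Constructed sample resembling a config module accidentally committed with secrets.
SAMPLE = '''# constructed sample, not Toyota's code
SERVER_URL = "https://data.example.invalid/api"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "p4ssw0rd-Not-Real-But-Looks-Random-9x2"
CLIENT_CFG = "Zx9kQ2mP7vL4nR8sT1wB3yC6hJ0dF5gA"
LOG_PREFIX = "tconnect-sync"
'''

if __name__ == "__main__":
    hits = scan_source(SAMPLE)
    for line_no, reason, snippet in hits:
        print(f"line {line_no}: {reason}: {snippet}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit in a pre-commit hook
```

Wired into a pre-commit hook or a CI step, a non-zero exit here stops the push; a match is a signal to review and rotate, since a key that has already reached a public host must be treated as compromised.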
In August the U.S. Cybersecurity and Infrastructure Security Agency issued a best practices guide for developers for securing the software supply chain. There’s a link to it here.
Intel has confirmed some of the source code for the UEFI firmware of its 12th generation Core processors has leaked. SecurityWeek said a researcher believes Intel's Boot Guard feature, which protects the integrity of the boot process, can no longer be trusted. For its part, Intel told SecurityWeek the leak doesn't create any new vulnerabilities. However, a Hong Kong cybersecurity firm argued that the leaked code might help an attacker find a vulnerability.
On Monday I reported that Fortinet is advising some customers to take action due to the discovery of a serious vulnerability. Now Fortinet is reporting this hole has already been exploited against an unnamed organization. IT security leaders are urged to apply the recommended workarounds.
Critical infrastructure providers in the United States and Canada were warned months ago to be ready for cyber attacks from Russian-backed threat actors. The theory is they would want to hit back against Western nations supporting Ukraine. Last week a pro-Russian group called KillNet claimed responsibility for forcing several American airports to take their websites offline after launching distributed denial-of-service attacks.
As part of Cybersecurity Awareness Month several security companies are releasing studies with interesting statistics. Here’s one with disappointing numbers from Kaspersky. It surveyed 1,300 business owners and decision-makers in small and medium-sized firms in 13 countries: Only 39 per cent of respondents said they have an IT disaster recovery plan. Twenty-three per cent said they are working on one. Thirty-one per cent of firms said they’d consider using a pirated copy of software in a crisis to save money.
Here's another survey released this week, this time by Cisco Systems of 2,600 adults in 12 countries. The results suggest how important data handling is to a company's reputation. Eighty-one per cent of respondents agreed the way an organization treats personal data is indicative of how it views and respects customers. Seventy-six per cent said they would not buy from a company they don't trust with their data.
Finally, a reminder that next week IT World Canada is hosting another session of its free MapleSec cybersecurity summits. The Wednesday, October 19th session will be in person at Toronto's Aga Khan Museum in mid-town. One panel discussion will be on ransomware. Another will feature a panel of CISOs. The Thursday, October 20th sessions will be online and include a presentation on cybersecurity essentials for SMBs. Click here to see the full agenda and register.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.