The Weekend Cybersecurity Review: January 22, 2018

Another weekend in this still very young year, and another inundation of cybersecurity headlines to process and evaluate. As is our new tradition, we’ve compiled the big headlines and added our takeaways so you can prepare your enterprise against hacks and attacks.

OnePlus Hacked, 40,000 Users’ Credit Card Info Affected

Over the weekend, China-based mobile device manufacturer OnePlus confirmed that they had suffered a data breach, exposing the complete credit card information of as many as 40,000 customers. Reports and rumors of a hack had been swirling around the company for the past week.

An ongoing investigation revealed that customers’ credit card information were being stolen as they were making purchases. OnePlus had no choice but to shut down credit card payments on its online store three days before the announcement to prevent further thefts. Although reports of the breach have only arisen in the past week, evidence suggests that the hacking script has been running on OnePlus servers since November of 2017.

While OnePlus insists that 40,000 is a small subset of their customer base, online credit card payments remain suspended until the investigation—conducted by a third-party security agency—is complete. In a statement, OnePlus said “We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.” OnePlus stated that customers should check their credit card statements for erroneous charges; they are offering one year of credit consulting to those affected.

Takeaway: In a statement to eWeek Chris Vectra, head of security analytics at Vectra, put it best: “HTTPS, while encrypted, is not a guarantee of a secure transaction as attackers can compromise the systems at both ends of any encrypted conversation.” This is important for enterprises conducting their business primarily online, whether B2C or B2B. Never assume safety or security.

Additionally, OnePlus is a good model for how to conduct yourself after a breach has been revealed: consult with a third-party to investigate the depth of the breach and the damage, admit and apologize for the breach, directly contact those who may be affected, and offer some form of amelioration. The damage from a hack isn’t limited to the financial—it is also reputational, dissolving the trust your customers have in your business and potentially hurting your bottom line far into the future. Getting ahead of the story and handling it professionally will help your enterprise recover that much more quickly.

Kaspersky Lab Files Injunction Against U.S. Government Ban

Moscow-based anti-malware vendor Kaspersky Lab has filed a motion for a temporary injunction against the U.S. government’s ban against their products on federal agency servers. In the motion, the vendor alleged that the ban damaged their reputation and revenue in the North American market and argued for a complete overturn. Kaspersky Lab is allegedly connected to Russian intelligence agencies and espionage efforts against the U.S., although no concrete proof has yet emerged  to confirm any involvement. The ban, signed by President Trump, was signed in December of 2017, although the Department of Homeland Security ordered the removal of their software and services in September.

Kaspersky argues that the ban did not give them sufficient time to respond, violating their right to due process under the Fifth Amendment.

Takeaway: We don’t necessarily have a best practice to gain from this, but is important to stay aware of this story as it develops. It may prove vital in understanding how hacking may change in the future, as it becomes the tool of choice for nation states acting subversively, and in how we need to evaluate the connections and motivations of our security partners if the allegation against Kaspersky Lab proves true.

If however Kaspersky Lab is vindicated and proven innocent, it may prove something else entirely; that the inherent suspicion and caution of cybersecurity’s culture can be weaponized against innocent actors. We always recommend vigilance, but vigilance should never be allowed to slip into paranoia. Paranoia tends not to be productive.