A few weeks ago, FlexBooker, an appointment scheduling service, notified its customers that it had been breached.
Imperva has no insider knowledge of how the breach unfolded, but FlexBooker's breach notification and related third-party sources still tell us a good deal. In this blog we review what can be learned from this incident and use it as a starting point for explaining why organizations need a solution that applies security best practices and, just as importantly, establishes what normal behavior looks like in the organization so that deviations from it can be found quickly.
What we learned from FlexBooker
According to FlexBooker’s notification to customers, “On December 23, 2021, starting at 4:05 PM EST our account on Amazon’s AWS servers was compromised, resulting in our temporary inability to service customer accounts, and preventing customers from accessing their data. As part of the incident, our system data storage was also accessed and downloaded. In response to the outage, we worked closely with Amazon to restore a backup, and were able to restore operations within 12 hours. After working further with Amazon to understand what happened, we learned a certain set of data, including personal information of some customers was accessed and downloaded including: first and last names, email addresses, and phone numbers. The data accessed did not include credit card or other payment card numbers. Customer passwords included in the data were encrypted. The encryption key was not accessed or downloaded. We have worked with Amazon to restore the security of our account, and will continue to work with Amazon to maintain security.”
The compromise began on December 23, in the holiday season, when many people take time off. Activity in an account at a time when its usual users are most likely not working, or is outside the account's normal hours, is a clear risk indicator.
- The first key takeaway is that understanding the standard working hours/days in business organizations and deviations from it can help to detect a potential data breach.
What we learned from third party sources
According to Have I Been Pwned, a service that tracks data breaches and leaked data, FlexBooker's breach exposed 3.7 million accounts, including email addresses, names and phone numbers, and, for a small number of accounts, password hashes and partial credit card data (a detail that does not appear in the company's own notification).
In this type of attack the attacker is usually after "juicy" information, i.e. sensitive personal data, and likely had to look for it. One way an attacker could have located it is by querying the database's system tables (the catalog) for tables and columns whose names suggest sensitive content, such as email, phone or password columns, and then targeting the tables known to hold that data.
- The second takeaway is that understanding where your sensitive data is and who accessed this information can help to detect a potential data breach.
- The third takeaway is that following security best practices and regulations to reduce permissions to access such sensitive data can help to prevent potential data breaches.
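The second and third takeaways both start from the same artifact: an inventory of where the sensitive columns are. As an added example (not code from the original post, from Imperva or from FlexBooker), the Python script below builds that inventory from a constructed SQLite schema by walking the catalog, which is the same enumeration an attacker performs when browsing system tables for "interesting" columns. The column-name rules, table names and category labels are assumptions and should be tuned to the organization's own naming conventions; on Postgres or MySQL the same scan would read information_schema.columns instead of SQLite's catalog.

```python
"""Inventory sensitive columns by walking the database catalog.

Added example, not code from the original post, Imperva or FlexBooker.
Uses an in-memory SQLite database with a constructed schema; the
classification rules below are assumptions to be tuned per organization.
"""
import re
import sqlite3

# Constructed schema standing in for a scheduling application's database.
CONSTRUCTED_SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    first_name TEXT,
    last_name TEXT,
    email TEXT,
    phone_number TEXT,
    password_hash TEXT
);
CREATE TABLE appointments (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,
    starts_at TEXT,
    notes TEXT
);
CREATE TABLE payments (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,
    card_last4 TEXT,
    amount_cents INTEGER
);
"""

# Assumed classification rules: regex on the column name -> data category.
SENSITIVE_PATTERNS = {
    "pii.name": re.compile(r"(first|last|full)_?name", re.I),
    "pii.contact": re.compile(r"e?mail|phone", re.I),
    "credential": re.compile(r"pass(word)?(_?hash)?|secret|token", re.I),
    "payment": re.compile(r"card|pan|cvv|iban", re.I),
}


def list_columns(conn):
    """Return (table, column) pairs from the SQLite catalog.

    This is exactly what an attacker enumerates when looking for juicy
    columns; the defender should have this list before the attacker does.
    """
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    columns = []
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            columns.append((table, row[1]))   # row[1] is the column name
    return columns


def classify(column_name):
    """Categories whose pattern matches the column name (sorted, may be empty)."""
    return sorted(cat for cat, pat in SENSITIVE_PATTERNS.items()
                  if pat.search(column_name))


def sensitive_inventory(conn):
    """Map table -> {column: [categories]} for every column that matches a rule."""
    inventory = {}
    for table, column in list_columns(conn):
        categories = classify(column)
        if categories:
            inventory.setdefault(table, {})[column] = categories
    return inventory


def build_demo_db():
    """Create the constructed schema in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(CONSTRUCTED_SCHEMA)
    return conn


if __name__ == "__main__":
    for table, cols in sensitive_inventory(build_demo_db()).items():
        for column, categories in cols.items():
            print(f"{table}.{column}: {', '.join(categories)}")
```

The inventory is what drives the permission reduction the third takeaway asks for: once `users.password_hash` and `payments.card_last4` are known to be sensitive, the question "which accounts can read these columns, and do they need to?" becomes concrete, and access to the remaining tables (here `appointments`) can be left alone.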
A table holding user names and passwords is normally read only by the application that authenticates users or updates their profiles. If an attacker gains access through a phishing campaign, as often happens, data that is usually accessed by the application's own service account is suddenly being read by a different user, which by itself is a sign of a potential attack.
- The fourth takeaway is that understanding who usually accesses the data and detecting deviations can help to detect a potential data breach.
Let's assume for illustration purposes that the attacker used a phishing campaign to gain access through a compromised user, which would be typical for this sort of attack. Another sign of a potential attack would be volume: if that user normally accessed, say, 400K records in a given period (hour/day/week) and now reads roughly ten times that number, the deviation is hard to miss, and given that the breach is said to have exposed 3.7 million accounts, a read of that size is entirely plausible here.
- The fifth takeaway is that understanding the standard usage of users in your systems and deviations from it can help to detect potential data breaches.
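The first, fourth and fifth takeaways are all instances of one mechanism: learn what normal looks like per account, then score each new access against it. As an added example (not code from the original post or from Imperva), the Python script below learns working hours and days, which principal reads which table, and the largest row count seen per principal and table from a constructed week of audit events, then evaluates a second set of constructed events loosely modelled on the incident as described. The audit line format, principal and table names, the one-hour slack and the 5x volume threshold are all assumptions.

```python
"""Learn normal database access and flag deviations from it.

Added example, not code from the original post or from Imperva. Line format,
principal/table names, HOUR_SLACK and VOLUME_FACTOR are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed "normal" week: the application reads the users table each
# morning; a DBA occasionally looks at single rows in the afternoon.
BASELINE_LOG = """
2021-12-13T09:05:00Z principal=booking_app table=users rows=380000
2021-12-14T09:07:00Z principal=booking_app table=users rows=410000
2021-12-15T09:04:00Z principal=booking_app table=users rows=395000
2021-12-16T09:06:00Z principal=booking_app table=users rows=402000
2021-12-17T09:05:00Z principal=booking_app table=users rows=400000
2021-12-15T14:30:00Z principal=dba_alice table=users rows=1
2021-12-16T15:10:00Z principal=dba_alice table=users rows=3
"""

# Constructed events to evaluate: one normal run, then activity loosely
# modelled on the incident (a bulk read, a compromised account browsing the
# catalog and then dumping the table, and a holiday-night read).
NEW_EVENTS_LOG = """
2021-12-20T09:05:00Z principal=booking_app table=users rows=405000
2021-12-23T16:05:00Z principal=booking_app table=users rows=3700000
2021-12-23T16:20:00Z principal=dba_alice table=information_schema.columns rows=40
2021-12-23T16:25:00Z principal=dba_alice table=users rows=3700000
2021-12-25T03:00:00Z principal=booking_app table=users rows=400000
"""

HOUR_SLACK = 1       # assumed tolerance around the learned hour range
VOLUME_FACTOR = 5    # assumed: more than 5x the largest baseline read is abnormal


def parse_event(line):
    """Parse one 'ISO-timestamp key=value ...' audit line (constructed format)."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "principal": fields["principal"],
        "table": fields["table"],
        "rows": int(fields["rows"]),
    }


def parse_log(text):
    return [parse_event(line) for line in text.strip().splitlines() if line.strip()]


class Baseline:
    """Per-principal hours and weekdays, per-(principal, table) row counts."""

    def __init__(self, events):
        self.hour_range = {}                # principal -> (min_hour, max_hour)
        self.weekdays = defaultdict(set)    # principal -> {0=Mon .. 6=Sun}
        self.max_rows = {}                  # (principal, table) -> max rows seen
        for e in events:
            p, h = e["principal"], e["ts"].hour
            lo, hi = self.hour_range.get(p, (h, h))
            self.hour_range[p] = (min(lo, h), max(hi, h))
            self.weekdays[p].add(e["ts"].weekday())
            key = (p, e["table"])
            self.max_rows[key] = max(self.max_rows.get(key, 0), e["rows"])

    def deviations(self, e):
        """Return the reasons this event departs from the baseline (empty = normal)."""
        reasons = []
        p, t, h = e["principal"], e["table"], e["ts"].hour
        if p not in self.hour_range:
            reasons.append(f"unknown principal {p}")
        else:
            lo, hi = self.hour_range[p]
            if not (lo - HOUR_SLACK <= h <= hi + HOUR_SLACK):
                reasons.append(f"off-hours: {h:02d}:00 outside {lo:02d}-{hi:02d} for {p}")
            if e["ts"].weekday() not in self.weekdays[p]:
                reasons.append(f"off-day: {e['ts']:%A} never seen for {p}")
        key = (p, t)
        if key not in self.max_rows:
            reasons.append(f"new access path: {p} has never read {t}")
        elif e["rows"] > VOLUME_FACTOR * self.max_rows[key]:
            reasons.append(f"volume: {e['rows']} rows vs baseline max {self.max_rows[key]} on {t}")
        return reasons


def evaluate(baseline, events):
    """Return [(event, reasons)] for every event that deviates in at least one way."""
    return [(e, baseline.deviations(e)) for e in events if baseline.deviations(e)]


if __name__ == "__main__":
    baseline = Baseline(parse_log(BASELINE_LOG))
    for e, reasons in evaluate(baseline, parse_log(NEW_EVENTS_LOG)):
        print(f"{e['ts']:%Y-%m-%d %H:%M} {e['principal']:<12} {e['table']}")
        for r in reasons:
            print(f"    - {r}")
```

Run stand-alone, the normal Monday read produces nothing, the 3.7 million-row read on December 23 is flagged for both time of day and volume, the DBA account is flagged first for touching the catalog it never read before and then for a row count three orders of magnitude above its baseline, and the Christmas-morning read is flagged for hour and day even though its volume is normal. The point is not the thresholds, which are guesses, but that each of the post's takeaways becomes a one-line check once the baseline exists.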
All data breaches are different. This incident simply presents an opportunity to emphasize why organizations need to monitor access to their databases and should have a solution in place that applies security best practices: discovery of sensitive data, reduction of permissions, and learning of regular behavior, including typical working hours, the type of data each account touches, and how much of it. Ask yourself what would happen in your organization if an attacker used a typical phishing campaign, like the one described above, to reach your sensitive data. Could your breach detection capabilities quickly, and with confidence, identify policy-violating behavior and stop it in its tracks while still enabling business as usual?
It doesn't matter how comprehensive your breach mitigation and response tooling is if you don't have the foundation in place to recognize policy-violating behavior in the first place.
Imperva data security solutions can help you prevent and detect potential data breaches. For more information please visit https://www.imperva.com/