Cosmetics firm Avon faces new cyber security incident

Avon, the cosmetics brand that suffered an alleged ransomware attack in June 2020, has found itself at the centre of a new and significant security incident after inadvertently leaving a Microsoft Azure server exposed to the public internet without password protection or encryption.

Discovered by Anurag Sen of security tool comparison service SafetyDetectives, the vulnerability meant that anybody who possessed the server’s IP address could have accessed an open database of information.

The latest incident comes a little over a month after Avon confirmed a major security incident, which has not been confirmed to have been a ransomware attack, that took its back-end systems offline and left many of its renowned representatives unable to place any orders.

According to SafetyDetectives, the leaky server contained API logs for Avon’s web and mobile sites, which means that all production server information, including 40,000 security tokens and internal OAuth tokens, was exposed.

OAuth, an open standard framework for online token-based authorisation, enables end-user account information to be used by a third-party service such as Facebook or Twitter without exposing the user’s credentials to it. Effectively, it acts as a go-between.

OAuth access tokens expire after a set amount of time, so a client must present a refresh token to obtain a new one. In the case of Avon’s vulnerability, both sign-in (access) and refresh tokens were exposed, which means it would have been possible for a hacker to gain full, renewable access to a user account.
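The leak was made worse by the fact that API logs recorded the tokens themselves. As an added example, which is not code from Avon, SafetyDetectives or the article, the following Python redacts OAuth access and refresh tokens from API log records before they are written to a log store, so that an exposed log server would not hand over working credentials. The log lines and token values are constructed for the example, and the field names (Authorization header, access_token, refresh_token and so on) are assumptions about a typical JSON request log.

```python
import json
import re

# Constructed sample API log records (not from the incident); every token value is fake.
SAMPLE_LOG_LINES = [
    '{"ts":"2020-07-01T10:00:00Z","method":"POST","path":"/oauth/token",'
    '"headers":{"Authorization":"Bearer eyJhbGciOi.fake.access"},'
    '"body":{"grant_type":"refresh_token","refresh_token":"rt_fake_123"}}',
    '{"ts":"2020-07-01T10:00:01Z","method":"GET","path":"/api/orders",'
    '"query":{"access_token":"at_fake_456","page":"2"}}',
    '{"level":"warn","msg":"upstream retried with Bearer abc.def-ghi for user 42"}',
    "plain text line: refresh_token=rt_fake_789 left in a non-JSON line",
]

REDACTED = "[REDACTED]"

# Keys whose values must never reach a log store (assumed names for a typical request log).
SENSITIVE_KEYS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "access_token", "refresh_token", "id_token", "client_secret", "password",
}

# Bearer credentials embedded in free-text values (token68 character set, RFC 6750).
BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE)
# key=value pairs for token-like keys in non-JSON lines or raw query strings.
KV_TOKEN_RE = re.compile(
    r"((?:access_token|refresh_token|id_token|token)=)[^&\s]+", re.IGNORECASE
)


def _redact_text(text: str) -> str:
    """Strip bearer tokens and token=value pairs from a free-text string."""
    text = BEARER_RE.sub(r"\1" + REDACTED, text)
    return KV_TOKEN_RE.sub(r"\1" + REDACTED, text)


def redact(obj):
    """Recursively redact sensitive keys and embedded tokens in a parsed log record.

    Keys are matched case-insensitively; a value that merely equals a key name
    (e.g. grant_type="refresh_token") is not a secret and is left intact.
    """
    if isinstance(obj, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return _redact_text(obj)
    return obj  # numbers, booleans and null pass through unchanged


def sanitize_record(line: str):
    """Parse a JSON log line and return the redacted record, or None if it is not JSON."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    return redact(record)


def sanitize_line(line: str) -> str:
    """Return a log line that is safe to store: JSON records are redacted
    structurally; anything else falls back to pattern-based redaction."""
    record = sanitize_record(line)
    if record is None:
        return _redact_text(line)
    return json.dumps(record, separators=(",", ":"))


if __name__ == "__main__":
    for raw in SAMPLE_LOG_LINES:
        print(sanitize_line(raw))
```

Structural redaction of parsed JSON is preferred over regex alone because it catches a token wherever it sits in the record, while the regex fallback still covers free-text lines and messages that quote a bearer credential. The function is idempotent, so it can safely run both at the application and at the log shipper.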

The server also contained internal logs that cyber criminals could have used to attack Avon’s IT infrastructure, or inject cryptominers, malware or ransomware into its systems. It is possible that this is what was behind the firm’s operational issues, although, as Sen said, it is very important to note that no link has yet been confirmed.

Other data exposed included personally identifiable information (PII) such as full names, phone numbers, birth dates, email addresses, home addresses, GPS coordinates, payment amounts, Avon employee names (suspected), and admin user emails.

Sen said the SafetyDetectives team found close to 7GB of data and more than 19 million document records on the server, which has now been secured.

In a report detailing the team’s work, SafetyDetectives’ Jim Wilson said the breach could yet have a significant impact on Avon.

“First and foremost, exposed details could potentially be used to conduct identity fraud across different platforms and institutions,” he said. “Users’ contact details could be harnessed to conduct a wide variety of scams, while personal information from the leak could be used to encourage click-throughs and malware download. Personal information is also used by hackers to build up rapport and trust, with a view of carrying out a larger-magnitude intrusion in the future.

“Worryingly, the leak exposed reams of technical logs which could be used to not only target Avon customers, but also Avon’s IT infrastructure directly, leading to further security risks and financial ramifications.”

Wilson added: “Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions that permanently damage the Avon brand – namely, ransomware attacks and paralysing the company’s payments infrastructure.”

Raif Mehmet, Europe, Middle East and Africa (EMEA) vice-president at Bitglass, said that, unfortunately for Avon, the exposure of server data via cloud misconfiguration was something for which the data owners had to take responsibility.

“Time and again, cloud misconfiguration issues allow servers to expose sensitive data that is not protected or encrypted, enabling unauthorised access and a host of other headaches for the enterprise and its data subjects,” said Mehmet.

“A recent Gartner report cited that 99% of cloud security failures will be the customer’s fault through 2025, and consequently misconfigurations will continue to be a leading cause of data leakage across all organisations. To prevent future incidents and protect customer data, organisations need to have full visibility and control over their customers’ data.”

Censornet CEO Ed Macnair added: “The leaked information – including phone numbers, dates of birth and home and email addresses – provides hackers with everything they need to launch a multitude of sophisticated and targeted attacks. Cyber criminals only need to be given an inch and they will take a mile, and the company has certainly left itself and its customers in a vulnerable position. Besides the potential cyber security ramifications, as customers’ home addresses have been exposed, their physical safety could also be at risk.”

Avon had not responded to a request for comment on this incident at the time of writing.
