Tag Archives: firm

ComplyRight data breach affects 662,000, gets lawsuit

A data breach at ComplyRight, a firm that provides HR and tax services to businesses, may have affected 662,000 people, according to a state agency. It has also prompted a lawsuit, which was filed in federal court by a person who was notified that their personal data was breached. The lawsuit seeks class-action status.

The ComplyRight data breach included names, addresses, phone numbers, email addresses and Social Security numbers, some of which came from tax and W-2 forms.

ComplyRight’s services include a range of HR products, such as recruitment and time and attendance, as well as an online app for storing essential employee data. This particular attack was directed at its tax-form-preparation website. Hackers go after customer and employee data: the Identity Theft Resource Center 2018 midyear report, for instance, lists every known breach so far this year, and it describes the compromised data as a shopping list of HR-managed data.

Company: No more than 10% of customers affected

The breach occurred between April 20 and May 22, and the company notified affected parties by mail.

ComplyRight, in a posted statement, said “a portion (less than 10%)” of people who have their tax forms prepared on its web platform were affected by a cyberattack, but it did not say how many customers were affected by its breach. The company knows the data was accessed or viewed, but it was unable to determine if the data was downloaded, according to the firm’s statement.

But the state of Wisconsin, which publishes data breach reports, has shed some light on the scale of the impact. It reported the ComplyRight data breach affected 662,000 people — including 12,155 Wisconsin residents. A spokesman for the Wisconsin Department of Agriculture, Trade and Consumer Protection said this figure was provided verbally to the state by an attorney for ComplyRight.

Rick Roddis, president of ComplyRight, based in Pompano Beach, Fla., said in an email that the firm won’t be commenting, for now, beyond what it has posted on the site.

Among the steps ComplyRight said it took was the hiring of a third-party security expert who conducted a forensic investigation. The firm is also offering credit-monitoring services to affected parties.

Security expert Nikolai Vargas, who looked at the firm’s statement, said ComplyRight “is doing the bare minimum in terms of transparency and informing their clients of the details of the security incident.”

“In cases of a data breach, it is important to disclose how long the exposure occurred and the scope of the exposure,” said Vargas, who is CTO of Switchfast, an IT consulting and managed service provider based in Chicago. ComplyRight stating that “less than 10%” of individuals were affected “doesn’t really explain how many people were impacted,” he added.

“Technical details are nice to have, but they’re not always necessary and may need to be withheld until protections are put in place,” Vargas said.

Federal suit alleges poor protection


The ComplyRight data breach was first reported by Krebs on Security, which had heard from customers who had received breach notification letters.

Susan Winstead, an Illinois resident, received the notification from ComplyRight on July 17, outlining what happened. She is the plaintiff in the lawsuit filed July 20 in the U.S. District Court for the Northern District of Illinois.

The lawsuit faults ComplyRight for allegedly not properly protecting its data and not immediately notifying affected individuals, and it seeks damages for the improper disclosure of personal information, including the time and effort spent remediating the data breach.

Company faced difficult detective work

Another independent expert who looked at ComplyRight’s notice, Avani Desai, said the company “followed best practice for incident response.”

With a cyberattack, one of the most difficult processes initially is identifying that there was an actual attack and the true extent of it, said Desai, president of Schellman & Company, a security and privacy compliance assessor in Tampa, Fla. It’s important to ask the following questions early: Was there sensitive information that was involved? Which systems were exploited? The firm quickly hired a third-party forensic group, she noted.

“ComplyRight locked down the system prior to announcing the breach, which is important, because when organizations announce too quickly, we see copycat attacks hit the already vulnerable situation,” Desai said.

Mike Sanchez, chief information security officer of United Data Technologies, an IT technology and services firm in Doral, Fla., said the things the firm did right are “they disabled the platform and performed a forensic investigation to understand the cause of the breach, as well as the breadth of the malicious actor’s actions.”

But Sanchez said the firm’s statement, which he described as a “very high-level summary,” lacked many specifics, including the exact flaw that was used to gain access to the data.

The Identity Theft Resource Center reported that as of the first six months of this year, there were 668 breaches exposing nearly 22.5 million records.

DHS, SecureLogix develop TDoS attack defense

The U.S. Department of Homeland Security has partnered with security firm SecureLogix to develop technology to defend against telephony denial-of-service attacks, which remain a significant threat to emergency call centers, banks, schools and hospitals.

The DHS Science and Technology (S&T) Directorate said this week the office and SecureLogix were making “rapid progress” in developing defenses against call spoofing and robocalls — two techniques used by criminals in launching telephony denial-of-service (TDoS) attacks to extort money. Ultimately, the S&T’s goal is to “shift the advantage from TDoS attackers to network administrators.”

To that end, S&T and SecureLogix, based in San Antonio, are developing two TDoS attack defenses: first, a mechanism for identifying the voice recording used in call spoofing, and second, a means to separate legitimate emergency calls from robocalls.

“Several corporations, including many banks and DHS components, have expressed interest in this technology, and SecureLogix will release it into the market in the coming months,” William Bryan, interim undersecretary for S&T at DHS, said in a statement.

In 2017, S&T handed SecureLogix a $100,000 research award to develop anti-call-spoofing technology. The company was one of a dozen small tech firms that received similar amounts from S&T to create a variety of security applications.

Filtering out TDoS attack calls

SecureLogix’s technology analyzes and assigns a threat score to each incoming call in real time. Calls with a high score are either terminated or redirected to a lower-priority queue or a third-party call management service.

SecureLogix built its prototype on existing voice security technologies, so it can be deployed in complex voice networks, according to S&T. It also contains a business rules management system and a machine learning engine “that can be extended easily, with limited software modifications.”

Over the last year, SecureLogix deployed the prototype within a customer facility, a cloud environment and a service provider network. The vendor also worked with a 911 emergency call center and large financial institutions.

In March 2013, a large-scale TDoS attack highlighted the threat against the telephone systems of public-sector agencies. An alert issued by DHS and the FBI said extortionists had launched dozens of attacks against the administrative telephone lines of air ambulance and ambulance organizations, hospitals and financial institutions.

Today, the need for TDoS protection has grown from on premises to the cloud, where an increasing number of companies and call centers are signing up for unified communications as a service. In 2017, nearly half of organizations surveyed by Nemertes Research were using or planned to use cloud-based UC.

Exactis leak exposes database with 340 million records

A marketing firm exposed records on most adults in the U.S., but experts weren’t surprised at the number of people affected and said the lesson should be about the depth of data gathered.

Marketing firm Exactis, a data company based in Palm Coast, Fla., exposed 340 million records — 230 million for individuals and 110 million for business customers — via a publicly accessible server, meaning anyone who knew where to look could have taken the data. Vinny Troia, security researcher and founder of NightLion Security, headquartered in St. Louis, Mo., discovered the potential Exactis leak and wrote on Twitter that he is working with the company to determine if anyone accessed the data. Exactis has since secured the server.

The data potentially exposed in the Exactis leak added up to 2 terabytes of information, including phone numbers, home and email addresses, but Bruce Silcoff, CEO of Shyft Network International, a cybersecurity company based in Barbados, said the Exactis leak is noteworthy “not only for the number of customers impacted, but also for the depth of compromised data.”

“It’s been reported that every record includes more than 400 variables of personal characteristics,” Silcoff wrote via email. “The reality is that we live in a digitized world and all our interactions on social channels are recorded, and this isn’t stopping anytime soon. The centralized storage of user information makes institutions like Exactis hacker bait. Never has there been such urgency nor opportunity to introduce a disruptive alternative to an antiquated system and solve an urgent global problem.”

Wired’s original report on the Exactis leak noted that the personal characteristics data could include information such as personal interests and habits, if the person smokes, has pets or the number, age and gender of the person’s children.


Troia told Wired that he found the Exactis leak with a simple Shodan search for ElasticSearch databases on publicly accessible servers in the U.S. While there is a huge trove of personal information, the dataset does not include Social Security numbers or credit cards, so experts said it would be more useful for social engineering.

Nico Fischbach, global CTO at Forcepoint, said the highly sensitive data in the Exactis leak “could be exploited by malicious actors to carry out a number of different types of attacks.”

“If an attacker combined this intel with data from the 2015 OPM breach, they could run human intelligence-type special operations attacks against cleared personnel. It’s also a huge asset to criminals using impersonation as a tool for phishing. Further, as 110 million of the records pertain to businesses, criminals could utilize the data for spear-phishing campaigns aimed at data exfiltration,” Fischbach wrote via email. “In the case of Cambridge Analytica, attackers had to ‘steal’ this type of profile data from Facebook, but, with Exactis, the data was publicly accessible on a server with weak or no authentication. This further underscores the need for enterprises to focus on knowing how their people interact with their data, have insight to risky activity and to think ahead on how vulnerabilities like this could be mitigated against, or prevented entirely.”
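The failure mode here is an Elasticsearch node bound to a public interface with authentication left off. The Python block below is an added example, not code from Exactis or from the researchers quoted: it audits a node’s `elasticsearch.yml` for exactly that combination. The setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch options; the two configuration texts are constructed samples, the minimal parser assumes a flat `key: value` file, and treating a missing `xpack.security.enabled` as “off” is the conservative reading (it matches the 7.x default, while 8.x enables security by default).

```python
# Elasticsearch settings checked (real option names):
#   network.host                     - interface(s) the node binds to; default _local_ (loopback)
#   xpack.security.enabled           - authentication and authorization on or off
#   xpack.security.http.ssl.enabled  - TLS on the REST port
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}

# Constructed sample: the shape of a node reachable from anywhere, no credentials required.
WEAK_CONFIG = """\
cluster.name: marketing-profiles
network.host: 0.0.0.0          # every interface, including the public one
http.port: 9200
"""

# Constructed sample: private interface, authentication and TLS switched on.
HARDENED_CONFIG = """\
cluster.name: marketing-profiles
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_simple_yaml(text):
    """Minimal parser for flat `key: value` lines (assumption: no nested mappings).

    Comments and blank lines are skipped; quotes around values are stripped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_elasticsearch(settings):
    """Return (severity, message) findings for one node's settings."""
    findings = []
    host = settings.get("network.host", "_local_")
    reachable = host not in LOOPBACK_HOSTS   # anything beyond loopback is treated as exposed
    auth_on = settings.get("xpack.security.enabled", "").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    port = settings.get("http.port", "9200")

    if reachable and not auth_on:
        findings.append(("CRITICAL",
                         f"network.host={host} is reachable beyond loopback and "
                         "xpack.security.enabled is not true: every index is readable "
                         "without credentials"))
    elif reachable:
        findings.append(("INFO",
                         f"network.host={host} with security enabled; confirm firewall "
                         f"rules limit who can reach port {port}"))
    if reachable and not tls_on:
        findings.append(("WARN",
                         "xpack.security.http.ssl.enabled is not true: credentials and "
                         "data cross the network in clear text"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, message in audit_elasticsearch(parse_simple_yaml(text)):
            print(f"  [{severity}] {message}")
```

The check is deliberately conservative: any `network.host` outside the loopback set counts as exposed, so a node on a private address still gets an informational finding reminding the operator to confirm that the firewall, not the absence of a route, is what keeps port 9200 off the internet.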

Ruchika Mishra, director of products and solutions at Balbix, a cybersecurity company headquartered in San Jose, Calif., said this was likely a problem of Exactis not understanding the mindset of an attacker.

“There’s no doubt in my mind that Exactis knew exactly what type of information they had and the ramifications there would be if there was a breach,” Mishra wrote via email. “But the problem with most enterprises today is that they don’t have the foresight and visibility into the hundreds of attack vectors — be it misconfigurations, employees at risk of being phished, admin using credentials across personal and business accounts — that could be exploited.”

Robert Capps, vice president and authentication strategist for NuData Security, a behavioral biometrics company based in Vancouver, British Columbia, said “if U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is.”

“Unfortunately, breaches are here to stay, but government agencies, businesses, and organizations across the U.S. can protect users by applying a new authentication framework,” Capps wrote via email. “Multi-layered security solutions based on passive biometrics and behavioral analytics make this stolen information useless to cybercriminals, as they identify users based on their behavior instead of data such as names, last names, dates of birth, passwords, addresses, and more.”

Office Depot says ‘no’ to Oracle ERP Cloud customizations

Office Depot, a firm with about $11 billion in sales, is moving major applications to the Oracle ERP Cloud. In doing so, Office Depot wants to avoid any customizations as it shifts from in-house systems.

The retailer will use best practices embedded in various Oracle ERP Cloud platforms: in this case, Oracle’s Supply Chain Management Cloud, its cloud-based Human Capital Management (HCM) and Enterprise Performance Management (EPM) systems. Oracle announced Office Depot’s decision Jan. 29.

Rejecting customizations was easier for some systems than others. HR business processes lend themselves well to this change, said Damon Venger, senior director of IT applications at Office Depot.

With HR they “are not reviewing our customizations — we are getting rid of them,” Venger said.

By not customizing its Oracle ERP applications, the retailer will simplify its IT processes, and reduce the cost of maintaining and managing them, he said.

Office Depot started selling the initiative internally last year. “It’s hard for executives in the business to say, ‘I have to do performance management in a specific way,’” Venger said. That’s the goal at least. Supply chain will “definitely be more challenging,” he said.

Deciding on no customization is ‘trendsetting’

Office Depot uses Oracle products, including PeopleSoft, hosted in an Oracle data center. It uses Hyperion Financial Management products, and a supply chain product.


The HCM and EPM migration will take about a year, and supply chain about two years. The company plans to use Agile development processes to complete the migrations.

For a company its size, Office Depot’s decision on customizations is “trendsetting,” said Seth Lippincott, an analyst at Nucleus Research. But it’s also possible because vendors are developing “what they would consider best practices in every one of their capabilities,” he said.

Some users argue that they need ERP customizations because of unique business requirements or industry-specific practices. But those arguments are waning as vendors add industry-specific capabilities, Lippincott said.

If customizations are about “letting people feel comfortable and safe in what they’re used to, it won’t help,” Lippincott argued. A firm will still go through a change management process. It makes sense for the long-term to force users into the new environment, he said.

APIs can still connect customizations to the cloud system, but once customizations start, the problems mount.

Office Depot made ‘pragmatic’ decision

Judith Hurwitz, the CEO of Hurwitz & Associates, called Office Depot’s decision “pragmatic.”

Routine updates mean testing against the customizations. “You are always sort of out of sync” with the latest updates. They may take months of testing. Asking a vendor for customizations can add millions, she said.

“Are your processes really so unique, so different?” Hurwitz said. For most firms, they aren’t, she said.

Venger said the decision to migrate to the cloud “was not a blind move to go.” Office Depot analyzed its real costs, including data center costs, licensing — every aspect.

Oracle ERP Cloud “came with a significant cost-savings,” and functionality upgrades, Venger said. With the on-premises system, “unless we customized it, you wouldn’t have functionality changes,” he said.

New ‘task’ for Datto backup: Merging with IT management firm

In a play to bring several technologies under one roof for SMBs, a private equity firm acquired data protection vendor Datto Inc. and will merge it with IT management provider Autotask Corp.

Vista Equity Partners Management entered into a definitive agreement last week with Datto, which launched in 2007 and is based in Norwalk, Conn. The merger will create a company that includes professional services automation, backup and disaster recovery, networking continuity, file sync and share, and remote monitoring and management. Datto and Autotask, which is based in New York, sell their products through service providers.

“We’re both growing. We’re both profitable,” Datto Chief Revenue Officer Brooks Borcherding said. “The expectation is we’re investing in growth.”

Datto backup to integrate with Autotask


The Datto backup product line and Autotask’s IT management suite are complementary, Borcherding said.

Datto offers a range of data protection, including business continuity and disaster recovery, cloud-to-cloud backup and ransomware protection, as well as managed networking. Autotask’s services include IT business management, endpoint management, file sync and share, and cloud services. Autotask also has an endpoint backup product.

The combined organization has about 1,300 employees with offices in nine countries. Datto and Autotask’s 13,000 customers service more than 500,000 SMBs in 125 countries.

Vista Equity Partners has the world’s largest software portfolio for a private equity firm and brings “a significant amount of wisdom and expertise,” Borcherding said. The firm acquired Autotask in 2014.


Patrick Burns, vice president of product management for Autotask, said to expect integration and innovation, such as trending analytics and automated workflows.

One of the first steps is the integration planning. There’s an opportunity for integrating Datto’s business continuity and Autotask’s endpoint backup, Borcherding said.

“Datto had gotten some good attention as a first to make a splash with ransomware detection,” Robert Rhame, research director of backup technologies and storage at Gartner, wrote in an email.

The combined company, though, will need to figure out a way to boost the presence of Datto’s cloud-to-cloud backup technology. Datto backup moved into the cloud-to-cloud market in 2014 by acquiring Backupify, one of the first vendors to protect data created in software as a service (SaaS) applications.

“SaaS backup is not a cash cow right now as, for example, about half of Microsoft Office 365 customers are trusting that their data is safe with the service provider and not doing external backups of any sort,” Rhame said. “This problem of trusting the provider is even more apparent if we look at the fragmented state of what other SaaS offerings vendors support. In general, there is not wide third-party support for backup of SaaS, and the SaaS vendors do the absolute bare minimum for native backup as a rule.”

A ‘bet for the long term’

The merger marks a chance for the Datto backup line to grow internationally, as Autotask has a large share outside of the United States, Borcherding said. There is overlap in customers, but the products do not overlap, he said.

For example, Autotask’s endpoint backup is complementary to Datto backup and disaster recovery, Datto CEO Austin McChord said in a webinar about the merger Monday.

“It brings a combined scope that’s unparalleled,” said McChord, who will retain the title of CEO in the merged company. Autotask CEO Mark Cattini will serve as a strategic advisor to the Board of Directors.

Datto and Autotask are both strong brands known to managed service providers (MSPs) and the combined entity will need to pick a company name, but has not settled on a new one yet, Burns said.


Borcherding said they are not looking at real estate consolidation at the moment unless it’s obvious, such as two offices in the same city.

“Having local presence is critical,” Burns said.

In response to a question about employee status, Borcherding said the merger is not a cost-cutting move.

McChord said he has personally invested hundreds of millions of dollars in the combined entity.

“This is a bet for the long term that we’re going to be able to build some really differentiated stuff down the road,” McChord said in the webinar. “MSPs are going to need to have a suite of different things to provide the solutions that really matter.”

McChord said he does not anticipate pricing changes at the moment.

A Vista Equity Partners representative was not available for comment.

Datto closed a funding round of $75 million in late 2015 to bring its total funding to about $100 million. Earlier this year, Datto purchased cloud-based networking provider Open Mesh.

Datto and Autotask are not disclosing terms of the deal, which is expected to close by the end of the year.