Compromises: It’s Not Just for Banks Anymore
In the past, the typical targets have been entities holding confidential, sensitive information. Such data is readily marketable and, depending on the information, may be significantly valuable. The medical field has experienced this for the last few years. For example, the number of retail clients visiting stores in a region of the U.S. would be less valuable than schematics for a new jet from a DoD contractor or strategy documents from the FDIC.
The attackers have shifted their focus somewhat to another industry that also happens to hold sensitive information. The latest notable compromise victim is in the automobile finance business. Employees of Nissan Canada Finance (NCF) and Infiniti Financial Services Canada detected on December 11, 2017 that a portion of their customers’ data had been compromised. Not every customer was affected. The exfiltrated data may have contained names, addresses, vehicle details, VINs, credit scores, loan amounts, and monthly payment information. This is the second known time Nissan has been targeted, with the prior instance being in 2012.
At first glance, this data does not seem very valuable to the unauthorized third party. Upon further review, it is actually quite useful. The holder of the data has the person’s private, relevant information. With the social security number, the holder is able to fully validate the identity of another person. Banks have begun to use information from the user’s credit report as a secondary source of identification. If the person seeking to assume the other’s identity had this, the impersonator could easily use it.
It is curious that the attackers waited this long to focus on and attack these entities. The businesses do hold a large amount of sensitive information and may not have deemed themselves a sufficient target. The recent breach and outward data flow show that any entity is a target, especially those holding useful information.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.