Austin, Texas-based ALTR emerged from stealth mode on Wednesday with a blockchain-based data security platform and $15 million in funding. ALTR announced the immediate availability of its product, which had been in development for nearly four years while the company operated in stealth. Originally designed to serve as the public transaction ledger for the Bitcoin cryptocurrency, a blockchain is a distributed database consisting of blocks that are linked and secured using cryptography.
Companies have been increasingly using blockchain for purposes other than cryptocurrency transactions, including identity verification and securing data and devices. ALTR's platform uses blockchain technology for secure data access and storage. Built on what the company calls ALTRchain, the solution allows organizations to monitor, access and store highly sensitive information.
The ALTR platform is designed to sit between data and applications, and it can be deployed without making any changes to existing software or hardware infrastructure. It offers support for all major database systems, including those from Oracle and Microsoft.
The platform has three main components: ALTR Monitor, ALTR Govern, and ALTR Protect. ALTR Monitor provides intelligence on data access activities, creating an audit trail of blockchain-based log files. ALTR Govern controls how users access business applications: organizations can create and apply rule-based locks and access thresholds in an effort to prevent breaches.
ALTR Protect is designed to protect data at rest. It decentralizes sensitive data and stores it across a private blockchain, so that the compromise of any single node is not meant to expose the data to unauthorized access.
The company also announced that it has opened access to its proprietary blockchain technology by making available its ChainAPI, which allows developers to add ALTRchain to their applications. ALTR has raised $15 million in funding from private and institutional sources in the cybersecurity, financial services and IT sectors. The money will be used to extend the reach of the company's platform and launch additional products based on ALTRchain.
ALTR told SecurityWeek that its platform has already been deployed at a healthcare organization, a mid-sized service provider that caters to both Fortune 1000 companies and government agencies, and a couple of firms in the financial services sector.
MyHeritage, a DNA and genealogy firm, announced Monday that the access credentials of 92 million users had been stolen. It only discovered the breach when a security researcher informed the company he had found a file named "myheritage" stored outside of MyHeritage. The file contains, writes MyHeritage CISO Omer Deutsch in a statement, "the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach." He stresses that the passwords are stored as "a one-way hash of each password, in which the hash key differs for each customer" (most plausibly meaning that each password is hashed with a per-user salt).
Deutsch believes that only the credentials were stolen. "We have no reason to believe that any other MyHeritage systems were compromised." Furthermore, he adds, "we have not seen any activity indicating that any MyHeritage accounts had been compromised." Payment data, user DNA data and family trees have not been affected. MyHeritage went public with commendable speed - on the same day it learnt of the breach. However, some aspects of the statement are concerning.
For example, it immediately set up an incident response team to investigate the incident. Best practice would have such a team already established in anticipation of a breach. The firm is expediting "work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon." Best practice would have had MFA in place long ago.
Furthermore, it will 'recommend' rather than require users to employ the MFA option. It also recommends users should change their passwords, when it should perhaps force a password reset on all users. "It appears that MyHeritage hasn't taken the steps to automatically require users to change passwords, just that they recommend they do," comments Absolute Software's Global Security Strategist Richard Henderson. "That should be an immediate action for any breach of this type.
We still don't know (and neither do they) how this information was stolen, or the motives for doing so... and the statement by MyHeritage that they believe no other data was taken, especially unique DNA information and genealogy information, is probably a little premature, until they can determine exactly what happened late last October." The reassuring tone of the MyHeritage statement is also challenged by Anthony James, CMO of CipherCloud. "Don't believe for a second that a hashed password is safe," he says. "Hashed passwords are absolutely not safe if stolen - these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage.
So, NO, a smart cyber-attacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts." Which hash function MyHeritage used is not known; a slow, salted function such as bcrypt would make cracking more expensive, but a password that appears on a common-password list still falls, just more slowly. Cracking may not even be necessary where a user reused the same email address and password in an earlier breach that used a weak hash, because the attacker already holds the plaintext and can simply test it against the new hash.
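To make the dictionary attack James describes concrete, here is an added example; it is not code from the original article, from MyHeritage, or from any of the people quoted. It builds a constructed "stolen dump" of email/hash records under three schemes (unsalted SHA-256, per-user-salted SHA-256, and per-user-salted PBKDF2 standing in for a slow hash such as bcrypt, since the function MyHeritage actually used is unknown), runs the top-passwords comparison against each, counts how many hash computations the attacker has to pay for, and finally checks credentials reused from a hypothetical earlier breach. Every user, password, salt and wordlist entry below is constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the "top 100,000 most popular passwords" list.
TOP_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                 "dragon", "iloveyou", "genealogy1"]

# Constructed sample accounts. Only dave uses a password absent from the list.
SAMPLE_USERS = [
    ("alice@example.com", "password"),
    ("bob@example.com", "genealogy1"),
    ("carol@example.com", "dragon"),
    ("dave@example.com", "Xq7!vR2#mLp9wZ"),
]

# Constructed plaintext credentials "recovered" from a hypothetical earlier
# breach elsewhere; dave reused his strong password there.
OTHER_BREACH = [
    ("dave@example.com", "Xq7!vR2#mLp9wZ"),
    ("alice@example.com", "wrongguess"),
    ("zoe@example.com", "123456"),
]


def unsalted_sha256(pw, salt=b""):
    # The salt parameter is ignored; it exists only so every scheme shares
    # the same call shape for build_dump().
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_sha256(pw, salt):
    # Fast hash with a per-user salt: no shared table, but still cheap per guess.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def salted_pbkdf2(pw, salt, rounds=50_000):
    # Iterated hash as a stand-in for bcrypt; the round count is the work factor.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def build_dump(users, hash_fn, per_user_salt):
    """Return a constructed stolen dump: a list of (email, salt, hash)."""
    dump = []
    for email, pw in users:
        salt = os.urandom(16) if per_user_salt else b""
        dump.append((email, salt, hash_fn(pw, salt)))
    return dump


def crack_unsalted(dump, wordlist):
    """Without salt, one hash per candidate serves every user at once."""
    table = {unsalted_sha256(pw): pw for pw in wordlist}
    cracked = {email: table[h] for email, _, h in dump if h in table}
    return cracked, len(wordlist)  # work = one pass over the wordlist, total


def crack_salted(dump, wordlist, hash_fn):
    """With per-user salt the table is useless; each user costs its own pass."""
    cracked, work = {}, 0
    for email, salt, h in dump:
        for pw in wordlist:
            work += 1
            if hmac.compare_digest(hash_fn(pw, salt), h):
                cracked[email] = pw
                break
    return cracked, work


def check_reused(dump, other_breach, hash_fn):
    """Reused credentials need no cracking: one hash per leaked pair."""
    by_email = {email: (salt, h) for email, salt, h in dump}
    hits = {}
    for email, pw in other_breach:
        if email in by_email:
            salt, h = by_email[email]
            if hmac.compare_digest(hash_fn(pw, salt), h):
                hits[email] = pw
    return hits


if __name__ == "__main__":
    schemes = [("unsalted sha256", unsalted_sha256, False),
               ("salted sha256", salted_sha256, True),
               ("salted pbkdf2", salted_pbkdf2, True)]
    for name, fn, salted in schemes:
        dump = build_dump(SAMPLE_USERS, fn, salted)
        t0 = time.perf_counter()
        if salted:
            cracked, work = crack_salted(dump, TOP_PASSWORDS, fn)
        else:
            cracked, work = crack_unsalted(dump, TOP_PASSWORDS)
        dt = time.perf_counter() - t0
        print(f"{name:16} cracked={sorted(cracked)} hashes={work} "
              f"time={dt:.3f}s reused={sorted(check_reused(dump, OTHER_BREACH, fn))}")
```

Running it shows the three things the quotes argue about: the unsalted dump falls to a single pass over the wordlist, the per-user salt multiplies the attacker's work by the number of users and defeats any precomputed table, and the slow hash multiplies it again by the round count. None of the three protects alice, bob or carol, whose passwords are on the list, and none protects dave, whose strong password was reused in another breach, which is the case for forcing a reset rather than recommending one.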
SecurityWeek has contacted MyHeritage asking for further details on the hashing process, and will update this report with any response. Rick Moy, CMO at Acalvio, is concerned that MyHeritage did not itself detect the intrusion, "as demonstrated by the seven-month delay, and the fact they were alerted by a third party." The implication is that the firm does not have adequate detection capabilities - and if it failed to detect this, there may be other incidents with the other systems that have also gone undetected. This possibility also concerns Rashmi Knowles, EMEA Field CTO at RSA Security. "If your password is stolen, it can be updated, but this isn't the case with genetic information," she warns. "You only have one genetic identity, so if this is stolen there are potentially much more serious consequences.
But many people don't think about this when applying for such services. No matter how secure the organization, no one is completely risk-free, and if breached, genetic data could be sold on to other hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There's even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future."
There is potentially an additional side-story to this incident. MyHeritage reports, "We are taking steps to inform relevant authorities including as per GDPR." SecurityWeek has asked MyHeritage to expand on this. Who are the relevant GDPR authorities for MyHeritage?
The firm lists numerous contact phone numbers in various European countries, including the provision of "24/7 support" from the Irish phone number. This suggests that the Irish regulator may be the relevant GDPR authority for MyHeritage. There is little doubt that MyHeritage is subject to GDPR, and it appears reachable by the GDPR authorities through its European offices.
The only question here is whether Europe will decide to make a high-profile example of MyHeritage early into the GDPR age. But what about the researcher? Is he or she also liable under GDPR for unsanctioned storage of and access to European PII?
The point is debatable. The UK's Information Commissioner's Office has told SecurityWeek that researchers are exempt from GDPR under the principle of 'legitimate interest'. This is not the view of David Flint, senior partner at MacRoberts LLP.
Asked if researchers should be concerned about GDPR, he told SecurityWeek, "The short answer is YES! Under the GDPR/DPA 2018 the researcher couldn't be a Processor (as he is not acting on instructions of a Controller) therefore he must be a Controller." So, as a controller, "If a researcher comes across that data he should advise all the Data Subjects that he has the data and what he intends to do with it, sending them a Privacy Notice. (article 14).
Article 89 GDPR deals with an exemption for historical research which doesn't seem relevant here." These are interesting times. MyHeritage users will need to wait to see whether their DNA has been or may be compromised, researchers will need to wait to see whether GDPR may be enforced against them, and businesses around the world - including MyHeritage - will be waiting to see how forcefully GDPR will be enforced by the European Union.
PageUp, an Australian company that provides HR software, informed customers this week that it launched an investigation on May 23 after detecting suspicious activity on its IT infrastructure. The firm's analysis of the incident revealed on May 28 that hackers may have gained access to names, contact information, usernames, and password hashes. Documents such as signed employment contracts and resumes are believed to be unaffected, as they are stored on separate servers.
"There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password," said Karen Cariss, CEO and co-founder of PageUp. While the company has only shared limited technical information regarding the incident, it did say that the attack involved a piece of malware.
The breach has been investigated by both law enforcement and cybersecurity experts. Cybersecurity organizations and data regulators in Australia and the United Kingdom have been notified. PageUp says it has 2.6 million active users across over 190 countries.
Some of the company's customers have notified job applicants and shut down their online recruitment pages following the incident. Australia Post, which has been using PageUp since October 2016, highlighted that in the case of individuals whose applications were successful, bank details, tax file numbers and other sensitive information were also stored on PageUp servers. There is no evidence, however, that this data has been accessed by hackers, Australia Post said.
Wesfarmers-owned supermarket chain Coles has shut down its careers website and issued a statement saying it has suspended all connections between its systems and PageUp while an investigation is conducted. Other Wesfarmers retailers, including Kmart, Target and Officeworks, have also shut down their careers websites. Australian telecoms giant Telstra has also suspended its online recruitment system due to the breach at PageUp.
Telstra warned successful applicants that their date of birth, employment offer details, and pre-employment check outcomes were stored on PageUp systems. The incident also impacts logistics and supply chain company Linfox and private health insurer Medibank, both of which have suspended their careers pages. Several universities in the United States also use PageUp.
However, at the time of writing, none of the U.S. universities listed on PageUp's testimonials page have issued security alerts or suspended their online recruitment systems.