OpenSea Warns API Customers of Third-Party Security Breach

 

Following a third-party security breach that left them potentially susceptible to malicious actors, OpenSea issued a security warning to specific users, urging them to rotate their API credentials. 

OpenSea informed impacted customers via email that one of its vendors had experienced a security incident that may have exposed information connected to customers' OpenSea API keys. The leak raised concerns about the security of these keys, prompting OpenSea to act quickly. 

OpenSea has asked customers to immediately stop using their current API keys and replace them with new ones. They emphasised that the current keys will expire on Monday, October 2. While the breach is not likely to have an immediate impact on users' integration with the platform, OpenSea warned that third-party access could potentially affect users' allotted rate limits and usage. 

To reassure users, OpenSea stated that the newly created API keys will have the same permissions and rate limits as the expiring ones. However, the company did not disclose the exact number of people affected by the incident, nor did it say whether any data besides API credentials was at risk. 

This incident occurred not long after one of Nansen's third-party vendors experienced a similar security breach, which resulted in the exposure of specific customers' email addresses, password hashes, and blockchain addresses. Approximately 6.8% of its user base was impacted, according to Nansen, an on-chain analytics tool. Nansen said the vendor is used by many Fortune 500 businesses but did not name it. 

This is not the first security issue OpenSea has suffered. OpenSea faced a data leak in June of the previous year, when customer emails were exposed owing to an employee's error while working with the email delivery partner, Customer.io. After such data breaches, criminals frequently use compromised email addresses to launch convincing phishing scams targeting customers. 

Furthermore, in May 2022, OpenSea's Discord server was hacked, with cybercriminals promoting a bogus NFT minting event while claiming a partnership with YouTube. These incidents highlight the persistent challenges and security risks that crypto-related platforms face in an ever-changing digital ecosystem.

American and Southwest Airlines Witness Data Breach


This Friday, two of the world's largest airlines, American Airlines and Southwest Airlines, confirmed a data breach in which Pilot Credentials, third-party software that manages pilot recruitment and applications for numerous airlines, was compromised.

Apparently, the incident took place on May 3, targeting primarily the third-party vendor. No impact on the airlines’ own network or systems has been reported.

What Transpired?

On April 30, the threat actor gained unauthorized access to Pilot Credentials' systems and stole files containing data supplied by a few candidates in the pilot and cadet recruiting process.

According to the official information shared with Maine’s Office of the Attorney General, the breach impacted 5745 pilots and applicants of American Airlines, whereas Southwest reported that around 3009 individuals’ information was compromised.

"Our investigation determined that the data involved contained some of your personal information, such as your name and Social Security number, driver’s license number, passport number, date of birth, Airman Certificate number, and other government-issued identification number(s)," says American Airlines.

The airlines will now direct all pilot and cadet candidates to self-managed internal portals, even though there is no proof that the pilots' personal information was intentionally targeted or exploited for fraudulent or identity theft purposes.

"We are no longer utilizing the vendor, and, moving forward, Pilot applicants are being directed to an internal portal managed by Southwest," Southwest Airlines stated. Both airlines also notified law enforcement of the breach and are cooperating with the ongoing investigation.

Recent Years Have Seen More Such Cases

American Airlines was also targeted in a data breach back in September 2022. This breach impacted around 1,708 customers and airline employees.

Prior to this, the airline was a victim of a phishing attack that resulted in the compromise of the email accounts of a number of its employees. The breach exposed employees' and customers' personal information, such as their names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, and/or certain medical information.

Further investigation indicated that the threat actors involved in these breaches may also have used the employees' compromised accounts to launch more phishing attacks.

Here's How Global Firms are Capturing First- & Zero-Party Data of Consumers

 

Changes in consumer privacy in the digital marketing environment are forcing firms to fundamentally rethink their data-driven marketing tactics.

Consumers are becoming more conscious of the importance of their personal information. Simultaneously, tech titans and authorities worldwide are cracking down on the gathering, storage, and sale of consumer data. In addition to Apple's well-publicized privacy-focused software updates, Google intends to phase out third-party cookies on both Chrome and Android next year in an effort to prevent consumer tracking. 

The loss of access to large amounts of third-party data has complicated everything from ad targeting to attribution for advertisers, who have long relied on user-level tracking techniques. 

A rising number of businesses are responding by using novel strategies to get consumers to provide their personal information. This can take the shape of first-party data, or information a business obtains directly from its clients, or even zero-party data, or details a client voluntarily provides to a business. Consumers are receiving innovative new rewards from brands in return for their important data. 

The leading consumer packaged goods (CPG) and restaurant businesses are profiled here, along with some creative first- and zero-party data collecting methodologies they have employed. We discuss how these strategies may have helped these companies survive the post-cookie era. 

For the win, use game-based incentive programmes 

Brands are coming up with strategies to engage consumers in order to obtain first- and zero-party data. For a membership sign-up, email address, or phone number, you might receive a range of incentives, such as discounts or entry into sweepstakes.

Some companies, on the other hand, are thinking outside the box and developing fresh strategies, including ones that combine gamification, loyalty rewards, personalised marketing, and unique product offerings. 

For instance, in January, the sandwich company Jimmy John's started distributing its first "Achievement badges" to its "Freaky Fast Rewards Members." Even though the company has offered rewards since 2019, the addition of badges makes using the Jimmy John's app more enjoyable and encourages members to return. 

One badge, dubbed "The Gauntlet," which was introduced earlier this year, gave a special, limited-edition beanbag chair to the first 100 members who ordered every sandwich on the menu. 

Low-cal workouts drive conversions 

Halo Top, a brand of low-calorie ice cream owned by Wells, has another gamified strategy. 

And CPG firms like Halo Top that frequently market and sell largely via retail channels as opposed to direct-to-consumer are especially well-served by acquiring first- and zero-party data. As stated by Adam Fish, director of omnichannel strategy at Wells, "Gaining first-party data scale for CPG brands is challenging because we don't own the transaction; however, first-party data helps brands best understand their consumer and build long-term data durability." 

The 'No Work Workouts' campaign, launched by Halo Top last month, encourages people to take pauses from their usual workout routines to partake in enjoyable, low-effort calorie-burning hobbies, such as playing air guitar or watching scary movies.

"For those consumers who give consent, we can ingest first-party data into our audience segments," says Fish. He continues by saying that the company has witnessed a notable increase in conversions since switching from using third-party data collection to a variety of data sources a few years ago.

What Choices Ought to Influence the Supply Chain in 2023?

 

Due to the increase in cybercrime, many businesses are infected by viruses and malware that are distributed to them by vendors and business partners. 

There has not been a definite plan of action that addresses this as of yet. However, new third-party risk assessment techniques, products, and services are now available to find security "weak spots" in the supply chain of your business. 

Threats by supply chain vendors 

BlueVoyant, a cybersecurity provider, reported in 2021 that 98% of organizations surveyed had been impacted by a supply chain security breach. In a global survey of 1,000 chief information officers conducted in 2022, 82% of respondents said their organizations were vulnerable to cyberattacks targeting their supply chains. 

There are multiple reasons for these statistics and concerns. The following stand out:

  • The enormous size of corporate supply chains, which can include up to 100,000 suppliers for a single business 
  • Different cybersecurity standards are required in different countries 
  • Supplier unpreparedness, lack of knowledge, and lack of resources for sound cybersecurity practices 
  • Lack of understanding of supplier security in areas like purchasing, which frequently issues requests for proposals to suppliers without mentioning the security requirements for conducting business with the company. 

Best practices for supply chain security 

While cybersecurity frameworks provide an excellent overview of general supply chain security requirements, they do not provide a detailed plan for implementation. 

What organizations require is a guide for a multifaceted approach to supply chain security — but no single playbook can meet the needs of every organization. Instead, as organizations develop their own security approaches, leaders should follow supply chain security best practices: 

Become familiar with your data 

It may seem obvious, but it cannot be overstated: you must understand your own data, that is, what type of data your organization stores and how sensitive that data is. Use discovery and classification tools to find databases and files in your organization that contain sensitive data, such as customer data, financial information, health records, etc. 

Conduct a risk assessment of supply chain security 

Simply comprehending your data is insufficient. You must also understand your supply chain thoroughly in order to identify potential security risks and take preventative measures. 

Begin by gathering data on your third-party partners. What security safeguards do they have in place? Consider each partner's level of vulnerability, breadth and depth of data access, and the impact on your organization if their security is compromised. 

Next, evaluate the software and hardware products that your company employs. What are their weaknesses? Also, don't overlook compliance. Examine your organization's current security governance and consider where it may need to pivot. 

Create an incident response plan 

Attacks will occur, and your system will be compromised, no matter how thoroughly you prepare your organization's supply chain security. As a result, supply chain security best practices include more than just prevention — they also include preparation. 

An incident response plan should be a key component of your supply chain security approach. This plan should outline everyone's responsibilities as well as all procedures to be followed in the event of a security incident. Make specific plans for data breaches, system shutdowns, and other security interruptions. And don't just write these procedures down. Test them, practice them, and make sure they're ready to go. 

Conclusion 

Because the supply chain is so fragile, maintaining solid supply chain security is a dangerous game. While eliminating all threats is impossible, adhering to best practices in supply chain security will position your organization to anticipate and mitigate their effects.