The recent security breach experienced by CalPERS serves as a reminder of the ever-present threat to sensitive data.
As an individual who is directly impacted by the breach, I have been personally affected and left with a multitude of questions. It is important to delve into the specifics of the incident, comprehensively understand the scope of the breach, and explore the measures being undertaken to address the situation and prevent future occurrences.
Let’s talk about it.
What is CalPERS?
CalPERS stands for the California Public Employees’ Retirement System. It is a public pension fund that provides retirement and health benefits to public employees, retirees, and their beneficiaries in the state of California.
Structure of the Attack
CalPERS uses a third-party vendor, PBI Research Services/Berwyn Group (PBI), which operates the MOVEit Transfer application on its behalf. This application allows payments and benefits to be sent to users.
CalPERS received a notification from PBI on June 6, 2023, regarding a “zero-day” vulnerability discovered in their MOVEit Transfer Application. This vulnerability resulted in unauthorized third-party access, enabling the downloading of our data.
A “zero-day” vulnerability is a security flaw or weakness in a system or device that an attacker discovers before the developer or its security engineers do. The name reflects that the software vendor has had zero days of advance notice in which to address and patch the vulnerability.
Extent of Breach
It has been confirmed that sensitive personal information of individuals currently receiving monthly benefit payments through CalPERS (as of Spring 2023) has been unlawfully accessed and downloaded. The compromised data included the following categories of personally identifiable information (PII):
- Names
- Dates of birth
- Social Security numbers
- Family names of individuals, such as spouses, domestic partners, children, etc.
- Work history information
CalPERS Response
CalPERS stated that PBI’s initial communication “did not provide sufficient detail as to the scope of the data that was impacted and the individuals to which that data belonged”. Additionally, “as soon as we received additional information, CalPERS officials moved quickly to set up new security procedures, secure credit monitoring and identity theft protection services for our members” [1].
Issues with How CalPERS Addressed the Breach
There were two main issues with how CalPERS addressed the breach:
- Not knowing the extent of the breach.
Because CalPERS did not know the extent of the breach, it informed the public of the attack only after a two-week delay. Relying on a third party also means depending on that business to remain vigilant, communicate updates promptly, and keep the affected organization informed about the breach.
- Stating that “new security procedures” were in place.
Given its limited visibility into the third party’s internal systems, how can CalPERS be sure that appropriate security measures have actually been implemented?
Breach Details
The Clop group was identified as having exploited a vulnerability in the MOVEit Transfer application before a patch was available. This means the group likely injected malicious code to gain unauthorized access to sensitive information. The injected code could have taken the form of malware, viruses, worms, or other malicious code designed to exploit vulnerabilities and compromise the security of the targeted system.
Insufficient elaboration has been provided regarding the specifics of the attack and the safeguards implemented to prevent further exploitation. This lack of information leaves numerous questions unanswered and creates uncertainty regarding the level of protection in place.
Identifying The Potential Issue
The MOVEit Transfer application is used to move large volumes of data, so the following classes of vulnerability pose security risks for it:
- Insecure data transmission – Without secure communication protocols, sensitive information transferred between devices or servers can be intercepted by attackers.
- Lack of encryption – Failure to apply strong encryption leaves data exposed during transmission or storage.
- Weak authentication/authorization – Improper authorization controls can allow unauthorized users to gain access.
- Code injection attacks – Applications that do not validate user input are open to code injection, where attacker-supplied input ends up being executed as code by the application.
- Inadequate session management – Insecure session management can lead to session hijacking, enabling unauthorized individuals to access and control user sessions.
- Insufficient error handling – Applications that do not handle errors properly may inadvertently leak sensitive information or give attackers insight into the app’s infrastructure.
- Data storage vulnerabilities – Weak or insecure storage mechanisms can leave large data sets susceptible to unauthorized access, retrieval, or modification.
- Inadequate input validation – Lack of proper input validation can allow attackers to exploit flaws such as SQL injection or cross-site scripting (XSS) to gain access to large volumes of data.
Mitigation Techniques
To address and minimize these vulnerabilities, application developers should adhere to a comprehensive application development lifecycle that prioritizes robust security protocols. This lifecycle should encompass the following essential stages:
- Follow secure coding practice, including input validation, proper error handling, and safe memory management. Using frameworks and libraries with built-in security features can assist with applying these security measures.
- Secure network communication by using secure communication protocols to protect data transmitted between the app and backend servers, and implement certificate pinning to ensure the authenticity of those servers.
- Implement encryption for data transmission and secure storage. Ensure there are proper access controls and enforce data separation to minimize the impact of a potential breach.
- Enforce strong authentication and authorization measures to verify the identity of users and authorize their access to specific functionalities and/or data. This can be enhanced with session management controls, secure password storage techniques and multi-factor authentication.
- Regularly update and patch the app focusing on the app’s underlying framework, libraries, and operating system.
- Conduct security testing, including penetration testing and code reviews, to identify vulnerabilities and weaknesses.
- Stay informed about emerging threats and best practices in app security. Promote security awareness among app developers by providing training and resources on secure coding practices, common vulnerabilities, and emerging threats.
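To make the vulnerability classes listed under “Identifying The Potential Issue” and the mitigations above concrete, here is an added Python example (not code from CalPERS, PBI or the MOVEit product) of a hypothetical file-download handler in a transfer service. One version builds SQL from user input, skips the ownership check and echoes database errors; the hardened version next to it validates the filename, parameterizes the query, enforces authorization and returns only a generic failure. The table, users and filenames are constructed, and `user` is assumed to come from an already authenticated session.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory 'transfer server' table: two users, one file each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, content TEXT)")
    db.executemany(
        "INSERT INTO files (owner, name, content) VALUES (?, ?, ?)",
        [("alice", "payroll_q1.csv", "alice-data"), ("bob", "benefits.pdf", "bob-data")],
    )
    return db


def download_unsafe(db, user, name):
    """VULNERABLE: SQL built by string formatting (injection), the caller's
    identity is never checked (weak authorization), and raw engine errors are
    returned to the client (insufficient error handling)."""
    try:
        rows = db.execute(
            f"SELECT content FROM files WHERE name = '{name}' ORDER BY id"
        ).fetchall()
        return [r[0] for r in rows]
    except sqlite3.Error as e:
        return f"error: {e}"  # leaks database internals to the caller


# Hypothetical allow-list for file names: letters, digits, dot, underscore, dash.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def download_safe(db, user, name):
    """HARDENED: reject anything outside the allow-list instead of sanitizing,
    bind parameters so input is never parsed as SQL, restrict the lookup to the
    authenticated user's own files, and return None (not the error text) on
    failure; a real service would log the error server-side."""
    if not SAFE_NAME.fullmatch(name):
        return None
    try:
        row = db.execute(
            "SELECT content FROM files WHERE owner = ? AND name = ?", (user, name)
        ).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None
```

Running both handlers against the same input makes the difference visible: the unsafe version hands out another user's file and, with a tautology such as `' OR '1'='1`, every file in the table, while the hardened version returns nothing for both.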
Conclusion
Rebuilding trust in the aftermath of a security incident is crucial for maintaining a strong relationship between a service provider and its users. In the case of the MOVEit Transfer incident, it is essential for PBI to take proactive steps to address concerns and provide transparency to regain trust. One effective approach is the release of a comprehensive technical security report. Such a report should include the following elements:
- Incident overview
- Vulnerability Assessment
- Impact Assessment
- Remediation Plan
- Future Plans/Lessons Learned
Reference:
1. PBI Data Breach – Frequently asked questions. CalPERS. (2023, June 23). https://www.calpers.ca.gov/page/home/pbi