Envision is a credit union based in Tallahassee, Florida operating in Northern Florida and Southern Georgia, serving more than 54,000 members. On August 5, 2021, Envision became aware of suspicious traffic within its network. Company management immediately brought in a third-party IT vendor to investigate the activity and isolate any impacted areas. Based on that investigation, it was confirmed that an outside party gained unauthorized access to the data involving its entire member base over a 48-hour period beginning on August 5th. The credit union enacted a clean sweep of its systems to remove all malware and terminate the access of the attackers. A New York-based cybersecurity threat intelligence company disclosed that the LockBit ransomware group was threatening to publish the exfiltrated data on August 30. Envision sent out breach notification letters to its customers on January 31, informing them that their personal information had possibly been compromised including their name, Social Security number (SSN), payment card information, financial account information and government issued identification numbers.
Basis of the Case and Settlement
Two representative plaintiffs filed a suit on behalf of all other victims of the incident on February 18 in the Northern District of Florida. The plaintiffs alleged five causes of action including negligence, breach of implied contract and unjust enrichment. The suit was eventually settled in mediation. As compensation, all settlement class members are eligible for up to $300 in reimbursement for documented out of pocket expenses that incurred because of the data breach. Members may also be eligible for reimbursement of documented monetary losses up to $4,000. Individuals whose information was possibly compromised will receive three years of free credit monitoring and identity theft protection. In return, Envision denies all charges of all alleged wrongdoings or liabilities. The defendant has also agreed to implement a series of remedial measures and security enhancements that include the following:
- Enacted Duo multi-factor authentication (MFA) or Microsoft products.
- Develop a plan to address any legacy authentication protocols.
- Implemented an information security program that includes a dedicated DIO position.
- Continued system hardening.
- Increased cybersecurity training for all customers
Call to Action
One of the remedial measures agreed on by Envision is to address their current legacy authentication protocols. Many of these protocols have been deprecated due to the following reasons:
- Some legacy authentication protocols do not enforce strong password requirements, making it easier for attackers to guess or crack passwords. For instance, Microsofts Windows New Technology LAN Manager (NTLM) only allows 8-character passwords which are now considered an insufficient length for privileged accounts.
- Some older authentication protocols such as Password Authentication Protocol (PAP) don’t support multifactor authentication which makes it far easier for an attacker to launch a credential stuffing or dictionary attack.
- Some of these protocols are highly vulnerable to various types of password related attacks. One example is Challenge Handshake Authentication Protocol (CHAP), which is susceptible to man-in-the-middle (MITM) attacks.
- Many of these protocols do not support encryption. For instance, Simple Mail Transfer Protocol (SMTP) was created when security was not of great concern. Because of its inherent security weaknesses, Microsoft will begin disabling the use of SMTP Authentication and other basic authentication protocols such as POP and IMAP on March 31 for Office 365.
Some authentication protocols are considered legacy but are still utilized and supported. For instance, many organizations are transitioning from on-prem Active Directory environments that use the Kerberos authentication protocol to the cloud that uses more modern authentication protocols such as SAML and OAuth 2.0. You must confirm that your current applications support these new protocols before retiring the depreciated legacy protocols.
A risk assessment can uncover legacy security protocols being used in your environment. The assessment may include vulnerability scans and penetration testing that identify vulnerability points such as the utilization of these authentication protocols that may be highly exploitable. Once identified, a risk assessment team can evaluate the risks associated with these older protocols and outline a call of action to upgrade them.