Security News Survey – October 25, 2019

This week, we look at two security vendor data breaches and an unsecured database compromising hotel customers and U.S. government personnel.


We’re just a few days away from Halloween, readers, and things are suitably frightening out there among the cybersecurity news headlines. Let’s take a look.

Avast’s CCleaner targeted again in cyberattack 

Popular antivirus/anti-malware provider Avast has confirmed a security incident in which a third party accessed Avast’s network via compromised employee VPN credentials. According to the Czech-based company, it detected suspicious network behavior on September 23 and began investigating. It appears the ultimate target of the infiltration was the company’s system cleaner, CCleaner. The third party, which Avast refers to as “Abiss,” was not able to advance past the early stages of the attack.

This isn’t the first time that CCleaner has been the target of a cyberattack. In 2017, state-sponsored hackers were able to insert malware into releases via a backdoor that had been created before Avast acquired CCleaner creator, Piriform. The attack turned out to be targeting major technology companies, including Google, Microsoft, and Intel.

NordVPN discloses 2018 data breach 

Avast isn’t the only security vendor to suffer a security breach. Early this week, NordVPN, a popular Panama-based VPN provider, confirmed that it fell victim to a data breach last year. According to the company, an unauthorized third party accessed a rented Finland-based server, but no client usernames or passwords were compromised. NordVPN has canceled its contract with the data center provider and is boosting security measures following a comprehensive audit of its infrastructure, which the company says contributed to the delay in disclosing the breach to the public.  

Unsecured database exposes hotel customers and US military personnel data 

A misconfigured cloud database has led to the exposure of sensitive information belonging to Best Western hotel customers and US military personnel and officials. Security researchers discovered an unprotected Elasticsearch database belonging to Autoclerk, a reservations management system used by Best Western Hotels and Resorts group. According to the researchers, the database had no encryption or security measures and contained 179GB of data, including names, dates of birth, contact information, dates of travel, and more. Credit card details were masked. Among the data were logs of U.S. government and military personnel who traveled to places such as Moscow and Tel Aviv. The database was discovered on September 13 but not secured until October 2.