Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: CyberAttack Grab Bag
Quick Take
On this episode, the CU Guys uncover the latest cyber threats, from AI-driven breaches to cloud misconfigurations, that put your data at risk. Learn about real-world examples of high-profile breaches and simple social engineering tricks that can compromise your security.
Discover the role of AI and quantum computing in cyberattacks and get practical steps to enhance your defenses. Perfect for cybersecurity professionals and anyone serious about data protection, this episode offers essential insights to stay ahead of cybercriminals.
Don’t wait for a breach, arm yourself with knowledge and strategies today.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside your compliance Walter Cronkite, Mr. Adam Goslin, how the heck are you, sir?
I am doing far, far better today.
Yes, I understand that some apologies are in order. Same one.
I’ll tell you what, I was sicker than a dog, I took a trip and of course I come back from the trip and start with the head cold, heads to the chest cold, 10 days of antibiotics involved. Yeah, it was a good time, but finally on the other side of it, so apologies to the listeners for not having some content for them last week, but hey, we’re back in the proverbial saddles, shall we say.
I love it. I love it. Well, you know, as always, we invite the folks out there to reach out to us. Let us know your thoughts, your questions, your concerns. We love to hear what you have to say.
[email protected]. Well, today, Adam, it’s a little bit of a mixed bag. As a matter of fact, it’s a little bit of a grab bag. That’s right. We’re going to do a grab bag of security related things. Tell the folks more today.
Sure. So I wanted to go through some of the top breaches and whatnot that were happening and we’re all of what, about 10 weeks or so into 2026. So I figure we’ll give the folks a little bit of an update. We’ve got some AI-powered attacks, supply chain vulnerabilities, a little ransomware sprinkled into the mix. So yeah, it’s been a lot of exciting stuff happening out there.
So I’ll just kind of bebop around and we can talk about some of these. But one of the public sector breaches was a contractor and suffered a ransomware attack that exposed something along the lines of 25 million individuals, which was having some pretty substantive impacts on state benefit systems. So it’s definitely interesting seeing that type of exposure, but it’s just one of the things that folks don’t realize is just how much all of this security and compliance, layers of controls all work together to help to protect you. But it’s one of the areas that organizations don’t focus heavily enough on is the security and compliance of the folks that are working for them, if you will.
Why do you think that is, Arut?
Well, a lot of people will go under the, you know, under the guiding assumption that, oh, you know, and especially based on, you know, the name of the company or, you know, whatever, and they just don’t take that that threat as as seriously as they should or need to, you know, and nobody out there is perfect, right? But you do expect that, you know, larger scale organizations have their act together, but time after time, they end up kind of proving out that that’s not necessarily the case.
And so, but, you know, in the grand scheme of things, we’ve got, shit, we even had the FBI had, you know, had an issue. This is another vendor driven, you know, another vendor driven, you know, incident where there was a vendor’s internet service provider that was compromised so that they could access a federal digital collection system network. So, you know, you’ve got, you know, you got the bad guys out there, kind of indirectly, indirectly hitting critical FBI systems as well. So it’s not just the corporate arena, you know, out there that, you know, that gets hit. But yeah, this one, this one was in like mid, mid February. They were.
There seems to be a rash of federal mishandlings in the information realm these days.
They’re not immune, so apparently around the middle of February they were seeing some irregular network activity that was leading them straight to the digital collection system network and finding out that there’s sensitive data with court-authorized wiretaps, FISA warrants and personal information on active FBI agents, etc. They claim that they’ve identified and addressed the suspicious activity, but they’re not saying, go figure.
They’re not saying a lot more than that, shall we say. The government is definitely not immune, shall we say.
That is a, uh, that is a very fair statement. Uh, one of the ones that really hurt my heart, because I like what they bring to the table, tell us what happened on the CarGurus front.
Well, they ended up having something along the lines of 12 million users that got exposed. So, let’s see here, just trying to, let’s see, it was the, they were hit with a significant data breach.
It was Shiny Hunters. I’ve seen their name pop up here and there. They ended up stealing and then leaking 12 million user accounts. So, that one also came around the middle of February. So, it was like stolen names, emails, phone numbers, et cetera. So, it included the auto finance pre-qualification app data, finance application outcomes, dealer accounts, subscription information, et cetera. So, there was something along the lines of six gig of data with a little over 12 million records that was released out. They were allegedly using a vishing attack to impersonate IT staff, tricking employees into revealing SSO credentials through Okta, Microsoft, Google, et cetera. So, yeah, it’s not fun when the bad guys end up kind of being able to pull those types of attacks off, gain access inappropriately to a lot of sensitive data, shall we say.
Absolutely. Now they say that one in three relationships start online, but that does not mean your data is necessarily safe. Tell us more.
Well, it was Match Group, which does dating apps. Similarly, Shiny Hunters leaked about 10 million records there. So they were doing some targeting of various information and whatnot as they were going through it. So this was affecting some of their platforms like Tinder, Hinge, OkCupid, Match.com, etc. So apparently they haven’t released a lot about what all happened there, but allegedly it includes contact info, subscription detail, matches, things along those lines were some of the aspects of what was released, if you will. So I guess we’ll wait and see if additional information comes out on that one. But yeah, it’s tough when you’ve got platforms like that. And especially one of the fun ones was when, what the hell was the name of that? Madison. Why can’t I remember the damn name? It was that site that was for married people that wanted to cheat.
Oh, oh, oh, uh, Ashley Madison, Ashley.
Thank you. I, I, I, I want to say model medicine. I knew it was wrong. That’s part of the danger, right? When you’re leveraging, there’s a lot of folks that’ll use those apps for cheating on their current partner, et cetera. So that’s part of the joy that comes along with those different dating app type platforms when they get hit is there’s all sorts of repercussions, ripple impacts, things along those lines. So yeah, that’s always a good time.
There was another one. It was a Dutch telecom company. It was called Odido. They had a social engineering attack on their Salesforce system and that exposed something along the lines of six and a half million people, 600,000 companies and whatnot. They’re saying that one happened in early February and just earlier in March, they ended up publishing the data out there on that. So it was impacting a bunch of their different services and whatnot.
So we got what? So far we’ve got car companies, dating companies, telephone companies, et cetera. So it’s always entertaining when you got those folks in the mix. No doubt.
Now, a lot of these issues are human-related, as you would imagine. Anything else on the horizon on that front?
Well, the one interesting part here is that there was a recent study that was released, actually by Experian, where they were calling out one of their headline items, which was kind of, it’s certainly an interesting tidbit, although not particularly surprising. They were saying that AI is surpassing human error as the top cause of breaches.
They’re just seeing this rise in AI-related systems getting, being in some way, shape, or form involved in the breaches that are floating out there. So, you know, they’ve got, they’ve also got rising threats from, you know, quantum computing. They’ve got synthetic identity theft, and one of their findings was, oh god.
Oh, I was just, I’m sorry, I didn’t, I got excited about the quantum computing piece in the sense of like, how are they even managing the hacks from a quantum computer.
I can imagine that that would be tremendously challenging and complex and complicated to be able to, you know, to be able to, you know, appropriately address the threats that are coming out of that arena. That certainly is a new frontier that’s been, you know, kind of they still say that cloud misconfiguration. So, you know, a ton of people, you know, over the years have been moving from, you know, kind of local servers, colo-style locations, you know, over toward putting all their stuff up in the cloud. And of course, the misconfigurations of those cloud environments are remaining, you know, one of the top causes of, you know, of security breaches.
So that part is, you know, that that part is, you know, certainly, you know, certainly entertaining that with as much time as gone by, it’s like we’re still having problems with cloud misconfigurations, like, and figure this out. Yeah, I mean, seriously.
Are there any particular sectors that are being targeted more than any others?
Well, I mean, you know, healthcare has, you know, has, has, will and remains a prime target. But, you know, some of the, they’ve been in there for a while. Retail remains, you know, kind of remains a platform that’s continuously, you know, targeted. But, you know, interestingly enough, wireless carriers are, you know, kind of picking up steam as a, you know, kind of as a, a group that is, you know, that is being targeted, you know, whatnot. It kind of makes sense, right?
You’ve got these organizations that have the, you know, the personal, you know, the personal information and connection information. Yeah, I don’t know about you, but I’ve been seeing more and more things hitting, you know, hitting, you know, the, the mobile phones through, through text messages. You know, sometimes it’s, you know, sometimes they’ll start, starts off benign, right? With a, you know, I keep getting these like, whatever, are you, are you going to just place for the party on Saturday or stuff like that, right? It’s like, you know, they’re obviously just straight fishing for, you know, trying to get a, you know, open a dialogue with somebody, you know, type of a deal. But I’m also seeing, I’m also seeing more and more things coming in through the mobile devices with, you know, kind of like, you know, shortened URLs, TinyURL, you know, typed links in there, you know, where, Hey, we, we, you know, we were attempting to deliver your package, but, you know, we weren’t able to, you know, we weren’t able to deliver it, you know, please click here for, so that you can, you know, organize your, you know, your delivery being, you know, being sent again, you know, type of a deal. And it’s, it’s nothing that I’ve ordered, obviously, it’s just somebody, you know, trying desperately to get someone to go mash on the button. But, you know, you look at, you know, some of the, some of the folks in society that, you know, that don’t have nearly the, you know, nearly the capabilities that we would have to be able to, you know, detect and identify, you know, bad guys trying to do nefarious things.
And, you know, you’ve got, you know, like some elderly, you know, elderly person that’s getting a, you know, getting a text message, you know, like that, seriously, what are the odds that they’re just going to go punch the button and, you know, punch the button and click on the link and, you know, bring some ugly booglies onto their, you know, onto their devices or expose their personal information, you know, type of type of a deal. So yeah, it’s tough. It’s tough out there. It’s one of the, you know, one of the things that, you know, I like, you know, as I run across these things and learn, you know, different attack vectors, things I’m seeing, etc., I’ll share that, you know, with my parents repeatedly, just so that they can, you know, I can give them a heads up about things that I’m seeing out in the, you know, out in the space. But, you know, that’s probably, the elderly are, you know, certainly are not as attuned to keeping their eyeball out for it, but what’s interesting is that the, you know, the younger generation, you know, having, you know, having less, kind of less concern, you know, and less awareness around attack vectors and, you know, and things that could be coming their way. So I don’t know.
I think the folks in the middle of the road are probably best, you know, best prepped to be able to handle it. But, you know, we’ve got a, we’ve got a lot of education and a lot of sharing that we need to do with folks just to kind of keep them out of hot water, if you will.
Well, that kind of leads to the next piece of conversation, like what type of actionable items can these folks take away given what we’re looking at here?
Well, I mean, when you’re, when you get notified and everybody’s gotten, you know, gotten, gotten the breach notices, right? Uh, which, which I just effing love when you get the notice that’s, oh, by the way, we were breached, but we really care about your information and your security, blah, blah, blah. It’s like, don’t start your “we fucked up” letter with “we care.” You know, if you cared, you wouldn’t be sending the letter.
Dollars to donuts. You know what I mean? It’s like, you know, sorry, you’re, you’re, you’re, uh, your lawyer, your lawyer speak is not going to necessarily work on me, but, um, you know, if, if you do get notified of a breach, you know, certainly, uh, you know, making sure that you’re keeping an eyeball on your credit reports, um, you know, if it’s a, you know, particular system that got, you know, that got, uh, you know, that got attacked, going in, changing your passwords. I mean, this would be a good opportunity, you know, for, for anybody that in this day and age, it’s not doing this, um, you know, leveraging a password management system. I mean, I Scott, I started using, I started using one of those probably 15 to 20 years ago, uh, you know, type of a deal and, um, yeah, there’s some downsides, you know, there’s some downsides to the choices you make in that arena, but, um, you know, but in my case, I’ve got literally a separate password on every single thing that I log into. I don’t even know the passwords for the, for the systems that I go into because I always set them to random scramble barf. Well, you know, for me, when I, when I go get a notification that I got, you know, such and such an organization got breached, I need to go in and change my password. Well, even if they ended up, even the bad guys ended up getting that password, you know, they can’t use it anywhere else. Uh, there’s, there’s, there’s no possibility, but you know, for those folks that aren’t using, uh, you know, ’cause, some form of a password management system, um, you know, where they’ve got some type of a pattern for their passwords, whatever it’s puffy one, two, three underscore the name of the vendor and an exclamation point, you know, type of a deal, but they use it everywhere. Well, guess what? The minute that the bad guys breach a system, get ahold of the password and whatever, let’s say it was, you know, bank, bank number one got breached or something.
Well, what are they going to immediately do? They’re going to go and take the same password pattern with your email address and go try it on other systems, you know, type of a deal. So, you know, there’s a huge risk to these folks that don’t leverage password management systems and whatnot. So, you know, making sure that you are going in, changing your passwords. If you’re an individual that is not using a password management system, please, you know, go ahead, uh, pick your, you know, pick your password management system of choice and, you know, start getting all of your, all of your passwords in there, changing them, making them unique for different sites.
That’ll go a long way to helping, um, you know, and certainly monitoring of your, you know, any, any of your impacted accounts, uh, for any suspicious activity. Um, you know, you want to, you want to go and, uh, you know, do that. In addition, you know, any, any, um, you know, anybody that that’s, that’s involved in it, if you’ve got the option or opportunity to use some form of multi-factor authentication, a lot of, you know, a lot of systems will, uh, either use, uh, you know, use the mobile app. So like I’m trying to go log into my browser, it’ll send a, some type of like a push notification to your phone through the vendor’s actual mobile app. That’s one, one approach or methodology I’ve seen. Uh, I’ve seen folks using MFA vendors like, you know, the Googles and Microsofts and Oktas and, you know, Duos of the world. Um, so leveraging, you know, the, the, the two-factor system there, um, you know, another common one that you’ll see is they’ll send you a text message with a, uh, you know, with a six-digit code or something along those lines that you’ve got to be able to go put in, but if you have the option for MFA, go ahead and get that implemented wherever you can.
I know a lot of people will shy away from leveraging multi-factor authentication just because they view it as painful. Well, guess what? It’s gonna be a lot less painful not having the bad guys getting into your data, your information, et cetera. Even if they ended up getting your password, they still can’t go log in. And for the individual, the one thing that they need to keep their eyeball on is let’s say that you’ve got multi-factor authentication set up with your bank as an example. And it sends you a six digit code or something to be able to go authenticate. If you’re receiving the text messages saying, hey, here’s your multi-factor code to be able to log into, fill in the blank system, that should be an immediate indicator that, hey, maybe we got a problem here because generally speaking, the only way that that particular code can get issued from the source, if you will, is because somebody’s entered a username and a password that was yours. And now it’s sending you the multi-factor code. So if you’re seeing those codes popping up, that should be an instant alarm bell. Who sent me the, what system sent me the code? I would immediately go and change my password there as well. But when you start talking about, for organizations proper, certainly if you’re a company that’s responsible for the protection of data and information, implementing MFA on your systems, whether it’s for clients that are logging in and users, but also for all of your internal users, making sure that you’re implementing strong multi-factor authentication across the board. Gee, we talked about it earlier, right? The cloud misconfigurations remaining a top cause of breaches. Go through and audit your cloud configs if your stuff’s up in and on the cloud. And finally, going through, making sure that, a lot of people will say, oh, well, I have backups, right?
Or I’ve got a disaster recovery system in place, so I’m cool. Well, guess what? There’s a large distinction between the backup exists and I can actually recover from the backup. So don’t be that organization that stops at we created the backup or we’ve created the disaster recovery arena.
One of the things that TCT does is every six months, literally tests and validates that the disaster recovery, flipping over to our DR location functions, that it will come up, we can pass the torch, it’s still functioning, it does have recent data, within there, that type of a thing. I mean, that’s the way that you wanna be able to go through and get that validation done that way. You’re not sitting there with a problem when all hell breaks loose, where, oh, now I’ve got some, whether it doesn’t work, type of a deal, all the way to just run into some unexpected challenges with, how do I go ahead and flip over to, how do I recover from backup or switch over to this DR system? You don’t wanna be learning that when you got a proverbial gun at your temple. You know what I mean?
No doubt about it. No doubt about it. Parting shots and thoughts for the folks this week, Adam.
Well, don’t, uh, don’t stop taking your security and your compliance seriously. Um, you know, do, do your part. It is important.
Uh, you know, I’ve often said to organizations that, um, you know, if I, if I had somebody saying, well, would you rather, yeah, would you rather maintain your strong security and compliance stance, or would you rather keep your, uh, you know, your, uh, you know, cyber insurance, you know, for the, for the organization. I’m like, I’ll drop the cyber insurance in a heartbeat because the cyber insurance, yes, is your holy moly emergency parachute. However, the thing that is actively protecting your organization, your stakeholders, your personnel, your vendors, and most importantly, your customers is the various layers of security and compliance that you’ve got for your organization and taking that responsibility seriously, making sure that you’ve got, you know, validated and vetted evidence that all of these things are in place, that they are in place properly, you know, those, and doing those activities, uh, periodically throughout your compliance cycle. Um, you know, those are some of the most critical elements for, for organizations to, to really take seriously.
Uh, especially, um, the notion of what we, what we like to call operational compliance at TCT. Um, you know, if you’re not implementing an operational compliance program, where you are, uh, for all of those periodic tasks that ought to, or need to, or occur, you know, throughout the compliance cycle, if you’re not going in and periodically collecting evidence, uh, then definitely, if you’re, if you’re still running in that kind of annual firefighting mode for security and compliance, which a lot of organizations do, start, start moving toward that operational compliance approach. Um, you get near insight to potential issues, problems, et cetera. You’re getting validation all the way through the year. Uh, it’s going to make your security or compliance consultant and or assessor far happier because they, you know, they, it’s not lip service that you’re taking the shit seriously. It is validated in-hand evidence that you’re actually taking this crap seriously. So, um, there is a big difference between, you know, kind of between those two stances. And I can’t emphasize enough, uh, you know, how much I want organizations to take the shit seriously.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.