News April 12, 2024
Reported Major Data Breach May Have Compromised Companies Across Industries
A federal cybersecurity agency is investigating the hacking of Sisense, a business intelligence company. Organizations that had a relationship with the firm are being advised to quickly take safety precautions.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is investigating a data breach that may have enabled hackers to gain access to a trove of sensitive information from organizations in industries including financial services, telecommunications, healthcare and higher education.
Whether or not promotional products industry firms are affected wasn’t immediately clear, but Krebs on Security said that Sisense – the business intelligence company victimized by the hacking – works with over 1,000 clients across a range of verticals. A source told ASI Media it’s likely that some promo firms are impacted. Even if a company didn’t directly work with Sisense, there’s at least the potential for exposure if one of its subprocessors/vendors did.
More broadly, the potential scope of businesses affected across industries is considered big enough that CISA has gotten involved. That agency and Sisense are warning Sisense customers to take certain steps to protect themselves. These include resetting any credentials that may have been shared with Sisense (more advice is below).
“CISA is taking an active role in collaborating with private-industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the agency said. “We will provide updates as more information becomes available.”
CISA urges potential victims to investigate and report any suspicious activity as soon as possible.
Sisense is a New York City-headquartered firm with solutions focused on data analytics and visualization tools that enable clients to see the status of various third-party online services in one dashboard.
In a note to customers, Sisense indicated it had received reports that company information may have been “made available on what we have been advised is a restricted access server.”
Citing sources, Krebs on Security reported that the hackers were able to copy and exfiltrate several terabytes’ worth of Sisense customer data, including millions of access tokens, email account passwords and Secure Sockets Layer (SSL) certificates. SSL certificates help secure an internet connection by encrypting data sent between a website and a browser, helping prevent hackers from seeing or stealing transferred information, such as personal data.
“It is clear … that unknown attackers now have all of the credentials that Sisense customers used in their dashboards,” Krebs on Security reported.
Research shows that data breaches increased more than 20% from 2022 to 2023. One of the largest distributors in the promo products industry was recently the victim of a breach.
In a follow-up message to customers, Sisense’s chief information security officer advised that companies should reset keys, tokens and other credentials that were used within the Sisense app. The message said to:
- Change all Sisense-related passwords on http://my.sisense.com.
- Non-SSO:
  - Replace the Secret in the Base Configuration Security section with your GUID/UUID.
  - Reset passwords for all users in the Sisense application.
  - Log out all users by running GET /api/v1/authentication/logout_all under Admin user.
- Single Sign-On (SSO):
  - If you use SSO JWT for the user’s authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly generated value on the side of the SSO handler.
  - Rotate the X.509 certificate for your SSO SAML identity provider.
  - If you utilize OpenID, it’s imperative to rotate the client secret as well.
  - Following these adjustments, update the SSO settings in Sisense with the revised values.
  - Log out all users by running GET /api/v1/authentication/logout_all under Admin user.
- Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems.
- Data Models: Change all usernames and passwords in the database connection string in the data models.
- User Params: If you are using the User Params feature, reset them.
- Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization.
- HTTP Authentication for GIT: Rotate the credentials in every GIT project.
- B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection.
- Infusion Apps: Rotate the associated keys.
- Web Access Token: Rotate all tokens.
- Custom Email Server: Rotate associated credentials.
- Custom Code: Reset any secrets that appear in custom code Notebooks.
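
The SSO JWT step in the list above, as an added example that is not part of Sisense's message or of this article: it shows that a token signed with the old, exposed shared secret stops verifying once the secret is replaced, and that the SSO handler has to sign with the new value. The HS256 token layout (sub, iat, jti) and all function names are assumptions made for illustration, and the secret shown is a constructed placeholder.

```python
import base64, hashlib, hmac, json, secrets, time, uuid

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def new_shared_secret():
    """New random value for sso.shared_secret: 256 bits from the OS CSPRNG."""
    return secrets.token_hex(32)

def sign_sso_jwt(secret, user, now=None):
    """SSO handler side (assumed format): HS256 token with sub, iat, jti."""
    iat = int(time.time() if now is None else now)
    parts = [{"alg": "HS256", "typ": "JWT"}, {"sub": user, "iat": iat, "jti": str(uuid.uuid4())}]
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _b64url(_hs256(secret, signing_input))

def verify_sso_jwt(secret, token, now=None, max_age=300):
    """Receiving side: return the payload, or None if the token is rejected."""
    now = int(time.time() if now is None else now)
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
            return None  # pin the algorithm; never accept "none"
        if not hmac.compare_digest(_hs256(secret, h64 + "." + p64), _b64url_decode(s64)):
            return None  # signed with a different secret, or tampered
        payload = json.loads(_b64url_decode(p64))
        if not 0 <= now - int(payload["iat"]) <= max_age:
            return None  # stale or future-dated token
        return payload
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token

if __name__ == "__main__":
    old_secret = "EXPOSED-SECRET-PLACEHOLDER"  # constructed sample value
    new_secret = new_shared_secret()
    old_token = sign_sso_jwt(old_secret, "user@example.com")
    print("old token, old secret:", verify_sso_jwt(old_secret, old_token) is not None)
    print("old token, new secret:", verify_sso_jwt(new_secret, old_token) is not None)
    new_token = sign_sso_jwt(new_secret, "user@example.com")
    print("new token, new secret:", verify_sso_jwt(new_secret, new_token) is not None)
```

Until the secret is replaced on both sides, anyone holding the old value can still mint tokens that verify, which is why the message pairs the rotation with logging out all users.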