Customer data stolen as S.F. cybersecurity firm hacked, Stanford medical school reportedly a client

Cybersecurity is big business in the Bay Area, with new firms popping up virtually every week to meet the global demand for data protection in a world teeming with sophisticated hackers.

Now one of the region’s more established firms has been hacked, with customer data stolen, according to a company blog post and a reported letter to clients.

And it appears that among the company’s clients is the Stanford School of Medicine. The company, OneLogin, says the school has used its services to monitor patients’ logins to the school’s online portal and third-party sites. The school did not immediately respond to a request for information about whether any loss of patient data occurred.

OneLogin was launched in 2010 and sells an “identity management system” for businesses, a service giving company employees “one-click access” to applications used in the workplace, such as Microsoft’s Office 365, Google’s G Suite, Amazon’s AWS and management platform Workday.

“When your identity management system is secure and reliable, everyone in the enterprise enjoys peace of mind,” the firm says in promotional materials.

The company’s May 31 blog post definitely will not bring peace of mind to its business customers — of which there are more than 2,000 in 44 countries around the world, according to the firm.

“Today we detected unauthorized access to OneLogin data in our U.S. data region,” OneLogin said in the post.

OneLogin lists among its customers Yelp, SoftBank, Midas, Pinterest and Pandora. OneLogin’s website also includes a testimonial from the Stanford School of Medicine, which says the school has used the firm’s services in connection with clinical trials.

In the blog post, the company went on to say it had blocked the intrusion, reported it to law enforcement, and brought aboard an independent security firm to find out how it happened and ascertain the extent of the impact.

“We want our customers to know that the trust they have placed in us is paramount,” the post said, adding that the company had “reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future.”

OneLogin apparently revealed to affected customers more information than was provided in the blog post.

“Customer data was compromised, including the ability to decrypt encrypted data,” the message to those clients said, according to tech website Motherboard, which said numerous customers sent it the message.

OneLogin said in a blog post June 1 that the “threat actor” had been “able to access database tables that contain information about users, apps, and various types of keys.

“While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.”

The attacker used Amazon Web Services access keys to get into the company’s system, OneLogin said.

The company said it had evidence that the intrusion started around 2 a.m. May 31, and that its staff were alerted to unusual database activity about seven hours later, then shut down the attack “within minutes.”

Gartner cybersecurity analyst Avivah Litan told prominent security researcher Brian Krebs that she discourages companies from using cloud-based, single-sign-on services such as OneLogin’s.

“It’s just such a massive single point of failure,” Litan said. “And this breach shows that other [cloud-based single sign-on] services are vulnerable, too.

“This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”


Photo: A Stanford University student walks in front of Hoover Tower on the Stanford University campus in Palo Alto in 2012. (AP Photo/Paul Sakuma)

