Check Point, which bills itself as the leader in cybersecurity solutions, has been breached. Data records of over 5k ZoneAlarm forum users have been hacked.
Check Point, arguably the biggest cybersecurity company in the world, has acquired several other companies, and ZoneAlarm is one of them; the acquisition took place in March 2004. ZoneAlarm (slogan: "Keeping you safe is what we do best") provides firewalls and antivirus products, and it is ironic that they have been hacked themselves.
Check Point's main business is to provide cybersecurity solutions and keep its customers safe. But can the company keep its customers safe if it can't even keep its own sites secure?
A file containing 5175 unique records allegedly belonging to ZoneAlarm was found today. It contained emails, hashed passwords, birth dates and IP addresses of ZoneAlarm forum users. Although there has been no public admission of this breach from either Check Point or ZoneAlarm, ZoneAlarm reached out to us and confirmed this leak.
The hacker could have exploited the CVE-2019-16759 vulnerability. This vulnerability allows hackers without an account on the target forum to execute shell commands on a server running vBulletin. CVE-2019-16759 is thus a remote code execution vulnerability that does not require authentication.
But despite claiming security to be its highest priority, Check Point failed to patch its forum software several weeks after vBulletin developers released patches for the CVE-2019-16759 vulnerability.
This vulnerability was reported on September 24, 2019, and patches were released on September 26, 2019, two days later. If the claims that the hacker could have used this vulnerability are true, where has the leading cybersecurity solutions company been for over 40 days?
It may not be the most bruising data breach on record. However, it is a bruising security failure for a company that claims to be the leader in cybersecurity solutions.
The General Data Protection Regulation (GDPR) requires companies to notify their customers and report data breaches to the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of the breach. Upon enquiring whether the company had complied or would comply with this GDPR policy, ZoneAlarm confirmed they had indeed reached out to a small number of registered forum members regarding a leak of index from this forum’s website.