Protecting Service Member Data Amidst National Security Concerns

In the wake of recent news highlighting national security risks associated with the sale of service member data, it’s imperative to reiterate our unwavering commitment to safeguarding the privacy and integrity of service members’ information at Quandis Military Search (QMS). Our automated service ensures that no Quandis employees are involved in data processing, and it strictly caters to customers who have a legitimate financial relationship with service members, solely for SCRA and MLA compliance. The security measures in place exceed Department of Defense standards, emphasizing our dedication to data protection. As national security concerns loom large, our focus remains firmly on ensuring the responsible and secure handling of service member data in alignment with the highest ethical and legal standards.

HTTP/2 Rapid Reset Vulnerability: Quandis Not Affected, Cloud Providers Have Remediated

Vulnerabilities in the HTTP/2 protocol were recently announced as per CVE-2023-44487.

Quandis uses cloud services from AWS, Azure and Google.

These cloud providers have remediated the HTTP/2 issue as per the links below.

Our web applications are hosted in AWS and fronted by AWS Application Load Balancers, and AWS has remediated the HTTP/2 issue.

MOVEit Transfer Vulnerability: Quandis Not Affected

Quandis is not impacted by the MOVEit Transfer vulnerability flagged by CVE-2023-34362, as we do not use the product.

Silicon Valley Bank (SVB) and Signature Bank failures: Quandis Not Affected

The recent failure of SVB and Signature Bank does not affect Quandis or QBO-based systems.
Quandis does not have a relationship with either bank, and none of our cloud service providers are impacted (AWS, Microsoft, Google).

Okta/Sitel breach: Quandis Not Affected

The recent security breach at Okta via their partner Sitel does not affect Quandis or QBO-based systems. Quandis does not use Okta’s IDP platform.

Apache Log4j2 Vulnerability: Quandis Not Affected

Quandis is not impacted by the Apache Log4j2 vulnerability flagged by CVE-2021-44228.

Partners such as LogicMonitor, AWS, Microsoft and Google were impacted and have mitigated the issue as of December 11.

Apache Path Normalization Vulnerability: Quandis Not Affected

Quandis is not impacted by the Apache path normalization vulnerability flagged by CVE-2021-41773 and CVE-2021-42013. Quandis does not use Apache servers.

Kaseya VSA Software Vulnerability: Quandis Not Affected

Quandis does not use Kaseya VSA Software, and as such, we are not affected by the recent ransomware attacks.

  1. Does your company use Kaseya VSA Software? (Y/N)
    • NO
  2. If you answered YES above:
    • Have you scanned or otherwise assessed your networks to ensure unauthorized parties have not gained access? (Y/N)
      • N/A
    • Have you experienced any unauthorized activity or access within your environment as a result of the Kaseya VSA vulnerabilities aforementioned? (Y/N)
      • N/A
    • Have you taken the steps to implement the cybersecurity best practices recommended by CISA and the FBI (https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa)? (Y/N)
      • N/A
    • If not, please provide details of the steps you have taken.
      • N/A
  3. Have you inquired of your third parties that process Client data (fourth parties to the Client) to determine the impact to their systems and remediation steps being taken? (Y/N)
    • We have had no integration partners indicate they are impacted by the attack.

 

Please forward any detailed questions to compliance@quandis.com.

Pulse Secure Connect Vulnerability: Quandis Not Affected

Quandis does not use Pulse Secure Connect, and is not directly affected by the recently announced vulnerability. No third party data source that Quandis uses is known to use it either. However, the Department of Defense is still evaluating the impact of this vulnerability, so we do not yet have positive confirmation that DMDC (used by QMS) is unaffected.

Please forward any detailed questions to compliance@quandis.com.

SolarWinds Orion breach: Quandis Not Affected

Quandis does not use the SolarWinds Orion software platform, and is thus not affected by this breach. We have also verified that our monitoring partners are not affected by this breach.

Please forward any detailed questions to compliance@quandis.com.