A curated list of Data Security News happening across the world, in a simple yet intuitive form for fast-paced cybersecurity professionals.
WEEK OF FEBRUARY 17, 2019
GDPR enforcement is on fire
- While fines are not always particularly high, data protection authorities (DPAs) are rapidly increasing the volume of their GDPR enforcement activity. Some interesting trends are:
  - DPAs have levied 190 fines and penalties to date.
  - Failures of data governance — not security — trigger the most fines and penalties.
  - Breaches get the enforcement ball rolling but are just a starting point.
  - Compromised data from a single customer can be expensive.
  - Failure to respect individuals’ rights will lead to the next wave of fines and penalties.
  - Third-party risk management is the next big thing in the privacy arena.
Toll stops services after security breach
- Toll has not said how many customers are affected. The company delivers 95 million items around the globe every year, including United States travel documents to Australians.
- “As a precautionary measure, in response to a cyber security incident on Friday, Toll deliberately shut down a number of systems across multiple sites and business units,” a spokesperson said.
- “Toll is making progress with our recovery activities to restore our systems and Toll customer-facing applications,” the spokesperson said.
Twitter Data Breach: Govt Accounts Tried To Access User Phone Numbers
- A large network of fake accounts was being used to exploit its API and match usernames to phone numbers.
- “While we identified accounts located in a wide range of countries engaging in these behaviours, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” Twitter said.
- The company said it is also possible that some of these IP addresses may have ties to state-sponsored actors.
Pabbly Email Marketing Exposes 51.2 Million Records Online
- One more data leak in recent times, caused by a publicly accessible cloud database left without password protection.
- The records appear to go back to 2014 and contained customer names, email addresses, subject lines, email messaging and more internal records like host path and SMTP data. It should be noted that Pabbly also offers email scrubbing where users upload their own lists and they will remove invalid, duplicate email addresses and provide users with a “clean list”.
Health Share of Oregon discloses data breach, theft of member PII
- A burglary and stolen laptop from GridWorks IC, a vendor hired by Health Share of Oregon, has led to the exposure of Medicaid member data.
- Information contained on the laptop included names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. This data can now be considered as potentially compromised but the CCO says that no personal medical histories were involved in the data breach.
- Due to the nature of the theft, Health Share of Oregon is not able to confirm what happened to the laptop and information contained therein, including whether or not the records have been utilized or sold.
Major Data Breach Exposes Card Details of Half a Million Indians
- Cybersecurity company Group-IB on Friday revealed that a database of over 460,000 payment card records has been posted on one of the most popular darknet card shops on 5 February.
- The worrying bit about the report is that over 98 percent of the records detected belonged to some of the biggest Indian banks. The report also estimates the market value of this database on the dark web at more than $4.2 million. This is the second major incident reported in less than six months involving the data of Indian debit or credit card users.
WEEK OF FEBRUARY 10, 2019
China wakes up to wide web of online data leaks and privacy concerns
- State broadcaster CCTV reported that the data was illegally mined from financial lending platform databases by a web of small-scale tech firms. Those firms then sold the information to other small-scale lenders for as little as 0.1 yuan (1 US cent) per piece.
- The problem is apparently widespread in China. Ninety-five per cent of respondents to a survey by Southern Metropolis Daily last month said their personal data had been stolen. Nearly half believed e-commerce and financial lending apps had serious privacy issues, and almost 80 per cent were concerned that their facial recognition data could be leaked from apps.
Wawa Breach May Have Compromised More Than 30 Million Payment Cards
- The fraud intelligence company Gemini Advisory discovered stolen payment card data from Wawa data breach was uploaded to Joker’s Stash, an online cybercrime marketplace.
- According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.
- Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.
Breach at Indian airline SpiceJet affects 1.2 million passengers
- Each record included details such as name of the passenger, their phone number, email address and their date of birth.
- The security researcher, who described their actions as “ethical hacking” but whom we are not naming as they likely fell afoul of U.S. computer hacking laws, gained access to one of SpiceJet’s systems by brute-forcing the system’s easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the budget carrier last month, TechCrunch has learned.
Japanese company NEC confirms 2016 security breach
- NEC needed seven months to discover the hack and did not disclose it publicly.
- NEC said it failed to detect the intrusion until June 2017, when it finally spotted unauthorized encrypted traffic originating from one of its internal systems. The company said it managed to decrypt this traffic in July 2018. According to its investigation, the decrypted traffic revealed that the attacker exfiltrated 27,445 files from its defense business division.
Phone Hacks Can Happen to Anyone. Here’s How to Protect Yourself.
- Start by knowing what could expose you to an attack, like vacation clues, hotel Wi-Fi and inadequate verification procedures.
- In the last two years, security experts have seen a steady increase in simple schemes to get into accounts, like phishing, as well as more complicated campaigns to gain control over a victim’s financial life, like taking over a phone or a computer.
- The scariest threats yet may be the plots in which criminals impersonate an adviser, an employee or even a family member to get approval for a transaction.
AppSec Concerns Drove 61% of Businesses to Change Applications
- The marketplace is beginning to pinch the software industry for application security failings and complications, according to a new Dark Reading study.
- Some have even left behind commercial software and migrated to open source or in-house homegrown applications.
- Meanwhile, attacks exploiting vulnerabilities in open source code libraries have increased — and while that might initially make open source applications appear less attractive, these components are also frequently used by internal development teams and commercial software vendors alike.
WEEK OF FEBRUARY 04, 2019
Microsoft Security Shocker As 250 Million Customer Records Exposed Online
- A new report reveals that 250 million Microsoft customer records, spanning 14 years, have been exposed online without password protection.
- Microsoft has been in the news for, mostly, the wrong reasons recently. There is the Internet Explorer zero-day vulnerability that Microsoft hasn’t issued a patch for, which came just days after the U.S. Government issued a critical Windows 10 update-now alert. Now a newly published report has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.
Data leak strikes US cannabis users, sensitive information exposed
- A database backing point-of-sale systems used in medical and recreational marijuana dispensaries has been compromised.
- According to VPNMentor, PII belonging to 30,000 individuals was leaked. In total, over 85,000 files were exposed to anyone who stumbled across the database. The full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts were all available to view.
GDPR: Top UK law firms falling victim to human error
- Statistics reveal that nearly half (48%) of top UK law firms have reported data breaches since the GDPR came into force, and of those breaches, 41% were a result of human error.
- Figures obtained from the Information Commissioner’s Office (ICO) reveal that nearly half (48%) of the top 150 law firms have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of human error (emailing the wrong person).
- To prevent further situations like this, the ICO recommends that organizations:
  - Protect staff from emailing the wrong person
  - Avoid leaking sensitive information
PSA ends Teleserv deal over data breach complaints
- The Philippine Statistics Authority (PSA) has ended its deal with Teleserv Inc., which it blamed for two complaints of data privacy breach before the National Telecommunications Commission (NTC).
- PSA ended the deal after finding that the company was responsible for the two cases of data privacy breach now pending before the NTC, but it will continue to deliver civil registry documents online through its in-house Serbilis. While Serbilis had key performance indicators to measure the effectiveness of its services, Teleserv lacked such metrics and unnecessarily exposed private citizens’ data to third parties.
Amazon engineer calls for Ring to be ‘shut down immediately’ over privacy concerns
- Amazon software engineer Max Eliaser said the home security company should be “shut down immediately.”
- “The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society,” Amazon software development engineer Max Eliaser said in a post published to Medium on Sunday. “The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back.”
Avast Antivirus Collected and Sold Users’ Web Browsing Data, Company Responds
- Avast is still harvesting users’ data via its antivirus apps, but the company says it is prompting existing users to make an opt-in or opt-out choice.
- In a sensational revelation, an investigation on Monday claimed that the popular Avast antivirus — installed on nearly 435 million Windows, Mac, and mobile devices globally — harvested users’ data via browser plugins and then sold it to third parties, including Microsoft and Google. The joint investigation by Motherboard and PCMag, which relied on leaked user data and other company documents, found that “the sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it”.
WEEK OF JANUARY 27, 2019
Equifax to pay $380.5M to settle class-action breach lawsuit regarding the 2017 data breach
- A Georgia court granted final approval for an Equifax settlement in a class-action lawsuit. The credit rating agency will pay $380.5 million to settle lawsuits regarding the 2017 data breach.
- The company may also be required to dole out an additional $125 million “if needed to satisfy claims for certain out-of-pocket losses”.
- The $380.5 million will be placed into a fund for consumers affected who are part of the class outlined in the lawsuit.
GDPR: 160,000 data breaches reported already, so expect the big fines to follow
- Analysis by law firm DLA Piper found that after the GDPR came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.
- The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.
- The GDPR Data Breach Survey also calculates the total cost of GDPR-related fines paid so far to be €114m ($126m/£97m).
The Secretive Company That Might End Privacy as We Know It
- A little-known start-up helps law enforcement match photos of unknown people to their online images — and “might lead to a dystopian future or something.”
- Clearview AI, a small company founded by an Australian techie, has devised a groundbreaking facial recognition app that may end your ability to take a walk down the road anonymously.
- Federal and state law enforcement officers said that while they had only limited knowledge of how Clearview works and who is behind it, they had used its app to help solve shoplifting, identity theft, credit card fraud, murder, and child sexual exploitation cases.
FBI seizes WeLeakInfo, a website that sold access to breached data
- WeLeakInfo website sold access to more than 12 billion user records that leaked from breaches at other online services.
- US authorities have seized this week the domain of WeLeakInfo.com, an online service that, for the past three years, has been selling access to data hacked from other websites.
- The website provided access to people’s cleartext passwords, allowing hackers to purchase a subscription on the site and gain access to billions of user credentials. Due to this illegal practice, the website built a reputation on the hacking underground as an excellent source and place to perform reconnaissance against their targets.
Hospitals Give Tech Giants Access to Detailed Medical Records
- Deals with Microsoft, IBM and Google reveal the power medical providers have in deciding how patients’ sensitive health data is shared.
- Hospitals give tech giants Amazon, IBM, and Microsoft access to detailed medical records. The scope of data sharing in these and other recently reported agreements reveals a powerful new role that hospitals play—as brokers to technology companies racing into the $3 trillion health-care sector.
- Rapid digitization of health records and privacy laws enabling companies to swap patient data have positioned hospitals as a primary arbiter of how such sensitive data is shared.
Mitsubishi Electric discloses data breach, media blame China-linked APT
- Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate information.
- The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.
- Media outlets Asahi Shimbun and Nikkei attribute the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).
WEEK OF JANUARY 20, 2019
Barclays, Lloyds, RBS and HSBC all hit by Travelex cyber attack
- Travelex was forced to take all its global websites offline and is reportedly being held to ransom by the infamous ransomware gang called Sodinokibi, also known as REvil.
- More than a dozen of the major banking players, including Lloyds Banking Group and Virgin Money, are reporting that their online foreign currency systems are down following the New Year’s Eve ransomware attack on Travelex.
- The criminals are demanding $6M (£4.6M) in cash and are threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless Travelex pays up.
Dixons Carphone fined £500,000 for massive data breach
- Dixons Carphone discovered a massive data breach last summer and found malicious software installed on 5,390 tills in branches of its Currys PC World and Dixons Travel chains.
- The attacker harvested the payment card details of 5.6 million people, as well as the personal information – including full names, postcodes, email addresses and details of failed credit checks – of approximately 14 million, leaving them vulnerable to both financial theft and identity fraud, said the data watchdog in a statement announcing the £500,000 fine.
SIM Study Points to Lax Focus on Cybersecurity
- Of the responding organizations that generate $1 billion to $5 billion in revenue, about 29.7% indicated they do not have chief information security officers.
- Only about one-third of organizations are concerned about cybersecurity, despite ongoing data breaches.
- There is a big, fast-moving trend of CIOs coming from non-IT backgrounds.
Amazon fires employees for leaking customer email addresses and phone numbers.
- The email to customers, sent Friday afternoon, said an employee was “terminated” for sharing the data, and that the company is supporting law enforcement in their prosecution.
- In a separate incident, Amazon said this week that it fired four employees at Ring, one of the retail giant’s smart camera and door bell subsidiaries. Ring said it fired the employees for improperly viewing video footage from customer cameras.
Grindr shares personal data with ad companies in violation of GDPR, complaint alleges
- A Norwegian nonprofit has filed three complaints against the company.
- However, the report claims the app isn’t clear about the legal basis for how it processes this personal data, and that the scale of Grindr’s adtech network makes it difficult for a user to understand, and therefore properly consent to, their data being collected.
49 million user records from US data broker LimeLeads put up for sale online
- Data from an exposed LimeLeads Elasticsearch server ends up on a hacking forum.
- The hacker claims the data belongs to LimeLeads, a San Francisco-based business-to-business (B2B) leads generator, which makes its money by renting access to an internal database containing business contacts that can be used for pitches and sales.
- Sources in the threat intelligence community have told ZDNet that Omnichorus is a well-known individual on underground hacking forums, having built a reputation for sharing and selling hacked or stolen data — a so-called “data trader.”
WEEK OF JANUARY 13, 2019
Aurora Water announces data breach
- Customers who used the Click2Gov payment system to make one-time payments or set up recurring payments between Aug. 30 and Oct. 14 were impacted.
- Other personal information, such as Social Security numbers or government-issued ID numbers, were not affected because Aurora Water does not collect that information for billing purposes. Click2Gov is not used by and does not affect any other city departments or functions.
- A dedicated webpage has been set up to assist affected customers and to provide updates about the breach. Customers can also call 1-844-931-1876 between 7 a.m. and 4:40 p.m. Monday through Friday for assistance.
CCPA Kickoff: What Businesses Need to Know
- The California Consumer Privacy Act is in full effect, prompting organizations to think about how they’ll remain compliant.
- As the first law of its kind in the United States, CCPA could set a precedent for states outside California. The law applies to most companies doing business in California and promises to have a “major impact” on the privacy landscape across the country.
- Instead of limiting CCPA protections to California customers alone, major companies including Microsoft and Mozilla are extending compliance across all US states. The next version of Firefox, for example, will allow users to request desktop telemetry data be deleted from the browser.
School management software provider discloses severe security breach
- Active Network discloses security incident that impacted school online stores built on the Blue Bear platform.
- Parents who accessed a school’s (Blue Bear-based) web store to pay school fees or buy books and school supplies between October 1, 2019, and November 13, 2019, might have had their personal data stolen by hackers, Active Network said.
- The type of data hackers might have collected includes their name, payment card number, payment card expiration date, payment card security code, and store username and password.
Developers Still Don’t Properly Handle Sensitive Data
- The top classes of vulnerabilities for 2019 indicate that developers still don’t correctly sanitize inputs, nor protect passwords and keys as they should.
- Software-security toolmaker DeepCode found that four of the seven vulnerability classes with the greatest impact on the security of software projects had to do with failures to protect data.
- Driven by increased research into software security, more software under development, companies’ greater openness to vulnerability reporting, and perhaps most of all – improvements to the process of recording vulnerability reports – the number of software security issues published in the National Vulnerability Database rose to the highest recorded level in 2019, surpassing 17,300 issues reported during the year.
Credit card breach affects 60 national restaurant chains
- Landry’s Inc. operates more than 60 chains, including Joe’s Crab Shack, Rainforest Cafe and Morton’s steakhouses.
- Landry’s Inc., which operates hundreds of restaurants including Rainforest Cafe, Bubba Gump Shrimp Co., Morton’s steakhouses, Joe’s Crab Shack and more, issued a warning after it was discovered that a 2019 data breach might have compromised customers’ credit card information.
- The breach may have affected customers who paid with credit cards at its restaurants between March 13, 2019, and Oct. 17, 2019. A smaller group of restaurant locations may have also been compromised as early as Jan. 2018.
Will complying with India’s privacy law mean violating GDPR?
- The most common conclusion emerging from such literature is the Privacy Bill being referred to as a replica of the EU General Data Protection Regulation.
- This conclusion may not be wrong if you limit your comparison to broad topics under both the regimes, which look strikingly identical. For instance, the concept of “data controller” under the GDPR appears to be the same as “data fiduciary” under the PDPB, who has to comply with most of the legal obligations rather than entities that process personal data on behalf of the data controller/fiduciary.
- Similarly, the list of privacy principles under the PDPB looks like GDPR principles, as does the definition of “personal data”, containing catch-all language covering almost every piece of information that can directly or indirectly identify an individual.
WEEK OF JANUARY 06, 2019
U.S. convenience store chain Wawa says data breach affected thousands
- Wawa says it’s notifying customers and offering free credit card monitoring and identity theft prevention services to anyone whose information may have been collected.
- The breach affected all of Wawa’s 850 locations, which are all in the following states: Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.
Chinese hacker group caught bypassing 2FA
- Chinese state-sponsored group APT20 has been busy hacking government entities and managed service providers.
- How they did it remains unclear, although the Fox-IT team has a theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its own computers to generate valid one-time codes and bypass 2FA at will.
- In short, all the actor has to do to make use of the two-factor authentication codes is to steal an RSA SecurID Software Token and to patch one instruction, which results in the generation of valid tokens.
The Year of Magecart: How the E-Commerce Raiders Reigned in 2019
- Breaching British Airways, Ticketmaster, and Macy’s, Magecart attack groups sharply rose in sophistication and pervasiveness this year — and show no signs of slowing down.
- The combined activity of all these groups has caused major breaches this year and hundreds of millions in fines, because many companies found themselves the target of fines under European Union’s newly minted General Data Protection Regulation (GDPR).
- One victim, hotel chain Marriott, will likely have to hand over £99 million (US$124 million), while air carrier British Airways could see a £183 million (US$229 million) fine under GDPR.
GDPR was just a warmup. CCPA will arrive with a bang
- More than eighteen months after the General Data Protection Regulation took effect, the fallout from Europe’s privacy law has been minimal. The same will not be true of the California Consumer Privacy Act, which takes effect on Jan. 1.
- “The AG’s office may not be able to enforce the CCPA until mid-year, but at that point it will be able to penalize companies for privacy violations dating back to the beginning of the year. By then companies may already be feeling the privacy law’s pinch with some advertisers planning to pull back on targeted advertising and the potential for sites’ CCPA-mandated notices to scare off visitors to publishers’ properties.”
US Accounting Firm Moss Adams Discloses Data Breach
- One of the largest public accounting firms in the United States, Moss Adams, has suffered a data breach. The security breach potentially exposed the names and Social Security Numbers of customers.
- Following the incident, the company immediately took steps to contain the attack. It also assured that the incident did not affect any information systems.
- In October, an Italian financial service UniCredit also revealed a data breach that affected the firm in 2015. The incident potentially impacted 3 million customers.
Wyze data leak may have exposed personal data of millions of users
- The security camera startup blames employee error for the weeks-long data leak.
- The data was accidentally left exposed when it was transferred to a new database to make the data easier to query, but a company employee failed to maintain security protocols during the process, Wyze co-founder Dongsheng Song wrote in a forum post.
- Among the data exposed in the Wyze leak was the height, weight, gender and other health information of about 140 beta users participating in the testing of new hardware, Wyze said.
WEEK OF DECEMBER 30, 2019
South African IT firm Conor behind the leak of 1 million web browsing records
- Over 890GB of browsing logs covering all online activity of over 1 million users was exposed by an unencrypted database belonging to a web filter app built by Conor.
- VpnMentor said its team was able to view a user’s activity on porn websites. It also said with usernames also exposed, locating a specific person on various social media platforms was easy.
Here are the Most Common Passwords Found From Breaches in 2019
- Passwords ‘12345,’ ‘123456,’ and ‘123456789’ were the most common passwords, followed by ‘test1’ and, of course, ‘password’.
- Weak password logic also included strings of letters forming a horizontal or vertical line on the keyboard, such as asdfghjkl, qazwsx, 1qaz2wsx, etc.
- The most obvious—‘password’— remained popular with 830,846 people still using it.
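A defensive screen for the two weak-password patterns this item describes (the most-common-passwords list and keyboard walks), added here as an example; it is not part of the original digest or of the report it summarises. The denylist is a constructed one seeded only with the passwords named above, and the adjacency model assumes a standard QWERTY layout.

```python
"""Screen candidate passwords for two weak patterns: membership in a
common-password denylist and keyboard walks (runs of physically adjacent
keys such as asdfghjkl, qazwsx or 1qaz2wsx). Constructed example."""

# Constructed denylist, seeded only with the passwords the item names.
# A real deployment would load a full breached-password corpus here.
COMMON_PASSWORDS = {"12345", "123456", "123456789", "test1", "password"}

# QWERTY rows: walking left or right along a row is a horizontal walk.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _columns():
    """Build the vertical key columns ("1qaz", "2wsx", ...) from ROWS."""
    return ["".join(row[i] for row in ROWS if i < len(row)) for i in range(10)]


# Walking down a column (1qaz, 2wsx, ...) is a vertical walk.
COLUMNS = _columns()


def _adjacent(a, b):
    """True if key b sits immediately next to key a in some row or column."""
    for line in ROWS + COLUMNS:
        i = line.find(a)
        if i == -1:
            continue
        if i + 1 < len(line) and line[i + 1] == b:
            return True
        if i > 0 and line[i - 1] == b:
            return True
    return False


def keyboard_walks(password, min_len=3):
    """Return maximal runs of adjacent keys (case-insensitive) of at least min_len characters."""
    p = password.lower()
    runs, start = [], 0
    for i in range(1, len(p) + 1):
        # A run ends at the end of the string or where adjacency breaks.
        if i == len(p) or not _adjacent(p[i - 1], p[i]):
            if i - start >= min_len:
                runs.append(p[start:i])
            start = i
    return runs


def check_password(password, min_walk=3, max_walk_fraction=0.5):
    """Return the reasons a password is weak; an empty list means it passed these checks."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password denylist")
    walks = keyboard_walks(password, min_walk)
    covered = sum(len(w) for w in walks)
    # Flag only when walks make up half or more of the password, so a short
    # walk inside an otherwise long passphrase is not rejected outright.
    if password and covered / len(password) >= max_walk_fraction:
        reasons.append("keyboard walk: " + ", ".join(walks))
    return reasons


if __name__ == "__main__":
    for candidate in ["12345", "qazwsx", "1qaz2wsx", "Password", "correcthorsebatterystaple"]:
        print(candidate, "->", check_password(candidate) or "ok")
```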
Cyberattack on Twitter targeted Epilepsy Foundation with strobing images
- Attackers apparently tried to trigger seizures in followers of the account who have the condition.
- A Twitter spokesman said the company is committed to making Twitter safer by offering the option of preventing media from auto playing in users’ Timelines and barring GIFs from appearing when someone searches for “seizure” in GIF search.
LifeLabs pays ransom after cyberattack exposes information of 15 million customers in B.C. and Ontario
- Canada’s largest lab testing company says private data has not been exposed publicly.
- “We’ve seen this happen with a number of hospitals around the world,” said technology expert Graham Williams.
- Williams says — depending on the information that was stolen — that a big concern arising out of the cyberattack could be that medical data could not only be used for identity theft or medical fraud but also blackmail.
A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users
- This gives a potential attacker access to view cameras in somebody’s home — that’s a real serious potential invasion of privacy right there.
- The Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network.
- It is not uncommon for bad actors to harvest data from other companies’ data breaches and create lists like this so that other bad actors can attempt to gain access to other services.
Millions of Facebook user phone numbers exposed online, security researchers say
- More than 267 million Facebook user IDs, phone numbers and names were in an unsecured database.
- Facebook’s latest privacy mishap raises questions about whether the company is doing enough to protect the data of its billions of users.
- It’s also another reminder that users should be wary about what information they make public on the social network. This isn’t the first time a security researcher has uncovered a database filled with Facebook user data.
WEEK OF DECEMBER 23, 2019
New Orleans mayor declares state of emergency in wake of city cyberattack
- While ransomware was detected, no ransom has been demanded in the cyberattack.
- Phishing attempts and suspicious activity were detected on the city’s network. While ransomware was detected, no ransom has been demanded in the cyberattack. At this time, the city does not believe any employee information was compromised during the phishing attempts that occurred. The incident is being investigated by the city with assistance from the Louisiana State Police, Louisiana National Guard, the FBI and Secret Service.
Google is sending text messages from your phone without telling you
- Android users from India mainly reported the message, but those in the U.S. and several countries in Europe also observed the same occurrence.
- For your security, we’ll re-verify from time to time to make sure that your phone’s number is still yours. When we re-verify, you might get text messages from Google or see outgoing texts to Google. The message could say something like, ‘Google is verifying the phone number of this device.’
Criminals Hide Fraud Behind the Green Lock Icon
- Criminals are using free certificate services to apply real security certs to fraudulent sites – and to take advantage of victims looking for surfing safety.
- In its “State of E-Commerce Phishing” report for 2019, NormShield reported that the number of potential phishing domains registered in 2019 was up by 11% over 2018. One of the reasons for this is the “green lock” icon that indicates encrypted legitimacy to its users. Already abandoned by Google for its Chrome browser, the green lock is an increasingly unreliable indicator of safety.
2020 is when cybersecurity gets even weirder, so get ready
- AI-powered deepfakes, ransomware, IoT, and 5G all mean that protecting your data is about to get a lot harder.
- If you thought cybersecurity wasn’t already challenging, the next couple of years will bring a whole new range of threats:
  - Forrester predicts that deepfakes could end up costing businesses a lot of money next year, as much as $250m.
  - The continued expansion of the IoT will greatly increase the number of devices and applications that security teams will have to protect.
  - The gradual rise of 5G is going to make this a bigger problem because these devices might be spread across a vast geography.
  - Ransomware is likely to get odder too; this year has shown just how much effort criminal gangs are willing to put into catching out large organizations. The aim now is to score a huge payday by encrypting whole networks, not just a few PCs.
Another Reason to Not Pay for Gas at the Pump
- Hackers get into the gas station’s point-of-sale system by sending phishing emails to employees, according to Visa’s report, initially shared by Engadget. From there, the hackers get access to your info from your card’s magnetic stripe when you insert your card at the pump. While most other businesses have already switched over to EMV chip payments, gas stations were given an extension by Visa and Mastercard. They have until next year to change their pumps over, which means even though your card has a chip, it’s probably not being read when you pay for gas.
SQL Server 2019 Tool Tells Attackers Which Data Is Sensitive
The design of SQL Data Discovery & Classification could let attackers pinpoint sensitive information while flying under organizations’ radars.
The tool is built into SQL Server Management Studio (SSMS) to let users detect, classify, and report sensitive data stored within their databases. This runs against the principle of “segregation of duties”, wherein no single employee has access to too much sensitive information.
Somebody’s Watching: Hackers Breach Ring Home Security Cameras
Unnerved owners of the devices reported recent hacks in four states. The company reminded customers not to recycle passwords and user names.
At least three similar cases were reported this month — the others were in Connecticut, Florida, and Georgia. A Ring spokeswoman said in a statement on Saturday that the company took the security of its devices seriously and reminded customers not to recycle passwords and user names.
College Board sold student data for 47 cents each, lawsuit claims
College Board, the nonprofit that develops and administers SAT and Advanced Placement exams, is being accused of selling more than five million students’ personal information, according to a lawsuit filed in Chicago last week.
College Board assured students that participating in its student search survey would assist them in the college application process. However, parents claimed that the College Board charged between $0.42 and $0.47 per student name and sold their personal information to a third-party organization.
WEEK OF DECEMBER 16, 2019
Why should we care about protecting data in our personal lives?
- As privacy practitioners, we must care about protecting our data. And just like a good education, privacy awareness starts at home.
- Before implementing or enforcing regulation in the commercial space, it is essential to debunk the common myths and raise awareness on the fundamental right to privacy in our personal lives. Here are the top three myths around privacy and data protection:
- Myth 1: The choice around privacy is binary (all or nothing)
- Myth 2: Breaching privacy only comes from malicious intent
- Myth 3: Pseudonymized data is not really personal data
GDPR Violation: German Privacy Regulator Fines 1&1 Telecom
- Germany’s privacy regulator has fined 1&1 Telecommunications $10.6 million, one of the largest fines to date for violating the GDPR.
- 1&1 Telecom, one of the country’s largest network-independent telecommunications providers with about 14 million customers, was fined $10.6 million by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI). The BfDI says it fined 1&1 Telecom after discovering that callers to its call center could retrieve customer information by giving only their name and date of birth, which it said was an insufficient level of authentication for protecting customer data.
Data Leak Week: Billions of Sensitive Files Exposed Online
- A total of 2.7 billion email addresses, 1 billion email account passwords, and nearly 800,000 applications for copies of birth certificates were found on unsecured cloud buckets.
- An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches. Revelations this week of separate data exposure incidents — a billion passwords displayed in plaintext as well as hundreds of thousands of US birth certificate applications — shared a common thread: unsecured cloud-based databases that left the sensitive information wide open for anyone to access online.
Chrome 79 will continuously scan your passwords against public data breaches
- By default, Chrome will now let users know if their credentials are public by continually scanning passwords against public data breaches.
- Google’s “Password Checkup” extension is now being integrated into the desktop and mobile versions of Chrome 79. Google figures that since it has a significant (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in many security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.
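To show the idea behind a breach-list check like this, here is an added example (not Chrome’s or Google’s code, whose actual protocol differs) of a hash-prefix lookup: the client hashes the password locally and sends only a short prefix, so the checking service learns neither the password nor its full hash. The breach corpus and its counts are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample breach corpus: password -> number of times seen in dumps.
# A real service would store only hashes and counts, never the plaintexts.
_SAMPLE_BREACHED = {"password": 3730471, "123456": 23597311, "letmein": 236000}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash the prefix scheme is built on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(breached: dict) -> dict:
    """Bucket breached hashes by their first 5 hex chars: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return dict(index)


BREACH_INDEX = build_prefix_index(_SAMPLE_BREACHED)


def range_lookup(prefix: str) -> dict:
    """Service side: given only a 5-char prefix, return every suffix in that bucket.
    The service never sees the full hash, so it cannot tell which password was checked."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(BREACH_INDEX.get(prefix, {}))


def times_breached(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    bucket = range_lookup(digest[:5])
    return bucket.get(digest[5:], 0)


def check_credentials(username: str, password: str) -> str:
    """What a browser-side checker would surface: a warning only on a match."""
    seen = times_breached(password)
    if seen:
        return f"WARNING: password for {username} appears {seen} times in public breaches; change it"
    return f"OK: no breach match for {username}"
```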
Biggest Data Leaks of 2019
In an era where internet access is considered a necessity, it doesn’t come without its costs. Here’s a list of the biggest data leaks of 2019 that hit Indians:
- SBI leaves its server without any password protection, exposing the data of its 422 million customers
- Biggest single card database – more than 1.3 million credit and debit card details from Indian banks – for sale on the darknet
- Hackers attack Indian healthcare website, steal records of 6.8 million users
- Facebook stores passwords of 600 million users in plain text
- Personal information of 100 million JustDial users on unprotected servers
- Dating apps – Grindr, Romeo, Reco, and 3fun – reveal precise location information of users, threatening the individual safety of over 10 million users
- Facebook and Twitter users’ personal data leaked through malicious apps
- Kudankulam Nuclear Power Plant (KKNPP) and ISRO hacked
- OnePlus data breach affects 3,000 users
- A security loophole in one of Airtel’s APIs left the data of 325 million subscribers in India vulnerable
Attackers Steal Credit Cards in Rooster Teeth Data Breach
Rooster Teeth Productions has suffered a data breach that allowed attackers to steal credit card and other payment information from shoppers on the company’s online store.
Rooster Teeth Productions, known for its popular shows and documentaries, has suffered a breach; while it wasn’t a traditional Magecart attack, it achieved the same results. As part of this hack, a malicious script was injected into the store that would cause the shopper to be redirected to a fake payment page under the control of the attackers. This allowed the attackers to steal a customer’s name, email address, telephone number, physical address, and/or payment card information that was submitted.
WEEK OF DECEMBER 09, 2019
Ransomware attack hits major US data center provider
- According to details ZDNet received in a tip, the incident took place yesterday and was caused by a version of the REvil (Sodinokibi) ransomware.
- This is the same ransomware family that hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August.
- The company owns 45 data centers in Europe, Asia, and the Americas, and has more than 1,000 customers.
- A CyrusOne spokesperson confirmed the incident and said they are currently working with law enforcement and forensics firms to investigate the attack and help customers restore impacted systems.
Mega Breaches Are Forcing Us to a Passwordless World. Are We Finally Ready?
- The cause of breaches has been well-known since the landmark “2017 Verizon Data Breach Investigations Report,” which revealed that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
- While it’s true the industry has been slow to change, a closer look reveals that much progress has been made in 2019. For example, Microsoft and Google now support the passwordless standard FIDO2, and Apple made it clear it intends to support FIDO2 in its Safari browser. In another important move, Apple says iOS 13.3 (likely available early in 2020) will support popular FIDO-compliant authentication devices like the YubiKey.
- Matthew Ulery, chief product officer at SecureAuth, says organizations will change based on a combination of four important factors: an important industry peer (i.e., a bank or insurance company) gets breached and they don’t want to be the next victim; a new CEO or top executive comes into the organization and dictates that the company will move toward passwordless authentication; an organization realizes it finally has to do something to stop the ability of synthetic IDs to steal passwords; and, finally, customers push for change.
Serious flaw in Airtel mobile app exposed data of over 325 million Indian users
- Airtel’s mobile app had a serious security flaw that likely exposed the data of its nearly 325 million customers. This would include personal information such as names, emails, birthdays, addresses, and even the IMEI numbers of their mobile devices. Airtel has acknowledged the issue in its mobile app and issued a fix.
- The bug was in the Application Programming Interface (API) of Airtel’s mobile app, according to independent security researcher Ehraz Ahmed, who told the BBC that it took him about 15 minutes to find the flaw. Ahmed has also posted a video, which shows a script being used to fetch the information from the Airtel mobile app’s API.
Union Cabinet approves Personal Data Protection Bill, to be introduced in this session
- On Dec 4th, the Union Cabinet cleared the Personal Data Protection Bill (PDPB) for introduction in the current session of Parliament.
- India’s draft bill, titled the Personal Data Protection Bill, 2018, has been approved by the Union Cabinet and introduced in the Parliament. The draft bill is India’s first step towards a privacy framework for the governance of personal data. Broad guidelines on the collection, storage, and processing of personal data, consent of individuals, penalties and compensation, code of conduct, and an enforcement model are likely to be a part of the law.
Despite potential fines, GDPR compliance rate remains low
Talend released the results of its first GDPR research benchmark, which reveals that despite potential fines, the compliance rate remains low.
Talend released the results of its first GDPR research benchmark, which was aimed to assess the ability of organizations to achieve right to access and portability compliance with the European regulation.
The findings, for the companies surveyed, are as follows:
- 58% were not able to meet data access and portability requests within the GDPR-specified one-month time limit
- 7% do not have any electronic means to make the requests
- On average, companies provided the data in 16 days
Data from 21M Mixcloud Users Compromised in Breach
Music streaming service Mixcloud has disclosed a security incident in which unauthorized users gained access to some of its systems; the breach compromised the data of 21m users.
Mixcloud confirmed the security incident wherein unauthorized users gained access to some of its systems. While Mixcloud did not disclose the breach’s scale, the alleged attacker who provided a portion of the data to TechCrunch said there were 20 million records stolen. However, 21 million records were listed for sale, and the data sample indicated there might have been up to 22 million records stolen. Data contained includes usernames, email addresses, and salted passwords.
WEEK OF DECEMBER 03, 2019
Password data for ~2.2 million users of currency and gaming sites dumped online
- Security researcher confirms that the password data of almost 2.2 million users of Gatehub and EpicBot services has been posted online.
- Security researcher Troy Hunt, who’s behind the Have I Been Pwned breach notification service, confirms that the password data and other personal information of close to 2.2 million users have been dumped online. One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that’s among the hardest to crack.
PayMyTab data leak exposes personal information belonging to mobile diners
- Cybersecurity researchers from vpnMentor disclosed a data leak in which personal information belonging to PayMyTab customers was exposed due to an open AWS database.
- Cybersecurity researchers from vpnMentor disclosed a data leak in which PII and partial financial details were made available online. The team found an unsecured Amazon Web Services (AWS) S3 bucket; PayMyTab had failed to follow Amazon’s security guidance for it. While no exact figures on the amount of data leaked or the number of customers have been released, vpnMentor says that the leak has left “10,000s of people vulnerable to online fraud and attacks.”
Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws
- Two critical security vulnerabilities discovered in Oracle’s E-Business Suite (EBS) could allow potential attackers to take full control over a company’s entire enterprise resource planning (ERP) solution.
- According to Onapsis Research Labs, more than 21,000 enterprises use Oracle EBS for financial management, CRM, SCM, HCM, logistics, procurement and more. If successfully exploited in an attack, the two flaws would enable threat actors to avoid detection while printing bank checks and making electronic fund transfers.
Why Multifactor Authentication Is Now a Hacker Target
- The FBI recognized how the increased implementation of multifactor authentication (MFA) has led to a proportionate increase in cybercriminals trying to bypass MFA.
- In a recent Private Industry Notification (PIN), the FBI recognized how recent cyberattack campaigns are focusing directly on circumventing multifactor authentication (MFA). The FBI outlined four tactics – SIM swaps, insecure web design, phishing, and channel-jacking – that hackers have been developing to bypass MFA. In the social-engineering variants, an adversary takes advantage of a person’s naturally trusting tendencies, and many people end up complying with the attacker’s request.
Android phones hacked; ‘hundreds of millions’ cameras, GPS, microphones affected
Google and Samsung disclosed several security vulnerabilities in their phones: hundreds of millions of cameras, GPS receivers, and microphones are affected.
According to Forbes, the Checkmarx security research team found several security vulnerabilities in Google and Samsung phones. Checkmarx uncovered several exploits, including the ability to remotely control the smartphone camera applications, take pictures, record videos, and use the video recording to eavesdrop on a user’s phone conversations. Hackers could also use exploits to gather a user’s GPS location data remotely.
Authorities Arrest Alleged Member of Group That Hacked Jack Dorsey
Disney’s new game-changing streaming-video service hasn’t even been available for a week, but already its users have been hacked and thousands of Disney+ accounts are on sale on the Dark Web, according to a new report.
Looking ahead, therefore, there’s a strong likelihood that Disney+ accounts will continue to be traded on the Dark Web alongside the multitude of account information and illegal content already for sale in that shadowy part of the Internet. Like it or not, this is only just the beginning.