SecureFact™

A curated list of Data Security News happening across the world, in a simple yet intuitive form for the fast-paced cybersecurity professionals.

WEEK OF JANUARY 13, 2019

Aurora Water announces data breach

  • Customers who used the Click2Gov payment system to make one-time payments or set up recurring payments between Aug. 30 and Oct. 14 were impacted.
  • Other personal information, such as Social Security numbers or government-issued ID numbers, were not affected because Aurora Water does not collect that information for billing purposes. Click2Gov is not used by and does not affect any other city departments or functions.
  • A dedicated webpage has been set up to assist affected customers and to provide updates about the breach. Customers can also call 1-844-931-1876 between 7 a.m. and 4:40 p.m. Monday through Friday for assistance.

*Source

CCPA Kickoff: What Businesses Need to Know

  • The California Consumer Privacy Act is in full effect, prompting organizations to think about how they’ll remain compliant.
  • As the first law of its kind in the United States, CCPA could set a precedent for states outside California. The law applies to most companies doing business in California and promises to have a “major impact” on the privacy landscape across the country.
  • Instead of limiting CCPA protections to California customers alone, major companies including Microsoft and Mozilla are extending compliance across all US states. The next version of Firefox, for example, will allow users to request desktop telemetry data be deleted from the browser.

*Source

School management software provider discloses severe security breach

  • Active Network discloses security incident that impacted school online stores built on the Blue Bear platform.
  • Parents who accessed a school’s (Blue Bear-based) web store to pay school fees or buy books and school supplies between October 1, 2019, and November 13, 2019, might have had their personal data stolen by hackers, Active Network said.
  • The type of data hackers might have collected includes their name, payment card number, payment card expiration date, payment card security code, and store username and password.

*Source

Developers Still Don’t Properly Handle Sensitive Data

  • The top classes of vulnerabilities for 2019 indicate that developers still don’t correctly sanitize inputs, nor protect passwords and keys as they should.
  • Software-security toolmaker DeepCode found that four of the seven vulnerabilities classes with the greatest impact on the security of software projects had to do with failures to protect data.
  • Driven by increased research into software security, more software under development, companies’ greater openness to vulnerability reporting, and perhaps most of all – improvements to the process of recording vulnerability reports – the number of software security issues published in the National Vulnerability Database rose to the highest recorded level in 2019, surpassing 17,300 issues reported during the year.

*Source

Credit card breach affects 60 national restaurant chains

  • Landry’s Inc. operates more than 60 chains, including Joe’s Crab Shack, Rainforest Cafe and Morton’s steakhouses.
  • Landry’s Inc., which operates hundreds of restaurants including Rainforest Cafe, Bubba Gump Shrimp Co., Morton’s steakhouses, Joe’s Crab Shack and more, issued a warning after it discovered that a 2019 data breach might have compromised customers’ credit card information.
  • The breach may have affected customers who paid with credit cards at its restaurants between March 13, 2019, and Oct. 17, 2019. A smaller group of restaurant locations may also have been compromised as early as Jan. 2018.

*Source

Will complying with India’s privacy law mean violating GDPR?

  • The most common conclusion emerging from such literature is the Privacy Bill being referred to as a replica of the EU General Data Protection Regulation.

  • This conclusion may not be wrong if you limit your comparison to broad topics under both the regimes, which look strikingly identical. For instance, the concept of “data controller” under the GDPR appears to be the same as “data fiduciary” under the PDPB, who has to comply with most of the legal obligations rather than entities that process personal data on behalf of the data controller/fiduciary.

  • Similarly, the list of privacy principles under the PDPB looks like GDPR principles, so is the definition of “personal data” containing a catch-all language covering almost every piece of information that can directly or indirectly identify an individual.

*Source 

WEEK OF JANUARY 06, 2019

U.S. convenience store chain Wawa says data breach affected thousands

  • Wawa says it’s notifying customers and offering free credit card monitoring and identity theft prevention services to anyone whose information may have been collected.
  • The breach affected all of Wawa’s 850 locations, which are all in the following states: Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.

*Source

Chinese hacker group caught bypassing 2FA

  • Chinese state-sponsored group APT20 has been busy hacking government entities and managed service providers.
  • How they did it remains unclear, although the Fox-IT team has a theory: APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its own computers to generate valid one-time codes and bypass 2FA at will.
  • In short, all the actor has to do to make use of the two-factor authentication codes is to steal an RSA SecurID software token and patch one instruction, which results in the generation of valid tokens.

*Source

The Year of Magecart: How the E-Commerce Raiders Reigned in 2019

  • Breaching British Airways, Ticketmaster, and Macy’s, Magecart attack groups sharply rose in sophistication and pervasiveness this year — and show no signs of slowing down.
  • The combined activity of all these groups has caused major breaches this year and hundreds of millions in fines, because many companies found themselves the target of fines under European Union’s newly minted General Data Protection Regulation (GDPR).
  • One victim, hotel chain Marriott, will likely have to hand over £99 million (US$124 million), while air carrier British Airways could see a £183 million (US$229 million) fine under GDPR.

*Source

GDPR was just a warmup. CCPA will arrive with a bang

  • More than eighteen months after the General Data Protection Regulation took effect, the fallout from Europe’s privacy law has been minimal. The same will not be true of the California Consumer Privacy Act, which takes effect on Jan. 1.
  • The AG’s office may not be able to enforce the CCPA until mid-year, but at that point it will be able to penalize companies for privacy violations dating back to the beginning of the year. By then companies may already be feeling the privacy law’s pinch with some advertisers planning to pull back on targeted advertising and the potential for sites’ CCPA-mandated notices to scare off visitors to publishers’ properties.

*Source

US Accounting Firm Moss Adams Discloses Data Breach

  • One of the largest public accounting firms in the United States, Moss Adams, has suffered a data breach. The firm suffered the security breach that potentially exposed the names and Social Security Numbers of the customers.
  • Following the incident, the company immediately took steps to contain the attack. It also assured customers that the incident did not affect any information systems.
  • In October, an Italian financial service UniCredit also revealed a data breach that affected the firm in 2015. The incident potentially impacted 3 million customers.

*Source

Wyze data leak may have exposed personal data of millions of users

  • The security camera startup blames employee error for weeks-long data leak.

  • The data was accidentally left exposed when it was transferred to a new database to make the data easier to query, but a company employee failed to maintain security protocols during the process, Wyze co-founder Dongsheng Song wrote in a forum post.

  • Among the data exposed in the Wyze leak was the height, weight, gender and other health information of about 140 beta users participating in the testing of new hardware, Wyze said.

*Source 

WEEK OF DECEMBER 30, 2019

South African IT firm Conor behind the leak of 1 million web browsing records

  • Over 890GB of browsing log data of all online activities of over 1 million users has been revealed due to an unencrypted database hailing from a web filter app built by Conor.
  • VpnMentor said its team was able to view a user’s activity on porn websites. It also said with usernames also exposed, locating a specific person on various social media platforms was easy.

*Source

Here are the Most Common Passwords Found From Breaches in 2019

  • Passwords ‘12345,’ ‘123456,’ and ‘123456789’ were the most common, followed by ‘test1’ and, of course, ‘password’.
  • Weak password logic also included strings of letters forming a horizontal or vertical line on the keyboard, such as asdfghjkl, qazwsx, 1qaz2wsx, etc.
  • The most obvious—‘password’— remained popular with 830,846 people still using it.

*Source

Cyberattack on Twitter targeted Epilepsy Foundation with strobing images

  • Attackers apparently tried to trigger seizures in followers of the account who have the condition.
  • A Twitter spokesman said the company is committed to making Twitter safer by offering the option of preventing media from auto playing in users’ Timelines and barring GIFs from appearing when someone searches for “seizure” in GIF search.

*Source

LifeLabs pays ransom after cyberattack exposes information of 15 million customers in B.C. and Ontario

  • Canada’s largest lab testing company says private data has not been exposed publicly.
  • “We’ve seen this happen with a number of hospitals around the world,” said technology expert Graham Williams.
  • Williams says — depending on the information that was stolen — that a big concern arising out of the cyberattack could be that medical data could not only be used for identity theft or medical fraud but also blackmail. 

*Source

A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users

  • This gives a potential attacker access to view cameras in somebody’s home — that’s a real serious potential invasion of privacy right there.
  • The Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network.
  • It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists like this so that other bad actors can attempt to gain access to other services.

*Source

Millions of Facebook user phone numbers exposed online, security researchers say

  • More than 267 million Facebook user IDs, phone numbers and names were in an unsecured database.

  • Facebook’s latest privacy mishap raises questions about whether the company is doing enough to protect the data of its billions of users.

  • It’s also another reminder that users should be wary about what information they make public on the social network. This isn’t the first time a security researcher has uncovered a database filled with Facebook user data.

*Source 

WEEK OF DECEMBER 23, 2019

New Orleans mayor declares state of emergency in wake of city cyberattack

  • While ransomware was detected, no ransom has been demanded in the cyberattack.
  • Phishing attempts and suspicious activity were detected on the city’s network. While ransomware was detected, no ransom has been demanded in the cyberattack. At this time, the city does not believe any employee information was compromised during the phishing attempts that occurred. The incident is being investigated by the city with assistance from the Louisiana State Police, Louisiana National Guard, the FBI and Secret Service.

*Source

Google is sending text messages from your phone without telling you

  • Android users from India mainly reported the message, but those in the U.S. and several countries in Europe also observed the same occurrence.
  • For your security, we’ll re-verify from time to time to make sure that your phone’s number is still yours. When we re-verify, you might get text messages from Google or see outgoing texts to Google. The message could say something like, ‘Google is verifying the phone number of this device.’

*Source

Criminals Hide Fraud Behind the Green Lock Icon

  • Criminals are using free certificate services to apply real security certs to fraudulent sites – and to take advantage of victims looking for surfing safety.
  • In its “State of E-Commerce Phishing” report for 2019, NormShield reported that the number of potential phishing domains registered in 2019 was up by 11% over 2018. One of the reasons for this is the “green lock” icon that indicates encrypted legitimacy to its users. Already abandoned by Google for its Chrome browser, the green lock is an increasingly unreliable indicator of safety. Criminals are using free certificate services to apply real security certs to fraudulent sites – and to take advantage of victims looking for surfing safety.

*Source

2020 is when cybersecurity gets even weirder, so get ready

  • AI-powered deepfakes, ransomware, IoT, and 5G all mean that protecting your data is about to get a lot harder.
  • If you thought cybersecurity wasn’t already challenging, the next couple of years will bring a whole new range of threats:

    · Forrester predicts that deepfakes could end up costing businesses a lot of money next year, as much as $250m.

    · The continued expansion of the IoT will greatly increase the number of devices and applications that security teams will have to protect.

    · The gradual rise of 5G is going to make this a bigger problem because these devices might be spread across a vast geography.

    · Ransomware is likely to get odder too; this year has shown just how much effort criminal gangs are willing to put into catching out large organizations. The aim now is to score a huge payday by encrypting whole networks, not just a few PCs.

*Source

Another Reason to Not Pay for Gas at the Pump

  • Hackers get into the gas station’s point-of-sale system by sending phishing emails to employees, according to Visa’s report, initially shared by Engadget. From there, the hackers get access to your info from your card’s magnetic stripe when you insert your card at the pump. While most other businesses have already switched over to EMV chip payments, gas stations were given an extension by Visa and Mastercard. They have until next year to change their pumps over, which means even though your card has a chip, it’s probably not being read when you pay for gas.

*Source

SQL Server 2019 Tool Tells Attackers Which Data Is Sensitive

  • The design of SQL Data Discovery & Classification could let attackers pinpoint sensitive information while flying under organizations’ radars.

  • The tool is built into SQL Server Management Studio (SSMS) and lets users detect, classify, and report on sensitive data stored within their databases. This runs against the principle of “segregation of duties,” under which no single employee has access to too much sensitive information.

*Source 

Somebody’s Watching: Hackers Breach Ring Home Security Cameras

  • Unnerved owners of the devices reported recent hacks in four states. The company reminded customers not to recycle passwords and user names.

  • At least three similar cases were reported this month — the others were in Connecticut, Florida, and Georgia. A Ring spokeswoman said in a statement on Saturday that the company took the security of its devices seriously and reminded customers not to recycle passwords and user names.

*Source 
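The credential lists described in both Ring items above (passwords harvested from other companies’ breaches, then tried against another service’s accounts) show up on the defending side as a burst of logins from one source against many different accounts, most of them failing. The following Python is an added example, not Ring’s or any vendor’s code: it parses a constructed authentication-log format (an assumption, not a real product’s schema) and flags source addresses that match that pattern, listing the accounts where a reused password actually worked, since those are the ones to reset first.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log line format (an assumption, not any vendor's real schema):
#   <ISO-8601 timestamp> login ip=<source> user=<account> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one legitimate user who mistyped once, one source that
# walks a list of eight accounts and gets into one of them, and one other user.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-12-14T10:00:01Z login ip=198.51.100.7 user=alice result=FAIL
2019-12-14T10:00:09Z login ip=198.51.100.7 user=alice result=OK
2019-12-14T10:01:00Z login ip=203.0.113.5 user=alice result=FAIL
2019-12-14T10:01:00Z login ip=203.0.113.5 user=bob result=OK
2019-12-14T10:01:01Z login ip=203.0.113.5 user=carol result=FAIL
2019-12-14T10:01:01Z login ip=203.0.113.5 user=dave result=FAIL
2019-12-14T10:01:02Z login ip=203.0.113.5 user=erin result=FAIL
2019-12-14T10:01:02Z login ip=203.0.113.5 user=frank result=FAIL
2019-12-14T10:01:03Z login ip=203.0.113.5 user=grace result=FAIL
2019-12-14T10:01:03Z login ip=203.0.113.5 user=heidi result=FAIL
2019-12-14T10:02:00Z login ip=192.0.2.44 user=ivan result=OK
this line is garbage and must not crash the parser
"""


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events: List[Dict[str, str]],
                               min_accounts: int = 5,
                               min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Flag source IPs that tried many distinct accounts with mostly failures.

    The thresholds are constructed starting points; tune them to the service's
    normal traffic (a shared NAT legitimately carries several accounts, but
    rarely with a high failure rate across all of them).
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "succeeded": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["succeeded"].add(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_accounts": len(s["users"]),
                "fail_ratio": round(ratio, 3),
                # accounts the stuffing source got into: force a password reset
                "succeeded": sorted(s["succeeded"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Run against the sample, only 203.0.113.5 is flagged (8 accounts, 7 of 8 attempts failed) and the one account it succeeded on, bob, is reported; alice’s single mistyped login from her own address is not flagged because one account never reaches `min_accounts`.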

College Board sold student data for 47 cents each, lawsuit claims

  • College Board, the nonprofit that develops and administers SAT and Advanced Placement exams, is being accused of selling more than five million students’ personal information, according to a lawsuit filed in Chicago last week.

  • College Board assured that students’ participation in the student search survey would assist them in the college application process. However, parents claimed that the College Board charged between $0.42 and $0.47 per student name and sold their personal information to a third-party organization.

*Source

WEEK OF DECEMBER 16, 2019

Why should we care about protecting data in our personal lives?

  • As privacy practitioners, we must care about protecting our data. And just like a good education, privacy awareness starts at home. Here are some common privacy and data protection myths debunked:
  • Before implementing or enforcing regulation in the commercial space, it is essential to debunk the common myths and raise awareness on the fundamental right to privacy in our personal lives. Here are the top three myths around privacy and data protection:
  • Myth 1: The choice around privacy is binary (all or nothing)
  • Myth 2: Breaching privacy only comes from malicious intent
  • Myth 3: Pseudonymized data is not really personal data

*Source

GDPR Violation: German Privacy Regulator Fines 1&1 Telecom

  • German Privacy Regulator has fined 1&1 Telecommunications $10.6 million, one of the most considerable fines to date for violating the GDPR.
  • 1&1 Telecom, one of the country’s largest network-independent telecommunications providers with about 14 million customers, was fined $10.6 million by Germany’s Federal Commissioner for Data Protection and Freedom of Information. The BfDI says it fined 1&1 Telecom after discovering that callers to its call center could retrieve customer information only by giving their name and date of birth, which it said was an insufficient level of authentication for protecting customer data.

*Source

Data Leak Week: Billions of Sensitive Files Exposed Online

  • A total of 2.7 billion email addresses, 1 billion email account passwords, and nearly 800,000 applications for copies of birth certificates were found on unsecured cloud buckets.
  • An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches. Revelations this week of separate data exposure incidents — a billion passwords displayed in plaintext as well as hundreds of thousands of US birth certificate applications — shared a common thread: unsecured cloud-based databases that left the sensitive information wide open for anyone to access online. 

*Source

Chrome 79 will continuously scan your passwords against public data breaches

  • By default, Chrome will now let users know if their credentials are public by continually scanning passwords against public data breaches.
  • Google’s “Password Checkup” extension is now being integrated into the desktop and mobile versions of Chrome 79. Google figures that since it has a significant (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in many security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.

*Source
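The compromised-credential check the Chrome item describes can be done without handing the lookup service the password, or even its full hash. The following Python is an added example, not Google’s or Chrome’s code; the hash-prefix range query it uses is an assumption about the general technique, not a description of Chrome’s protocol, and the breach corpus, its occurrence counts, the `SERVER_SEEN` log and the helper names are constructed here.

```python
import hashlib
from typing import Dict, List, Tuple

PREFIX_LEN = 5  # hex characters of the SHA-1 digest the client reveals to the lookup service

# Constructed breach corpus: passwords the page lists as most common, with
# made-up occurrence counts. A real corpus holds billions of entries.
BREACHED_PASSWORDS: Dict[str, int] = {
    "123456": 5, "12345": 4, "password": 3, "test1": 2, "qazwsx": 1,
}

# Records every prefix the simulated server receives, so we can show what leaks.
SERVER_SEEN: List[str] = []


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the key the corpus is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side: bucket digests by their first PREFIX_LEN hex chars -> {suffix: count}."""
    index: Dict[str, Dict[str, int]] = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server side: return the whole bucket for a prefix, never a yes/no for one hash.

    The server learns only that the client's password hashes into this bucket;
    with a large corpus that is hundreds of candidates per prefix.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("client must send exactly the %d-character prefix" % PREFIX_LEN)
    SERVER_SEEN.append(prefix)
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns how many times the password appears in the corpus (0 = not seen).
    """
    digest = sha1_hex(password)
    bucket = range_query(index, digest[:PREFIX_LEN])
    return bucket.get(digest[PREFIX_LEN:], 0)


def check_credentials(pairs: List[Tuple[str, str]],
                      index: Dict[str, Dict[str, int]]) -> List[Tuple[str, int]]:
    """Flag each (username, password) whose password is in the corpus.

    The username never leaves the client; only password-hash prefixes are sent.
    """
    flagged = []
    for user, password in pairs:
        n = breach_count(password, index)
        if n:
            flagged.append((user, n))
    return flagged


if __name__ == "__main__":
    idx = build_index(BREACHED_PASSWORDS)
    print(check_credentials([("alice", "123456"),
                             ("bob", "correct horse battery staple")], idx))
    print("prefixes the server saw:", SERVER_SEEN)
```

The point to take from the design is the split of work: the corpus owner only ever sees a 5-character prefix and answers with a whole bucket, so neither a stored password nor its full digest crosses the wire, while the client still learns exactly how many times its password has appeared in public dumps.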

Biggest Data leak of 2019

In an era where internet access is considered a necessity, it doesn’t come without its costs. Here’s a list of the biggest data leaks of 2019 that hit Indians: 

  • SBI leaves its server without any password protection, exposing the data of its 422 million customers
  • Biggest single card database – more than 1.3 million credit and debit card details from Indian banks – for sale on the darknet
  • Hackers attack Indian healthcare website, steal records of 6.8 million users
  • Facebook stores passwords of 600 million users in plain text
  • Personal information of 100 million JustDial users on unprotected servers
  • Dating apps – Grindr, Romeo, Reco, and 3fun – reveal precise location information of users, threatening the individual safety of over 10 million users
  • Facebook and Twitter users’ personal data leaked through malicious apps
  • Kudankulam Nuclear Power Plant (KKNPP) and ISRO hacked
  • OnePlus data breach affects 3,000 users
  • A security loophole in one of Airtel’s APIs left the data of 325 million subscribers in India vulnerable

*Source

Attackers Steal Credit Cards in Rooster Teeth Data Breach

  • Rooster Teeth Productions have suffered a data breach that allowed attackers to steal credit card and other payment information from shoppers on the company’s online store.

  • Rooster Teeth Productions, known for its popular shows and documentaries, has suffered a breach; while it wasn’t a traditional Magecart attack, it achieved the same results. As part of this hack, a malicious script was injected into the store that would cause the shopper to be redirected to a fake payment page under the control of the attackers. This allowed the attackers to steal a customer’s name, email address, telephone number, physical address, and/or payment card information that was submitted.

*Source

WEEK OF DECEMBER 09, 2019

Ransomware attack hits major US data center provider

  • According to details ZDNet received in a tip, the incident took place yesterday and was caused by a version of the REvil (Sodinokibi) ransomware.
  • This is the same ransomware family that hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August.
  • The company owns 45 data centers in Europe, Asia, and the Americas, and has more than 1,000 customers.
  • A CyrusOne spokesperson confirmed the incident and said the company is currently working with law enforcement and forensics firms to investigate the attack and help customers restore impacted systems.

*Source

Mega Breaches Are Forcing Us to a Passwordless World. Are We Finally Ready?

  • The cause of breaches has been well-known since the landmark “2017 Verizon Data Breach Investigations Report,” which revealed that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
  • While it’s true the industry has been slow to change, a closer look reveals that much progress has been made in 2019. For example, Microsoft and Google now support passwordless standard FIDO2, and Apple made it clear it intends to support FIDO2 for its Safari browser. In another important move, Apple says iOS 13.3 (likely available early in 2020) will support popular FIDO-compliant authentication devices like the YubiKey.
  • Matthew Ulery, chief product officer at SecureAuth, says organizations will change based on a combination of four important factors: an important industry peer (i.e., a bank or insurance company) gets breached and they don’t want to be the next victim; a new CEO or top executive comes into the organization and dictates that the company will move toward passwordless authentication; an organization realizes it finally has to do something to stop the ability of synthetic IDs to steal passwords; and, finally, customers push for change.

*Source

Serious flaw in Airtel mobile app exposed data of over 325 million Indian users

  • Airtel’s mobile app had a serious security flaw that likely exposed the data of its nearly 325 million customers. This would include personal information such as names, emails, birthdays, addresses, and even the IMEI numbers of their mobile devices. Airtel has acknowledged the issue in its mobile app and issued a fix for it as well.
  • The bug was in the Application Program Interface (API) of Airtel’s mobile app, according to independent security researcher Ehraz Ahmed, who told the BBC that it took him about 15 minutes to find the flaw. Ahmed has also posted a video, which shows a script being used to fetch the information from the Airtel mobile app’s API.

*Source

Union Cabinet approves Personal Data Protection Bill, to be introduced in this session

  • On Dec 4th, the Union Cabinet cleared the Personal Data Protection Bill (PDPB) for introduction in the current session of Parliament.
  • India’s draft bill, titled the Personal Data Protection Bill, 2018, has been approved by the Union Cabinet and introduced in the Parliament. The draft bill is India’s first step towards a privacy framework for the governance of personal data. Broad guidelines on the collection, storage, and processing of personal data, consent of individuals, penalties and compensation, code of conduct, and an enforcement model are likely to be a part of the law.

*Source

Despite potential fines, GDPR compliance rate remains low

  • Talend released the results of its first GDPR research benchmark, which reveals that despite potential fines, the compliance rate remains low.

  • Talend released the results of its first GDPR research benchmark, which was aimed to assess the ability of organizations to achieve right to access and portability compliance with the European regulation.

    The findings, for the companies surveyed, are as follows:

    • 58% were not able to meet data access and portability requests within the GDPR-specified one-month time limit
    • 7% do not have any electronic means to make the requests
    • On average, companies provided the data in 16 days

*Source

Data from 21M Mixcloud Users Compromised in Breach

  • Music streaming service Mixcloud has disclosed a security incident in which unauthorized users gained access to some of its systems; the breach compromised the data of 21m users.

  • Mixcloud confirmed the security incident wherein unauthorized users gained access to some of its systems. While Mixcloud did not disclose the breach’s scale, the alleged attacker who provided a portion of the data to TechCrunch said there were 20 million records stolen. However, 21 million records were listed for sale, and the data sample indicated there might have been up to 22 million records stolen. Data contained includes usernames, email addresses, and salted passwords.

*Source

WEEK OF DECEMBER 03, 2019

Password data for ~2.2 million users of currency and gaming sites dumped online

  • Security researcher confirms that the password data of almost 2.2 million users of Gatehub and EpicBot services has been posted online.
  • Security researcher Troy Hunt, who’s behind the Have I Been Pwned breach notification service, confirms that the password data and other personal information of close to 2.2 million users have been dumped online. One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that’s among the hardest to crack.

*Source

PayMyTab data leak exposes personal information belonging to mobile diners

  • Cybersecurity researchers from vpnMentor disclosed a data leak in which personal information belonging to PayMyTab customers was exposed due to an open AWS database.
  • Cybersecurity researchers from vpnMentor disclosed a data leak in which PII and partial financial details were made available online. The team found an unsecured Amazon Web Services (AWS) S3 bucket, in which PayMyTab failed to follow Amazon’s security protocols. While no exact figures on the amount of data leaked or the number of customers have been released, vpnMentor says that the leak has left “10,000s of people vulnerable to online fraud and attacks.”

*Source

Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws

  • Two critical security vulnerabilities discovered in Oracle’s E-Business Suite (EBS) could allow potential attackers to take full control over a company’s entire enterprise resource planning (ERP) solution.
  • According to Onapsis Research Labs, more than 21,000 enterprises use Oracle EBS for financial management, CRM, SCM, HCM, logistics, procurement and more. Two critical security vulnerabilities were discovered in Oracle’s EBS which could allow potential attackers to take full control over a company’s entire ERP solution. If successfully exploited in an attack, these flaws enable threat actors to avoid detection while printing bank checks and making electronic fund transfers.

*Source

Why Multifactor Authentication Is Now a Hacker Target

  • The FBI recognized how the increased implementation of multifactor authentication (MFA) has led to a proportionate increase in cybercriminals trying to bypass MFA.
  • In a recent Private Industry Notification (PIN), the FBI recognized how recent cyberattack campaigns are focusing directly on circumventing multifactor authentication (MFA). The FBI outlined four tactics – SIM swaps, insecure web design, phishing, and channel-jacking – that hackers have been developing to bypass MFA. To social engineer such an attack, an adversary tries to take advantage of a person’s naturally trusting tendencies, where many people end up processing the hacker’s request.

*Source

Android phones hacked; ‘hundreds of millions’ cameras, GPS, microphones affected

  • Google and Samsung disclosed several security vulnerabilities in their phones: hundreds of millions of cameras, GPS units and microphones are affected.

  • According to Forbes, the Checkmarx security research team found several security vulnerabilities in Google and Samsung phones. Checkmarx uncovered several exploits, including the ability to remotely control the smartphone camera applications, take pictures, record videos, and use the video recording to eavesdrop on a user’s phone conversations. Hackers could also use exploits to gather a user’s GPS location data remotely.

*Source

Authorities Arrest Alleged Member of Group That Hacked Jack Dorsey

  • Disney’s new game-changing streaming-video service hasn’t even been available for a week, but already its users have been hacked and thousands of Disney+ accounts are on sale on the Dark Web, according to a new report.

  • Looking ahead, therefore, there’s a strong likelihood that Disney+ accounts will continue to be traded on the Dark Web alongside the multitude of account information and illegal content already for sale in that shadowy part of the Internet. Like it or not, this is only just the beginning.

*Source

WEEK OF NOVEMBER 25, 2019

Data Breaches Will Cost Healthcare $4B in 2019, Threats Outpace Tech

  • According to Black Book Research, threat actors are outpacing security technology and processes; these data breaches will cost the healthcare sector $4B by the end of 2019.
  • Black Book surveyed 2,876 security professionals from 733 provider organizations to identify gaps, vulnerabilities, and deficiencies keeping the healthcare sector from improving its cybersecurity posture.
  • Data breaches cost hospital organizations an estimated $423 per breached patient record.
  • About 96 percent agreed that threat actors are outpacing their healthcare organizations’ ability to fend off cyberattacks, keeping them at a serious disadvantage.

*Source

Why Cyber-Risk Is a C-Suite Issue

  • NTT Security’s 2019 Risk:Value research claims that cyber risk is a c-suite issue as organizations realize the scale of cyber-risk but lack counter-actions to build resilience.
  • In a global study of more than 2,200 organizations across 22 different countries, NTT Security’s 2019 Risk:Value research found that cyberattacks (43%), data loss or theft (37%), and attacks on critical infrastructure (35%), aimed particularly at telecoms and energy networks, concern respondents the most. The survey respondents figured these threats would present a greater risk to their organization over the next 12 months than trade barriers and other critical global issues such as the environment, terrorism, and government failures.

*Source

Americans Fed Up with Lack of Data Privacy

  • 8 out of 10 US adults are worried that their data is collected and used in concerning ways that they cannot control and don’t fully understand, a new Pew Research survey shows.
  • A Pew Research Center study shows that a majority of Americans say they have very little or no control over how companies use their data but are very concerned about how companies are using it. The report, based on a nationally representative panel of randomly selected US adults, shows that 62% of Americans feel they cannot prevent companies from collecting data on their activities, while 63% feel the same about government data collection. The study also found that a vast majority conclude that the risks of data collection outweigh the benefits.

*Source

Macy’s suffers online Magecart card-skimming attack, data breach

  • Macy’s has announced a data breach caused by Magecart card-skimming code being implanted in the firm’s online payment portal.

  • Macy’s found that a card-skimming script had been injected into its website. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers. Magecart attacks are usually made possible through a vulnerability in a website or its backend CMS. Once unauthorized access is gained, threat actors inject JavaScript code into a webpage that handles financial information and wait for unsuspecting consumers to submit their payment card details.

*Source
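One defender-side check for the injection pattern described above, as an added example that is not from the original article or from Macy’s: it inventories the script tags in a stored copy of a checkout page against an allowlist of expected origins and flags inline scripts, scripts from unexpected origins, and scripts without Subresource Integrity. The shop and CDN hostnames and the sample HTML are constructed for the example.

```javascript
// Added example, not from the original article or from Macy's: a scheduled
// defender-side inventory check for the Magecart pattern described above. It flags
// inline scripts, scripts from origins outside the allowlist, and allowlisted
// scripts without a Subresource Integrity attribute. Hostnames and HTML are constructed.

const PAGE_ORIGIN = "https://shop.example";
const ALLOWED_ORIGINS = [PAGE_ORIGIN, "https://cdn.example"];

// Constructed page: two expected scripts, one lacking SRI, one from an unknown host, one injected inline.
const SAMPLE_HTML = `<html><head>
<script src="/static/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-BBBB"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://stats-collector.example/s.js"></script>
<script>var injected = 1;</script>
</head><body><form id="payment"></form></body></html>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse a tag's attribute string into a lowercase-keyed map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// One finding per suspicious script; an empty array means the page matches the expected inventory.
function auditScripts(html, allowedOrigins) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    const body = m[2].trim();
    if (!("src" in attrs)) {
      if (body) findings.push({ kind: "inline-script", detail: body.slice(0, 60) });
      continue;
    }
    let origin;
    try { origin = new URL(attrs.src, PAGE_ORIGIN).origin; }
    catch (e) { findings.push({ kind: "unparseable-src", detail: attrs.src }); continue; }
    if (!allowedOrigins.includes(origin)) {
      findings.push({ kind: "unexpected-origin", detail: attrs.src });
    } else if (!attrs.integrity) {
      findings.push({ kind: "missing-integrity", detail: attrs.src });
    }
  }
  return findings;
}
```

Run it against a stored copy of the checkout page on a schedule and alert on any non-empty result; a freshly injected skimmer shows up as an inline script or an unexpected origin.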

Avoid juice jacking! L.A. warns travelers against public USB charging stations

  • Travelers who need to charge their smartphones while on the go might want to avoid public USB charging stations, due to the security risk known as “juice jacking,” authorities in California have warned.

  • While juice jacking may not be the weapon of choice for hackers, as there are many other ways to infiltrate the smartphones of targets, it remains a potential threat. Travelers should stick to the safe side and only consider public USB charging stations a last resort.

*Source

WEEK OF NOVEMBER 20, 2019

Joker’s Stash Puts $130M Price Tag on Credit Card Database

  • Skimmed at ATMs and shops, the details of about 1.3 million debit and credit cards have been put up for sale on a darknet marketplace called Joker’s Stash.
  • Group-IB, a Singapore-based firm that specializes in the detection and prevention of cyberattacks, said that of the 1.3 million cards, 98% are believed to be from India. Researchers say that the details are being sold at $100 each, which puts the value of the card database at over $130 million. The fraudsters selling the data claim to have both track-1 and track-2 data, which can be used for online transactions or for cloning cards.

*Source

Ransomware hits Spanish companies sparking WannaCry panic

  • Two major Spanish companies, IT consultancy firm Everis and leading radio network Cadena SER, have been hit by ransomware on the same day, sparking memories of the WannaCry outbreak.
  • Everis and Cadena SER have told employees to shut down computers and have disconnected their networks from the internet. Everis was impacted the most, as the company has more than 24,500 employees across 18 countries. According to screenshots posted on social media by supposed Everis employees, the ransomware that hit the IT firm is a version of the BitPaymer ransomware that also hit French TV station M6 and German automation tools maker Pilz.

*Source

Chinese Hackers Just Gave Us All A Reason To Stop Sending SMS Messages

  • If you haven’t shifted to an encrypted platform, now is the time to do so. China’s state-sponsored hackers have demonstrated just how insecure the unencrypted SMS technology built into telcos has become.
  • FireEye’s threat research and analysis blog has reported that APT41, one of China’s state-sponsored hacking groups, has been infecting Short Message Service Centre (SMSC) servers within cellular carriers with a malware tool dubbed MESSAGETAP. In this campaign, telcos were front and center. The researchers found that, from inside the carrier network itself, the attackers could monitor SMS traffic in bulk for keywords.

*Source

California DMV data breach exposes thousands of drivers’ Social Security information

  • The California Department of Motor Vehicles (DMV) suffered a data breach in which the Social Security information of 3,200 people was exposed.

  • Federal agencies, including the US Department of Homeland Security, had improper access to the Social Security information of thousands of drivers due to the California DMV breach. Notices of the data breach went out to those whose Social Security information — including whether or not a license holder had a Social Security number — was accessed during the last four years by seven agencies, including the Internal Revenue Service, the Small Business Administration, and district attorneys in San Diego and Santa Clara counties.

*Source

Siri, Google Assistant and Amazon Alexa can be hijacked with a $14 laser pointer to open garage doors, start cars, and shop online

  • Researchers found a way to hijack Google Assistant, Apple’s Siri, and Amazon’s Alexa with a $14 laser pointer, getting them to perform tasks such as starting cars and opening garage doors.

  • A team of researchers from Tokyo’s University of Electro-Communications and the University of Michigan tested popular voice assistants from major tech firms, such as Google Assistant, Apple’s Siri and Amazon’s Alexa. They demonstrated that they could “speak” to smart speakers and smartphones by driving their voice assistants with cheap lasers, even getting them to perform tasks such as opening a garage door. Since smart speakers don’t require extra authentication, they were found to be particularly vulnerable to this kind of attack.

*Source

Twitter & Trend Micro Fall Victim to Malicious Insiders

  • Twitter and Trend Micro are the latest on a long and growing list of organizations to fall victim to malicious insiders.

  • The US Department of Justice announced indictments against two former Twitter employees for allegedly accessing private information tied to Twitter accounts belonging to several individuals of interest to the government in Saudi Arabia. They are alleged to have provided the information — which included email addresses, phone numbers, IP addresses, and dates of birth — to officials working on behalf of the Saudi government and the Saudi royal family.

*Source

WEEK OF NOVEMBER 04, 2019

Adobe left 7.5 million Creative Cloud user records exposed online

  • The basic customer details of nearly 7.5 million Adobe Creative Cloud users were exposed on the internet inside an Elasticsearch database that was left connected online without a password.
  • The exposed details primarily included information about customer accounts, but not passwords or financial information.
  • This leak is nowhere near as severe as the infamous 2013 Adobe breach, in which hackers obtained full records, including encrypted payment details, for nearly 38 million Adobe users. At the time, the Adobe breach was one of the biggest hacks ever.

*Source

Italian Financial Service UniCredit Discloses Data Breach Affecting 3 Million Customers

  • The Italian bank and financial service provider UniCredit has recently disclosed a data breach. The incident happened around four years ago and exposed 3 million records.
  • According to its press release, the company identified a data file, compromised during the incident, containing around 3 million records. However, the incident was limited to Italian customers only.
  • The company also fell victim to a third-party data breach earlier this year. Specifically, the ransomware attack on the German IT firm CITYCOMP affected UniCredit along with other CITYCOMP clients.

*Source

Indian nuclear power plant’s network was hacked, officials confirm

  • The Nuclear Power Corporation of India Limited (NPCIL) has acknowledged today that malware attributed by others to North Korean state actors had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP). The admission comes a day after the company issued a denial that any attack would affect the plant’s control systems.
  • The malware in question, named Dtrack by Russian malware protection company Kaspersky, has been used in widespread attacks against financial and research centers, based on Kaspersky data collected from over 180 samples of the malware. Dtrack shares elements of code from other malware attributed to the Lazarus threat group, which, according to US Justice Department indictments, is a North Korean state-sponsored hacking operation. Another version of the malware, ATMDtrack, has been used to steal data from ATM networks in India.

*Source

Data Breach Hits 22 Million Web.com, Register.com, Network Solutions Accounts

  • The companies said they became aware of the breach on October 16, but the intrusion apparently took place in late August 2019. The hackers accessed a “limited number” of computer systems that gave them access to account information for current and former customers.

  • Network Solutions, Web.com and Register.com have started notifying impacted customers via email and their websites, and they have also reported the incident to federal authorities. A cybersecurity firm has been called in to help determine the scope of the hacker attack.

  • Web.com informed customers in August 2015 that hackers had managed to steal personal information and credit cards associated with approximately 93,000 accounts after breaching a server.

*Source

More than 28 million Canadians impacted by a data breach in past 12 months: privacy watchdog

  • One year after Canadian businesses became subject to mandatory data breach reporting, the country’s federal privacy watchdog says reports of breaches have dramatically increased, with its figures suggesting that more than 28 million Canadians have been affected by a data breach in the past year.

  • The OPC also saw a “significant rise” in breaches that affect a small number of people — often only one person and “sometimes through a targeted, personalized attack.”

*Source