A curated list of Data Security News happening across the world, in a simple yet intuitive form for the fast-paced cybersecurity professionals.
WEEK OF APRIL 06, 2020
A major new Intel processor flaw could defeat encryption and DRM protections
- Security firm Positive Technologies discovered the flaw, and is warning that it could break apart a chain of trust for important technology like silicon-based encryption, hardware authentication, and modern DRM protections.
- The root of the flaw is Intel’s Converged Security Management Engine (CSME), the part of Intel’s chips that’s responsible for securing all firmware that runs on Intel-powered machines.
Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale
- Affected users should also be on the lookout for mobile SMS phishing (smishing) scams that pretend to be Koodo and utilize information obtained from this breach.
- According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.
- This information can be used by scammers to port Koodo Mobile numbers to attackers’ devices to receive 2-factor authentication codes, which could allow attackers to gain access to email and bank accounts.
Polish school hit with GDPR fine for using fingerprints to verify students’ lunch payments
- This highlights the fact that GDPR isn’t only about imposing gargantuan fines, as it has in other high-profile cases.
- A school in Poland has been fined €4,600 ($5,200) for breaching Europe’s General Data Protection Regulation (GDPR) after it was found to be processing students’ fingerprint data to verify whether they had paid for school lunch.
- While parental consent was obtained for the biometric ID program, Poland’s Personal Data Protection Office (UODO) found that the system was “not essential for achieving the goal of identifying a child’s entitlement to receive lunch.”
Walgreens Mobile App Leaks Prescription Data
- A security error in the Walgreens mobile app may have leaked customers’ full names, prescriptions and shipping addresses.
- “As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers,” according to a Walgreens data security incident customer notification.
- That potentially exposed data includes first and last names of customers, their prescription numbers and drug names, store numbers that customers picked up prescriptions from, and shipping addresses.
Ransomware attack on sheep farmers shows there’s no room for woolly thinking in cyber security
- Wool sales were severely disrupted last week by a ransomware attack on IT company Talman Software, which processes more than 75% of sales in Australia and New Zealand.
- A ransomware attack on such an important sector of Australia’s economy shows how vital it is for authorities to defend markets against cyber threats.
- Wool sales were halted for several days and hastily rescheduled, with an estimated 70,000 bales held in limbo. The industry’s turnover in a typical week is up to A$80 million, but prices may now drop as the postponed sales cause a glut in the market.
Microsoft Confirms ‘Really, Really High’ Hacking Risk For Millions Of Users: Here’s What You Do Now
- If you have an organization of 10,000 users, 50 of them are going to be compromised this month.
- The truly shocking issue here is that only 11% of enterprise users make use of multi-factor authentication or MFA tools. That means a staggering 89% of accounts remain open to fairly simple attacks.
- 80% of those compromised enterprise accounts, which if you do the quick math is almost 1 million hacked accounts in January alone, were hit by either “password spray” or “replay” attacks.
WEEK OF MARCH 30, 2020
Louisiana’s governor declared a state of emergency after a cybersecurity attack on government servers
- The attack prompted an outage of “many state websites and emails” on Monday “due to the state taking extreme emergency protective measures, including shutting down server traffic, to neutralize the attack.”
- Louisiana is no stranger to declarations of emergency, but it had never had one for a cybersecurity emergency until recently.
- A series of attacks on school districts around the state led Governor John Bel Edwards to issue the declaration that brings new resources and statewide coordination to what had been a collection of local cybersecurity events.
Cathay Pacific hit with £500,000 fine for customer data breach
- The Information Commissioner’s Office (ICO) said that, between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures that led to customers’ personal details being exposed, 111,578 of whom were from the UK, and around 9.4 million more worldwide.
- The Cathay Pacific data breach occurred before GDPR came into force in May 2018, which introduced significantly higher financial penalties for security breaches.
Boots stops Advantage Card payments after cyber attack on 150,000 customers’ accounts
- The suspension comes after the company’s IT security team spotted “unusual” activity on a number of Boots Advantage Card accounts with the aim of accessing and spending the points.
- The chain told the PA news agency the issue affected less than 1% of the company’s 14.4 million active Advantage Card users – around 150,000 people. But Boots insisted no credit card information had been accessed.
Virgin Media data breach affects 900,000 people
- The database, which was for marketing purposes, contained phone numbers, home and email addresses. The breach was not due to a hack or a criminal attack, but because the database had been “incorrectly configured” by a member of staff not following the correct procedures.
- The company said almost all of those affected were Virgin customers with television or fixed-line telephone accounts, although the database also included some Virgin Mobile customers as well as potential customers referred by friends as part of a promotion.
Zynga Faces Lawsuit Over Massive Words with Friends Breach
- The Zynga complaint was filed on behalf of a minor and his parent, in the U.S. District Court for California. It seeks class status and at least $5 million in damages.
- It accuses the game developer of negligence and a failure to safeguard victims’ personally identifiable information (PII), thanks to “substandard password security.” The complaint continues that the incident could lead to “further irreparable harm to the plaintiffs’ personal, financial, reputational and future well-being.”
The breaches at J.Crew, T-Mobile, and two units of cruise-line operator Carnival Corp. show that millions of customers can feel the effect of even the simplest exploit.
- The separate incidents show how data theft knows no market-based limits.
- J.Crew said that customers’ email addresses and passwords were obtained by an unauthorized third party and that significant additional personal information could have been accessed in the April 2019 incident.
- T-Mobile disclosed a breach affecting an unknown number of customers.
- Holland America Line and Princess Cruises, two units of Carnival Corp, disclosed a breach from May 2019 in which personal information including mail accounts, names, Social Security numbers, and credit card information was illegally accessed.
WEEK OF MARCH 23, 2020
Survey by Security.org found that one in four Americans won’t do business with data-breached companies
- In 2018, roughly five billion people had their information and sensitive data exposed due to hacks.
- The findings showed that almost one in four Americans stop doing business with companies who have been hacked, and more than two in three people trust a company less after a data breach.
- Breaches normally expose email addresses (49.5%) or full names (47.8%), but 13.8% of breaches expose credit card information and 11.8% of breaches expose debit card information.
Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
- In a brief statement, the company confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft of data.”
- Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data. The DoppelPaymer ransomware has been active since mid-last year, and its victims have included the Chilean government and Pemex, Mexico’s state-owned petroleum company.
A shocking 623 million records breached in February 2020 alone
- At first glance, February appears to be a big improvement cyber security-wise compared to the start of the year. The 632,595,960 breached records account for about a third of January’s total, and the figure is considerably lower than for this time last year.
- Unfortunately, the number of breached records doesn’t tell the full story, as there were a whopping 105 incidents – making February 2020 the second leakiest month we’ve ever recorded.
Home Office Admits to 100 GDPR Breaches in EU Scheme in just five months
- The Home Office claimed it is getting better at data protection. The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
- Between March 30 and August 31, 2019, the government department admitted a catalog of errors including misplaced passports, documents sent to the wrong recipient’s address and unauthorized disclosure, according to the Independent Chief Inspectorate of Borders and Immigration (ICIBI).
A researcher at Security Discovery found that user data of those who connected to free Wi-Fi hotspots at several train stations in the UK had been stored in a non-password protected database
- The database contained 146 million records which included email addresses, age ranges, the reason for travel, device data, and other logs.
- C3UK, which operates the database, restricted public access to the database on Friday, February 14th, the same day that it was reported. As more and more free Wi-Fi hotspots begin to pop up around towns and cities, both providers and consumers will have to start thinking about how to better protect data.
- According to a study conducted by the Ponemon Institute, 68% of respondents say their organization has put more resources toward security technologies to detect and respond quickly to a data breach.
- Since 2017, respondents who say their organization is very confident or confident in their ability to deal with spear phishing attacks have declined from 31% to 23%.
- More organizations are also taking additional steps to prepare beyond their data breach response plan. These steps include:
  - Regularly reviewing physical security and access to confidential information (73%, up 3%)
  - Conducting background checks on new full-time employees and vendors (69%, up 4%)
  - Integrating data breach response into business continuity plans (56%, up 4%)
  - Subscribing to a dark web monitoring service (26%, up 7%)
WEEK OF FEBRUARY 25, 2020
Ransomware installs Gigabyte driver to kill antivirus products
- RobbinHood ransomware deploys novel technique to make sure it can encrypt files without being interrupted.
- Gigabyte’s fault lies in the unprofessional manner in which it dealt with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.
- Other ransomware gangs are expected to incorporate this trick into their arsenals as well, leading to more attacks using this technique.
Powerful Cyber Attack Takes Down 25% Of Iranian Internet
- The NetBlocks internet observatory, which maps internet freedom in real-time, confirmed that there was extensive Iranian telecommunications network disruption, with national internet connectivity dropping to 75%.
- With both fixed-line and mobile network providers impacted, it was seven hours before normal internet connectivity was resumed. This is just the latest in a long line of alleged cyber-attacks against Iranian infrastructure.
- Earlier last year, the U.S. had launched an “offensive cyber strike on Iran to disable the computer systems used to control rocket and missile launches.”
India’s Data Protection Bill Threatens Global Cybersecurity
- The proposed ban on re-identification discourages researchers from investigating security weaknesses—and encourages criminals to exploit them.
- The most alarming feature of the bill is how it would criminalize illegitimate re-identification of user data. Because of this, software vendors might be tempted to initiate legal action against security and privacy researchers, hampering research altogether. Faced with a risk of fines or even prison, who would dare act in good faith, with the public interest in mind?
App Used by Netanyahu’s Likud Leaks Israel’s Entire Voter Registry
- Names, identification numbers and addresses of over 6 million voters were leaked through the unsecured Elector app.
- The security lapse allowed anyone to obtain the leaked information in its entirety without using sophisticated tools. Right-clicking on the Elector app’s home page and choosing “view source” revealed the original code of the internet page. The code revealed all the usernames and passwords of system admins, allowing one to log in and download the registry.
Several email apps were found to scrape the contents of people’s inboxes and sell that data
- Email apps scraping peoples’ inboxes for profit include Edison, Cleanfox and Slice. The apps are primarily interested in tracking “transaction data,” gleaning information from receipts and shipping emails that show people’s consumer behavior.
- A spokesperson for Rakuten, the company that owns Slice, told Business Insider that the company tells its users that it is collecting their data for market research and that the company values “the protection of consumer privacy.”
Facebook employees reportedly feel guilty that the company didn’t fix a known security risk fast enough
- Concerns about the risk posed by “access tokens” – digital keys that allow access to users’ accounts – were raised as early as December 2017. According to the report, Facebook employees said concerns about the tokens were largely ignored, and that the hack “could have been prevented.”
- Hackers were able to generate tokens for other users, gaining access to their accounts, through Facebook’s “View As” feature, leading to 50 million accounts’ access tokens being compromised.
WEEK OF FEBRUARY 17, 2020
GDPR enforcement is on fire
- While fines are not always particularly high, in terms of volume, data protection authorities (DPAs) are rapidly increasing their GDPR enforcement activities. Some interesting trends are:
  - DPAs have levied 190 fines and penalties to date.
  - Failures of data governance — not security — trigger the most fines and penalties.
  - Breaches get the enforcement ball rolling but are just a starting point.
  - Compromised data from a single customer can be expensive.
  - Failure to respect individuals’ rights will lead to the next wave of fines and penalties.
  - Third-party risk management is the next big thing in the privacy arena.
Toll stops services after security breach
- Toll has not said how many customers are affected. The company delivers 95 million items around the globe every year, including United States travel documents to Australians.
- “As a precautionary measure, in response to a cyber security incident on Friday, Toll deliberately shut down a number of systems across multiple sites and business units,” a spokesperson said.
- “Toll is making progress with our recovery activities to restore our systems and Toll customer-facing applications,” the spokesperson said.
Twitter Data Breach: Govt Accounts Tried To Access User Phone Numbers
- A large network of fake accounts was being used to exploit its API and match usernames to phone numbers.
- “While we identified accounts located in a wide range of countries engaging in these behaviours, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” Twitter said. The company said it is also possible that some of these IP addresses may have ties to state-sponsored actors.
Pabbly Email Marketing Exposes 51.2 Million Records Online
- One more data leak in recent times, caused by leaving a publicly accessible cloud database unprotected by a password.
- The records appear to go back to 2014 and contained customer names, email addresses, subject lines, email messaging and more internal records like host path and SMTP data. It should be noted that Pabbly also offers email scrubbing where users upload their own lists and they will remove invalid, duplicate email addresses and provide users with a “clean list”.
Health Share of Oregon discloses data breach, theft of member PII
- A burglary and stolen laptop from GridWorks IC, a vendor hired by Health Share of Oregon, has led to the exposure of Medicaid member data.
- Information contained on the laptop included names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. This data can now be considered potentially compromised, but the CCO says that no personal medical histories were involved in the data breach.
- Due to the nature of the theft, Health Share of Oregon is not able to confirm what happened to the laptop and information contained therein, including whether or not the records have been utilized or sold.
Major Data Breach Exposes Card Details of Half a Million Indians
- Cybersecurity company Group-IB on Friday revealed that a database of over 460,000 payment card records had been posted on one of the most popular darknet card shops on 5 February.
- The worrying bit about the report is that over 98 percent of records detected belonged to some of the biggest Indian banks. And it also mentions the market value of this database on the dark web is estimated at more than $4.2 million. This is the second major incident to have been reported in less than six months involving data of Indian debit or credit card users.
WEEK OF FEBRUARY 10, 2020
China wakes up to wide web of online data leaks and privacy concerns
- State broadcaster CCTV reported that the data was illegally mined from financial lending platform databases by a web of small-scale tech firms. Those firms then sold the information to other small-scale lenders for as little as 0.1 yuan (1 US cent) per piece.
- The problem is apparently widespread in China. Ninety-five per cent of respondents to a survey by Southern Metropolis Daily last month said their personal data had been stolen. Nearly half believed e-commerce and financial lending apps had serious privacy issues, and almost 80 per cent were concerned that their facial recognition data could be leaked from apps.
Wawa Breach May Have Compromised More Than 30 Million Payment Cards
- The fraud intelligence company Gemini Advisory discovered that stolen payment card data from the Wawa data breach had been uploaded to Joker’s Stash, an online cybercrime marketplace.
- According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.
- Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.
Breach at Indian airline SpiceJet affects 1.2 million passengers
- Each record included details such as name of the passenger, their phone number, email address and their date of birth.
- The security researcher, who described their actions as “ethical hacking” but whom we are not naming as they likely fell afoul of U.S. computer hacking laws, gained access to one of SpiceJet’s systems by brute-forcing the system’s easily guessable password. An unencrypted database backup file on that system contained private information of more than 1.2 million passengers of the budget-carrier last month, TechCrunch has learned.
Japanese company NEC confirms 2016 security breach
- NEC needed seven months to discover the hack, did not disclose it publicly.
- NEC said they failed to detect the intrusion until June 2017, when they finally spotted unauthorized encrypted traffic originating from one of its internal systems. The company said it managed to decrypt this traffic in July 2018. According to its investigations, the decrypted traffic revealed that the attacker exfiltrated 27,445 files from its defense business division.
Phone Hacks Can Happen to Anyone. Here’s How to Protect Yourself.
- Start by knowing what could expose you to an attack, like vacation clues, hotel Wi-Fi and inadequate verification procedures.
- In the last two years, security experts have seen a steady increase in simple schemes to get into accounts, like phishing, as well as more complicated campaigns to gain control over a victim’s financial life, like taking over a phone or a computer.
- The scariest threats yet may be the plots in which criminals impersonate an adviser, an employee or even a family member to get approval for a transaction.
AppSec Concerns Drove 61% of Businesses to Change Applications
- The marketplace is beginning to pinch the software industry for application security failings and complications, according to a new Dark Reading study.
- Some have even left behind commercial software and migrated to open source or in-house homegrown applications.
- Meanwhile, attacks exploiting vulnerabilities in open source code libraries have increased — and while that might initially make open source applications appear less attractive, these components are also frequently used by internal development teams and commercial software vendors alike.
WEEK OF FEBRUARY 04, 2020
Microsoft Security Shocker As 250 Million Customer Records Exposed Online
- A new report reveals that 250 million Microsoft customer records, spanning 14 years, have been exposed online without password protection.
- Microsoft has been in the news for, mostly, the wrong reasons recently. There is the Internet Explorer zero-day vulnerability that Microsoft hasn’t issued a patch for, which came just days after the U.S. Government issued a critical Windows 10 update now alert. Now a newly published report has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.
Data leak strikes US cannabis users, sensitive information exposed
- A database backing point-of-sale systems used in medical and recreational marijuana dispensaries has been compromised.
- According to VPNMentor, PII belonging to 30,000 individuals was leaked. In total, over 85,000 files were exposed to anyone who stumbled across the database. The full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts were all available to view.
GDPR: Top UK law firms falling victim to human error
- Statistics reveal that nearly half (48%) of top UK law firms have reported data breaches since the GDPR came into force, and of those breaches, 41% were a result of human error.
- Figures obtained from the Information Commissioner’s Office (ICO) reveal that nearly half (48%) of the top 150 law firms have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of human error (emailing the wrong person).
- To prevent further situations like this, the ICO recommends that organizations:
  - Protect staff from emailing the wrong person
  - Avoid leaking sensitive information
PSA ends Teleserv deal over data breach complaints
- The Philippine Statistics Authority (PSA) ended its deal with Teleserv Inc., which it blamed for two complaints of data privacy breach before the National Telecommunications Commission (NTC).
- PSA ended the deal after finding that Teleserv was responsible for the two cases of data privacy breaches now pending before the NTC, but it will continue to deliver civil registry documents online through its in-house Serbilis. While Serbilis had key performance indicators to measure the effectiveness of its services, Teleserv lacked such metrics and unnecessarily exposed private citizens’ data to third parties.
Amazon engineer calls for Ring to be ‘shut down immediately’ over privacy concerns
- Amazon software engineer Max Eliaser said the home security company should be “shut down immediately.”
- “The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society,” Amazon software development engineer Max Eliaser said in a post published to Medium on Sunday. “The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back.”
Avast Antivirus Collected and Sold Users’ Web Browsing Data, Company Responds
- Avast is still continuing to harvest users’ data via its antivirus apps, but the company says it is prompting existing users to make an opt-in or opt-out choice.
- In a sensational revelation, an investigation on Monday claimed that the popular Avast antivirus — installed on nearly 435 million Windows, Mac, and mobile devices globally — harvested users’ data via browser plugins and then sold it to third parties, including Microsoft and Google. The joint investigation by Motherboard and PCMag that relied on leaked user data and other company documents found that “the sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it”.