Week of January 07, 2019


Week of January 07, 2019

Singapore Airlines Data Breach Affects 285 Accounts, Exposes Travel Details*:

  • Singapore Airlines (SIA) says a software glitch was the cause of a data breach that affected 285 members of its frequent flyer programme, compromising various personal information including passport and flight details.
  • The "software bug" surfaced after changes were made to the Singapore carrier's website on January 4 and enabled some of its Krisflyer members to view information belonging to other travellers
  • A spokesperson said a review of its system logs revealed 285 such cases, of which 278 might have exposed the member's name, email address, account number, membership tier status, Krisflyer miles, recent miles transactions, upcoming flights, and Krisflyer rewards.
  • The remaining seven accounts might have had their passport details compromised, said the spokesperson, who added that no changes were made to the members' accounts and no credit card details were compromised.
  • "We have established that this was a one-off software bug and was not the result of an external party's breach of our systems or members' accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved," the spokesperson said.
  • The airline said it will contact all affected customers and has "voluntarily informed" Singapore's Personal Data Protection Commission about the data breach.
  • The commission oversees issues related to personal data protection and enforces the country's Personal Data Protection Act, in which companies that are found to have breached stipulated rules can be fined up to S$10,000 (US$7,325) per customer complaint or face a maximum penalty of S$1 million (US$732,532).
  • ZDNet earlier today reported that an SIA customer was able to view someone else's personal data after logging into her Krisflyer account using her user ID and password.
  • These details included the other member's upcoming trip, such as the destination and departure date, as well as his recent transactions, which includes the number of miles he has converted using points from his credit card and a recent trip he took to Tokyo.
  • Upon contacting SIA's customer hotline, the SIA customer was informed by the call agent that the airline was performing a system upgrade and instructed to log out of her account and log back in after 24 hours.
  • Singapore also has a Cybersecurity Bill, passed in February 2018, that outlines a legal framework addressing the management of the country's security infrastructure, including the protection of ICT systems operated by nine critical information infrastructure (CII) sectors.
  • These include the government, banking and finance, energy, water, and aviation -- which is covered under the transport sector -- among others.
  • Under the bill, CII operators are to ensure their systems are adequately protected by cyberattacks.

*Source: ZDNet, January 05, 2018


Private Data Of Hundreds Of German Politicians Released Online*:

  • Data and sensitive information from hundreds of German officials have been released online in what may be the result of a cyberattack, according to German officials.
  • A government spokesperson on Friday said that an initial review found that "no sensitive information and data" related to Chancellor Angela Merkel had been released, though that claim was contradicted by local news agency DPA, which reported that a fax number and email address belonging to Merkel along with several letters to and from the chancellor were among the information released.
  • Government officials have not confirmed specifically who was affected, what type of data was released and whether it was a hack, a leak or another type of data breach.
  • The German public broadcaster RBB reported that the information was posted on a Twitter account over a series of days in December leading up to Christmas.
  • Merkel's entire cabinet was targeted as part of a cyberattack that occurred until at least the end of October, according to the German newspaper Bild.
  • Some of the information released included private emails, mobile phone numbers and private addresses.
  • Politicians from all levels, including the European parliament, were affected by the data breach, a government spokesperson said.
  • Other people of public interest, including artists and journalists, were also among those affected.

*Source: NBC News, January 04, 2019


Marriott International Releases New Information About Data Breach*:

  • Marriott International announced on Friday that over 5 million unencrypted passport numbers may have been compromised in a previously revealed November data breach of the company
  • The company also revealed that the number of guests potentially affected by the breach is lower than initial estimates.
  • Rather than the 500 million total previously stated, the company now believes that up to 383 million guest's data may have been stolen.
  • Even this lowered total still puts the Marriott data breach into the discussion for one of the largest on record, ahead of the Equifax breach which affected nearly 145 million Americans in 2017.
  • The FBI is currently investigating the data invasion.
  • It is unclear who carried out the cyberattack, but investigators believe the hack may have originated from actors in the Chinese government.

*Source: NewsY, January04, 2018


First GDPR Fine In Portugal Issued Against Hospital For Three Violations*:

  • Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the General Data Protection Regulation.
  • The country's supervisory authority, Comissão Nacional de Protecção de Dados, found that there were three violations of the GDPR.
  • First was a violation of Article 5(1)(c), a minimization principle, by allowing indiscriminate access to an excessive number of users, and a violation of Article 83(5)(a) a violation of the processing basic principles.
  • For those, the fine was 150,000 euros.
  • The second, a violation of integrity and confidentiality as a result of non-application of technical and organizational measures to prevent unlawful access to personal data under Article 5(1)(f), and also of Article 83(5)(a), a violation of the processing basic principles.
  • There, the fine was 150,000 euros.
  • Both of the above were punishable with a fine of up to 20 million euros or 4 percent of the total annual turnover.
  • Finally, the CNPD fined under Article 32(1)(b), the incapacity of the defendant to ensure the continued confidentiality, integrity, availability and resilience of treatment systems and services as well as the non-implementation of the technical and organizational measures to ensure a level of security adequate to the risk, including a process to regularly testing, assessing and evaluating the technical and organizational measures to ensure the security of the processing.
  • There the fine was for 100,000 euros, though the maximum fine was 10 million euros to 2 percent of the total annual turnover.
  • The defence submitted by the hospital referred that the CNPD could not be considered as the supervisory authority as per Article 51 because it had not yet been appointed formally.
  • To this, CNPD responded that it is, for all purposes, the national authority which has the power to control and supervise the compliance in terms of data protection in accordance with the current Portuguese Data Protection Law.
  • Also, among its arguments was that the hospital used the IT system provided to public hospitals by the Portuguese Health Ministry and not its own systems.

*Source: IAPP, January 03, 2018


Town Of Salem Hacked Leaving More Than 7.6 Million With Compromised Data*:

  • BlankMediaGames (BMG) has confirmed that it suffered a data breach impacting more than 7.6 million players of popular browser-based role playing game Town of Salem.
  • The breach was first disclosed on December 28th in an anonymous email to security firm DeHashed that included evidence of the server compromise and access to the complete player database.
  • DeHashed state that the total row count of that database is 8,388,894 which included some 7,633,234 unique email addresses.
  • According to the DeHashed disclosure, the compromised data contained email addresses, usernames, IP addresses, game and forum activity, passwords (phpass, WordPress and phpBBstolen) as well as payment information.
  • It also stated "some of the users who paid for certain premium features having their billing information/data breached as well" although this has been disputed by BlankMediaGames.
  • In a January 2nd announcement posted to the official Town of Salem game forum, a spokesperson called 'Achilles' confirmed the breach but stated "We do not handle money.
  • The third party payment processors are the ones that handle all of that.
  • We never see your credit card, payment information, anything like that.
  • We don't have access to that information.
  • The breach confirmation statement did, however, confirm that "The only important data compromised would be your Username/hashed password, IP and email.
  • Everything else is just game related data.
  • BMG also advised users to update their Town of Salem passwords to be safe.
  • The passwords were not stored in plain text but were hashed, which doesn't mean weaker passwords are safe as threat actors can use rainbow tables to decipher common hashed passwords.
  • If these have been reused across multiple sites and services, when coupled to usernames which are also commonly reused they could enable further compromise so all such logins should be updated immediately.
  • If, as it would appear, the encryption used for these passwords was a mix of phpass and MD5 (both used by phpBB) then the change your passwords advice becomes even more urgent regardless of how weak your choice was.
  • MD5 has long been known to be susceptible to brute force attacks and the rainbow tables I mentioned are stupidly large in size for MD5 hashes.
  • The phpass encryption is also known to be extremely weak so whichever was used you can pretty much consider your passwords will be exposed in my opinion.
  • Indeed, according to a poster called 'lleti' in a reddit discussion about the breach more than two million passwords from the compromised database have already been decrypted and are available online.
  • Initially this appeared to be restricted to some 0Day forums on the dark web, but now it is possible to find these decrypted, plaintext, passwords using an appropriate Google search.
  • lleti says that these publicly searchable passwords do not have any additional information such as linked accounts, so the actual value of them for malicious purposes is negligible.

*Source: Forbes, January 03, 2019


Sim Swop Fraud Rises 104%*:

  • There has been a massive increase in cyber-related crimes specifically targeting online and mobile banking apps, warns IRS Forensic Investigations.
  • Other such crimes include phishing, malware, and SIM swops.
  • The SA Banking Risk Information Centre (Sabric) reported that South Africa lost a quarter of a billion rand through these type of banking app frauds in 2017.
  • What is really concerning, however, is that Sabric reported an increase of over 100% in the following year’s study from January to August 2018 in respect of SIM swop fraud in particular.
  • SIM swop incidents doubled from 4040 from January to August 2017 to 8254 over the same period the following year.
  • This is a 104% increase according to Sabric statistics.
  • National police commissioner General Khehla Sitole said at the release of the 2017-2018 financial year crime stats, cybercrime would be added to crime statistics this year.
  • He said the police were gathering more expertise and knowledge about cybercrime, and travelled to China and Thailand to learn more about it.
  • Brigadier Vishnu Naidoo confirmed to the Weekend Argus that the police were developing the cybercrime strategy and it would be integrated into their Organised Threat Analysis strategy.
  • In 2017, Sabric said there were 13438 incidents across banking apps, online banking, and mobile banking which cost the industry more than R250million in gross losses.
  • While incidents from January to August last year showed a 64% increase, this is compared to the same period in 2017.
  • Mobile banking incidents showed an increase of more than 100%, with gross losses of R23593631 and online banking incidents showed an increase of 44% with gross losses of R89368722.
  • Banking app incidents increased by 20%, with gross losses of R70156364.
  • Kalyani Pillay, Sabric chief executive, said criminals were very skilled at using social engineering to manipulate their victims into divulging their personal or confidential information.
  • The Weekend Argus interviewed three victims who had their internet banking illegally accessed with SIM cards swopped and in two incidents, ported to a different cellular network.
  • One man had R3.1m taken out of his business account when a sim swop was authorised without his consent.
  • A 78-year-old man almost lost his life savings when a SIM swop that he also didn’t authorise was done, a second attempt was made to take money out of his account after he got his number back.
  • However, he managed to freeze his bank account.
  • Another man was preyed on twice by cybercriminals. Once in 2016 when they took R1.2m and in December last year. He is still trying to recover R82 000 from the bank.

*Source: IOL, January 05, 2019


Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

scroll top