MENTIS

Week of December 14 2018


Amazon Fires Employees Over Data Leak As It Fights Seller Scams*:

  • Amazon has fired several employees suspected of providing independent merchants with inside information as the company tries to crack down on seller scams
  • Amazon let go of several workers in the U.S. and India who allegedly inappropriately accessed company data that disreputable merchants had misused
  • The dismissals came after Amazon began investigating suspected data leaks and bribes of its employees
  • Some employees in India and China working as customer support have said that their access to an internal database that allows them to find data about specific product performance or trending keywords has been dramatically limited.
  • Amazon has also deleted thousands of suspect reviews, restricted sellers' access to customer data on its platform, and quashed some methods to force the site to bring up certain products higher in search results
  • Amazon told The Hill in a statement that the company is cracking down on people who try to undermine merchants on its website, sometimes employing machine learning to block destructive acts.
  • Amazon is also combating fake reviews of products, scrubbing thousands of reviews from single products in a day in some instances.
  • One person familiar with the matter told the Journal that some of the reviews caught up in the purge were actually legitimate.

*Source: The Hill, December 10, 2018


Nearly Half Of The Cloud Databases Aren’t Encrypted*:

  • Palo Alto Networks published an analysis of corporate cloud security on Tuesday, and some of the results weren't pretty: 49% of cloud databases aren't encrypted.
  • Any important database should be encrypted.
  • That's not purely a cloud problem.
  • There are inherent security advantages and a few disadvantages to the cloud, but the bottom line is that no matter where you put data, basic security hygiene is still important.
  • In the same study, Palo Alto found that corporations were failing to meet many industry standards — missing more than half of the CIS AWS Foundations' best practices, around two-thirds of NIST best practices and GDPR requirements, and around 90% of HIPAA and PCI requirements.

*Source: Axios, December 11, 2018


Security Breach Of Over 120 Million Taxpayers In Brazil*:

  • Recently, the Brazilian Tax ID database, better known as Cadastro de Pessoas Fisicas (CPF ID), covering over 120 million taxpayers, suffered a security breach.
  • The data available online included the personal details of citizens in Brazil.
  • That amounts to over half of Brazil’s total population.
  • Apparently, this data was exposed by a server which reportedly overlooked basic security controls.
  • However, there is no clarity on the exact period during which this data remained publicly accessible.
  • The security breach was discovered by InfoArmor, an IT Security firm.
  • InfoArmor reportedly stated that the size of the file available online changed during their observation while it remained publicly accessible.
  • According to the firm’s observation, an 82 GB file was apparently replaced with a 25 GB .SQL file.
  • Therefore, it is possible that the administrator was unaware of this vulnerability and continued to work and upload data to the vulnerable site.
  • Presently, the top concern is the privacy of the personal data that was leaked.
  • It is evident that the person who leaked this data had access to the Nation’s official identifications’ database.
  • With this leak, it is quite evident that these details were available to third parties, who made them publicly accessible, as the ‘index.html’ file was reportedly renamed to ‘index.html_bkp’.
  • The Brazilian CPF ID is an essential document required to pay taxes, have a loan sanctioned, to operate a business or even to open a bank account in Brazil.
  • In short, the CPF ID is the ID used to carry out financial transactions and dealings.
  • Since the server remains untraceable, it is evident that public access was granted by those with technical expertise.
  • Therefore, it is presumed that the concerned person knew what they were doing.

*Source: Latest Hacking News, December 15, 2018


Rhode Island Sues Google Over The Two Google+ Data Breaches*:

  • Rhode Island general treasurer Seth Magaziner announced that the Employees’ Retirement System of Rhode Island filed a motion to lead a shareholder class action lawsuit against Google parent company Alphabet, Inc.
  • The motion is pending in the U.S. District Court for the Northern District of California.
  • The lawsuit accuses Google of misleading shareholders and federal regulators when it didn’t disclose the two Google+ data breaches while they were ongoing.
  • “Google had an obligation to tell its users and investors that private information wasn’t being protected,” said Magaziner.
  • “Instead, Google executives decided to hide the breaches from its users and continued to mislead investors and federal regulators. This is an unconscionable violation of public trust by Google, and we are seeking financial restitution on behalf of the Rhode Island pension fund and other investors.”
  • Google discovered the first Google+ data breach in March and waited until November to disclose it. Making matters worse, the vulnerability was reportedly live between 2015 and March 2018.
  • Google failed to disclose the breach almost immediately over “fears that doing so would draw regulatory scrutiny and cause reputational damage.”
  • The vulnerability potentially gave third-party developers access to hundreds of thousands of users’ private data.
  • Google disclosed the second Google+ data breach only six days after the company discovered the vulnerability.
  • Approximately 52.5 million users had their public and private profile information potentially exposed to developers.
  • The first data breach led Google to announce it will shut down Google+ for consumers in August 2019. The second data breach expedited that deadline to April 2019.

*Source: Android Authority, December 14, 2018


Facebook Could Face Billion Dollar Fine For Data Breaches*:

  • Facebook could be facing a multi-billion dollar fine after a European regulator announced Friday that it is launching an investigation into the company over failure to protect user privacy.
  • The Irish Data Protection Commission, which oversees Facebook's compliance with European law, confirmed to CNN on Friday that it launched a "statutory inquiry" into Facebook after receiving multiple reports of data breaches affecting the company.
  • News of the inquiry came just as Facebook announced that it had exposed photos from up to 6.8 million users.
  • The incident comes after the company announced in September the biggest security breach in its history, in which hackers accessed the personal information of tens of millions of Facebook users.
  • The inquiry is the result of new powers given to the Irish data regulator as a result of the General Data Protection Regulation (GDPR), a European regulation that came into effect in May.
  • Because Facebook's European headquarters is in Dublin, it must under GDPR inform the Irish data regulator within 72 hours of discovering a breach.
  • Companies found to have run afoul of GDPR could face a maximum fine of $23 million or 4% of their annual worldwide revenue, whichever is higher.
  • In Facebook's case, the company had revenue of almost $40 billion in 2017, which means the company could face a fine of up to $1.6 billion if its revenue for 2018 remains roughly the same.
  • The bug, which involved the exposure of millions of Facebook users' photos and occurred over a 12-day period, was discovered in September.
  • But Facebook reported the breach to its European regulator two months later, on November 22, according to the company.
  • Facebook said it filed the report as soon as it had "established it was considered a reportable breach."
  • Graham Doyle, the regulator's head of communications, said the Irish Data Commission launched an inquiry this week stemming from several breach notifications it has received from Facebook.
  • When Facebook made the announcement of its biggest breach ever in September, the Irish Data Protection Commission expressed concern at the time about the lack of information it said it had received from the company.
  • "We are in close contact with the Irish Data Protection Commission and are happy to answer any questions they may have," a Facebook spokesperson told CNN.

*Source: CNN Business, December 14, 2018


223 E-Case Files Accessed During Data Breach In State Courts System*:

  • Singapore has just seen its criminal justice system fall victim to a data breach, as the State Courts have disclosed that they have become aware of an incident affecting a large number of e-case files.
  • According to the officials, their investigation concluded that a loophole in the electronic system allowed access to unauthorised users.
  • According to ZDNet, the issue was first identified on November 1, when authorities were first alerted to a vulnerability in the Integrated Criminal Case Filing and Management System (ICMS).
  • First launched in 2013, the ICMS is used by a wide range of stakeholders in the context of criminal proceedings, including lawyers, the State Courts, the Attorney General, as well as the police and the Singapore Prison Service.
  • In 2017, the ICMS expanded to include the Accused Person online portal.
  • Accused persons can log into the portal by using their unique e-citizen account through SingPass – which is also used to access other online government services.
  • SingPass is widely embraced as having a strong focus on security, as the service allows users to set up two-factor authentication.
  • The Accused Person online portal can be used to review case details by the accused involved and upload relevant documents into their file that are required in the context of criminal proceedings.
  • This means that the system contains sensitive personal data, most notably information on criminal records of those involved in a case.
  • The breach highlights the need to improve data security when sensitive information is at risk, by correctly identifying and classifying personal data as sensitive, as well as by implementing technical safeguards.
  • This includes measures such as data masking – a process through which intelligent masking algorithms replace real data with realistic yet fictional data.
  • In the Accused Person portal case no such safeguards had been reportedly implemented, which resulted in users gaining unauthorised access to e-case files other than their own in at least 223 instances.
  • Although the data accessed was not in any way tampered with, it seems that the loophole enabled access to information such as name, address, gender, and criminal charges in specific cases.
  • The State Courts have notified the persons that were affected by the incident, but it remains unclear whether they have also alerted the country’s Cyber Security Agency – an obligation that stems from the Cybersecurity Act.
  • The breach has also been reported to the police, and security was tightened across the system to fix the flaw and ensure that the incident would not be repeated.
  • Even though the volume of the incident was relatively small compared to other data breaches worldwide, like the 2017 Uber breach that saw 57 million user accounts compromised or the two Yahoo data breaches that were uncovered in 2016 and saw a combined 3.5 billion users impacted, the news is still alarming.
  • Especially since it comes on the heels of an incident last July that saw roughly 1.5 million patient files compromised after a hacker attack on the SingHealth healthcare database – including personal data on PM Lee Hsien Loong.

*Source: Vulcan Post, December 12, 2018
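The loophole described above, an accused person reading e-case files other than their own, is the classic missing object-level authorization check. The Python sketch below is an added illustration, not code from ICMS or any real system; the in-memory records, account ids and masking key are constructed for the example. It shows the unchecked lookup beside a checked one, plus the data-masking step the article names for views that are not the owner's own.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class CaseFile:
    case_no: str
    owner_id: str  # account id of the accused person (constructed)
    name: str
    address: str
    charges: tuple

# Constructed sample records; every value below is fictional.
CASE_FILES = {
    "SC-2018-0001": CaseFile("SC-2018-0001", "user-a", "A. Tan", "1 Example Rd", ("s.1",)),
    "SC-2018-0002": CaseFile("SC-2018-0002", "user-b", "B. Lim", "2 Example Rd", ("s.2", "s.3")),
}
MASK_KEY = b"constructed-demo-key"  # in practice, fetched from a secrets store

class Forbidden(Exception):
    """Raised when a user asks for a case file they do not own."""

def get_case_vulnerable(case_no: str, _requester: str) -> CaseFile:
    """The loophole pattern from the article: the lookup trusts the case
    number and never compares the record's owner with the logged-in user,
    so any user who supplies another case number reads that file."""
    return CASE_FILES[case_no]

def get_case_checked(case_no: str, requester: str) -> CaseFile:
    """Hardened lookup: resolve the record, then enforce ownership before
    returning it. A missing record and someone else's record both raise
    Forbidden, so the response does not reveal which case numbers exist."""
    record = CASE_FILES.get(case_no)
    if record is None or record.owner_id != requester:
        raise Forbidden(f"{requester} may not read {case_no}")
    return record

def masked_view(record: CaseFile) -> dict:
    """Data-masking step named in the article: for any view other than the
    owner's own (support staff, test copies), replace direct identifiers
    with consistent fictional values. The keyed hash yields the same
    pseudonym for the same person, so records still link up."""
    tag = hashlib.blake2b(record.owner_id.encode(), key=MASK_KEY, digest_size=4).hexdigest()
    return {"case_no": record.case_no, "name": f"Person {tag}",
            "address": "withheld", "charges": list(record.charges)}
```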

