More Than 95,000 Data Breach Complaints Since EU Rules Kicked In*:
- Europe’s data protection regulators have received more than 95,000 complaints about possible data breaches, eight months after the adoption of a landmark EU privacy law, the European Commission said on Friday.
- The General Data Protection Regulation (GDPR) gives new powers to privacy enforcers, allowing them to levy fines of up to 4 percent of global revenue or 20 million euros ($23 million), whichever is higher.
- Last week, the French data protection watchdog slapped a 50 million euro fine on Alphabet-owned Google for failing to properly obtain users’ consent for personalized ads, the largest sanction under GDPR rules to date.
- More penalties could come as Europeans become more aware of their rights, EU digital chief Andrus Ansip, European Commission Vice President Frans Timmermans, EU justice chief Vera Jourova and EU digital economy commissioner Mariya Gabriel said in a joint statement.
- The majority of the complaints focused on telemarketing, promotional emails and video surveillance by closed-circuit televisions.
- Privacy regulators have opened 225 investigations to date.
*Source: Reuters, January 25, 2019
Apple Rushes To Fix FaceTime ‘Eavesdropping’ Bug*:
- Apple has acknowledged a flaw in its FaceTime software that allowed for brief eavesdropping - even if the recipient did not pick up.
- In some cases the target iPhone could send video without the receiver's knowledge.
- The company said it had developed a fix and an update would be rolled out this week.
- In the meantime, Apple's status page shows it has disabled the ability for users to make group calls on FaceTime.
- The flaw, first revealed by the 9to5Mac blog, appears to occur when both users are running version 12.1 of Apple's mobile operating system iOS, or newer.
- It also affects Mac users when they are called from an iPhone.
- The technique involves using the software's group chat function, apparently confusing the software into activating the target's microphone, even if the call has not been accepted.
- The eavesdropping ends when the call is cut after too many rings.
- In addition to audio, 9to5Mac reported that pressing buttons to block the call or turn off the device would result in video being sent to the call-maker, without the recipient's knowledge.
- On social media, concerned users - including Twitter chief executive Jack Dorsey - suggested disabling the FaceTime function altogether, which can be done via the device's settings menu.
- Discovery of the flaw coincided with National Privacy Day in the US, a day heralded by Apple boss Tim Cook.
- New York governor Andrew Cuomo advised his state's residents "to disable their FaceTime app until a fix is made available"
- He said: "The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk.
- Apple also recently made a big play of its privacy credentials at the recent CES tech expo in Las Vegas.
- The company did not attend but placed a billboard near the event, reading: "What happens on your iPhone, stays on your iPhone."
- The timing of the revelations about the bug is awkward for Apple, which is due to announce its latest earning report on Tuesday.
- Analysts may question Mr Cook about the flaw.
*Source: BBC, January 29, 2019
SWIFT Says Helping Bangladesh Bank Rebuild Network After Cyber Heist*:
- International payments network SWIFT said on Saturday it had signed an agreement with Bangladesh’s central bank to help it rebuild its infrastructure after hackers used it to steal $81 million in 2016 in the world’s biggest cyber heist.
- Unidentified hackers, suspected to be from North Korea, carried out the heist by breaching Bangladesh Bank’s systems and using the SWIFT network to send fraudulent money transfer orders to the New York branch of the U.S. central bank, with which the Dhaka bank has an account.
- SWIFT’s comments came after the New York Fed on Friday agreed to provide “technical assistance” to Bangladesh Bank in its lawsuit against Manila-based Rizal Commercial Banking Corp (RCBC).
- RCBC was used to funnel the money, much of which disappeared into the casinos of the Philippines.
- The firm would continue to lend its support to international efforts to protect the global financial system from future cyber attacks, it added.
- SWIFT - the Society for Worldwide Interbank Financial Telecommunication, a cooperative used by thousands of financial institutions around the world - did not say if it would also help Bangladesh Bank with the court case in New York.
- A person familiar with the technical assistance agreement said the Fed would prepare affidavits and clear employees to testify at hearings or a trial, and also allow Bangladesh Bank to interview employees.
- It would also provide relevant non-privileged documents and information to Bangladesh Bank or to the court.
- Bangladesh Bank lawyer Ajmalul Hossain QC declined to comment on SWIFT’s role in the legal case against RCBC.
- In its suit filed with the U.S. District Court in Manhattan, Bangladesh Bank accused RCBC and dozens of others, including several top executives, of involvement in a “massive” and “intricately planned” multi-year conspiracy to steal its money.
- A 2016 Reuters investigation into the heist found that a series of missteps and miscommunication between the Fed and Bangladesh, little emergency backup, and slow reactions in New York to early warning signs all contributed.
*Source: Reuters, February 02, 2019
India’s Largest Bank SBI Leaked Account Data On Millions Of Customers*:
- India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.
- The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used to request basic information about their bank accounts by customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500.
- But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.
- It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.
- SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts.
- t’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service.
- By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and will send back the current amount in that customer’s bank account.
- The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans.
- It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.
- The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions.
- The database also contained the customer’s partial bank account number.
- Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.
- The bank sent out close to three million text messages on Monday alone.
- The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.
- We verified the data by asking India-based security researcher Karan Saini to send a text message to the system.
- Within seconds, we found his phone number in the database, including the text message he received back.
- Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ridesharing app.
- SBI claims more than 500 million customers across the globe with 740 million accounts.
*Source: Tech Crunch, January 31, 2019
Play Boy Sues For Renting Out Subscribers’ Personal Information*:
- Playboy Enterprises Inc. violated Michigan privacy law by renting out personal information about its subscribers to data aggregators without their notice or consent, a new complaint alleges.
- The complaint alleges Playboy rents subscribers’ personal information—including full names, titles of the magazines they subscribe to, and home addresses—to data aggregators and cooperatives.
- These companies supplement Playboy’s mailing lists with additional sensitive personal information from their own databases, the lawsuit alleges.
- Playboy then rents the enhanced mailing lists to companies like advertisers, political organizations, and non-profits to identify and target Playboy subscribers by personal details like income, religion, and political affiliation, it alleges.
- Playboy never informed or obtained consent from its subscribers before disclosing the information, the complaint says.
- The lawsuit was filed Jan. 30 in the U.S. District Court for the Eastern District of Michigan by a proposed class of Michigan residents who are Playboy subscribers.
- They allege the company violated the state’s Preservation of Personal Privacy Act, which prohibits sellers of publications from disclosing information that identifies buyers.
- The class also sued Playboy for unjust enrichment, arguing Playboy should pay back the money it made from the rental, exchange, or disclosure of the class’s personal information
- Playboy didn’t immediately respond to a request for comment.
*Source: Bloomberg, February 01, 2019
Metro Bank Hit By Cyber Attack Used To Empty Customer Accounts*:
- Metro Bank has become the first major bank to fall victim of a new type of cyber attack targeting the codes sent via text messages to customers to verify transactions.
- Hackers were able to intercept an additional layer of security offered by Metro Bank, which asks customers to type in a code sent by text message to their phones to confirm transfers and payments.
- The attack, which was first discovered by Motherboard, involved hackers tracking phones remotely and intercepting messages to authorise payments from accounts.
- Other banks are understood to have also been affected by this attack.
- Hackers were able to exploit flaws in SS7, a protocol used by telecoms companies to coordinate how they route calls and SMS messages around the world.
- A Metro Bank spokesman said that a "small number" of the bank's customers had been affected.
- Metro Bank first reported the issue to authorities.
- Other companies were affected by this cyber attack, but have not been made public.
- Telecoms giant BT said that it is aware of the potential of SS7 being used to try to commit banking fraud.
- Metro Bank has had a difficult week after it was forced to admit that the Bank of England found a flaw in its accounts despite having previously claimed that it had spotted the error itself.
- Investors were told that the bank's risky assets would be $900m higher than expected due to the error.
*Source: Telegraph, February 01, 2019