MENTIS news

Week of May 6, 2019

Massive Data Breach Exposes Ages, Addresses, Income On 80 Million US Families*:

  • A team of Israeli security researchers discovered a massive unprotected database with the full names, ages, income brackets and marital status on more than 80 million U.S. households.
  • They were, however, unable to identify the owner of this database, which is hosted on a Microsoft cloud server and holds a 24GB cache of data, a potential goldmine for cybercriminals.
  • The researchers were led by Noam Rotem and Ran Locar, who teamed up with vpnMentor, a site that focuses on virtual private networks and web privacy.
  • The team verified the accuracy of some of the data but made an ethical decision to not download the data to help protect the privacy of the individuals who may be affected.
  • vpnMentor is asking anyone who might be able to help them identify the owner of the database to contact them at info@vpnmentor.com.
  • The site suspects that the database is owned by an insurance, healthcare, or mortgage company, although it says that information you’d expect to find in a database owned by brokers or banks is missing.
  • While this is hardly the first time large-scale data has been exposed – think Equifax, Facebook and numerous others – vpnMentor believes this is the first time a breach of this size has included people's names, addresses, and income.
  • The potential risk may take many forms.
  • One is a phishing attack in which a hacker can embed dangerous links inside emails that look like they come from legitimate financial institutions or other companies, leading in some cases to ransomware, where you’d have to pay a fee to reclaim your computer.
  • And just knowing your age and income level means an attacker can identify who among the 80 million families are the most vulnerable.

*Source: USA Today, April 29, 2019


Credit Card Compromise Up 212% As Hackers Eye Financial Sector*:

  • More than one-quarter of all malware attacks target the financial services sector, which has seen dramatic spikes in credential theft, compromised credit cards, and malicious mobile apps as cybercriminals seek new ways to generate illicit profits.
  • The first quarter of 2019 saw a 212% year-over-year spike in compromised credit cards, 129% surge in credential leaks, and 102% growth in malicious financial mobile apps.
  • Banks and other financial services organizations were targeted in 25.7% of all malware attacks last year – more than any of the other 27 industries tracked.
  • Researchers point to two key events that largely shaped the modern financial services threat landscape: the shutdown of cybercriminal forum Altenen and "Collections #1-5," a major global data leak earlier this year.
  • In January 2019, roughly 2.2 billion usernames and passwords were leaked on the Dark Web in an incident dubbed "Collections #1-5," named for the relatively bland file names containing the data.
  • Researchers saw a major increase in leaked credentials during this time frame – credential leaks in the first quarter of 2019 nearly doubled those of any of the previous four quarters.
  • There was also the shutdown of Altenen, a major hub for buying and selling credit card data that was taken down in May 2018 when Israeli authorities arrested its manager.
  • Researchers estimate Altenen facilitated fraud for more than 20,000 credit cards and $31 million in money laundering.
  • Since it was taken down, new sites – including Altenen.nz – emerged in its place, but experts say it's unlikely any of the substitutes will grow to reach the scale of the original.
  • Credential theft is a pervasive and dangerous threat in financial services, Accenture researchers note in a new report on industry threats.
  • In 2018, more than 43,000 breaches across industries involved the use of customer credentials stolen from botnet-infected clients.
  • Credential theft is a rapidly growing threat to enterprise networks, especially if cybercriminals gain access to the username and password of a privileged employee.
  • With this level of access, they don't need malware to achieve their goals.
  • In addition to credential compromise, IntSights researchers saw 9,708 instances of exposed credit card data in the first quarter, marking a 212% increase year-over-year.
  • The number of leaked credit cards continued to rise throughout 2018 and spiked in the first quarter of 2019.

*Source: Dark Reading, April 29, 2019


California Consumer Privacy Act: 4 Compliance Best Practices*:

  • The California Consumer Privacy Act (CCPA) — the toughest privacy law in the United States — will go into effect January 1, 2020, with enforcement beginning no later than July 1, 2020.
  • The CCPA, like the existing EU General Data Protection Regulation (GDPR), broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information.
  • For compliance leaders, such as chief privacy officers (CPOs) and data protection officers (DPOs), the act represents an opportunity to operationalize privacy and make it a strategic priority for gaining competitive leverage.
  • To prepare for the impending regulation, CPOs and DPOs should secure a budget, develop the key processes, and evaluate tools that will help their organizations build and implement a compliance plan.
  • The plan will need to include a comprehensive data inventory describing which business processes are in the scope of CCPA and where the gaps are in compliance processes.
  • Compliance leaders should adopt the following best practices to help achieve CCPA compliance:
    • Transparency in Policy Language.
      • By January 2020, businesses must provide consumers with specific information pertaining to the new regulation.
      • For example, consider when a consumer downloads a ride-sharing application.
      • The user will receive a privacy prompt asking if they are OK with the company collecting certain information, and must hit "accept" or a similar call-to-action button to indicate either that they understand the policy or that they would like to read the full policy.
      • In addition, the app must also update those prompts to explain how the CCPA affects what rights users have related to privacy protection, and how those rights differ from pre-CCPA rights.
      • To comply with this mandate, organizations must update privacy notices at least annually by describing how CCPA statutes affect data collection and users' privacy options, ensure those notices meet the transparency requirements of any applicable laws, and formally document that process.
    • Looping in Data Processors.
      • Businesses are now required to report consumer data deletion requests from a company's database to its service providers, which are also liable for civil penalties under the CCPA for noncompliance.
      • If a retail company collects user data, it must also ensure it has evaluated and determined that any customer relationship management (CRM) service provider with which it works is compliant with CCPA regulations.
      • Service providers must also ensure they have the requisite privacy processes and mechanisms in place to support companies that use their services.
    • Recourse for Data Requests.
      • Consumers will have the right to obtain, within 45 days, their personal information from a business.
      • Consumers also have the right to request their personal information in a format that allows them to transmit it to another organization.
      • To ensure compliance, organizations will need to review how they currently respond to data access requests, assess how well those processes work, address compliance gaps, and find ways to automate, scale, and simplify manual compliance-related processes.
    • Data Deletion Standards.
      • Consumers may request that businesses delete their personal information.
      • Companies will need processes and mechanisms to respond to consumer deletion requests, identify where the data resides, and demonstrate to the customer that the information has been removed from their databases.
      • Businesses that complied with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start on dealing with CCPA.
      • However, all companies that fall under CCPA jurisdiction — whether or not they are affected by GDPR — will need to enhance their data management practices and expand their individual rights processes by the January 1, 2020, deadline.
      • Companies that get ahead of CCPA compliance will not only minimize the risk of sanctions but be able to carve out a greater competitive edge over companies that lag behind.

*Source: Dark Reading, April 30, 2019


Job Recruitment Site Ladders Exposed 13 Million User Profiles*:

  • Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.
  • The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data.
  • Sanyam Jain, a security researcher and a member of the GDI Foundation, a non-profit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.
  • Within an hour of TechCrunch reaching out, Ladders had pulled the database offline.
  • TechCrunch verified the data by reaching out to more than a dozen users of the site.
  • Several confirmed their data matched their Ladders profile.
  • One user who responded said they are “not using the site anymore” following the breach.
  • Each record included names, email addresses and their employment histories, such as their employer and job title.
  • The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.
  • Many of the records also contained detailed job descriptions of their past employment, similar to a résumé.
  • Although some of the data was publicly viewable to other users on the site, much of it contained personal and sensitive information, including email addresses, postal addresses, phone numbers and approximate geolocation derived from the user's IP address.
  • The database contained years’ worth of records.
  • Some records included work authorizations, such as whether the user is a U.S. citizen or on a visa such as an H-1B. Others listed the user's U.S. security clearance alongside the corresponding jobs, such as telecoms or military.
  • More than 379,000 recruiters’ information was also exposed, though the data wasn’t as sensitive.
  • Security researcher Jain recently found a leaking Wi-Fi password database and an exposed back-end database for a family-tracking app, including the real-time location data of children.

*Source: Tech Crunch, May 02, 2019


Data Privacy Regulations Are Coming, And The Number 50 Is Worrisome*:

  • When news of the Facebook/Cambridge Analytica scandal broke last year, the shock should not have been that it happened, but that so few Americans were even aware such data violations actually occur.
  • While identity theft and data loss have always been the primary security concerns for consumers and organizations, data privacy rarely got mentioned.
  • This, of course, has changed, and Facebook was the perfect poster child to bring data privacy to light.
  • Considering its young billionaire founder, the politics of today, and the fact that its billions of users post personal things on it daily, Facebook was ripe for mainstream attention when it came to data privacy.
  • With Facebook’s high-profile congressional testimony behind us, and politicians and business leaders racing to voice their newfound concern for sound data privacy practices, the inevitable is coming: regulation.
  • Regulation is often a dreaded word for many business executives. It’s even something many have crafted entire careers fighting. But here’s a more radical approach: Stop resisting.
  • Business leaders should not only embrace data privacy regulations, they ought to actively push for a federal law covering all Americans.
  • Before you dismiss this notion, consider the alternative: outright chaos that benefits no one.
  • In 2020, California is set to enact the most stringent data privacy law in America, known as the California Consumer Privacy Act (CCPA).
  • The CCPA is robust — covering many of the concerns people have regarding data privacy.
  • With provisions such as the right to know what type of data is being collected on them, and to whom their data is being sold, the CCPA has individuals cheering and businesses scrambling.
  • But the breadth and depth of the California law shouldn’t be businesses’ main concern.
  • The larger issue is the very real (and scary) possibility of all 50 states enacting their own versions of such a law.
  • Now that should keep the C-suite up at night.
  • Driven by residents’ newfound understanding of, and concern about, how their data is being handled, state leaders are reacting.
  • Several states are currently moving forward or proposing new data privacy laws, with many other states sure to follow suit.
  • Now this is at the state level, which has myriad resources and budgets to put forth such laws.
  • The majority of companies, to put it bluntly, simply don’t have the expertise or resources to effectively handle the data requirements involved in dealing with 50 different data privacy laws.
  • Imagine 50 different laws with each potentially having different opt-in clauses, different rules on what is in fact personal data, and different rights regarding whether a person can request that their data be erased.
  • The data governance, people, and processes alone are too overwhelming to even think about.
  • It would be like a flight attendant asking passengers to select a meal from 50 different options, have him/her prepare each meal and then figure out which passenger should receive which meal.
  • This is essentially what it would look like if each state enacted its own data privacy law.
  • Multiple flavours of data privacy laws would not only slow the pace of business and innovation, but also would achieve chaos and zero results. A tragic loss across the board.
  • There are two proposals currently making the rounds in the legislative branch: the Data Care Act and The Information Transparency and Personal Data Control Act.
  • The Data Care Act covers a broad range of personal data from social security numbers to user passwords and would require user permission before information on them is sold.
  • The Information Transparency and Personal Data Control Act centres mostly on opt-in consent and how information is being shared with third-parties.
  • The impact on privacy if just one of these acts becomes law is that it gives control to individuals over their data and the power of a single regulator to ensure data privacy for all Americans.
  • While it would require a significant amount of work from organizations to become compliant, the goal is to comply with one law – not several. And that makes all the difference.
  • While still far from becoming law, the intent of these acts deserves and requires bi-partisan support.

*Source: Information Week, April 29, 2019

