Week of November 2, 2018


Week of November 2, 2018

Eurostar Resets Passwords Of Customers After Data Breach*:

UK-based railway service Eurostar now counts itself among the victims of a cyber attack.

The service allegedly suffered a credential stuffing attack and has since reset customer passwords.

Initially, the customers didn’t know what had happened.

In response to a query on Twitter, Eurostar simply said maintenance was the reason for resetting passwords.

However, they made a statement later saying the company had identified what they believe to be an unauthorised automated attempt to access accounts.

In order to avoid any damages, Eurostar asked customers to reset passwords.

The incident likely occurred between October 15, 2018, and October 19, 2018.

After noticing the breach, Eurostar informed all customers affected by this incident.

At the moment, Eurostar hasn’t revealed a specific number of customers affected by the breach.

They’re continuing with investigations, and they have informed the Information Commissioner’s Office (ICO) of the incident.

*Source: Latest Hacking News, November 01, 2018


Canada: New Data Breach Reporting Requirements Come Into Force This Week*:

Businesses have new obligations under breach of security safeguards rules coming into force this week in Canada.

Changes to Canada's federal private sector privacy law will require organizations to report certain breaches of security safeguards to the Commissioner's office and to notify those affected.

The number and frequency of significant data breaches over the past few years have proven there's a clear need for mandatory reporting.

Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.

The Office of the Privacy Commissioner of Canada has published guidance to help businesses comply with the new requirements as well as a new reporting form.

The final version of the guidance was developed following a public consultation.

The Commissioner's office received 20 submissions from various sectors on a draft version of the guidance.

Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, which come into force November 1, organizations must:

o Report to the Privacy Commissioner's office any breach of security safeguards where it creates a "real risk of significant harm;"

o Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;

o Keep records of all breaches of security safeguards that affect the personal information under their control;

o Keep those records for two years.

*Source: Post Online Media, October 30, 2018


New Bluetooth Vulnerabilities Exposed In Aruba, Cisco, Meraki Access Points*:

Wi-Fi access points and other devices using Bluetooth Low Energy (BLE) chips made by Texas Instruments contain vulnerabilities that could allow an attacker to take control of the wireless network.

The vulnerable TI chips are used in Wi-Fi access points made by Aruba, Cisco, and Meraki — vendors that together account for nearly 70% of the enterprise WiFi access point (AP) market.

Researchers at Armis, an IoT security firm, found two new, separate vulnerabilities in TI CC2640/50 and TI cc2540/1 chips.

Dubbed "BleedingBit" by the researchers, the vulnerabilities allow exploits in two different attacks.

The first vulnerability, CVE-2018-16986, is an overflow in the field that stores "advertising packets" sent by devices in the AP's area to let the AP know that the device is there.

If an attacker sends a number of well-formed advertising packets containing code, and then a malformed packet with a "one" in either of those two extra bit places, it results in a stack overflow that could allow execution of all that earlier-delivered code.

What kind of code could be delivered? One possibility is a backdoor that would allow the attacker complete access to the device.

The second vulnerability, CVE-2018-7080, affects only Aruba APs, but can deliver larger payload in a single step.

Aruba included an over-the-air download (OAD) feature through BLE as a tool for use in the development process.

When that feature is left active in a production system, an attacker can obtain the hardcoded password and use the feature to completely rewrite the AP's operating system.

Both Cisco and Aruba have issued security bulletins covering the vulnerabilities.

Because of its position within the systems where it's employed, the BLE chip can provide a very powerful point of entry for an attacker.

The problem with both vulnerabilities is that no one considers BLE a risk surface, so it’s a complete blind spot from an organizational perspective.

*Source: Dark Reading, November 01, 2018


FIFA Reveals Second Hack*:

FIFA, the international governing body of soccer, acknowledged this week that its computer systems were hacked earlier this year for the second time, and officials from European soccer’s governing body fear they also might have suffered a data breach.

While full details of the hack and its consequences have not yet been released, some information has begun to emerge.

A phishing campaign succeeded in convincing Union of European Football Associations (UEFA) staff and officials to give up their network credentials, allowing the attackers to access confidential information.

This second hack came to light after a new group of internal documents was obtained by Football Leaks, the same organization that published documents obtained in the earlier leak.

The first hack helped bring down FIFA officials and shed unflattering light on how decisions are made within the organization.

*Source: The New York Times, October 30, 2018


Girl Scouts Hacked, 2800 Members Get Notified*:

The Girl Scouts of America branch in Orange County, Calif., has reported a security breach which could potentially expose the data of 2,800 members and their families.

An unknown third-party actor gained access to an email account operated by the Girl Scouts of Orange County (GSOC) and used the account to send its own messages.

The account had previously been used to arrange travel for group members, GSOC reports.

As a result, the attacker may have been able to obtain personal data with their account access.

In a letter to members, Christina Salcido, vice president of mission operations for the branch, says the email account contained the names, home addresses, birthdates, insurance policy numbers, and health history of girls in the group.

While the account was only compromised from Sept. 30 to Oct. 1, everyone whose data could have been affected is being notified.

Further, GSOC plans to start using a secure portal for processing travel arrangements and says the emails containing members' data have since been deleted.

*Source: Dark Reading, October 30, 2018


CNIL Publishes Statistical Review Of Data Breaches Since Entry Into Application Of GDPR*:

Recently, the French Data Protection Authority (the “CNIL”) published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation’s (“GDPR”) entry into application.

Between May 25 and October 1, 2018, the CNIL received 742 notifications of personal data breaches that affected 33,727,384 individuals located in France or elsewhere.

Of those, 695 notifications were related to confidentiality breaches.

The accommodation and food services sector is the sector in which the highest number of breaches were observed, with 185 notifications.

More than half of the notified breaches (421 notifications) were due to hacking via malicious software or phishing.

62 notified breaches were related to data sent to the wrong recipients, 47 notified breaches were due to lost or stolen devices, and 41 notified breaches were due to the unintentional publication of information.

Most breaches were therefore the result of hacking and intentional theft attributable to a malicious third party, or employees’ unintentional mistakes.

In all other cases, the causes of the breach were unknown or undetermined by the notifying data controller, or the breach was the result of internal malicious actions.

The CNIL advised that businesses should think about data security at the outset of their project, regularly run security updates on operating systems, application servers, or databases, and regularly inform staff of the risks and challenges raised by data security.

The CNIL also reported that it will adopt an aggressive approach when the data controller does not comply with its obligation to notify the CNIL of the breach within 72 hours after having become aware of it.

Failure to comply with that obligation may lead to a fine of up to €10 million or 2 percent of the total worldwide annual revenues.

Conversely, if the CNIL receives the notification in a timely manner, the CNIL will adapt an approach that aims at helping the professionals involved take all the necessary measures to limit the consequences of a breach.

When necessary, the CNIL will contact organizations for the purposes of:

o Verifying that adequate measures have been taken before or after the breach. The CNIL may advise the data controller on any needed improvements. The CNIL may also refer data controllers to the relevant police services or to the web platform to file a complaint.

o Assessing the necessity to notify affected data subjects. For each notification, the CNIL assesses the risks to data subjects and may recommend notifying them of the breach.

*Source: Lexology, October 29, 2018


Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

scroll top