MENTIS

Week of November 9, 2018


Oracle and Equifax Among Seven Firms Accused of Violating GDPR by Privacy International*:

Seven companies including Oracle and Equifax have been accused of violating data protection laws by a privacy rights group and referred to data regulators.

Privacy International (PI) has filed complaints against two data brokers, three ad-tech firms and two credit referencing agencies with French authorities, the Irish Data Protection Commission (DPC) and the Information Commissioner's Office (ICO).

PI is accusing the firms of disregarding data protection principles, including purpose limitation (specifying exactly how data is used), data minimisation (data is held no longer than absolutely required), and data accuracy.

The organisation is basing its accusations on more than 50 subject access requests (SARs) filed with the companies, as well as information the companies have provided in their marketing materials and privacy policies.

The group argues that the companies, which also include Acxiom, Criteo, Experian, Quantcast and Tapad, do not have a legal basis for the way they use people's data, and have not attained appropriate consents.

PI also says they do not have the basis for processing sensitive personal data.

The ICO has already issued assessment notices to data broker Acxiom, as well as credit rating agencies Equifax and Experian.

PI has urged the UK data regulator to widen its ongoing investigations to include the other four firms.

A Criteo spokesperson said the firm was requested to fill a questionnaire on privacy in May, and said they invited PI to meet for further discussions.

They added they did not get a response, and instead learned of the complaint two days ago.

An Acxiom spokesperson said the company's associates need to pass data security and privacy tests, and in May the business passed a Direct Marketing Association (DMA) audit around data privacy and compliance.

Oracle, Equifax and Quantcast refused to comment. Tapad was also approached.

*Source: IT Pro, November 09, 2018

HSBC Warns Customers of Data Breach*:

HSBC has locked some customers out of their online accounts in response to a data breach that saw unauthorised users gain access to a host of financial and personal information.

In a notice to customers, which has been filed with California's Attorney General's office, the bank says: "HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018."

Among the information which may have been accessed is full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

HSBC has not provided exact details on how many customers are affected but Finextra understands that it is less than one per cent of US online accounts.

The bank also believes that personal information obtained from sources other than HSBC was used.

This may have included passwords reused from other, non-HSBC accounts, a technique known as "credential stuffing."

HSBC responded by fortifying its log-on and authentication processes and implementing additional layers of security for digital and mobile access to all personal and business banking accounts.
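Credential stuffing leaves a distinctive trace in authentication logs: one source tries a few passwords each against many different accounts, rather than many passwords against one account. The following detection sketch is an added example, not code from HSBC or from the original article; the log format and the sample events are constructed for illustration, and the window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of online-banking login events (not real HSBC data).
# Fields: timestamp, client IP, username, result.
SAMPLE_LOG = """\
2018-10-05T02:00:01Z 203.0.113.7 alice FAIL
2018-10-05T02:00:02Z 203.0.113.7 bob FAIL
2018-10-05T02:00:03Z 203.0.113.7 carol FAIL
2018-10-05T02:00:04Z 203.0.113.7 dave OK
2018-10-05T02:00:05Z 203.0.113.7 erin FAIL
2018-10-05T02:00:06Z 203.0.113.7 frank FAIL
2018-10-05T02:01:00Z 198.51.100.9 alice FAIL
2018-10-05T02:01:30Z 198.51.100.9 alice FAIL
2018-10-05T02:02:00Z 198.51.100.9 alice OK
2018-10-05T03:30:00Z 192.0.2.44 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_events(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def find_stuffing_sources(text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: distinct_users} for sources that touched at least min_users
    distinct accounts within any sliding window. Successes count too: a stuffing
    run that lands a valid reused password is exactly the event to catch."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in parse_events(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            users = {u for _t, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged
```

The single-account failures from 198.51.100.9 are not flagged: that pattern is an ordinary forgotten password (or a brute force) and calls for per-account lockout rather than a source-level block.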

HSBC has notified those customers whose accounts may have experienced unauthorized access and is offering them one year of credit monitoring and identity theft protection service.

*Source: FinExtra, November 06, 2018

Foreign Smart Cities Face Fines for Breaching GDPR*:

Dr Jacqui Taylor, strategic advisor to the UK Government on smart cities, said that public bodies and companies based abroad could face fines worth millions of pounds if they fail to follow strict rules which protect EU residents from data misuse.

Transgressors can be fined 4 percent of annual global turnover or €20m, whichever is greater.

Cities elsewhere in the world face being “called to account if something goes wrong”, she said, with British citizens able to complain to UK regulator the Information Commissioner if they think their rights have been infringed.

Smart cities across the globe are beginning to collect data from residents and visitors to monitor purchasing, public transport and services use, but there has been controversy about how the data is managed and whether there is enough transparency about what it is used for.

Dr Taylor, the chief executive of web science company Flying Binary, said she had also been advising cities in the Middle East on their responsibilities.

“They took it very seriously because they understood that as a European citizen, if I'm out there, they'll be called to account if something goes wrong, or if I decided that I want a change to how they're managing what their trust model is, because I have that backing of the regulations,” she told the Telegraph.

An example could be where a visitor from an EU country downloads a smart city’s app ahead of visiting in order to access perks such as parking, free Wi-Fi and information about local events.

If they are still in an EU country, they are covered by the law. They may also be covered if their data is collected during a visit, and retained after they leave, although lawyers said the rules on this were less clear.

*Source: The Telegraph, November 10, 2018

Hackers Have Found a New Way to Break Into ATMs and Steal Your Cash*:

As large financial institutions begin to allow customers to withdraw cash with their phones, criminals can now use stolen account information to access hijacked accounts and steal cash, according to Krebs on Security, an internet security news and information site.

Recent incidents in Cincinnati underscore how the scam works.

FBI agents recently made several arrests in the city and are looking for other "yet unknown co-conspirators," according to WCPO in Cincinnati.

The arrests came after Cincinnati, Ohio-based Fifth Third Bank began getting customer complaints about text messages claiming that their accounts were locked, according to the report.

When customers clicked on a link to unlock their accounts, it took them to a fake website that asked for sensitive credentials such as passwords.

This is a classic phishing scam in which victims are prompted for information such as usernames, passwords, one-time passcodes and PINs.

The bank contacted the FBI after losing $68,000 from 17 ATMs in Illinois, Michigan, and Ohio.

In one case, a man made 19 withdrawals totalling more than $9,000; the same man allegedly made other withdrawals.

He had a total of $14,000 in cash at the time of his arrest.

Ultimately, the scam succeeded in stealing personal information from over 120 customers, and losses at Fifth Third Bank totalled $106,000, according to court records cited in the WCPO report.

On November 7, a grand jury indicted four men who participated in the cardless ATM scheme.

Though many customers have likely never heard of cardless ATM transactions, that could change as the feature becomes more popular, giving criminals new opportunities.

In January 2017, a California woman lost $3,000 via a cardless ATM operated by Chase Bank, KrebsOnSecurity added.

“In that incident, the thieves didn’t even need to know her ATM PIN,” KrebsOnSecurity wrote. They were able to use the phone number and mobile device they controlled and associate it with the woman’s Chase account using her username and password.

This time last year, cardless ATMs were offered mainly by the big banks, and then only at some of their ATMs. Now, many smaller regional and local banks have upgraded their cash machines to enable the new technology.

KrebsOnSecurity cites a Mastercard poll in which 78 percent of consumers said they would rather use a cardless ATM than carry a physical card.

*Source: Fox News, November 10, 2018

Canada Post Leaked Personal Data, Orders of Thousands of Cannabis Smokers*:

The decision to make recreational cannabis legal in Ontario, Canada, has been fraught with problems and now has been tarnished by a data breach at Canada Post.

On Wednesday, the Ontario Cannabis Store (OCS) revealed the security incident on Twitter, saying that an unnamed individual was able to access the order records of 4,500 customers, or roughly two percent of the firm's customer base.

The compromised information included names or the initials of nominated signatories, postcodes, dates of delivery, OCS reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.

However, OCS insists that the name of buyers – unless they were accepting delivery – the full delivery address, contents of the order, and payment information were not compromised.

The breach was uncovered on November 1.

Canada Post and OCS have been working together since this date to investigate how the data breach took place, and OCS said a failure by Canada Post to inform customers led to the company taking action.

Canada Post may be in hot water, but over 1,000 complaints have been received by the Ontario Ombudsman relating to OCS, including those describing billing issues, late deliveries, and poor customer service.

A data breach is likely the last thing OCS would want to face when already facing censure over sales – especially when the Ombudsman considered the problem severe enough to issue a press release – and while the regulatory body was only at the stage of monitoring the complaints, the security incident might escalate the situation, whether or not OCS was at fault in this instance.

The OCS is the only legal supplier in the region until April when private retailers are permitted to launch.

The Federal Privacy Commissioner and the Ontario Information and Privacy Commissioner have been informed of the breach.

*Source: ZDNet, November 08, 2018

Hacker Infects 100K Routers in Latest Botnet Attack Aimed at Sending Email Spam*:

A hacker managed to exploit a five-year-old vulnerability in home routers to create a botnet affecting approximately 100,000 home routers.

The botnet was initially discovered in September by researchers from the Netlab team at Qihoo 360, a Chinese internet security company, and it’s likely that the hacker is leveraging this network of compromised routers to send spam emails.

The botnet was built on a 2013 vulnerability in Broadcom's UPnP SDK.

This SDK, which is used on numerous routers, allows an attacker to conduct a remote attack and execute malicious code without requiring any authentication.

Though this latest botnet, which is known as BCMUPnP_Hunter, isn’t the first to exploit this vulnerability, it is the first to use what appears to be new source code to infect routers.

Most Internet of Things botnets today use code that has been leaked online to carry out their attacks, but researchers claim that they have not seen similar code to that used on BCMUPnP_Hunter, suggesting that the hacker is authoring new code for the attack.

Prior to BCMUPnP_Hunter, a widely reported Russian malware had infected routers worldwide, prompting the FBI to issue a warning to consumers to reset their routers.

In carrying out the attack, Netlab security researcher Hui Wang said in a blog post that the bot “has to go through multiple steps to infect a potential target.”

The infected routers act as a proxy that is able to communicate with popular mail servers, such as Outlook, Hotmail, and Yahoo! Mail.

Because of this, Wang’s team believes that the attacker is using the botnet to send out spam.

Additionally, the number of affected routers has steadily grown in the past few months, with a potential to infect 400,000 routers.

BCMUPnP_Hunter affects routers worldwide with Broadcom’s UPnP feature enabled, but India, China, and the U.S. are among the largest targets. A fix hasn’t been reported yet to combat this latest botnet infection.

*Source: Digital Trends, November 08, 2018

New Ohio Law Creates Safe Harbour for Certain Breach Related Claims*:

Effective November 2, 2018, a new Ohio breach law will provide covered entities a legal safe harbour for certain data breach-related claims brought in an Ohio court or under Ohio law.

For the safe harbour to apply, the entity must, at the time of the breach, maintain and comply with a cybersecurity program that:

o contains administrative, technical and physical safeguards for the protection of personal information

o reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law.

The program must additionally be designed to

o protect the security and confidentiality of the information

o protect against any anticipated threats or hazards to the security or integrity of the information

o protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

In determining the necessary scale and scope of the program, businesses should consider what is reasonable in light of the size and complexity of the covered entity, the nature and scope of its activities, the resources available to it, the sensitivity of the information to be protected, and the cost and availability of tools to improve information security and reduce vulnerabilities.

While this safe harbour will not apply to breach of contract claims or statutory violations in a breach suit, covered entities may raise this affirmative defense against tort claims that allege a failure to implement reasonable information security controls resulted in a data breach.

However, the covered entity will bear the burden of demonstrating that its program meets all of the requirements under the law.

This may be hard for businesses to prove since many of the frameworks provide generalizations regarding what is required, but not specifics, and since these frameworks do not tend to have formal certification processes.

Moreover, because such frameworks are often revised to keep up with new technologies and risks, it may be difficult for businesses to conform to the updates within the statute-mandated, one-year time limit from the revision date.

This law is the first in the U.S. to offer an incentive to businesses that take steps to ensure that there are policies and procedures in place to protect against data breaches.

It remains to be seen whether other states will enact similar laws.

*Source: Hunt on Privacy Blog, November 05, 2018
