Week of October 26, 2018


Yahoo To Pay $50 Million, Other Costs For Massive Data Breach*:

Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.

The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old lawsuit seeking to hold Yahoo accountable for digital burglaries that occurred in 2013 and 2014 but weren’t disclosed until 2016.

Yahoo revealed the problem after it had already negotiated a $4.83 billion deal to sell its digital services to Verizon Communications.

It then had to discount that price by $350 million to reflect its tarnished brand and the spectre of other potential costs stemming from the breach.

Verizon will now pay for one half of the settlement cost, with the other half paid by Altaba Inc., a company that was set up to hold Yahoo’s investments in Asian companies and other assets after the sale.

Altaba already paid a $35 million fine imposed by the Securities and Exchange Commission for Yahoo’s delay in disclosing the breach to investors.

Claims for a portion of the $50 million fund can be submitted by any eligible Yahoo accountholder who suffered losses resulting from the security breach.

The costs can include such things as identity theft, delayed tax refunds or other problems linked to having had personal information pilfered during the Yahoo break-ins.

The fund will compensate Yahoo accountholders at a rate of $25 per hour for time spent dealing with issues triggered by the security breach, according to the preliminary settlement.

Those with documented losses can ask for up to 15 hours of lost time, or $375.

Those who can’t document losses can file claims seeking up to five hours, or $125, for their time spent dealing with the breach.

Yahoo accountholders who paid $20 to $50 annually for a premium email account will be eligible for a 25 percent refund.

The free credit monitoring service from AllClear could end up being the most valuable part of the settlement for most accountholders.

The lawyers representing the accountholders pegged the retail value of AllClear’s credit-monitoring service at $14.95 per month, or about $359 for two years – but it’s unlikely Yahoo will pay that rate.

The settlement didn’t disclose how much Yahoo had agreed to pay AllClear for covering affected accountholders.

The lawyers for Yahoo’s accountholders praised the settlement as a positive outcome, given the uncertainty of what might have happened had the case headed to trial.

Estimates of damages caused by security breaches vary widely, with experts asserting the value of personal information held in email accounts can range from $1 to $8 per account.

Those figures suggest Yahoo could have faced a bill of more than $1 billion had it lost the case.

But Yahoo had disputed those damages estimates and noted many of its accountholders submitted false information about their birthdates, names and other parts of their lives when they set up their email.

The lawyers representing Yahoo accountholders have a big incentive to get the settlement approved. Yahoo will pay them up to $37.5 million in fees and expenses if it goes through.

Oath, the Verizon subsidiary that now oversees Yahoo, declined to comment. A hearing to approve the preliminary settlement is scheduled for Nov. 29 before U.S. District Judge Lucy Koh in San Jose. If approved, notices will be emailed to affected accountholders and published in People and National Geographic magazines.

*Source: Financial Express, October 24, 2018


Major Airline Cathay Pacific Says Up To 9.4 Million Passengers Had Their Data Stolen*:

Major international airline Cathay Pacific revealed today that as many as 9.4 million passengers had their records stolen in a data breach that occurred in March.

Passport information, including identity card numbers, names, dates of birth, and postal addresses may all have been compromised.

The breach also included details about where each passenger had travelled and any comments made by customer service representatives.

The amount of data accessed varied among passengers.

Cathay also noted that 403 expired credit card numbers were accessed and so were 27 credit card numbers with no CVV numbers attached.

The company has no evidence that any personal information has been misused.

The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.

Cathay Pacific has stated that no passwords were compromised in the breach.

The breach also differs from others because Cathay took over six months from the time the breach occurred in March to announcing it in public now.

As the company has a presence in Europe, it might run into trouble with newly passed General Data Protection Regulation (GDPR) rules that require companies to tell customers and law enforcement within three days of discovering a breach.

In addition to the reputation cost, Cathay Pacific may face costly GDPR repercussions due to the amount of time that passed.

The airline is communicating with local police in Hong Kong and other relevant authorities, it said.

*Source: The Verge, October 24, 2018


Facebook Fined Pre-GDPR Maximum Of £500,000 By ICO Over Cambridge Analytica*:

Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge Analytica data scandal.

The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place.

The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May.

The ICO said Facebook had given app developers access to people's data "without clear consent".

In July, the ICO notified the social network that it intended to issue the maximum fine.

Confirming the fine, it said in a statement: "Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had."

Facebook said it was "reviewing" the ICO's decision.

*Source: BBC News, October 25, 2018


Portuguese Hospital Receives And Contests €400,000 Fine For GDPR Infringement*:

On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400,000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”).

The decision has not been made public.

Earlier this week, the hospital publicly announced that it will contest the fine.

According to press reports, the CNPD carried out an investigation at the hospital which revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles.

The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors.

Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty.

The CNPD reportedly concluded that the hospital did not put in place appropriate technical and organizational measures to protect patient data.

In its defence, the hospital apparently indicated that it uses the IT system provided to public hospitals by the Portuguese Health Ministry.

The CNPD, however, decided that it was the hospital’s responsibility to ensure that the IT system it uses complies with the GDPR.

While Portugal has not “implemented” the GDPR yet, the CNPD applied the GDPR principles to this case and relied on the GDPR to determine the fine.

This is one of the highest fines imposed by the CNPD as of yet.

The current law allocates half of the fine to the CNPD budget – the future implementing law will likely contain a similar provision.

*Source: The National Law Review, October 26, 2018


New DDoS Botnet Goes After Hadoop Enterprise Servers*:

For nearly a month, a new botnet has been slowly growing in the shadows, feasting on unsecured Apache Hadoop servers, and planting bots on vulnerable servers to be used for future DDoS attacks.

First spotted in honeypot data by a NewSky Security researcher while it was still in its infancy, the botnet has matured and expanded in the meantime.

The botnet initially consisted of a few command-and-control servers, but in a threat alert sent out today, cyber-security firm Radware says it has now grown to more than 70 servers.

The role of these servers is to scan the internet for Hadoop installations that use a misconfigured YARN module.

YARN, which stands for Yet Another Resource Negotiator, is a core component of the Apache Hadoop data processing framework, often used in large enterprise networks or cloud computing environments.

Once the botnet finds a possible victim, the botnet, which Radware named DemonBot, attempts to take advantage of a YARN misconfiguration to install a "bot" process on the vulnerable Hadoop system.

Radware says DemonBot has grown tremendously in the past month, currently attempting over 1 million YARN exploits per day.

But while the botnet's total bot count remains unknown, there is another major mystery still to be solved.

Why does this botnet infect resource-rich servers like Hadoop with DDoS bots instead of deploying cryptocurrency-mining malware, which would, without a doubt, generate much more profit and far fewer legal problems than launching destructive, head-turning DDoS attacks?

All signs point to this botnet being the work of "skids," a term used by cyber-security experts to describe malware authors who cobble together botnets or malware strains from readily available scripts, with poor operational security, or without a long-term plan of what they want to achieve.

This is exactly what appears to have happened, according to NewSky Security's Ankit Anubhav, who tweeted earlier this month that this botnet appears to have ties to creators of the Sora botnet, who were also responsible for creating multiple other botnets, such as Owari, Wicked, Omni, Anarchy, and others – all used for DDoS attacks as well.

Servers are vulnerable to infection due to a misconfiguration in Hadoop's YARN component that has been known for at least two years.

According to proof-of-concept code posted on ExploitDB and GitHub, attackers appear to access an internal YARN API that was left exposed to external connections.

The exploit uses the API to deploy and run a custom YARN app inside a Hadoop server cluster – in DemonBot's case, a DDoS-capable malware strain.

This exploit has been very popular in the past few months, also being used by the multi-functional Xbash malware over the summer.

It goes without saying that Hadoop server administrators should probably review YARN configs as soon as possible to make sure they're not shooting themselves in the foot.
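
Reviewing YARN configs, as the article advises, comes down to a handful of Hadoop properties that decide whether the ResourceManager's REST API will accept an application from an anonymous client. The audit script below is an added example, not code from the article or from the Apache Hadoop project: the property names and defaults are Hadoop's own, while the sample XML and the host name rm.example.internal are constructed for illustration.

```python
# Added example (not from the article or Apache Hadoop): audit the settings that
# decide whether the YARN RM REST API on port 8088 accepts anonymous submissions.
import xml.etree.ElementTree as ET

# property -> (value a hardened cluster should have, Hadoop's built-in default)
CHECKS = {
    "hadoop.security.authentication": ("kerberos", "simple"),
    "hadoop.http.authentication.type": ("kerberos", "simple"),
    "hadoop.http.authentication.simple.anonymous.allowed": ("false", "true"),
    "yarn.acl.enable": ("true", "false"),
}

def parse_hadoop_conf(xml_text):
    """Return {name: value} from Hadoop's <configuration>/<property> XML."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf

def audit_yarn_exposure(*xml_texts):
    """Merge core-site/yarn-site contents and list settings that leave the
    RM REST API open; unset properties are judged by Hadoop's defaults."""
    conf = {}
    for text in xml_texts:
        conf.update(parse_hadoop_conf(text))
    findings = []
    for name, (want, default) in CHECKS.items():
        have = conf.get(name, default)
        if have.lower() != want:
            findings.append(f"{name}={have!r} (want {want!r})")
    # The web/REST endpoint follows the RM hostname, which defaults to 0.0.0.0.
    host = conf.get("yarn.resourcemanager.hostname", "0.0.0.0")
    bind = conf.get("yarn.resourcemanager.webapp.address", host + ":8088")
    if bind.startswith("0.0.0.0"):
        findings.append(f"RM web endpoint {bind} listens on every interface")
    return findings

# Constructed samples: a stock yarn-site.xml that never mentions security ...
WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.nodemanager.aux-services</name><value>mapreduce_shuffle</value></property>
</configuration>"""
# ... and the hardened properties (core-site and yarn-site merged here for brevity).
HARDENED_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.resourcemanager.hostname</name><value>rm.example.internal</value></property>
</configuration>"""
```

Run `audit_yarn_exposure()` over the real core-site.xml and yarn-site.xml of a cluster; an empty list means the four authentication properties are set and the ResourceManager is not bound to every interface.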

*Source: ZDNet, October 25, 2018
