- The Canadian cooperative bank Desjardins dismissed a bank employee for swiping the personal data of roughly 2.9 million customers.
- About 40% of Desjardins’ customers are affected by the incident.
- Back in December 2018, the bank had noticed a suspicious transaction and reported it to Laval police (Quebec).
- Since then, the bank had worked closely with the authorities to investigate the incident and find the offender responsible for the transaction.
- The incident was not a hacker attack from outside. It is a case of data abuse from within.
- An internal member of the IT department stole data from 2.7 million private customers and 173,000 business customers and passed the data on to third parties.
- The perpetrator was able to bypass security measures that were designed to prevent a single person from being able to access all customer records.
- Private customers had their personal data stolen, including first and last names, DOBs, social security numbers, addresses, phone numbers, e-mail addresses, as well as details on banking usage and Desjardins products.
- Passwords, security questions and pin codes were not affected.
- Damages of 300 US dollars are being claimed on behalf of each affected customer. In addition, Desjardins is offering a 5-year credit monitoring service to all affected customers.
- After the data breach, Quebec’s financial services authority warned that Desjardins’ customers may fall prey to fraudulent emails, text messages, and phone calls.
- Companies mostly fear external hacker attacks and take extensive precautions to keep attackers out, while they tend to neglect the dangers that lurk from within.
- The natural conclusion is that sufficient protection can only be provided by a sophisticated access and permission management system.
*Source: tenfold-security, July 9, 2019
- Last year’s major breach of Marriott International’s reservation database could cost the hotel chain about $123 million in fines.
- In 2018, Marriott disclosed a large-scale data breach impacting almost 500 million customers and said they detected unauthorized access to a database tied to customer reservations stretching from 2014 to September 10, 2018.
- Once the data breach came to light, customers in the US sued the global hotel chain Marriott, with one class-action lawsuit seeking $12.5 billion in damages.
- The UK Information Commissioner’s Office (ICO) said Marriott has cooperated with the regulator’s investigation and has improved its network security since discovering the cyber-attack.
- Marriott CEO Arne Sorenson said, “we take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect.”
- It should be noted that the announced fine is about 2.4 percent of the company’s total revenue, below the maximum of four percent that the ICO could have imposed under the data protection rules.
- This fine comes immediately after the ICO fined British Airways $230 million over the theft of customer data by hackers in 2018, as disclosed by its parent company, International Airlines Group (IAG).
- Elizabeth Denham, the information commissioner stated that the “organizations must be accountable for the personal data they hold.”
*Source: ibtimes, July 10, 2019
- The U.S. Coast Guard has issued an official warning to ship owners that cybersecurity at sea needs updating, and updating urgently.
- The Coast Guard “strongly encourages” that cybersecurity assessments are conducted to “better understand the extent of their cyber vulnerabilities.”
- This follows an interagency investigation, led by the Coast Guard, into a “significant cyber incident” in which the critical control systems of a deep draft vessel bound for the Port of New York in February 2019 were found to have what it called “significant vulnerabilities.”
- The investigation concluded that the malware attack had: “significantly degraded the functionality of the onboard computer system.”
- Ethical hacker John Opdenakker says he was “amazed” to hear that the crew well knew the security risk but “this didn’t result in the problems being addressed.”
- What is more shocking is that the measures the Coast Guard “strongly recommends” to those responsible for these vessels are hardly advanced in nature.
- Indeed, they are of the kind I would expect most computer users to be aware of at home, school, and work.
*Source: Forbes, July 09, 2019
- Magecart, a set of sophisticated hacking groups, has been behind some of the bigger hacks of the past few years, from British Airways to Ticketmaster, all with the singular goal of stealing credit card numbers.
- And thanks to poor security hygiene, they’ve managed to hit 17,000 domains in the past few months alone.
- A new report from threat detection firm RiskIQ details how Magecart hackers have found a way to scan for misconfigured Amazon S3 buckets, the cloud storage repositories that hold data and other backend assets for sites and companies.
- RiskIQ has tracked the activity as far back as early April; it first noticed the technique after seeing several internet supply chain companies get compromised in May.
- The Magecart hackers were casting the widest possible net, altering the code of countless sites that had no ecommerce function at all, in hopes of catching enough sites that do process credit cards to make its efforts worthwhile.
- Because a misconfigured bucket’s permissions let anyone write to it, the attackers simply append their Magecart skimmer to a JavaScript file they find there and overwrite the original script with the tainted version.
- RiskIQ is working with Amazon to alert the affected administrators to their exposure but wrangling 17,000 domains takes time.
- The Magecart hackers have a singular focus: credit card skimming. But it’s not hard to imagine a group that thinks bigger, or at least with a more anarchical bent.
- Amazon has developed tools to help its cloud customers forestall this type of attack, including an essentially one-click “block public access” option that it rolled out last fall.
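The two sides of the S3 story above, as an added example that is not code from the RiskIQ report or from Amazon: an audit that flags the anonymous-write grants Magecart relied on (in an ACL and in a bucket policy), the account-level "block public access" settings that close the hole, and a hash check that catches a script that has had a skimmer appended to it. The ACL and policy inputs are constructed samples in the shape boto3's get_bucket_acl() and get_bucket_policy() return, the bucket and script names are hypothetical, and no AWS calls are made, so it runs offline.

```python
"""Audit an S3 bucket for anonymous write access and detect a tampered script.

Added example, not code from the RiskIQ report or from Amazon. The ACL and
bucket-policy inputs are constructed samples (no AWS calls are made); bucket
and script names are hypothetical.
"""
import hashlib
import json

# Group URIs AWS uses for "everyone" and "any AWS account" in ACL grants.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:*", "*"}


def public_write_grants(acl: dict) -> list:
    """Return (group, permission) pairs that let anyone write objects or ACLs."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (any AWS identity)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_write_statements(policy_json: str) -> list:
    """Return Sids of Allow statements granting object writes to a wildcard principal."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in WRITE_ACTIONS for a in actions):
            hits.append(stmt.get("Sid", "<no sid>"))
    return hits


# The settings behind the console's "Block public access" switch; pass this as
# PublicAccessBlockConfiguration= to boto3's put_public_access_block().
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,        # reject PUTs that carry a public ACL
    "IgnorePublicAcls": True,       # treat existing public ACLs as private
    "BlockPublicPolicy": True,      # reject bucket policies that grant public access
    "RestrictPublicBuckets": True,  # restrict access to buckets that still have one
}


def script_tampered(baseline_sha256: str, served: bytes) -> bool:
    """Compare a served script against its known-good SHA-256 (an SRI-style check)."""
    return hashlib.sha256(served).hexdigest() != baseline_sha256


# --- constructed sample inputs ---
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-static-site/*"},
    ],
})
GOOD_SCRIPT = b"window.checkout = function () { /* legitimate site code */ };\n"
GOOD_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()
# The same file after a skimmer has been appended to it.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"document.addEventListener('submit', e => { /* exfiltrate form fields */ });\n"

if __name__ == "__main__":
    print("ACL public-write grants:", public_write_grants(SAMPLE_ACL))
    print("Policy public-write statements:", public_write_statements(SAMPLE_POLICY))
    print("Script tampered:", script_tampered(GOOD_SHA256, TAMPERED_SCRIPT))
```

The public READ grant is deliberately not flagged: a static site hosted from S3 needs it, and it is the anonymous WRITE (or s3:PutObject to a wildcard principal) that turns a readable bucket into a supply-chain injection point. The hash check is the deploy-side counterpart of Subresource Integrity in the browser: keep a baseline digest of every script at publish time and compare what the bucket serves against it on a schedule.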
*Source: Wired, July 11, 2019
- The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook, in what would be a landmark settlement that signals a newly aggressive stance by regulators toward the country’s most powerful technology companies.
- It would be the biggest fine by far levied by the federal government against a technology company, easily eclipsing the $22 million imposed on Google in 2012.
- It would also represent one of the most aggressive regulatory actions by the Trump administration, and a sign of the government’s willingness to punish one of the country’s biggest and most powerful companies.
- In addition to the fine, Facebook agreed to more comprehensive oversight of how it handles user data, according to people familiar with the settlement. But none of the conditions in the settlement will impose strict limitations on Facebook’s ability to collect and share data with third parties.
- Until now, the biggest fines and restrictions against tech companies have come from Europe.
- Last year, the European Union fined Google $5.1 billion for abusing its large market share in the mobile phone industry.
- American regulators and lawmakers of both parties have also taken a more combative stance toward the tech giants in recent weeks.
- The social network reaped more than $55 billion in revenue in 2018 — 10 times the amount of the fine approved by the commission — as the digital advertising industry has consolidated to increasingly drive dollars to a handful of tech companies.
*Source: NY times, July 12, 2019