One Tinder User’s Data Request Turned Into 800 Pages of Info*:
- Earlier this year, a German reporter acted on her rights to request a copy of all personal data captured by the Tinder dating service over a span of nearly four years.
- The massive 800-page report that Tinder sent her contained data primarily from Tinder itself, including complete message histories and geolocation data for every interaction on the app.
- Other data was sourced from linked accounts at Facebook and Instagram.
- The report included over 1,700 messages sent and received by the reporter, who expressed concerns over exactly how secure the data is – either in the face of a security breach or in the event of Tinder ever being sold.
- When Tinder was asked why the service needed access to so much of its users’ personally identifying information, a Tinder representative responded that it was used “to personalize the experience for each of our users around the world.”
*Source: Ars Technica, September 26, 2017
NotPetya Cyberattack on TNT Express Cost FedEx $300m*:
- Falling victim to the Petya cyber-attack cost FedEx around $300m during the last quarter of the financial year, the company has revealed in its latest earnings report.
- Operations of FedEx's TNT Express unit in Europe were disrupted by the attack and the company previously warned that the financial cost of the incident was likely to be significant.
- FedEx CFO said the company is “currently executing plans to mitigate the full-year impact of these issues.”
- Combined with the impact of Hurricane Harvey, the cyber-attack “posed significant operational challenges” according to the CEO of FedEx.
- While no data breach or data loss occurred as a result of Petya, the company previously warned that it may not be able to recover all of the systems affected by the cyber-attack.
- FedEx was one of a number of high-profile victims of the Petya malware epidemic, which originated in Ukraine but spread to bring down IT systems around the world.
- Danish transport and logistics conglomerate Maersk – the world's largest container ship and supply vessel operator – has already revealed how the attack is set to cost it up to $300m.
- The global attack spread a version of the Petya ransomware modified with a leaked NSA exploit – the same EternalBlue Windows flaw which spread WannaCry.
*Source: ZDNet, September 20, 2017
Deloitte Hit by Cyber-Attack Revealing Clients’ Secret Emails*:
- Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.
- One of the largest private firms in the US, which reported record $37bn revenue last year, Deloitte provides auditing, tax consultancy, and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms, and government agencies.
- The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached.
- So far, six of Deloitte’s clients have been told their information was “impacted” by the hack.
- Deloitte discovered the hack in March of this year, but the attackers may have had access to its systems since October or November 2016.
- The hacker compromised the firm’s global email server through an “administrator’s account”; the account required only a single password and did not have “two-step” verification.
- Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft.
- The hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses, and health information.
- The team investigating the attack has yet to establish whether a lone wolf, business rivals, or state-sponsored hackers were responsible.
- A measure of Deloitte’s concern came on 27 April when it hired the US law firm Hogan Lovells on “special assignment” to review what it called “a possible cybersecurity incident”.
- An estimated 5m emails were stored in the cloud and may have been accessed by the hackers; Deloitte said the number of emails actually at risk was a fraction of this figure but declined to elaborate.
- Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.
- Though all major companies are targeted by hackers, the breach is an embarrassment for Deloitte, which offers potential clients advice on how to manage the risks posed by sophisticated cybersecurity attacks.
*Source: The Guardian, September 25, 2017
Equifax CEO Steps Down After Massive Data Breach*:
- Equifax, the consumer-data giant targeted in a hack that exposed the personal data of nearly half the US population, said its CEO is out effective immediately.
- Richard Smith will “retire” as chairman of the board and CEO effective Tuesday, according to a statement from the company.
- Last week the company announced that the firm’s CIO and chief security officer were also retiring.
- Equifax reported earlier this month a massive data breach, saying hackers may have accessed the personal details, including names and Social Security numbers, of more than 143 million consumers from mid-May to July.
- The disclosure was met with criticism because of the delay in alerting the public as well as problems with the website Equifax set up for people to check whether their details were at risk.
- The hack is being investigated by the Federal Trade Commission and has prompted promises for inquiries in both the Senate and House of Representatives.
- Equifax officials are also reportedly being investigated by the US Justice Department after selling stock before the company revealed a data breach that exposed the personal information of millions of Americans.
- The three senior executives dumped almost $2 million worth of stock days after the company learned of the breach, Securities and Exchange Commission filings show.
- Equifax was down 3% in premarket trading and shares have tumbled by about 26% since news of the hack broke through Monday's close.
*Source: Business Insider, September 26, 2017
Three-Quarters of Security Incidents Originate Inside the Extended Enterprise*:
- The majority of security incidents arise from within the extended enterprise and not as a result of hacking groups, according to new research.
- The firm surveyed 600 senior business decision makers and 1200 employees across the UK, US, Germany and Australia, and discovered that 42% of IT security incidents happen due to the actions of employees whilst 74% originate from the extended network of workers, customers, and suppliers.
- In contrast, just 26% of attacks came from parties unknown to the organizations, a figure down from 33% in 2015.
- Internal threats clearly pose the greatest risk to the majority of businesses, but respondents believed most incidents are accidental or inadvertent rather than deliberate in intent.
- Educating employees about how to safeguard critical information, motivating employees to care more about the ramifications of a breach, and increasing investment in Data Loss Prevention (DLP) tools are the biggest priorities needed to minimize the risk of internal security breaches.
- Being a responsible data citizen will also require organizations to look at the way in which partners or suppliers hold and share information.
- On a positive note, organizations are becoming quicker at spotting incidents on the network, with more than half (52%) noticing an issue within an hour, compared to only a third (34%) two years ago.
*Source: Infosecurity, September 22, 2017
UK Eyes New Data Protection Law, Wants to Keep EU Happy*:
- The UK government published a so-called “Statement of Intent” for the overhaul of its data protection law.
- It is clear that this is a first step to compliance with the EU General Data Protection Regulation (GDPR).
- Even after Brexit, UK data protection law will need to be aligned with EU GDPR rules if a free flow of data is to continue.
- New elements for UK data protection law:
  - The definition of “personal data” will be expanded to include IP addresses, cookies, and DNA.
  - Default opt-out checkboxes for data collection will be banned.
  - Children aged 13 and older will be able to consent to data collection, as allowed by the EU GDPR.
  - Social media platforms would be required to delete information held about children once they reach the age of 18, upon request.
  - “Class action” legal redress is foreseen, allowing actions to be brought on behalf of similarly affected individuals by a representative entity.
  - Reckless re-identification outlawed: the paper wants to create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data.
  - Offenders who knowingly handle or process such re-identified data will also be guilty of an offence.
  - Security researchers may no longer be able to conduct their investigations lawfully, as they often have to demonstrate re-identification as a “proof of concept” when highlighting security flaws.
- The new UK data protection law will reflect the high sanctions of the EU GDPR with top fines of 4 percent of global annual turnover or £17 million – similar to the EU’s €20 million cap.
- The UK data protection law is expected in full in the coming weeks and is due to be voted on in the current parliamentary term in plenty of time for the May 2018 EU GDPR deadline.
- The British Minister for Digital said “the UK is leading the way on modern data protection laws and we have worked closely with our EU partners to develop world leading data protection standards.”
*Source: CPO Magazine, September 05, 2017
Illinois Governor Vetoes Data Privacy Measure*:
- Illinois Governor Bruce Rauner vetoed legislation requiring mobile applications that track user locations to get permission first and to outline how that data will be used.
- He called the measure “an unnecessary and byzantine layer of state regulation” that would harm business and deter technology companies from locating in Illinois.
- Business groups applauded the veto, while supporters of the bill said Rauner "chose big business over protecting Illinois citizens."
- The Illinois Public Interest Research Group director said the recent data breach at Equifax shows what can go wrong when vast amounts of private personal information are collected, stored, shared and sold in the big-data economy.
*Source: Los Angeles Times, September 22, 2017