Uber Reveals 1.2 Million Customers Affected by Data Breach in Australia*:
- In Australia, the company's local arm revealed 1.2 million customers were affected by the data breach.
- The number was given to the Australian Privacy Commissioner, and was an approximate figure because the app does not always record the country code where a customer lives.
- In the UK, the number of Uber accounts affected by the breach has been quoted at 2.7 million.
- As Uber stated in relation to the breach, outside forensic experts have not seen an indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.
- However, some names, email addresses and mobile phone numbers of the 57 million Uber users affected were downloaded by two people outside the company.
*Source: Mashable, December 01, 2017
Data Breach at PayPal's TIO Networks Unit Affects 1.6 million Customers*:
- PayPal Holdings acknowledged that a data breach at recently acquired payments processor TIO Networks compromised the personally identifiable information of roughly 1.6 million customers.
- The disclosure sheds light on the online payments company's Nov. 10 decision to suspend the operations of Vancouver, Canada-based TIO Networks.
- The investigation yielded evidence of an unauthorized access into TIO Networks’ systems, including “locations that stored personal information of some of TIO’s customers.”
- PayPal acquired TIO in July 2017 for $238 million, and it is unclear whether the original data breach occurred prior to or after the purchase.
- In the press release, PayPal did not specify what information was compromised; however, an FAQ section on the TIO Networks website indicated that Social Security numbers were among the PII stolen.
- PayPal has “not found actual proof of data being taken from the TIO network,” but the company “found enough evidence of potential exposure to treat this incident as a data breach.”
- The company says it is actively working to directly notify all potentially affected individuals and their billers, retailers and agents.
- PayPal also has emphasized that its own corporate systems were not impacted by the breach situation and that its customers' data remains secure.
*Source: SC Magazine, December 04, 2017
National Data Breach Notification Law Proposed by Senate Commerce Committee Members*:
- Three Democratic senators introduced legislation Thursday requiring companies to notify customers of data breaches within 30 days of their discovery qne imposing a five year prison sentence on organizations caught concealing data breaches.
- The new bill, called the Data Security and Breach Notification Act, comes in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users.
- The scope of the legislation is limited; for instance, if only a last name, address or phone number is revealed in a breach, the law would not apply or if an organization “reasonably concludes that there is no reasonable risk of identiy theft” the incident is considered exempt from the legislation.
- The bill also directs the Federal Trade Commission (FTC) to create security standards for the protection of consumer data, and provides incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.
- The idea of a national data breach notification law was gaining traction earlier this year in the wake of the Equifax data breach that affected 145 million people.
- One member remarked that Congress doesn’t “want to upset the technology community with obtrusive regulation,” but the private sector has been poor in instilling confidence that it will act in the public’s best interest.
- Currently, 48 states have their own data breach notification laws, but they differ wildly.
*Source: Cyber Scoop, November 30, 2017
Hacking Back is a Terrible Idea, but Companies are Still Keen to Try It*:
- Tired of being attacked by cybercriminals, some organisations are keen to take the fight back to the hackers – but the risks of ‘hacking back’ are likely to be much greater than any potential gains.
- Hacking back against an assailant, perhaps tracking down the systems they are using and either deleting the information they stole or disabling the computers is currently illegal.
- Over half of respondents in a recent survey said their organisation had the technical ability to identify an intruder, infiltrate their systems, and destroy any data that had been stolen after a cyber-attack.
- If it were legal, over half of executives said they would rather hack back to get the decryptino keys after a ransomware attack than pay criminals to regain access to their data.
- Despite believing they could take the fight back to the hackers, in reality most business don’t have those skills.
- Top concerns about such a strategy include issues around attribution – identifying the actual perpetrator – and the risk of collateral damage.
- In the US, the Active Cyber Defense Certainty Act (currently in draft) would make it legal for a victim of persistent unauthorised intrusions to use “active cyber defense measures” to access the systems of the attacker to gather information for law enforcement or to “disrupt continued unauthorized activity against” their own network.
- Companies hacking back would not be allowed to intentionally destroy information that does not belong to them or “recklessly” cause physical injury or financial loss.
- Companies hacking back could not go near government systems either, and would have to notify the FBI before they did anything.
- It’s hard to see that allowing victims to try to hack back would be anything other than a disaster; hackers don't launch attacks from their own systems – they find some unsecured servers and use them as a staging post.
- Hacking back could also ruin the digital forensics needed by law enforcement agencies to actually catch the criminals involved.
- Improving IT security should be the priority: many cyberattacks only succeed because companies have failed to patch known vulnerabilities in their systems, or have failed to adopt basics like two-factor authentication.
- Giving victims the ability to hack back is only likely to exacerbate the situation.
*Source: ZDnet, December 01, 2017
New Ransomware Tactics Are ‘Unstoppable’*:
- Hackers are growing much more adept at getting people to open email infected with worms.
- New techniques that a researcher unveiled this week show how hackers can strip away any sign that an email is fake, and make it “virtually unstoppable” by normal safeguards such as spam filters on email servers.
- A German security researcher discovered a collection of vicious bugs used to bypass the hurdles set up on more than 30 widely used email clients, like Apple Mail, Mozilla Thunderbird, Yahoo! Mail and Microsoft Outlook 2016.
- He notified major software vendors at least three months ago and about 20 vendors dealt with the problem, but 15 either did not say if they would fix the bug or said they would not.
- Mailsploit is a new way to easily spoof an email address that lets the attacker display an arbitrary sender email address to the recipient.
- Governments are now falling victim to ransomware attacks just as thousands of corporations, small businesses, non-profits and other entities, like hospitals, have worldwide.
- An employee of the Mecklenburg County government in North Carolina recently opened an email routed from another employee’s account and opened it and a malicious attachment, infecting the county’s network.
- In at least two major waves of ransomware attacks this year, tens of thousands of infected computers in at least 150 countries displayed a message saying the hard drives had been frozen and would only be decrypted if a bitcoin ransom was paid.
- Global ransomware damage is likely to rise from $5 billion this year to $11.5 billion in 2019.
- Spoofing emails take many forms, including what appear to be requests from within a corporation to transfer money to an outside account to pay bills.
- While some hackers use stolen personal identifying information to try to hack anyone, then penetrate into their workplace networks, few have targeted governments – possibly because government agencies would not have the capability of making a quick payment even if they wanted to.
- Even the best of us can be fooled by a specially crafted phishing campaign, but ensuring updates are installed in a timely manner can help because malware often takes advantage of known vulnerabilities.
*Source: Government Technology, December 07, 2017
Former Sysadmin Caught Hacking His Ex-Employer by His Replacement*:
- A Kansas City court sentenced a Missouri man to six years in federal prison without parole for hacking his former employer, stealing trade secrets, and for accessing child pornography.
- Jacob Raines worked as IT manager for American Crane & Tractor Parts (AC&TP).
- According to court documents, his former employer brought in a new IT manager to replace Raines after he left.
- When the new manager took over his position, he deleted Raines' old credentials for AC&TP's network and received Raines’ old computer.
- While using this computer, the new sysadmin noticed that someone had logged into the PC and started an FTP transfer, moving files to an off-company server.
- AC&TP notified authorities and an investigation revealed that Raines logged into his former computer three times, with the purpose of stealing some of his former employer’s source code.
- Investigators said Raines didn't try to hide his location, as an IP trace led them back to his AT&T home connection.
- While they found evidence of Raines stealing AC&TP source code files, to their surprise, they also found forensic evidence suggesting Raines had accessed child-abuse images.
*Source: Bleeping Computer, December 03, 2017
How Identity Data is Turning Toxic for Big Companies*:
- Google might be in trouble for collecting the personal data of its users, but many companies have a growing incentive to rid their hands of the data that users entrust them with – the growing costs of holding onto data.
- A major cause is the rising number of cyber-attacks where hackers steal the identity information held by companies, often to sell them on to various black markets.
- The security breach at Equifax – as a primary cause – resulted in around US$4.8 billion being wiped off Equifax’s market value from May to September 2017.
- The latest Breach Level Index (BLI) reports that only a meager 368m out of the 9.2 billion stolen records were concealed from potential hackers through the use of data-encoding technology.
- The rate at which valuable identity information is flying out of the control of firms is alarming – more than 3,500 records per minute.
- Around 23% of the top data-breaches over the past five years contained consumers’ identity information like names, dates-of-birth, addresses and account passwords.
- The volume and sophistication of these cyber-assaults will make executives of firms that hold sensitive data anxious about its safe keeping.
- As well as cyber-attacks, companies are having to contend with growing levels of regulation and the cost that comes along with remaining in compliance.
- One report found that banks spent nearly US$100 billion on compliance in 2016; this skyrocketing spend on compliance leaves little room for product development.
- The EU’s strict General Data Protection Regulation *GDPR will be enforced from May 2018, and already, implementing the necessary steps to adhere to the new regulation is proving to be expensive for organizations.
- Some estimates predict that purchasing the technology to adhere to the GDPR standards and avoid paying the exorbitant fines will cost Fortune 500 companies on average US$1m each.
- At the point where the cost of protecting identity assets outweighs the benefit of storing it, it becomes toxic for the organisation.
- As with any risk, companies must act to mitigate or remove it.
- Models for a decentralised identity are emerging with parallel developments in the creation of a decentralised web.
*Source: The Conversation, December 04, 2017
Morrisons Data Leak: Supermarket Liable for Staff Details Breach*:
- Morrisons has been found liable for the actions of a former member of its staff who stole the data of thousands of employees and posted it online.
- Workers brought a claim against the company after an employee stole the data, including salary and bank details, of nearly 100,000 staff.
- The case is the first data leak class action in the UK, and Morrisons said it believed it should not have been held responsible and would be appealing against the decision.
- The case follows a security breach in 2014 when a senior internal auditor at the retailer's Bradford headquarters leaked the payroll data of employees, posting them online and sending them to newspapers.
- The accused was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
- Lawyers said the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.
- Any further hearing about amounts of compensation will not take place until the company's appeal has concluded.
*Source: BBC, December 01, 2017