GDPR Services: 31 stories worth reading from April 2019
Our GDPR Services team has collected the 31 most newsworthy cases and curious happenings worldwide that were identified and reported publicly during April 2019. Because breaches of private data have a severe negative impact on any business and carry highly serious legal consequences, consider a few GDPR Service packages from owlpower.eu: an on-demand GDPR COMPLIANCE engagement, or the recurrent monthly GDPR COMPLIANCE ADD-ON service together with your dedicated data protection OFFICER package.
- Talos researchers have been tracking 74 different shady Facebook groups.
- Members gather to sell payment card data, email spamming tools and stolen credentials. The post describes their continuing efforts to eradicate these criminals. “Security teams and vendors must work together to actively share information, take action and inform our customers,” they say. Hiding in Plain Sight
- USA – If you are looking for a handy state-by-state compendium of breach notification laws, check out this interactive map from Baker Hostetler.
- You can also view which states require particular elements, such as notifications only of illegal access or those that have specific response time frames. For example, only eight states have laws that also apply to paper records. Breach Notification Law Interactive Map
- Cell phones from Xiaomi have a pre-installed infected — and phony — security app called Guard Provider.
- These were subsequently deleted after researchers notified the vendor. The app ironically could be used to carry out MITM attacks, among others. Xiaomi Vulnerability: When Security Is Not What it Seems
- A new study published by Ben-Gurion University in Israel shows how hackers can tamper with 3D medical scans.
- What makes this significant is that this tampering can be constructed in such a way as to deceive many radiologists. Here is a video of the scans before and after they have been altered. This is the same group of researchers who have found all sorts of side-channel attacks over the years. CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning and video here Injecting and Removing Cancer from CT Scans
- A major breach in VoterVoice campaign data was discovered unsecured online by a researcher.
- It contained 300,000 unique voter email IDs, addresses and phone numbers. The site is used to send messages to elected officials. The vendor claimed it was public information anyway, and ignored several attempts to lock it down. Exclusive: A political “grassroots advocacy” company that lets concerned citizens contact their lawmakers about issues that affect them has exposed hundreds of thousands of people’s data. and here Thousands of ‘take action’ messages to lawmakers exposed by political advocacy giant
- As the UK continues to stumble over its Brexit plans, this post examines what this means for cybersecurity there.
- It isn’t clear if EU cyber standards will apply in the UK and how data sharing governance will happen. UK businesses will need to review their own privacy policies too. Mind the Brexit gap in cyber security
- Bayer was hit by the Winnti malware last year and only went public recently about the situation.
- No actual data theft occurred, and the company was monitoring the Chinese attackers covertly. The malware was removed last month. This group has hit other German businesses recently. Bayer contains cyber attack it says bore Chinese hallmarks
- Georgia Tech has been hit by a second data breach in less than a year.
- This time, more than a million records have been leaked. Details are few however. Data breach exposes up to 1.3M Georgia Tech faculty, students
- Researchers found two separate databases filled with Facebook user and plaintext passwords.
- Both came from third-party providers and were found on unsecured online storage. One held more than 20,000 passwords, the other millions of records. The researchers had trouble getting in contact with the data owners to lock both of them down. Losing Face: Two More Cases of Third-Party Facebook App Data Exposure
- Current versions of both Microsoft Edge and IE browsers can share confidential data among websites without the user’s knowledge.
- Malicious JScript code makes this possible. Researchers call this a same-origin attack. Microsoft doesn’t yet have a fix for this. Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data
- Sen. Mark Warner (D- Virginia) has received answers from some of the organizations he queried about their security practices.
- The report was compiled by the Institute for Critical Infrastructure Technology, a watchdog NGO. Better collaboration, a coherent national strategy, and more proactive cybersecurity practices are all needed. More than half of the records involved in a breach last year had healthcare-related origins. An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries
- Personal data of more than 12M pregnant women in India was leaked online for more than a month before it was finally secured.
- The leak included detailed medical records and genetic test results that belonged to a MongoDB database maintained by an unnamed state health agency in Northern India. A researcher contacted the Indian CERT to get this eventually fixed. Large Privacy Breach In India: Millions of Pregnant Women Had Their Details Leaked
- This sounds like a 4/1 joke but as far as I can tell, it actually happened.
- Members of the EU Parliament were voting for various amendments to Internet copyright legislation, and were confused and then wanted to change their votes after they were recorded. MEPs accidentally vote wrong way on copyright law
- It has taken the restaurant chain Buca di Beppo until now to admit it was breached back in May 2018.
- More than 2M payment cards were stolen, thanks to an infected POS system. The company said the breach took until March to discover and then fix the issue. The breach also hit other brands in its conglomerate including Earl of Sandwich and Planet Hollywood stores. You might want to review your credit card statements carefully over this period to find any unauthorized charges. A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach
- Toyota has experienced a large data breach that could expose more than 3M customer records.
- It didn’t include payment card data but did include personal details including birth dates and names. Details are sparse but the breach happened at its Japanese HQ. Its AU subsidiary was hacked five weeks ago. Toyota Security Breach Exposes Personal Info of 3.1 Million Clients
Discover trending and viral stories about GDPR Services worldwide. The remaining private data breaches below also made news headlines, and all of them happened just in the last month.
- The website bodybuilding.com received a phish back in July last year that eventually triggered a breach this past February.
- The company has more than a million members along with an e-commerce site. It acknowledged the leak of private customer data, although no payment card numbers were divulged. All users’ passwords have since been reset. DATA INCIDENT
- Indian search vendor JustDial appears to have suffered a massive data breach.
- It involved a leak of personal details across 100M user records. I say appears because the vendor is disputing the leak, which was found by a security researcher last week and was caused by a poorly secured third-party computer. Indian Search Service Justdial Inadvertently Exposed Records of a 100 Million Users
- Researchers have found more than 60M LinkedIn user records on a series of public databases.
- Email IDs are included, along with work history and locations. Once journalists contacted Amazon, the databases were finally secured. The data appears to belong to a third-party LinkedIn developer. Unsecured Databases Leak 60 Million Records of Scraped LinkedIn Data
- Facebook has revealed that it collected another 1.5M users’ contact details this week.
- This was a correction to the number of affected Instagram users, which was previously announced to be in the thousands. The actual number of affected records could be at least an order of magnitude higher, since each user’s complete contact list was collected. Facebook said the collection was unintentional and that it will delete the data. Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent
- A breach at Chipotle has not yet been fully acknowledged by the company.
- Customers have posted on Reddit and Twitter, figuring it out after some of them reported password reuse. Chipotle says it could be the result of credential stuffing, but that is questionable. It has no plans to roll out MFA requirements, however. Chipotle customers are saying their accounts have been hacked
- A notable recent breach.
- First is at the Indonesian eCommerce site Bukalapak. This leaked 13M records back in 2017. Exposed data included email and IP addresses, names and hashed passwords. The company has reset all passwords and now requires MFA on all logins. Bukalapak Meningkatkan Keamanan Akun Pengguna
- India’s third largest IT consultancy Wipro has suffered a breach that was used to attack its customers’ networks.
- At least a dozen customers are affected. It eventually acknowledged the breach and said it is working with an outside investigator. Experts: Breach at IT Outsourcing Giant Wipro
- OneLogin suffered two breaches within a year.
- Here is the tale of how it owned up to its problems and recovered its customers’ trust. The company revealed the breach quickly, described the details of the attack and kept customers informed along the way. This could be used as a template for your own breach response playbook. How OneLogin responded to its breach and regained customer trust
- Microsoft confirmed that for the first three months this year, a hacker compromised one of their support agent’s accounts.
- This means user account data could have been accessed and compromised. Microsoft: Hackers compromised support agent’s credentials to access customer email accounts
- Major VPN vendors have been found to be at risk of leaking private data.
- The issue is how they store session cookies in log files or memory locations. Palo Alto Networks Global Protect, Cisco AnyConnect and Pulse Secure Connect are on the list. Only Palo Alto has fixed its code so far, and users should upgrade to v.4.1.1 asap. VPN applications insecurely store session cookies
- After the Starwood breach, Symantec looked at the security of more than 1,500 hotel websites in 54 countries.
- It found two-thirds of them could be exploited for a similar data leak of guests’ data. The leaks could enable third-party services (such as advertisers) to login to a guest reservation and view personal details. Two in Three Hotel Websites Leak Guest Booking Details and Allow Access to Personal Data
- A new info stealer malware called Baldr has been observed.
- It is a well-crafted combination of Agressor for distribution, Overdot for sales and promotion, and LordOdin for development. It is a new type of stealer that operates as a ‘grab and go’ — meaning it is harder to detect, more opportunistic, and goes after a wider range of potential targets. Say hello to Baldr, a new stealer on the market
- DataCamp, an online learning website specializing in data science courses, suffered a data breach in 2017.
- More than 760k records were exposed, including email and IP addresses, names and hashed passwords. The company notified users via email after the breach was discovered in February, and it claims no payment card data was compromised. A vast majority of these email IDs were already leaked thanks to other breaches. DataCamp Security Update – Frequently Asked Questions
- EU authorities have launched an investigation into whether various government agencies are complying with GDPR privacy regulations in their software purchase contracts with Microsoft.
- The issue is similar to one raised last November about storing customer data on American servers. EU data supervisor probes EU bodies’ software deals with Microsoft
- Those sextortion scammers are getting more sophisticated.
- They have lowered their ransom demands in the hopes of getting more victims to pay and also hidden their malware through multiple layers of encryption, passwords and programming. Big change in the plague of Blackmail, Sextortion Scam attempts
- Tomorrow is an important election in Israel, and there are claims of a major data breach in its voting registry.
- It could be old data that was leaked back in 2006, and authorities are investigating. It is part of an annual hacking campaign by various groups around the world. In the past, these campaigns haven’t had much success. In other news, Twitter has suspended dozens of suspicious accounts run by a Chinese group that has political messages posted in Hebrew. The group believes Jesus has been reincarnated as a Chinese woman living in Queens. Yes, you read that correctly. Hacker’s Claims of Breaching Israeli Voter Registry Under Investigation and Israel Election: Twitter Suspended Dozens Of Hebrew-Language Accounts Run By A Strange Chinese Religious Sect