GDPR Services report 24 Private Data breaches – Week 28, 2019

• MongoDB Database Exposed 188 Million Records: Researchers
  • Security researchers have found yet another unsecured database that left personal data exposed to the internet. In this latest case, a MongoDB database containing about 188 million records, mostly culled from websites and search engines, was exposed, researchers say. Data Apparently Originated in a GitHub Repository

• K12.com, an online education platform, inadvertently exposed the personal information of nearly seven million students
  • The exposed database contained full names, email addresses, birthdates and gender identities, as well as the school that the students attend, authentication keys for accessing their accounts and other internal data. The information was available online for more than one week, and it’s unclear if the database was at any point accessed by malicious actors. Engadget reached out to K12.com for additional information regarding the data exposure and will update this story if we hear back. K12.com exposed 7 million student records for a week

• Huawei continues to have issues.
  • First are reports of strong links between Huawei employees and Chinese intelligence agencies. Huawei says this is extremely common. So why did the company try to hide these credentials? Next are reports about three major vulnerabilities found in its web application products from Swascan. These include out of bounds exploits and command injections. The two companies worked together to fix the issues. Finally, the researchers at Finite State identified other bugs in various firmware images. “In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors,”. Huawei staff CVs reveal alleged links to Chinese intelligence agencies and Swascan uncovers Huawei ‘s vulnerabilities (pdf)

• GDPR Services: British Airways has been hit with a massive £183 million (equivalent to $229 million) fine by the U.K. regulatory agency ICO.
  • This was for a data leak that took place from May to September last year. More than half a million customers’ Private Data was compromised, resulting in GDPR violations. Intention to fine British Airways £183.39m under GDPR for data breach

• The FBI and the Immigration and Customs Enforcement agencies have been using driver’s license photos to feed data to thousands of facial recognition searches.
  • This is without the drivers’ consent, according to this report. This means that these photos of many people are collected even though they haven’t been charged with a crime. Given that this is being done without any explicit legal approval, Congress is gearing up for legislation to regulate these activities. Both San Francisco and Somerville, Massachusetts, have banned police and other municipal agencies from using any facial recognition software. FBI, ICE find state driver’s license photos are a gold mine for facial-recognition searches

• Hackers have compromised the credentials of the GitHub account of Canonical.
  • The company maintains one of the most popular Linux distributions, Ubuntu, and this account is used to post updates to portions of the OS and related apps. No source code was affected and the credentials were swiftly removed. Ubuntu-Maker Canonical’s GitHub Account Gets Hacked

• Perhaps one of the more audacious vulnerabilities was found by a researcher on the Mac Zoom video conferencing client.
  • This is used by 4 million people currently. It turns on your video camera by default, and can be easily exploited by a hacker. The post discusses the issues, why Zoom made the decisions it did and how you can minimize your exposure (pun intended). Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

• Researchers found a phony malware-infested Google Android app on 25 million phones, with half of them in India.
  • Dubbed Agent Smith, it can be very intrusive and stealthy, stealing user credentials. Google has removed the apps from the Play Store. Agent Smith: A New Species of Mobile Malware

• The agency that manages Greece’s top-level internet domain has suffered another breach.
  • It appears to be caused by state-sponsored actors dubbed Sea Turtle. This post describes the current attack, which used DNS hijacking techniques. Hackers breached Greece’s top-level domain registrar and Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques

• A new type of FinSpy mobile implants has been found and linked to the Gamma hacking Group.
  • This malware is an info stealer and its mobile versions have been around since 2012. The latest version can steal data from more smartphone apps on both iOS and Android devices, including recording voice calls. New FinSpy iOS and Android implants revealed ITW

• The Buhtrap hacking group has stepped up its game and is now using a zero-day privilege escalation bug (CVE-2019-1132) for the first time.
  • This post reviews the group’s history and how it has evolved from simple financial crimes into more spying activities. Buhtrap group uses zero‑day in latest espionage campaigns

• Glamoriser hair straighteners have a Bluetooth connection.
  • The smartphone app that connects to the device can be compromised to literally burn down your house with the right code injection. Burning down the house with IoT

Discover trending and viral stories about Private Data breaches Worldwide. The remaining Security breaches made news headlines. All these happened just last week.