Tag: Data breach

TalkTalk fined by ICO

11. August 2017

According to a Press Release from the Information Commissioner’s Office (“ICO”), the TalkTalk Telecom Group (“TalkTalk”) was fined for violating the UK Data Protection Act. More than 21.000 customers could be the victims of scams and frauds.

As a result of an investigation in 2014, the ICO fined TalkTalk 100.000 GPB by failing to protect customer data. The breach was possible because of a lack of security of a portal holding a huge amount of customer data. One company with access to the portal was Wipro, an IT services company in India. 40 employees of Wipro had access to personal data of between 25.000 to 50.000 customers. During the investigation, three accounts were found that had unauthorized access to this portal. The ICO determined that TalkTalk did not ensure the security of the customer data held in this portal. There were different reasons:

  • The portal was accessible via any device. There was no restriction on which devices the portal can be accessed.
  • The search engine of the portal allowed wildcards searches (with * as a placeholder to get many results).
  • The search engine allowed up to 500 results per search.

The access rights were too wide-ranging regarding the high amount of customer data held by the portal. The ICO fined TalkTalk because it breached one of the principles of the UK Data Protection Act by not implementing enough technical and organizational measures.

Category: Personal Data · UK
Tags: , , ,

Nationwide: multistate data breach investigation settled by paying $ 5.5 million

According to Hunton & Williams, on the 9th of August, Nationwide Mutual Insurance Company (“Nationwide”), agreed to pay $ 5.5 million to settle a data breach investigation by attorneys general from 32 states concerning a data breach that exposed personal data of about 1.2 million individuals. They also published the settlement.

In October 2012, Nationwide and its wholly-owned subsidiary Allied Property & Cansualty Insurance Company (“Allied”) experienced a data breach that led to an unauthorized access to and exfiltration of certain personal data of their customers, as well as other consumers. Since Nationwide and Allied provide customers with insurance quotes, inter alia the following personal data are collected: full name, Social Security number, date of birth or credit-related score.

The attorneys general alleged that the data breach occurred when hackers exploited a vulnerability in the companies’ web application hosting software. Further, it is alleged that, after the data was exfiltrated, Nationwide and Allied applied a software patch, that was not previously applied, to address the vulnerability.

Besides the $ 5.5 million Nationwide and Allied agreed to implement a series of steps to update its security practices. Besides other measures that are listed in the settlement a technology officer shall be appointed that should manage and monitor security and software updates to ensure that future patches and other security updates are applied.

The highest sanctions in Europe so far imposed by the Italian DPA

16. March 2017

Ultimately, the Italian police department (in cooperation with Garante – Italian data protection authority) has carried out an investigation, which has revealed a violation of a data protection legislation and specific actions aimed at introducing the legal circulation of money onto the Chinese market.

Four agent companies and one multinational have turned out to split money transfers for remaining sub-threshold under this perspective. Under these circumstances an unlawful massive personal data processing of unaware individuals (payments and senders) has been performed. What is more, some of the records were up to be filed by not existing individuals or even deceased. Other records however, were left blank.

Taking into account all of the gathered facts, which actually indicated that personal data were used in order to unlawfully avoid the money laundering provisions, a wide-ranging Italian data protection authority sanctioning initiative has been launched. As a result, Garante has issued the highest fines ever in Europe.

Given the number of violations of data protection provisions, the Garante has set the whole amount of sanctions up to a total sum of almost 11,000,000 euros (850,000; 1,260,000; 1,590,000 1,430,000 euros for the agent companies and 5,880,000 euros for the multinational company).

It is believed that such a strict data protection authorities sanction will encourage individual data controllers and companies to accelerate their compliance with the upcoming GDPR (May 2018).

Customer passwords from Deutsche Telekom are for sale on the dark web

29. June 2016

Although the company stated this week that is has not been the victim of a cyber attack, account passwords from Deutsche Telekom, a German telecommunication company, are for sale on the dark web.

The respective stolen data was estimated to range from 64,000 records to 120,000 records.

Furthermore, the company hinted that the leaked data was obtained from another source, probably stolen via phishing. In its statement the company said that the sample of records were “real and current”.

The mentioned statement goes on by claiming that the company has 156 million global customers and that it has issued a warning due to the stolen data which suggests that all of its customers change their passwords.

Thomas Kremer, Telekom data privacy head, elaborates: “We want to use the event to promote a regular exchange of passwords”


Twitter: 32 million accounts may have been hacked and leaked

9. June 2016

Hackers may have used malware in order to gain more than 32 million Twitter login-data that are now presumable being sold on the dark web. However, a Twitter spokesman said that “We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”

LeakedSource, a site with a search engine of leaked login credentials, says that the respected data of Twitter contains 32,888,300 records consisting of email addresses, usernames and passwords.

Due to the provided information included in the respected data, for example the fact that passwords are displayed without encryption, LeakedSource stated that the data was collected by malware that has infected internet browsers rather than stolen directly from Twitter. In order to verify that the leaked data is valid, LeakedSource asked 15 users to verify their passwords. All of them confirmed that the passwords were correct.

However, Twitter stated that the hacking of accounts belonging to celebrities was due to the re-use of passwords that were leaked in the LinkedIn and Myspace breaches. A spokesman said that “A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter”.

Whether or not the leaked data is valid, it is recommended to change passwords, not only when using the same password for several accounts.

LinkedIn: Hacker selling 117 million e-mail adresses and passwords

19. May 2016

In 2012 LinkedIn was hacked and 6.5 million encrypted passwords were posted online.

This data breach has now turned out to be far more extensive than originally thoght. This is due to the fact that a hacker called “Peace” is trying to sell account information of 117 million LinkedIn users, including their e-mail addresses and passwords.

The hacked data search engine LeakedSource, has also obtained the data. Although the passwords were originally encrypted, so that a series of random digits were attached to the end of hashes, in order to make them harder to be cracked, LeakedSource claims to have cracked 90 percent of the passwords in 72 hours.

The security researcher Troy Hunt, maintaining the breach notification site “Have I Been Pwned?,”talked to some of the victims of this data breach. Two of them confirmed that they were users of LinkedIn and that the password that Hunt shared with them was indeed the one they were using at the time of the data breach.

LinkedIn confirmed this week that the new data is legitimate:

The company’s chief information security officer Cory Scott stated that “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,“ and went on “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.“ Furthermore, Scott also suggested that in order to keep their accounts as safe as possible, members visit their safety center to learn about enabling two-step verification, and to use strong passwords.

Category: General
Tags: ,

Data from dating website stolen and sold

28. April 2016

As BBC just reported the data of more than a million members of the dating website www.beauftifulpeole.com has been sold online. The traded data not only included the weight, height, job, and phone numbers of members but further more income, sexual preferences, smoking and drinking habits and relationship status. The firm stated that the data belonged to members, who joined before July 2015 and that no passwords or financial information were included.

The data has now been sold on the online black market, said security expert Troy Hunt, an Australian security expert, who runs the website HaveIBeenPwned.com, where people can verify whether their data has been leaked. Although he does not know exactly where or for how much money the data was sold, he stated that by selling data tens of thousands of dollars can be earned, bearing in mind that the data originally can cost as little as $300.

Chris Vickery, security researcher, told the BBC that the affected company acted quickly after notifying them that he had discovered it. However, the data had then already been sold. He went on by saying that “they published it openly to the world with no protection whatsoever”. This is a contradiction to the company’s statement that the content was from a test server. Therefore, Vickery added that “whether or not it’s in the test database makes no difference if it’s real data”. His analysis is further supported as a second researcher had identified the same weakness on the same day.

However in a statement BeautifulPeople said that “the breach involves data that was provided by members prior to mid-July 2015. No more recent user data or any data relating to users who joined from mid-July 2015 onward is affected”.

David Emm, principal security researcher at Kaspersky Lab commented on the stolen and sold data by summarizing “now it’s public, cybercriminals have the opportunity to use this information to steal personal identities or more” and added “unfortunately, once a breach of this nature has been made, there is not much that can be done.”

Emm went by giving the advise that “organisations need to take action and use more data, analytical insights and triangulation of multiple-identity proofing techniques to minimise the potential effects of identity theft for both the user and the businesses serving them”.


Category: USA

Settlement in lawsuit against Sony Pictures Entertainment

11. April 2016

A multimillion-dollar settlement in a class-action lawsuit against Sony Pictures Entertainment filed by former employees, whose personal data was stolen when a data bleach took place, was appoved by an US District Judge last week.

About 437,000 people were affected by the data breach from the time of the 2014 hack through 2017.  In terms of the settlement Sony agreed to provide theft protection and an optional service covering up to $1 million in losses and furthermore, create a fund to cover any additional losses. As the deadline for workers to sign up for credit protection and reimbursement has not yet passed,  the exact amount of money for setteling is not yet available. However, up until today Sony had to pay $7 million in order to notify the people beingt affected by the breach and to establish a fund to compensate them. Nevertheless, this amount does not take millions of dollars into account that Sony had to pay for credit monitoring services and for attorney fees. Until now, 18,000 people have signed up for the mentioned optional service retailing for $350.

During the data breach sensitive personal data concerning current and former Sony Pictures Entertainment employees was stolen and posted online. The data breach was due to hackers, who broke into the company computers and released thousands of emails, documents and sensitive personal information.