Category: Cyber Security

UK Ministry of Defence Data Breaches put more than 300 Afghans in Danger

23. September 2021

On Monday, 20 September 2021 the UK Ministry of Defence launched an investigation into a recent data breach. The breach has affected more than 250 Afghan interpreters who have cooperated with Western forces in Afghanistan and who have applied for relocation to the UK. The Ministry sent an e-mail to these Afghan individuals who are still in Afghanistan and are reportedly eligible for relocation. The e-mail included all e-mail addresses, names, and some associated profile pictures in copy (“cc”) instead of blind copy (“bcc”), thus exposing the personal information to all recipients. It was reported that some Afghans have sent reply e-mails to all recipients in the mailing list, even sharing details about their current personal situation.

The following Tuesday, Britain’s Defence Minister Ben Wallace apologised for the data breach publicly in Parliament. He explained that he is aware of the compromise of safety of the Afghan interpreters and has suspended an official as a result of the breach. Upon discovery, the Ministry sent out another e-mail advising the affected individuals to delete the previous e-mail and to change their e-mail addresses. Additionally, the Ministry of Defence will offer extra support to those affected by the incident. The Minister also stated that correspondence processes have already been changed.

In the meantime, a second data breach by the Ministry of Defence was uncovered on Wednesday. This time, an e-mail was sent to 55 people requesting them to update their details after the UK officials were unable to contact them. At least one of the recipients is a member of the Afghan National Army. Again, the e-mail was sent with all recipients in “cc” and not in “bcc”.

Military experts and politicians have criticised the Ministry for the data breaches which unnecessarily endanger the safety of Afghans, many of whom are hiding from the Taliban. The investigation into data handling by the “Afghan Relocation and Assistance Policy” team within the Ministry of Defence is still ongoing, a spokesperson of the Ministry has said.

Microsoft informs Azure customers about major vulnerability

31. August 2021

Microsoft notified several thousand customers of its Azure cloud service on Aug. 26, 2021, about a serious security vulnerability that allows unauthorized parties to gain full access to customers’ cloud databases. The vulnerability affects the multi-model NoSQL database CosmosDB, which is one of the cloud service’s key products. Microsoft says it has since closed the gap, but affected customers must take steps themselves to prevent unauthorized access.

As Reuters reports, a research team specializing in security from security firm Wiz discovered the vulnerability in the Azure security infrastructure, which allowed them to gain access to access keys, giving them full access to multiple companies’ databases. The vulnerability was discovered by the researchers on August 9th and reported to Microsoft on August 12th,2021. Wiz later published a blog post explaining the vulnerability. Primary read-write keys allow full access to customer databases. Through a feature called Jupyter Notebook, which was integrated into CosmosDB in 2019, it was possible to gain access to such keys from CosmosDB customers. This made it possible to read, modify and even delete all primary databases. CosmosDB is used by a number of Fortune 500 companies to manage massive amounts of data from around the world in near real-time.

According to Microsoft, the vulnerability was fixed immediately, and no evidence was found that anyone other than Wiz had accessed customer data. Still, Microsoft itself cannot change access keys, so affected customers were emailed on Aug. 26 to change their keys. However, the problem may have affected customers who were not notified. Microsoft has told Wiz that it will pay out $40,000 for reporting the vulnerability.

If you have received a notice from Microsoft and one of your databases is affected that contains personal data, you must assess whether you are required to report this incident to the relevant data protection supervisory authority within 72 hours in accordance with Article 33 of the GDPR. If you believe your organization may be impacted by ChaosDB, please follow the steps described by Wiz in this blog post for detailed instructions on how to protect your environment.

This incident marks the third major security incident involving Microsoft products within 12 months, following the so-called “SolarWinds” hack in December 2020 (please see our blog post) and a large-scale hack of Microsoft Exchange in March 2021 (please see our blog post).

Google Play Store apps soon obliged to provide privacy notices

20. August 2021

On the Android Developers Blog, Google has announced further details for the upcoming new safety section in its Play Store. It aims at presenting the security of the offered apps in a simple way to give users a deeper insight into privacy and security practices of the developers. This should allow users to see what data the app may be collecting and why, even before the installation. In order to achieve this, apps in the Google Play Store will be required to publish the corresponding information in the safety section.

The new summary will be displayed to users on an app’s store listing page. It is intended to highlight details such as:

  • What type of data is collected and shared, e.g. location, contacts, name, email address, financial information,
  • How the data will be used, e.g. for app functionality or personalization,
  • Whether the data collection is optional or mandatory for the use of an app,
  • Security practices, e.g. data encryption,
  • Compliance with the family policy,
  • Validation from an independent source against a global security standard.

To support the safety section, policy changes are being made which should lead to more transparency to users. Thus, all developers will be required to provide a privacy notice. Previously, only apps that collected personal and sensitive user data had to do so. The innovation applies to all apps published on Google Play, including Google’s own apps.

Developers will be able to submit information to the Google Play Console for review in October. However, by April 2022 at the latest, the safety section must be approved for their apps. The reason for this is that the new section is scheduled to be rolled out and visible to users in Q1 2022.

Aside from sharing additional information for developers on how to get prepared, Google has also assured that more guidance will be released over the next few months.

China intensifies data protection of companies

15. July 2021

The state leadership in Beijing is tightening its data protection rules. Chinese driving service provider Didi has now become the subject of far-reaching data protection regulatory measures. Other companies could soon be affected as well.

For months now, Chinese regulators and ministries in China have been issuing a slew of new regulations that not only affect tech companies, but are also directed at how companies handle data in general.

A prime example of China’s “new” data protection policy can be seen in Didi’s public launch on the New York Stock Exchange. The Uber rival only went public for a few days and was urged by the Chinese authorities to remove its app from the app store before the end of the week. The reason for this is reported to have been serious data protection violations by the company, which are now being investigated. The company is said to have processed the collection and use of personal data by the company in a privacy-hostile manner.

Didi was ordered to comply with legal requirements and adhere to national standards. It should also ensure that the security of its users’ personal data is effectively protected.

The announcement had sent shares of the stock market newcomer crashing by more than 5% as of Friday. The news also caused tech stocks to fall on Asian exchanges.

Didi is the nearly undisputed leader among ride-hailing services in China, with 493 million active users and a presence in 14 countries.

Beijing’s new data protection

The actions of Chinese authorities or the Chinese leadership against tech companies speak for a rethinking of the Chinese leadership in terms of data protection.

Initially, there is much to suggest that the state leadership wants to get companies more under control. This is also to prevent third countries from obtaining data from Chinese companies and to prevent Chinese companies from installing themselves abroad.

According to reports, a document from the State Council in Beijing indicates that stricter controls are planned for Chinese companies that are traded on stock exchanges abroad. Capital raised by emerging Chinese companies on foreign stock markets, such as in New York or Hong Kong, will also be subject to more stringent requirements. Especially in the area of “data security, cross-border data flow and management of confidential information”, new standards are to be expected.

However, the aim seems also to better protect the data of Chinese citizens from unauthorized access by criminals or excessive data collection by tech groups and companies.
This is supported by the fact that the Chinese leadership has introduced several rules in recent years and months that are intended to improve data protection. Although the state is not to cede its own rights here, citizens are to be given more rights, at least with respect to companies.

The introduction of the European General Data Protection Regulation also forced Chinese technology companies to meet global data protection standards in order to expand abroad.

China’s data protection policy thus seems to be a contradiction in terms. It is a step towards more protection of the data subjects and at the same time another step towards more control.

British Airways could reach a settlement over the 2018 data breach

7. July 2021

Back in 2018 British Airways was hit by a data breach affecting up to 500 000 data subjects – customers as well as British Airways staff.

Following the breach the UK’s Information Commissioners Office (ICO) has fined British Airways firstly in 2019 with a record fine of £183.000.000 (€ 205.000.000), due to the severe consequences of the breach. As reported beside inter alia e-mail addresses of the concerned data subjects also credit card information have been accessed by the hackers.

The initial record fine has been reduced by the ICO in 2020 after British Airways appealed against it. The ICO announced the final sanction in October 2020 –  £20.000.000 (€ 22.000.000). Reason for the reduction has been inter alia the current COVID-19 situation and it’s consequences for the Aviation industry.

Most recently it has been published that British Airways also came to a settlement in a UK breach class action with up to 16 000 claimants. The details of the settlement have been kept confidential, so that the settlement sum is not known, but the law firm, PGMBM, representing the claimants, as well as British Airways announced the settlement on July 6th.

PGMBM further explains, that the fine of the ICO “did not provide redress to those affected”, but that “the settlement now addresses” the consequences for the data subjects, as reported by the BBC.

The rising threat of Ransomware

28. June 2021

Ransomware attacks are on a steep rise as the global pandemic continues. According to the cybersecurity firm SonicWall, there were more than 304 million attempted ransomware attacks tracked by them in 2020, which was a 62 percent increase over 2019. During the first five months of 2021, the firm detected another 116 percent increase in ransomware attempts compared to the same period in 2020. Another cybersecurity firm called Cybereason found in a recent study interviewing nearly 1,300 security professionals from all around the world that more than half of organisations have been the victim of a ransomware attack, and that 80 percent of businesses that decided to pay a ransom fee suffered a second ransomware attack, often times by the same cybercriminals.

Ransomware is a type of malicious software, which encrypts files, databases, or applications on a computer or network and perpetually holds them hostage or even threatens to publish data until the owner pays the attacker the requested fee. Captivated data may include Personal Data, business data and intellectual property. While Phishing attacks are the most common gateway for ransomware, there are also highly targeted attacks on financially strong companies and institutions (“Big game hunting”).

Alluding to the industry term Software-as-a-Service (SaaS), a new unlawful industry sub-branch has emerged in recent years, which according to security experts lowered the entrance barriers to this industry immensely: Ransomware-as-a-Service (RaaS). With RaaS, a typical monthly subscription could cost around 50 US-Dollars and the purchaser receives the ransomware code and decryption key. Sophisticated RaaS offerings even include customer service and dashboards that allow hackers to track the status of infections and the status of ransomware payments. Thus, cybercriminals do not necessarily have to have the technical skills themselves to create corresponding malware.

Experts point to various factors that are contributing to the recent increase in Ransomeware attacks. One factor is a consequence of the pandemic: the worldwide trend to work from home. Many companies and institutions were abruptly forced to introduce remote working and let employees use their own private equipment. Furthermore, many companies were not prepared to face the rising threats with respect to their cybersecurity management. Another reported factor has been the latest increase in value of the cryptocurrency Bitcoin which is the preferred currency by criminals for ransom payments.

Successful Ransomware attacks can lead to personal data breaches pursuant to Art. 4 No. 12 GDPR and can also lead to the subsequent obligation to report the data breach to the supervisory authorities (Art. 33 GDPR) and to the data subjects (Art. 34 GDPR) for the affected company. Businesses are called to implement appropriate technical and organisational measures based on the risk-based approach, Art. 32 GDPR.

Earlier this month, the Danish Data Protection Authority provided companies with practical guidance on how to mitigate the risk of ransomware attacks. Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems when faced with ransomware may include providing regular trainings for employees, having a high level of technical protection of systems and networks in place, patching programs in a timely manner, and storing backups in an environment other than the normal network.

New details on alleged spying on allies by the NSA

18. June 2021

It has been known for years that the US National Security Agency (NSA) had been targeting leading politicians. But now new details of the spying operation are coming to light. Several European media investigated the case and found out that the NSA had been using Danish underwater internet cables from 2012 to 2014 to eavesdrop on leading European politicians. It was only through the research that the members of the governments learned of the spying. With regard to this, questions arose, whether Denmark was involved and knew about the operation. Now various European countries demand answers to the allegations.

The media reports revealed that the Danish Defence Intelligence Service (DDIS) had helped the NSA to wiretap European politicians (in German) by allowing the NSA to use the secret Sandagergårdan listening post near Copenhagen. An important internet hub for various underwater cables was then tapped there. The NSA apparently got access to text messages, telephone calls and internet traffic including searches, chats and messaging services.

Following the revelations by former NSA contractor Edward Snowden and a subsequent investigation by a secret internal working group at DDIS, the Danish-US cooperation in the surveillance of European neighboring countries was documented in an internal report of DDIS in 2015. However, the findings have not been disclosed until today. Nevertheless, the Danish government has probably known about the spying operation since 2015 at the latest. More than that, the surveillance apparently also targeted Denmark itself (in German), including the Ministry of Foreign Affairs and the Ministry of Finance.

Danish Defence Minister Trine Bramsen was informed about the spying in August 2020. In the wake of that, some DDIS employees were fired, without a full explanation being released. The government said at the time that an audit had raised suspicions of illegal surveillance by DDIS. In October 2020, the Danish Ministry of Justice ordered a commission of inquiry into the operations at DDIS. Its conclusions are due at the end of 2021.

French President Emmanuel Macron and German Chancellor Angela Merkel, being among those affected by the espionage, made clear that such tactics were not acceptable between allies. Norwegian Prime Minister Erna Solberg and Swedish Defence Minister Peter Hultqvist agreed with the statements. While emphasizing the value of relations between Europeans and Americans, they insisted on explaining the case by the two accused countries. Neither of the intelligence services would comment on the allegations. The Danish Defence Minister only stated in general terms that systematic wiretapping of close allies was unacceptable.

Microsoft Exchange Target of Hacks

29. March 2021

Microsoft’s Exchange Servers are exposed to an ever-increasing number of attacks. This is the second major cyberattack on Microsoft in recent months, following the so-called SolarWinds hack (please see our blog post). The new attacks are based on vulnerabilities that have been in the code for some time but have only recently been discovered.

In a blog post published on March 2nd, 2021, Microsoft explains the hack and a total of four found vulnerabilities. The first vulnerability allows attackers to gain access to a Microsoft Exchange Server, the second vulnerability allows them to execute their code on the system, and the third and fourth vulnerabilities allow the hacker write access to arbitrary files on the server. Microsoft Exchange Server versions 2019, 2016, 2013 and 2010 are affected, and Microsoft released a security update for all of them on March 2nd, even though support for Microsoft Exchange Server 2010 ended in October 2020.

Reportedly, Microsoft was informed about the vulnerability in January. Since then, a growing number of hacker groups have started to use the exploit. The initial campaign is attributed to HAFNIUM, a group believed to be state-sponsored and operating out of China. According to Microsoft, the vulnerabilities have been in the code for many years without being discovered. Only recently has Microsoft become aware of these vulnerabilities and begun working on them. Microsoft shared information on the vulnerability through the Microsoft Active Protections Program (Mapp), where they share information with a group of 80 security companies. The attacks began shortly after Microsoft began working to resolve the vulnerabilities. There are many similarities between the code Microsoft shared through Mapp and the code the attackers are using.

In an article about a recently published One-Click Exchange On-premises Mitigation Tool (EOMT), Microsoft developers describe how admins can secure Exchange servers against the current attacks within a very short amount of time. The tool only serves as an initial protective measure. For comprehensive protection, available security updates must be installed. In addition, it must be checked whether the hackers have already exploited existing gaps to leave behind backdoors and malware. This is because the updates close the gaps, but do not eliminate an infection that has already occurred. Hackers often do not use gaps immediately for an attack, but to gain access later, for example for large-scale blackmail.

Under the General Data Protection Regulation (GDPR), organizations affected by an attack on personal data must, in certain circumstances, report such an incident to the relevant supervisory authority and possibly to the affected individuals. Even after a successful patch, it should be kept in mind that affected organizations were vulnerable in the meantime. Pursuant to Art. 33 of the GDPR, system compromises that may affect personal data and result in a risk to data subjects must be notified to the competent supervisory authority. For such a notification, the time of discovery of the security breach, the origin of the security breach, the possible scope of the personal data affected, and the first measures taken must be documented.

SMS flaw lets hackers take control of individuals’ phones for $16

24. March 2021

Hackers have discovered a new method of gaining access to individuals’ mobile devices via text message rerouting, Vice reports. Apparently, all it takes is $16 to retrieve a person’s messages from a third-party provider and then take over the phone number and, with it, various associated accounts.

All of that is possible due to a text messaging service called Sakari that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns. The company lets business users import their own phone number in order to be contacted by the businesses. However, the service has a significant security vulnerability. Its use is enabled by purchasing Sakari’s $16 per month plan and then filling out a document saying that the signer has authority to change phone numbers. Although the document points out that the user should not conduct any unlawful, harassing or inappropriate behavior, there is no subsequent call or text notification from Sakari asking the user to confirm the consent to the transfer. That’s why it is largely effortless to simply sign up with another person’s phone number and receive their text messages instead. From that moment on, it can be trivial to hack into other accounts associated with that phone number by sending login requests, as they rely on SMS codes.

This overlooked security flaw shows how frighteningly easy it is to gain access to the tools necessary to seize phone numbers. It requires less technical skill or knowledge than, for instance, SIM jacking. It demonstrates not only the insufficient regulation of commercial SMS tools but also gaping holes in the telecommunications infrastructure, since a hacker only needs to pretend having the user’s consent.

The attack method has implications for cybercrime and poses an enormous threat to safety and security. It enables criminals to harass people, drain their bank account, tear through their digital lives or intercept sensitive information or personal secrets. At this time, it is not clear to what extent this attack method is being applied to mobile numbers.

CTIA, a trade association representing the wireless industry, stated that they immediately launched an investigation into the matter and took precautionary measures. Adam Horsman, co-founder of Sakari, responded to the insufficient authentication of their customers by saying that Sakari added a security feature where a number will receive an automated call in order to confirm the consent given. Moreover, Sakari will verify all existing text-enabled numbers. But Sakari is just one company. And there are plenty of others in this industry. As this method raises serious concerns, it is important for mobile carriers to do more to protect their customers’ privacy and security, such as notifications when registering a new device or a two-factor-authentication.

Data Breach made 136,000 COVID-19 test results publicly accessible

18. March 2021

Personal health data are considered a special category of personal data under Art. 9 of the GDPR and are therefore given special protections. A group of IT experts, including members of the German Chaos Computer Club (CCC), has now revealed security gaps in the software for test centres by which more than 136,000 COVID-19 test results of more than 80,000 data subjects have apparently been unprotected on the internet for weeks.

The IT-Security experts’ findings concern the software “SafePlay” of the Austrian company Medicus AI. Many test centres use this software to allocate appointments and to make test results digitally available to those tested. In fact, more than 100 test centres and mobile test teams in Germany and Austria are affected by the recent data breach. These include public facilities in Munich, Berlin, Mannheim as well as fixed and temporary testing stations in companies, schools and daycare centres.

In order to view the test results unlawfully, one only needed to create an account for a COVID-19 test. The URL for the test result contained the number of the test. If this number was simply counted up or down, the “test certificates” of other people became freely accessible. In addition to the test result, the test certificate also contained the name, date of birth, private address, nationality and ID number of the person concerned.

It remains unresolved whether the vulnerabilities have been exploited prior to the discovery by the CCC. The CCC notified both Medius AI and the Data Protection Authorities about the leak which led to a quick response by the company. However, IT experts and Privacy-focused NGOs commented that Medicus AI was irresponsible and grossly negligent with respect to their security measures leading to the potential disclosure of an enormous amount of sensitive personal health data.

Pages: 1 2 3 4 5 6 7 8 9 Next
1 2 3 9