Category: Cyber security

Massive data attack targeting hundreds of German politicians and celebrities

8. January 2019

Following the hacker attack on hundreds of politicians and celebrities, investigators have arrested a 20-year-old suspect today. The apartment of the suspect had been searched and he has been taken into custody. This was reported by the central agency of the attorney general in Frankfurt am Main (Zentralstelle zur Bekämpfung der Internetkriminalität der Generalstaatsanwaltschaft Frankfurt am Main) and the Federal Criminal Police Office (BKA).

On January 7, prior to the arrest, the household of a 19-year-old IT worker, who is being treated as a witness, was searched and technical equipment was confiscated. He claimed that he knows the hacker.

On Friday, January 4, Germany’s Federal Office for IT Safety (BSI) revealed that it was investigating a data leak concerning hundreds of German politicians, journalists and celebrities published on the platform Twitter. The authorities were working together with the Irish Data Protection Commissioner to stop the spreading of the affected data. The hack targeted all of Germany’s political parties represented in the federal parliament at the moment, except for the far-right Alternative for Germany (AfD).

The data was published via a Twitter account, followed by more than 17,000 people at the time, in the style of an advent calendar over the course of December 2018. It included mobile phone numbers, contact info and private chats. Furthermore, ID cards as well as banking and financial details, for example credit card details, were leaked.

Update regarding the data breach at Marriott

7. January 2019

Marriott International Inc, the world’s largest hotel company, based in the USA, which was hit by a data breach in 2018, has announced new information regarding the breach in which unauthorized access to the Marriott subsidiary Starwood’s reservation database was made (we reported).

Contrary to initial statements, not 500 million records of hotel guests but only 383 million are affected. It should be noted that for a guest who has stayed several times in one of the hotels belonging to the Marriott Group, there is one record for each overnight stay. According to this, not 383 million people were affected, but fewer. However, the Marriott Group cannot give the exact number of people affected.

In addition to the corrected number of victims, Marriott announced that some confidential data such as passport and credit card numbers were unencrypted. About 5,25 million unencrypted and about 20,3 million encrypted passport numbers could be viewed by unauthorized persons. According to the company, the master key for decryption was not copied.

In addition, around 8,6 million encrypted credit card numbers were affected, of which only 345.000 were still valid. Here, too, the master key could not be captured. At the moment, it is still being investigated whether credit card numbers entered in the wrong fields and thus stored unencrypted are affected.

Data Protection Commission announces statutory inquiry into Facebook

17. December 2018

The Irish Data Protection Commission announced in a press release on  December 14, 2018 that it had initiated a statutory inquiry into Facebook.

Due to the frequent, especially in the recent past, data breaches of the American company and the total number of reported data breaches since the GDPR came into force on May 25, 2018, the Irish Data Protection Commission has initiated an investigation into compliance with the relevant provisions of the GDPR against Facebook.

In recent weeks, reports of renewed breaches of data protection by Facebook have continued.

Most recently, it became known that the Italian competition authority AGCM had imposed a fine of 10 million euros on Facebook because the company had passed on data to other platforms without the express consent of the users and that a bug in the programming interface for picture processing led to third-party apps having access to pictures of 6.8 million Facebook users, some of which had not even been published by the users.

Marriott International – data breach affecting 500 million customers

3. December 2018

Marriott International Inc., the world’s largest hotel company, was hit by a data breach affecting up to 500 million customers.

Marriott said it has found a data breach in the Starwood guest reservation database regarding the hotels ‘Westin’, ‘Sheraton’, ‘Le Méridien’, ‘St. Regis’ and ‘W Hotels’. The main brand Marriott does not belong to it. Marriot had bought its competitor Starwood in 2016 and thus obviously their security gap at the same time.

Up to 500 million customers may have been affected by the breach and, of those impacted, roughly two-thirds had their names, addresses, phone numbers, email addresses, passport numbers and duration of stay compromised. It is also possible that payment card information were caught in the breach.

An internal tool alerted a potential data breach on September 8th, 2018. An investigation subsequently initiated revealed that the guest database may have been compromised since 2014. At the moment Marriott could not rule out the possibility that the files needed for decryption had also been stolen. This would mean that the attackers could also use the stolen data to, for example, shop with them.

As a result, Starwood’s IT systems will be phased out.

Since Friday, those affected have also been informed and customer can find out more on the website.

LinkedIn processed 18 million non-user email addresses to target Facebook advertisings

28. November 2018

The business and employment-oriented service LinkedIn processed the email addresses of 18 million non-members and targeted them with advertising on Facebook without permission.

A non-LinkedIn user issued a complaint to the Data Protection Commission that their email address had been obtained and used by the organisation for the purposes of targeted advertising on Facebook. Within Ireland’s Data Protection Commission the concerns grew regarding LinkedIn’s processing of personal data of non-users. Therefore, the office conducted an audit of the multinational LinkedIn Ireland, home to the company’s EU headquarters, and stated that it used million of e-mail addresses of non-users.

Also involved is LinkedIn Corp in the US, which processes data on behalf of LinkedIn Ireland. They targeted – by means of 18 million addresses – the individuals in Facebook. According to the commissioner’s annual report LinkedIn in the US carried out the processing in the absence of instructions from LinkedIn in Ireland (the controller). Said annual report covers the period from January 1st to May 24th 2018. Then the old office of the Data Protection Commissioner ceased to exist due to the General Data Protection Regulation. The new Data Protection Commission came into existence on May 25th 2018.

Facebook: private messages from more than 81.000 people for sale

5. November 2018

According to a BBC report, more than 81.000 Facebook profiles were hacked. Private messages and other information was offered for 10 cents per account.

The BBC had the allegations checked by the IT security company Digital Shadows, who confirmed that over 81.000 of the profiles posted online contained private messenger messages. Furthermore, data from more than 176.000 accounts, including e-mail addresses and telephone numbers were available. This information did not necessarily have to come from a hack, as some of it was also open on public Facebook profiles

The BBC Russian Service also emailed the address that offered the data. The respondent – someone called “John Smith”- wrote that the offered data was neither from profiles involved in the Cambridge Analytica scandal nor of the recent security breach revealed in September. He said that his hacker group could offer data from 20 million users, of whom 2.7 million were Russians. But Digital Shadows doubts this because Facebook should have noticed such a big leak.

Facebook reported that its security has not been compromised. The data might be obtained through malicious browser extensions. According to Facebook executive Guy Rosen, they “have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores”.

 

France: Intelligence agency officer caught selling sensitive police data

9. October 2018

A massive case of misuse of confidential data from security authority surveillance systems has been uncovered in France. After the French customs tracked down an illegal marketplace called “Black Hand” in June, the investigators also found data that was sold by an anonymous user called “Haurus”. Haurus sold for example confidential documents and information from national police databases.

Meanwhile the investigators gleaned the identity of the hacker with the help of specific codes attached to the data. According to French newspaper “Le Parisien”, Haurus is an officer at the “Direction générale de la sécurité intérieure” (DGSI), a French intelligence agency. The DGSI is normally in charge of counter-terrorism, countering cyber-crime and surveillance of potentially threatening groups and organisations.

According to the reports, the agent offered services in exchange for bitcoin. For example, he advertised to track the location of buyer’s gang rivals or spouses based on the telephone number or he offered to tell them, if the French police tracked them. The investigators believe that he used the resources, which the French police uses to track criminals.

Haurus was arrested at the end of September and faces up to seven years in prison and a fine up to 100.000€.

Category: Cyber security · EU
Tags: ,

Facebook may face up to $1.63 Billion Fine in Europe after Data Breach

2. October 2018

Ireland’s Data Protection Commission, the company’s lead privacy regulator in the EU, could fine Facebook Inc. up to $1.63 billion for a data breach disclosed Friday, reports the Wall Street Journal. Hackers compromised the accounts of at least 50 million users, bypassing security measures and possibly giving them full control of both profiles and linked apps.

The Commission is now requesting more information on the scale and nature of the data breach in order to find out which EU residents could be affected. Facebook announced that it would respond to follow-up questions. The incident results in the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data and is a severe setback to their efforts to regain trust after a series of privacy and security breaches.

The way in which this data breach is handled by data protection authorities could mark one of the first important tests under the GDPR, which came into force in May earlier this year. The handling could provide conclusions regarding the application of breach-notifications and data-security provisions by companies in the future.
The law requires companies to notify data protection authorities of breaches within 72 hours, under threat of a maximum fine of 2% of worldwide revenue. Furthermore, under the GDPR companies that fail to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Taking the larger calculation as a basis Facebook’s maximum fine would be $1.63 billion.

Teenager hacked Apple’s internal network

22. August 2018

A 16-year-old boy from Melbourne, Australia broke into Apple‘s internal computer systems and downloaded 90GB of data, as reported by Australian newspaper The Age. The teenager acquired possession of “authorised keys“ and had access to Apple’s network for approximately a year.

Last year Apple reported the incident to the FBI who then pointed it out to the Australian Federal Police (AFP). They found the sensitive documents in a computer folder named “hacky hack hack“. Apple succeeded to keep this incident out of media until the court proceedings last week.

The 16-year-old boy has pleaded guilty. According to his lawyer, the teenager broke into the network because he is a huge apple fan who wants to work for the company in the future. A verdict is expected at the end of September.

Apple is now trying to reassure its customers. According to a spokesman of the company, no personal data was compromised.

Pages: Prev 1 2 3 4 5 Next
1 2 3 4 5