Category: Data Breach
25. April 2019
Since May 2016 Facebook uploaded email-contacts without respectively against the will of 1,5 million users.
Facebook itself discovered the mistake in March 2019 and according to it’s own statement has now corrected it. The data was uploaded unintentionally and not shared with third parties. The data will be deleted and Facebook will contact the concerned users.
Facebook was able to read the email-contacts of 1,5 million users, but the concerned amount of data subjects is a lot higher due to that many users have thousands of contacts. Facebook denied that e-mails have been accessed by its employees. It expects a fine of three to five billion dollar in the USA.
29. March 2019
The President of the Polish Supervisory Authority (Personal Data Protection Office, UODO) imposed the first fine for the amount of PLN 943,000, which is around € 220,000.
A Warsaw-based company received this fine for not being compliant with GDPR, particularly for failure to meet the information obligation of Article 14. The fined company commercially processes data from more than six million entrepreneurs, which it obtained from publicly available sources, such as the Central Electronic Register and Information on Economic Activity (CEIDG). The company’s database is often used by banks to verify the creditworthiness of the data subjects. According to the Polish Authority, the company did not provide the data subjects with the information requested in Art. 14 para 1-3 GDPR (e.g. the source of their data, the purpose of the data processing, the data subject’s rights under GDPR), hence the data subjects had no possibility to object to further processing of their data or to request their rectification or erasure.
Out of the six million data subjects only 90 000 were informed by the company via e-mail (more than 12 000 of them objected to the processing of their data). For the remaining subjects (whose e-mails were unknown) the company only presented the information clause on its website and therefore failed to comply with Art. 14 GDPR.
“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity”, said Dr Edyta Bielak-Jomaa, President of UODO. The company claimed that information by registered mail would be associated with disproportionate costs and thus relies on the vaguely worded exception of Art. 14 (5) GDPR, which states that the provision of such information proves impossible or would involve a disproportionate effort. The supervisory authority however, finds this explanation insufficient as they could have called the data subjects or inform them by regular mail.
22. February 2019
Recently around 2.7 million sensitive phone calls were uncovered by Swedish technology news site Computer Sweden. In total, 170,000 hours of conversation were available online on an unencrypted web server. The server had no login mechanism so the recorded calls could be accessed freely.
Sweden operates a national health advice line (1177), which is run by Swedish company Medhelp. For out-of-hour calls they subcontract with a Thailand-based firm called Medicall. According to repords, most of the uncovered calls were made outside the regular times and therefore answered by Medicall. A request from the BBC left Medicall unanswered.
The uncovered data is extremely private as People usually call 1177 seeking medical advice, talking about their symptoms, their kids’ illnesses and giving out their social security number.
The Swedish Data Protection Authority is currently investigating the case.
12. February 2019
After TechCrunch initiated investigations that revealed that numerous apps were recording screen usage, Apple called on app developers to remove or at least disclose the screen recording code.
TechCrunch’s investigation revealed that many large companies commission Glassbox, a customer experience analytics firm, to be able to view their users’ screens and thus follow and track keyboard entries and understand in which way the user uses the app. It turned out that during the replay of the session some fields that should have been masked were not masked, so that certain sensitive data, like passport numbers and credit card numbers, could be seen. Furthermore, none of the apps examined informed their users that the screen was being recorded while using the app. Therefore, no specific consent was obtained nor was any reference made to screen recording in the apps’ privacy policy.
Based on these findings, Apple immediately asked the app developers to remove or properly disclose the analytics code that enables them to record screen usage. Apples App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. In addition, Apple expressly prohibits the covert recording without the consent of the app users.
According to TechCrunch, Apple has already pointed out to some app developers that they have broken Apple’s rules. One was even explicitly asked to remove the code from the app, pointing to the Apple Store Guidelines. The developer was given less than a day to do so. Otherwise, Apple would remove the app from the App Store.
According to the British news website The Register, 620 million accounts from hacked websites are for sale on dark web. For less than $20.000 in Bitcoin, people can buy the stolen accounts on Dream Market, located in the Tor network. Criminals should also be able to buy the copied user data individually. The data comes from hacks from the years 2016 to 2018. Some were already known others now became acquianted.
Among the sixteen hacked websites are the video messaging application Dubsmash (162 million accounts), the diet and exercise app MyFitnessPal (151 million accounts) and the family-tree-tracking service MyHeritage (92million accounts).
As reported by The Register, the account records appear to be legit. The data leak contains e-mail addresses, names and passwords but it does not contain any bank or credit card information and the passwords are encrypted and must therefore be decoded before they can be used.
Depending on the affected side, there are also a few other categories of personal information such as social media authentication tokens. It can be expected that the vendees will use the data for credential stuffing attacks. In such attacks, attackers try out lists with email password pairs at various online services to hack accounts. These attacks are made possible because many users reuse the same password across many websites.
The seller told The Register that they possess one billion accounts in total and that their aim is to make “life easier” for hackers. The seller said “I don’t think I am deeply evil, I need the money. I need the leaks to be disclosed […] I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”
Update: 127 million more stolen accounts appeared a few days ago. Affected sites include architecture, interior and designe website Houzz (57 million records), live-video streaming site YouNow (40 million records) and travel booking site Ixigo (18 million records). This data is sold by the hacker for a total of $14,500 in Bitcoin.
31. January 2019
Healthcare insurer Aetna will have to pay a 935,000$ fine after letters had been sent to nearly 12.000 patients in 2017, disclosing highly sensitive information on the windows of the envelopes.
The information revealed that the recipients were taking HIV-related medications.
In addition, the insurance company will have to complete privacy risk assessments annualy for three years.
The patients have received compensation through a private class action settlement.
18. January 2019
An 87 gigabyte dataset with stolen login information has appeared on the Internet. This affects 773 million e-mail addresses and over 21 million passwords.
According to initial information, the data do not originate from a single hack, but have been gathered from various hacks. The data set contains information from 12,000 domains and various web services.
The existence of the data set was made public by the Australian IT security expert Troy Hunt on his homepage, who calls it Collection #1. The expert writes that he was first made aware of the record by acquaintances and that the data was originally available from a file hosting provider, where it can no longer be found.
You have the option of checking for yourself whether your data is affected. To check this, simply enter your own address in the search field and click on “pwned?”. The verification service published by the Australian security researcher Troy Hunt is considered trustworthy by the Federal Office for Information Security (BSI). If you are affected, we recommend that you change your password as soon as possible.
15. January 2019
Massachusetts’ data breach law has been significantly amended by the legislation signed by Gov. Charlie Baker on 10th January becoming effective as of 11th April this year. An overview of the key changes can be found following.
The amended law requires companies to provide certain additional information when notifying the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation about a breach of security or the reasonable believe of the existence such a breach. This information include, but are not limited to “the nature of the breach of security or unauthorized acquisition or use”, the types of personal information compromised (e.g. social security numbers), “the number of residents affected by the incident at the time of notification”, the person responsible for the breach – if known -, and whether the entity maintains a written information security program according to Massachusetts 201 CMR § 17.03.
A further update concerns the notice of the affected individuals. The amended law explicitly sets out a rolling notification to individuals under certain circumstances and prohibits therefore a company from delaying notice to affected individuals referring to the ground that the total number of individuals affected has not yet been determined. “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”
If the company experiencing a data security incident is owned by another entity, the particular notification to the affected individual must specify “the name of the parent or affiliated corporation”.
Another significant change to the data breach law refers to the requirement of providing an offer of complimentary credit monitoring for “a period of not less than 18 months” (42 months, if the company is a consumer reporting agency) when a Massachusetts resident’s Social Security number has been compromised, or is reasonably believed to have been compromised, in a data security incident. Also, Companies must certify their credit monitoring services to the Massachusetts attorney general and the Director of the Office of Consumer Affairs and Business Regulation in order to demonstrate compliance with the respective Massachusetts state law. Companies must eventually provide the credit monitoring services at no costs to the affected residents and are prohibited from asking them to waive their right to a private action as a condition for the reception of such services.
However, when these amendments become effective, beside Connecticut and Delaware, Massachusetts will have become one of those states providing a credit monitoring obligation when residents’ Social Security numbers are concerned by a breach of security. In fact, according to Public Act No. 18-90 that substitutes Senate Bill No. 472, Connecticut recently increased the required period of credit monitoring to be provided to the affected individuals from 12 to 24 months.
8. January 2019
Following the hacker attack on hundreds of politicians and celebrities, investigators have arrested a 20-year-old suspect today. The apartment of the suspect had been searched and he has been taken into custody. This was reported by the central agency of the attorney general in Frankfurt am Main (Zentralstelle zur Bekämpfung der Internetkriminalität der Generalstaatsanwaltschaft Frankfurt am Main) and the Federal Criminal Police Office (BKA).
On January 7, prior to the arrest, the household of a 19-year-old IT worker, who is being treated as a witness, was searched and technical equipment was confiscated. He claimed that he knows the hacker.
On Friday, January 4, Germany’s Federal Office for IT Safety (BSI) revealed that it was investigating a data leak concerning hundreds of German politicians, journalists and celebrities published on the platform Twitter. The authorities were working together with the Irish Data Protection Commissioner to stop the spreading of the affected data. The hack targeted all of Germany’s political parties represented in the federal parliament at the moment, except for the far-right Alternative for Germany (AfD).
The data was published via a Twitter account, followed by more than 17,000 people at the time, in the style of an advent calendar over the course of December 2018. It included mobile phone numbers, contact info and private chats. Furthermore, ID cards as well as banking and financial details, for example credit card details, were leaked.
7. January 2019
Marriott International Inc, the world’s largest hotel company, based in the USA, which was hit by a data breach in 2018, has announced new information regarding the breach in which unauthorized access to the Marriott subsidiary Starwood’s reservation database was made (we reported).
Contrary to initial statements, not 500 million records of hotel guests but only 383 million are affected. It should be noted that for a guest who has stayed several times in one of the hotels belonging to the Marriott Group, there is one record for each overnight stay. According to this, not 383 million people were affected, but fewer. However, the Marriott Group cannot give the exact number of people affected.
In addition to the corrected number of victims, Marriott announced that some confidential data such as passport and credit card numbers were unencrypted. About 5,25 million unencrypted and about 20,3 million encrypted passport numbers could be viewed by unauthorized persons. According to the company, the master key for decryption was not copied.
In addition, around 8,6 million encrypted credit card numbers were affected, of which only 345.000 were still valid. Here, too, the master key could not be captured. At the moment, it is still being investigated whether credit card numbers entered in the wrong fields and thus stored unencrypted are affected.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 Next 
