The CyberWire Pro Privacy Briefing for 1.15.20

Summary

By the CyberWire staff

Western Australian bank P&N suffered a data breach in the course of a server upgrade, ZDNet reports. The bank says the information was stolen, not merely exposed, and that names, addresses, email addresses, phone numbers, customer numbers, ages, account numbers, and account balances were among the data at risk. Records of the banks interactions with customers may also have been compromised. Elad Shapira, Head of Research for Panorays says, “The cyber incident at P&N Bank illustrates how organizations can be susceptible to data breaches through their third parties. In this case, the bank was performing a server upgrade when attackers stole data through a hosting provider.... Cyberattacks such as this one, demonstrate why it’s not enough for organizations to assess their own systems; they must also assess the risk posed by connecting with third parties.”

A ransomware attack should now be treated as a data breach until proven otherwise. Ransomware operators are increasingly stealing files before they encrypt them, and they're threatening to release those files publicly as a way of pressuring the victims to pay. The Nemty ransomware gang is the latest to do so. According to BleepingComputer, Nemty will follow the example set by Maze and Sodinokibi. The extortionists say they've set up a site where they can dump files stolen from victims who don't pay quickly enough.

Hackers are also moving immediately to extortion when they obtain medical information. HealthIT Security reports that patients of the Center for Facial Restoration, located in Florida, are being shaken down for the return of their stolen medical data. The clinic itself is also the target of extortion.

The news may originate in Norway, but Consumer Reports thinks it should be taken seriously everywhere: popular dating apps are sharing "intimate details" of their users. The sharing isn't salacious; it's commercial. The data are going to big advertising platforms who use the information so obtained not for the delectation of their watchstanders, but rather to enable them to serve up ads targeted with rifleshot accuracy at the frisky or lovelorn.

Selected Reading

Chrome's privacy protections start arriving later this year (CNET) Google's online ad business benefits from harvesting your personal data, but its browser team is pushing to make the web private by default.

Nemty Ransomware to Start Leaking Non-Paying Victim's Data (BleepingComputer) The Nemty Ransomware has outlined plans to create a blog that will be used to publish stolen data for ransomware victims who refuse to pay the ransom.

49 million user records from US data broker LimeLeads put up for sale online (ZDNet) Data from an exposed LimeLeads Elasticsearch server ends up on a hacking forum.

Experts warn Grindr, other dating apps may pose national security risk (NBC News) NBC News analyzed four popular dating apps, including Tinder and Hinge, finding each collect a range of personal information.

Hackers Demand Ransom From Patients After Breaching Florida Clinic (HealthITSecurity) Hackers breached the server of The Center for Facial Restoration and stole complete medical records of some current and former patients, then demanded a ransom payment from the provider and patients.

Opinion: LifeLabs finally got around to telling me my data was (possibly) hacked (Burnaby Now) I’m a Lifelabs customer who gets blood work regularly tested. This morning (Saturday), I received an email that started out this way: “You may have heard that LifeLabs recently experienced a . . .

Two-thirds of UK healthcare organisations breached last year (ComputerWeekly) The majority of healthcare organisations in the UK experienced a cyber security incident during 2019, with almost half the result of viruses and malware introduced on third party devices

Popular Apps Share Intimate Details About You With Dozens of Companies (Consumer Reports) Consumer Reports shares details of a new study that finds that popular apps share intimate details, such as your sexual preferences and religious beliefs, with a wide variety of companies.

Microsoft's new tool detects & reports pedophiles from online chats (HackRead) The perks of the internet are quite obvious and known to all but as they say “with every blessing comes a curse,” similarly, the digital boom has brought along various concerns, online child exploitation being one.

Trump slams Apple for refusing to unlock iPhones of suspected criminals (CNBC) "We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements," Trump tweeted.

Apple Said It Is Helping In The Pensacola Shooting Investigation, But It Won't Unlock The Shooter's iPhones (BuzzFeed News) "We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation," the company said in a statement.

Apple Denies FBI Request to Unlock Shooter’s iPhone—Again (Threatpost) Refusal to unlock the phones of a Florida shooter could set up another legal battle between Apple and the Feds over data privacy in the case of criminal investigations.

Nemty Ransomware to Start Leaking Non-Paying Victim's Data (BleepingComputer) The Nemty Ransomware has outlined plans to create a blog that will be used to publish stolen data for ransomware victims who refuse to pay the ransom.

49 million user records from US data broker LimeLeads put up for sale online (ZDNet) Data from an exposed LimeLeads Elasticsearch server ends up on a hacking forum.

Dating apps Tinder, Grindr and OkCupid accused of leaking sensitive data to advertisers (The Telegraph) Dating apps have been accused of sending sensitive personal information to advertisers in a potential breach of European data laws.

Hackers Demand Ransom From Patients After Breaching Florida Clinic (HealthITSecurity) Hackers breached the server of The Center for Facial Restoration and stole complete medical records of some current and former patients, then demanded a ransom payment from the provider and patients.

P&N Bank discloses data breach, customer account information, balances exposed (ZDNet) The Australian bank says a cyberattack took place during a server upgrade.

Unsecured database exposes passport scans of thousands of British consulting professionals (Computing) Passport scans and other personal data was stored on an Amazon Web Services S3 bucket by a company called CHS Consulting

Opinion: LifeLabs finally got around to telling me my data was (possibly) hacked (Burnaby Now) I’m a Lifelabs customer who gets blood work regularly tested. This morning (Saturday), I received an email that started out this way: “You may have heard that LifeLabs recently experienced a . . .

Two-thirds of UK healthcare organisations breached last year (ComputerWeekly) The majority of healthcare organisations in the UK experienced a cyber security incident during 2019, with almost half the result of viruses and malware introduced on third party devices

Census Bureau kicks off 2020 ad campaign amid fears around privacy and hacking (Washington Post) The Census Bureau on Tuesday unveiled an ad campaign to persuade every household in America to fill out the once-a-decade survey, which begins next week in remote parts of Alaska.

The FBI Can Unlock Florida Terrorist’s iPhones Without Apple (Yahoo) The FBI is pressing Apple Inc. to help it break into a terrorist’s iPhones, but the government can hack into the devices without the technology giant, according to experts in cybersecurity and digital forensics.

Israeli Court to Hear Amnesty Bid to Revoke NSO Export License (New York Times) Amnesty International will ask an Israeli court on Thursday to order Israel to revoke the export license of NSO Group, whose software is alleged to have been used by governments to spy on journalists and dissidents.

Amnesty suit asking Israel to revoke NSO Group's license heads to court - CyberScoop (CyberScoop) Amnesty International is urging an Israeli court to restrict the business of NSO Group, a spyware vendor accused of helping governments spy on dissidents.

Israel must stop NSO Group from exporting its spyware to human rights abusers (Amnesty) NSO's spyware has been used in malicious attacks against human rights activists around the world.

Equifax to pay $380.5 million in data breach settlement in the US (Computing) Equifax settles class-action lawsuit over 2017 data breach that spilt personal data of 147 million Americans (and more than 15.2 million Brits)

Banner Health Agrees to Pay $6 Million for Data Breach (Orthopedics This Week) Phoenix-based Banner Health has agreed to pay $6 million to victims of its 2016 data breach. Banner Health will pay an additional $2.9 million for legal costs.