At a glance.
- Twitter suffers major social engineering incident.
- EU limits data sharing with the US.
- TikTok and privacy risks.
- Property management firm inadvertently exposed personal information.
- Casting agency leaks clients' data.
Twitter's big Wednesday afternoon hack.
Twitter sustained a major hack late yesterday afternoon, around 5:30 US Eastern Daylight Time. The incident embarrassed the company with takeovers of high-profile, verified accounts. The attack seems to have involved extensive and effective social engineering, perhaps, according to Motherboard, a bribed insider. The Wall Street Journal and others list Bill Gates, Kanye West, Joe Biden, Barack Obama, Elon Musk, Uber, and Apple Inc. among the owners of the affected, blue-checked accounts. Reuters reports that Twitter took the "extraordinary" step of suspending many verified accounts until it could get a handle on the problem. RiskIQ said this afternoon that it had linked some four hundred cryptocurrency-related domains to the operation so far.
Colin Bastable, CEO of Lucy Security, commented in an email that "It appears to be a highly targeted attack on a Golden Key Holder – a highly authorized Admin with access to the Twitter Authenticated “Blue Check Mark” users via the User Admin console. Many of these Twitter accounts use third party solutions to manage, schedule and push out tweets – we believe that a spoof email pretending to be from one of these third parties could have been used to spearphish the Admin, or perhaps that Admin opened a spoof internal Twitter email with a payload designed to harvest his credentials."
The incident's extent and preparation seem disproportionate to its ostensible objective, a hackneyed, grubby Bitcoin advance fee scam in which an impersonator offers to return the mark's donation many times over. The wallet set up to receive donations accumulated about $100,000, but that sum probably doesn't represent the actual take, given the common criminal practice of salting their wallets with their own funds, the better to lend plausibility to the whole greasy imposture. The story is still developing, but here's one serious possible privacy angle: the noise about Bitcoin could be misdirection designed to conceal the attackers' real goal of accessing account details or direct messages. For now, however, the prudent reaction to the news is to withhold judgment about its source and purpose until more is known, but also to bring a heightened awareness of possible privacy issues to one's use of Twitter.
EU court limits data sharing with the US on grounds of protecting rights to privacy.
The European Court of Justice today ruled that Privacy Shield, the US-EU agreement that had enabled relatively easy transatlantic data transfer, was inadequate to protect European citizens' privacy rights. The Court did leave in place "Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries." The Wall Street Journal sees the initial effect of the ruling (informally called "Schrems II") as the introduction of substantial uncertainty over data storage and transfer. The decision came in a case brought by Maximilian Schrems, "an Austrian national residing in Austria," who objected to Facebook's transfer of data to the US, where he believed it would be subject to surveillance that contravened his rights to privacy under GDPR. Privacy hawks in Europe have supported Herr Schrems' position and have welcomed the Court's decision.
IAITAM warns of TikTok privacy risk.
The International Association of Information Technology Asset Managers, Inc. (IAITAM) has warned that "allowing employees to use TikTok on any devices (including personal cell phones and tablets in a work-from-home context) with direct access to corporate data is 'not consistent with maintaining data integrity'." IAITAM drew particular attention to TikTok's "open-ended permissions," and compared the risk to earlier issues surrounding Fitbit and Pokémon Go.
New Zealand property management firm exposes database.
Cybernews reports that a database apparently belonging to LPM Property Management was exposed in an unsecured Amazon Web Services S3 bucket. More than thirty-one thousand files were exposed, almost all of them images associated with landlords and tenants who had used or applied for LPM's services: passports (expired and active, from New Zealand and other countries), driver's licenses (with ID numbers, donor statuses, addresses, dates of birth, and full names), documents showing evidence of age, pictures of applicants, and maintenance requests showing pictures of damaged property.
US casting agency exposes talent files of aspiring actors.
The Safety Detectives reported this afternoon that MyCastingFile.com, a US talent broker that connects aspiring actors with roles, left an unsecured Elasticsearch server exposed to the Internet. It contained a database of some 260,000 users, with profiles that included such personal information as full names, residential and email addresses, phone numbers, work history, date of birth, height, weight, hair length and hair color, clothing fitting information, face and body photos, skin color, ethnicity or race, geolocation, and information about the actors' cars (make, model, color, and year of manufacture).