Oracle, Salesforce face €10 billion suit alleging GDPR violations. Boston University discloses exposure to Blackbaud ransomware incident. HM Passport Office exposes a password. On a flip chart. In a window.

Oracle and Salesforce face suit alleging GDPR violations. Boston University discloses exposure to Blackbaud breach. "Passw0rd1."

Summary

By the CyberWire staff

At a glance.

Oracle, Salesforce face €10 billion suit alleging GDPR violations.
Boston University discloses exposure to Blackbaud ransomware incident.
HM Passport Office exposes a password. On a flip chart. In a window.

Salesforce and Oracle face GDPR suit.

The lawsuit, seeking up to €10 billion, is to be filed in both England and the Netherlands. The plaintiffs, in an action organized by the Privacy Collective (an organization the Register characterizes as backed in this instance at least by commercial litigation funder Innsworth Advisors) will maintain that Oracle's Bluekai and Salesforce's DMP ad-tech subsidiary misused data by aggregating customer information from various websites. The companies are then said to have assembled the data into more readily marketable profiles, and this is said to violate GDPR.

Another university discloses its exposure to the Blackbaud breach.

Boston University is notifying affected students, faculty, and donors that their personal data may have been exposed in the Blackbaud ransomware attack, the university's student newspaper, the Daily Free Press, reports.

Try to set a good example.

Graham Cluley is in medium dudgeon over a password practice seen through the window of Her Majesty’s Passport Office in Ebrington Street, Plymouth, England. The Plymouth Herald broke the story when local passersby contacted the paper to say that, as they walked past the office they could see a flipchart with the password "Passw0rd1" propped up by the window. The Herald asked the Home Office what was up with that, and received confirmation that staff in the office does indeed use this particular password, but they "fiercely refuted any security breach had taken place" because "Passw0rd1" was used only to gain initial access to the system. At that point, before anyone could access anything that mattered, they'd have to use a second, much more secure and ostensibly less publicly available password.

Leave aside for the moment that the Home Office's statement is really more "denial" than "refutation." There are several problems here. The first is the obvious guessability of "Passw0rd1," which really isn't improved much, as Cluley points out, by changing the "o" to a zero and adding a numeral one at the end, which is low cunning amounted to functional imbecility. If you're using passwords, set a good example and at least try to make them strong. A second problem is the two-step authentication process. What's gained by having a preliminary login step that might as well be no authentication at all? And third, of course, is writing your password in a big schoolhouse hand on a flipchart, and then putting that flipchart in plain view of a window. That's beyond vulnerability to shoulder surfing.

It's also a reminder of how easy it can be to collect openly and overtly: if you leave your credentials available to any passing flaneur, your security program is less than fully successful.

Selected Reading

Smart Lock vulnerability can give hackers full access to Wi-Fi network (HackRead) The vulnerability exists in the August smart lock Pro + Connect model which hasn’t been fixed despite continuous alerts from Bitdefender security researchers to the vendor.

BU community data stolen in Blackbaud cyber attack (Daily Free Press) Boston University sent an email Saturday notifying potentially affected members of the community about a data security breach from May.

Plymouth Passport Office’s pitiful password privacy (Graham Cluley) If you're going to lean a flipchart against a window, you had better make sure you haven't scrawled any passwords on it first…

Zoom Faces More Legal Challenges Over End-to-End Encryption (Threatpost) The video-conferencing specialist has yet to roll out full encryption, but it says it's working on it.

Oracle and Salesforce targeted in €10bn GDPR lawsuit backed by profit-making litigation fund (Register) Case to be filed in the Netherlands and London

Calif. Justices Clarify Rules On Facebook Data Subpoenas (Law360) The California Supreme Court laid out a road map Thursday for trial courts to determine when Facebook and other third parties must hand over private user information in criminal proceedings, but held off on deciding whether the federal Stored Communications Act shields Facebook from such subpoenas.

Analysis: Did Barclays Go Too Far in Monitoring Employees? (BankInfo Security) The latest edition of the ISMG Security Report analyzes why Barclays is being investigated for allegedly spying on its employees. Also featured: How the pandemic is

Cancer Patients Agree To $8M, Monitoring In Data Breach Deal (Law360) Patients of cancer treatment center operator 21st Century Oncology sought approval Wednesday of a settlement that would provide at least $12.5 million in benefits and up to $3.75 million to class counsel to end multidistrict litigation over a data breach that compromised millions of patients' personal information.

Wawa Aims To Toss Financial Institutions' Data Breach Suit (Law360) Wawa Inc. has called on a Pennsylvania federal court to toss a consolidated proposed class action from three credit unions over a data breach at the convenience store chain, saying they can't pursue negligence claims since losses related to the incident are governed by contracts dealing with credit and debit card transactions.