At a glance.
- H&M receives record fine under GDPR.
- Phishing in the voting pool.
- Grindr bug exposed accounts to hijacking.
- Magecart hits Boom! Mobile.
- UHS makes progress toward recovery.
H&M fined by Hamburg DPA for GDPR violations.
The Data Protection Authority (DPA) of Hamburg has fined fashion retailer H&M Germany €32.5 million for General Data Protection Regulation (GDPR) violations regarding improper handling of sensitive human resources data, reports Cooley’s cyber/data/privacy insights. Information from informal “Welcome Back Talks” with employees returning from vacation or sick leave, which included sensitive details about employees’ health issues and religious practices (classified by GDPR as Special Categories of Personal Data), was saved and stored digitally without employee knowledge, and then shared by store managers throughout the country to make human resources decisions. In October 2019, the data were accidentally released outside of the managerial group, triggering an investigation by the Hamburg DPA. H&M took full responsibility for the violations, agreeing to revamp their protections and compensate the affected employees. The fine, the largest ever issued for a GDPR infraction involving employee data, serves as a reminder that companies will be held accountable for privacy violations even when intent is not malicious and the offender attempts to make amends.
Phishing scammers target US voters.
A phishing scam is taking advantage of US voters’ desire to ensure that their voter registration is complete in time for the upcoming presidential election, reports Threatpost. Posing as representatives from the US Election Assistance Commission, the operatives send an email to the victim claiming their voter registration application is incomplete because their personal information cannot be verified. A link leads the victim to a spoofed ServiceArizona website that harvests the sensitive data. Oddly, though the scam seems to target Arizonans, it appears that the email has been sent to residents of other states. Experts are unsure whether the goal is data theft or election meddling.
Grindr security flaw left accounts open to hijacking.
A security researcher found a vulnerability in popular dating app Grindr’s password reset function that would allow easy access to user accounts, TechCrunch reports. When a user requests a password reset, they receive an email with a token that will allow them to create a new password. French researcher Wassime Bouimadaghene discovered that this token was being stored in the computer’s browser, essentially meaning that all anyone needs to gain access to the sensitive account data of any of Grindr’s 27 million users is a user’s email address. Grindr stated that they have fixed the issue and that it did not appear anyone had taken advantage of the flaw.
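The defect described above is a reset token that reaches the client instead of only the mailbox. An added example (not Grindr's code, nor from the TechCrunch report) of a reset flow that avoids it: the HTTP reply never carries the token, the server keeps only a hash of it, and each token is bound to one address, expires, and works once. The `PasswordResetService` class, the simulated `outbox`, and the sample account are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute reset window


class PasswordResetService:
    """Reset tokens travel only through e-mail; the API response is generic."""

    def __init__(self, users, now=time.time):
        self.users = users      # email -> password hash (constructed sample data)
        self.pending = {}       # sha256(token) -> (email, expiry); raw token never stored
        self.outbox = []        # hypothetical stand-in for the mail delivery channel
        self.now = now

    def request_reset(self, email):
        # Same reply whether or not the account exists, so the endpoint
        # neither enumerates users nor hands the token back to the browser.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append({"to": email, "token": token})
        return {"status": "ok",
                "message": "If that address is registered, a reset link has been sent."}

    def redeem(self, email, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.get(digest)
        if entry is None:
            return False
        bound_email, expiry = entry
        # Token must match the address it was issued for and still be fresh.
        if not hmac.compare_digest(bound_email, email) or self.now() > expiry:
            self.pending.pop(digest, None)
            return False
        self.pending.pop(digest)  # single use: a replayed token is rejected
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.users[email] = salt.hex() + ":" + pw_hash.hex()
        return True
```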
Boom! Mobile hit with Magecart.
Malwarebytes warns that Boom! Mobile’s site has been injected with Magecart paycard data-stealing malware. The researchers attribute the activity to a known criminal gang RiskIQ identified last November as "FullzHouse," so called for its propensity to collect fullz—relatively complete files on victims, the information in which is well-suited to identity theft without much further collection.
People tend to associate Magecart with threats to online retailers, but it casts a wider net than that. We heard from Ameet Naik, security evangelist at PerimeterX, who emailed remarks to the effect that skimming isn't confined to e-commerce sites:
“While Magecart attacks typically target e-commerce retailers, any business collecting credit card numbers and other personal information online is vulnerable. Shadow Code vulnerabilities lurk in third-party and open source libraries commonly used in web applications. Businesses must ensure they have continuous visibility into client-side scripts on their websites in order to detect and stop such digital skimming attacks. Consumers must continue to remain vigilant about credit card theft and notify their card issuer about any suspicious activity.”
Universal Health Services reports progress in dealing with its ransomware attack.
Universal Health Services (UHS) yesterday issued a public update on the status of its recovery from the September 27th ransomware attack it sustained. "The UHS IT Network has been restored and applications are in the process of being reconnected," the company wrote. "The recovery process has been completed for all servers at the corporate data center and connectivity has been re-established for all U.S.-based inpatient facilities." Its corporate systems are back, and service is being restored to individual facilities on a rolling basis, with over half of them having been brought back online yesterday.
"As we conduct our IT remediation work, we continue to have no indication that any patient or employee data has been accessed, copied or misused," UHS said, adding that operations in the UK were unaffected by the incident.