At a glance.
- Scanning and scraping voter data.
- ICO gives a COVID discount.
US voter data vulnerabilities exploited.
As if the US presidential election weren’t messy enough, federal agencies have confirmed that an Iranian advanced persistent threat (APT) group harvested voter data over several weeks in September and October, Yahoo reports. The group used the stolen information to launch a fake intimidation email campaign in which they posed as members of the right-wing group the Proud Boys to threaten putative Democrat voters (although their targeting was not entirely precise). The joint advisory issued by the Department of Homeland Security, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency details the threat actors’ methods, which included “attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites.” The APT used the Acunetix scanner to scour websites for vulnerabilities, which they then exploited by sending crafted GET requests to voter databases. The attack brings to light potential privacy holes in the US election system, and the advisory makes several suggestions for improvement, including applying security patches and running regular internal scans to catch these vulnerabilities before hackers do.
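As an added illustration of the advisory’s recommendation to look for these patterns yourself (this is example code, not from the advisory or the article): a small Python triage script that flags, in web-server access-log lines, the request categories the advisory names (scanner user agents, directory traversal, SQL injection, web shell uploads). The log lines, IP addresses and user-agent strings below are constructed samples, and the rule set is a deliberately simple starting point rather than a complete signature set.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2020:03:14:07 +0000] "GET /voters/lookup?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Acunetix)"
203.0.113.10 - - [12/Oct/2020:03:14:09 +0000] "GET /static/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2020:03:14:12 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2020:03:15:00 +0000] "GET /voters/lookup?id=1042 HTTP/1.1" 200 4090 "-" "Mozilla/5.0"
"""

# Fields of the combined log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Each rule sees the parsed record and the URL-decoded request path.
# The scanner string is a constructed placeholder; real scanner user agents vary and are easily changed.
RULES = {
    "scanner_user_agent": lambda m, path: "acunetix" in m["ua"].lower(),
    "directory_traversal": lambda m, path: "../" in path or "..\\" in path,
    "sql_injection": lambda m, path: re.search(
        r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select""", path, re.I) is not None,
    "web_shell_upload": lambda m, path: m["method"] == "POST"
        and re.search(r"\.(php|jsp|aspx?)$", path.split("?")[0], re.I) is not None,
}


def analyze_log(text):
    """Return (ip, rule_name, raw_path) for every rule that fires on every parseable line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, but worth counting in production
        # Decode twice so double-encoded traversal (%252e) is caught as well as single-encoded.
        path = unquote(unquote(m["path"]))
        for name, check in RULES.items():
            if check(m, path):
                findings.append((m["ip"], name, m["path"]))
    return findings


def suspicious_ips(text):
    """Map each client IP to the sorted set of rule names it triggered."""
    by_ip = {}
    for ip, name, _ in analyze_log(text):
        by_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, the script attributes all four flagged requests to 203.0.113.10 and leaves the ordinary lookup from 198.51.100.7 alone; in practice the same loop would run over exported access logs on a schedule.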
Marriott’s GDPR penalties drastically reduced.
When Marriott Hotels UK purchased the Starwood Hotels group in 2016, it was unaware that a threat actor had already been inside Starwood’s customer data systems for the previous two years. In fact, the breach went unnoticed until 2018; all the while the threat actor had access to the data of 339 million customers, including passport numbers and arrival and departure information. As Yahoo reports, the Information Commissioner’s Office (ICO) found Marriott at fault for not detecting the intrusion earlier and for not having adequate security measures in place to protect the data. In July of 2020 the ICO stated that Marriott would be fined £99 million, which would have been one of the largest penalties issued since the EU’s General Data Protection Regulation (GDPR) came into force. But as TechCrunch reports, the ICO has now lowered the fine to just £14.4 million. As an explanation for the decrease, the ICO cites Marriott’s diligent response to the incident and the damaging effect the pandemic has had on the hotel chain’s business. It should be noted, however, that although the GDPR was introduced as a way to penalize organizations more firmly for cybersecurity failings, very few large fines have actually been collected. British Airways, which suffered its own massive breach over the summer, saw its penalty similarly reduced earlier this month. Some analysts believe the ICO grossly miscalculated the penalties and is using the pandemic as an excuse to cover up its mistakes.