At a glance.
- Hammer time.
- Swedish insurance company leaks customer data.
- California dreamin': risk disclosure and regulatory exposure.
- Cannabis community data exposure.
Best tool for wiping a USB drive: a hammer.
Is a deleted file truly deleted? Researchers at Abertay University in Dundee, Scotland conducted a study to explore that question, and the answer is usually no. The Courier reports that a group of cybersecurity scholars led by Masters candidate James Conacher examined one hundred secondhand, supposedly wiped USB drives that had been put up for sale on eBay. At first glance, ninety-eight of them appeared to be empty, but on closer inspection only thirty-two actually were; the files on the others had not been properly deleted. An ordinary delete only removes the file's entry from the filesystem index and marks its blocks as free; the contents remain on the drive until they are overwritten, so the files were still present and retrievable with forensic tools readily available to the public. Among the recovered files were sensitive documents like tax returns and bank statements, data that could easily be exploited if discovered. Abertay cybersecurity Professor Karen Renaud recommends that anyone planning to sell a USB drive use specialized software to securely erase its contents. If you're not planning to sell it but still want to make sure the data don't fall into the wrong hands, she suggests the highly sophisticated solution of smashing it with a hammer.
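To make the mechanism concrete, here is an added example (not code from the Abertay study or the article) that models a block device with a directory table the way FAT- or ext-style filesystems do. Deleting a file drops its index entry and frees its blocks but leaves the bytes in place; a signature-based carver, the technique behind the publicly available forensic tools mentioned above, recovers the "deleted" document from the raw image; only an overwrite of the free space makes it unrecoverable. The block size, block count and the sample tax-return bytes are assumptions constructed for the demonstration.

```python
# Added example: a toy block device showing why "delete" is not "erase".
# Layout (512-byte blocks, 64 of them) and the sample file are constructed for
# illustration and do not come from the study or the article.
BLOCK_SIZE = 512
NUM_BLOCKS = 64


class ToyDisk:
    """A block device plus a directory table mapping file names to block lists."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # raw bytes of the "drive"
        self.free = list(range(NUM_BLOCKS))              # unallocated block numbers
        self.directory = {}                              # name -> [block numbers]

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            if not self.free:
                raise OSError("toy disk full")
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name):
        """Ordinary delete: remove the index entry, mark the blocks free.
        The bytes in those blocks are untouched."""
        self.free.extend(self.directory.pop(name))

    def wipe_free_space(self):
        """Secure erase of unallocated space: overwrite every free block.
        A single zero pass is used here; the pattern is irrelevant to the demo."""
        for b in self.free:
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)


def carve(image, header, footer):
    """Signature carving: ignore the directory entirely and pull out every
    byte run that starts with `header` and ends with `footer`."""
    found = []
    start = image.find(header)
    while start != -1:
        end = image.find(footer, start)
        if end == -1:
            break
        found.append(bytes(image[start:end + len(footer)]))
        start = image.find(header, end + len(footer))
    return found


# Constructed sample document with PDF-like header/footer markers.
SECRET = b"%PDF-1.4\nTax return 2019: income 123456, bank account ending 0042\n%%EOF"


def demo():
    """Returns (carved after delete, carved after wipe)."""
    disk = ToyDisk()
    disk.write_file("taxes.pdf", SECRET)
    disk.delete_file("taxes.pdf")
    assert "taxes.pdf" not in disk.directory          # gone from the index...
    after_delete = carve(disk.image, b"%PDF", b"%%EOF")  # ...but not from the disk
    disk.wipe_free_space()
    after_wipe = carve(disk.image, b"%PDF", b"%%EOF")
    return after_delete, after_wipe


if __name__ == "__main__":
    recovered, after_wipe = demo()
    print("carved after delete:", recovered)
    print("carved after wipe:  ", after_wipe)
```

One caveat for real USB sticks: the overwrite step above works on the logical blocks the operating system can address. Flash media remaps logical blocks across physical cells (wear levelling), so an overwrite is not guaranteed to reach every cell that once held the data; that is part of why erase commands built into the device, or physical destruction, are recommended for drives that will not be reused.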
Swedish insurance company inadvertently leaks client data.
Folksam Group, one of Sweden's leading private insurance companies, confirmed that it accidentally shared the personal data of up to one million clients with Facebook, Google, Microsoft, LinkedIn, and Adobe. BNN Bloomberg reports that the unintended disclosure, which included sensitive information like social security numbers, resulted from improper data handling while composing personalized offers for Folksam clients. Folksam says it immediately halted the practices that led to the leak and has asked the external parties to delete the exposed data.
The CCPA’s impact on investment risk disclosure.
As businesses work toward making their customer data practices compliant with the California Consumer Privacy Act (CCPA), they also need to make sure they are disclosing any material risks in those data practices to their shareholders, JD Supra reports. The Securities and Exchange Commission's Regulation S-K requires public companies to inform shareholders about issues that could make their investment risky. The World Privacy Forum concurs that businesses need to be more transparent about the risks involved in privacy compliance, not just concerning data breaches, but also the difficulties a business might face if found in violation of the regulations. The most direct penalty would of course be fines, but investors should also weigh less obvious costs like loss of business following a breach and the expense of adapting business models to stay compliant. It goes without saying that these risks are higher for companies that collect customer data as part of their business model, and higher still if the data they collect is especially sensitive.
Cannabis community suffers data exposure.
SecurityDiscovery's Bob Diachenko discovered and disclosed a data exposure incident at GrowDiaries, which he describes as "a community website where cannabis growers can journal and share updates about their plants." Some 3.4 million user records were accessible in an unprotected database: about 1.4 million of the records included email and IP addresses, and the remaining 2 million included user posts and passwords. The passwords were hashed, but with MD5, a fast general-purpose hash that is deprecated for password storage and readily cracked offline, so the hashing offered little real protection. Vinay Sridhara, CTO of Balbix, offered some comment by email:
“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks. About 1.4 million records were exposed by this data leak, including usernames, email and IP addresses, and MD5-hashed account passwords. The encrypted passwords are particularly worrisome because MD5 has various known security flaws, enabling an attacker to easily hack and access them. Online sites such as GrowDiaries that require users to create accounts and that collect personal data should at the very least implement basic cyber hygiene.
“Organizations must understand that analyzing and improving cybersecurity posture is no longer a human-scale task. With the expanding attack surface and the growing number of IT assets - devices, apps, and users - it is essential to monitor them across 100+ attack vectors, especially keeping in mind common risks like weak passwords and encryption issues that are not monitored by traditional vulnerability management tools. Companies must adopt security platforms that leverage artificial intelligence and machine learning to enable security teams to proactively manage risk and avoid breaches.”
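The practical problem with the GrowDiaries hashes is not MD5's collision weaknesses but that MD5 is fast and, used without a per-user salt, lets one precomputed table serve every account in a dump. The following added example (not GrowDiaries' code, nor Balbix's) runs a dictionary attack against a constructed dump of unsalted MD5 hashes and then against the same passwords stored with a random per-user salt and a deliberately slow, memory-hard KDF (scrypt from Python's standard library). The user names, passwords and wordlist are constructed for the demonstration; the parameters `n=2**14, r=8, p=1` are a reasonable interactive-login setting, not a value taken from the article.

```python
# Added example: unsalted MD5 password storage versus salted scrypt.
# Sample users, passwords and wordlist are constructed for this demo.
import hashlib
import hmac
import os

# A small "cracking" wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["123456", "password", "growlife", "letmein", "qwerty", "sunshine"]

# Constructed accounts; alice and bob share a password, dave's is not in the list.
USERS = {
    "alice@example.com": "sunshine",
    "bob@example.com": "sunshine",
    "carol@example.com": "growlife",
    "dave@example.com": "c0rrect-h0rse-b4ttery",
}


def md5_hex(password):
    """What the leaked database did: unsalted MD5 of the raw password."""
    return hashlib.md5(password.encode()).hexdigest()


# The leaked dump as the article describes it: email -> unsalted MD5 hex.
LEAKED_DUMP = {user: md5_hex(pw) for user, pw in USERS.items()}


def crack_unsalted_md5(dump, wordlist):
    """One MD5 per candidate, computed once, cracks every user with that
    password. Returns (cracked users, number of hash operations)."""
    table = {md5_hex(w): w for w in wordlist}   # reusable for any other MD5 dump
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


# Hardened storage: random 16-byte salt per user, slow memory-hard KDF.
def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def build_salted_dump(users):
    return {user: hash_password(pw) for user, pw in users.items()}


def crack_salted(dump, wordlist):
    """No shared table: every candidate must be re-derived per user with that
    user's salt, and each derivation costs a full scrypt run."""
    cracked, kdf_calls = {}, 0
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            kdf_calls += 1
            if verify_password(w, salt, digest):
                cracked[user] = w
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    print("MD5:   ", crack_unsalted_md5(LEAKED_DUMP, WORDLIST))
    print("scrypt:", crack_salted(build_salted_dump(USERS), WORDLIST))
```

Note what the salted run changes: alice and bob no longer have identical stored values, the attacker's work grows with the number of users rather than being amortised over the whole dump, and each guess costs a scrypt evaluation (tens of milliseconds and 16 MiB of memory at these parameters) instead of a sub-microsecond MD5. Weak passwords in the wordlist still fall, which is why the slow KDF is a complement to, not a substitute for, password policy and breach-monitoring.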