Breach at Animal Jam, data exposure at Public Health Wales. Facebook's "Vanish Mode."

Summary

By the CyberWire staff

At a glance.

Animal Jam breached.
Facebook's "Vanish Mode."
"Human error" cited in Public Health Wales breach.

Animal Jam breached.

It’s all fun and games until player data is stolen. Children’s gaming platform Animal Jam was the victim of a data breach that compromised 46 million player accounts, Bleeping Computer reports. This sounds huge, but it’s actually only a fraction of the popular game’s more than 130 million registered players, as a new account is created every 1.4 seconds. The breach was discovered by Animal Jam’s creator WildWorks after a cybercriminal, crediting infamous hacker ShinyHunters, released the data for free on underground forum raidforums.com. As the game is designed for kids ages seven to eleven, most of the data belongs to the adults who create the accounts for their children. As WildWorks detailed in an alert on their website, the stolen data included usernames (which are not players’ legal names), hashed passwords, and billing addresses. WildWorks is being very transparent about the incident and is drafting a report for the Federal Bureau of Investigation’s Cyber Task Force.

We heard from two industry sources on the Animal Jam breach. Saryu Nayyar, CEO of Gurucul, wrote to express approval of how WildWorks handled the incident. “The data breach at Animal Jam is concerning mostly because many of the accounts belong to children. Fortunately, there does not appear to be any financial information exposure and little of the released data appears to be directly useful. However, the attackers could use the exposed email addresses to launch social engineering against the young users," she said, and then added, "WildWorks has set a fine example by responding quickly and transparently. Parents should monitor their kid's email for related attacks, and take the opportunity to teach them about managing their passwords and how to identify malicious emails.”

“ShinyHunters did it again, fresh off of their leak of a massive Mashable database," said Point3 Security's VP of strategy, Chloé Messdaghi. "It’s important for all to understand that it’s never appropriate to target kids’ data, and the services that make this available need to be stopped. A lot of companies use communications apps such as Slack without 2FA, which seems to be the case with Animal Jam." She thinks complacency over multi-factor authentication could have contributed to the breach. "Instead," she said, "companies assume they’re not targets, or mistakenly believe that using a password that’s too short is sufficient. This just underscores that any shared service - GitHub, Citrix, whatever – needs to be protected with multi-factor authentication apps or preferably a token, and just how important password managers are. All employees should have password managers and be required to use multifactor authentication. The reality is these people have lots and lots of stolen data, and it’s highly categorized and organized for cross referencing, making targeted attacks easier than ever before." Why would criminals be interested in a children's game? Identity theft. And the victims might be unaware of their loss for years. "The end result might be that some kids go for a social security number at age 4, 10 or even later, or go for their first school loans when applying for college, only to learn they’ve maxed out their credit.”

Vanish Mode is Facebook’s latest trick.

Facebook has released its long-awaited Vanish Mode setting for its products Instagram and Messenger, reports TechCrunch. Messaging competitor Snapchat is known for the fact that all user messages are deleted as soon as they’ve been viewed. Now Instagram and Messenger users can replicate this disappearing act by activating Vanish Mode. Though this auto-delete feature does improve security, in a sense, by shortening the shelf-life of a user’s data, the new setting isn’t actually any more secure than Messenger’s already end-to-end encrypted Secret Conversations mode. Facebook’s motivation is not so much security as it is marketability, as the goal is to attract Snapchat's user base.

Public Health Wales exposes COVID-19 test data.

Public Health Wales, an agency of the National Health Service of Wales, released a statement confirming they suffered a breach that released the private data of 18,000 Welsh residents who had tested positive for COVID-19. The breach was the result of an accidental disclosure; due to human error, a database containing personally identifiable information was uploaded to a public server. The upload occurred on August 30 and the data was public for only twenty hours before the error was discovered and it was taken down, but in that time records show the database was viewed more than fifty times. Tracey Cooper, Chief Executive of Public Health Wales, stated that an investigation carried out by the Head of Information Governance and the Information Sharing and Governance Manager at the NHS Wales Informatics Service indicated that the “the pressures of work” might have been partially at fault for the incident, as employees are overwhelmed with data due to the pandemic. In response, Public Health Wales has created an Incident Management Team to improve data handling procedures, and all future uploads will be handled by senior staff.

Saryu Nayyar, CEO of Gurucul, expanded on the role fatigue, stress, and operator mistakes can play in data exposure. “Human error is, unfortunately, a common root cause for data exposure, as it was here in the Public Health Wales case," she said. "However, it also appears there were issues with policies and procedures that made the human error possible. Information Security is not a set it and forget it process. Organizations need to continually review and revise their tools and procedures to keep them effective. Process needs to be in place to minimize the risk of human error, and tools like behavioral analytics need to be deployed to recognize and mitigate risk before it leads to exposures like this one.”

Chloé Messdaghi, VP of Strategy at Point3 Security, notes that the Public Health Wales disclosure was light on specifics. "More than 18,000 who tested positive for COVID-19 have their data exposed," she said, "but this notice doesn’t inform about what personal data has been leaked and is now out there – leaving those impacted and their families hanging. They did apologize but we can only hope they’ve been more forthcoming with the victims than with the public."

She also points out that "human error" is a large explanatory category. “Also not shared is how this occurred. They said it’s the result of human error but that’s a pretty vast array of possibilities. Was it because someone didn’t know what they’re doing? Is the current staffing stretched too thin, or hobbled by WFH constraints and processes? Was there a leak related to an entry afforded by an unsecured home network? Is employee burnout a factor? Did someone receive incorrect instructions? Was a server left unprotected? Was there a third party involved in the leak?" An after action review might yield useful lessons from the incident.

Selected Reading

Legal Services Biz Can't Skip Out On Data Breach Suit Yet (Law360) A California federal judge has refused to dismiss a proposed class action against legal services company Epiq Systems Inc. over a recent data breach, but signaled he may be willing to dismiss it in the future depending on what discovery reveals.

()

BBQ Chain Didn't Protect 3M Credit Card Nos., Customers Say (Law360) Two customers have sued Dallas-based Dickey's Barbecue Pit in California federal court over a data breach, saying the restaurant chain failed to prevent cyberthieves from stealing their credit card numbers and belatedly revealed that their personal identifying information is being sold on the black market.

Why Scotland Buying Israeli Phone-Hacking Kit is Dangerous (Bella Caledonia) The expulsion of democratically elected members of the Hong Kong Legislative Assembly exposes once again the intolerance of dissent under Beijing’s authoritarian state capitalism. China is now a m…

Ticketmaster Hit With £1.25 Million GDPR Fine Over 2018 Data Breach (Forbes) The ICO has fined Ticketmaster following a 2018 data breach that affected as many as 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK.

Three voters demand €10m fine for IT firm behind huge data breach (Times of Malta) Three of the 337,384 Maltese voters whose data was leaked in a massive security breach in April, have filed a complaint with the Data Protection Authority requesting that the IT company that held the data be fined up to €10 million. Their complaint comes a month after more than 620 claimants...

6 Cybersecurity Tips When You Work From Home (Forbes Advisor) As of September 2020, nearly 60% of full-time and part-time workers in the U.S. were doing their jobs remotely at least some of the time during the coronavirus pandemic. And many of them would like to keep doing so. This work-from-home pivot makes some employers’ IT professionals nervous, though.

Don’t give your personal info to fake PlayStation 5 pre-order websites, warns Kaspersky (Hindustan Times Tech) They had ‘Playstation’ in their names and gave interested (and unaware) users a chance to pre order the PS5 console.

Public Health Wales Statement on Data Breach (Public Health Wales) Public Health Wales has today accepted in full the recommendations of an independent investigation into a data breach which resulted in the publication of the personally identifiable data of 18,105 Welsh residents who had tested positive for COVID-19 between February and August 2020.

Animal Jam kids' virtual world hit by data breach, impacts 46M accounts (BleepingComputer) The immensely popular children's online playground Animal Jam has suffered a data breach impacting 46 million accounts.

46M records stolen from kids gaming service Animal Jam published on dark web (SiliconANGLE) Some 46 million records stolen from children’s gaming service Animal Jam have found its way onto the dark web following a hack of the company in October.

Data Breach Alert (Animal Jam) WildWorks has learned that a database containing some Animal Jam user data was stolen in connection with a recent attack on the server of a vendor WildWorks uses for intra-company communication.

()