At a glance.
- Data breaches and exposures could be used for targeting packages.
- Denmark's tax authority sustains a data exposure.
- Prison inmates' data leaked.
PII and targeting packages.
Espionage services are interested in personally identifiable information because PII is useful in developing targeting packages, dossiers that indicate how one might approach an individual to recruit, compromise, or otherwise neutralize them.
That's one of the concerns expressed over the exposure of an Israeli voter database by a Likud party app. The Jerusalem Post reports that the data obtainable from the app could have compromised information on Israeli intelligence officials. The Post cites Harel Menashri, currently Head of Cyber at the Holon Institute of Technology and formerly one of the founders of Shin Bet’s cyber unit, as pointing out the potential implications of the data exposure. Again, the concern rests on the fact of the exposure and not on any evidence that a foreign intelligence service has the data, but there’s a non-negligible chance that one does. Thus in assessing risk one takes into account the opposition’s capabilities: they might have the information, and it’s best to plan on the assumption that they do.
The concerns in Israel are analogous to those in the US over the Equifax breach: the prospect of the opposition using the data to develop targeting packages for individuals of interest. The US Justice Department expressed other concerns as well, including the possibility that the stolen PII might be sold, or might be used to train artificially intelligent systems.
In the case of the Equifax breach, however, it’s not merely that the US thinks it possible that some foreign government has the data. US authorities believe they have solid evidence that China’s People’s Liberation Army is in possession of the information. That evidence was enough to warrant indicting Wu Shiyong, Wang Qian, Xu Ke, and Liu Lei on nine charges: computer fraud conspiracy, computer fraud and abuse (intentional damage), computer fraud and abuse (unauthorized access), conspiracy to commit economic espionage, economic espionage, conspiracy to commit wire fraud, and three separate counts of wire fraud.
The Equifax breach doesn't, as the Star-Tribune points out, represent the first time China has hacked to obtain PII. The OPM, Anthem, and Marriott breaches have all been linked to the PLA, as have a larger number of smaller incidents.
Denmark's tax portal leaks citizens' data.
ZDNet reports that the Danish government's online tax portal "TastSelv Borger" exposed data belonging to 1.26 million citizens due to a software bug. The data exposed were taxpayers' ten-digit national identification numbers (CPR numbers), which consist of a citizen's date of birth, a unique identifier, and a digit indicating the citizen's gender. These are necessary for many critical functions like opening a bank account and obtaining a phone number.
Denmark's Agency for Development and Simplification (UFST) discovered that for the past five years the tax portal would add a user's CPR number to the URL anytime the user changed their account details. This URL was subsequently logged by analytics services belonging to Adobe and Google. The UFST believes the data were only accessed by these two companies, but ZDNet says local privacy advocates are requesting a more comprehensive audit of the portal.
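The leak pattern described above (an identifier placed in the URL and then recorded by third-party analytics) can be checked for before URLs leave one's own systems. The following is an added example, not code from ZDNet, the UFST, or the portal: it assumes a CPR number is written as DDMMYY followed by four digits, optionally hyphenated, and the function names and sample URLs are constructed for illustration.

```python
import re
from datetime import date
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Ten digits, optionally DDMMYY-SSSS, not embedded in a longer digit run
# (so 14-digit timestamps and similar values are ignored).
CPR_CANDIDATE = re.compile(r"(?<!\d)(\d{6})-?(\d{4})(?!\d)")
MARK = "[REDACTED-CPR]"

def plausible_birth_date(ddmmyy):
    """True when DDMM is a real calendar day. The century cannot be known
    from YY alone, so a leap year is used and 29 February is always allowed."""
    try:
        date(2000, int(ddmmyy[2:4]), int(ddmmyy[:2]))
        return True
    except ValueError:
        return False

def redact(text):
    """Replace CPR-shaped values in text; return (clean_text, hit_count)."""
    hits = 0
    def _sub(m):
        nonlocal hits
        if not plausible_birth_date(m.group(1)):
            return m.group(0)
        hits += 1
        return MARK
    return CPR_CANDIDATE.sub(_sub, text), hits

def scrub_url(url):
    """Redact CPR-shaped values in the path and in decoded query values."""
    parts = urlsplit(url)
    path, hits = redact(parts.path)
    pairs = []
    # parse_qsl percent-decodes, so an encoded hyphen (%2D) is still caught.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        clean, n = redact(value)
        pairs.append((key, clean))
        hits += n
    query = urlencode(pairs, safe="[]")
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment)), hits

def audit(urls):
    """Return (original_url, scrubbed_url) for every URL that carried a hit."""
    return [(u, clean) for u in urls for clean, n in [scrub_url(u)] if n]

if __name__ == "__main__":
    SAMPLE = [  # constructed URLs, not taken from any real log
        "https://portal.example/profile/update?cpr=0101901234&lang=da",
        "https://portal.example/track?ts=15812345678901",
    ]
    for original, clean in audit(SAMPLE):
        print(original, "->", clean)
```

Running the same scrubber over existing web-server or tag-manager logs shows how long such values have been leaving the site and to which endpoints.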
Jailbreak. (No, not that kind of jailbreak. And no, not that kind, either).
vpnMentor announced yesterday that they'd discovered an improperly configured AWS S3 bucket that was leaking some thirty-six thousand files belonging to JailCore, a US provider of a cloud-based correctional facility management and compliance application. The data exposed included inmates' personally identifiable information as well as certain medical data, notably records of prescriptions. The data exposure affected jails and prisons in Florida, Kentucky, Missouri, Tennessee, and West Virginia. vpnMentor calls particular attention to the risk of identity theft the exposure poses.