At a glance.
- Google takes down Chrome extensions that uploaded personal data.
- Data exposure cases: plastic surgery and international education.
- Nine-year-old boy’s identity stolen.
- Too many lovelorn Brits access their exes’ social media accounts.
Google takes down more than five hundred malicious Chrome extensions.
Researchers at Cisco's Duo worked with independent security researcher Jamila Kaya to investigate Chrome extensions that seemed to behave suspiciously. They confirmed that some seventy of them were indeed dodgy enough to be worth reporting to Google. Google confirmed that the extensions were malicious, and it went on to find a total of five hundred extensions that were engaged in malvertising and click fraud. The privacy issues arise, as Ars Technica points out, when the extensions collect data from users’ browsers. Google has taken the extensions down, but they were downloaded millions of times from Chrome’s web store.
Unsecured databases expose sensitive personal information.
Two organizations have fallen afoul of improperly secured, Internet-accessible databases. Both cases involve user configuration errors, not flaws in the storage tools themselves.
vpnMentor found that plastic surgery technology company NextMotion had improperly configured an AWS S3 bucket so that it was accessible from the Internet. The researchers found some nine hundred thousand individual files containing data on thousands of patients. Some of the personal data included:
- “Invoices for treatments,”
- “Outlines for proposed treatments,”
- “Video files, including 360-degree body and face scans,” and
- “Patient profile photos, both facial and body.”
The other exposure, this one discovered by independent researcher Bob Diachenko, involved the not-for-profit Institute for International Education (IIE). The organization used the Drupal content management system, which stored data in MongoDB databases. Security Discovery reports that the data included sensitive student information (transcripts, passports, dossiers, medical information, etc.). The IIE secured the data within a week of notification.
Go to the hospital, get your identity stolen.
A nine-year-old boy was hospitalized a few years ago, and unfortunately his personal information was compromised in a breach of Health Share of Oregon, of which his family was a member. Identity thieves were able to open a credit card in the boy’s name. US Bank, which KATU 2 says issued the fraudulent card, closed the account at the (foreseeable) insistence of the child’s mother.
Revenge of the jilted.
The Mirror reports that almost one in five Britons have logged onto their ex’s social media accounts to keep tabs on them. To be sure, breaking up is hard to do, but don’t make it harder by sharing your account credentials with your current fling, even if it’s a steady sweetheart. Hold off at least until the two of you decide that only death will part you.