At a glance.
- DISA breach exposes up to 200,000 individual's personal data.
- Stalkerware app exfiltrates data to an unsecured Alibaba cloud bucket.
- Local governments suffer ransomware attacks, data breaches.
US Defense Information Systems Agency (DISA) discloses a data breach.
The US Defense Information Systems Agency (DISA) disclosed that between May and July of 2019, one of its systems sustained a “data breach” that may have compromised personal data. According to Fifth Domain, DISA wrote affected personnel (who may number up to two-hundred-thousand) that their names and Social Security Numbers may have been compromised. Which systems were breached is unclear, as is whether the incident was an attack or a data exposure.
Reuters emphasizes that DISA provides telecommunications services to the White House and other high-level US Government organizations. That’s true enough but possibly misleading, as DISA does far more than provide executive communications. The agency is a combat support organization whose mission is to “conduct DODIN [Department of Defense Information Network] operations for the joint warfighter.” Most Service Members, Defense employees, and contractors touch DISA networks. DISA is headquartered at Fort Meade, Maryland, but it's not part of the more famous tenants of that suburban Baltimore post, the National Security Agency and US Cyber Command.
You'll know what your kids are up to (but so will anyone else who cares to peek into the cloud).
TechCrunch reports that KidsGuard, an app designed to monitor what children (also spouses, employees, etc.) do with their phones, exfiltrates data to a leaky Alibaba cloud storage bucket. KidsGuard is a legal tool that, as its name implies, is marketed to parents interested in keeping a handle on their wards' and offsprings' online shenanigans. It's manufacturer, ClevGuard, says KidsGuard can access "all the information" on a target device, and that includes real-time location, text messages, browser history, photos, videos, app activities, and recordings of phone calls.The exposure of exfiltrated data seems to be the result of a misconfiguration, and not a deliberate choice on the vendor's part. Apps like KidsGuard have come to be known as "stalkerware" for the relative ease with which they're repurposed to snoop on people who decidedly aren't underage children.
Local government data exposures, ransomware incidents, expose citizens' information.
A number of local governments and schools are dealing with databreaches and ransomware attacks. (Ransomware attacks are now often accompanied by data theft.) The South Adams School District in Berne, Indiana, disclosed that it sustained a ransomware attack at midweek. The Oklahoma Department of Education is suing the Dove Public Charter Schools, alleging that Dove illegally obtained the names and addresses of Oklahoma minors, which the schools then provided to a third party in an effort to recruit new students. Oklahoma News 9 reports that Dove says it obtained the information from the State Department of Education's Wave database, and that, while this was proper, it hadn't realized that sharing data with a third party wasn't. And in the UK the BBC says that the Redcar and Cleveland Council is still working to recover from the ransomware attack it sustained two weeks ago. Also in the UK, the Somerset West and Taunton Council inadvertently shared some nine-hundred citizens' data, the Somerset County Gazette reports.