At a glance.
- RigUp data exposed in misconfigured cloud database.
- More Iranian citizens' data being sold in the dark web.
- Nepal ISP suffers data breach.
- UK's ICO will defer some large GDPR fines.
- Zoom grapples with privacy issues.
- Protecting customer data now a stronger motivation than compliance as companies adopt encryption.
Data held by RigUp found exposed.
vpnMentor told Security Magazine that RigUp, a "labor marketplace and services provider" that serves the US energy sector, exposed some 70,000 files containing personally identifiable information. It was, in the now familiar oversight, left open to the Internet in an unsecured Amazon Web Services (AWS) S3 bucket. The data exposed included employee and candidate resumes, personal photos (including some private family photos), documents related to insurance plans and policies, professional IDs, profile photos, and scans of various professional certificates.
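The RigUp exposure is the usual S3 failure mode: a bucket policy (or ACL) that grants access to anonymous principals, with S3 Block Public Access not switched on. The following is an added example, not code from vpnMentor, RigUp or this report, that shows an offline audit of that configuration class: a weak bucket policy beside a hardened one, and a checker that flags unconditioned anonymous grants and disabled Block Public Access settings. The bucket name, account ID and role ARN are constructed for the example; the four Block Public Access field names are the real S3 PublicAccessBlockConfiguration keys.

```python
"""Offline audit of the S3 misconfiguration behind exposures like RigUp's:
a bucket policy that grants anonymous access, with S3 Block Public Access
left off. All policies and settings below are constructed sample data."""
import json

# Constructed: the kind of policy that makes every object world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-hr-uploads",
                     "arn:aws:s3:::example-hr-uploads/*"],
    }],
})

# Constructed: the corrected policy, scoped to one IAM role in one account
# (account ID and role name are placeholders).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUploadServiceRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-service"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-hr-uploads/*",
    }],
})

# Block Public Access settings; these four key names are the real S3 fields.
PUBLIC_ACCESS_BLOCK_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PUBLIC_ACCESS_BLOCK_ON = {key: True for key in PUBLIC_ACCESS_BLOCK_OFF}


def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal element matches any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements any principal can use with no Condition."""
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpce) may narrow the grant; flag only
        # the unconditioned ones, which are public for everyone.
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def audit_bucket(policy_json, public_access_block):
    """Combine both controls. RestrictPublicBuckets makes S3 ignore public
    grants in an existing policy, so only without it is the exposure live."""
    findings = []
    open_sids = public_statements(policy_json)
    restricted = public_access_block.get("RestrictPublicBuckets", False)
    if open_sids and not restricted:
        findings.append("bucket policy grants anonymous access via "
                        + ", ".join(open_sids))
    elif open_sids:
        findings.append("public grants " + ", ".join(open_sids)
                        + " are neutralised by RestrictPublicBuckets; remove them anyway")
    for setting, enabled in public_access_block.items():
        if not enabled:
            findings.append(setting + " is disabled")
    return findings


if __name__ == "__main__":
    for name, policy, block in [("weak", WEAK_POLICY, PUBLIC_ACCESS_BLOCK_OFF),
                                ("hardened", HARDENED_POLICY, PUBLIC_ACCESS_BLOCK_ON)]:
        print(name, audit_bucket(policy, block) or ["no findings"])
```

The checker reads policy JSON you have already fetched (for instance the output of `aws s3api get-bucket-policy`), so it needs no credentials or network; an ACL-level public grant is a separate check this example does not cover.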
Another criminal operation steals Iranians' PII.
HackRead writes that another collection of personally identifiable information belonging to Iranian citizens has turned up for sale in a dark web souk. This breach affects some 45,000 people, and it takes the form of "8.17 GB worth of data with 45,221 files." The files on offer contain such information as copies of national identification cards, birth certificates, passports, and debit cards. The data appear to have been taken from at least two websites, one an online advertising platform, the other a site belonging to an exchange that trades in alt-coin and other currencies.
Major Nepal ISP discloses a data breach.
More than 160,000 customers of Vianet Communications were affected by a data breach that hit the Nepal Internet service provider. Vianet disclosed the breach, which it called a "major hack," yesterday. The attackers tweeted a link to the data they'd stolen; that link has since been taken down by Vianet and the Nepal Telecommunications Authority. The data that were taken include phone numbers, physical addresses and email addresses. The incident, Republica reports, is under investigation by the Cyber Bureau of Nepal Police.
ICO to take it easy on GDPR violators during the pandemic.
SC Magazine says that the UK’s Information Commissioner’s Office (ICO) is deferring the large fines for data breaches it imposed last year on British Airways and Marriott International, respectively £183 million for British Airways and £99 million for Marriott International. The extension recognizes the economic stress the COVID-19 pandemic has imposed, especially on the travel industry. It is a deferral and not forgiveness; the companies are expected eventually to pay up, and investigations of data breaches in violation of GDPR aren’t being closed.
Zoom fixes some privacy and security issues, but finds itself unwelcome in more enterprises.
Zoom continues to suffer from the pyrrhic commercial triumph the company enjoyed when demand for its teleconferencing services exploded in February and March. It’s fixed some security issues—Yahoo says Zoom has added a new security menu in its latest versions, and ZDNet reports that the company has removed meeting IDs from its toolbar—but on balance it’s still been a bad week, what CIO Dive calls a “no good, very rotten week.”
According to BuzzFeed, Google has banned its employees from using the teleconferencing app on grounds of its questionable security. And as the US Congress continues to figure out how it will conduct as much business as possible online (and the Washington Post has a summary of some of the measures under consideration), the Senate at least is fighting shy of Zoom. Reuters reports that Senators are being told not to use Zoom’s services.
Protecting customers' private information.
A Ponemon Institute study sponsored by nCipher has some interesting, arguably encouraging news. The 2020 Global Encryption Trends Study concludes that protecting customers' privacy has surpassed compliance as the largest single driver in businesses' adoption of encryption.