At a glance.
- Bank of America traces PPP data loss to SBA test server.
- Data exposure reported in Ohio's unemployment relief program.
- Home Chef breached.
- Phishing for LogMeIn credentials.
- Silent Night banking Trojan.
- Privacy and security issues with centralized contact tracing.
Bank of America traces PPP data loss to a leaky Small Business Administration test server.
Bank of America earlier this week warned that data related to its processing of payments made under the US Small Business Administration's Paycheck Protection Program, intended to alleviate economic distress during the COVID-19 pandemic, had been inadvertently exposed. ZDNet reports that Bank of America says the data exposure stemmed from a misconfigured Small Business Administration test server. ZDNet does note that last month some applicants for PPP loans who used Bank of America's site "reported instances where they viewed another customer's details when logging in at a later date to review their application status." It's unclear whether those reports are connected with the Small Business Administration's issues with its test server.
Ohio's pandemic unemployment relief program may have suffered a data breach.
The Dayton Daily News reports that the state of Ohio has informed some 120,000 unemployed Ohioans that their personal data were exposed to inspection by third parties. Deloitte Consulting, responsible for developing the state’s pandemic unemployment program, acknowledged inadvertently giving "multiple unemployment-compensation seekers unauthorized access to other applicants’ personal information, including their Social Security numbers." Deloitte is offering affected applicants a year of credit protection.
Home Chef confirms a data breach.
Some two weeks after data that a seller claimed were taken from Home Chef appeared for sale in criminal souks, TechCrunch says the Chicago-based meal delivery company has confirmed it was in fact breached. BleepingComputer first reported the dark web offerings yesterday. Home Chef said that not all customer accounts were affected, but the information lost includes email address, name and phone number, encrypted passwords, and the last four digits of credit card numbers. "Other account information," Home Chef adds, "such as frequency of deliveries and mailing address may also have been compromised." Affected customers are being notified.
Phishing for LogMeIn credentials.
Abnormal Security reports that an ongoing phishing campaign is targeting LogMeIn customers. The attackers are using a bogus security update as phishbait to lure victims to a malicious site that impersonates a log-in page.
Silent Night represents the latest evolution of the ZeuS banking Trojan.
Malwarebytes today released a report on the recent evolution of the ZeuS banking Trojan, which the researchers call with some justification "the most famous banking Trojan ever released." They've observed a new family built on the old ZeuS framework. It emerged in November of last year, and it's currently being hawked in Russian-speaking criminal-to-criminal markets as "Silent Night." The seller and developer (nom-de-hack "Axe") says it took him much time and many pains to pull together, and he's charging a premium. A "general build" goes for $2000 a month, a "unique build" for $4000. The researchers regard this version as clean and well-made, but not particularly innovative. They expect it to become a product catering to high-end criminals.
Contact tracing: privacy and security concerns.
People in the UK have been asked to let the National Cyber Security Centre (NCSC) know about any problems they've found with the NHSX-sponsored contact-tracing app. According to ComputerWeekly, they've reported three classes of significant issues: those involving the registration process for app users, the application of the Bluetooth communication standard, and how the data are encrypted. Some of the issues involve developer missteps (inevitable with such compressed development cycles), but many of them involve design choices or even simple failures to communicate.