At a glance.
- Smart speakers and privacy.
- Oversharing in social media as a threat to privacy.
- Two English schools breached.
- Data breach litigation.
- Update on RockYou2021.
Hey Siri, stop listening.
Sharing personal data with smart speakers and assistants such as Google Assistant, Amazon's Alexa, and Apple's HomePod (which runs Siri) is the trade-off for the convenience they provide, but how is that data handled? Boxcryptor investigates. According to Google Assistant's privacy policy, user data (such as websites visited and videos watched) is processed even when the user is not actively using the device. With Alexa, the queen of the smart speakers, every voice command is transmitted to Amazon's cloud and stored there in encrypted form. Apple's HomePod also automatically stores the user's contact list, but all data is encrypted and tied to an anonymous identifier rather than to the user directly. Overall, the surest way to limit exposure is to delete stored data regularly, including voice recordings and calls, and to mute the device's microphone when it is not in use.
Don’t give away social media phishbait.
The key to a successful phishing campaign is including details that convince the target that the attacker is actually a trusted contact, and the seemingly harmless information we post on social media platforms like Instagram, LinkedIn, and Facebook puts those details right at an attacker's fingertips. As Rachel Tobac, chief executive officer of SocialProof Security, told the Wall Street Journal, “About 60% of the information I need to craft a really good spear phish is found on Instagram alone.” Phishers use OSINT tooling to collect this data and correlate it across platforms. Some of Tobac's advice: never use your work email address for a social media account, and make sure you are not unwittingly displaying private details like office badges or work documents in photos. Avoid geotags, and use a different profile picture on each platform so an attacker cannot link the accounts.
Two UK schools hit by cyberattacks.
As the CyberWire noted yesterday, the UK's National Cyber Security Centre recently warned of a surge in cyberattacks targeting the education sector. The BBC now reports that two UK schools were forced to close temporarily after a malware attack encrypted the personal records held in their School Information Management System. Skinners' Kent Academy and Skinners' Kent Primary School have advised parents to check their bank accounts for suspicious activity, though officials are still uncertain exactly which data were compromised.
Data breach litigation round-up.
Three notes on courts.
- Lexology reports that Singapore's Tripartite Alliance Limited, which oversees the Tripartite Alliance for Fair and Progressive Employment Practices, was fined $29,000 for a 2020 data breach that exposed employment dispute records of two thousand individuals and eight thousand companies.
- Diagnostic testing laboratory Peachstate Health Management, LLC agreed to a $25,000 settlement for “systemic noncompliance” with the Security Rule of the Health Insurance Portability and Accountability Act, JD Supra reports. After a data breach involving a Peachstate merger partner, the US Department of Health and Human Services concluded that Peachstate had failed to adequately secure electronic protected health information (ePHI).
- Becker’s Hospital Review reports that US health insurance company Humana is facing a federal lawsuit for withholding information from victims of a breach that resulted in the exposure of data belonging to approximately 65,000 health plan members.
RockYou2021 may not be as bad as some feared.
The RockYou2021 leak aroused alarm this week, driven by the sheer quantity of the data released online. But Specops Software has looked into the matter and concluded that it’s not as bad as many feared. “The data is confirmed to be no more than a compilation of various words and phrases found on Wikipedia and other previously seen leaked lists, and not actually a mass reveal of previously unknown breached passwords. While a hacker could choose to use any of the 8.4 billion words and phrases on this list in a brute force attack, organizations are at no greater risk today than before this ‘leak’ was reported,” Specops Software wrote us.
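What Specops is describing is a wordlist: its value to an attacker comes not from any one entry but from feeding it through mangling rules (capitalisation, leetspeak, appended digits and symbols) against a stolen hash set. The following is an added example, not code from the article or from Specops: a miniature version of that list-plus-rules attack, turned around so a defender can ask whether a given password would fall to it. The wordlist, rule set and target hashes are constructed stand-ins; the attack modelled is offline guessing against unsalted SHA-256, which is the worst case for the defender (a slow, salted password hash and online rate limiting make each guess far more expensive).

```python
import hashlib

# Added example (not from the article or Specops): a toy wordlist-plus-rules attack, used
# defensively. WORDLIST and SUFFIXES are constructed stand-ins for a compiled list and a rule set.
WORDLIST = ["password", "wikipedia", "summer", "dragon", "letmein", "correct horse"]
SUFFIXES = ["", "1", "123", "!", "2021", "2021!"]
LEET = str.maketrans("aeios", "43105")          # a -> 4, e -> 3, i -> 1, o -> 0, s -> 5


def mangle(word):
    """Yield the distinct variants a typical rule set derives from one wordlist entry."""
    seen = set()
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidate_count(wordlist):
    """Size of the attacker's search space: every rule applied to every list entry."""
    return sum(1 for w in wordlist for _ in mangle(w))


def crack(target_hash, wordlist=WORDLIST, algo="sha256"):
    """Offline attack on an unsalted hex digest: return (matching guess or None, guesses tried)."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if hashlib.new(algo, cand.encode()).hexdigest() == target_hash:
                return cand, tried
    return None, tried


def would_fall(password, wordlist=WORDLIST):
    """Defender's check: is this password inside the list-plus-rules search space?"""
    return any(cand == password for w in wordlist for cand in mangle(w))


if __name__ == "__main__":
    print("search space from", len(WORDLIST), "words:", candidate_count(WORDLIST), "guesses")
    stolen = hashlib.sha256(b"Dragon2021!").hexdigest()   # constructed "leaked" hash
    print("cracked:", crack(stolen))
    for pw in ("dr4g0n", "Wikipedia123", "Tr0ub4dor&3"):
        print(pw, "would fall" if would_fall(pw) else "survives this list")
```

The point of `candidate_count` is the multiplication: six words become well over a hundred guesses under a handful of rules, and a real rule set against 8.4 billion entries multiplies the same way. That is why a dictionary word or Wikipedia phrase with a year and an exclamation mark appended was already a weak password before this compilation appeared, and why the practical response is the one Specops implies: screen new passwords against known lists and rules rather than react to the headline number.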