At a glance.
- Attackers send media personal information obtained in the Waikato DHB hack.
- Pizza chain orders in India exposed in data breach.
- How personal information can be used in unemployment fraud.
- Differential privacy and the bugs that can come with it.
Private patient information released in Waikato DHB incident.
Reuters reports that the group claiming responsibility for the cyberattack against the Waikato District Health Board has begun releasing to news media what seems to be private patient information. The media have declined to publish it, and have turned the material over to the authorities. Officials in New Zealand have also been relatively tight-lipped about the incident, but it's widely taken to have been a ransomware attack. RNZ says the government has stated that it won't pay any ransom. Health Minister Andrew Little said, "Ransomware attacks are a crime. The New Zealand Government will not pay ransoms to criminals because this will encourage further offending."
The national Privacy Commissioner has directed all District Health Boards to address the vulnerabilities the attackers exploited against the Waikato DHB. "If we find that any DHB does not have adequate security," Commissioner John Edwards said, "we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions."
The attack has induced widespread outages in Waikato's health systems, with both patient treatment and payroll processing suffering disruption. The facilities affected by the incident have been moving to manual backups in an attempt to reduce patient care backlogs. The public, Reuters says, has been "asked to look for alternative avenues for treatment for non-critical conditions."
Pizza chain data breach affects 180 million orders.
CNBC reports that thirteen terabytes of data taken from Domino's Pizza franchises in India have appeared on a dark web site. The researcher who discovered the breach, Rajshekhar Rajaharia, tweeted, "Again!! Data of 18 Crore orders of #Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include Name, Email, Mobile, GPS Location etc."
Jubilant Foodworks, which owns the master franchise for Domino's in India, acknowledged the breach, but stressed that customers' paycard data were not exposed. The other personal details, however, as CNBC observes, are troubling enough from a privacy point of view. (Besides, if they got your order details, presumably they know the toppings you specified, and who wants that?)
Stolen personal information and its use in unemployment fraud.
Threat intelligence shop Kela outlines the ways in which personal information can easily be used to commit unemployment fraud. From spotty data to what the underworld calls "fullz," that is, relatively complete data sets on individuals that enable criminals to impersonate them, compromised personal information can be used in bogus applications for assistance.
NIST offers advice on differential privacy.
The US National Institute of Standards and Technology (NIST) has blogged about differential privacy bugs. The post is the first in a projected series on the topic. Differential privacy is a method of enabling analysis of data without exposing private information the data contain. The method involves adding enough noise to the results of data analysis that the private data themselves are obscured, but not so much noise that the quality of the results is itself degraded. The two classes of bugs NIST discusses are "Adding the wrong amount of noise" and "Incorrectly calculating the sensitivity of a function." They're tough to avoid, because they can escape the net of traditional testing techniques.
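The two bug classes can be seen side by side in a small sketch. This is an added example, not code from NIST's post or from this page; it assumes the textbook Laplace mechanism for a sum query, and the function names, clipping bounds and income figures are constructed for illustration.

```python
import random

# Constructed sample data: four incomes, one an outlier. Not from any real dataset.
INCOMES = [42_000, 58_000, 61_000, 250_000]

def laplace_noise(scale, rng):
    """Laplace(0, scale) sample: the difference of two exponentials with mean `scale`."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def clipped_sum_sensitivity(lo, hi):
    """Most a sum can change when one record, clipped to [lo, hi], is added or removed."""
    return max(abs(lo), abs(hi))

def dp_sum(values, lo, hi, epsilon, rng):
    """Correct: clip inputs to bound the sensitivity, then scale = sensitivity / epsilon."""
    scale = clipped_sum_sensitivity(lo, hi) / epsilon
    total = sum(min(max(v, lo), hi) for v in values)
    return total + laplace_noise(scale, rng), scale

def dp_sum_wrong_sensitivity(values, epsilon, rng):
    """Bug: sensitivity 1 is right for a count, not for a sum of unbounded values."""
    scale = 1 / epsilon
    return sum(values) + laplace_noise(scale, rng), scale

def dp_sum_wrong_noise(values, lo, hi, epsilon, rng):
    """Bug: sensitivity is right, but the scale is inverted (epsilon / sensitivity)."""
    scale = epsilon / clipped_sum_sensitivity(lo, hi)
    total = sum(min(max(v, lo), hi) for v in values)
    return total + laplace_noise(scale, rng), scale

def effective_epsilon(true_sensitivity, scale):
    """Epsilon a Laplace mechanism really delivers: true sensitivity / noise scale."""
    return true_sensitivity / scale

if __name__ == "__main__":
    # Seeded so the demo repeats; a real release needs a cryptographically secure source.
    rng = random.Random(2021)
    eps, lo, hi = 0.5, 0, 100_000
    _, ok = dp_sum(INCOMES, lo, hi, eps, rng)
    _, bad_sens = dp_sum_wrong_sensitivity(INCOMES, eps, rng)
    _, bad_noise = dp_sum_wrong_noise(INCOMES, lo, hi, eps, rng)
    print("correct:          ", effective_epsilon(hi, ok))
    print("wrong sensitivity:", effective_epsilon(max(INCOMES), bad_sens))
    print("wrong noise:      ", effective_epsilon(hi, bad_noise))
```

All three functions return a number close to the true sum, so a test that only checks the output for accuracy passes the two buggy versions; the privacy failure shows up only when the noise scale is compared against the true sensitivity.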