At a glance.
- Not all data are equally sensitive.
- Zombie accounts as a threat to privacy.
- Ancestry.com and the marketing use of yearbook pictures.
- Data leak in Devon.
- SEPA refuses to pay ransom.
Marriott data breach case dismissed.
The lawsuit against hotelier Marriott in connection with a recent data breach has been dismissed, as the court found the plaintiff lacked standing to sue, Lexology reports. The plaintiff in Rahman v. Marriott International, Inc. alleged that a data breach, in which two employees of a Russian Marriott franchise gained unauthorized access to customer data, showed that Marriott had violated the California Consumer Privacy Act. The National Law Review reports that the incident affected 5.2 million Marriott customers, but Marriott argued for dismissal on the grounds that the compromised data, which included names, email addresses, and birth dates, were not sensitive enough to constitute an injury. The federal court agreed, as precedent has established that “sensitive” data typically means social security numbers or financial information.
Night of the Living Data.
Your “zombie” accounts -- the ones you created just to, perhaps, obtain a trial subscription or get a one-time coupon, and then never accessed again -- could be leaving you open to data theft, Forbes reports. If a breach occurs, any information in such an account is fair game for cybercriminals. While the data gathering dust there might not be very valuable, any smart threat actor knows there’s a good chance the user recycled those credentials for a more sensitive, active account. A Digital Guardian survey found that 70% of users have at least ten password-protected online accounts, and 30% have created so many they’ve lost count, making it hard to keep track of all the places they’ve left data behind. In addition to dropping the bad habit of recycling passwords, experts recommend that users use their browser’s password manager to track down and close “undead” accounts.
Ancestry.com sued for unauthorized use of yearbook photos.
Law360 reports that Ancestry.com, the world’s largest genealogy company, is being sued for using old yearbook photos for marketing purposes without the subjects’ permission. Ancestry.com has moved to dismiss the suit, asserting that the plaintiffs have no claim to injury because the photos were public property and readily available outside of Ancestry.com’s usage. The plaintiffs are asking the court to sustain, claiming that Ancestry.com profited from their photos and that the subjects of the pictures have the right to determine how their likenesses are used.
East Devon District Council accidentally leaks member passwords.
The East Devon District Council in England experienced a data breach that exposed the passwords of council members, DevonLive reports. The breach, which was discovered in November, occurred when the Council’s IT provider, Strata, decided to add Outlook 365 passwords to the councillors’ profiles, which are accessible to the other members of the council. Strata, which assigns the passwords and does not let members change them, defended its decision by pointing out that the general public did not have access to the passwords and that there was little chance a councillor would misuse a fellow member’s data. Councillor Paul Millar, who discovered the breach when he realized he could see another member’s password, stated, “Lessons have been learnt and we need to implement the changes needed to ensure this never happens again.”
Industry reaction to SEPA's decision against paying ransom.
Computing reports that criminals have responded to the Scottish Environmental Protection Agency's (SEPA's) refusal to pay the ransom by releasing some four thousand stolen files online. The ransomware attack, since claimed by the Conti gang, was detected on Christmas Eve and has been described as an "ongoing" incident. The criminals took 1.2GB of data, including not only business information (such as procurement data and project details) but employee information as well. SEPA continues to refuse to pay the ransom. "We've been clear that we won't use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds," Computing quotes SEPA head Terry A'Hearn as saying.
Saryu Nayyar, CEO of Gurucul, sees the incident as providing more motivation for organizations to defend their data:
"The ransomware attack against the Scottish Environmental Protection Agency (SEPA) is following a now-familiar pattern. The attackers steal data and deploy ransomware. The victim refuses to pay the ransom and uses their business continuity plans to get back to work. The attackers then publish their stolen data, with or without attempting extortion before releasing the data. Here, Scotland's government declined to deal with criminals and relied on their own process to recover and much of the stolen data was already publicly available. But the attack highlights the scope of organizations cybercriminals will attack and the need to maintain cyber defenses across all levels of government and civilian spaces."
Chloé Messdaghi, VP of Strategy at Point3 Security, notes the general futility of hoping that gangs can be relied upon to keep their promises after the ransom is paid:
"When government agencies experience a ransomware cyberattack, they typically have one of two options: 1) pay up and (hopefully) get your data/access back; or 2) don’t pay and see what happens. If the ransomware is slowing down or disrupting business or services for any significant amount of time, the option to pay seems unavoidable. However, if it’s NOT causing any substantial disruption, and the data that’s been taken isn’t detrimental, payments usually aren’t made. And in this case, it sounds like the Scottish government and police force supported the decision of SEPA.
"Another thing to remember is that when these criminals go after publicly funded agencies, the monies to fund a ransom may not even be there. It’s like stealing a wallet with no money in it. And if SEPA had decided to pay the ransom, they’re now engaging and dealing with criminals. Criminals don’t follow the rules, so there’s really no guarantee that they would both release the data back to SEPA, or that they won’t just turn around and sell it to another criminal group.
"Understanding risk management in these situations is key. When an attack occurs, recognizing the damage or disruption that’s possible – for both customers and the organization – will help to make a decision as to whether it’s worth the ransom."