At a glance.
- Legal consequences of a data breach.
- Chqbook user data leaked in underground forum.
- Mozilla moves against supercookies in Firefox.
- Asylum-seekers' personal data leaked.
- GDPR questions asked and answered.
- LifeShield home security camera vulnerabilities patched.
- Consumer data offered for sale on the dark web.
Preparing for the legal consequences of a data breach.
The State of Security examines the legal fallout an organization faces after a data breach, and what it can do to prepare. With the recent arrival of data privacy laws like the General Data Protection Regulation in the EU, and Nevada’s Consumer Protection Law, New York’s Privacy Act, and the California Consumer Privacy Act in the US, organizations need to educate themselves on the penalties and lawsuits that can follow a transgression. The Securities and Exchange Commission has also issued disclosure guidance advising public companies on how to disclose cybersecurity risks and incidents. If a breach occurs, a timely, coordinated response from public relations, legal counsel, and insurance personnel can mitigate the damage and help avoid hefty fines.
Chqbook user data leaked on underground forum.
Indian fintech startup Chqbook is the latest to fall prey to the notorious hacking group ShinyHunters, reports Inc42 Media. The threat actor published over two million stolen records including credit scores, as well as personally identifiable information such as permanent account numbers (PAN), loan details, and, for some users, even passport numbers and street addresses. Though the “neobank” Chqbook previously denied it had experienced any attack, rumors of a breach have been circulating since last month, and the leak makes the denial harder to sustain. Indian companies Juspay, Clickindia, WedMeGood, and BigBasket were also recently exposed in data dumps credited to ShinyHunters.
Mozilla takes the bite out of supercookies.
Security Week details how Mozilla is strengthening the privacy protections of its Firefox browser. By focusing on isolation, Mozilla aims to crack down on trackers like supercookies: identifiers hidden in places ordinary cookie controls do not reach, such as Flash storage, HTTP ETags, and HSTS flags, which makes them hard to detect or remove. Firefox 85 partitions network connections and caches by the top-level website being visited, so a tracker embedded on two different sites gets two separate caches and two separate sets of cache validators, effectively rendering cache-based supercookies useless.
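To make the mechanism concrete, the following added example (not Mozilla code; the tracker host, the two embedding sites, and the identifier format are made up) simulates an ETag supercookie. A tracker mints an identifier on the first request, returns it as the resource's ETag, and recovers it from the If-None-Match header on every revalidation, so no cookie is ever set. A browser whose cache is keyed only by URL hands the same ETag back from every site that embeds the tracker; a browser that keys the cache by (top-level site, URL), as Firefox 85 does, gives each site its own copy and the tracker sees two unrelated identifiers.

```python
"""ETag supercookie versus per-site cache partitioning (added example)."""
import itertools


class Tracker:
    """Third-party server that abuses the HTTP cache validator as an ID."""

    def __init__(self):
        self._ids = itertools.count(1)
        # (top_level_site, tracking_id) pairs the tracker learns over time.
        self.observed = []

    def handle(self, top_level_site, if_none_match):
        if if_none_match is None:
            # First sight of this cache entry: mint an identifier and return it
            # as the ETag.  A normal browser stores it beside the cached body.
            tid = f"id-{next(self._ids)}"
            self.observed.append((top_level_site, tid))
            return 200, tid
        # Revalidation: the browser echoes the stored ETag in If-None-Match,
        # so the tracker recovers the identifier with a plain 304.
        self.observed.append((top_level_site, if_none_match))
        return 304, if_none_match


class Browser:
    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.cache = {}  # cache key -> stored ETag

    def _key(self, top_level_site, url):
        # Unpartitioned: one entry per URL shared by every embedding site.
        # Partitioned: the top-level site is part of the key, so each site
        # gets its own entry (and therefore its own ETag).
        return (top_level_site, url) if self.partitioned else url

    def fetch(self, top_level_site, url, tracker):
        key = self._key(top_level_site, url)
        status, etag = tracker.handle(top_level_site, self.cache.get(key))
        self.cache[key] = etag
        return status


TRACKER_URL = "https://tracker.example/pixel.gif"  # constructed URL
SITE_A = "https://a.example"  # constructed first-party sites
SITE_B = "https://b.example"


def simulate(partitioned):
    """Visit two unrelated sites that both embed the tracker pixel and return
    the identifier the tracker associates with each of them."""
    tracker = Tracker()
    browser = Browser(partitioned)
    for site in (SITE_A, SITE_B):
        browser.fetch(site, TRACKER_URL, tracker)
    seen = dict(tracker.observed)
    return seen[SITE_A], seen[SITE_B]


if __name__ == "__main__":
    print("unpartitioned cache:", simulate(False))  # same ID on both sites
    print("partitioned cache:  ", simulate(True))   # two unrelated IDs
```

The simulation covers only the ETag variant; the same keying argument applies to any cache-derived state (HSTS flags, image cache, DNS or connection reuse) that Firefox 85 partitions by top-level site.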
Asylum seekers’ private data leaked.
Australia’s information and privacy commissioner has found that the Department of Home Affairs breached the privacy of over nine thousand asylum seekers in detention by accidentally exposing their personal data, the Weekly Times reports. A database including individuals’ full names, dates of birth, and reasons for detention was mistakenly published on the department’s website and in an online archive. The department is being required to pay compensation for non-economic loss to almost 1300 victims, ranging from $500 to over $20,000 per person depending on the severity of the harm. Some of the victims’ counsel have also requested that their visa applications be reconsidered, but this falls outside the commissioner’s powers.
Reflections on GDPR, on the occasion of Data Protection Day.
In honor of Data Protection Day, Computing asked Dr. W. Kuan Hon, director of the Privacy, Security & Information Law team at European law firm Fieldfisher, to shed light on some lingering questions regarding the EU’s General Data Protection Regulation (GDPR). Hon explains the GDPR’s stance on erasure of personally identifiable information and proper procedures for removal of former subscriber data. She also discusses the Schrems II decision and its impact on regulations regarding international data transfer and the use of software or infrastructure providers based outside of the EU.
Home security cameras found susceptible to inadvertent live-streaming.
Bitdefender says it's found that an attacker on the local network could induce LifeShield home security cameras to "leak local credentials from the cloud for each vulnerable device," "perform local command injection after authentication," or "access the RTSP feed while on the same network." ADT, which now owns the LifeShield brand, was quick to patch the devices when Bitdefender disclosed the problem. Users may therefore for the most part be out of the woods, but the incident is a cautionary tale about the risks of home security systems.
Asaf Karas, co-founder and CTO of Vdoo, commented about the design lessons the incident might teach:
“Out of the thousands of device firmware that Vdoo continuously analyzes, command injection vulnerabilities are by far the most common we are seeing given device vendors’ tendencies to invoke the shell to configure a device. In many cases, these commands are executed with root privileges and not as an unprivileged user, making things worse.
“In this case, this command injection is only exploitable post-authentication. However, the lack of encryption when transmitting credentials over the network, along with a logical flaw that sends the plaintext password (not even a hash) makes this vulnerability far more impactful, given that it is possible for a local network attacker to relatively easily retrieve these credentials. This shows that securing devices requires meticulous care and security by design throughout the different device layers.”
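The pattern Karas describes, a configuration routine that builds a shell command string out of user input, is shown below in an added example that is not LifeShield, ADT, Bitdefender or Vdoo code. The "set SSID" operation, the use of `echo` as a stand-in for the real configuration binary, the malicious SSID, and the allow-list policy are all constructed for illustration. The vulnerable version hands the string to `/bin/sh`, so a `;` in the SSID runs a second command; the hardened version passes the value as its own argv element (no shell parses it) and additionally rejects anything outside an allow-list, which is the belt-and-braces approach firmware should take regardless of whether the process runs as root.

```python
"""Shell command injection in device configuration, and the hardened form
(added example; the SSID-setting operation is illustrative)."""
import re
import subprocess

# Stand-in for the real configuration tool (e.g. a wireless utility).
# 'echo' lets the example run anywhere; the injection pattern is identical.
CONFIG_TOOL = "echo"

# Constructed attacker input: a plausible SSID followed by a second command.
MALICIOUS_SSID = "HomeWiFi; echo INJECTED"


def set_ssid_vulnerable(ssid):
    """Concatenates user input into a command string and lets /bin/sh parse it.
    Anything the shell treats specially (; | & $() ` ...) is executed."""
    cmd = f"{CONFIG_TOOL} setting ssid {ssid}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def set_ssid_argv_only(ssid):
    """Passes the SSID as a separate argv element.  No shell is involved, so
    metacharacters arrive at the tool as literal bytes of one argument."""
    result = subprocess.run([CONFIG_TOOL, "setting", "ssid", ssid],
                            capture_output=True, text=True)
    return result.stdout.splitlines()


# Illustrative allow-list; a real device would follow its own SSID policy.
_SSID_OK = re.compile(r"[A-Za-z0-9 _\-]{1,32}")


def set_ssid_hardened(ssid):
    """Allow-list validation plus argv passing.  Validation protects the
    downstream tool's own option parsing; argv passing removes the shell."""
    if not _SSID_OK.fullmatch(ssid):
        raise ValueError(f"rejected SSID: {ssid!r}")
    return set_ssid_argv_only(ssid)


if __name__ == "__main__":
    print("vulnerable:", set_ssid_vulnerable(MALICIOUS_SSID))
    print("argv only: ", set_ssid_argv_only(MALICIOUS_SSID))
    print("hardened:  ", set_ssid_hardened("HomeWiFi"))
    try:
        set_ssid_hardened(MALICIOUS_SSID)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The argv form alone already defeats the injection; the allow-list is there because the configuration tool itself may interpret leading dashes or other characters as options. Running the routine as an unprivileged user, as Karas recommends, limits what a successful injection can do but does not remove the bug.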
Retail customers' data for sale on the dark web.
In dark web criminal-to-criminal souks, data thieves are offering information stolen from Tesco, Deliveroo, and McDonald's, Yahoo reports. The information on offer is sufficiently detailed in some cases to facilitate identity theft. The three companies are taking steps on behalf of their customers to contain the damage.
Trevor Morgan, product manager with comforte AG, shared some Data Privacy Day thoughts on the incident:
"In the wake of an investigation revealing a cache of personally identifiable information (PII) for sale on the dark web, Which? appropriately calls for both businesses and individuals to pay closer attention to cybersecurity. The reality is that effective technologies and best practices are readily available which can thwart incidents like this, preventing peoples’ highly sensitive data from being exposed and leveraged by threat actors.
"On this Data Privacy Day, businesses need to give serious and sober thought about how data-centric security, which protects the data itself rather than the borders and perimeters around it, can be a powerful tool in their cybersecurity arsenal. In the reported incident affecting customers of Tesco, Deliveroo, and McDonald's, had this data been tokenized prior to being breached, any sensitive data within the data set would have been effectively obfuscated. Businesses cannot keep risking situations like this when the answer is abundantly clear—you can implement effective and cost-efficient data-centric security, but you must have the desire and incentive to start that journey toward comprehensive data protection."