At a glance.
- ACLU shares data with Facebook.
- UK census as phishbait.
- Old stolen Facebook data resurface.
- What they found under all that permafrost.
ACLU shares user data with Facebook.
Last week, in a privacy policy update, the American Civil Liberties Union (ACLU) disclosed that it shares data with Facebook, a platform it often criticizes for its privacy practices, Fortune reports. The data, which are collected from ACLU website visitors who join distribution lists, make a purchase, or submit a donation, include names, email addresses, phone numbers, and ZIP codes. The ACLU’s privacy statement asserts that when the ACLU shares this data with third parties, it does so securely and with assurance from the third party that it will only use it “for the purpose of carrying out the functions we have engaged it to perform.” The organization explained that it shares user data with Facebook because members are more likely to get their news from social media than from newsletters.
However, as the ACLU is known as a defender of user privacy freedoms, industry insiders are taken aback by the admission. “These relationships fly against the principles and public statements of the ACLU regarding transparency, control, and disclosure before use, even as the organization claims to be a strong advocate for privacy rights at the federal and state level,” said Ashkan Soltani, a technology consultant who performed a privacy audit for the ACLU last year. The organization defended its actions by stating, “The ACLU must often work with companies that we are actively challenging to improve their own policies and practices.”
UK census phishing scam.
The UK is conducting its nationwide census this year, and with the pandemic compelling many households to complete their census online, threat actors are finding ways to steal the data, Naked Security reports. The census is conducted every ten years, and the information collected includes private data such as the number of individuals in each household, their ages, nationality, employment, and even health. To facilitate online completion, the Office for National Statistics is sending instructions, complete with unique, 16-character access codes, to each household by post, then following up with reminder letters if the household does not submit its data as requested. Cybercriminals are taking advantage of the process by sending fraudulent census letters in an attempt to steal the target’s data. Victims are directed to a site that looks very much like the authentic census site, complete with similar questions, but instead of asking for the access code, visitors are instructed to enter their postcode. In one example, a tell-tale sign that the letter wasn’t on the up-and-up was the inclusion of a URL ending in “.com” (instead of the appropriate “.gov.uk”), a suffix under which almost anyone can cheaply register a domain.
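The domain cue described above is easy to check mechanically, and it is the kind of check a mail-filtering or awareness tool would apply before anyone types a postcode. The following is an added example, not code from the Naked Security report: it extracts the host from each link and accepts only hosts at or under an assumed official suffix (here `gov.uk`), so that the `.com` lookalike, an official name used as a subdomain of an attacker's domain, and a `user@host` trick are all flagged. The sample links are constructed; `census.gov.uk` is used here only as a stand-in for the genuine site.

```python
"""Flag links in a purported census letter that do not point at the official domain.

Added example; not part of the original article. The sample links below are
constructed, and the official suffix is an assumption for illustration.
"""
from urllib.parse import urlsplit

# Assumption: anything at or under gov.uk is treated as official.
OFFICIAL_SUFFIXES = ("gov.uk",)


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a link, tolerating scheme-less links.

    urlsplit().hostname discards userinfo ("name@") and any port, so
    "https://census.gov.uk@evil.example/" yields "evil.example".
    """
    if "://" not in url:
        url = "http://" + url          # letters often print bare hosts
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_official(url: str, suffixes=OFFICIAL_SUFFIXES) -> bool:
    """True only if the host equals an official suffix or is a subdomain of it.

    The leading dot in the endswith() check stops "mygov.uk" or
    "census.gov.uk.example.com" from passing.
    """
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_links(urls):
    """Pair each link with a verdict; everything not under the suffix is SUSPECT."""
    return [(u, "official" if is_official(u) else "SUSPECT") for u in urls]


# Constructed sample links of the kinds seen in lookalike letters.
SAMPLE_LINKS = [
    "https://census.gov.uk/",               # genuine pattern
    "https://census-online.com/start",      # .com lookalike, as in the article
    "https://census.gov.uk.example.com/",   # official name used as a subdomain
    "https://census.gov.uk@evil.example/",  # userinfo trick hides the real host
    "http://census.gov.uk:8080/help",       # explicit port, still gov.uk
    "census.gov.uk/login",                  # scheme-less link printed in a letter
]

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS):
        print(f"{verdict:8s} {url}")
```

The check deliberately inspects only the registrable host, not the path or page content, because the article's point is that a convincing page can copy the real questions; what it cannot copy is the `.gov.uk` suffix.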
Stolen Facebook data resurfaces.
Insider reports that data belonging to 533 million Facebook users were released -- again -- on an underground forum, this time for free. Hackers originally harvested the data back in 2019 by exploiting a system vulnerability. The issue was detected and subsequently fixed, but the threat actors held onto the data. It appeared earlier this year as the backend of a bot that sold Facebook user phone numbers on an underground forum. Now, like warmed-up leftovers, the data have resurfaced on the same forum, this time available for free to anyone with basic data skills. As the Record by Recorded Future details, the posted data include profile names, email addresses, location information, and most notably, phone numbers for all users, which are not always public on user profiles. “Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” tweeted Alon Gal, co-founder of Israeli intelligence company Hudson Rock. “I have yet to see Facebook acknowledging this absolute negligence of your data.” The Washington Post reports that, when asked for comment, a Facebook spokesperson tweeted, “We found and fixed this issue in August 2019.” Which they certainly did. The data are old, and the breach was plugged almost two years ago, but these old records have now filtered down to the bottom feeders of the criminal ecosystem.
Saryu Nayyar, CEO of Gurucul, sees the leak as a reputational problem for Facebook:
“This is a huge blow to Facebook. Leaking the personal data of 533 million Facebook users is a data breach of massive significance and consequence. The fines alone could literally cripple the company. 11 million of the users whose data was exposed are in the UK. Under GDPR penalties, Facebook faces a maximum fine of £17.5 million or up to 4% of their total 2020 global turnover - whichever is higher. The UK fine alone could set Facebook back $3.4 billion.”
“Further, over 32 million records are US users. The California Attorney General can seek civil penalties of $2,500 per violation of the CCPA (California Privacy Protection Agency). So, depending on how many of those users are in California, Facebook could be looking at additional fines in the billions.”
“All in all, a very bad situation for Facebook and as usual, completely avoidable. The data breach occurred because of a vulnerability that the company patched in 2019. Facebook obviously needs to improve the company's maintenance processes to reduce risks from known vulnerabilities.”
Purandar Das, CEO and Co-Founder of Sotero, sees the incident as suggestive of how data are collected for marketing, and how much of that can be turned to criminal use when compromised: “This makes you wonder as to how much of that information ends up in the legitimate marketing industry. It only takes a few vendors to integrate this data into the broader data set the marketing industry uses. Mobile numbers and Facebook handles are typically in pretty high demand. Of course, the unscrupulous scammers will use every bit of information they can get in their scams.”
Garret Grajek, CEO of YouAttest, wrote to point out that commodity attacks of the kind that could arise from the widespread distribution of the data aren't going to be confined to big, splashy enterprises:
“What is easy to miss when we see a breach of this magnitude of a global corporation is that the hackers are NOT targeting the large brand names like Facebook. There is no question that Advanced Persistent Threat (APT) hacks are devised and targeted at the "brass ring" enterprises like Facebook - but we have to remember that the hackers are running scans across all of our systems.”
“To this end, we all have to be diligent that we are monitoring our system and implementing best practices. As the Cyber Kill Chain details, hackers will be executing reconnaissance on our systems and enumerating our assets. Once this occurs, the hacker will then penetrate our systems and attempt lateral movement and privilege escalation. It is in these steps where a comprehensive and updated identity governance practice can spot an attacker who is attempting to change account privileges to enable the compromised accounts to move around the enterprise, find crucial PII/PHI data, and then exfiltrate it.”
“Products and practices that can identify and then alert the enterprise about account breaches are crucial to meeting not only compliance, but to achieving enterprise security.”
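The identity-governance point in the comment above, that an attacker who has landed on a compromised account usually has to change group memberships or account privileges before moving laterally, translates into a small review that can run over audit records. The following is an added example, not YouAttest's product or code: it parses constructed audit lines (timestamp, actor, target account, action, group) and raises a finding when an account is added to an assumed privileged group, when the actor grants the privilege to its own account, when the change falls outside an assumed approved change window, or when the same actor issues repeated privileged grants within a few minutes. The group names, window and log format are assumptions for illustration.

```python
"""Review group-membership changes for the signs of privilege escalation.

Added example; not part of the original comment. The audit lines, group
names and change window are constructed assumptions for illustration.
"""
from datetime import datetime

# Assumption: groups whose membership grants broad rights in this environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
# Assumption: routine privileged changes are approved between 08:00 and 18:00 UTC.
CHANGE_WINDOW = (8, 18)

# Constructed audit lines: timestamp actor target action group-name
SAMPLE_LOG = """\
2021-04-05T09:12:01Z helpdesk1 jsmith group_add Remote Desktop Users
2021-04-05T09:40:22Z helpdesk1 pjones group_remove Remote Desktop Users
2021-04-05T23:17:45Z svc-print svc-print group_add Domain Admins
2021-04-05T23:18:02Z svc-print rlee group_add Backup Operators
2021-04-06T10:05:13Z itadmin2 newhire group_add Domain Admins
"""


def parse_line(line: str) -> dict:
    """Split one audit line; the group name may itself contain spaces."""
    ts, actor, target, action, group = line.split(" ", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "actor": actor,
        "target": target,
        "action": action,
        "group": group,
    }


def findings_for(event: dict) -> list:
    """Reasons this single event deserves review (empty list if none)."""
    reasons = []
    if event["action"] == "group_add" and event["group"] in PRIVILEGED_GROUPS:
        reasons.append("privileged group membership granted")
        if event["actor"] == event["target"]:
            reasons.append("self-escalation: actor added its own account")
        if not (CHANGE_WINDOW[0] <= event["ts"].hour < CHANGE_WINDOW[1]):
            reasons.append("outside approved change window")
    return reasons


def review(log_text: str, burst_seconds: int = 600) -> list:
    """Return one alert dict per suspicious event, in time order.

    A second privileged grant by the same actor within burst_seconds adds a
    further reason, since a compromised account tends to hand out rights in
    quick succession.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_grant = {}   # actor -> time of that actor's previous privileged grant
    alerts = []
    for ev in events:
        reasons = findings_for(ev)
        if not reasons:
            continue
        prev = last_grant.get(ev["actor"])
        if prev is not None and (ev["ts"] - prev).total_seconds() <= burst_seconds:
            reasons.append(f"repeated privileged grants by same actor within {burst_seconds}s")
        last_grant[ev["actor"]] = ev["ts"]
        alerts.append({
            "when": ev["ts"].isoformat(),
            "actor": ev["actor"],
            "target": ev["target"],
            "group": ev["group"],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(f"{alert['when']} {alert['actor']} -> {alert['target']} [{alert['group']}]")
        for reason in alert["reasons"]:
            print("    -", reason)
```

On the constructed log the two daytime help-desk changes to a non-privileged group pass without comment, the service account that adds itself to Domain Admins at 23:17 and then grants Backup Operators to another account a few seconds later produces two alerts carrying every reason, and the 10:05 addition of a new hire to Domain Admins is surfaced once for a human to confirm against a change ticket.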
MedData loses patient protected health information.
Health IT Security summarizes the compromise of patient protected health information held by MedData. Databreaches.net revealed that the data had been stored in GitHub’s Arctic Code Vault, which is a decommissioned mine 250 meters below the permafrost of an Arctic mountain. Databreaches.net explained, "When Med-Data investigated the exposure on GitHub, they discovered that a former employee had saved files to personal folders in public repositories (yes, more than one repository). The improper exposure had begun no later than September, 2019, although it might have begun earlier."
MedData serves a number of medical organizations, including Memorial Hermann, the University of Chicago Medical Center, Aspirus, and OSF Healthcare. Saryu Nayyar, CEO of Gurucul, notes the oddness of where the data wound up:
“The revelation that personal information involved in a 2020 breach has wound up in a code archive, on film, stored in a repurposed coal mine in Norway, is fascinating. While it seems unlikely that this information will ever be accessed from the archive, that it happened at all points to the unintended permanency of data stored on the internet. The lesson here for any organization is that their data, especially sensitive data, needs to be protected before it gets into the wrong hands. The saying "the internet never forgets" is especially true here, where this breached data will be around for a millennium.”