At a glance.
- Updates on Facebook data leak incident.
- Atlantic Media discloses employee data breach.
- Britain's Home Office is collecting a great deal of personal data.
- More web shells are being used to collect paycard data.
Facebook data leak updates.
As the fallout from the massive Facebook data leak continues, Reuters reports that the social media giant has stated it has no plans to contact the 533 million users whose information was stolen by a threat actor and has been circulating on the dark web. When asked why, a Facebook spokesperson explained that the company does not know exactly which users would need to be contacted, and that impacted users would have no way of rectifying the situation. Meanwhile, Politico reports that dozens of EU officials, including Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel, and ironically, Germany's chief federal privacy regulator Ulrich Kelber were among the users impacted in the breach. A spokesperson for the European Commission said the data leak “only reaffirms the importance of GDPR [General Data Protection Regulation] in protection of fundamental rights, in particular where data of millions of Europeans is at stake.” The EU's Cyber Emergency Response Team is conducting an investigation to determine if the breach might impact government operations.
Atlantic Media suffers employee data breach.
The Atlantic disclosed yesterday that a cybercriminal gained unauthorized access to the servers of Atlantic Media, a shareholder and former corporate owner of the popular US magazine. The good news: no subscriber or client data were exposed. The bad news: former and current employee tax documents, which include sensitive identifying data like social security numbers, were potentially compromised. The company will be notifying all impacted parties by mail.
Is the Home Office building a “super database”?
Not your home office, of course, but Whitehall's Home Office. Computing reports that the UK’s Home Office, the ministerial department responsible for immigration and security, has been allegedly maintaining a “super database,” collecting data such as race or ethnicity, criminal record, health, and identification numbers. Documents obtained through a Freedom of Information request by Privacy International, a London charity that defends privacy rights, show that the database contains the data of about 650 million people, including children under the age of thirteen. It’s unclear exactly who is providing the information, as most of the data sources were redacted. The two sources identified -- data analytics firm Dun & Bradstreet and fraud prevention firm GB Group -- declined to disclose any details of their work. A Home Office spokesperson stated that any data collected are necessary for the operation of the department, are stored securely, and are processed in compliance with data protection laws and the Human Rights Act 1998. This is not the first of the Home Office’s actions that has privacy advocates concerned. About a month ago it was determined that under 2016’s controversial Snooper’s Charter, the Home Office was working with two unnamed UK internet providers and the National Crime Agency to test a surveillance tool for collecting the browsing history of all UK internet users. And just last week it was discovered that the Home Office has allegedly been considering ways to force Facebook to decrypt its messaging apps in order to give law enforcement agencies access to the contents of user messages.
VISA warns of increased use of web shells.
VISA warns that cybercriminals are making more general use of web shells in their scraping of credit cards. BleepingComputer reports that the global payments processor is seeing more such shells deployed on compromised servers to help criminals exfiltrate stolen card data. Ameet Naik, security evangelist at PerimeterX, commented that the money to be from such crime renders it hardly surprising that the crooks would learn from the best and keep up with the latest hacking trends:
“Digital skimming or e-skimming attacks are a lucrative source of revenue for cybercriminals and even nation states. Stolen credit card numbers are worth millions of dollars on the dark web and we continue to see a proliferation of such attacks on e-commerce sites. These attacks not only hurt shoppers but also increase costs for online businesses which are stuck bearing the costs of the fraudulent purchases.
"Attackers are always looking for creative ways to exfiltrate the stolen data ranging from web shells on compromised servers to leaving behind images with encoded information on the web server. Many of these techniques are designed to evade detection and bypass common security controls such as content security policy (CSP). Website owners must continue to be vigilant about these attacks and monitor their sites continuously using client-side security solutions. Consumers must stay alert for signs of compromise while shopping online and monitor their credit reports regularly.”