At a glance.
- Irish DPC investigates Facebook data incident.
- Apple and the white hats.
- Bots during the pandemic.
- Updates on university data breaches.
Irish watchdog investigates Facebook data dump.
The online community has been rocked by the recent data dump that exposed the Facebook profile data of over half a billion users from more than one hundred countries. Ireland's Data Protection Commission (DPC) has announced that it is opening an inquiry under the Data Protection Act 2018, as the DPC believes Facebook may have violated the General Data Protection Regulation (GDPR). The decision follows the commission's earlier questioning of Facebook Ireland about the incident, which the Washington Post reads as a sign that the DPC was dissatisfied with Facebook Ireland's answers. European Commissioner for Justice Didier Reynders stated on Twitter, "Today I spoke with Helen Dixon @DPCIreland about the #FacebookLeak. The Commission continues to follow this case closely and is committed to supporting national authorities. We also call on @Facebook to cooperate actively and swiftly to shed light on the identified issues." Computing notes that if Facebook is found to be in violation of the GDPR, the social media giant could be fined up to 4% of its annual revenue, which was about $86 billion last year.
Apple's squabble with white-hat hackers.
In 2016, the US Federal Bureau of Investigation (FBI) asked Apple to unlock an iPhone used by one of the terrorists responsible for the San Bernardino, California, shooting that left more than a dozen people dead. Apple refused, arguing that building a way around the phone's protections would undermine the security of all its devices. So the FBI quietly turned to Azimuth Security, a small Australian cybersecurity vendor, whose white-hat researchers assembled an exploit chain (since patched) that gave investigators access to the device. The Washington Post reports that, in a twist of fate, Apple is now embroiled in a legal dispute with Corellium, a Florida-based company co-founded by one of the Azimuth researchers who aided the FBI. Corellium makes "virtual iPhones" that let researchers test Apple's iPhone operating system. Apple sued the firm in 2019, alleging copyright infringement, but a judge rejected that claim this past December, ruling that Corellium's use is lawful because it serves security research rather than competing with Apple's products. Apple is not backing down, however: it continues to press a separate claim that Corellium's work circumvents Apple's security measures, and that claim is scheduled for trial this summer.
New report examines bot activity in the age of COVID.
DarkReading explores a report released by cybersecurity firm Imperva that examines shifts in bot activity over the past year. Focusing on "bad" bots (those used for scalping and hoarding inventory, and for credential stuffing and password spraying attacks), the report looks at how the COVID-19 pandemic changed what bots were pointed at. For instance, ticket scalping bots were rendered useless as stay-at-home orders compelled the public to avoid large events. Meanwhile, quarantine drove up demand for products like masks and gaming consoles, making those products hot commodities for hoarding bots. The report also warns that websites like TurboVax, designed to help users find vaccine appointments, could become a new bot target: "These helpful bots were created with good intentions, but it's not far-fetched to imagine others creating similar tools in order to sell the appointment to the highest bidder for the opportunity to jump the queue." That said, Imperva's director of strategy Edward Roberts clarified that while malicious exploitation of these sites is possible, it is more likely that such bots will concentrate on helping rather than harming the public during the pandemic.
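The two attack types the report groups under "bad bots", credential stuffing and password spraying, leave different fingerprints in an authentication log: stuffing replays leaked username/password pairs at speed and occasionally succeeds, while spraying tries one password across many accounts slowly enough to stay under lockout thresholds. The triage script below is an added illustration for this digest, not code from Imperva or from any product the article mentions; the log line format, the field names and the numeric thresholds are assumptions chosen for the example, and the sample log is constructed inline.

```python
"""Heuristic triage of authentication logs for credential stuffing and
password spraying.  Illustration added to this digest; the log format,
field names and thresholds are assumptions, not a vendor's detection logic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO8601Z> ip=<src> user=<account> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def summarize(events):
    """Aggregate attempts, failures, distinct accounts and time span per source IP."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(),
                                  "first": None, "last": None})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["fails"] += 0 if e["ok"] else 1
        s["users"].add(e["user"])
        if s["first"] is None or e["ts"] < s["first"]:
            s["first"] = e["ts"]
        if s["last"] is None or e["ts"] > s["last"]:
            s["last"] = e["ts"]
    return per_ip


def classify(summary, min_users=20, min_fail_ratio=0.8, burst_rate=0.5):
    """Label each source IP.  Thresholds are assumptions for the example:
    many distinct accounts plus a high failure ratio marks an attack; one try
    per account at a slow rate looks like spraying, anything faster (or with
    retries against the same accounts) is treated as stuffing."""
    verdicts = {}
    for ip, s in summary.items():
        users = len(s["users"])
        fail_ratio = s["fails"] / s["attempts"]
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["attempts"] / span          # attempts per second
        per_user = s["attempts"] / users     # retries per account
        if users >= min_users and fail_ratio >= min_fail_ratio:
            if per_user <= 1.5 and rate < burst_rate:
                verdicts[ip] = "password-spraying"
            else:
                verdicts[ip] = "credential-stuffing"
        else:
            verdicts[ip] = "benign"
    return verdicts


def triage(lines, **thresholds):
    events = [e for e in map(parse_line, lines) if e is not None]
    return classify(summarize(events), **thresholds)


def build_sample_log():
    """Constructed sample log (not real data) covering both patterns and a real user."""
    t0 = datetime(2021, 4, 15, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 203.0.113.7: 30 different accounts in 30 seconds, one leaked pair still valid.
    for i in range(30):
        res = "OK" if i == 17 else "FAIL"
        lines.append(f"{fmt(t0 + timedelta(seconds=i))} ip=203.0.113.7 user=user{i:02d} result={res}")
    # 198.51.100.9: 25 accounts, one try each, one per minute, under lockout thresholds.
    for i in range(25):
        lines.append(f"{fmt(t0 + timedelta(minutes=i))} ip=198.51.100.9 user=staff{i:02d} result=FAIL")
    # 192.0.2.5: a real user who mistypes once, then logs in normally.
    for i, res in enumerate(["FAIL", "OK", "OK"]):
        lines.append(f"{fmt(t0 + timedelta(hours=1, minutes=i))} ip=192.0.2.5 user=alice result={res}")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, verdict in triage(build_sample_log()).items():
        print(f"{ip:15} {verdict}")
```

The per-IP view is deliberately simple; a distributed spray from many source addresses only shows up when the same aggregation is run per target account or per ASN as well, which is the first extension a practitioner would make.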
Updates and comment on university data breaches.
Universities continue to sustain data breaches. ZDNet describes an incident at the Swinburne University of Technology that exposed the personal information of about 5,200 staff and 100 students; the data came from a compromised event registration site, and Australian authorities are investigating. In the US, the University of Colorado continues to deal with a breach that, according to KKTV, affected the records of about 310,000 people. CBS Denver says the University attributes the exposure to the third-party breach of Accellion's File Transfer Appliance (FTA). The University of California has likewise warned its staff, students, and alumni that their data may have been exposed in the Accellion breach, and SecurityWeek has an account of how that breach affected the University of California system.
Purandar Das, CEO and Co-Founder of Sotero, sent us comments on the growing risk of ransomware and data exposure to universities:
"The escalation of attacks on educational institutions is an interesting one. First off, these are not new or unique. They are a continuation of the attacks on organizations in general. There may be a couple of reasons behind the recent rise. One, they may be a result of some of the vulnerabilities in third-party software that has impacted many organizations across a range of industries. Second, this is the peak admission season for colleges and universities. This is when their systems are stressed and they are also coming into possession of new student information. Think of the millions of high school students and their parents that are becoming a part of this world along with their sensitive information ranging from Social Security numbers, credit card info, bank account information and financial assets. Makes for ripe pickings.
"Like other industries, there are always copycat attacks after the first one succeeds. Keep in mind, hacking is a well-organized industry that trades information and tools. Schools, like other organizations, use a huge network of vendors and partners to keep their institutions running. Their environments are extremely complex and sprawling by design and need. This leads to more opportunities for hackers and criminals to target. Also, the pandemic forced educational institutions to adapt and embrace new technology rapidly. Forced massive adoption of new technology and products leads to vulnerabilities. What educational institutions do very well is keep their educational and grading systems protected very well. They need to take the same learnings and extend that thought, design and budget to protecting their students' private information. The continued loss of information will eventually lead to one or both outcomes: loss of trust from students and their parents in an institution, or regulatory moves to ensure that institutions treat information with the respect that it deserves."