At a glance.
- Australian court finds that Google "partially misled" users about data collection.
- UK's ICO summarizes 2020 privacy actions.
- Impersonation scams rise at universities.
- Geico discloses data exposure incident.
Australian court rules that Google misled customers about data collection.
An Australian federal court has found that Google had “partially” misled users about collection of their data, the Guardian reports. The Australian Competition and Consumer Commission (ACCC) brought the issue to the court’s attention, stating that Google collected Android and Pixel phone users’ location data even when users expressly stated they did not want that data collected. Leaving the “Web & App Activity” setting in its default “on” position allowed Google to access the users’ location, even if users selected “no” when asked if they wanted to share their location history. Justice Thomas Thawley stated “Google’s conduct would not have misled all reasonable users in the classes identified; but Google’s conduct misled or was likely to mislead some reasonable users within the particular classes identified.” Chair of the ACCC Rod Sims was satisfied with the ruling, stating, “We think today’s result is a very clear message to the digital platforms that they have to be upfront with consumers about what is actually happening with [their] data, how it is being used, and how consumers can protect their data.” Google apparently disagrees, as a spokesperson stated that they will pursue an appeal.
ICO reports on 2020 data privacy penalties.
The UK Information Commissioner’s Office (ICO) has released a report on the fines it issued to organizations in 2020 for security incidents that violated the Privacy and Electronic Communications Regulations and the Data Protection Act, and CRN notes some of the highlights. A total of seventeen penalties, amounting to more than £42 million, were issued over the course of the year. The largest fine, £20 million, went to British Airways for a 2018 data breach that exposed half a million customers’ data. (The fine was originally set at a staggering £183 million, but was reduced due to the impact of the pandemic.) Marriott received the second largest penalty, £18.4 million, and Ticketmaster Ltd came in a distant third with a fine of £1.25 million. The marketing industry was the sector hit hardest, with a total of nine penalties issued.
University impersonation scams on the rise.
The Record by Recorded Future reports that students at the University of Maryland, Baltimore County have been targeted by a phishing scam that preyed on students’ hope of being hired by using a potential job as bait. The scammers began by sending targets a fraudulent job application from payroll solutions company Paylocity, requesting basic contact info and professional details. They then followed up with an email stating that the candidate had gotten the job and that the next step was to complete the hiring paperwork which required the target to disclose their private data. UMBC’s chief information security officer Mark Cather explained that attackers target universities because “it’s a smaller, more trusted network.” Indeed, in March the US Internal Revenue Service issued a warning to educational institutions of tax refund scams targeting individuals with ‘.edu’ email addresses. Other attacks impersonate academic department heads, complete with legitimate signatures and personal details, demonstrating the attackers are doing their homework when it comes to researching the targeted institution. Ransomware attacks against schools have also recently increased drastically, with thirteen attacks against schools this March compared to just five in March 2020.
Cybercriminals target Geico customers.
TechCrunch reports that Geico, the second largest automobile insurer in the US, has discovered that hackers have been stealing customers’ driver’s license information from their sales website. This type of data is often prized by cybercriminals seeking to file for fraudulent unemployment benefits, as license numbers are required as a form of identification by US benefits authorities. The company did not disclose how many individuals were impacted, but they did notify the California state attorney general’s office of the issue, as is required when a breach affects more than five hundred residents. Engadget adds that the data was exposed from January 21 to March 1 and that Geico has secured the website as they investigate the cause of the incident.
Geico's redacted disclosure statement says that only driver's license numbers were compromised, but we received a good bit of comment from the security industry suggesting this may be less than fully reassuring.
Mark Bower, senior vice president with comforte AG, wrote to point out that the insurance sector necessarily handles more sensitive information than most, with a correspondingly greater risk of fraud to its customers should an insurer suffer a breach:
“Insurance companies deal with more sensitive data than many other financial firms, including data acquired from quoting new prospects, handling multi-party claims, and deep risk analytics. Consequently, personal data is pervasive across the insurance supply chain, and at risk of compromise if not protected end-to-end, from agents through operational claims platforms and on to corporate risk analytic platforms, with modern data-centric approaches as used by leading insurance firms. Driver’s license data is particularly sensitive and its disclosure may result in fraudulent insurance or a line of credit, significantly impacting consumer trust for affected individuals. While it’s not clear yet how this data was leaked, the breach shows that even industry leaders can succumb to data compromise from gaps in data-security effectiveness leading to breach notification.”
Timothy Chiu, Vice President of Marketing, K2 Cyber Security, draws a lesson from the incident: organizations should check their application security. He wrote:
“This most recent data breach of personal information leaked by Geico is a good reminder to organizations to check for some of the most common application security issues in their public facing web applications. In this case, it appears a misconfiguration contributed to the issue, and misconfiguration of a site is one of the most common issues causing a vulnerability. The other two most common problems leading to web application compromise are unpatched software and vulnerabilities in application code. The best way to defend against attacks against existing and undetected vulnerabilities is to keep your software up to date, and deploy RASP (Runtime Application Self-Protection) technology to actively monitor the application during runtime.”
James Herbert, Solution Engineering Manager at OneLogin, sent a call for access management:
“Companies need to understand that access management is the fundamental control to help IT professionals achieve security, compliance and privacy requirements for their organization’s valuable data in the cloud. In order to protect against the vast quantities of stolen identity information readily available to threat actors, follow these practical tips: activate Multi-Factor Authentication (MFA) and apply contextual risk analysis to detect suspicious behavior to adequately verify a user before providing any sensitive information. Security and access by design remain the key to reducing today’s threat landscape.”
Saryu Nayyar, CEO of Gurucul, really doesn't care for the way the insurance company is handling the incident:
“This is infuriating. Geico is essentially skirting blame for this breach, and worse - making the victims take responsibility for protecting their driver's license number from being used to fraudulently apply for unemployment benefits. In the notice of breach letter Geico states, "fraudsters used information about you – which they acquired elsewhere..." What information exactly and from where? Geico either doesn't know or won't say. In response they are offering 1 year of free identity-theft protection, but that doesn't address the unemployment benefits fraud that they admit is the imminent threat. Geico customers must monitor state unemployment communications and contact the agency if they experience a problem. Do you know how hard it is to contact any US state unemployment agency during a pandemic? It's a nightmare and overwhelmingly time consuming. There are better ways to protect customers from fraud. Security analytics can detect and stop fraudsters before they drive off with your PII.”
Jon Clemenson, Director, Information Security at TokenEx, would riff on Spiderman's Uncle Ben: with big data comes big responsibility:
"If a business is collecting sensitive data from its customers, as in Geico's case a driver's license with names and birthdates etc., they are obligated to protect it. Any intrusion into Geico's systems will put its customers at risk. We recommend businesses implement a proactive and data-centric security approach to guard against exfiltration events like this for their customers. Maintaining a sound security posture includes integrating tools throughout the technology stack - businesses must consider solutions like tokenization, which anonymizes sensitive data to reduce risk and simplify compliance. While Geico works to determine exactly what led to this breach, we look at this news as a reminder to all businesses that it's simply not enough to protect credit card or transaction data. To safeguard your customers from identity theft or fraud, you must protect all sensitive data that you have collected."
And, finally, Rajiv Pimplaskar, Vice President at Veridium, sees the incident as an instance of the vulnerabilities that bedevil commercial websites:
"The customer data theft from Geico is a stark reminder of security bugs and vulnerabilities with typical websites. According to Verizon’s Data Breach Investigations Report, approximately 81% of data breaches occur due to poor passwords or compromised credentials. Traditional Two-factor Authentication (2FA) is also vulnerable to "man-in-the-middle" or MITM attacks. Companies can and should embrace passwordless methods like "phone as a token" or FIDO2 to improve security and reduce dependence on passwords. An added benefit is that such technologies are easier to use, which improves the overall user experience."