At a glance.
- Pizza chain sustains a data breach.
- Facial recognition and privacy.
- SonicWall addresses zero-days.
- Energy provider customer data compromised.
Extra credit card data, hold the anchovies.
Business Standard reports that data pertaining to 180 million Domino’s Pizza India orders, including one million credit card numbers, were stolen by threat actors and posted on the dark web. Alon Gal of cybercrime intelligence firm Hudson Rock tweeted that in addition to the credit card info, the thirteen terabytes of stolen data included customer phone numbers, emails, and street addresses, and was offered for sale for $550,000. Rajshekhar Rajaharia, the cybersecurity researcher who uncovered the MobiKwik data leak last month, says the same hacker claims to be in possession of the Domino’s data. A Domino’s spokesperson stated, “No data pertaining to financial information of any person was accessed and the incident has not resulted in any operational or business impact.”
Imperfect facial recognition tech could hinder more than help.
WIRED explores the controversial world of facial recognition software and its impact on anonymity. At one time, this technology was an elite tool only available to government agencies, but now it can be found in smart devices like phones and doorbells, and is used by law enforcement and even schools. In the US, this can be especially problematic because there is currently no federal legislation directing the use of face algorithms, and the software is far from infallible, especially when it comes to identifying faces of color. Just last week, the American Civil Liberties Union sued a Michigan police department for arresting the wrong suspect after their facial recognition software erroneously matched his face with that of a shoplifter. Local governments in almost twenty US cities have instituted laws limiting local government access to the technology, and the city of Portland, Oregon has even gone so far as to forbid the use of facial algorithms by private businesses. WIRED found that facial recognition has been a hot topic among congressional lobbyists, with a marked increase in filings over the past three years, but whether this will result in legislation on a national level remains to be seen.
SonicWall patches zero-day vulnerabilities.
Cybersecurity firm SonicWall announced that it has detected three zero-day vulnerabilities in its email security products and released patches for them. Its official statement discloses that there is evidence the vulnerabilities have already been exploited at least once by threat actors. All clients using outdated SonicWall Email Security hardware appliances, virtual appliances, or software installations on Microsoft Windows Server have been advised to upgrade to the appropriate patched versions.
James McQuiggan, security awareness advocate at KnowBe4, commented on SonicWall's now-patched vulnerabilities:
“It is essential to have repeatable and documented change management programs to update all organization systems and infrastructure. When it involves internet-facing devices, they must have the least amount of time vulnerable to attack, as those systems are always a target for cyber criminals.
“When patches and updates become available and organizations don't patch those susceptible, internet-facing systems, it creates a high-risk target. It provides cyber criminals an easy way to access the organization. It is like leaving a car unlocked at night in the middle of the street in a bad part of town. It is an easy target for someone to steal the vehicle or the contents inside.”
US energy provider discovers exposed customer data.
Bleeping Computer reports that the leading energy supplier in the New England region of the US inadvertently exposed personal customer data stored in an unprotected cloud server. During a security review last month, Eversource Energy found that a cloud storage folder containing the unencrypted data of 11,000 eastern Massachusetts customers was misconfigured, allowing public access to its contents. Customers have been notified that their names, street addresses, phone numbers, and social security numbers were among the compromised information. Though there is no evidence the data was accessed by a bad actor before the issue was detected and the folder secured, utilities providers like EDP Renewables North America, the Enel Group, and a water treatment facility in Oldsmar, Florida have recently been targeted by cybercriminals.