At a glance.
- Pennsylvania COVID-19 tracing data exposed.
- NHS vaccine passport and privacy.
- Billing data compromised at DigitalOcean.
- Cavemen untroubled by data exposure, but on the other hand they also ate mastodons...
- Reaction to the First Horizon breach disclosure.
Pennsylvania COVID-19 tracing data exposed by contractor.
The Pennsylvania Health Department disclosed that Insight Global, a Georgia-based company contracted by the department to conduct COVID-19 contact tracing, potentially exposed the private data of approximately 72,000 Pennsylvania residents, AP News reports. A spokesman for the health department stated that Insight Global “disregarded security protocols established in the contract and created unauthorized documents” that exposed private information including phone numbers and email addresses, genders and sexual orientations, and COVID-19 diagnoses and exposure status. The company confirmed that Insight Global employees established an insecure “unauthorized collaboration channel” using Google accounts to share the private data. Though the company says it was unaware of the security violations, former employees claim they warned supervisors of the improper data handling but that nothing was done. “All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this,” Insight Global said in an official statement. The company is notifying impacted individuals, and the health department says it plans to drop Insight Global when the contract ends in three months.
NHS’s vaccine passport raises privacy concerns.
UK Transport Secretary Grant Shapps announced that a vaccine passport function will be added to the National Health Service’s (NHS) existing app, Computer Weekly reports. Shapps stated, “I’m working internationally with partners across the world to make sure that that system can be internationally recognised,” and he will be chairing a G7 meeting next week covering transport policy. ProPrivacy digital privacy expert Attila Tomaschek warned that NHS could encounter some roadblocks regarding data handling and privacy: “Beyond the obvious privacy concerns surrounding the development of massive stores of personal health data, NHS numbers, passport numbers and individuals’ travel histories, there is also a major concern that the data collected by the vaccine passport scheme may be used beyond the scope and timeline of the pandemic by the government or even other third-party agencies.” He explained that misuse of the collected data, perhaps to create individual risk “scores” as the Chinese government has done, was not outside of the realm of possibility, and advised UK officials to tread carefully to ensure citizens’ data privacy rights are not violated.
DigitalOcean breach compromises billing data.
TechCrunch reports that US cloud infrastructure provider DigitalOcean suffered a data breach impacting customers’ online billing profiles. The company informed customers that an unauthorized individual “gained access to some of your billing account details through a flaw that has been fixed.” The exposed data included billing address, the last four digits of the payment card, its expiration date, and the name of the card-issuing bank, but not DigitalOcean account login credentials. Though the company has not confirmed exactly what flaw led to the exposure, it did state that under 1% of billing profiles were impacted.
We heard from Trevor Morgan, product manager with comforte AG, who commented on the measures available to protect organizations against breaches of this kind:
"The recently disclosed Digital Ocean breach brings to the front and center the issue of data privacy and an enterprise’s obligation to keep people’s personally identifiable information (PII) safe and secure. Privacy laws in many national jurisdictions mandate a minimum level of data protection, so for multi-national corporations breaches can have the double penalty of regulatory scrutiny (and potential associated fines) along with loss of customer trust. The good news is that data-centric security measures can protect organizations against breaches like this, by protecting the data itself through methods such as tokenization and format-preserving encryption. Tokenization replaces sensitive data with meaningless placeholders, meaning that even if the data falls into the wrong hands."
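To make the tokenization point concrete, here is an added example (written for this digest, not comforte's product or DigitalOcean's code) of a toy token vault for card numbers. The vault is the only component that holds the real PAN; the billing system stores a format-preserving token that keeps the card's length and last four digits, so a dump of the billing table reveals nothing a fraudster could charge. The vault class, the billing-record layout and the test card number are all constructed for illustration.

```python
import secrets


class TokenVault:
    """Toy tokenization vault (constructed for this example).

    Only the vault holds the mapping token -> real card number (PAN). Every
    other system stores the token, which keeps the PAN's length and last four
    digits so billing screens and support workflows keep working.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        # Same PAN always maps to the same token (needed for recurring billing).
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits for everything except the last four; retry on the
            # (astronomically unlikely) collision with the PAN or an existing token.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only a tightly controlled payment service should ever call this.
        return self._token_to_pan[token]


def build_billing_profile(vault: TokenVault, name: str, pan: str, expiry: str, bank: str) -> dict:
    """Billing-profile row as a downstream system would store it: token, never the PAN."""
    token = vault.tokenize(pan)
    return {
        "name": name,
        "card_token": token,
        "last4": token[-4:],  # display value comes from the token, no vault call needed
        "expiry": expiry,
        "issuing_bank": bank,
    }


def leaked_record_contains_pan(record: dict, pan: str) -> bool:
    """Simulate a dump of the billing table: does any field reveal the full PAN?"""
    return any(str(value) == pan for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed test card number
    profile = build_billing_profile(vault, "A. Customer", test_pan, "12/25", "Example Bank")
    print(profile)
    print("PAN visible in leaked row:", leaked_record_contains_pan(profile, test_pan))
```

The design choice worth noting is that the last four digits are preserved on purpose: that is the field the DigitalOcean notification lists as exposed, and with tokenization that is the most an attacker holding the billing table could learn. Format-preserving encryption achieves the same shape without a vault lookup table, at the cost of having to protect a key instead.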
Cut carbs, not privacy protocols.
Researchers at vpnMentor disclosed that they identified a data breach impacting the website of Paleohacks, a health and lifestyle brand revolving around the paleo diet trend. The company neglected to properly secure an Amazon Web Services storage bucket containing the private data of more than 70,000 users. The exposed data included hashed passwords, IP addresses, and dates of birth, and some records even contained password reset tokens, which an attacker could use to change the account password and lock the rightful account owner out of their profile.
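The reset-token exposure above is a storage problem as much as an access-control one: a reset token written to disk in the clear is a password substitute for as long as it stays valid. The following added example (written for this digest, not Paleohacks' code) contrasts the pattern the article describes, the raw token stored beside the account, with a store that keeps only a hash of the token, bounds its lifetime and consumes it on first use. Class names, the 15-minute lifetime and the fake clock are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


class NaiveResetTokenStore:
    """The risky pattern: the raw token is persisted, so a leaked row is a working reset link."""

    def __init__(self):
        self._rows = {}  # user_id -> raw token

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._rows[user_id] = token
        return token

    def redeem(self, user_id: str, presented: str) -> bool:
        return self._rows.get(user_id) == presented

    def dump(self) -> dict:
        """What an exposed storage bucket would reveal."""
        return dict(self._rows)


class HashedResetTokenStore:
    """Hardened pattern: store only a hash, enforce expiry, and allow a single use."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # user_id -> {"token_hash": ..., "expires_at": ...}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # high-entropy, so an unsalted hash is fine
        self._rows[user_id] = {
            "token_hash": self._digest(token),
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
        }
        return token  # goes to the user's mailbox only; never written to storage

    def redeem(self, user_id: str, presented: str) -> bool:
        row = self._rows.get(user_id)
        if row is None:
            return False
        if self._clock() > row["expires_at"]:
            del self._rows[user_id]  # stale token, discard it
            return False
        ok = hmac.compare_digest(row["token_hash"], self._digest(presented))
        if ok:
            del self._rows[user_id]  # single use: a replayed token fails
        return ok

    def dump(self) -> dict:
        """What an exposed storage bucket would reveal: hashes and timestamps only."""
        return {user: dict(row) for user, row in self._rows.items()}


def leaked_value_resets_account(store, user_id: str) -> bool:
    """Take whatever the store persisted for this user and try to use it as the token."""
    leaked = store.dump().get(user_id)
    if leaked is None:
        return False
    candidate = leaked if isinstance(leaked, str) else leaked["token_hash"]
    return store.redeem(user_id, candidate)


if __name__ == "__main__":
    naive, hardened = NaiveResetTokenStore(), HashedResetTokenStore()
    naive.issue("alice")
    hardened.issue("alice")
    print("naive store leak usable:", leaked_value_resets_account(naive, "alice"))
    print("hashed store leak usable:", leaked_value_resets_account(hardened, "alice"))
```

Hashing without a per-token salt is acceptable here only because the token itself carries 256 bits of randomness, which is the same reasoning that makes session identifiers safe to store hashed. The user-facing password hashes in the same breach are a different case and need a slow, salted algorithm precisely because passwords are low-entropy.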
Reaction to the First Horizon Bank breach.
The data breach First Horizon Bank disclosed to the US Securities and Exchange Commission has drawn some comment from the security industry. We heard from Rajiv Pimplaskar, CRO of Veridium, who sees the breach as an instance of the risk the financial services sector faces from its dependence upon traditional credentials:
“The First Horizon data breach is a stark reminder of the imminent dangers within the financial services industry due to the reliance on usernames and passwords. According to the Verizon Data Breach Investigations Report (DBIR), over 80% of data breaches occur due to credential theft resulting from passwords. Passwords are often weak or reused and can be easily stolen, guessed or brute-forced.
“Traditional Two Factor Authentication (2FA) using a One Time Password (OTP), which is typically a 6-digit PIN sent over SMS, is also susceptible to a Man In The Middle (MITM) attack. The National Institute of Science and Technology (NIST) confirms this and indicates that while OTP over SMS is better than just the password alone, it is still not good enough. A more modern approach is to leverage passwordless authentication methods such as “Phone as a Token” and/or FIDO2 security keys.
“The authentication method as well as the user journey can be intelligently adapted based on the situational risk based on the nature of the transaction, geolocation, and user behavior. Both methods are more secure and ensure a tighter trusted relationship between the registered user and their authentication credentials, reducing the possibility of credential theft and mitigating against potential data breaches. Such technologies can be deployed for both consumers as well as internal employees and also offer much less friction for the end user, improving their experience and productivity in the process.”