At a glance.
- Report: data exposure at the Philippines' Office of the Solicitor General.
- Netherlands government halts COVID-19 tracking app over privacy concerns.
- Further consequences of the Accellion breach.
Accidental data exposure at Phillipine Office of the Solicitor General.
The Rest of the World reports that UK security company TurgenSec discovered 345,000 documents related to current legal cases from the Office of the Solicitor General (OSG) of the Philippines exposed online in a misconfigured storage server. The OSG is responsible for representing the government in any litigation that goes before the Philippine Supreme Court or Court of Appeals, meaning the exposed records contained highly sensitive legal information. TurgenSec explained the exposure "is of particular concern as it may have the potential to disrupt [or] undermine ongoing judicial proceedings." Indeed, the security firm found that the names of documents mentioned words like “rape,” “trafficking,” “execution,” and even “Duterte,” referring to the Philippine President. Philstar.com reports that on Sunday, Justice Secretary Menardo Guevarra confirmed that the OSG is investigating the breach, stating that the office “is now looking into the matter and the DOJ will be ready to assist, if necessary." A third-party informant notified TurgenSec of the exposed data in February, and though the company received no response when it attempted to notify the OSG, the files were removed as of April 28. This is not the first time the Solicitor General has experienced cybersecurity issues. In 2016, an election attack exposed the data of 55 million voters, and this past December the OSG website was hacked by threat actors who opposed the OSG’s decision to revoke news station ABS-CBN’s broadcasting license. A TurgenSec spokesperson stated, “I wouldn’t be surprised if [the people responsible for defacing the Solicitor General’s website] hacked it using information from this data breach, which seems to have been public for quite a while.”
Dutch government shuts down COVID-19 app amid privacy concerns.
Dutch Health Minister Hugo de Jonge announced late Wednesday that the ministry would disable its coronavirus warning app, CoronaMelder, for forty-eight hours in order to investigate data privacy concerns for Android users. Security Week explains that the app uses “exposure notification” technology developed by Google and Apple, creating randomized codes that are exchanged by phones when the users are close enough for long enough to be potentially exposed to the virus. The worry is that other apps on Android devices could also potentially access the covid tracker’s data, and the ministry temporarily shut down the app in order to verify that the leak has been remedied. Though there is no evidence that there has been any unauthorized access to the data, Google said it has been “rolling out a fix for an issue where random Bluetooth identifiers used by the Exposure Notification framework on Android were temporarily accessible to a limited number of pre-installed applications,” and it expects the fix “to be available to all Android users in the coming days.” De Jonge stated, “The privacy of users is always a priority. While Google must solve the problem, I can limit the consequences. That’s why we’re taking this decision.” As most EU nations also use contact tracing apps with the same technology, the European Commission is notifying other members of the EU of the security flaw.
The ramifications of the Accellion breach.
The Wall Street Journal explores the far-reaching consequences of last December’s breach of cloud service provider Accellion. Threat actors infiltrated the company’s file transfer application, and as Accellion boasts hundreds of clients across various sectors, the domino effect is still being felt, even by those not directly connected to Accellion. For instance, US grocery leader Kroger reported in February that attackers gained access to almost 1.5 million customers’ data as a result of the breach. Then in March, Western Union discovered that the data of over 15,000 of its customers who transferred money at Kroger stores had also been compromised. Some victims found themselves facing hefty ransom demands from threat actors, like the ones who requested $17 million for the safe return of data stolen from the University of Colorado, and countless individual customers of impacted businesses were faced with the possibility of identity theft. The breach sheds light on the complicated issue of cyber provisions in contracts between vendors and their clients, and the difficult task of weighing the security risks of these partnerships.