At a glance.
- "Alexa, please protect my data."
- University tests parents’ patience after ransomware attack.
- Data exposure at WestJet.
"Alexa, please protect my data."
It’s no secret that smart home devices like thermostats, security cameras, and lighting systems have access to a treasure trove of users’ private data. In an effort to find out exactly how much data these gadgets are collecting, TechShielder analyzed the terms and conditions of ten of the most popular smart home products based on customer reviews. According to their findings, the most invasive device is Amazon Echo Dot (affectionately known as Alexa), followed by Chromecast with Google TV, Samsung’s SmartThingsHub, the Nest Protect smoke and CO alarm, and Ring Indoor Cam. They found that in addition to the basic identifying information (name, address, email, and so on) that’s necessary to verify a user, 90% of the devices analyzed also collect financial payment data. 70% record users’ voices by default, while 50% have access to photos and videos, and 40% store live video footage of users’ homes. In addition, 70% collect data on users’ purchasing habits and 50% save browsing histories. All of this paints a vivid picture of a user’s identity and behaviors that, in the wrong hands, could leave them at risk of identity theft. To reduce vulnerability, VPN expert Lasse Walstad recommends using a strong Wi-Fi password, regularly updating the device and the home’s router, enabling Wi-Fi Protected Access 2, and installing a VPN that conceals the device’s IP address and encrypts user data.
University tests parents’ patience after ransomware attack.
Whitworth University, a private college located in the US state of Washington, suffered a ransomware attack that has left its network in disarray for the past month. School officials say they first detected the attack on July 29 and that an investigation is ongoing, but it wasn’t until Wednesday that they issued a letter to the school community notifying them about the incident. “This process does take time,” the letter reads. “Please know that your security and the protection of your personal information is of the utmost importance to us.” At this point it’s still unclear exactly what data might have been accessed by the intruders, but officials have pledged to notify any impacted individuals as soon as possible. They added they hope to have university systems operating at 95% capacity by August 31. Officials have neglected to comment on claims that the LockBit ransomware group – the same cybercrime outfit that carried out last year’s massive attack on IT firm Accenture – is behind the attack. With students returning from summer break in mere weeks, parents have expressed their frustration at the lack of information regarding the breach. Roy Berg, father of a Whitworth student, told the Spokesman.com that he has been attempting to reach the school via phone to no avail, and that the university website is down. Berg stated, “All of my kid’s financial information, his Social Security number, his federal loan information – was that all hacked? We don’t know.”
Data exposure at WestJet.
Canadian airline WestJet has reported a data security incident with its app in which customers were able to see others’ personal information. The Toronto Star reports, “App users took to Twitter to express their concern with the situation, claiming that when they logged in to the WestJet app, they were able to see personal details and account information associated with complete strangers.” It’s unclear how the data came to be exposed. WestJet has expressed regrets, says it’s working on the problem, and is notifying affected customers.
Erfan Shadabi, cybersecurity expert with comforte AG, observed that the travel industry collects a lot of information on its customers that goes far beyond the payment details one normally thinks of:
“The reported data security incident involving WestJet Airlines underscores just how much personal data outside of payment information that the travel industry collects from their customers. Airline apps are hugely popular, and members provide quite a bit of personal data about who they are and what their personal preferences happen to be in order to check in faster, log and store their travel details, and collect valuable loyalty points. This incident calls into question just how secure all that personal and potentially sensitive data really is.
“A business in any industry which offers up a customer app needs to take data privacy and security very seriously. The first thought is to ensure that any housed data is walled off and secure. But what happens if a breach occurs (even one involving a third-party partner) and that data falls into the wrong hands? Only data-centric security methods can protect against that type of situation. Data-centric security protects the data itself instead of the “walls” around it using technologies such as tokenization or format-preserving encryption. If companies adopt a data-centric strategy, then they won’t have to worry about their customers’ private information no matter where it travels. Unfortunately, this doesn’t seem to be the case in this incident. That doesn’t mean other businesses can’t learn from the situation.”