At a glance.
- Of pottery and privacy.
- Plex data breach exposes video streamer data.
- Block faces lawsuit for Cash App breach.
- $1.2 million settlement under California Consumer Privacy Act.
- Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations.
Of pottery and privacy.
The Government Legal Department (GLD) in the UK has disclosed that documents containing private data were accidentally published on GOV.UK. PublicTechnology.net explains that a document detailing extravagant department credit card expenditures (including an expensive employee pottery-making excursion) was intentionally posted on the site for public viewing, but the names of civil servants, which data protection law requires be withheld, were inadvertently left in the document. Shadow attorney general Emily Thornberry told the Sun: “I don’t know what’s worse, the attorney-general breaching her own data-protection rules by mistake or her civil servants spending their working days painting pottery. Either way, it’s yet more evidence of a zombie government, lurching aimlessly from one calamity to the next.” GLD says it is “investigating this regrettable incident under data-protection rules and reviewing the process which resulted in the names of some staff members being released accidentally on a public website.”
Plex data breach exposes video streamer data.
Plex, one of the largest media server apps on the web, has notified customers of a data breach that may have exposed user account information including usernames, email addresses, and passwords to an unnamed third party. The Verge notes that although account passwords were hashed, the streaming media platform is still advising users to reset their passwords just in case. With approximately 20 million customers, Plex allows users to stream self-uploaded videos, audio, and photos, and a paid subscriber service gives customers access to premium content. The investigation has not yet yielded any evidence the intruder accessed users’ private media libraries or financial information. “We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions,” Plex’s notification reads.
Block faces lawsuit for Cash App breach.
Block, Inc., owner of payment platforms Cash App and Square, has been hit with a class action lawsuit tied to the 2021 data breach of Cash App Investing that resulted in the theft of the data of 8.2 million users. Forbes explains that the breach was carried out by a former employee who retained access to Cash App data even after leaving the company, and the plaintiffs allege that the theft was the result of inadequate security measures. “Defendants [Block] disregarded the rights of Plaintiffs and Class members by intentionally, willfully, recklessly, and/or negligently failing to take and implement adequate and reasonable administrative and data security measures to ensure that Plaintiffs’ and Classmembers’ PII was safeguarded from access by former employees,” the suit alleges. The compromised data included users’ full names, brokerage account numbers, stock activity, and for some users, brokerage portfolio value, holdings, and trading activity. According to the plaintiffs, two Cash App Investing customers, the impacted users were subjected to “a wide range of fraudulent activities” on their Cash App accounts as a result of the breach. One of the plaintiffs claims he endured unauthorized transactions in his Cash App account totaling nearly $400 that he was never able to recoup. However, the suit lacks evidence that directly connects those thefts to the 2021 breach. Block has not yet responded to a request for comment about the suit. As Gizmodo notes, Block’s founder is Jack Dorsey, previous owner of Twitter, which is currently facing scrutiny after a whistleblower released a report about the social media giant’s own alleged negligence with regard to user data security.
Sephora agrees to $1.2 million settlement under California data protection law.
The Wall Street Journal reports that cosmetics firm Sephora has agreed to a $1.2 million settlement in the first enforcement case to be brought under the California Consumer Privacy Act. Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, sees this as a warning sign for businesses:
“Whilst being good news for consumers, this is an alarming trend for businesses. Contrasted to the EU, in the United States, there is still no nationwide and overarching privacy legislation on the federal level, pushing individual states to legislate on the matter and fill the gap. If the trend persists, in a decade, we will have 50 heterogeneous privacy and data protection regimes, making business in the US impossible both for domestic and foreign companies. Although most state privacy laws in the US are comparatively more permissive than GDPR, some states have enacted harsher laws, narrowly focused on specific areas of data protection, for instance, the BIPA in Illinois safeguards the biometric data of residents and is famous for costing $650M to Facebook in settlement for alleged violations. Contrariwise, in other states, there is no privacy legislation whatsoever, leaving consumers without any protection. Such polarized and incongruent enforcement from one state to another undermines the predictability and certainty of the legal landscape. That being said, federal legislation that would finally harmonize the American data protection regime is urgently needed.”
Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations.
Group-IB reports that phishing attacks against employees of Twilio and Cloudflare that impersonated Okta's Identity and Access Management services formed part of a campaign that compromised 9931 accounts in more than 130 organizations. Most of the victims were in the United States and were Okta users. "The initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations," Group-IB explained. "With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to." The attacker showed a mixture of sophistication and inexperience, making extensive use of simple, commodity tools in a convincing way, but with static pages and a phishing kit ill-configured for mobile devices.
The campaign appears to have been designed for supply chain attacks, with three notable successes:
- "Marketing firm Klaviyo was breached and personal information connected to cryptocurrency-related accounts, reportedly including names, addresses, emails, and phone numbers, was stolen. This information could be used in order to steal cryptocurrency."
- "Email platform Mailchimp was breached to gain access to data from crypto-related companies and disrupt operations. Mailchimp was used by technology firm DigitalOcean to send confirmation emails, password resets, and email-based alerts. By initiating and redirecting password resets, the customers of DigitalOcean could have been compromised."
- "Phone number verification provider Twilio was breached, which allowed the attacker to attempt to re-register Signal accounts to new mobile devices."
The researchers developed some information on the threat actor behind what appears to be a criminally motivated operation. "Subject X," as Group-IB calls him, is thought to be a 22-year-old software developer working from the US state of North Carolina. Group-IB has shared what it knows with law enforcement.
Lior Yaari, CEO and co-founder of Grip Security, commented on the implications of the incident for identity and access management:
“The attack demonstrates how fragile identity and access management is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attacks. The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta, because the extent and cause of the breach are still unknown. Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords. Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for Shadow SaaS.”