At a glance.
- Is it ever wise to sign in with Facebook or Google?
- FTC hits Drizly CEO with cybersecurity sanctions.
- More on the Medibank breach.
Is it ever wise to sign in with Facebook or Google?
Many apps and websites give users the option of signing in with Google or Facebook as a way to expedite the login process. On the surface it might seem like an easy sign-in shortcut, or a way to grant access to content you’ve already saved elsewhere, but are there hidden risks involved? As the Washington Post discusses, by agreeing to sign in through another site, users could be unwittingly giving Big Tech access to their personal information. What’s more, scammers often use this one-click sign-in as an easy way to break into their victims’ Google or Facebook accounts.
Just this month Facebook warned a million Facebook users that criminals had planted fake log-in buttons in four hundred malicious apps in an effort to trick users into sharing their Facebook login credentials. And a Washington Post reader says that when attempting to share their resume on a job portal called iCIMS, they unknowingly handed over access to their entire collection of Google Drive files. iCIMS, for its part, says it’s not using this access to look at users’ files, claiming that allowing full access to Drive was the only way to share files. Google says there are ways platforms and users can tailor access to just what is necessary, but it’s clear most users and websites aren’t taking the time to wade through the fine print. Sure, sometimes it’s advantageous to allow a platform access to your Google or Facebook data, but it can be hard to determine when, exactly, that is. Jen Caltrider, who leads the Privacy Not Included project at nonprofit Mozilla, asks, “How do you know when it is legit and when it is not? I am a privacy researcher and sometimes I’m not 100 percent sure.”
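The iCIMS anecdote above comes down to which OAuth scopes a "Sign in with Google" link requests. The following is an added example (not code from the Washington Post, Google or iCIMS) that parses the `scope` parameter of a Google OAuth 2.0 authorization URL and flags scopes granting access to every Drive file, suggesting the per-file `drive.file` scope instead; the sample URL and client id are constructed for illustration.

```python
"""Audit the scopes a Google sign-in link asks for before clicking it."""
from urllib.parse import urlparse, parse_qs

# Real Google scope names that hand over access to all of a user's Drive content.
# A resume-upload flow like the one described in the article needs neither.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full read/write access to every Drive file",
    "https://www.googleapis.com/auth/drive.readonly": "read access to every Drive file",
}
# Narrower real scope: only files the user opens or creates through the app.
PER_FILE_SCOPE = "https://www.googleapis.com/auth/drive.file"


def audit_consent_url(url: str) -> dict:
    """Return the requested scopes, the over-broad ones, and a suggested substitute."""
    query = parse_qs(urlparse(url).query)
    # Google's flow carries all scopes in one space-separated `scope` parameter;
    # parse_qs already URL-decodes the %20 and %3A%2F%2F sequences for us.
    scopes = query.get("scope", [""])[0].split()
    broad = {s: BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES}
    return {
        "scopes": scopes,
        "broad": broad,
        "suggest": PER_FILE_SCOPE if broad else None,
    }


# Constructed sample: a consent link asking for basic identity plus full Drive access
# (a hypothetical client id and callback; not a real application).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)

if __name__ == "__main__":
    report = audit_consent_url(SAMPLE_URL)
    for scope, why in report["broad"].items():
        print(f"over-broad: {scope} ({why}); consider {report['suggest']}")
```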
FTC hits Drizly CEO with cybersecurity sanctions.
Following allegations that alcohol delivery company Drizly’s weak cybersecurity practices led to the compromise of the personal data of 2.5 million customers, the Federal Trade Commission has decided to bring individual sanctions against Drizly CEO James Cory Rellas. As the Washington Post explains, unlike sanctions directed only at the company itself, these penalties will follow Rellas throughout his career, requiring him to establish a security program at any company of more than 25,000 people he might head in the future. As well, the FTC is requiring Rellas and Drizly to destroy unnecessary data, implement new data controls, and implement employee cybersecurity training. The decision signals the FTC’s commitment to being tougher when it comes to overseeing the tech industry, and is no doubt buoyed by the Democratic party’s push to punish individual company leaders for cybersecurity failings. FTC chair Lina Khan and Commissioner Alvaro M. Bedoya said in a joint statement, “Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”
More on the Medibank breach.
We’ve been following the ongoing investigation of the recent Medibank data breach, in which a hacker claimed to have stolen 200GB of customer data from the Australian insurance provider, releasing the data of one hundred customers as evidence. An anonymous source close to the company has revealed that the attack was the result of a cybercriminal gaining access to the credentials of a Medibank employee with high-level system access. The Guardian reports that the credentials were then sold on a Russian-language hacker forum to another group of threat actors, who then infiltrated Medibank’s network. Fergus Hanson, director of the Australian Strategic Policy Institute’s International Cyber Policy Centre, explains, “That’s how these hackers could basically write some software to script out the data.” It’s still unclear when, exactly, the credentials were stolen, and whether multi-factor authentication was compromised or bypassed.
Meanwhile, today Medibank discovered the policy records of another thousand customers had been stolen, and the company says it expects the number of customers impacted by the breach to increase. As CRN Australia explains, the hackers sent the company the one thousand records, which include personal and health claims data as well as some Medibank and international student customer data. "Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen…As we continue to investigate the scale of this cybercrime, we expect the number of affected customers to grow as this unfolds," the company said in a statement.
Medibank CEO David Koczkar has apologized for the incident and promised full transparency, and Insurance Business asks whether the company’s cybersecurity providers and insurer should do the same. According to Garrett O’Hara, Sydney-based APAC Field CTO for cloud cybersecurity services firm Mimecast, the answer is no. “The logic is that if attackers know there is cyber insurance and who that cyber insurance provider is then the attacker will know if the attacked company is going to be advised to pay,” said O’Hara. The hackers could use such information to look into the insurer’s history of payment in order to better negotiate a ransom deal. O’Hara added, “That said, it can be useful to keep some structural and investigation details under wraps to potentially avoid further problems in the future, including a secondary cyberattack.”