At a glance.
- Your fantasy football draft just got riskier.
- Yet another reason to lock the bathroom door.
- New Zealand insurance provider suffers third-party data breach.
- Notes on Play ransomware.
Your fantasy football draft just got riskier.
Last week, fantasy sports platform and sports betting company DraftKings disclosed that a November credential stuffing attack compromised the personal data of nearly 68,000 customers. According to DraftKings, the account credentials used to carry out the attack were acquired from a source outside of the company. The compromised data includes names, addresses, phone numbers, email addresses, profile photos, financial information including the last four digits of the payment card, information about prior transactions, and account balance. The company has refunded $300,000 of funds fraudulently withdrawn as a result of the attack. Though DraftKings has not confirmed how the funds were stolen, Bleeping Computer reports that a threat actor was selling pilfered account credentials on an online marketplace for $10 to $35, along with instructions on how to drain the breached users’ account balances. Once DraftKings discovered the attack, they locked the impacted accounts and reset all user passwords.
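The response DraftKings describes (lock the affected accounts, reset passwords) presupposes that the credential stuffing is noticed in the first place. The following is an added illustration, not DraftKings' code or anything from the original report: a small detector run over constructed authentication log lines (the `ip=... user=... result=...` format, the addresses and the usernames are all assumptions made for the example). It flags source addresses that try many distinct accounts with a high failure rate, the classic stuffing signature, and then lists the accounts that saw a successful login from a flagged source, which are the ones to lock and reset.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines for the example (not real DraftKings data).
# Addresses come from the documentation/TEST-NET ranges.
SAMPLE_LOG = """\
2022-11-18T02:14:07Z ip=203.0.113.10 user=alice result=FAIL
2022-11-18T02:14:08Z ip=203.0.113.10 user=bob result=OK
2022-11-18T02:14:09Z ip=203.0.113.10 user=carol result=FAIL
2022-11-18T02:14:09Z ip=203.0.113.10 user=dave result=FAIL
2022-11-18T02:14:10Z ip=203.0.113.10 user=erin result=FAIL
2022-11-18T02:14:11Z ip=203.0.113.10 user=frank result=FAIL
2022-11-18T08:01:22Z ip=198.51.100.7 user=alice result=FAIL
2022-11-18T08:01:40Z ip=198.51.100.7 user=alice result=FAIL
2022-11-18T08:02:03Z ip=198.51.100.7 user=alice result=OK
2022-11-18T09:30:00Z ip=192.0.2.5 user=carol result=OK
"""

# Assumed log format: timestamp, source IP, username, and OK/FAIL outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def detect_stuffing_sources(events, min_accounts=5, min_failure_rate=0.5):
    """Flag source IPs that hit many distinct accounts and mostly fail.

    A user mistyping their own password touches one account; a stuffing
    run touches many accounts and succeeds only where a leaked credential
    is still valid. Thresholds are tunable assumptions for this example.
    """
    users_by_ip = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for event in events:
        ip = event["ip"]
        users_by_ip[ip].add(event["user"])
        attempts[ip] += 1
        if event["result"] == "FAIL":
            failures[ip] += 1

    flagged = {}
    for ip, total in attempts.items():
        rate = failures[ip] / total
        if len(users_by_ip[ip]) >= min_accounts and rate >= min_failure_rate:
            flagged[ip] = {"accounts": len(users_by_ip[ip]), "failure_rate": round(rate, 2)}
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts with a successful login from a flagged source: lock and reset these."""
    return sorted(
        {e["user"] for e in events if e["ip"] in flagged_ips and e["result"] == "OK"}
    )


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    suspicious = detect_stuffing_sources(parsed)
    print("flagged sources:", suspicious)
    print("accounts to lock and reset:", accounts_to_reset(parsed, suspicious))
```

The per-IP thresholds catch a single noisy source, which is what the sample shows; a distributed run spread across many addresses at a few attempts each will slip under `min_accounts`, so in practice the same counting is also done per account (many failures from many sources against one user) and per time window, and a successful login on an account with no prior history from that source is treated as a step-up or lock trigger rather than a clean login.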
Gal Helemski, co-founder & CTO/CPO of PlainID, suggests a zero-trust approach as essential to defending against threats of this kind:
"In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.
"Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented on purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network."
Yet another reason to lock the bathroom door.
Or at least close it. Technology Review recounts the cautionary tale of how photos of unsuspecting robot vacuum owners ended up on an online forum. It turns out the pics were taken by development versions of iRobot’s Roomba J7 series vacuum, and were then sent to Scale AI, a company that uses audio, photo, and video data to train artificial intelligence. Scale AI depends on contract workers to label the data they collect, which is how the images in question – which include a shot of a vacuum peering up at its owner as she uses the toilet – ended up in a Venezuelan gig worker social media chat room. It’s actually not unusual for internet-connected devices to capture such images and send them to the cloud; the issue here is that the photos were not adequately secured.
iRobot says all of the pics came from “special development robots with hardware and software modifications that are not and never were present on iRobot consumer products for purchase,” but were given to “paid collectors and employees” who signed written agreements allowing the data to be sent back to the company and used for training purposes. While robot vacuums might seem harmless, the characteristics that make them so useful – their advanced cameras, artificial intelligence, and ability to roam around a home unattended – are also what make them particularly invasive. As well, the data they collect is extremely valuable to manufacturers, as it’s used to develop and train ever-smarter suckers, as well as robots of other kinds.
Justin Brookman, director of tech policy at Consumer Reports and former policy director of the Federal Trade Commission’s Office of Technology Research and Investigation, explains, “It’s not expected that human beings are going to be reviewing the raw footage.” Jessica Vitak, an information scientist and professor at the University of Maryland’s communication department and its College of Information Studies, adds, “It’s much easier for me to accept a cute little vacuum, you know, moving around my space [than] somebody walking around my house with a camera.”
New Zealand insurance provider suffers third-party data breach.
MAS Insurance, New Zealand’s largest insurance provider for medical professionals, is recovering from a cyberattack on its after-hours call service. MAS disclosed last week that the company’s third-party supplier of after-hours call-center services “notified us of a breach of their systems through a cyber-attack.” MAS chief executive Martin Stokes warned, “If you have ever used this after-hours service, it is possible they hold some personal data of yours.” MAS has suspended use of the third party’s services, but is working with them to investigate and resolve the situation. While MAS insures over 80% of Kiwi medical professionals, it also provides car, house, and life insurance for non-medical professionals. As the NZ Herald notes, the incident is the latest in a wave of personal data breaches impacting New Zealand health-related insurers and government organizations. Other recent victims include insurance provider Accuro, which revealed earlier this month that customer data was also compromised by a third-party data breach, and Health NZ/Te Whatu Ora, which suffered a cyberattack that blocked access to approximately 14,000 files relating to cardiac, inherited disease, and bereavement care.
Play ransomware: an emerging threat to personal data.
H-Hotels, a hospitality firm in Germany, has disclosed that its systems have been disrupted by a cyberattack. H-Hotels in its disclosure states that as far as it can determine, no customer data have been compromised.
The operators of Play ransomware have claimed responsibility for the incident, and in other attacks they have apparently been able to obtain personal data, even though customer data seem not to have been stolen in the H-Hotels incident. Nick Tausek, Lead Security Automation Architect at Swimlane, commented on Play's track record:
"Even though the Play ransomware gang is a relatively new group, it has solidified its reputation as a significant threat, claiming responsibility for devastating attacks against Argentina’s Judiciary of Córdoba in August and Belgium’s city of Antwerp several weeks ago. Now, it has claimed responsibility for attacks against a major European hotel chain, H-Hotels, that have caused communications outages at the height of the travel and holiday season. More significantly, the gang has claimed to have stolen the personal data of hotel customers, potentially exposing victims to further fraud and scams.
"While Play had previously focused on attacking local governments that have limited cybersecurity infrastructure in place, it is important to note that the group was able to infiltrate an extensive protection network, signifying that Play has developed capabilities to launch more professional attacks.
"To mitigate the chances of similar attacks in the future, it is imperative that organizations adopt low-code security automation to help detect and respond to threats in real-time by allowing complete visibility into IT environments. Endpoint security tools that integrate low-code security automation give organizations a cohesive protection strategy that protects customers and employees as well as keeps essential communications systems up and running."