At a glance.
- USPSIS found using social media for surveillance.
- German identity thieves pose as Europol.
- Report shows abuses of education tech software.
- Data breach at Sephora.
USPSIS found using social media for surveillance.
An investigation conducted by the United States Postal Service's Office of Inspector General (USPS OIG) has determined that the United States Postal Inspection Service (USPSIS) was “not legally authorized” to use social media searches to identify users who might be connected with protest movements. USPSIS, the country’s oldest police agency, is the law enforcement arm of the post office, and as such is only authorized to investigate cases with some connection to postal services. Vice reports that last year, a Yahoo investigation revealed that USPSIS’s Internet Covert Operations Program (iCOP) was searching social media for terms like “protest,” “attack,” and “destroy,” and was using the controversial facial recognition system Clearview AI, in an effort to conduct surveillance of users affiliated with protests. The subsequent USPS OIG probe determined that iCOP’s searches “did not include any terms related to the mail, postal crimes, or security of postal facilities or personnel.” Although USPSIS has made several changes to iCOP (now called the Analytics Team) since Yahoo’s report, the service still lacks the oversight needed to prevent similar abuses in the future.
German identity thieves pose as Europol.
Avast reports that the German Federal Criminal Police Office (BKA) is warning of a scam in which fraudsters pose as Europol or as alleged international investigation teams and tell victims that their identities have been stolen. The fraudulent calls, which appear to come from a legitimate Europol or police phone number, start with an automated greeting telling targets to press 1 to speak to a Europol employee. They are then connected to a person who requests the victim’s first and last name, street address, identification card number, and in some cases, bank account information. “The way the lady spoke on the phone was believable and serious,” one victim stated. The BKA is urging the public not to give out any personal data over the phone and to remember that Europol has no power to penalize anyone for refusing to hand over such information.
Report shows abuses of education tech software.
A report requested last year by a group of US Senators has found that educational technology companies Gaggle.net, Bark Technologies, GoGuardian, and Securly Inc. misused surveillance technology and artificial intelligence in monitoring student activity. The report shows that the tech resulted in disciplinary action and involvement with law enforcement, and the institutions and parents involved were not properly informed about data being collected by the software. Making matters worse, Nextgov.com adds, some of the companies did not effectively understand how the monitoring tech disproportionately targets students from marginalized communities. “Absent federal action, these surveillance products may continue to put students’ civil rights, safety and privacy at risk,” the report reads. The findings support some legislators’ concerns about the lack of regulation over the use of AI in the private sector, especially given that the pandemic has led to an unprecedented increase in virtual learning. The senators stated, “We strongly support measures that will protect students and ensure student safety, and we share the urgency that school districts are facing to identify ways to keep students safe…It is crucial that the tools school districts select will keep students safe while also protecting their privacy, and that they do not exacerbate racial inequities and other unintended harms.”
Data breach at Sephora.
Multinational cosmetics retailer Sephora is notifying Asia-Pacific customers that their data might have been exposed in a recent data breach. According to the notification email, an intruder gained unauthorized access to the personal data of “some customers” in Australia, Hong Kong, Indonesia, Malaysia, New Zealand, the Philippines, Singapore and Thailand, and the compromised data includes name, date of birth, gender, email address, encrypted password, and “beauty preferences.” Arkose Labs CEO Kevin Gosschalk commented to Infosecurity Magazine, “There is an ongoing onus on Sephora to safeguard its customers against future cybercrime associated with their password vulnerabilities. Our reality is that cybercrime is a well-funded and connected business where fraudsters have access to sophisticated tools and resources to launch attacks. This breach is yet another incident that provides them with the exact ammunition they need. The longer-term solution will come from eliminating the economic incentives behind these attacks through the use of integrated strategies that detect fraud in real time and block attacks from being successful.”
Arti Raman, CEO and Founder of Titaniam, again stresses the importance of encrypting data in use, in addition to data in transit and data at rest:
“Data leaks like the recent incident at cosmetics giant Sephora are becoming more and more common. Our privacy remains a fundamental human right, and those who need our data to function, such as retailers, take on a responsibility to protect our data the moment they ask for it.
“Historically, organizations have relied on data-at-rest encryption, but it has serious weaknesses. If the file or information is being worked on, or is accessed using privileged credentials, this protection is rendered useless, and hackers can still steal the underlying data.
“Moving to more advanced encryption mechanisms such as encrypting data-in-use and combining encryption with granular externally controlled keys provides unprecedented immunity. Should adversaries find publicly accessible databases, such as Amazon’s S3 data store in the latest Sephora breach, files will remain undecipherable and unusable – making digital blackmail significantly more difficult if not impossible.”
Oran Avraham, CTO of Laminar, wrote to highlight the risk posed by ungoverned “shadow” data in public clouds:
“The recent incident with Sephora should serve as a reminder of the dangers of ungoverned data stores in the public cloud. This unknown or “shadow” data, has been cited as a top concern by 82% of security professionals in a recent survey — and rightfully so. All of this data is at increased risk for exposure, causing revenue and reputational harm to corporations at a time when regulatory censure and fines are increasing.
“Organizations must begin relying on cloud-native security tools that allow visibility into all of the data living on the public cloud environment. Having full data observability lets data protection teams understand where shadow data stores are, who owns them and what actions are needed to protect sensitive data.”
Adrian Knapp, CEO & Founder, Aparavi, argues that the incident shows the value of conducting a data assessment:
“Breaches of personally identifiable information (PII), like that which Sephora just experienced, can be reduced by better data management. With poor data management, companies are left with information hiding in the dark, not knowing how much data they possess or what that data contains, bringing risk to themselves and their customers.
“A data assessment can help shine a light on dark data and reveal potential threats to your organization. This process scans your entire file system and explores the deepest crevasses of your company. The assessment can also read the data in unstructured files and reveal content. By doing an audit, organizations can avoid a backlog in data management and limit the unstructured data that could be subjected to a ransomware attack, providing a more efficient and secure data environment.”
Neil Jones, director of cybersecurity evangelism at Egnyte, draws some lessons about backups, policy, and the importance of paying attention to security during data migration:
“The recent data exposure that impacted nearly 500,000 Sephora Beauty Inside cardholders provides us with several key lessons: 1) Customers' PII that's stored in backup files is just as valuable as live production data to potential cyber-attackers. 2) Amazon S3 bucket security policies need to be regularly reviewed and updated, including audits or spot-checks of content that's posted in the buckets. 3) When your company undergoes a significant data migration, data files need to be reviewed closely, to ensure that unauthorized users aren't able to access data in the source repository or the destination repository. The silver lining to this incident is that the responsible disclosure process worked effectively, and Sephora took quick action to rectify the issue.”
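One way to carry out the regular S3 bucket review Jones recommends, as an added example that is not part of the briefing and not Egnyte's or Sephora's code: a small audit that classifies each bucket's public exposure from the settings boto3's get_public_access_block, get_bucket_policy_status and get_bucket_acl calls return, applying S3 Block Public Access semantics. The bucket inventory at the bottom is constructed, not taken from the incident.

```python
from dataclasses import dataclass, field

# Canned-group URIs that S3 treats as public principals.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class BucketConfig:
    """One bucket's settings, in the shapes boto3 returns them (assumed inputs)."""
    name: str
    public_access_block: dict = field(default_factory=dict)  # empty = no BPA configured
    policy_is_public: bool = False                           # PolicyStatus.IsPublic
    acl_grants: list = field(default_factory=list)           # Grants from get_bucket_acl


def audit_bucket(cfg: BucketConfig) -> dict:
    """'public' is True only when an anonymous or any-AWS-account principal can reach
    objects: RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls a public ACL."""
    pab = cfg.public_access_block
    findings = []
    if cfg.policy_is_public and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy grants public access")
    for grant in cfg.acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            if not pab.get("IgnorePublicAcls", False):
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    public = bool(findings)
    if not all(pab.get(k, False) for k in BPA_KEYS):   # hygiene warning, not exposure
        findings.append("warning: Block Public Access not fully enabled")
    return {"name": cfg.name, "public": public, "findings": findings}


def public_buckets(configs) -> list:
    """Names of buckets whose data is exposed right now, e.g. for a nightly report."""
    return [r["name"] for r in map(audit_bucket, configs) if r["public"]]


# Constructed inventory: a forgotten backup bucket with a legacy public-read ACL,
# a migration target whose public policy is blocked by BPA, and a clean bucket.
SAMPLE_BUCKETS = [
    BucketConfig("customer-backups-2022",
                 acl_grants=[{"Grantee": {"Type": "Group",
                                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                              "Permission": "READ"}]),
    BucketConfig("migration-target", policy_is_public=True,
                 public_access_block={"RestrictPublicBuckets": True, "BlockPublicPolicy": True}),
    BucketConfig("crm-prod", public_access_block={k: True for k in BPA_KEYS}),
]

if __name__ == "__main__":
    for cfg in SAMPLE_BUCKETS:
        print(audit_bucket(cfg))
```

Feeding real buckets in means listing them with boto3 and building one BucketConfig per bucket from the three calls named in the lead-in; the classification logic is unchanged.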