At a glance.
- New poll sheds light on American password hygiene.
- Update on Spain's Pegasus scandals.
- Data breach reported by IKEA Canada.
New poll sheds light on American password hygiene.
Just in time for World Password Day, a survey conducted by insights and analytics company Ipsos on behalf of Google shows that 84% of Americans are highly concerned about the safety and privacy of their personal data on the web. More than a third of respondents said they’ve been impacted by a data breach. Ipsos reports that while 92% of those respondents changed their password after being exposed, in general many Americans still engage in behaviors that could put their online information at risk.
About two-thirds of respondents admit to reusing the same password for multiple online accounts, and one third say they’ve shared their password with someone else. One-fifth use passwords that would be easy to guess, with over half incorporating personal information like names or birth dates into their passwords. On the bright side, 73% of respondents say they use multi-factor authentication, and about 44% use password manager services. The pandemic, and the resultant surge in online activity, does not seem to have had much impact on password hygiene, as the majority of respondents say their behavior hasn’t changed.
Update on Spain’s Pegasus scandals.
As we’ve previously noted, digital rights group Citizen Lab recently discovered that the phones of dozens of pro-independence supporters in Spain’s Catalonia region were infected with Pegasus spyware. According to Gabriel Rufián, a leading member of a Catalan pro-independence party, Spain’s top intelligence official Paz Esteban admitted during a closed-door meeting that Spain’s National Intelligence Center (CNI) had hacked into the cellphones of “some” of the targeted politicians, Security Week reports. However, Esteban says the CNI had the required judicial authorization for the surveillance. Rufián stated, “They (the CNI) admit to the spying, but say that it was carried out against far fewer people than those cited by Citizen Lab.”
When the surveillance first came to light, the Catalan separatists suggested that CNI was likely behind the hacking. Spanish officials insisted that CNI is not authorized to tap phones without judicial authorization, but admitted that secrecy laws prevent the agency from confirming whether or not it uses Pegasus. Although CNI and Spain’s ombudsman have said they will investigate the hackings, Esteban Beltrán, Amnesty International's Spain director, says, “This committee, characterized by its secrecy and obscurantism, cannot be considered the appropriate venue to investigate the alleged violations of human rights.”
Further complicating matters, earlier this week the Spanish government found that the cellphones of both Prime Minister Pedro Sánchez and Defense Minister Margarita Robles were also infected with Pegasus last year. The revelations have the Spanish people questioning how widespread the spying is and just who might be behind it. Citizen Lab senior researcher John Scott-Railton stated, “Being a victim does not preclude you from being a perpetrator when it comes to Pegasus.”
Report: IKEA Canada sustains a data exposure incident.
IKEA Canada has disclosed that an employee improperly accessed customer records in the course of an unspecified search, and that the data of up to 95,000 customers may have been exposed. Global News reports that the company has submitted a data breach report to the Office of the Privacy Commissioner of Canada.
Erfan Shadabi, cybersecurity expert with comforte AG, sees the incident as highlighting the need for both exfiltration controls and, of course, encryption:
“The data breach incident that IKEA Canada disclosed about an employee who 'searched' and viewed sensitive customer information accentuates the threat posed by the 'inside job.' When we hear of careless handling of sensitive information, we begin to wonder just how secure our own data is within the many different data ecosystems housing and processing it. Employees are usually granted a certain level of trust with enterprise data, even if they don’t have access and rights to all information within the organization. Working from the inside with an implied level of trust means that the inside job has more time to develop and execute an effective exfiltration strategy.
"The answer to counter this threat is to recognize how vulnerable businesses are from the inside and to adopt security stances like Zero Trust, which denies implicit trust to users, devices, and other entities regardless of their location within the network.
"Also, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you’ve stored it all in is foolproof. Make sure that data-centric protection such as tokenization or format-preserving encryption effectively obfuscates sensitive information in case internal or external threat actors find their way into your data ecosystem.”
Erich Kron, security awareness advocate at KnowBe4, thinks IKEA Canada actually detected an incident that a lot of organizations would have simply not noticed:
“Privacy is a difficult challenge for any organization, especially when it comes to internal employees who often need some of this information to perform their legitimate tasks. In this case, it appears the data was not stolen by cybercriminals, but accessed by an internal source. IKEA quickly assembled the facts, assessed the issue and took measures to ensure the data remained contained within the organization’s control.
"To their credit, IKEA did spot the kind of data access that many organizations would not have noticed, and by furnishing the information to the Office of the Privacy Commissioner of Canada, allowed potential victims to take steps needed to protect themselves. Like with their store layouts, spotting when and where data may have been accessed, especially by an internal employee, can lead down an ever-twisting path full of false flags and pointless distractions, often resulting in nothing useful being found.
"Organizations should be careful to periodically confirm the type of data employees can access and should limit it to the least amount needed to perform their job. In addition, penetration tests should be performed to look for vulnerabilities within the network and Data Loss Prevention (DLP) controls enabled to reduce the chance of sensitive data being removed from the network.”
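The two controls the commentators keep returning to, confirming that an employee's role actually entitles them to the records they touch, and noticing when one account reads far more customer records than its job needs, are both cheap to check against an application audit log. The script below is an added example written for this page; it is not code from IKEA, comforte AG, KnowBe4 or the article. The log line format, the role names, the entitlement table, the 50-records-per-hour threshold and the sample log itself are all constructed assumptions for illustration, and nothing in it reflects how the IKEA Canada access actually occurred.

```python
"""Flag insider-style customer-record access in an application audit log.

Added example, not from the article or any party it quotes. Log format,
roles, entitlements and thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed audit-line format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) customer_id=(?P<cid>\S+)$"
)

# Assumed least-privilege table: which actions each role may perform on
# customer records. Roles absent from the table are allowed nothing.
ROLE_ENTITLEMENTS = {
    "store_associate": {"view"},
    "support": {"view"},
    "privacy_office": {"view", "export"},
}

# Assumed baseline: no single employee should touch more than this many
# distinct customer records in one hour during normal work.
RECORDS_PER_HOUR_LIMIT = 50

# Constructed sample log: normal activity from three employees, followed by
# one support user bulk-exporting 300 records within a single hour.
SAMPLE_LOG = """
2022-05-02T09:01:11Z user=asmith role=store_associate action=view customer_id=C1001
2022-05-02T09:05:40Z user=asmith role=store_associate action=view customer_id=C1002
2022-05-02T09:07:03Z user=bjones role=warehouse action=view customer_id=C2001
2022-05-02T10:12:19Z user=cwu role=support action=view customer_id=C3001
""" + "\n".join(
    f"2022-05-02T11:{i // 60:02d}:{i % 60:02d}Z user=cwu role=support "
    f"action=export customer_id=C{4000 + i}"
    for i in range(300)
)


def parse_log(text):
    """Parse audit lines into dicts; fail loudly on a line we cannot read."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def analyze(events, limit_per_hour=RECORDS_PER_HOUR_LIMIT):
    """Return entitlement violations and per-user-per-hour volume alerts."""
    per_hour = defaultdict(set)  # (user, hour bucket) -> distinct customer ids
    entitlement_alerts = []
    for e in events:
        allowed = ROLE_ENTITLEMENTS.get(e["role"], set())
        if e["action"] not in allowed:
            entitlement_alerts.append((e["user"], e["role"], e["action"], e["cid"]))
        hour = e["ts"].strftime("%Y-%m-%dT%H:00Z")
        per_hour[(e["user"], hour)].add(e["cid"])
    volume_alerts = sorted(
        (user, hour, len(ids))
        for (user, hour), ids in per_hour.items()
        if len(ids) > limit_per_hour
    )
    return {"volume_alerts": volume_alerts, "entitlement_alerts": entitlement_alerts}


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for user, hour, n in report["volume_alerts"]:
        print(f"VOLUME  {user} read {n} distinct customer records in hour {hour}")
    for user, role, action, cid in report["entitlement_alerts"][:3]:
        print(f"ENTITLE {user} ({role}) performed {action} on {cid}")
    print(f"... {len(report['entitlement_alerts'])} entitlement violations total")
```

Counting distinct customer IDs rather than raw events keeps an employee who reloads one customer's page from tripping the volume rule, while the entitlement check fires on the very first record a role is not allowed to touch, which is the point at which a periodic access review would have caught it.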