At a glance.
- Scrubs & Beyond data exposure incident.
- Twitter's CSAM-detection system found to be lacking.
- NHS impacted by Capita attack.
- FTC orders Microsoft to pay $20 million for COPPA violations.
Scrubs & Beyond data exposure incident.
Leading healthcare uniforms purveyor Scrubs & Beyond has suffered a data leak that exposed customers’ personally identifiable information and sensitive financial data. HackRead reports that researchers discovered an unprotected server on the web: it required no authentication of any kind and was reachable by anyone who knew how to use a tool like the open-source-intelligence search engine Shodan. The database holds over 100,000 customer records, roughly 400 GB of data, and new records are still being written to it. Although it was discovered on May 25, the researchers have received no response from Scrubs & Beyond, and the server remains exposed. The exposed data include customers’ full names, email addresses, mobile phone numbers, street addresses, internal credentials and, most alarmingly, credit card details, including card numbers, CVV codes, and expiration dates. The presence of CVV codes is itself notable: PCI DSS prohibits merchants from storing the card verification value after a transaction is authorized.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, advises customers to look to their credit cards. "Scrubs & Beyond customers should consider replacing their credit cards before cybercriminals have a chance to use them," he said. "The exposed database was still being updated even after the exposure was disclosed, which means the credit card data is most likely still valid. Criminals will pounce on this opportunity. At minimum, keep an eye on your transaction history for suspicious charges. Small charges of just a few dollars or cents can indicate a criminal is testing the card's validity. Customers should also be on the lookout for targeted phishing messages. Criminals can use private information from the database to make their messages more convincing. Never click on links or attachments in unsolicited emails." Those interested in what stolen cards fetch nowadays on the dark web may consult Comparitech's blog on the topic.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, wrote, "Unfortunately, this breach has resulted in easy access to the personal information of company customers. I am also concerned about Scrubs & Beyond's reaction to the breach, as they were contacted several times about the data's exposure. Scrubs & Beyond customers will want to stay alert for any changes in their financial and credit status, staying alert for any newly opened unauthorized accounts."
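The "small charges" pattern Bischoff describes is the same signal a card issuer or merchant fraud team looks for when hunting card-testing activity. The example below is added here to illustrate that check; it is not code from the original article, HackRead, or either of the quoted commentators. The transactions are constructed for the example, and the thresholds (charges of at most $5.00, at least three of them within 30 minutes) are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real data):
# (card_last4, ISO timestamp, amount_usd, merchant)
SAMPLE_TRANSACTIONS = [
    ("4242", "2023-06-06T10:00:00", 0.50, "onlineshop-a"),
    ("4242", "2023-06-06T10:02:00", 1.00, "onlineshop-b"),
    ("4242", "2023-06-06T10:03:30", 0.99, "onlineshop-c"),
    ("4242", "2023-06-07T09:00:00", 54.20, "grocery"),
    ("1111", "2023-06-06T10:00:00", 120.00, "electronics"),
    ("1111", "2023-06-06T18:00:00", 3.25, "coffee"),
]


def flag_card_testing(transactions, small_amount=5.00,
                      window=timedelta(minutes=30), min_hits=3):
    """Return {card: [(timestamp, amount, merchant), ...]} for every card
    that has at least `min_hits` charges of `small_amount` or less inside
    any `window`-long span. Thresholds are assumed values, not taken
    from the article."""
    by_card = defaultdict(list)
    for card, ts, amount, merchant in transactions:
        # Only low-value charges are candidates for card testing.
        if amount <= small_amount:
            by_card[card].append((datetime.fromisoformat(ts), amount, merchant))

    flagged = {}
    for card, events in by_card.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        start = 0
        # Sliding window over the sorted small charges.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[card] = events[start:end + 1]
                break
    return flagged


if __name__ == "__main__":
    for card, burst in flag_card_testing(SAMPLE_TRANSACTIONS).items():
        print(f"card ...{card}: {len(burst)} small charges within "
              f"{burst[-1][0] - burst[0][0]} across "
              f"{len({m for _, _, m in burst})} merchants")
```

On the sample data only card ...4242 is flagged: three sub-dollar charges at three different merchants within four minutes, which is the classic shape of an attacker confirming that a stolen card number is live before making a larger purchase. Card ...1111 has a single small charge and is left alone. In production the same logic would run against authorization records rather than settled transactions, since testing charges are often voided before they settle.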
Twitter’s CSAM-detection system found to be lacking.
Researchers at the US’s Stanford Internet Observatory say they’ve found evidence that in recent months Twitter failed to prevent dozens of known images of child sexual abuse from being posted on the platform, the Wall Street Journal reports. Twitter staff were informed, and the problem appears to have been rectified in May, but the discovery nonetheless raises questions about the platform’s detection system and enforcement. David Thiel, chief technologist of the Stanford Internet Observatory and a co-author of the report, says that between March 12 and May 20, in a data set of approximately 100,000 tweets, the researchers detected over forty images that had previously been flagged as child sexual abuse material (CSAM). “This is one of the most basic things you can do to prevent CSAM online, and it did not seem to be working,” Thiel said. The finding is especially concerning given that Twitter owner Elon Musk has said that cracking down on the sharing of such images is a top priority, and that the company reported a 112% increase in suspensions of accounts found to have posted CSAM. Further complicating matters, Twitter recently announced that it is raising prices for access to its application programming interface (API), the very access that allowed researchers to detect such failures, and the Stanford Internet Observatory stated last week that the new costs had forced it to stop using Twitter’s API. “This is a significant blow to platform transparency,” Thiel said. Musk and Twitter have not yet commented on the researchers’ findings, although Musk previously called the Stanford Internet Observatory a “propaganda machine” for its research on content moderation during the 2020 presidential election.
NHS impacted by Capita attack.
As we noted previously, London-based outsourcing firm Capita suffered a March cyberattack that exposed the data of at least ninety of the organizations it serves. Pulse Today reports that England’s National Health Service (NHS) is the attack’s latest casualty. NHS England disclosed the breach to the Information Commissioner’s Office after Capita notified it that the attackers had accessed a document containing ‘limited optometry information’ for two patients, as well as two files containing the names and NHS numbers of deceased and de-registered general practitioner patients. The NHS said in a statement, “The files identified archived records that related to individuals who had died more than 10 years ago or who have not been registered with a GP in England for more than 10 years. No health data or other patient data was included in the lists or accessed as a result of the incident. An independent cyber security expert, appointed by Capita, has not found any evidence that the information has been made available more widely.” It’s worth noting that NHS England recently announced it is considering changes to its contract with Capita because of concerns about Capita’s performance.
FTC orders Microsoft to pay $20 million for COPPA violations.
The US Federal Trade Commission (FTC) announced yesterday a proposed settlement under which Microsoft will pay $20 million for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by collecting the data of children who signed up for its Xbox gaming system without parental consent. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, explained, “Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids. This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.” Microsoft is also required to improve its privacy protections for underage users, both by extending COPPA protections to the third-party gaming publishers with whom it shares children’s data and by making clear that children’s images and other biometric and health data submitted to the game system are covered by the COPPA Rule. As AP News notes, Microsoft’s corporate vice president for Xbox, Dave McCarthy, published a blog post yesterday describing further steps the company will take to improve its age verification systems and to educate users and parents about privacy issues. The settlement does not take effect until a federal court approves it.