Privacy Roundup #0134 • September 2017

September 2017 was dominated by the Equifax catastrophe, a cascade of cloud misconfigurations and supply chain attacks, and fresh fights over surveillance at the border and online.

1. Equifax discloses a breach affecting roughly 143 million Americans

Equifax revealed that attackers had accessed the names, Social Security numbers, birth dates and addresses of approximately 143 million people. The credit bureau had discovered the intrusion on 29 July yet waited until 7 September to inform the public.

krebsonsecurity.com

2. Equifax Argentina portal protected by 'admin' as both username and password

Researchers found that an Equifax employee portal in Argentina accepted 'admin' as both the username and the password and exposed thousands of records in plain text. The national identity numbers of at least 14,000 Argentinians sat behind that trivial login.

krebsonsecurity.com

3. Equifax confirms up to 400,000 British consumers were caught in the breach

Equifax acknowledged that names, dates of birth, email addresses and telephone numbers of up to 400,000 people in the United Kingdom may have been accessed. The company blamed a file of British data that had been mistakenly stored in the United States.

money.cnn.com

4. Experian website hands out credit freeze PINs to anyone with basic personal data

A flaw in Experian's online service let anyone retrieve a consumer's credit freeze PIN using only widely breached information such as name, address, date of birth and Social Security number. Because the PIN is what a consumer presents to lift the freeze, the weakness undermined the very protection that consumers were rushing to use after the Equifax disclosure.

krebsonsecurity.com

5. SEC reveals its EDGAR filing system was hacked for illegal trading

The Securities and Exchange Commission disclosed that hackers had breached its EDGAR corporate filing database and may have traded on non-public information. The intrusion dated back to 2016, and Chairman Jay Clayton disclosed it only in September 2017, days before he was due to testify before Congress.

www.pymnts.com

6. Deloitte breach exposed the firm's entire email system and admin accounts

A source told Krebs on Security that the Deloitte breach compromised all administrator accounts and the firm's complete internal email database. The intrusion reached back to autumn 2016 and touched correspondence from government agencies and major corporate clients.

krebsonsecurity.com

7. Hackers backdoored CCleaner, infecting more than two million users

Attackers planted a backdoor inside a legitimately signed build of the popular CCleaner utility (version 5.33), which was distributed from the official servers for nearly a month. Roughly 2.27 million users downloaded the tainted software, which gathered system data and could fetch further payloads. The valid code-signing certificate did nothing to stop this: a signature proves who published a build, not that the build pipeline was clean.

www.helpnetsecurity.com

8. Viacom leaves the keys to its kingdom in an exposed AWS S3 bucket

A researcher found a publicly accessible Amazon S3 bucket holding Viacom's server passwords, provisioning manifests and the access keys for its entire cloud account. Anyone who found the bucket before it was locked down could have seized control of the media giant's infrastructure.

www.theregister.com

9. Misconfigured server exposes four million Time Warner Cable customer records

BroadSoft, a software vendor that provided services to Time Warner Cable, left two Amazon S3 buckets open to the public, spilling around four million Time Warner Cable customer records. The exposed data included usernames, email addresses and billing details stretching back to 2010.

www.engadget.com
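The Viacom and BroadSoft exposures above have the same root cause: an S3 bucket whose ACL or bucket policy grants access to everyone. As an added example that is not part of the original roundup or of either company's tooling, the check below evaluates an ACL and a bucket policy shaped like the output of boto3's get_bucket_acl and get_bucket_policy calls, and flags grants to the AllUsers or AuthenticatedUsers groups as well as Allow statements with a wildcard principal and no Condition. The bucket names, owner ID and VPC endpoint ID are constructed sample data, not values from the reports.

```python
"""Flag S3 buckets whose ACL or bucket policy opens them to everyone.

Added example. In real use, feed this the dicts returned by
s3.get_bucket_acl(Bucket=...) and the 'Policy' string returned by
s3.get_bucket_policy(Bucket=...); here the inputs are constructed inline.
"""
import json

# Grantee URIs AWS uses for the two "everyone" groups. AuthenticatedUsers means
# any AWS account holder in the world, so it is effectively public too.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl):
    """Return (permission, group) pairs granted to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grant["Permission"], grantee["URI"].rsplit("/", 1)[-1]))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Sids (or positions) of Allow statements with a wildcard principal
    and no Condition. A Condition such as aws:SourceVpce or aws:SourceIp
    usually narrows "*" to a network, so those are left for manual review."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # AWS allows a single statement object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _is_wildcard_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def assess_bucket(name, acl, policy_json=None):
    """Combine both checks into one verdict for a bucket."""
    policy = json.loads(policy_json) if policy_json else {}
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy)
    return {
        "bucket": name,
        "public": bool(acl_findings or policy_findings),
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
    }


# Constructed sample inputs (owner ID, bucket names and VPC endpoint ID are made up).
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Owner": {"ID": "owner-id"}, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-policy/*"}]})
CONDITIONED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-conditioned/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}})

if __name__ == "__main__":
    for verdict in (
        assess_bucket("constructed-open-acl", OPEN_ACL),
        assess_bucket("constructed-policy", PRIVATE_ACL, OPEN_POLICY),
        assess_bucket("constructed-conditioned", PRIVATE_ACL, CONDITIONED_POLICY),
        assess_bucket("constructed-private", PRIVATE_ACL),
    ):
        print(verdict)
```

The ACL check is what would have caught both buckets in this roundup; the policy check covers the other common way a bucket is opened up. Account-level Block Public Access, which makes both settings ineffective, did not exist in September 2017 and still does not replace an inventory of what is exposed through either route.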

10. Instagram API bug exposed the contact details of six million accounts

A bug in Instagram's developer API let attackers harvest the phone numbers and email addresses of roughly six million accounts, including celebrities and politicians. The stolen details were collected into a dark web database that sold lookups for ten dollars each.

www.welivesecurity.com

11. BlueBorne flaws put billions of Bluetooth devices at risk

Security firm Armis disclosed BlueBorne, a set of eight Bluetooth vulnerabilities that let an attacker within radio range take over a device with Bluetooth enabled, without any pairing or user action. The flaws affected an estimated 8.2 billion devices running Android, iOS, Windows and Linux.

fortune.com

12. United States bans Kaspersky software from federal agencies

The Department of Homeland Security issued Binding Operational Directive 17-01, ordering federal agencies to identify Kaspersky products on their networks and remove them within ninety days, citing fears of ties to Russian intelligence. The directive marked a sharp escalation in concerns over the security software supply chain.

www.npr.org

13. Facebook reveals Russian-linked company bought thousands of election ads

Facebook disclosed that a Russian company had purchased around 3,000 politically themed adverts, for roughly 100,000 dollars, during the 2016 United States campaign. The ads amplified divisive social messages and raised pressing questions about political advertising and transparency.

www.washingtonpost.com

14. Senator Franken presses Apple over Face ID privacy on the iPhone X

Senator Al Franken wrote to Apple asking how the new Face ID system would store and protect facial recognition data. He sought guarantees that faceprints could not be extracted, used for other purposes or handed to law enforcement.

techcrunch.com

15. Lenovo settles FTC charges over Superfish adware preloaded on laptops

Lenovo agreed to settle charges with the Federal Trade Commission and 32 state attorneys general over the preloaded Superfish VisualDiscovery adware, which installed its own root certificate and acted as a man in the middle on encrypted connections. The company agreed to pay 3.5 million dollars to the states and to submit to two decades of security audits.

www.ftc.gov

16. EFF and ACLU sue over warrantless device searches at the border

The Electronic Frontier Foundation and the ACLU filed suit on behalf of eleven travellers whose phones and laptops were searched without a warrant at the United States border. The case sought to require probable cause before officers could rifle through travellers' digital lives.

www.eff.org

17. DHS rule allows monitoring of immigrants' social media activity

The Department of Homeland Security published a rule expanding immigration files to include social media handles, aliases and search results. Civil liberties groups warned the change would chill free expression and sweep up permanent residents and naturalised citizens alike.

www.commondreams.org

18. Whole Foods investigates a payment card breach across its restaurants

Whole Foods disclosed that point of sale systems at its taprooms and table service restaurants had been infected with card stealing malware. The breach touched nearly one hundred locations, although the chain's primary checkout systems were not affected.

www.bankinfosecurity.com

19. European Court of Human Rights limits employer monitoring of staff messages

The Grand Chamber ruled in Barbulescu v Romania that an employer had violated a worker's privacy by monitoring his instant messages and dismissing him. The judgment held that workplace surveillance must be limited, proportionate and preceded by clear notice.

edri.org

20. Sonic Drive-In breach may have exposed millions of payment cards

Sonic Drive-In confirmed a breach of its payment systems after a fresh batch of around five million stolen card accounts surfaced on a dark web marketplace. The fast food chain operates roughly 3,600 outlets, and investigators traced the leaked cards to malware planted at affected drive-in locations.

krebsonsecurity.com
