Privacy Roundup #0135 • October 2017

October 2017 was dominated by historic breach revelations, broken cryptography and the first reckoning over surveillance and Russian influence operations.

1. Yahoo says all three billion accounts were hit in the 2013 breach

Yahoo revised its 2013 breach figure upwards to cover every single account it ever held, roughly three billion in total. The new estimate, confirmed by Verizon, tripled the previous count and stood as the largest breach disclosure on record.

money.cnn.com

2. Kaspersky software linked to theft of NSA hacking tools

The Wall Street Journal reported that Russian government hackers had stolen classified NSA material from a contractor's home computer that was running Kaspersky antivirus. The claim deepened a standoff that had already led Washington to order Kaspersky software removed from federal systems.

www.nextgov.com

3. Disqus discloses a 2012 breach of 17.5 million accounts

The commenting platform Disqus revealed that a database snapshot from 2012 holding 17.5 million user records had been stolen and was now circulating. The exposed data included email addresses, usernames and, for about a third of accounts, salted SHA1 password hashes.

www.helpnetsecurity.com

4. Krebs reveals Equifax exposed Americans' salary histories

Brian Krebs showed that an Equifax service called The Work Number let anyone with a Social Security number and date of birth pull detailed salary and employment records. The exposure was especially alarming because those exact data points had been stolen in the firm's own breach weeks earlier.

krebsonsecurity.com

5. Accenture left client data exposed on public cloud storage

Researchers found four Accenture cloud storage buckets configured for public access, exposing credentials, decryption keys and customer data. The largest server held more than 137 gigabytes of data, including a database with nearly 40,000 plain text passwords.

www.upguard.com

6. IRS suspends its identity contract with Equifax

The IRS froze a 7.2 million dollar contract that used Equifax to verify taxpayer identities, citing fresh security concerns. The suspension followed congressional anger over awarding a no-bid deal to a firm still reeling from a breach affecting 145 million Americans.

www.engadget.com

7. Hyatt reports a second payment card breach in two years

Hyatt disclosed that card-stealing malware had infected payment systems at 41 hotels across 11 countries between March and July. It was the chain's second such breach in two years, with properties in China bearing the brunt of the attack.

www.bankinfosecurity.com

8. KRACK attack breaks WPA2 Wi-Fi encryption

Researchers disclosed KRACK, a key reinstallation attack that undermines the WPA2 protocol securing virtually every modern Wi-Fi network. An attacker within range could decrypt traffic and, on some devices, inject data, prompting an industry-wide patching scramble.

krebsonsecurity.com

9. ROCA flaw weakens RSA keys in millions of chips

The ROCA vulnerability in Infineon's cryptographic library allowed attackers to recover private RSA keys from public ones across millions of smartcards, security tokens and hardware modules. The flaw forced national identity card schemes, including Estonia's, to scramble for fixes.

www.infosecurity-magazine.com

10. Pizza Hut warns customers of a payment card breach

Pizza Hut told around 60,000 customers that hackers had accessed names, addresses and payment card details during a 28-hour intrusion on its website at the start of the month. The chain drew criticism for waiting two weeks to notify people, by which point some reported fraudulent charges.

fortune.com

11. Google launches an Advanced Protection Program for high-risk users

Google introduced a hardened account mode built around physical security keys for journalists, campaign staff and other likely targets. The programme also restricted third-party access to Gmail and Drive and tightened account recovery to blunt phishing.

9to5google.com

12. Microsoft kept quiet about a 2013 hack of its bug database

Former employees told Reuters that a sophisticated group had broken into Microsoft's secret database of unfixed vulnerabilities in 2013. The company never disclosed the breach publicly, even though attackers could have weaponised the knowledge of flaws not yet patched.

www.engadget.com

13. Domino's Australia blames a supplier after customer data leaks

Domino's Australia confirmed that customer names, email addresses and order suburbs had leaked and were being used to send convincing phishing emails. The chain blamed a former supplier's system and notified the privacy regulator, while declining to email affected customers directly.

www.theregister.com

14. EFF warns that expanding E-Verify would be a privacy disaster

The Electronic Frontier Foundation argued that a bill mandating nationwide E-Verify would force employers to collect and transmit highly sensitive identity data. The group warned of error rates and the steady drift towards a national worker tracking system.

www.eff.org

15. Whole Foods says its payment card breach is resolved

Whole Foods confirmed that unauthorised software had copied payment card details at taprooms and restaurants inside many of its stores. The compromised systems were separate from the main grocery checkouts, and the exposure window ran from March to late September.

cyberscoop.com

16. Privacy International launches the Surveillance Industry Index

Privacy International released a relaunched Surveillance Industry Index documenting more than 520 companies and 1,500 brochures from the surveillance trade. The accompanying report charted an industry concentrated in a handful of wealthy, arms-exporting states.

privacyinternational.org

17. Bad Rabbit ransomware spreads across Russia and Ukraine

A fast-moving ransomware strain named Bad Rabbit hit media outlets, transport systems and other organisations through fake Adobe Flash updates. Researchers tied its code to the earlier NotPetya outbreak and watched it spread across corporate networks within days.

securelist.com

18. Lost USB stick exposes Heathrow Airport security plans

An unencrypted memory stick found on a London street held 2.5 gigabytes of restricted Heathrow security material, including patrol timetables, CCTV maps and the Queen's transit route. The airport launched an investigation into how the unprotected drive ended up in public.

www.theregister.com

19. Hilton settles two data breaches with state attorneys general

Hilton agreed to pay 700,000 dollars to New York and Vermont to resolve claims over two 2015 card breaches and a slow notification. The settlement also required the chain to overhaul its security programme and notify consumers promptly in future.

ag.ny.gov

20. Facebook, Google and Twitter face Congress over Russian ads

The three platforms testified for the first time before the Senate Judiciary Committee about Russian disinformation during the 2016 election. Facebook conceded that content from a Russian troll farm may have reached 126 million Americans, while Google and Twitter disclosed their own figures.

techcrunch.com
