Tech Letter

Fresh Technology Insights

Category: Data Breach (page 1 of 3)

Australia sues Facebook for breaching the privacy of over 300K Australians in the Cambridge Analytica scandal

Facebook could face millions of dollars in fines over allegedly breaching the privacy of over 300,000 Australian citizens caught up in the Cambridge Analytica scandal.

Josh Taylor, The Guardian »

The Australian information commissioner Angelene Falk has alleged Facebook committed serious and repeated interferences with privacy in contravention of Australian privacy law because data collected by Facebook was passed on to the This is Your Digital Life app by Cambridge Analytica for political profiling, which was not what it was collected for.

Data included people’s names, dates of birth, email addresses, city location, friends list, page likes and Facebook messages for those who had granted the app access to the messages.

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” Falk said.

“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.”

More » Office of the Australian Information Commissioner, Reuters, News.com.au, Seeking Alpha

Have I Been Pwned holds more records than the population of Earth

The popular security website Have I Been Pwned (HIBP) “is a database of usernames or email addresses that have been exposed in data breaches. At the time of writing, it contains 9,543,096,417 records, which happens to be more than the population of Earth, showing the extent of such breaches.”

More » The Register

Personal information belonging to 144,000 Canadians breached at federal departments and agencies over the past two years

Catharine Tunney, CBC »

Federal departments or agencies have mishandled personal information belonging to 144,000 Canadians over the past two years, according to new figures tabled in the House of Commons — and not everyone who was swept up in a privacy breach was told about it.

The new figures were included in the federal government’s answer to an order paper question filed by Conservative MP Dean Allison late last month. The nearly 800-page response didn’t offer an explanation for the errors, which range in seriousness from minor hiccups to serious breaches involving sensitive personal information.

[…]

The Canada Revenue Agency leads the pack in breaches, with more than 3,005 separate incidents affecting close to 60,000 Canadians between Jan. 1, 2018 and Dec. 10, 2019.

The department blames the breaches on misdirected mail, security incidents and employee misconduct.

Even the keepers of Canada’s official secrets aren’t immune. The Canadian Security Intelligence Service, the Communications Security Establishment and the RCMP all reported missteps as well.

The Department of National Defence said most of its 170 breaches, which affected more than 2,000 people, were due to inappropriate access to, or use or disclosure of, personal information.

Four things you can do today that help protect your privacy and security

1. Scrub your email

2. Ditch old passwords

3. Update your software

4. Upgrade your browser

More » Mozilla

US Homeland Security Dept has purchased access to at least one database to track the locations of millions of mobile phones and is using the info in immigration and border controls and possibly other secret government surveillance programs

If the headline surprises you, you haven’t been paying attention. This has been going on for years. Ask Snowden.

What I’d like to know is how much tracking is DHS doing outside its borders?

US Department of Homeland Security (DHS) acknowledges tracking millions of smartphone users within the USA, despite a Supreme Court order limiting its authority to do so. DHS will not state how the data is being used.

Byron Tau and Michelle Hackman, Wall Street Journal »

The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement, according to people familiar with the matter and documents reviewed by The Wall Street Journal.

The location data is drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user has granted permission to log the phone’s location.

More » Apple Insider

4.7 million B.C. residents may have been impacted by the data breach at LifeLabs

Statistics Canada states British Columbia had a population of 5.071 million last year.

This is what happens when companies prioritize profit over their duty to look after customers’ personal information.

Kendra Mangione, CTV News »

The massive cyberattack targeted a laboratory testing company with locations across Canada – primarily in B.C. and Ontario.

The company’s website claims more than a million Canadians use its services, and more than 112 million tests are performed by its labs each year.

Earlier Friday, Alberta’s privacy commissioner said nearly 22,000 Albertans may have been part of the estimated 15 million Canadians that could have had their data compromised.

D’oh

LifeLabs president and CEO Charles Brown called the hack a “wake-up call,” and said “We all need to up our game to protect our customer data.”

Read the whole article at CTV »

Companies and their officers have a duty of care they are not meeting. This will happen again and again until businesses do much more than just speak about security. The number of breaches shows that self-regulation and self-policing often do not work. Stronger legislation that includes public accountability, hefty fines, and perhaps even criminal penalties needs to be enacted to prevent this from happening.

Amazon’s Ring doorbell sends customers’ personal data to Facebook and Google

BBC »

The Electronic Frontier Foundation found the Ring app was “packed” with third-party tracking, sending out customers’ personally identifiable information.

Five companies were receiving a range of information, including names, IP addresses and mobile networks, it said.

Ring said it limited the amount of data it shared.

The company told Gizmodo: “Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimise the customer experience and evaluate the effectiveness of our marketing.”

But the EFF said Ring was failing to protect users’ privacy, noting only one of the trackers it had found was mentioned in the company’s privacy policy.

US Army bans soldiers from using TikTok » The app is considered a “cyber threat”

Justine Calma, The Verge »

United States Army soldiers can no longer use TikTok on government-owned phones following a decision to ban the app. The move comes amidst ongoing worries that the video app owned by Beijing-based company ByteDance could compromise national security or be used to influence or surveil Americans.

“It is considered a cyber threat,” Army spokeswoman Lt. Col. Robin Ochoa told Military.com, which broke the news on December 30th. The army reportedly used TikTok to recruit members prior to the ban.

Both the Navy and Defense Department sounded alarms on TikTok earlier this month. The Navy previously told its members not to add the app, and to delete it from government-issued devices if it was already installed. The Defense Department also instructed employees to “be wary of applications you download, monitor your phones for unusual and unsolicited texts etc., and delete them immediately and uninstall TikTok to circumvent any exposure of personal information,” according to military.com.

More » CNN

Related » US Navy Bans TikTok From Military Devices » Security Boulevard (Dec 27, 2019)

More » BoingBoing, The Next Web, SecurityAngle

Related » TikTok eyes global headquarters outside of China as US scrutiny mounts – Tech in Asia (Dec 24, 2019)

More » WSJ

NY Times journalists answer » What’s the worst that could happen to your smartphone data?

NY Times »

None of us really has a choice to participate in tracking or not — the system just serves up location data, usually without us noticing. So for people who do want a bit of privacy — worshipers, young people visiting Planned Parenthood, those visiting a queer space, survivors hiding from an abuser — they no longer have a real choice about their privacy. Because the tracking touches everyone, can we really give up after concluding it’s fine for us? When we participate in this system, we’re tacitly endorsing it.

[…]

Your imagination can run wild with possibilities. It runs from tracking kids to tracking the nation’s top security officials and using the intelligence for some kind of blackmail.

For us, it was talking to one group that was so concerned they didn’t want to be named. We expected them to be worried, but in conversations with them, they were downright scared. When we showed them all the device pings collected in the center of their building during a gathering, they were horrified that people could know exactly who and how many people were in the building and when. The idea that their community members were followed in the data and we could figure out where they all lived — it wasn’t an abstract threat anymore. It was real and personal for them, especially since they felt like a target already.

Chinese government-linked hacker group has been hacking and bypassing two-factor authentication

Cyber security researchers at Dutch firm Fox-IT have found evidence showing that a Chinese government-sponsored hacking group, APT20, has been bypassing two-factor authentication (2FA) in a recent wave of attacks against government entities and managed service providers.

Catalin Cimpanu, ZDNet »

According to researchers, the hackers used web servers as the initial point of entry into a target’s systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.

APT20 used vulnerabilities to gain access to these servers, install web shells, and then spread laterally through a victim’s internal systems.

While on the inside, Fox-IT said the group dumped passwords and looked for administrator accounts, in order to maximize their access. A primary concern was obtaining VPN credentials, so hackers could escalate access to more secure areas of a victim’s infrastructure, or use the VPN accounts as more stable backdoors.


© 2020 Tech Letter
