San Diego School District Data Breach Hits 500k Students*:
- A phishing attack against California’s San Diego Unified School District has led to hackers scooping up Social Security numbers and addresses of more than 500,000 students and staff.
- The district became aware of the breach Oct. 2018.
- The actual breach occurred between January 2001 and November 2018, a spokesperson said.
- The district reported that it was first alerted to “multiple reports of phishing emails,” which were used to gather log-in information of staff members throughout the district.
- Hackers then used that log-in data to access the Social Security numbers and first and last names of students and staff, as well as their date of birth, mailing address, home address and phone number.
- “The data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals,” according to a notification on the San Diego Unified School District’s website on Friday.
- The San Diego Unified School District serves more than 121,000 students and is the second largest school district in California.
- Other accessed information included:
  - Student enrolment information like schedule, discipline incident information, health information, attendance records, transfer information, legal notices on file, and attendance data
  - Student and selected staff State Student ID Number
  - Student and staff parent, guardian and emergency contact personal identifying information (including first and last name, phone numbers, address, email address, employer information)
  - Selected staff benefits information
  - Selected staff payroll and compensation information (including viewable pay checks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information)
*Source: Threat Post, December 24, 2018
Uber: €400,000 Penalty For Breach Of Data Security Of Users*:
- In November 2017, Uber disclosed in the press that, a year earlier, two individuals had stolen the personal data of 57 million users of its services.
- Following this revelation, the G29 (the group of European data protection authorities) created a working group to coordinate the investigation procedures of the different authorities.
- The investigation highlighted the different stages of the attack.
- The attackers first managed to access credentials stored in cleartext on the collaborative development platform GitHub.
- They then used these credentials to remotely access a server on which the data was stored.
- They downloaded information about 57 million users, including 1.4 million users in France.
- The CNIL's restricted committee (the formation restreinte, its sanctioning body) considered that this attack would not have succeeded if some basic security measures had been in place.
- In particular, it emphasized that:
  - the company should have required its engineers to connect to GitHub through a strong authentication measure (for example, an identifier and a password plus a secret code sent to a phone);
  - it should not have stored the credentials used to access the server unencrypted within the source code hosted on GitHub;
  - for access to the Amazon Web Services S3 servers containing user data, it should have set up a system for filtering IP addresses.
- In these circumstances, the restricted committee considered that the company had failed in its obligation to secure the personal data.
- It sentenced Uber France SAS, the parent company of Uber Technologies Inc. and Uber BV, to a fine of €400,000.
- Given the date of the facts, the GDPR was not yet applicable.
- Given the large number of people concerned and the need to raise operators' awareness, the restricted committee also decided to make this decision public.
- Other European authorities have also imposed sanctions in connection with these facts.
- On 6 November 2018, the Dutch Data Protection Authority fined Uber 600,000 for failure to notify the data breach.
- On November 26, the British authority imposed a £385,000 penalty for failing to secure the data.
*Source: CNIL, December 20, 2018
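The second CNIL finding in the Uber item above, credentials committed in cleartext to a source repository, is the kind of defect a repository scanner catches before a push lands. The script below is an added example written for this digest, not code from CNIL, Uber or GitHub: it walks text line by line, flags the documented AWS access key ID shape (AKIA plus 16 upper-case alphanumerics), PEM private-key headers, and quoted values assigned to secret-looking names, and redacts what it reports so the finding itself does not re-leak the value. The entropy threshold, the name heuristics and the sample settings file are constructed assumptions for the example.

```python
"""Added example: scan source text for credentials committed in cleartext.

The AWS access key ID shape (AKIA followed by 16 upper-case alphanumerics)
is the documented format; the remaining patterns, the entropy threshold and
the sample input below are constructed assumptions for this example.
"""
import math
import re
import sys
from collections import Counter

PATTERNS = {
    # Documented AWS access key ID format.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of a private key pasted into a file.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" where the name suggests a secret; group(2) is the value.
    "assignment_secret": re.compile(
        r"(?i)\b\w*(secret|password|passwd|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

ENTROPY_THRESHOLD = 3.0  # bits per character; assumption tuned for the sample

# Constructed sample: a settings file with credentials committed in cleartext.
SAMPLE = """\
# settings for the reporting job
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY0000AB"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "${DB_PASSWORD}"  # read from the environment at runtime: fine
password = "changeme"           # placeholder, low entropy: not reported
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values indicate placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding can be located without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, path: str = "<input>") -> list:
    """Return one finding dict per credential-looking match, values redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(2) if rule == "assignment_secret" else m.group(0)
                if rule == "assignment_secret":
                    # Values injected from the environment ("${...}") or
                    # low-entropy placeholders are not committed secrets.
                    if "${" in secret or shannon_entropy(secret) < ENTROPY_THRESHOLD:
                        continue
                findings.append(
                    {"path": path, "line": lineno, "rule": rule, "secret": redact(secret)}
                )
    return findings


def main(argv: list) -> int:
    """Scan the given files, or the constructed sample when none are given.

    Exit status 1 on any finding, so the script can gate a pre-commit hook."""
    if not argv:
        findings = scan_text(SAMPLE, "sample")
    else:
        findings = []
        for path in argv:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['secret']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the embedded sample (two findings, lines 2 and 3; the environment reference and the placeholder are skipped), or pass file paths to scan a checkout. The non-zero exit on findings is what makes it usable as a commit gate.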
Amazon And Facebook Reportedly Had A Secret Data Sharing Agreement*:
- Back in 2015, a woman named Imy Santiago wrote an Amazon review of a novel that she had read and liked.
- Amazon immediately took the review down and told Santiago she had “violated its policies.”
- Santiago re-read her review, didn’t see anything objectionable about it, so she tried to post it again.
- “You’re not eligible to review this product,” an Amazon prompt informed her.
- When she wrote to Amazon about it, the company told her that her “account activity indicates you know the author personally.”
- Santiago did not know the author, so she wrote an angry email to Amazon and blogged about Amazon’s “big brother” surveillance.
- Santiago, who is an indie book writer herself, said that she’d been in the same ballroom with the author in New York a few months earlier at a book-signing event, but had not talked to her, and that she had followed the author on Twitter and Facebook after reading her books.
- Santiago had never connected her Facebook account to Amazon, she said.
- Spokesperson Julie Law said by email at the time that the company “didn’t comment on individual accounts” but said, “when we detect that elements of a reviewer’s Amazon account match elements of an author’s Amazon account, we conclude that there is too much risk of review bias. This can erode customer trust, and thus we remove the review. I can assure you that we investigate each case.”
- If Amazon was sucking up data from Facebook about who knew whom, it may explain why Santiago’s review was blocked.
- Because Santiago had followed the author on Facebook, Amazon or its algorithms would see her name and contact information as being connected to the author there, according to the Times.
- Facebook reportedly didn’t let users know this data-sharing was happening nor get their consent, so Santiago, as well as the author presumably, wouldn’t have known this had happened.
- Amazon declined to tell the New York Times about its data-sharing deal with Facebook but “said it used the information appropriately.”
*Source: Gizmodo, December 19, 2018
- NASA servers were compromised in October, Bob Gibbs, Assistant Administrator for NASA's Office of the Chief Human Capital Officer, announced in a Tuesday memo to employees.
- As SpaceRef reports, the NASA server compromise happened on Oct. 23 and the servers targeted contained personally identifiable information (PII) for both current and former NASA employees.
- The personal data included Social Security numbers and "other PII data."
- Although NASA's cybersecurity team quickly contained the breach, it remains unclear exactly how much data was accessed.
- There is no time frame given for when this will be known, just that "NASA and its Federal cybersecurity partners" are examining the breach and will at some point in the future be able to conclude just how many people are affected.
- For now, all we know is that the personal data on the servers is for NASA Civil Service employees, those separated from the agency, and anyone transferring between Centers, for the period from July 2006 to October 2018.
- Any individuals who are found to be affected by the breach will be offered identity protection services to help counteract any use of their data by a third party.
- Gibbs also confirmed that no agency missions were jeopardized by this server breach; this is purely an employee data problem.
- However, it's worrying that an agency capable of transporting humans into space and allowing them to live outside Earth's atmosphere for extended periods of time, can't secure its own servers down on the ground.
*Source: PC Mag, December 19, 2018
2018: A Banner Year For Data Breaches*:
- A pair of software vulnerabilities and a resulting privacy scandal spelled curtains this year for Google’s consumer social media effort, Google+.
- First, a software bug in an API for the site was discovered by Google’s own internal security team this spring that allowed outside developers to access private Google+ profile data – for three years.
- Google decided not to disclose it, which led to plenty of bad publicity after the WSJ reported it in October.
- As if that weren’t bad enough, a second API bug surfaced in November that allowed apps requesting permission to view users’ Google+ profile information to gain full permissions, even when the user was not public.
- Marriott in November revealed that up to 500 million guests’ data had been exposed and available for the taking – since 2014.
- Hackers gained access to the Starwood reservation database to lift a social engineer’s dreamboat package: guest information, including name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
- For some, the data included encrypted payment card numbers and payment card expiration dates.
- Starwood, which includes hotels like St. Regis and Sheraton, was bought by Marriott in 2016.
- Under Armour:
- Fitness apparel firm Under Armour in March said 150 million users of its popular MyFitnessPal app were compromised after hackers accessed user names, email addresses and hashed passwords.
- The company received kudos for its speedy notification process – it started notifying victims four days after discovering the compromise.
- However, it also received criticism for some of the passwords being hashed in SHA-1, a notoriously weak encryption mechanism.
- Girl Scouts, Orange County:
- In October, The Orange County, Calif. branch of the Girl Scouts of America said it was hacked.
- An attacker gained access to an email account used by the troop, which the malefactor then used to send out emails of his or her own.
- While GSOC didn’t elaborate on the type of emails, presumably this was part of a phishing effort.
- The deeper issue is that the account has been used to coordinate travel for members in the past, according to GSOC, so it’s possible that the adversary rifled through the inbox and found personal information for as many as 2,800 girls and their families.
- In May, a Facebook software bug switched the “suggested audience” for posts to “public” for 14 million users.
- The glitch meant Facebook users who thought they were sharing content with just friends or small groups actually made their posts available to the general public.
- In September, Facebook said that hackers had exploited a flaw in its “View As” feature that left the access tokens of almost 50 million Facebook accounts ripe for the taking.
- And in December, Facebook disclosed a bug that enabled third-party apps to access unpublished photos of 6.8 million users.
- NASA in December admitted that it was hacked by an unauthorized intruder back in October, and that personally identifiable information for thousands of employees was compromised, including Social Security numbers.
- The server in question was apparently an HR database:
- Those affected are NASA Civil Service employees who were hired, those who left, and those who received transfers.
- NASA isn’t sure of the scope yet, but the amount of information exfiltrated is potentially significant.
- The compromised records are from July 2006 to October 2018, i.e. 12 years’ worth of data.
- In August, wireless carrier T-Mobile alerted millions of its customers to a breach of its website that resulted in subscriber names, zip codes, phone numbers, email addresses and account numbers being stolen.
- The alert went to 77 million customers, but only 3 percent of subscribers were affected, totalling about 2.3 million.
- Ticketfly, the events ticketing company, joined its rival, Ticketmaster, in breach land in June.
- Customers who went to Ticketfly’s homepage during the incident found a picture posted with the title “Ticketfly Hacked By IsHaKdZ” that said [sic]: “Your Security Down I’m Not Sorry… Next time I will publish database ‘backstage.’”
- According to a report, the hacker notified Ticketfly about a vulnerability enabling the data breach, and then asked for one bitcoin (around $7,500 at the time) in exchange for the information.
- What that information consisted of hasn’t been confirmed by the company.
- Expedia-owned travel site Orbitz in March said that both its consumer and partner platforms were compromised, leading to the disclosure of 880,000 payment cards.
- The consumer side of the Orbitz business platform was open to attack during the first half of 2016, while the partner platform was open to attacks for almost a year, between Jan. 1, 2016 and Dec. 22, 2017, according to Expedia.
- The data exposed included payment card information such as names, phone numbers, email and billing addresses.
- Passwords are notably absent from the list.
- Crowdsourced query site Quora in December found itself asking the question of “what happened?” in the wake of a massive data breach that impacted up to 100 million of its users.
- The incident has the dubious honour of being the biggest breach on our list.
- The hack exposed user names, email addresses, hashed passwords, direct message content and imported data from any networks that users linked to their accounts, like Facebook or Twitter.
- It also gave the information thieves access to a veritable treasure trove of social engineering and profiling fodder, such as questions, answers, answer requests, comments, up votes and down votes.
*Source: Threat Post, December 24, 2018
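The criticism in the Under Armour item above is that SHA-1 is a fast, unsalted general-purpose hash, so a stolen table of SHA-1 password digests can be tested against candidate passwords at very high speed. The usual remediation for a site that already holds such records is not a forced reset but a verify-and-upgrade path: accept the legacy digest once, on a successful login, and rewrite the record with a salted, iterated password hash. The code below is an added example written for this digest, not Under Armour's or MyFitnessPal's code; the record formats ("sha1$<hex>" and "pbkdf2_sha256$<iterations>$<salt>$<key>"), the iteration count and the sample user table are assumptions of the example.

```python
"""Added example: verify-and-upgrade for password records stored with a fast,
unsalted hash. Record formats, iteration count and the sample user table are
assumptions of this example, not any real site's scheme."""
import base64
import hashlib
import hmac
import os

# Assumption: iteration count in the range currently recommended for
# PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """Legacy scheme: one fast, unsalted SHA-1 over the password (the weak form)."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated record: pbkdf2_sha256$<iterations>$<salt b64>$<key b64>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def is_legacy(record: str) -> bool:
    """True for records still stored under the unsalted SHA-1 scheme."""
    return record.startswith("sha1$")


def verify_and_upgrade(record: str, password: str):
    """Check a password against a stored record.

    Returns (ok, replacement): replacement is a fresh PBKDF2 record to write
    back when a legacy record verified, otherwise None."""
    if is_legacy(record):
        ok = hmac.compare_digest(record, legacy_sha1(password))
        return ok, (hash_pbkdf2(password) if ok else None)
    scheme, iterations, salt_b64, dk_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected), None


def migrate_on_login(users: dict, username: str, password: str) -> bool:
    """Login path: verify, and transparently rewrite legacy records in place."""
    record = users.get(username)
    if record is None:
        # Spend the same work for unknown users so the response time does not
        # reveal whether the account exists.
        hash_pbkdf2(password, salt=b"\x00" * 16)
        return False
    ok, replacement = verify_and_upgrade(record, password)
    if ok and replacement:
        users[username] = replacement
    return ok


# Constructed sample user table: one legacy SHA-1 record, one already migrated.
USERS = {
    "alice": legacy_sha1("correct horse battery staple"),
    "bob": hash_pbkdf2("hunter2-but-longer"),
}

if __name__ == "__main__":
    print("legacy records before login:", sum(is_legacy(r) for r in USERS.values()))
    print("alice wrong password:", migrate_on_login(USERS, "alice", "not-it"))
    print("alice right password:", migrate_on_login(USERS, "alice", "correct horse battery staple"))
    print("legacy records after login:", sum(is_legacy(r) for r in USERS.values()))
```

Counting `is_legacy` records over the user table, as the `__main__` block does, is also the metric to track during a migration: accounts that never log in keep their weak record, and once the count stops falling the remainder needs a forced reset rather than waiting.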