Andrew Orr join host Kelly Guimont for Security Friday news, some ballot measures that passed, and even a security minded gift option.
data breach
Mattel Revealed it Suffered a Data Breach on June 28
Toy company Mattel suffered ransomware attack on June 28, 2020. It revealed this in a 10-Q form filed with the Securities and Exchange Commission (SEC).
On July 28, 2020, Mattel discovered that it was the victim of a ransomware attack on its information technology systems that caused data on a number of systems to be encrypted. Promptly upon detection of the attack, Mattel began enacting its response protocols and taking a series of measures to stop the attack and restore impacted systems. Mattel contained the attack and, although some business functions were temporarily impacted, Mattel restored its operations.
Marijuana Website ‘GrowDiaries’ Exposed User Data
GrowDiaries is a social media platform for marijuana growers. Two of its servers leaked user data like usernames and passwords.
Security Friday, Safari, Watch Pulse Oximeter – TMO Daily Observations 2020-09-18
Andrew Orr and Jeff Butts join host Kelly Guimont to discuss Security Friday news, Safari updates, and the latest feature of Apple Watch.
Security Friday, Encrypted Email – TMO Daily Observations 2020-08-21
Andrew Orr and Jeff Butts join host Kelly Guimont to discuss Security Friday news and how to encrypt email on iOS devices.
Security Friday: Instagram, Packet Loss, and Fortnite – TMO Daily Observations 2020-08-14
Andrew Orr and Bryan Chaffin join host Kelly Guimont to discuss Security (read: Facebook) news, Apple Card id protection, and Fortnite. Extended edition brought to you by intellectual laziness.
Security Friday - Apple Security, TikTok – TMO Daily Observations 2020-07-24
Andrew Orr joins host Kelly Guimont for Security Friday to discuss Apple’s new security research, a privacy app, and other security news.
DNA Company ‘GEDmatch’ Hacked in Data Breach
First, over a million DNA profiles from GEDmatch were leaked. Then, email addresses from the breach were used in a phishing attack against users of genealogy website MyHeritage.
As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.
If GEDmatch sounds familiar, it was the DNA database used to identify the Golden State Killer.
Security Friday: Wiping Devices, Password Project – TMO Daily Observations 2020-06-05
Andrew Orr joins host Kelly Guimont to discuss Security Friday news, how to wipe your devices, and Apple’s open source password project.
Amtrak Data Breach Affects Guest Rewards Accounts
Discovered on April 16, 2020, Amtrak suffered a data breach that affects its Amtrak Guest Rewards accounts.
The attack vector involved was compromised usernames and passwords, which may suggest the use of credentials previously leaked or stolen, or the use of brute-force methods.
Amtrak says that some personal information was viewable, although the company has not specifically said what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data was not involved in the data leak.
Marriott Hit by Second Data Breach Affecting up to 5.2M People
Hotel chain Marriott International has suffered a second data breach, exposing the personal data of up to 5.2 million guests.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
It sounds like login credentials of two employees were stolen, likely through a social engineering attack.
Security Friday – TMO Daily Observations 2020-03-05
Andrew Orr joins host Kelly Guimont for Security Friday! Hardware flaws, This Week in Who Has Your Data, and the latest in ending encryption.
Someone Hacked J.Crew Last Spring and we Only Find Out Today
According to a notice [PDF] from J.Crew, someone hacked the company last year. For some reason we’re only finding out about it today, a year later.
“The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders,” J.Crew’s data breach notification explains.
You know, sometimes when I write about this stuff, like Facebook doing every bad thing under the sun with our data, I stop and think: “Am I just a cynical a**hole?” Then, when yet another idiot company has a data breach, I realize, no I’m just reporting reality. These companies deserve to be named and shamed.
Cathay Pacific Fined £500,000 For Major Data Breach
Cathay Pacific was fined £500,000 by the UK ICO, the largest fine available pre-GDPR, for a data breach affecting 9.4million users.
Security Friday: Data Breaches, DNS – TMO Daily Observations 2020-02-21
Andrew Orr joins host Kelly Guimont for Security Friday, discussing a new data breach and keeping your ISP from selling your web history.
Defense Information Systems Agency Suffers Data Breach
Between May and July 2019 sensitive data like Social Security Numbers were stolen from servers belonging to the Defense Information Systems Agency (DISA), a U.S. defense agency. Earlier this month it notified victims.
The Defense Information Systems Agency has begun issuing letters to people whose personally identifiable information may have been compromised in a data breach on a system hosted by the agency. While there is no evidence to suggest that any of the potentially compromised PII was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised.
Chinese Military Charged With Equifax Data Breach
Four Chinese military hackers have been charged with breaking into Equifax’s network and stealing the data of tens of millions of Americans.
The accused hackers exploited a software vulnerability to gain access to Equifax’s computers, obtaining log-in credentials that they used to navigate databases and review records. The indictment also details efforts the hackers took to cover their tracks, including wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries.
Reminder that Equifax executives did insider trading based on the breach. They are criminals.
Anonymized Data May Be Less Anonymous Than You Thought
Students at Harvard built a tool to analyze datasets from data breaches. They could identify an individual despite promises of anonymized data from companies.
Lawyers Will Get Most of Your $125 Equifax Settlement
Remember when you signed up to get a US$125 Equifax settlement after its 2017 data breach? Lawyers will get most of it.
267 Million Facebook IDs, Phone Numbers Exposed
A database that contained over 267 million Facebook user IDs, phone numbers, and IDs was discovered on the web. It wasn’t password-protected.
Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.
Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.
Database of 1.2 Billion Records Found With Scraped Data
A database filled with 1.2 billion records of data was found on the dark web back in October. I hesitate to call this a data breach because:
While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.
In other words this is all data that people have willingly put on their social media profiles. While it can be used for nefarious purposes (especially phone numbers) this is less of a breach and more of a database of scrapes. Nevertheless I’m using our “data breach” tag.
Today in Data Breaches, "Think Different" Reminiscing – TMO Daily Observations 2019-10-01
John Martellaro and Bryan Chaffin join host Kelly Guimont to discuss the Zynga breach and look back at the 1997 Think Different ad campaign.
'Words With Friends' Data Breach Affects 218 Million
A hacker going by the handle ‘Gnosticplayers’ claims to have hacked Words With Friends and accessed a database with over 218 million users.
DoorDash Data Breach Affects 4.9 Million People
Another day, another data breach. This time it’s DoorDash and “unusual activity involving a third-party” affecting 4.9 million.