databreach
Latest
Yahoo loses its bid to reject data breach lawsuit
Yahoo (and by extension, its parent/Engadget owner Verizon) now has no choice but to face the majority of claims in a US lawsuit over the internet giant's multiple data breaches. California Judge Lucy Koh (of Apple-versus-Samsung fame) has denied Verizon's bid to dismiss numerous claims in the suit, including breach of contract and negligence. The plaintiffs' claims demonstrated that they would have "behaved differently" if they'd known about Yahoo's email security woes, Judge Koh said, and that Yahoo's attempts to limit liability were "unconscionable" given how much it knew about its security problems and how little it did.
Pennsylvania sues Uber over 2016 data breach
Uber may be trying to clean up its image with new services like Uber Health, but its past mistakes keep coming back to haunt it. Back in 2016, Uber was the target of a cyberattack, which exposed the personal information of 57 million people. It took Uber over a year to actually report the attack; the company instead chose to pay the hackers a $100,000 extortion fee. Now, the state of Pennsylvania is suing Uber for failing it immediately disclose the breach.
UK and Australia are monitoring their domains with Have I Been Pwned
A lot of people have used Troy Hunt's Have I Been Pwned to see if their email addresses are attached to any services that have experienced data breaches. Large organizations can also use it to search their domain names as a group and now, the service counts the UK and Australian governments among them. As Hunt explained in a blog post: "Amongst those verified domain searches are government departments and they too are enormously varied; local councils, legal and health services, telecoms and infrastructure etc...The thing is, loads of government departments within different countries have all been running these searches independently and that means an awful lot of duplication of effort has been going on."
Equifax finds another 2.4 million people affected by its data breach
Last month, reports surfaced that more information than previously thought may have been exposed in Equifax's massive data breach and today, Reuters reports, the has company confirmed it. Along with the 145.5 million individuals already reported to have been affected by the breach, Equifax says another 2.4 million were as well. However, their exposed data was limited to names and partial driver's license information. The company said that in most cases, home addresses as well as driver's license states, issue dates and expiration dates weren't included in the stolen data.
1Password now lets you see if your password has been leaked
If you have a 1Password membership, you can now check to see if your passwords have been compromised by data breaches and leaked on the internet. It's just a proof of concept feature for now, but 1Password says that in future releases, it will be added to Watchtower within 1Password apps. The feature is an integration of Troy Hunt's Pwned Passwords service that includes over 500 million leaked passwords.
Equifax breach may have exposed more data than first thought
The 2017 Equifax data breach was already extremely serious by itself, but there are hints it was somehow worse. CNN has learned that Equifax told the US Senate Banking Committee that more data may have been exposed than initially determined. The hack may have compromised more driver's license info, such as the issuing data and host state, as well as tax IDs. In theory, it would be that much easier for intruders to commit fraud.
Alphabet enters the cybersecurity business with Chronicle
Google parent company Alphabet has a new business and it's all about cybersecurity. Chronicle is an independent business under the Alphabet umbrella and it's aimed at helping companies find, track and stop cyber attacks. With two branches -- a cybersecurity and analytics platform, as well as a malware intelligence service called VirusTotal -- Chronicle will use its massive processing power and data storage capabilities to assist businesses in retrieving information more quickly than they can on their own as well as spot patterns based on years of data. "Add in some machine learning and better search capabilities, and we think we'll be able to help organizations see their full security picture in much higher fidelity than they currently can," said Chronicle CEO Stephen Gillett in a blog post.
Florida phishing attack exposes data for 30,000 Medicaid recipients
Large-scale medical hacks are horrible in themselves, but sometimes it's the ease of the hacks that's scary -- and Florida knows this first-hand. The state's Agency for Health Care Administration has warned that a phishing attack compromised data for as many as 30,000 Medicaid recipients. One of its staffers fell for a "malicious phishing email" on November 15th, giving hackers access not only to identifying info like names, addresses and Medicaid ID numbers, but also diagnoses and medical conditions. A would-be fraudster would theoretically have almost everything they could want.
India's massive citizen database was reportedly breached
India's government Aadhaar database, which holds personal information of over one billion Indian citizens, was allegedly breached, BuzzFeed News reports. Along with demographic info, the database also contains biometric data like fingerprints and iris scans. Indian publication The Tribune reported earlier today that it was able to access any registered citizen's demographics after it was granted admin access by an anonymous individual. In just 20 minutes, a reporter was given an administrator ID and a password after contacting the individual through WhatsApp and transferring what amounted to less than $8. Afterwards, the reporter was able to plug in anyone's Aadhaar number and get their name, address, postal code, photo, phone number and email. For an additional $5, the reporter was also able to get software that allowed them to print an Aadhaar card with anyone's number.
Forever 21 breach exposed customer credit card info for months
If you shopped at a Forever 21 store this year, there's a chance your credit card information may have been stolen, CNET reports. The retail store confirmed this week that between April 3rd and November 18th of this year, a number of point of sale terminals at stores across the US were breached. While it hasn't provided any numbers on how many customers were affected, Forever 21 did say that in most cases, card numbers, expiration dates and verification codes, but not cardholder names, were obtained by hackers. However, in some cases names were also obtained.
Russian hackers steal $10 million from ATMs through bank networks
The recent rash of bank system hacks goes deeper than you might have thought -- it also includes stealing cash directly from ATMs. Researchers at Group-iB have published details of MoneyTaker, a group of Russian hackers that has stolen close to $10 million from American and Russian ATMs over the past 18 months. The attacks, which targeted 18 banks (15 of which were American), compromised interbank transfer systems to hijack payment orders -- "money mules" would then withdraw the funds at machines.
Uber paid off a 20-year-old Florida man to destroy hacked data
More details are coming to light about Uber's huge data breach. Reuters is reporting that a 20-year-old Florida man was behind the 2016 extortion-oriented cyberattack and was paid through the firm's bug bounty program. We know that the individual, whose identity Uber refuses to disclose, received $100,000 for destroying the info, which exposed the personal data of roughly 57 million customers and drivers. The ride-hailing firm then kept quiet about the breach for more than a year. You can bet Congress and the five states investigating Uber will be paying close attention to any new nuggets of info.
Ex-NSA worker pleads guilty to taking data involved in Russian hack
The NSA hasn't been having the best week when it comes to security, but it's getting at least some closure. A former employee, now known as Nghia Pho, has pleaded guilty to bringing home classified data that was later stolen in a hack linked to Russian intelligence. Pho is expected to face prison time when he's sentenced on April 6th, but prosecutors have capped the maximum penalty to 8 years (versus the typical 10) and are open to calls for a lighter sentence given the non-malicious nature of the case.
Federal employees stole data from Homeland Security
Three employees of the inspector general's office for the Department of Homeland Security (DHS) are accused of stealing a computer system that contained around 246,000 employees' personal data. That information included names, social security numbers and dates of birth, USA Today reports, and one of the suspects is also said to have had in their possession around 159,000 agency case files. The data breach was reported to DHS officials in May and acting DHS Secretary Elaine Duke decided in August to notify the employees whose information was included in the stolen data.
Washington state sues Uber over data breach
The lawsuits are continuing to pile on top of Uber after it revealed that it covered up a hack in fall 2016. Washington state's Attorney General has sued Uber for allegedly violating its local data breach notification law. Companies are supposed to notify the AG within 45 days if a breach affects 500 or more Washington residents, but that clearly didn't happen when Uber paid hackers to keep quiet. The state is demanding penalties of up to $2,000 for each person whose data was exposed, which should lead to a penalty in the "millions of dollars."
Uber may have to answer to Congress about data breach coverup
Five states are already investigating Uber's breach that exposed data on 57 million of its users, which the company hid for a year. But now the ridesharing titan will have to explain its actions to Congress. Five Democratic and Republican Senators sent a series of letters to Uber asking why it didn't inform customers sooner, whether it's working with law enforcement and how it will help the users affected.
Hacker in massive Yahoo breach expected to plead guilty
While it's doubtful that the US will catch the Russians accused of participating in the massive 2014 Yahoo breach, a third culprit appears ready to cooperate. Reuters has discovered that Canadian citizen Karim Baratov is slated to appear for a "change of plea" hearing on November 28th, indicating that he's likely to plead guilty to helping Russian officers (Dmitry Dokuchaev and Igor Sushchin) swipe 500 million Yahoo accounts. His attorney has declined to comment, but he has already waived his right to avoid extradition to the US.
SEC knew about weak security years before hack
The hack that compromised the US Securities and Exchange Commission was a shock and more than a little damaging, but could it have been prevented? Unfortunately the answer is very likely yes. The Hill has combed through the SEC's internal evaluations, and it's now clear that the Commission had been warned about digital security issues for years. An inspector general audit warned about "weaknesses" in the SEC's security measures back in 2013, and multiple warnings appear to have sometimes fallen on deaf ears. A June 2016 inspector general report said the SEC hadn't "fully addressed" some problems from previous audits, and was at "increased risk" of intruders taking sensitive data.
Uber's new chief knew about hack months before the public
Uber may have come clean about the grievous hack that exposed data for 57 million users, but it apparently took its time getting to that point. Wall Street Journal sources have learned that new CEO Dara Khosrowshahi was informed about the data breach two weeks after he took the reins on September 5th, or more than two months before informing the public. There were reasons for the delay, according to the tipsters, but it still meant leaving people out of the loop.
Image-sharing site Imgur was hacked in 2014
Imgur, a popular picture-sharing site, revealed today that it suffered a data breach in 2014, claiming it was just notified of it on November 23rd. In a blog post, Imgur said hackers stole email addresses and passwords of 1.7 million user accounts -- a small fraction of its 150 million total users. No other personal information was allegedly exposed, since Imgur says it has never asked for people's real names, addresses or phone numbers.
