databreach

Latest

  • Retail's response to Apple Pay and Google Wallet already hacked

    by 
    Jon Fingas
    10.29.2014

    If the retailers backing the CurrentC mobile payment system hope to topple NFC-based technology like Apple Pay and Google Wallet, they may need to improve their safeguards for your data. CurrentC is now warning people in its beta program that "unauthorized third parties" (read: hackers) swiped some of their email addresses. While that appears to be the only information at risk, the loss isn't an auspicious sign for a service that's still months away from launch -- especially one that touts privacy and security as "top priorities." It's not clear who's responsible, either, although the platform's architect, the Merchant Customer Exchange, says that it's still investigating the breach. Whatever happened, it's safe to say that the incident underscores one of the main concerns of middleman-based payment systems like CurrentC. Handing sensitive info to in-between providers, no matter how careful they are, leaves you that much more vulnerable to theft.

  • Windows 10 has new ways to protect you against internet data breaches

    by 
    Jon Fingas
    10.23.2014

    There are plenty of online services that use two-factor authentication to reduce the chances of someone hijacking your account after a data breach, but what about the operating system on your PC or phone? You'll get that safeguard if you use Windows 10, according to a Microsoft security brief. The new OS will optionally treat a device (including something nearby, like your phone) as one authentication factor when signing into a local or internet account, and a PIN code or biometric reader as the second. If hackers find your login data sitting on a server, they won't get to use it unless they also have your gear -- and in some cases, they may need a fake fingerprint as well.

  • South Korean data breaches leave every citizen's ID at risk

    by 
    Jon Fingas
    10.14.2014

    There are big data breaches, and then there are massive, nation-changing data breaches. South Korean officials have warned that hacks targeting the country's national ID number system were so damaging that the government may not only have to revamp how it issues ID numbers, but hand out new ones to every citizen. That could cost the equivalent of $650 million by itself, and businesses might have to spend billions of dollars upgrading their systems to match -- you need that ID for many basic tasks in South Korea, so it's not just a question of a simple software fix.

  • Attackers hit Yahoo using the Shellshock bug, but your data is safe

    by 
    Jon Fingas
    10.06.2014

    Looks like it didn't take long for the Shellshock security flaw to claim its first major victim. Yahoo has confirmed to both Future South Technologies and SecurityWeek that hackers used the command line exploit to breach at least two of its servers. Future South's Jonathan Hall found that the Romania-based intruders were using Shellshock to slowly hijack servers (including those of other companies) and build up an "arsenal" for hitting increasingly valuable targets, particularly Yahoo Games.

  • 5 million Gmail passwords published, but don't panic

    by 
    Jon Fingas
    09.10.2014

    You might need to change your email password in the very near future. A member at a Russian Bitcoin forum has posted almost 5 million Gmail passwords, around 60 percent of which are reportedly still working. It's not clear how the poster managed to scoop up all this account info, but Google tells Cnews that it comes from a long stretch of hacking and phishing attempts that stole data from individual users. Gmail's servers weren't breached, the search giant says, and much of what's there is old. That's somewhat comforting, but you may want to check if your account is one of the unfortunate targets -- you don't want to give thieves easy access to your most sensitive info.

  • Data breaches compromised the info of US undercover investigators

    by 
    Jon Fingas
    08.24.2014

    Data theft is normally pretty bad all on its own, but a recent breach at US Investigations Services (a background check company) may have created some extra-strong headaches for the US government. Reuters understands that the intrusion exposed personal information of 25,000-plus Department of Homeland Security workers, including "some undercover investigators." There's no certainty that the attackers stole those agents' information, but there's a real chance that their identities are out in the wild -- a big problem if suspects can double-check identities and avoid getting caught. The concern is exacerbated by the nature of the attack, which USIS believes might have been "state-sponsored."

  • UPS says malware attack compromised customer info at 51 of its stores

    by 
    Sean Buckley
    08.20.2014

    Have you done any business with UPS recently? You'd better check out the company's website: some of its stores may have leaked your personal data. After receiving a security advisory from the US Government, the company discovered that 51 UPS Stores were infected with malware, potentially compromising customer data for more than 105,000 transactions. UPS has already removed the offending software, of course, but the damage may have already been done. Now the company is trying to make good.

  • Fandango finalizes a truce with the FTC after exposing your movie ticket data

    by 
    Jon Fingas
    08.19.2014

    Fandango slipped up in a big way between 2009 and 2013: its mobile apps would send your movie ticket purchases without a basic security measure, leaving credit card info and other data vulnerable to theft. However, the company is about to make amends for playing fast and loose with your personal info. The FTC has just approved a settlement with Fandango that will require the movie service to follow the straight and narrow. As agreed to in March, Fandango has to implement new procedures that address security concerns in apps before they reach the public; it will also have to get independent security reviews every other year for the next 20 years. The remedy won't help much if someone swiped your banking details while you were watching a summer blockbuster, but it should at least reduce the chances of a movie-related breach in the future.

  • Hackers target grocery chains for customers' credit card info

    by 
    Mariella Moon
    08.15.2014

    You know why you should always keep a close eye on your credit card activity? Because hackers can target any kind of establishment, whether they're huge corporations, mom-and-pop shops or, in this case, grocery chains. American chains SuperValu and Albertsons have just revealed that digital brigands recently broke into their computer networks and, worse, were able to access the portions where customers' credit or debit card details are stored. SuperValu owns Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save, and Shoppers Food and Pharmacy -- 180 outlets of which were compromised -- while Albertsons is one of its former properties. The security breach happened entirely on SuperValu's end, though, as it still provides Albertsons with IT services despite selling it back in 2006.

  • Search engine turns the tables on hackers by exposing their info

    by 
    Jon Fingas
    07.20.2014

    Want to see a textbook definition of irony? Look no further than Indexeus, a search engine that primarily exposes the info of malicious hackers caught up in the very sort of data breaches that they inflict on others. As it was originally structured, people had to "donate" $1 for every record they wanted to purge from the engine's index; in other words, they had to pay to avoid the wrath of their fellow thieves. This was ostensibly to create "awareness" of susceptibility to attacks, but critics have complained that it amounts to extortion.

  • Navy sailor pleads guilty to hacking from an aircraft carrier

    by 
    Jon Fingas
    05.21.2014

    You may think that the US Navy's biggest digital threats come from the outside, but that's not always the case. Former Navy serviceman (and leader of the hacking group Team Digi7al) Nicholas Paul Knight has pleaded guilty to charges that he and co-defendant Daniel Kreuger conspired to steal identities from numerous internet sites, including a Navy personnel relocation system. Knight was caught after investigators realized that someone in Digi7al was posting on Twitter from the Navy's internal network -- as it turns out, the sailor was breaking into databases while he was a system administrator aboard the aircraft carrier USS Harry S. Truman.

  • Health care outlets pay $4.8 million after 6,800 patient records leak on the web

    by 
    Jon Fingas
    05.10.2014

    Want to know why health care institutions can be antsy about making their patient data available online? Here's why: Columbia University and the New York and Presbyterian Hospital have paid a total of $4.8 million to settle charges after they inadvertently leaked the records of 6,800 patients to the web in 2010. The organizations allegedly didn't do enough to identify systems that had sensitive info, leaving them unprepared when a physician switched off a personal server that was keeping the records private. Both outlets are overhauling their policies in the wake of the settlement, so a repeat incident is less likely. Still, the breach is a not-so-friendly reminder that there are big risks to putting medical histories on networked computers -- your data is only as safe as the system it's on.

  • Target CEO steps down in aftermath of customer data breach

    by 
    Jon Fingas
    05.05.2014

    The fallout from Target's massive customer data breach continues: following the departure of the retailer's chief information officer in March, CEO Gregg Steinhafel has stepped down. The executive feels he's "personally accountable" for the lax security that let the breach happen, and is bowing out after "extensive discussions" with the board of directors. He'll hang on as an advisor while Target looks for a replacement, and CFO John Mulligan will run the company in the interim.

  • White House advisors call for an internet privacy bill of rights

    by 
    Steve Dent
    05.02.2014

    Ninety days ago, President Obama ordered a review about internet privacy, data use and other concerns sparked by the NSA spying revelations. Following a public consultation, the report has now been released by White House counselor John Podesta. Though flawed -- there's no mention of NSA spying activities, for instance -- it's already being lauded by consumer advocacy groups. The 85-page document notes that while the mountains of data collected by government and corporations like Google and Apple are incredibly useful, much more needs to be done to protect civil rights.

  • US Attorney General wants law requiring notifications after data breaches

    by 
    Jon Fingas
    02.24.2014

    Large-scale data breaches have become all too common as of late, and US Attorney General Eric Holder wants to do more than just catch the thieves. He has asked Congress to create a federal law requiring that companies notify their customers after detecting serious intrusions. Holder's proposal would exempt firms from reporting low-risk breaches, but it would also punish companies that either don't send a quick alert or haven't been doing enough to protect data in the first place. The would-be law isn't strictly necessary when 45 states have notification requirements in place, but it would hold corporations to a similar standard across the country.

  • Five hackers indicted for largest known financial data breach in US history

    by 
    Nicole Lee
    07.25.2013

    There are your everyday run-of-the-mill hackers, and then there are the hackers who set the bar for everyone else. Though we'd hardly call them exemplary individuals, the five culprits recently indicted for the largest known financial hack in US history would certainly belong in the latter category. Comprised of four Russians and a Ukrainian, the quintet's unsavory accomplishments include breaking into networks belonging to major corporations like Nasdaq, Dow Jones, 7-Eleven and JCPenney -- siphoning more than 160 million credit card numbers and bringing about millions of dollars in losses. They did so with SQL injection attacks to install malware that let them crack passwords and snag other sensitive data. Two of them -- Vladimir Drinkman and Dmitriy Smilianets -- have been arrested, while the rest -- Alexandr Kalinin, Roman Kotov and Mikhail Rytikov -- remain at large. All five could be behind bars for decades if found guilty. For the nitty gritty as to just how and which companies were affected, hit up the source link below. It's enough to make you want to change your password several times over.

  • Yahoo confirms server breach, over 400k accounts compromised

    by 
    Michael Gorman
    07.12.2012

    Online account security breaches are seemingly commonplace these days -- just ask LinkedIn or Sony -- and now we can add Yahoo's name to the list of hacking victims. The company's confirmed that it had the usernames and passwords of over 400,000 accounts stolen from its servers earlier this week and the data was briefly posted online. The credentials have since been pulled from the web, but it turns out they weren't just for Yahoo accounts, as Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com login info was also pilfered and placed on display. The good news? Those responsible for the breach said that the deed was done to simply show Yahoo the weaknesses in its software security. To wit:

    "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

    In response, Yahoo's saying that a fix for the vulnerability is in the works, but the investigation is ongoing and its system has yet to be fully secured. In the meantime, the company apologized for the breach and is advising users to change their passwords accordingly. You can read the official party line below.

    "At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."

  • Vlingo co-founder explains data-collection issues

    by 
    Daniel Cooper
    01.26.2012

    With Carrier IQ and O2's most recent data-snooping, people's vigilance about what information cellphones transmit is increasing. Using a Galaxy Note, AndroidPit found that every four minutes, Vlingo's voice-recognition app was sending a packet of data to an unencrypted server. The packet contained your GPS co-ordinates, IMEI (unique device identifier), contact list and the title of every song stored on your device -- without proper warning in the privacy policy you agree to when starting up the app. We spoke with co-founder John Wynn, product marketing head TJ Leonard and communications manager Erin Keleher, who gave us a full and frank discussion about what's going on and the steps it's taking to remedy the situation, which we've got for you after the break.

  • PlayStation Store, Qriocity returning to Japan this week, completing global PSN restoration

    by 
    Amar Toor
    07.04.2011

    Sony's 'Welcome Back' campaign may have drawn to a close a bit early, but the PlayStation Network won't make its full return to Japan until later this week. As of July 6th, Japanese gamers will once again be able to access the PlayStation Store and Qriocity, bringing an end to a nearly three-month suspension enacted after April's widespread data breach. These services have already been reintroduced across other parts of the globe, but Sony encountered notably stiffer resistance in its homeland, where authorities demanded assurance of the PSN's security before allowing it to relaunch within their borders. The PlayStation Store remained down throughout Sony's negotiations with government officials, but company spokesman Satoshi Fukuoka says those discussions have advanced far enough for full services to resume. The PSN's long-awaited return to Japan will also signal its full global restoration, meaning that Sony may finally be able to put the saga to rest -- and try to forget about that $170 million it lost in the process.

  • Sony promises global PSN restoration by week's end, except in some parts of Asia

    by 
    Amar Toor
    05.31.2011

    It looks like Sony's long, PSN nightmare is finally coming to an end -- almost. Today, the company announced that it will restore PlayStation Network and Qriocity services in the Americas, Europe and most of Asia by week's end. The only exceptions are Hong Kong, South Korea and Japan, where users will have to await further details before regaining full access. Speaking to the Wall Street Journal, spokeswoman Yuki Kobayashi added that Sony is in the process of finalizing an agreement to protect credit card owners in these three countries, where authorities have taken a particularly cautious approach to the data breach. This means that the company won't see global restoration by the end of May, as previously hoped, but Kobayashi said the plans were delayed simply because Sony needed more time to fully secure its infrastructure (sound familiar?). You can read a lengthier explanation in the press release after the break.