It gets worse.
2 Likes
Oxfam Australia
In January 2021, Oxfam Australia was the victim of a data breach which exposed 1.8M unique email addresses of supporters of the charity. The data was put up for sale on a popular hacking forum and also included names, phone numbers, addresses, genders and dates of birth. A small number of people also had partial credit card data exposed (the first 6 and last 3 digits of the card, plus card type and expiry) and in some cases the bank name, account number and BSB were also exposed. The data was subsequently made freely available on the hacking forum later the following month.
Data lost/hacked was:
Bank account numbers, Dates of birth, Email addresses, Genders, Names, Partial credit card data, Payment histories, Phone numbers, Physical addresses
Number of lost client records:
1,834,006 (1 in about every 14 Australians it would seem to equate to)
Information courtesy of http://haveibeenpwned.com/
Oxfam in their press release declined to state how many clients had been affected…I think the excuse is weak but here is what they said and judge for yourself how advising how many had been affected would allow what Oxfam suggests could be the fallout:
“In the interests of ensuring the ongoing security of our database and our supporters’ privacy and protection and to reduce the risk of attempts by scammers to target Oxfam supporters, we are not releasing details of the number of people who may have been impacted”
Yeah right!! More likely they don’t want their supporters to know how many of them are affected…bum covering is my opinion. Adding the words “ongoing security” in the light of loss of the security seems a weird choice…perhaps they should have used “future security” because it hasn’t been ongoing due to the loss of control.
5 Likes
I signed up for Firefox Monitor a while back. It emails whenever my email shows up on a hacker site. I received one about the Oxfam breach this morning.
It is a good service, no cost.
5 Likes
It uses haveIbeenpwned for the breach info, which is also a free service. Troy Hunt still is the one behind the pwned service.
From Firefox Monitor FAQs
“ How does Firefox Monitor know I was involved in these breaches?
Firefox Monitor gets its data breach information from a publicly searchable source, Have I Been Pwned. If you don’t want your email address to show up in this database, visit the opt-out page”
3 Likes
It seemingly does not make sense.
Possibly something has been lost in translation i.e. someone, somewhere deep in the bowels of cybersecurity made a recommendation and that text is what it has become.
Does mandatory disclosure need to cover this? i.e. take away the choice from the victim organisation to reveal the scale of the breach. (This breach is pretty small in the overall scheme of things.)
One thing that bugged me:
purchased through our former shops
So let me get this straight … the shops don’t exist any more but they were keeping the transaction info “just in case” … and hackers copied that info.
This is a fundamental problem with Big Data, and government is part of the problem, not part of the solution.
PS The link that you included at the top of your post was its own mini data breach. 
I hate those opaque links. Here’s a clean link: Oxfam Australia was the victim of a data breach
2 Likes
Fixed it, was a simple copy and paste of Troy’s info in the first place so not sure how the data was added. Noting that the post to the Firefox Monitor FAQ didn’t include the garbage.
1 Like
A link from @Fred123’s article in Secrecy, privacy, security, intrusion about the hack of the Airlines Frequent Flyer data
3 Likes
A data breach of a slightly different kind: Hackers say they've gained access to surveillance cameras in Australian childcare centres, schools and aged care - ABC News
Just a lazy 150,000 surveillance cameras worldwide.
I tear my hair out with the idiocy of the concept of a camera company having remote access to the camera after the camera is sold …
The hackers claim to have peered inside women’s health clinics, psychiatric hospitals, prisons, police stations and gyms in the US.
Great. No security fail there.
4 Likes
No system should ever be considered unhackable. If you considered your database as a hackable target, there is no way you’d ever design that level of access behind a single door. Terrible security decision. Even if you require post-sale access to the cameras, surely they should be accessed through separate servers
4 Likes
Once upon a time Computer Science 101 taught systems programmers that the number 1 job of any operating system was to protect itself from users and their applications. It took lots of compute power and some OS were more successful than others. Consequently Applications Programming 101 taught that the application had to protect itself from the user. Back when it was noticed few applications tested the inputs for the unexpected, relying on every user to be using the application for its intended purpose.
There was networking and remote access, mostly proprietary, and then ‘the internet’ happened.
Unfortunately in the name of function and the processors available in the times, those ‘101’ lessons got lost, and by the time anyone remembered they might have been necessary foundations it was too late. It evolved into ‘look what we can do now’ rather than ‘we can do this securely and safely’.
4 Likes
Or require some action on the part of the customer to enable remote access on a temporary basis.
Or both.
Or anything else that you can think of.
But open slather by default (or even mandatorily)? There should be a law against it …
3 Likes
Hence one of the easiest ways for malicious actors to get where they are not supposed to be - via such fun tricks as buffer overflows and command line injections.
Thanks once again to XKCD for an easy explanation.
5 Likes
