
Some more Data Breaches of 2016, 2017, 2018 & 2019


#33

ANU have only recently detected a data breach which occurred in 2018 that has exposed up to 19 years of records of Personnel, students, and visitors. Data that has been accessed/stolen/breached depending on what the affected person provided ANU may “include names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed”.

If you have or had any association with ANU it may be advisable to contact them to ascertain what of your data may have been compromised and to be wary of any possible unlawful use of your data eg identity theft, accessing your accounts.

For an ABC article on the breach see:

It concerns me that a University with what you would hope was smart IT staff would store information of such a personal and vital nature in a way that allowed it to be accessed and read without some serious encryption making it unreadable. I understand that access to some data needs to be readily available at short notice but 19 years’ worth is a bit beyond the pale (why wasn’t anything not immediately needed archived and stored in encrypted form?).


#34

I got an email from the “Vice-C” advising of this. Prior to this I had no idea they had my email - but it must have been through a rather tenuous non-study communication. At least I am fairly sure they don’t have much of my data.


#35

Encryption is only helpful if the hacker accesses the data at a level below the normal level of access. At the normal level of access by definition the data has to be accessible in plain text otherwise there would typically be no point having it.

For example, the Westpac attack (being discussed here: Real-time payments are on the way but maybe is missing here) basically looks like a screen scraping attack - and no amount of encryption will help. They may need rate limiting and/or they may need a CAPTCHA.

At the other end of the scale, if the attackers are able to bypass the web and application tiers and get direct access to an SQL database then having some fields stored encrypted in the database will help (under the potentially bold assumption that the attackers have been able to get or access the SQL database but not get the encryption key).

Insufficient information about the ANU attack has been made available.

(Regulations may require credit card numbers to be stored encrypted.)


#36

I agree that there will be information that needs to be readily accessible and as such may not be encrypted (but should be well secured by good security eg password access, 2 factor authentication, firewalls, and similar) but 19 years of data is somewhat less excusable. In some of my work areas data that didn’t require immediate access needed an appropriate authorisation and then the data was retrieved from offline storage and made available. Once the data was no longer needed it was scrubbed from the live systems and again resided on offline storage.

Even if they decided to store historical data in live systems, they should have had systems in place that made that data unreadable unless the correct authorisation was input to decrypt the data. That would/should entail that the authorisation was not stored in such a way that it could be accessed from the same live system. Air gap and/or even SDP is highly recommended and Air gapping perhaps should be required for the password/phrase storage :smile:.

Some businesses store some data in hash & salted form so things like passwords are very difficult to crack and then they encrypt the other data so that the only way to gain access to the reversible data is by use of the secured password/passphrase. Keyloggers or other measures may have been put in place to get the access credentials but regular and thorough checks and audits of systems and access should have been undertaken to reduce this threat to an absolute minimum and to ensure if breached that the breach was quickly detected.

In the ANU breach (unfortunately similar to many others) the breach occurred well into the past and was only detected 2 weeks ago. Sorry, this is not good security from such an “elite” education facility and one that should employ very competent IT security staff; it might be excused somewhat in a less well resourced business but this is not some novice organisation. The statements attributed to the Vice Chancellor Professor Schmidt do not inspire me that sufficient regard was made previously to the need to proactively secure the data, ie “The university has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion,” he said.

“The chief information security officer will be issuing advice shortly on measures we can all take to better protect our systems, and I strongly encourage you all to implement those measures.” (why wasn’t this addressed long ago)

“I assure you we are taking this incident extremely seriously and we are doing all we can to improve the digital safety of our community. We are all affected by this and it is important we look after one another as our community comes to terms with the impact of this breach.” (they should be taking it seriously but I guess they have to make the statement in case people don’t understand that they do take it seriously because they got breached some time ago and only just found out)

The horse has bolted so now they secure the gate…too late…


#37

Yes. It could have been archived, which creates an effective airgap in many cases.

I think data hoarding is a problem. The data was presumably being kept “just in case” rather than that there was a real ongoing business need for such ancient data.

Particularly as they had a fairly recent previous data breach.


#38

“unforeseen human error” causes an email that I “may have received” yet “will have received” and they foresee that this “unforeseen human error” is a “one-off occurrence”

It’s also “not the result of any breach of data or confidentiality”. We’ll have to take their word on that I guess.

gold …

I haven’t subscribed to anything from Flight Centre for many years - looking at my records, I unsubscribed in 2012 … The apology email suggests only previous subscribers, not current, received the errant email … interesting …

Not surprising but still worth the reminder that many organisations’ terms and conditions cover their retention of data; unsubscribing doesn’t necessarily take you off their books (I’d suggest rarely if ever), even if you have never actually done any actual business with them other than subscribe to one of their newsletters/etc …


#39

Unless the government radically steps in on behalf of its citizens we had all better get used to it.


#40

This is where ‘Sign in with Apple’ looks interesting for iOS/iPadOS/OSX devices. Apple states their plan is when you sign in, their server will generate a random email address, and forward emails to your actual email address. That way as soon as you sign out that forwarding stops, and if there’s a data breach on any of those sites they only get the dummy email. Presuming Apple themselves never have a data breach of course.


#41

While hopefully affecting no one in Australia, this data breach should cause some IT security teams, especially in Aust Govt, to look hard at their systems and continually review the processes. Bulgaria had its entire adult population’s Tax Office data exposed publicly.

From an article of the breach “Five million of the country’s seven million citizens had their personal data exposed in a hack of the country’s national tax agency. The information leaked in the attack includes social security information and income in addition to full names, birthdates and addresses dating back as far as 2007. That’s not only everything an identity thief would want, but also enough data to comb through and isolate the most lucrative targets. The hacker released half of the database to reporters, and then posted the other half to several public forums”.

To read that article see:

Also see:

They caught them (maybe all maybe not) but that’s after the fact and too late to stop use of the data by anyone who wishes to do so.


#42

And this one regarding Capital One with over 100 million customers involved.


#43

From the linked article:

There was then a demand to release Wikileaks founder Julian Assange.

? I don’t reckon that it’s the Bulgarian government that is holding Julian Assange.

Under the GDPR, the National Revenue Agency could be issued with a fine of up to €20 million for failing to adequately safeguard the data of Bulgaria’s citizens.

How does that work? If you are a Bulgarian taxpayer then

a) your tax office just allowed your personal information to be plastered all over the internet, and

b) you get to pay the fine (indirectly).

It needs to come out of the pockets of the Bulgarian members of parliament and the relevant employees of the tax office.


#44

I didn’t say that they demanded the release of Julian Assange, it was part of the article from PrivSec :slight_smile: I don’t mind attribution where it is my text but I certainly didn’t write that part.

The other article made reference to Assange as well but pointed to a part of an email the hacker sent that was a variation of a quote that is sometimes said to be attributed to Julian ie “The state of your cybersecurity is a parody”.

But I agree that he isn’t being held by the Bulgarian Govt, any individual or business. Nor would that Govt have much say in getting him released, though they can appeal to the other EU member States and the EU Courts to try and achieve some outcome.

They did catch who they believe was the hacker and another person whom they believe was also involved. Whether these are the only culprits I guess only time may tell. Those caught have been charged with Terrorism offences.

As for the penalty, the same way it works here if our Govt/Govts are fined in the secret FTA courts. The Govt pays it out of their General Revenue accounts and the taxpayer foots the bill. Just in this case this is an obligation of a State/Country in the EU to conform to the legislation. Yes the Taxpayers cop the bill in the end. If the taxpayers get mad enough they may vote the Govt out and if they have to continue to pick up the bill for faulty Govt IT security it may bring that reality home sooner for the Govt. I agree it would be nice to make the ones who failed to protect the information pay the cost but do we make our Pollies pay the bill when they stuff up not securing our data or allow a breach of a FTA? Or do we make the ATO pay us for the lost Billions they allow to go out the country by allowing Businesses and Individuals to send it to Tax havens? Sadly, no we don’t and we pick up the bill and pay the price for those failures.


#45

My bad. Sloppy markup. I edited the post to make it clearer.


#46

A data breach in the UK has released very sensitive data about 1 million people and includes non-changeable biometric data … their fingerprints are part of this data but it also includes face recognition data. While this probably doesn’t affect Australians it shows how even businesses that are tasked with handling this information are not dealing with the task in a proper manner.

As they say in the linked article data breaches are occurring at “shocking regularity”. To read more see:


#47

Somewhat more detail in the link on the link: https://www.vpnmentor.com/blog/report-biostar2-leak/

Not shocked at all though - and that’s the point that never seems to get through to our legislators.

From the actual report:

unencrypted passwords

OMG. It’s 2019 and people are still using plaintext-stored passwords. This should be illegal. Heads should roll. Haven’t they heard of hashing (with salting)?

That allowed the actual passwords to be readily analysed too. Weak passwords like “abcd1234”.

OMG. It’s 2019. Haven’t they heard of enforced password complexity?

Not that it matters much if you are going to publish the plaintext password on the internet.


#48

I listened to a podcast called ‘Cyber Hacker’ recently. Dumb name but really interesting stuff. The advice he gave for businesses is have emergency briefs planned, because it’s inevitable that any business with data will have a breach, regardless of security measures.


#49

From a ‘security’ company. I suspect it is going to lose a lot of customers in the near future. I see that the VPNMentor article mentioned hashing but not salting - tsk tsk!

I was also wondering if there is a standard format for storing fingerprint data, until I came to this sentence:

Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.

Just… what? Seriously, what were they thinking?

I recommend Security Now. It’s part of the TWIT network - and similarly, the advice is not ‘if you get hacked…’ but ‘when you get hacked…’.
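The plaintext-versus-salted-hash point raised in #47 and #49, as an added Python example (not code from this thread or from the vendor discussed); it uses only the standard library, and the user table and word list are constructed for illustration. It shows what an auditor sees in an unsalted table (reuse and weak passwords are visible without cracking anything) and what changes once each user gets a random salt and a slow KDF.

```python
import hashlib
import os
import secrets

# Constructed sample credential set (not data from the BioStar 2 report).
USERS = {"alice": "abcd1234", "bob": "abcd1234", "carol": "Tr0ub4dor&3"}
COMMON = ["password", "abcd1234", "123456"]  # constructed mini word list
ITER = 100_000  # PBKDF2 work factor; tune upward for production


def unsalted_store(users):
    """The scheme the thread criticises: one plain SHA-256 per password."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users, iterations=ITER):
    """Per-user random 16-byte salt + PBKDF2-HMAC-SHA256 (slow by design)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def verify(store, user, password, iterations=ITER):
    """Login check against the salted store, constant-time comparison."""
    salt, digest = store[user]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(cand, digest)


def reuse_groups(store):
    """Users whose stored value is identical. Without a salt, identical
    passwords give identical digests, so reuse is visible at a glance."""
    groups = {}
    for u, v in store.items():
        key = v if isinstance(v, str) else v[1]  # str digest or (salt, bytes)
        groups.setdefault(key, []).append(u)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def audit_common_passwords(unsalted, wordlist=COMMON):
    """Self-audit of an unsalted table: which accounts match a precomputed
    digest of a common password. A salted table defeats this lookup."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[d] for u, d in unsalted.items() if d in table}
```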


#50

This news article reports on an iPhone spyware infection that may go back to 2016 or so. Who was affected? No one is really sure of how many. Data that was compromised if a phone was affected included “WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and real-time location — essentially all the databases on the victim’s phone”.

To read the article see:


#51

Fixing that for you: “data that was compromised if a phone was affected” is everything on the phone. :slight_smile:

China again?


#52

China again? I think the assumption was that it was but it could be US or really any other country these days that has a desire to know.