
Some more Data Breaches of 2016, 2017, 2018 & 2019


#22

an emergency call centre has been set up to handle customer enquiries, including the Takata recall.

It comes after reports hackers broke into the medical files at Melbourne Heart Group, a tenant at the Cabrini Hospital, and demanded a ransom after scrambling the data of about 15,000 patients.

The Melbourne Heart Group confirmed it had been unable to access patient data for weeks,

What, no backups? :scream:


#23

A few more huge lists of data have been found on the public internet. One contains about 2.2 billion accounts/email addresses and has been labeled Collection #2, which is a follow-on from the nearly 800 million in Collection #1 (the Collections listings are also growing: https://www.troyhunt.com/the-race-to-the-bottom-of-credential-stuffing-lists-and-collections-2-through-5-and-more/).

Another one includes nearly 800 million publicly listed details from an unsecured database that includes/included dates of birth, phone numbers and other information, including email addresses, of people from a company called “Verifications.io” (archived site which is still available). This company provides a service which allows subscribers to upload lists of email addresses to validate them (see https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/; haveIbeenpwned now lists it too).

All the privacy policies that businesses have tell us how they will protect our information and then you get failures to adequately secure what they require you to provide…it becomes almost laughable (if it wasn’t so serious).


#24

It seems to have become the default position to obtain your personal information whether websites need it or not. It is impossible to get past the landing page on some websites without registering and providing your details.

We were looking to provide a room for uni student accommodation. We contacted a large Australian organisation that does this to ask if what we had was suitable. They would not provide an answer unless we registered, so we had a look at the online form they had on their website. The questionnaire was quite intrusive, and asked for details they had no need to ever know. They also wanted our bank details, driver’s licence numbers, etc, etc. And they weren’t using https either.

I rang their local director to discuss this overreach of data collection at just the early inquiry stage. I was told that they would not proceed without this information. So I asked about the security of their data and their facility. The director told me that within their organisation access to the data was restricted on a need-to-know basis. When I asked whether the data was encrypted, and what security there was on the data servers, she repeated the previous statement. In other words, there was no security, and our enquiry about letting the room stopped then and there.

I can understand that at some point it may be necessary for sites to get your details, such as if you are actually buying stuff, but I disagree with that data collection as a ‘toll’ you have to pay just to get onto the site or get a $ price.

I think there is a need to extend data privacy laws to restrict personal information collection by businesses and web sites to a verifiable needs basis.

Perhaps with less unnecessary data collection, there wouldn’t be so many breaches and/or the quantum of data stolen would be significantly smaller?


#25 (split this topic)

A post was split to a new topic: Kathmandu significant data breach - credit card details potentially accessed


#26

This one has been transferred to its own thread due to the significance of the breach.


#28

I have encountered a recruitment firm that was extremely intrusive in the amount of information they wanted from me as a job applicant. I told them no, and walked away. They were asking for information before they had any position that suited me!


#29

I had a similar experience - I had to ‘prove who I was’ to establish an account, by giving them information I am sure they had no legal means to verify, like driver licence number etc - this was all so I could do an online combined psych/aptitude test. I questioned them on whether any professionals were involved in the interpretation of the results and was told it’s all done by the software … no thanks …


#30

It really is simply a case of ‘when’, not ‘if’ …

Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

On April 9, KrebsOnSecurity reached out to Wipro for comment. That prompted an email on Apr. 10 from Vipin Nair, Wipro’s head of communications. Nair said he was traveling and needed a few days to gather more information before offering an official response.

On Friday, Apr. 12, Nair sent a statement that acknowledged none of the questions Wipro was asked about an alleged security incident involving attacks against its own customers.

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

the spin continues here … don’t get dizzy …

https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/


#31

Some local reportage on the Wipro hack:

It appears the company is big in Australia.


#32

I decided some time ago that any website demanding a registration and details without first allowing me to peruse it, is not worth my time or the privacy invasion.