
Some more Data Breaches of 2016, 2017, 2018 & 2019


#22

an emergency call centre has been set up to handle customer enquiries, including the Takata recall.

It comes after reports hackers broke into the medical files at Melbourne Heart Group, a tenant at the Cabrini Hospital, and demanded a ransom after scrambling the data of about 15,000 patients.

The Melbourne Heart Group confirmed it had been unable to access patient data for weeks,

What, no backups? :scream:


#23

A few more huge lists of data have been found on the public internet. One contains about 2.2 billion accounts/email addresses and has been labeled Collection #2, which is a follow-on from the nearly 800 million in Collection #1 (the Collections listings are also growing https://www.troyhunt.com/the-race-to-the-bottom-of-credential-stuffing-lists-and-collections-2-through-5-and-more/).

Another one includes nearly 800 million publicly listed details from an unsecured database that includes/included dates of birth, phone numbers among other information including email addresses of people from a company that is called “Verifications.io” (archived site which is still available). This company provides a service which allows subscribers to upload lists of email addresses to validate them (see https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/ & haveIbeenpwned now lists it).

All the privacy policies that businesses have tell us how they will protect our information and then you get failures to adequately secure what they require you to provide…it becomes almost laughable (if it wasn’t so serious).


#24

It seems to have become the default position to obtain your personal information whether websites need it or not. It is impossible to get past the landing page on some websites without registering and providing your details.

We were looking to provide a room for uni student accommodation. We contacted a large Australian organisation that does this to ask if what we had was suitable. They would not provide an answer unless we registered, so we had a look at the online form they had on their website. The questionnaire was quite intrusive, and asked for details they had no need to ever know. They also wanted our bank details, drivers licence numbers, etc, etc. And they weren’t using https either.

I rang their local director to discuss this overreach of data collection at just the early inquiry stage. I was told that they would not proceed without this information. So I asked about the security of their data and their facility. The director told me that within their organisation access to the data was restricted on a need to know basis. When I asked whether the data was encrypted, and what security there was on the data servers, she repeated the previous statement. In other words there was no security and our enquiry about letting the room stopped then and there.

I can understand that at some point it may be necessary for sites to get your details such as if you are actually buying stuff, but I disagree with that data collection as a ‘toll’ you have to pay just to get onto the site or get a $ price.

I think there is a need to extend data privacy laws to restrict personal information collection by businesses and web sites to a verifiable needs basis.

Perhaps with less unnecessary data collection, there wouldn’t be so many breaches and/or the quantum of data stolen would be significantly smaller?


split this topic #25

A post was split to a new topic: Katmandu significant data breach - credit card details potentially accessed


#26

This one has been transferred to its own thread due to the significance of the breach.


#28

I have encountered a recruitment firm that was extremely intrusive in the amount of information they wanted from me as a job applicant. I told them no, and walked away. They were asking for information before they had any position that suited me!


#29

I had a similar experience - I had to ‘prove who I was’ to establish an account, by giving them information I am sure they had no legal means to verify, like driver licence number etc - this was all so I could do an online combined psych/aptitude test. I questioned them on whether any professionals were involved in the interpretation of the results and was told it’s all done by the software … no thanks …


#30

It really is simply a case of ‘when’, not ‘if’ …

Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

On April 9, KrebsOnSecurity reached out to Wipro for comment. That prompted an email on Apr. 10 from Vipin Nair, Wipro’s head of communications. Nair said he was traveling and needed a few days to gather more information before offering an official response.

On Friday, Apr. 12, Nair sent a statement that acknowledged none of the questions Wipro was asked about an alleged security incident involving attacks against its own customers.

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

the spin continues here … don’t get dizzy …

https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/


#31

Some local reportage on the Wipro hack:

It appears the company is big in Australia.


#32

I decided some time ago that any website demanding a registration and details without first allowing me to peruse it, is not worth my time or the privacy invasion.


#33

ANU have only recently detected a data breach which occurred in 2018 that has exposed up to 19 years of records of personnel, students, and visitors. Data that has been accessed/stolen/breached, depending on what the affected person provided ANU, may “include names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed”.

If you have or had any association with ANU it may be advisable to contact them to ascertain what of your data may have been compromised and to be wary of any possible unlawful use of your data eg identity theft, accessing your accounts.

For an ABC article on the breach see:

It concerns me that a University with what you would hope was smart IT staff would store information of such a personal and vital nature in a way that allowed it to be accessed and read without some serious encryption making it unreadable. I understand that access to some data needs to be readily available at short notice but 19 years worth is a bit beyond the pale (why wasn’t anything not immediately needed archived and stored in encrypted form?).


#34

I got an email from the “Vice-C” advising of this. Prior to this I had no idea they had my email - but it must have been through a rather tenuous non-study communication. At least I am fairly sure they don’t have much of my data.


#35

Encryption is only helpful if the hacker accesses the data at a level below the normal level of access. At the normal level of access by definition the data has to be accessible in plain text otherwise there would typically be no point having it.

For example, the Westpac attack (being discussed here: Real-time payments are on the way but maybe is missing here) basically looks like a screen scraping attack - and no amount of encryption will help. They may need rate limiting and/or they may need a CAPTCHA.

At the other end of the scale, if the attackers are able to bypass the web and application tiers and get direct access to an SQL database then having some fields stored encrypted in the database will help (under the potentially bold assumption that the attackers have been able to get or access the SQL database but not get the encryption key).

Insufficient information about the ANU attack has been made available.

(Regulations may require credit card numbers to be stored encrypted.)
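One shape the rate limiting mentioned in this post could take, added here as an example (it is not code from the post and not anything Westpac runs): a sliding-window limiter replayed over constructed log lines for a hypothetical lookup endpoint, showing how a scraper walking through lookups one after another is cut off while ordinary use is untouched. The log format, the `/lookup` path, the limit of 20 requests per 60 seconds and the client addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone


def build_sample_log():
    """Constructed access-log lines: "<client ip> <ISO-8601 time> <method> <path>".

    203.0.113.7 fires one lookup per second for 30 seconds (scraper behaviour);
    198.51.100.4 makes a handful of ordinary requests. Both addresses come from
    documentation ranges and are not real hosts.
    """
    lines = []
    base = datetime(2019, 6, 5, 10, 0, 0, tzinfo=timezone.utc)
    for i in range(30):
        t = base.replace(second=i)
        lines.append(f"203.0.113.7 {t.isoformat()} GET /lookup?payid=user{i}@example.com")
    for sec, path in [(1, "/home"),
                      (5, "/lookup?payid=me@example.com"),
                      (20, "/lookup?payid=me@example.com"),
                      (40, "/lookup?payid=friend@example.com")]:
        t = base.replace(second=sec)
        lines.append(f"198.51.100.4 {t.isoformat()} GET {path}")
    return lines


def parse_line(line):
    """Split one log line into (client ip, unix timestamp, request path)."""
    ip, ts, _method, path = line.split(" ", 3)
    return ip, datetime.fromisoformat(ts).timestamp(), path


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client -> timestamps of recent allowed requests

    def allow(self, client, now):
        recent = self._hits[client]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def replay(lines, limit=20, window_seconds=60, guarded_prefix="/lookup"):
    """Replay log lines through the limiter; return {ip: (allowed, blocked)}.

    Only requests to the guarded endpoint count; ordinary page loads are ignored.
    """
    limiter = SlidingWindowLimiter(limit, window_seconds)
    tally = defaultdict(lambda: [0, 0])
    records = sorted((parse_line(line) for line in lines), key=lambda r: r[1])
    for ip, ts, path in records:
        if not path.startswith(guarded_prefix):
            continue
        if limiter.allow(ip, ts):
            tally[ip][0] += 1
        else:
            tally[ip][1] += 1
    return {ip: tuple(counts) for ip, counts in tally.items()}


if __name__ == "__main__":
    for ip, (allowed, blocked) in replay(build_sample_log()).items():
        print(f"{ip}: {allowed} allowed, {blocked} blocked")
```

The limiter keys on client address, which is the simplest choice and the one a scraper spread over many addresses will get around; a production deployment would also key on the authenticated session or account and pair the limit with a CAPTCHA step, as the post suggests, rather than rely on either alone.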


#36

I agree that there will be information that needs to be readily accessible and as such may not be encrypted (but should be well secured by good security eg password access, 2 factor authentication, firewalls, and similar) but 19 years of data is somewhat less excusable. In some of my work areas data that didn’t require immediate access needed an appropriate authorisation and then the data was retrieved from offline storage and made available. Once the data was no longer needed it was scrubbed from the live systems and again resided on offline storage.

Even if they decided to store historical data in live systems, they should have had systems in place that made that data unreadable unless the correct authorisation was input to decrypt the data. That would/should entail that the authorisation was not stored in such a way that it could be accessed from the same live system. Air gap and/or even SDP is highly recommended and Air gapping perhaps should be required for the password/phrase storage :smile:.

Some businesses store some data in hashed & salted form so things like passwords are very difficult to crack and then they encrypt the other data so that the only way to gain access to the reversible data is by use of the secured password/passphrase. Keyloggers or other measures may have been put in place to get the access credentials but regular and thorough checks and audits of systems and access should have been undertaken to reduce this threat to an absolute minimum and to ensure if breached that the breach was quickly detected.

In the ANU breach (unfortunately similar to many others) the breach occurred well into the past and was only detected 2 weeks ago. Sorry, this is not good security from such an “elite” education facility and one that should employ very competent IT security staff; it might be excused somewhat in a less well resourced business but this is not some novice organisation. The statements attributed to the Vice Chancellor Professor Schmidt do not inspire me that sufficient regard was made previously to the need to proactively secure the data ie “The university has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion,” he said.

“The chief information security officer will be issuing advice shortly on measures we can all take to better protect our systems, and I strongly encourage you all to implement those measures.” (why wasn’t this addressed long ago)

“I assure you we are taking this incident extremely seriously and we are doing all we can to improve the digital safety of our community. We are all affected by this and it is important we look after one another as our community comes to terms with the impact of this breach.” (they should be taking it seriously but I guess they have to make the statement in case people don’t understand that they do take it seriously because they got breached some time ago and only just found out)

The horse has bolted so now they secure the gate…too late…
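The arrangement described in this post, where passwords are stored salted and hashed and the reversible data can only be unlocked with the passphrase, as an added example (not code from the post, from ANU, or from any of the businesses mentioned). The stored record holds only a salt and a verifier; the encryption and MAC keys are re-derived from the passphrase on each use and never written down, so a copy of the live database yields neither the passphrase nor the key. Assumptions: scrypt as the slow hash, and a counter-mode cipher built on HMAC-SHA256 with an encrypt-then-MAC tag as a stand-in for AES-GCM, which the Python standard library does not provide.

```python
import hashlib
import hmac
import secrets

# scrypt work factor: about 16 MiB of memory per derivation (128 * r * n bytes).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(passphrase, salt):
    """Derive three independent 32-byte keys from one passphrase.

    scrypt makes guessing expensive; HMAC with distinct labels separates the
    stored verifier from the keys that protect the data, so a leaked verifier
    reveals neither the encryption key nor the MAC key.
    """
    master = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    verifier = hmac.new(master, b"verifier", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return verifier, enc_key, mac_key


def enrol(passphrase):
    """Create the only thing that is stored: a random salt and the verifier."""
    salt = secrets.token_bytes(16)
    verifier, _, _ = derive_keys(passphrase, salt)
    return {"salt": salt, "verifier": verifier}


def check_passphrase(record, passphrase):
    """Constant-time comparison of the freshly derived verifier against the stored one."""
    verifier, _, _ = derive_keys(passphrase, record["salt"])
    return hmac.compare_digest(verifier, record["verifier"])


def _keystream(enc_key, nonce, length):
    # Counter mode with HMAC-SHA256 as the pseudorandom function (stand-in for AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(passphrase, salt, plaintext):
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    _, enc_key, mac_key = derive_keys(passphrase, salt)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(passphrase, salt, blob):
    """Verify the tag before touching the ciphertext; a wrong passphrase fails here."""
    _, enc_key, mac_key = derive_keys(passphrase, salt)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    record = enrol("correct horse battery staple")  # constructed passphrase
    blob = encrypt_record("correct horse battery staple", record["salt"],
                          b"TFN 000 000 000 (constructed sample record)")
    print(check_passphrase(record, "correct horse battery staple"))
    print(decrypt_record("correct horse battery staple", record["salt"], blob))
```

Because the verifier, the encryption key and the MAC key all hang off the scrypt output through separate HMAC labels, the stored record lets the live system check a login but not read the archive; an attacker who copies the database still has to guess the passphrase, and each guess costs a full scrypt run.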


#37

Yes. It could have been archived, which creates an effective airgap in many cases.

I think data hoarding is a problem. The data was presumably being kept “just in case” rather than that there was a real ongoing business need for such ancient data.

Particularly as they had a fairly recent previous data breach.


#38

“unforeseen human error” causes an email that I “may have received” yet “will have received” and they foresee that this “unforeseen human error” is a “one-off occurrence”

It’s also “not the result of any breach of data or confidentiality”. We’ll have to take their word on that I guess.

gold …

I haven’t subscribed to anything from Flight Centre for many years - looking at my records, I unsubscribed in 2012 … The apology email suggests only previous subscribers, not current, received the errant email … interesting …

Not surprising but still worth the reminder that many organisations’ terms and conditions cover their retention of data; unsubscribing doesn’t necessarily take you off their books (I’d suggest rarely if ever), even if you have never actually done any actual business with them other than subscribe to one of their newsletters/etc …


#39

Unless the government radically steps in on behalf of its citizens we had all better get used to it.


#40

This is where ‘Sign in with Apple’ looks interesting for iOS/iPadOS/OSX devices. Apple states their plan is when you sign in, their server will generate a random email address, and forward emails to your actual email address. That way as soon as you sign out that forwarding stops, and if there’s a data breach on any of those sites they only get the dummy email. Presuming Apple themselves never have a data breach of course.


#41

While hopefully affecting no one in Australia, this data breach should cause some IT security teams, especially in Aust Govt, to look hard at their systems and continually review the processes. Bulgaria had its entire adult population’s Tax Office data exposed publicly.

From an article of the breach “Five million of the country’s seven million citizens had their personal data exposed in a hack of the country’s national tax agency. The information leaked in the attack includes social security information and income in addition to full names, birthdates and addresses dating back as far as 2007. That’s not only everything an identity thief would want, but also enough data to comb through and isolate the most lucrative targets. The hacker released half of the database to reporters, and then posted the other half to several public forums”.

To read that article see:

Also see:

They caught them (maybe all maybe not) but that’s after the fact and too late to stop use of the data by anyone who wishes to do so.


#42

And this one regarding Capital One with over 100 million customers involved.