CHOICE membership

Some more Data Breaches of 2016, 2017, 2018 & 2019


#43

From the linked article:

There was then a demand to release Wikileaks founder Julian Assange.

? I don’t reckon that it’s the Bulgarian government that is holding Julian Assange.

Under the GDPR, the National Revenue Agency could be issued with a fine of up to €20 million for failing to adequately safeguard the data of Bulgaria’s citizens.

How does that work? If you are a Bulgarian taxpayer then

a) your tax office just allowed your personal information to be plastered all over the internet, and

b) you get to pay the fine (indirectly).

It needs to come out of the pockets of the Bulgarian members of parliament and the relevant employees of the tax office.


#44

I didn’t say that they demanded the release of Julian Assange, it was part of the article from PrivSec :slight_smile: I don’t mind attribution where it is my text but I certainly didn’t write that part.

The other article made reference to Assange as well but pointed to a part of an email the hacker sent that was a variation of a quote that is sometimes said to be attributed to Julian ie “The state of your cybersecurity is a parody”.

But I agree that he isn’t being held by the Bulgarian Govt, any individual or business. Nor would that Govt have much say in getting him released, though they can appeal to the other EU member States and the EU Courts to try and achieve some outcome.

They did catch who they believe was the hacker and another person whom they believe was also involved. Whether these are the only culprits I guess only time may tell. Those caught have been charged with Terrorism offences.

As for the penalty, the same way it works here if our Govt/Govts are fined in the secret FTA courts. The Govt pays it out of their General Revenue accounts and the taxpayer foots the bill. Just in this case this is an obligation of a State/Country in the EU to conform to the legislation. Yes the Taxpayers cop the bill in the end. If the taxpayers get mad enough they may vote the Govt out and if they have to continue to pick up the bill for faulty Govt IT security it may bring that reality home sooner for the Govt. I agree it would be nice to make the ones who failed to protect the information pay the cost but do we make our Pollies pay the bill when they stuff up not securing our data or allow a breach of a FTA? Or do we make the ATO pay us for the lost Billions they allow to go out the country by allowing Businesses and Individuals to send it to Tax havens? Sadly, no we don’t and we pick up the bill and pay the price for those failures.


#45

My bad. Sloppy markup. I edited the post to make it clearer.


#46

A data breach in the UK has released very sensitive data about 1 million people and includes non-changeable biometric data … their fingerprints are part of this data but it also includes face recognition data. While this probably doesn’t affect Australians it shows how even businesses that are tasked with handling this information are not dealing with the task in a proper manner.

As they say in the linked article data breaches are occurring at “shocking regularity”. To read more see:


#47

Somewhat more detail in the link on the link: https://www.vpnmentor.com/blog/report-biostar2-leak/

Not shocked at all though - and that’s the point that never seems to get through to our legislators.

From the actual report:

unencrypted passwords

OMG. It’s 2019 and people are still using plaintext-stored passwords. This should be illegal. Heads should roll. Haven’t they heard of hashing (with salting)?

That allowed the actual passwords to be readily analysed too. Weak passwords like “abcd1234”.

OMG. It’s 2019. Haven’t they heard of enforced password complexity?

Not that it matters much if you are going to publish the plaintext password on the internet.


#48

I listened to a podcast called ‘Cyber Hacker’ recently. Dumb name but really interesting stuff. The advice he gave for businesses is have emergency briefs planned, because it’s inevitable that any business with data will have a breach, regardless of security measures.


#49

From a ‘security’ company. I suspect it is going to lose a lot of customers in the near future. I see that the VPNMentor article mentioned hashing but not salting - tsk tsk!

I was also wondering if there is a standard format for storing fingerprint data, until I came to this sentence:

Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.

Just… what? Seriously, what were they thinking?

I recommend Security Now. It’s part of the TWIT network - and similarly, the advice is not ‘if you get hacked…’ but ‘when you get hacked…’.


#50

This news article reports on an iPhone spyware infection that may go back to 2016 or so. Who was affected? No one is really sure of how many. Data that was compromised if a phone was affected included “WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and real-time location — essentially all the databases on the victim’s phone”.

To read the article see:


#51

Fixing that for you: “data that was compromised if a phone was affected” is everything on the phone. :slight_smile:

China again?


#52

China again? I think the assumption was that it was but it could be US or really any other country these days that has a desire to know.


#53

The article talks about the possibility that it was targeting a certain “ethnic group”. If China wanted to target its citizens while they are overseas or expatriates now with permanent residence overseas and it did so via a tainted web site then there are going to be some web sites that are better than others. It is more difficult to apply that logic to the US or Australia, for example.

However the article is intentionally vague on this point.


#54

Given that it only affected ‘thousands’, China seems like an unlikely culprit. I can imagine the US targeting its citizens of Middle Eastern origin when they are overseas - especially since there are certain constitutional limits on its targeting of them while in the US. Many other countries (including Australia) may similarly have a population they want to ‘keep an eye on’.

As for using a particular website, Google? Amazon? NineMSN? Fox? Of course, if you’re targeting a particular ethnic group then you would more likely look for ISISandFriends or some such.

And of course, the easiest way to learn about iPhone exploits is to provide the code to the manufacturer. Just saying.


#55

Turns out that the iPhone attack was indeed apparently Made in China, which wanted to keep an eye on its Uighur population.

Microsoft has announced that it also affected Windows and Android. The latter is interesting, as Google made the initial disclosure.


split this topic #56

A post was merged into an existing topic: Privacy and Security - In the Public Record


#57

Used by various universities

University of Adelaide, UNSW Sydney, the University of Sydney, Macquarie University, the University of Technology and Griffith University.

and in total

159,000 students from 453 societies and clubs

exposing

things like name, phone number, date of birth, addresses, student number.

coughidentitytheftcough

On a global scale this breach is tiny but it is likely to be biased towards exposing details of Australians.


#58

Not so much a breach as an unauthorised release of sensitive information by a Canadian (Cameron Ortis – the now ex-leader of the Royal Canadian Mounted Police force’s own intelligence unit). While no information is known outside of officialdom about what data was transferred, it may affect Australia, NZ, the USA and the UK as part of the 5 Eyes group.


#59

It may be worse than that i.e. even “officialdom” don’t know at this stage.

Seems like very early stages of this story - much more potentially to be learned - but possibly all kept secret as the trial progresses, so we won’t learn anything.


#60

If you are Ecuadorian or have a partner who is you may be concerned about this latest breach that has occurred. Potentially every person in or who has been a citizen of Ecuador may have had their Ecuadorian data leaked.

The breach occurred because the data was stored on an unprotected server in Miami and contained the details of 20 million Ecuadorians including 7 million minors. Seeing as how the entire population of Ecuador is around 16 million, they are assuming the data may contain details of deceased citizens as well. Without knowing more about what was stored, this could also include on that basis the details of Ecuadorian citizens who have left the country at some time. The leaked information was quite detailed about every person in the database.

To read an article about the breach/leak see:

If you have Ecuadorian citizenship you may want to contact the Ecuadorian authorities to see if you have been affected.

https://www.fiscalia.gob.ec/fiscalia-lidera-operativo-por-presunta-violacion-a-la-intimidad/

Contact information:

Dirección de Comunicación Social

Telephone: 3985800 Ext. 173123


#61

Wow. That’s awesome (in a bad way).

Stored overseas in a potentially hostile country too.

That’s why we don’t want #censusfail. That’s why we don’t want MyHealthRecord.


#62

Seems rather ironic … potentially even an entity using incisors and canines with force on the metacarpus of another that once provided sustenance? :rofl: I can imagine some might even be tempted to use a word beginning with ‘k’ …