Google Personal Data Requests Are On The Rise

Google’s latest Transparency Report is out, and the results have raised concerns with privacy advocates from around the world.

This time last year, Google received 44,943 requests relating to 76,713 user accounts from governments around the world. This year’s figures have increased to 48,941 requests relating to 83,345 accounts. The company complied with 65 percent of the requests made.

The US government was, predictably, the biggest requestor, with the German, British and French governments also featured prominently.

Note that these figures specifically do not include FISA (Foreign Intelligence Surveillance Act) requests, as such requests are subject to a six-month reporting delay.

Of note, a key component of FISA is set to expire at the end of 2017, and Google is working with Congress to try to pass a reform that would improve netizens’ privacy protections.

The core argument is that processing requests from foreign governments is too slow, and could be replaced by an update to the US Electronic Communications Privacy Act (ECPA). According to Richard Salgado, Google’s Director of Law Enforcement and Information Security:

“ECPA should also be updated to enable countries that commit to baseline privacy, due process, and human rights principles to make direct requests to US providers.

Providing a pathway for such countries to obtain electronic evidence directly from service providers in other jurisdictions will remove incentives for the unilateral, extraterritorial assertion of a country’s laws, data localization proposals, aggressive expansion of government access authorities and dangerous investigative techniques. These measures ultimately weaken privacy, due process, and human rights standards.”

It’s too soon to say whether Google’s efforts will bear fruit, but if they do, it would be a big step in the right direction, and an unqualified win for privacy watchdog groups everywhere.

Interestingly, Apple also released its annual Transparency Report, which revealed a six percent drop in government requests compared to last year’s figures. At the same time, though, the number of FISA requests Apple received soared from 2,750-2,900 requests relating to 2,000-2,249 accounts to 13,250-13,499 requests relating to 9,000-9,249 accounts.

Regardless of what happens to FISA in Congress later this year, the main takeaway is that governments around the world are making an increasing number of requests for personal data from our biggest tech companies, a disturbing trend that is sadly not unexpected.

Sonic Drive-In Latest Company With Credit Card Breach

Another week, another data breach, and this time, popular fast food chain Sonic found itself in the crosshairs.

The breach came to light when Brian Krebs, an information security journalist, spotted a large batch of credit card data for sale on an underground website.

IBM’s “X-Force” division confirmed Krebs’ findings, and later that same day, Sonic confirmed the report, offering all of its customers two years of free fraud and identity theft protection.

At this point, the company has released no details on how many of its 3,600 locations were impacted, or how many customers might have been affected. However, Krebs noted that the cache he saw contained some five million records, which at least gives us some indication of the scope and scale of the attack.

Given the relative lack of information about the incident so far, the best thing you can do if you frequent any Sonic location is to monitor your credit and debit card statements closely and take advantage of the free credit monitoring service offered.

It’s no great surprise that hackers are so interested in credit card data. Each record sells for between $25 and $50, so a cache of five million records represents a significant payday.

The fear, as pointed out by numerous security experts of late, is that given how easy it has been for hackers to breach company POS systems, the hackers will up the ante and begin introducing ransomware to the payloads they install on these systems.

Without a functioning POS system, business grinds to a complete halt, so the thinking is that most businesses facing this kind of attack would pay the ransom immediately, making the hackers’ payday even sweeter.

While this type of attack hasn’t been seen yet, most experts agree that it’s just a matter of time, making it one more thing to worry about. This is all the more reason to make sure your own POS terminals are as secure as you can possibly make them. You definitely don’t want to be next!

Literally Every Yahoo Email User Was Hacked In 2013 Breach

Late last year, Yahoo announced that it was the victim of the largest data breach in history. It impacted, by their initial estimates, fully one third of their user base, some one billion users.

As it turns out, Yahoo’s estimates were wildly inaccurate. Literally every person who had a Yahoo account in 2013 was impacted, making the total in the neighborhood of three billion accounts (yes, that’s billion, with a “B”).

If you’re a Yahoo user and have had your account since 2013 or before, then your account was impacted, regardless of whether you received a notification from the company.

You may be tempted to simply delete your account, especially if it’s one you no longer use on a regular basis, but don’t. Yahoo’s policy is to recycle defunct accounts after thirty days, meaning your account can be hijacked by anyone if you delete it.

The best bet is to change your password immediately and enable two-factor authentication to provide an added layer of protection.

Also, if you’re in the habit of using the same password across multiple websites, be sure to change any that share your Yahoo.com account’s password. One of the first things a hacker will try is to use compromised credentials on other accounts. If you don’t take immediate action, you’re essentially handing the hackers the keys to your digital kingdom and opening yourself up to identity theft, compromised bank accounts and credit cards and more.

In fact, this would be a great time to simply get out of the habit of using the same password across multiple web properties. It’s a bad habit, and if it’s one you’ve developed, then it’s time to make a change. True, it’s not as convenient, and having to remember multiple passwords can sometimes be annoying, but isn’t your digital security worth it?

Hackers May Have Accessed Corporate Document Filings At The SEC

The hackers of the world have been busy recently, but this latest report from the SEC shows that not only has the number of their attacks been increasing, but also that the level of sophistication continues to grow by leaps and bounds as well.

Specifically, the SEC reported that hackers may have gained access to their “EDGAR” (Electronic Data Gathering, Analysis, and Retrieval) system. This is a database that handles and lists corporate filings and disclosures, and the hackers may have used the data they mined from that system to illegally profit from stock market trades.

Essentially, they pried open the database and got a sneak peek at sensitive corporate filings before they were made available to the public. Armed with that knowledge in advance, they knew exactly which companies were going to appreciate in value, and which companies were going to take a hit to their stock prices, which made it child’s play to make profitable trades.

It gets worse, though. The SEC is also looking into instances where phony filing records may have been injected into the database with the specific intention of creating a stock price rise or tumble for specific companies.

This, then, isn’t a typical attack at all, where hackers attempt to breach a system to get at customer lists or credit card information to resell on the dark web. This is much more refined and complex, and in addition to making unknown sums of money for its architects, it has the effect of undermining confidence in the entire economic system as a whole, which makes it doubly dangerous.

Of course, as part of the SEC’s official statement, they say that the issue has been identified and patched, and that they’re cooperating fully with law enforcement officials. Both of those are good things, but unfortunately, they will do little to restore consumer confidence any time soon.

The lesson, of course, is this: no one is immune, and your company could be next.

Did Equifax Send Concerned Users To A Phishing Site?

By now, you’ve probably heard that Equifax recently suffered a massive data breach which left them with a considerable amount of egg on their faces.

The investigation into that matter is ongoing, and the company issued a video-based mea culpa to its customers, but unfortunately, the situation for the company just got worse. Here’s the basic timeline of events and where things stand so far:

• The first successful breach against Equifax occurred between May 2017 and July 29, when the intrusion was discovered.
• The secondary breach was just discovered this month, but actually occurred in March of 2017, before the main breach. The company maintains that the earlier attack had nothing to do with the most recent one, although a variety of anonymous sources claim that this is not the case.
• In both cases, Equifax retained the services of security company Mandiant to assist with the investigation into the breaches.
• As part of the company’s formal response to the breaches, they set up a website, “equifaxsecurity2017.com” which was designed as a portal that Equifax customers could use to see if they’ve been impacted by either breach.
• Unfortunately, the company recently sent out a tweet to its customers directing them to “securityequifax2017.com” which is a phishing site, almost certainly set up by the same hackers that attacked the company in the first place.

Equifax representatives quickly caught the mistake and deleted the tweet, but of course, the damage had already been done. As of today, Google Chrome now flags the phishing site as deceptive, but it is likely that at least some of Equifax’s customers clicked the link embedded in their tweet and found themselves on a bogus site.
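The bogus domain in the tweet is the legitimate one with its words swapped around, which is exactly the kind of variant a defender can catch before a link goes out. As an added example (not Equifax’s, Google’s or the article’s code), here is a small Python check that flags a candidate domain whose registrable label is a reordering of, or within a couple of edits from, a known-good domain’s label. The keyword vocabulary and the simplified public-suffix handling (last label only, so co.uk-style suffixes are not covered) are assumptions made for illustration.

```python
import re

# Assumption: a defender-maintained vocabulary of brand/campaign words (constructed for this example).
KEYWORDS = ("equifax", "security", "2017")


def registrable_label(domain):
    """Return the label just left of the TLD, lower-cased.

    Strips an optional scheme and path. Simplification (assumption): the last label is
    treated as the public suffix, so multi-part suffixes such as co.uk are not handled.
    """
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def tokenize(label, vocab=KEYWORDS):
    """Greedily split a label into vocabulary words; unmatched characters become one-char tokens."""
    words = sorted(vocab, key=len, reverse=True)  # longest match first
    tokens, i = [], 0
    while i < len(label):
        for word in words:
            if label.startswith(word, i):
                tokens.append(word)
                i += len(word)
                break
        else:
            tokens.append(label[i])
            i += 1
    return tokens


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), used to catch single-typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legitimate="equifaxsecurity2017.com"):
    """Label a candidate relative to the legitimate domain: 'legitimate', 'lookalike' or 'unrelated'."""
    cand, legit = registrable_label(candidate), registrable_label(legitimate)
    if cand == legit:
        return "legitimate"
    # Same words in a different order: securityequifax2017 vs equifaxsecurity2017.
    if sorted(tokenize(cand)) == sorted(tokenize(legit)):
        return "lookalike"
    # A typo-distance variant, e.g. a digit swapped for a look-alike letter.
    if levenshtein(cand, legit) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for d in ("equifaxsecurity2017.com", "securityequifax2017.com",
              "https://equifaxsecurity2O17.com/", "example.com"):
        print(f"{d:40} -> {classify(d)}")
```

A check like this belongs in the approval step for any customer-facing link, and the same classifier can be run over DNS logs or newly registered domain feeds to spot lookalikes of your own brand before they are used against you.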

The attack on Equifax, even considering the impact of the errant tweet, certainly wasn’t the largest hack we’ve seen in 2017 in terms of scope and scale. But it, taken together with the recent hack of the SEC’s EDGAR system, has done tremendous damage to the confidence in our economic system as a whole. Damage is done far beyond the physical size of the attacks and the total number of records impacted.

It’s too soon to say whether this represents a trend, with hackers pursuing some type of agenda-based strategy in preference for simple theft, but recent events could very well be interpreted in that way. Time will tell.

In any case, the answer to the question asked in the headline is yes. For a brief time, Equifax did indeed direct its users, via Twitter, to a bogus site.

The IRS Awards Security Contract To Equifax Even After Hack

You’ve probably heard about Equifax’s recent troubles. More than 145 million consumer data files were exposed, including names, addresses, Social Security numbers and more.

The problem was viewed as so serious that Equifax’s CEO stepped down and congressional hearings were launched, but then, a funny thing happened. Equifax got awarded a no-bid government contract worth millions ($7.25 million, to be exact) to help the IRS verify taxpayer identities in order to prevent fraud.

One might wonder how this happened, especially since the company recently got raked over the coals for profiting from the very hack they tried to prevent. During the congressional hearing on the matter, Senator Elizabeth Warren pointed out that Equifax stood to make millions by selling credit monitoring services to the very customers whose data they were supposed to be protecting, so it’s a fair question.

The answer lies in the fact that the IRS regards this service as being critical, and one that cannot stand interruption of any kind. Based on their research, they have concluded that Equifax is the only company capable of providing it.

That conclusion seems strange, given that there are, in fact, two other similar credit reporting agencies, but in any case, the contract was awarded to Equifax in spite of their recent troubles.

The move is understandably raising eyebrows in various sectors, with government watchdog groups and privacy advocates both crying foul.

Unfortunately, in the immediate term, there’s little to be done. This is a case where the wheels of government just don’t turn quickly enough to keep pace with current events. Until another company can be approved to get the job done, Equifax is the only game in town, as far as the government is concerned. Needless to say, this is not exactly what one would call confidence-inspiring.

Be Careful – Fake Amazon Emails Could Hold Locky Ransomware

For a time, it seemed we had reached the high-water mark where Locky ransomware was concerned. After the big, global attack earlier this year, interest in that particular strain of ransomware seemed to wane as hackers went off in search of the “next new thing” to deploy against the unwitting public.

Unfortunately, rumors of Locky’s death may have been highly exaggerated. A massive new email campaign is underway, using Amazon as a cover, and the infected emails come bearing Locky as a “gift” to anyone who opens them and downloads the attachment.

While no one knows who is behind the Locky software itself, this new email campaign is being run through a large botnet-for-hire called Necurs, which is currently made up of more than five million devices from all over the world.

These devices have been sending out a million emails an hour that appear to come from Amazon and contain downloadable attachments with their malicious payload.

The hackers are being quite savvy about the operation too, timing the sending of their emails so that they arrive during normal working hours, which makes them seem more legitimate. As ever, anyone unfortunate enough to download the attachment contained in one of these emails will soon find all the files on their system encrypted, and get a notification that they must pay a ransom in Bitcoin if they want the unlock code to get their files back.

It gets even worse, though. This latest attack does more than just install Locky. It also installs a program called “FakeGlobe,” which appears to be another variant of ransomware that’s designed to trigger after files are unlocked. So, even if you pay the ransom, you may find yourself immediately facing newly encrypted files and having to pay a second one.

As ever, the keys to avoiding scams like these are vigilance, employee education and a robust backup and file recovery plan, in the event that someone in your organization does open one of these emails.

Uber Paid To Hide Massive Data Breach From Public

It has recently come to light that Uber was hacked in 2016 in a massive breach that exposed the personal information of more than 57 million Uber users and drivers. A wide range of data was stolen. Where users were concerned, names, email addresses and phone numbers were compromised.

As bad as that is, the problem was even worse for more than 600,000 of the company’s drivers who had their driver’s license numbers hacked, too.

Standard protocol is that when a breach like this occurs, the company will engage law enforcement officials as appropriate, hire a third-party security firm to help with the forensic investigation and notify their consumers.

Unfortunately, that’s not the path Uber chose to take. Instead, they paid the hackers $100,000 in exchange for keeping quiet about the hack and deleting the stolen data.

The company kept the incident under wraps for more than a year, but eventually, word of the attack leaked out, and the fallout has been catastrophic. Uber’s CEO Dara Khosrowshahi has asked for the resignation of the company’s Chief Security Officer, Joe Sullivan, and one of his deputies, Craig Clark, both of whom worked to keep the attack quiet.

In a formal statement, Khosrowshahi had this to say:

“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

As is common in the aftermath of events like these, Uber is offering its impacted customers a free year’s worth of credit monitoring services and will likely force password changes for its app users. More than a year too late, but it’s something.

File this away under how not to handle a data breach.

Breach Of Health Data Gets California Company $2M Fine

Cottage Health System, a company that operates five hospitals in the Santa Barbara area of California, is the latest firm to have been hit with a hefty fine for losing control of protected health information (PHI) and personally identifiable information (PII) of the patients it serves.

In this case, more than 55,000 patients were impacted between 2013 and 2015.

Cottage Health discovered the breach late in 2013. The company received a voicemail message informing company officers that there was a large file containing PHI of an unspecified number of its patients available online, without encryption or password protection that could prevent unauthorized access. In 2015, the company suffered a second, much smaller breach that impacted 4,596 of its patients.

As a result of the investigation that followed, the California Attorney General determined that Cottage Health System had violated California’s Confidentiality of Medical Information Act, as well as several federal HIPAA regulations.

Under the terms of the agreement, in addition to a $2 million fine, the company has been required to upgrade its data security practices, including:

• Training employees on the collection, storage and proper use of PHI and PII
• Maintaining a reasonable set of policies and protocols surrounding incident tracking reports, risk assessment, data retention, internal audits and incident management plans, subject to external review
• Encrypting all PHI and PII in transit
• Assessing all hardware and software used in Cottage Health’s network for potential vulnerabilities, and upgrading as appropriate
• Conducting periodic testing to identify and address additional vulnerabilities.

This most recent incident serves as a painful reminder to any company involved in the handling of PHI and PII. According to Elizabeth Hodge, a health care attorney of the law firm Akerman, LLP:

“Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorneys general enforcing their respective state laws.”

A Million Imgur Users Affected By Breach

Do you use the image hosting service, Imgur? If you do, there’s a slight chance that you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million usernames and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:

• Not much information was stolen during the hack because Imgur doesn’t ask its users for much in the way of personal information in the first place. However, if you use your Imgur password on other systems, you could be at additional risk.
• At the time of the breach, Imgur was hashing passwords with SHA-256, which is fairly robust and impractical for most hackers to crack due to the amount of computational power required.
• In 2015, the company switched to an even more secure algorithm, bcrypt, so if the company is breached again in the future, it’ll be even harder for the hackers to glean anything useful from any data stolen.

All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.
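The difference between the two hashing schemes above, and the reason the Imgur and Yahoo stories both warn against password reuse, comes down to salting and per-guess cost. As an added example (not Imgur’s code), the Python below stores the same password for two users first with a bare SHA-256 digest and then with a salted, deliberately slow hash, and measures how much more work a single guess costs an attacker in the second case. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, which needs a third-party package; the user records, the password and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: two users who happen to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}
# Assumption: iteration count chosen for illustration; tune it to your hardware and latency budget.
PBKDF2_ITERATIONS = 200_000


def fast_hash(password):
    """Unsalted single-round SHA-256: deterministic and extremely cheap to compute."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256 record (stdlib stand-in for bcrypt's salted slow hash)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(password, record):
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def _grouped_by_digest(records):
    groups = {}
    for name, digest in records.items():
        groups.setdefault(digest, []).append(name)
    return [names for names in groups.values() if len(names) > 1]


def fast_hash_collisions(users=USERS):
    """With an unsalted hash, users sharing a password share a digest: one crack unlocks both."""
    return _grouped_by_digest({name: fast_hash(pw) for name, pw in users.items()})


def slow_hash_collisions(users=USERS):
    """With per-user salts, the same password yields different digests, so no such grouping exists."""
    return _grouped_by_digest({name: make_record(pw)["digest"] for name, pw in users.items()})


def guess_cost_ratio(password="correct horse", fast_samples=2000, iterations=PBKDF2_ITERATIONS):
    """Roughly how many times more work one PBKDF2 guess costs than one raw SHA-256 guess."""
    t0 = time.perf_counter()
    for _ in range(fast_samples):
        fast_hash(password)
    per_fast = max((time.perf_counter() - t0) / fast_samples, 1e-9)
    salt = os.urandom(16)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    per_slow = time.perf_counter() - t0
    return per_slow / per_fast


if __name__ == "__main__":
    print("unsalted SHA-256 duplicate groups:", fast_hash_collisions())
    print("salted PBKDF2 duplicate groups:   ", slow_hash_collisions())
    rec = make_record("correct horse")
    print("verify right password:", verify("correct horse", rec))
    print("verify wrong password:", verify("wrong", rec))
    print(f"one slow guess costs roughly {guess_cost_ratio():.0f}x one fast guess")
```

The salt is what stops a single precomputed table from covering every user at once, and the iteration count is what turns a leaked database from something an attacker works through in hours into something that takes years; bcrypt gives you both properties by design, which is why it is the better choice the article credits Imgur with making.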