Cybersecurity news headlines 15-31 October, 2018
To continue our October edition of cybersecurity news headlines, we have the headlines from 15-31 October, 2018. In this edition, we report on US voters’ personal information being for sale, a Tumblr security bug that could have leaked users’ personal information, a huge data breach involving airline Cathay Pacific, and Facebook finally being fined for the Cambridge Analytica scandal. We also summarise Microsoft’s tech-support scam research, which shows that people still fall for those scams.
If you did not have the time to keep up with the news this month, here’s what you missed in cybersecurity 15-31 October, 2018.
Personal information of US voters for sale
Two cybercrime intelligence firms have found that the information of 35 million US voters is being sold on a hacking forum. The two companies, Anomali Labs and Intel 471, have reviewed a sample of the database and have determined that the data is very likely to be valid. According to researchers, the data contains full names, addresses, phone numbers and voting-related information. It should be mentioned that some states make voter information generally available to the public, but the records are not permitted to be used for commercial purposes or published online.
The data for sale contains information on voters from 19 US states, with prices ranging from $150 to $12,500. The total sum for information on all 19 states is $42,200. It is estimated that more than 35 million records could be for sale.
It was first believed that the data comes from previous data breaches but the seller claims that the data is refreshed every Monday, indicating that he/she has continued access to the source, which is rather alarming news. Anomali Labs also notes that some states would require that the seller travels to in-state locations to receive the updates.
“This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum,” Anomali Labs say.
People still fall for tech-support scams, Microsoft says
Microsoft’s Global Tech Support Scam Research 2018 reveals that while the percentage of consumers who reported experiencing a tech-support scam decreased compared to 2016, scammers were still successful in tricking nearly one in five consumers into continuing with a fraudulent interaction. Each month, Microsoft receives around 11,000 complaints from people who have fallen victim to a tech-support scam, with scammers pretending to be from reputable tech companies, such as Microsoft, Dell or Apple. Tech-support scammers try to gain remote access to the victim’s computer in order to steal files and personal information (including banking data), and install questionable software or even malware. By the end of the session, victims are requested to pay hundreds of dollars.
Nevertheless, Microsoft notes that consumers have developed a healthy scepticism about unsolicited contact from technology and software companies. If encountering unsolicited contact from a supposed tech-company, 38% of consumers would try to block the company from making contact in the future, while 33% would look up the issue online. Microsoft’s report also reveals that Gen Z, Millennials and men are more vulnerable to tech-support scams. Millennials and Gen Z are more likely to engage in risky online activities, including exchanging email to access content, downloading films, music and videos, as well as using torrent sites.
“The youngest generations rated themselves highest on web and computer expertise suggesting that overconfidence in their online abilities could cause them to be less cautious and thereby more susceptible to scams,” the report says.
The report also notes that Millennials and Gen Z are more trusting than older generations of reputable companies making unsolicited contact, which could come from lack of experience or naivete.
While not every engagement in a tech-support scam ends in the victim losing money, the scams can affect victims in other ways. After experiencing a scam, 52% of users had spent time checking and repairing their PC. In addition, three-in-four users who engaged in the scam (had contact with scammers and followed their instructions, at least initially) reported feeling moderately or severely stressed due to the interaction.
The number of users falling for a tech-support scam is slowly going down, possibly because of increased use of pop-up ad-blockers, but the scams still remain a problem. In order for tech-support scams to continue to go down, awareness of such scams needs to go up. One of the most important things to remember is that Microsoft will never proactively reach out to you to provide technical support. Any communication with Microsoft, or any tech company for that matter, has to be initiated by you. Those pop-ups and redirects claiming your computer is infected and that you need to call tech-support will always be scams. There are no exceptions. You should also never allow remote access to your computer, unless you fully trust the party providing the service. If you cannot confirm that the person is from a legitimate company of which you are a customer, do not allow him/her to connect to your computer.
If you believe you have become a victim of a tech-support scam, you need to contact law enforcement. And if you have provided your banking information or it was stolen by scammers, your bank needs to be contacted so that appropriate action can be taken. You can also report it to Microsoft by filling in this form.
Tumblr security bug could have leaked private information
A security researcher participating in Tumblr’s bug bounty program discovered a bug that could have been used to leak Tumblr users’ personal information. According to Tumblr’s post about the issue, the bug was found in the “Recommended Blogs” feature on the desktop version of Tumblr. As the name implies, the feature displays a short, rotating list of blogs that users might find interesting. The feature is only available to logged-in users. If debugging software had been used in a certain way, it would have been possible to view certain account information associated with the blog.
While according to Tumblr the bug was rarely present, when it was, it was possible to view certain information, such as email address, protected (hashed and salted) Tumblr passwords, self-reported location, previously used email addresses, last login IP address, and the name of the blog associated with the account.
The bug was patched within 12 hours of the Tumblr engineering team becoming aware of it. The social networking site also investigated how the community may have been affected, and found no evidence that the bug had been abused. There is also nothing that suggests account information had been accessed.
In the past couple of months, we have seen far too many similar incidents. Tumblr’s security incident is also somewhat similar to Facebook’s, but the latter is much more severe as Facebook’s bug was actually exploited, resulting in data of at least 30 million users being accessed.
Cathay Pacific data breach involving 9.4 million people
Hong Kong-based airline Cathay Pacific revealed that it had suffered a data breach, possibly involving 9.4 million people. According to the airline, they noticed unauthorized access to some passenger data. While Cathay Pacific reports that immediate action was taken to contain the event, approximately 9.4 million customers had their data accessed. The breach was initially noticed in March 2018 and in early May 2018, it was confirmed that personal data was indeed accessed.
Reportedly, accessed data includes passenger names, nationalities, dates of birth, phone numbers, emails, home addresses, 860,000 passport numbers, 245,000 identity card numbers, frequent flyer programme membership numbers, customer service remarks and travel history. Furthermore, the airline says 403 expired credit card numbers and 27 credit card numbers with no CVV were accessed. However, passwords were not compromised.
The Hong Kong Police have been informed and the company is in the process of notifying relevant authorities and affected passengers. Affected members of the Marco Polo Club, Asia Miles or registered users will be contacted individually, while others are advised to register an inquiry.
Cathay Pacific has reassured users that no personal information has been misused, but the decision to contact affected customers has been made in an abundance of caution. The airline will also offer ID monitoring to affected passengers, while those who had their card data accessed are encouraged to contact their respective banks.
Facebook fined £500,000 for Cambridge Analytica scandal
Earlier this year, social media giant Facebook found itself in a whole lot of mess when it was revealed that political consultancy firm Cambridge Analytica had gathered and misused data of 87 million Facebook users. The whole scandal is a bit more complicated but the gist of it is that Facebook failed to ensure the security of its users by allowing an unauthorized party to harvest user data. Not only did the data of 87 million Facebook users get harvested, Cambridge Analytica has reportedly helped Donald Trump win the US presidential elections in 2016.
When the story initially broke, it gained a lot of attention not only from the general public but from the government as well, with Facebook’s CEO Mark Zuckerberg being asked to testify before US Congress. UK’s data privacy watchdog Information Commissioner’s Office (ICO) had launched their own investigation into the scandal as data of 1 million British citizens was also harvested. ICO has now officially issued Facebook a fine of £500,000 ($640,000), which is the maximum penalty under UK’s Data Protection Act 1998. While £500,000 may seem like a lot of money, for a company that made more than £31 billion (around $40 billion) in revenue last year, it’s a tiny drop in the ocean.
Interestingly enough, and luckily for Facebook, had the scandal broken out two months later, Facebook would have faced a possible fine of £1.26 billion. Because the incident came to light in March 2018, it fell under UK’s Data Protection Act 1998. In May 2018, EU’s General Data Protection Regulation (GDPR) came into effect, and it’s much more strict when it comes to users’ security. Under GDPR, Facebook would have faced a possible fine of €20 million or 4% of its annual global revenue, whichever is higher.
British Airways data breach bigger than initially thought
Back in September, we reported on a British Airways customer data hack. Customers who made bookings from August 21 to September 5 via the airline’s website or mobile app had their personal and financial information stolen. Initially, it was reported that around 380,000 payment cards had been stolen in addition to personal information. However, the airline has released an update on the situation, stating that an additional 185,000 customers may have been affected. Names, billing addresses, email addresses and card payment information (card number, expiry date and CVV) of 77,000 customers are believed to have been accessed. A further 108,000 payment cards without CVV were possibly stolen. Only people who made a booking between April 21 and July 28, 2018 are thought to be impacted.
According to the airline, there is no conclusive evidence that said data was removed from the airline’s systems. Nevertheless, as a precaution, potentially affected customers are being informed. They are advised to contact their banks or card providers. According to the above linked statement, customers who had not been contacted by Friday 26 October do not need to take any action.
British Airways also said that the initially reported number of affected card details was wrong: instead of 380,000 card details, 244,000 were affected. There have also been no verified cases of fraud so far. The airline promises to reimburse customers who suffer financial loss as a result of the data theft. In addition, it’s offering credit card monitoring to any affected customer concerned about the data theft.