Cybersecurity news headlines (August 15 – August 31)

The second half of August has been quite unfortunate for certain companies due to serious data breaches that possibly exposed sensitive information of customers. Tech giant Apple, airline Air Canada and telecommunication company T-mobile were among them. There was also a rather bizarre hack that locked Instagram users out of their accounts, and Google was revealed to store people’s locations even when Location History is turned off. If you’re interested to find out more, here are the news stories that made headlines August 15-31.

Google revealed to track users when Location History is turned off, gets sued as a result

Facebook and its handling of users’ data had been a regular story in our previous cybersecurity news headline articles. However, it seems that it is now Google’s turn in the spotlight. While it’s no secret that the tech giant collects a tremendous amount of information about its users (which is a price we all pay for using its services for free), many people were caught off guard by the fact the Google stores location data even when users have turned location history off.

An investigation by Associated Press has revealed that Google services on Android devices and iPhones store location data, even after users have turned off a setting that allows the company to do so. If you have Location History turned on, Google services will store your location in order to make your experience better. According to the company, Location History allows Google to recommend places you’d like to visit, helps users rate places easier, etc. Or so they say. Privacy enthusiasts, on the other hand, believe this is just another way to boost advertising revenue.

Location History can be turned off, and Google had reassured users that visited places are not stored if the setting is off. However, this has been proven to be untrue. And Google no longer claims to not store location. After news broke out about this, Google changed their Privacy Policy and now clearly state that the company does track users’ movements even if Location History is off.

In a completely predictable turn of events, Google is being sued. A San Diego man has filed a lawsuit against Google over privacy violations, as Google continued to track him even after he turned the feature off.

“Google affirmatively—and misleadingly—represented to both Android and Apple device users that turning off “Location History” would result in Google ceasing to track, record, and use an individual’s location information,” the complaint, which can be accessed here, says.

If the plaintiff is permitted to go ahead with the lawsuit, it could mean serious trouble for Google as hundreds of other people could join the man in suing Google.

Attackers steal $13.5 million from Indian Bank

It has been revealed that India’s second largest cooperative bank Cosmos Bank has been breached by hackers, who stole over ₹940 million ($13.5 million) in three attacks over a span of three days.

According to reports, two of the attacks saw ₹805 million ($11.4 million) withdrawn in 14,849 ATM transactions across 28 countries. In the first attack, hackers withdrew ₹780 million ($11 million) in 12,000 ATM transactions via the VISA card system. Two hours later, the second attack took place, which resulted in ₹25 million ($400,000) stolen in 2,849 ATM transactions via the RuPay debit card system.

Despite the fact that Cosmos Bank detected the attacks, they were unable to prevent a third one, which took place two days after the initial two. Hackers used the bank’s SWIFT inter-banking system to make three transactions to a bank account in Hong Kong, resulting in another ₹139 million ($2 million) stolen.

The theft is under investigation by the police, but the bank did reveal that a proxy switch was created and that the fraudulent payment approvals were passed by the proxy switching system. The bank also reassured its customers that funds from accounts were not taken, so customers were not affected by the thefts.

Apple servers get hacked, 90GB of data stolen

As Apple has come to realize, no system is unhackable. It has been revealed that the tech giant has had its mainframe broken into multiple times, had 90 gigabytes of files stolen and users accounts accessed. All done by a 16-year-old high school student from Melbourne, Australia.

The teenager, who cannot be named for legal reasons, had infiltrated the company’s systems successfully multiple times, until security personnel discovered the unauthorized access and contained it. However, by the time he was noticed, the teenager had already managed to steal 90GB of information.

Once the breach was noticed, law enforcement was immediately contacted, who referred the matter to Australian Federal Police. The high school student’s home was raided, and two Apple laptops, a mobile phone and a hard drive were recovered. According to law enforcement, stolen information was saved in a folder named “hacky hack hack”. It has also been reported that the boy boasted about his successful infiltration on the messaging app WhatsApp.

The matter has not been disclosed in detail because the defendant is a minor and Apple did not want the method used to hack the servers revealed. However, the company did reassure customers that no personal data has been compromised, although it is yet to be revealed what kind of data had been stolen.

Instagram hack locked out users out of their accounts

A weird Instagram hack has locked hundreds of users out of their accounts by changing login details, and later usernames, profile images and associated email addresses. Some accounts were deleted, while others had their profile pictures changed to images from popular films, such as Despicable Me.

The issue has been addressed by Instagram, but many users report that they did not receive much help.

“We are aware that some people are having difficulty accessing their Instagram accounts,” the company tweeted, and offered guidance, which can be accessed here, for affected users. In addition to picking strong passwords and enabling two-factor authentication, the social networking service also advises users to carefully check which third-party apps have been granted access to accounts, and if necessary revoke that access. Since the Cambridge Analytica scandal, third-party app access to accounts has been limited, but some users might still be handing over their account details to questionable apps.

According to guidelines explaining how to recover accounts, when an email address is changed for an Instagram account, the user is supposed to be notified about this via email to the original account. The notification email allows users to revert the change if it wasn’t made by them. However, several users have expressed dismay about Instagram’s security as they were not notified about changes in their accounts, thus were unable to revert them in time.

It is not yet known what the purpose of such a hack was, and whether accounts will be recovered.

Data of 2 million T-mobile customers stolen by hackers

Wireless network operator T-mobile reported a security incident in which hackers may have accessed personal information of around 2 million customers. The incident happened on August 20th, and while it was quickly shut down, some customer information is believed to have been accessed.

While the perpetrators are not currently known, the company did revealed that company servers were compromised. The unauthorized entry was noticed by T-mobile staff, and it was immediately shut down. While staff were quick to react, it is believed that certain personal information was accessed by hackers. It likely includes phone numbers, email addresses, full names, ZIP codes and similar information. The company was also quick to reassure that no financial information (such as credit card data), passwords or social security numbers were accessed. T-mobile has also told Motherboard that roughly 3% of its 77 million customers were affected, or 2-25 million people.

Personal information of 130 million Chinese hotel guests found for sale on a Dark Web forum

It has been reported that the data of 130 million Huazhu Hotel guests had been stolen and is now being sold on a Dark Web forum. The advertisement on a forum was first noticed by several cybersecurity firms who informed the hotel about the breach.

Huazhu Hotels Group Ltd is the hotel chain in question, and the data being sold is 141.5GB in size and contains 240 million records, with personal information of around 130 million guests. The current price for the data is 8 Bitcoins ($56,424 or €48,281 at the time of writing). Chinese cybersecurity firm Zibao have verified the data and have confirmed it to be authentic. The same group also suggested that the breach may have taken place earlier this month, and might have been the result of a mistake made by Huazhu’s development team, who may have accidentally uploaded copies of their database onto GitHub.

It is thought that the data for sale includes personal information, such as email address, phone number, ID number, as well as booking information like full name and card number. All of the data is believed to have been from people who have stayed in one of the Huazhu Group hotels.

Air Canada mobile app breach potentially exposed thousands of passport numbers

Canadian airline Canada Air revealed that around 20,000 thousands customers may have gotten their data stolen in a data breach involving the airline’s mobile app. According to Air Canada, the breach was detected between August 22-24, when an unusual login was detected within the airline’s mobile app. Immediate action was taken by the company but that did not stop the attackers from potentially accessing data of approximately 20,000 customers.

In addition to the name, email address and phone number, app users can choose to add all kinds of information to the app, including passport number, gender, birthdate, nationality, passport expiration date, Known Travel Number, etc. All the information added to the app may have been accessed by the attackers. However, while financial data is not believed to have been stolen, users are encouraged to monitor their financial information.

People who may have had their accounts accessed by attackers have been informed by email, and those who did not receive the email are likely to be safe. However, all Air Canada app users have been asked to reset their passwords as a precaution.

For users who potentially had their personal information and passport numbers stolen, Air Canada is quick to point out that the risk of someone else obtaining a passport in their name is low.