Cybersecurity news headlines by WiperSoft [1-31 July, 2019]

Cybersecurity news headlines  [1-31 July, 2019]

It’s been a while since our last cybersecurity news headline report, but in this July edition we report on a huge data breach involving 5 million Bulgarian citizens, Equifax finally settling for the 2017 data breach, Facebook being fined a record-breaking $5 billion for its inability to protect user data, a Capital One breach compromising 106 million customers, and FaceApp privacy concerns.

In no particular order, here’s what made the biggest headlines in July.

Data of 5 million Bulgarians stolen

During the largest hack in the country’s history, data of 5 million Bulgarians was stolen from the national tax agency. In a country with a population of 7 million, that’s essentially all adult citizens. The hack on Bulgaria’s national tax agency was acknowledged by authorities after news outlets were emailed by the alleged perpetrator with links to some of the stolen data. In addition to claiming responsibility for the hack, the perpetrator also mocked the country’s state of cybersecurity.

The leak contains highly personal information such as personal identification numbers, names, home addresses and even financial data. One of the files sent to news outlets is reported to have contained more than 1.1 million personal identification numbers with income, social security and healthcare figures. According to Bulgarian media, the records date back to 2007, but most of the leaked information is still relevant.

It is still unknown how the hacker was able to gain access to the system and steal the data, but officials have said that a vulnerability in the system for filling tax returns from abroad may have been exploited. While the investigation is still in its early stages, police were able to track down a suspect. A 20-year old security expert was arrested as a possible suspect, but according to reports has been released. The man denies having anything to do with the attack. Some also believe that Russia might have been behind the attack.

Equifax to pay at least $575 million in data breach settlement

Credit reporting firm Equifax has to pay at least $575 million in fines to settle the data breach incident once and for all. The 2017 data breach, which resulted in leaked data of 150 million Americans, was one of the worst incidents of this kind in history.

Equifax has been facing a lot of backlash for not patching a known security vulnerability, which led to the breach. The company was informed of a vulnerability affecting its ACIS database in March 2017 but failed to patch it until July 2017 when hackers had already accessed consumer data.

In addition to the mistrust the public has for the company, it now has to pay up to $700 million in fines for the incident. The company has agreed to pay at least $575 million but the sum may go up to $700 million, depending on how much money people claim as compensation. In addition to the fines, Equifax will also have to give affected customers six free credit reports each year for seven years, as well as a free annual credit report.

Facebook fined a record $5 billion for data breaches

The Federal Trade Commission (FTC) has imposed social media giant Facebook with a record-breaking penalty of $5 billion. More than a year ago, the FTC announced that they are investigating Facebook over its repeated privacy violations. FTC alleged that Facebook had used deceptive disclosures and settings to get users’ data, which violated FTC’s 2012 agreement with Facebook. In addition to sharing a user’s data with apps that people on said user’s friend list use, Facebook also used phone numbers given by users for security purposes for advertising and misled many to believe facial recognition software was disabled by default when in fact it was enabled. To settle these charges, Facebook has agreed to pay the $5 billion fine.

At first glance, it seems like a huge amount of money, but in reality it’s only a month’s worth of revenue for Facebook. Despite that, the penalty is still the largest ever imposed on a company for privacy violations.

“The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation,” the FTC has said.

In addition to the fine, an independent privacy committee would have to be created. Members would be nominated by independent parties and may only be fired by a super majority of Facebook’s board of directors. Facebook will also have to designate a team of compliance officers responsible for Facebook’s privacy program.

However, Democratic FTC commissioners have criticized the settlement as essentially letting Facebook off the hook. Commissioner Rohit Chopra has expressed that the settlement imposes no meaningful changes to the company’s structure or financial incentives, and it does not include any restrictions on the company’s mass surveillance or advertising tactics. Chopra also expressed concern that the settlement essentially allows Facebook to decide how much information it can harvest from users and what it can do with it, as long as it creates a paper trail.

Marriott is facing a fine of $123 million for data breach

Hotel chain Marriott is facing a £99 million ($123 million) fine under GDPR (General Data Protection Regulation) for the 2014 data breach that exposed information of up to 383 million guests. UK’s Information Commissioner’s Office (ICO) has determined that after purchasing Starwood hotels, Marriott had failed to secure its systems, which allowed attackers to compromise the guest database and steal data. The breach is believed to have happened in 2014 but was not detected until 2018.

Attackers took off with personal information like guests’ names, email addresses, phone numbers, home addresses, dates of birth, and arrival/departure information. Furthermore, 5 million users had their passport numbers exposed, and 8 million customers had their credit card data revealed. It is believed that nearly 30 million European citizens and 7 million UK residents had their data stolen to some extent.

Marriott is planning to contest the decision. Under GDPR, for serious infringements, companies could be facing fines of up to €20 million or 4% of a company’s annual turnover, whichever is higher.

Ageing app FaceApp raises privacy concerns

FaceApp, an app initially released in 2017, has gone viral again after it added a feature that allows to age a person in a photo. After celebrities started posting their own aged photos, the app became hugely popular and attracted a lot of attention, and not all of it is good.

The app, developed by Russian company Wireless Lab, allows users to upload photos and change appearances of the person in the photo. It allows one to change hairstyles, add facial hair or make-up, and most recently age a person. Soon after the app became popular, some questioned how FaceApp handles the data it gets from users. One particularly alarming comment about how FaceApp collects all photos on a phone made headlines everywhere and sparked a panic about whether the Russian government is now in possession of millions of photos. Others pointed out that once the photo is uploaded, FaceApp can do whatever it wants with it.

After the initial panic died down, articles started emerging about whether the app is actually as dangerous as initially reported. Security specialists carried out tests and found no evidence that the app collects all photos on the device. Nor does it send any user data to Russia. Well, it claims not to. The only worrying thing about the app is that you indeed allow it to use your photo for whatever purpose. However, the app’s privacy terms aren’t entirely uncommon.

While blown out of proportion, the whole incident sparked a good conversation about privacy and how much data users are sharing about themselves without even realizing it.

Capital One announces data breach affecting 106 million people

Capital One has disclosed one of the biggest data breaches in history involving 100 million American and 6 million Canadian customers. Millions of people had their personal information stolen, and tens of thousands had their Social Security numbers and bank account numbers compromised.

According to Capital One, the breach occurred on March 22 and 23, 2019 but was not noticed until July. The hacker, now identified as Paige Thompson, shared information about the hack on GitHub, where the post was seen by someone who reported the potential breach to Capital One. After carrying out an investigation, the company uncovered that someone had indeed accessed the systems and stolen user data. It is believed that the hacker was able to get into the systems through a misconfigured web application firewall, a vulnerability that has since been fixed.

106 million Capital One customers had their names, addresses, zip/postal codes, phone numbers, email addresses, and dates of birth compromised, and a number of customers also had their credit scores, balances, payment histories, contact information and transaction data stolen. What’s worse, 140,000 Social Security numbers and 80,000 bank account numbers were also accessed.

Affected customers will be notified of the breach and will receive free credit monitoring services. Capital One also does not believe that any of the stolen information has been disseminated or used for fraud.

The hacker believed to have carried out the attack has been arrested after essentially bragging about the incident on social media.