Cybersecurity news headlines for 1-31 October, 2019
This month’s edition of cybersecurity news headlines covers four stories: the UK government decides not to proceed with age verification for online pornography, UniCredit suffers a data breach exposing 3 million customer records, Facebook withdraws its appeal and agrees to pay £500,000 for its role in the Cambridge Analytica scandal, and 1.3 million Indian cards are dumped on Joker’s Stash.
In no particular order, here’s what made headlines this month.
UK will not proceed with age verification for online pornography
To prevent children from accessing adult content, the UK had previously introduced plans to force pornography websites to implement age verification systems. By making site visitors submit credit card details or scanned copies of ID cards/passports, the UK government was hoping to make accessing pornography more difficult for underage children. The sensitivity of the whole thing sparked a huge debate about privacy and how the new rules would have put many people at risk of blackmail.
However, it seems that the UK will no longer go forward with these plans. The plans were delayed in the past, but it now appears that the government will be looking for other ways to protect children from inappropriate content.
“The government has concluded that this objective of coherence will be best achieved through our wider online harms proposals and, as a consequence, will not be commencing Part 3 of the Digital Economy Act 2017 concerning age verification for online pornography,” Secretary of State for Digital, Culture, Media and Sport Nicky Morgan says in the written statement.
“The Digital Economy Act objectives will therefore be delivered through our proposed online harms regulatory regime. This course of action will give the regulator discretion on the most effective means for companies to meet their duty of care. As currently drafted, the Digital Economy Act does not cover social media platforms.”
The statement goes on to say that adult content is too easily accessed online. Privacy organizations have welcomed the decision, as the legislation would have caused serious privacy problems.
UniCredit reveals data breach exposed 3 million customer records
Italian financial services company UniCredit has revealed a data breach that exposed the information of three million Italian customers. A file generated in 2015 has been blamed for the incident, as it contained a defined set of around 3 million records.
The company notes that while personal information such as names, cities, telephone numbers and emails were part of the breach, no bank details that would allow access to accounts or unauthorized transactions have been compromised. Nevertheless, the exposed personal information could be used to perform social engineering attacks or identity theft.
“The UniCredit cyber security team has identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter. The records consist of names, city, telephone number and email only. Consequently no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised,” the press release detailing the incident states.
An internal investigation has been launched to find out how exactly the breach took place, and the police have been notified about the incident. Furthermore, affected customers will be informed via post or online banking in the near future.
Facebook agrees to pay £500,000 fine for Cambridge Analytica
Last year, the Information Commissioner’s Office issued Facebook a fine of £500,000 for Cambridge Analytica, an incident Facebook’s reputation is still recovering from. After an investigation into the misuse of personal data for political gain, the UK watchdog declared that Facebook failed to protect its users and allowed their data to be misused.
The incident in question led to political consulting company Cambridge Analytica having access to harvested data of 87 million Facebook users worldwide. Facebook had become aware of the unauthorized harvesting of their users’ data but failed to ensure that Cambridge Analytica delete it. The social media giant was heavily criticised for failing to protect its users and is still working to restore its reputation almost two years later.
£500,000 was the highest penalty that could be imposed on a company under the laws in force before the General Data Protection Regulation (GDPR). Since the GDPR came into effect, however, fines can be as high as €20 million, or 4% of the company’s annual turnover, whichever is higher. Since the incident took place before GDPR, the old law applied to this case.
When the UK watchdog first issued the fine, Facebook had appealed against it, but it seems the two have reached an agreement. While Facebook did say the company should have done more to ensure their users’ data protection, it has not made any public admissions of accountability.
“An agreement has now been reached between the parties. As part of this agreement, Facebook and the ICO have agreed to withdraw their respective appeals. Facebook has agreed to pay the £500,000 fine but has made no admission of liability in relation to the MPN,” ICO said in a statement.
1.3 million Indian payment cards sold on Joker’s Stash
In what is believed to be the largest card dump in recent history, 1.3 million Indian payment cards are being sold on Joker’s Stash, the dark web’s largest payment card shop. The cards are being sold for $100 each, potentially earning crooks $130 million overall.
Security researchers at software company Group-IB, who were the first to notice the upload, told ZDNet that the cards belong mainly to Indian users.
“The database under the name “INDIA-MIX-NEW-01” (full name: “ INDIA-MIX-NEW-01 (fresh skimmeD INDIA base): INDIA MIX TR1+TR2/TR2, HIGH VALID 90-95%, uploaded 2019-10-28 (NON-REFUNDABLE BASE”) has been on sale on one of the most notorious underground card shops, Joker’s Stash, since October 28, 2019,” Group-IB said in a blog post.
While it is not yet clear how exactly the data was stolen, there is a strong possibility that it was obtained via skimming devices, which are often installed on ATMs and point-of-sale systems. Group-IB researchers note that the database contains only credit and debit card dumps (Track 2), which indicates that the data was not obtained via Magecart attacks.
The software company also notes that the sheer size of the dump is unusual. While larger numbers of card details have been put up for sale on Joker’s Stash, the data was released in smaller batches. This is the first time such a large number of cards has been dumped on the payment card shop at once.
The card data sold on Joker’s Stash could be used to clone the cards and make money withdrawals from ATMs.