Cybersecurity news headlines (March 15 – March 31)

The second half of March has been pretty bad for cybersecurity, mainly because of the Cambridge Analytica scandal, which is one of the biggest to hit the tech world in the last few years. There were also news about data breaches, Microsoft making a questionable decision and Facebook collecting your call history and SMS. Without getting too much into it, here are the top news headlines from March 15 – March 31.

Expedia’s Orbitz suffers data breach

Travel company Expedia’s subsidiary company Orbitz has suffered a data breach exposing more than 888,000 payment cards to crooks. The breach was detected earlier this month but has reportedly taken place between October 2016 and December 2017. Reportedly, the hackers responsible for the breach may have been able to access customers’ personal information (name, date of birth, address, phone number, email address, etc.), as well as payment information.

The affected customers are being notified about the breach and will be offered one year of free credit monitoring and identity protection service. The company reassures that using the current Orbitx.com website is completely safe. In the meantime, the company is working with cyber security experts and law enforcement to investigate the incident.

Call history and SMS collected by Facebook

Facebook has been in hot waters since the Cambridge Analytica scandal, and criticism has only become harsher when a programmer noticed that Facebook was keeping track of incoming and outgoing calls, as well as SMS messages sent from his phone. The tweet revealing this has gathered thousands of likes, further intensifying the debate over privacy.

Reportedly, Facebook gathered information from users’ phones about incoming and outgoing calls, their start time, duration, who the call was to/from, SMS sent/received, as well as a list of contacts. The programmer noticed these logs when he downloaded his Facebook data as a ZIP file, which all users can do from their profiles. The file contains all information the social media company has about the user. While Facebook collecting information you provide it with is nothing new, it should not have access to your phone in such a way. However, if you had the Facebook app or Messenger installed on your Android, it’s possible the company has access to much more information than you think.

Facebook explained that users have given the apps permissions to log such data, supposedly “this helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook”. Since users were not aware that information about their calls and SMS was collected, people are hesitant to believe what the company is saying.

Only Android users have been affected by this, as Apple does not allow apps to access such information on iOS. Hopefully, this will caution users to actually think about the permissions they grant to apps, and revoke them if they are unnecessary or endanger their privacy.

Leader of hacking groups responsible for stealing over $1 billion from banks arrested

It has been reported that an alleged leader of an organized Russian cybercrime gang that is tied to Carbanak and Cobalt malware attacks has been arrested. The group has been active since 2013 and is responsible for stealing more than $1 billion from banks. The crooks would send spear-phishing emails to bank employees to infect their machines with Carbanak malware, and when a computer is infected, malware would be deployed through the bank’s internal network. This would allow the hackers to control ATMs, which would release cash when commanded. Europol provides a graph depicting the method here. Reportedly, banks in more than 40 countries were affected, with around $10 million per heist.

The leader of the group was arrested in Alicante, Spain, during an investigation conducted by Spanish National Police, Europol, US’s FBI, and other law-enforcement agencies. The exact amount of money the group managed to steal is not currently know. Security company Kaspersky released a report back in 2015, claiming that the group stole $1 billion, thus three years later the amount is believed to be much larger.

Offensive language banned on Microsoft services starting May

If you are using any Microsoft services, you were probably informed that the company is changing its Terms of Services. If you are like most users, you did not read the updated version. However, a civil rights advocate Jonathan Corbett, actually read the document and one particular change stood out. Starting May 1st, Microsoft will ban offensive language on its platforms. This rather controversial move has caused quite a stir for a couple of reasons. Offensive language is a broad term, and it is not specified what exactly would count as such. And how would Microsoft find out whether you used such language? Apparently, Microsoft will be able to review your content in order to resolve the issues. However, they do say that they will not monitor the entire services.

The whole passage sounds like this: “Don’t publicly display or use the Services to share inappropriate content or material (involving, for example, nudity, bestiality, pornography, offensive language, graphic violence, or criminal activity)”. Again, the terms are not explained in a detailed manner, instead bread terms are used. However, one things is clear, and that’s starting May 1st, many users might find themselves violating Microsoft’s terms of Services.

Cambridge Analytica harvested data of 50 million Facebook users

Chris Wylie, data scientist turned whistleblower, has revealed that British data analytics company Cambridge Analytica has obtained and misused the information of 50 million Facebook users. Cambridge Analytica is the company that reportedly helped Donald Trump win the 2016 US presidency elections, and worked with the winning Brexit campaign. This has become one of the biggest scandals to hit the tech world in recent years, with claims that Cambridge Analytica created a tool using the obtained information in order to predict user voting patterns so that political parties would be able to tailor advertisements.

The data was collected via an app called thisisyourdigitallife. An academic from Cambridge University, Aleksandr Kogan, released the app in 2014, and it offered users $1 to take part in a survey. If users chose to participate, they would be asked to allow the app access to their Facebook information. Reportedly, over 270,000 users gave the app permission to use their profile information. The app was also permitted access to the participants’ friend list. If the users in the lists did not have their profiles set to private, the app would also harvest their information. In this way, the data of 50 million users was obtained.

According to Wylie, who has collaborated with Kogan, the data harvesting was done for Strategic Communication Laboratories, which also owns Cambridge Analytica. And the company was responsible for Donald Trump’s US presidential campaign. The data was reportedly misused to profile voters and influence them with targeted ads and messages.

The incident has brought a lot of criticism for Facebook as well, with Facebook founder Mark Zuckerberg calling the incident “the biggest mistake that we made here”. In 2015, Facebook became aware of this data collection and demanded that Cambridge Analytica delete it. However, the data analytics firm did not erase the data, and Facebook never looked into it further. Not only did Facebook not investigate if the data was deleted, it also failed to  ensure user privacy and has made it easy for parties to access user information without the user knowing about.

Facebook has lost the already fragile trust of its user, who have started deleting their profiles. It has to do a lot of damage control, and employ strict regulations so that this does not happen again.