Cybersecurity news headlines November 15-30, 2018
To continue the November edition of cybersecurity news headlines, we report on the news that made the biggest cybersecurity headlines from November 15-30. This edition is all about data breaches and leaks, with Instagram exposing users’ passwords in plain text, Amazon leaking information, and Atrium Health suffering a data breach. It also seems the Uber 2016 data breach incident has finally come to a close, as the ridesharing company is fined £900,000 by UK and Dutch data protection agencies for the incident and the subsequent cover-up. And in other, entirely unsurprising, news, seven EU countries file complaints against Google for the company’s habit of tracking location.
Without further ado, here is what made the biggest headlines in cybersecurity in the last two weeks.
Instagram bug exposes users’ passwords in plain text
Instagram may have accidentally exposed some of its users’ passwords in plain text because of a security issue in the “Download Your Data” feature. The feature was introduced in April in order to comply with the General Data Protection Regulation (GDPR), which came into effect in May this year. It allows users to download a copy of their data from Instagram, including photos, posts, comments, etc. However, in addition to allowing users to view the data Instagram has about them, the feature also exposed some passwords in plain text.
Reportedly, when a user used the feature, which requires them to enter their password, the URL of the page displayed the password in plain text. The plaintext passwords were also stored on Facebook’s servers. Facebook reassures users that the passwords were not exposed to anyone else, and have since been deleted from Facebook’s servers.
Affected users are being notified about the security issue, and are advised to change their passwords as well as clear their browsing history as a security precaution. It seems only a small number of users have been affected, but the security issue certainly does not help Facebook improve its reputation.
If you have not been notified about your account being affected but are still worried, you can secure your account by changing your password and enabling two-factor authentication. And remember, the more complex and unique your password is, the better.
Amazon leaks users’ information
On 21 November, some Amazon users started getting emails from the company saying that due to a “technical error”, users’ names and email addresses associated with their accounts have been exposed. The emails offer very little detail and are written in an unusual way, making them seem rather suspicious. Instead of using users’ names in the greeting, the emails simply say “Hello”. They then proceed to tell users that Amazon accidentally disclosed their name and email address, but they do not explain how it happened, or how many users were affected. Some users questioned whether the email actually came from Amazon, or if it was some kind of phishing attempt or a scam. However, it was later confirmed that the email was in fact sent by Amazon.
Despite numerous enquiries, Amazon remains tight-lipped about the incident. However, it did say to news website The Register that the incident is not the result of a hack, but rather a technical error. The UK’s Information Commissioner’s Office is reportedly keeping an eye on the situation but it does not seem to be too concerned.
It goes without saying that many Amazon users are quite annoyed about the whole situation. Amazon’s weird email and its secrecy are certainly not helping either.
Seven countries file GDPR complaints against Google
Seven EU countries (Poland, Greece, Norway, Sweden, Slovenia, the Netherlands, and the Czech Republic) have filed General Data Protection Regulation (GDPR) complaints against Google, claiming that the tech giant uses deceptive practices in order to track users’ location. The countries have filed the complaints with their respective national data protection authorities, and base their complaints on research published by Norway’s Consumer Council. Earlier this year, it was also revealed that even if users turn off “Location History”, Google still tracks location via “Web and App Activity”. For location tracking to be completely prevented, users also need to turn off the latter feature.
According to the European Consumer Organisation (BEUC), Google’s location data collection practices don’t give consumers a choice other than to provide their location data, which is then used for targeted advertising. Furthermore, BEUC argues that Google lacks valid legal ground for processing said data, and that because of the deceptive practices users’ consent “is not freely given”, which violates the GDPR.
“Location data can reveal a lot about people, including religious beliefs (going to places of worship), political leanings (going to demonstrations), health conditions (regular hospital visits) and sexual orientation (visiting certain bars),” BEUC comments on why location tracking is problematic.
If found guilty, Google could be facing a fine of up to €20 million, or 4% of its annual global turnover, whichever is higher, under Europe’s GDPR.
Uber fined £900,000 for the 2016 data hack and cover-up
Back in 2016, Uber’s systems were compromised in an attack, which exposed information of around 57 million Uber riders and drivers. Instead of disclosing the attack to authorities and its customers, the ridesharing company concealed the incident and paid the attacker $100,000 to keep quiet, claiming it’s a reward for identifying a bug. The data breach and subsequent cover-up were revealed in 2017 when Dara Khosrowshahi became the new CEO of Uber.
The company already agreed to pay $148 million in the US in order to settle the incident. However, because European citizens were also affected, UK and Dutch data protection agencies are also issuing fines. UK’s Information Commissioner’s Office (ICO) fined Uber £385,000 ($435,260), while Dutch Data Protection Authority issued a fine of £532,000 ($601,440), totalling a fine of around £900,000 (around $1.2 million). Compared to US’s $148 million fine, this does not seem like a large sum of money, and that is mainly because the breach happened in 2016, when GDPR was not yet in force. Under the new European data protection laws, Uber would have faced a fine of up to 4% of annual global revenue.
Atrium Health data breach involving 2.65 million patient records
Health care company Atrium Health has revealed that a data breach may have exposed the information of around 2.65 million patients. Reportedly, the breach was caused by a hack on the organization’s third-party billing vendor, AccuDoc. Atrium Health explains that an unauthorized third party gained access to AccuDoc’s databases between September 22, 2018 and September 29, 2018. As soon as the unauthorized access was discovered, it was immediately terminated, and an investigation was launched. Both AccuDoc and Atrium Health are reportedly in contact with the Federal Bureau of Investigation (FBI). Furthermore, while the information was accessed by an unauthorized person, there is no evidence to suggest that the information was removed from AccuDoc’s systems.
The accessed database included information such as names, home addresses, dates of birth, medical record numbers, account balances, insurance policy details, and service dates. Moreover, it is believed that around 700,000 Social Security numbers were accessed. However, it is not believed that credit card numbers or other financial information is at risk.
Atrium Health is in the process of informing affected individuals by mail. However, a toll-free number has also been provided on the official website for those who may have questions regarding the incident.