Cybersecurity news headlines (September 15-30)
In order to help you keep up with what’s going on in the world of cybersecurity, twice a month we publish articles detailing the biggest cybersecurity news stories from the previous two weeks. We provide information about data breaches, malware attacks and other major incidents related to cybersecurity.
Just like the first few weeks of the month, the second half of September has been quite calm. Nevertheless, as has become standard, every couple of weeks there is some kind of data breach. This time, it’s fashion retailer SHEIN involved in one, with possibly 6.5 million of its customers affected. In other news, we remind you of two past incidents involving the personal information of tens of millions of people, as fines have been issued and settlements have been reached. Continue reading for cybersecurity news headlines 15-30 September 2018.
Facebook hack affects 50 million users
Social media giant Facebook announced on Friday that a security issue affected almost 50 million accounts and may have allowed attackers to access those accounts. According to the company, attackers exploited a vulnerability in Facebook’s code that affected the “View As” feature, which lets users see what their profiles look like to others.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Facebook explained in the blog post.
Facebook’s vice president of product management Guy Rosen said that attackers were able to steal the tokens by taking advantage of three vulnerabilities related to the “View As” tool. The vulnerabilities had existed since at least 2017. They are explained in the same Facebook blog post we linked above, if you are interested.
According to Facebook CEO Mark Zuckerberg, there are no indications that attackers were able to access private messages, change information or post anything. However, it is not yet known whether personal information (gender, date of birth, etc.) was accessed.
Law enforcement has been contacted, and Facebook has launched an investigation into the incident. The vulnerability has now been fixed, and the access tokens of around 50 million accounts have been reset. An additional 40 million accounts also had their tokens reset, and the “View As” feature has been turned off temporarily. The token reset means that 90 million users had to log in again on Friday. Upon login, they were greeted with a message from Facebook explaining what had happened.
Facebook has been in rough waters ever since the Cambridge Analytica scandal broke. With the new European data protection laws in place, Facebook could be facing serious trouble over the incident. Ireland’s Data Protection Commission, often called the EU watchdog, has asked Facebook to submit more information about the incident, as there are concerns about the fact that the incident was discovered on Tuesday (25 September) and that Facebook is not able to clarify the nature of the breach. According to certain media reports, Facebook could be fined as much as $1.63 billion under the new European data protection laws, which have been in place since 25 May 2018.
Fashion retailer SHEIN suffers a data breach involving 6.5 million users
SHEIN, one of the largest online fashion retailers, announced that unknown attackers stole the personal information of around 6.5 million customers over the course of two months. The breach was first noticed on August 22 and is believed to have started in June 2018. While the breach is still under investigation and not many details are available yet, SHEIN has revealed that the attackers breached the security protections in place, which allowed them to access email addresses and encrypted passwords.
When the company noticed the breach on August 22, it immediately hired a leading forensic cybersecurity firm as well as a law firm in order to carry out a thorough investigation. The investigation so far has confirmed that both email addresses and encrypted passwords were stolen from users who registered on the website. The number of affected customers seems to be roughly 6.42 million. However, the company reassures customers that there is no evidence of stolen credit card information, as SHEIN does not store it on its systems. Nevertheless, customers are urged to contact their banks directly if they notice anything unusual or believe their cards may have been compromised.
The investigation will continue while affected customers are being contacted and all site users are urged to change their passwords as soon as possible. The fashion retailer’s website is now safe to visit and customers may continue shopping as usual.
Equifax fined £500,000 for the 2017 data breach
Back in May 2017, we saw one of the biggest data breaches in history when sensitive information of as many as 145 million people was stolen from Equifax, a consumer credit reporting agency. The breach, which could have been prevented had Equifax patched a critical vulnerability in time, resulted in the names, phone numbers, addresses, social security numbers, dates of birth and driver’s licence details of millions of people being stolen.
The Equifax breach got much worse when it was revealed that Equifax had been warned about the vulnerability by the US Department of Homeland Security but failed to take action. In addition, the breach was also concealed for a month.
Because the breach involved millions of UK customers, the UK’s Information Commissioner’s Office launched its own investigation and has now issued a £500,000 fine, which is the largest possible penalty under the UK’s Data Protection Act 1998. For a company of this size, £500,000 is not a lot of money, and had the EU’s General Data Protection Regulation (GDPR) been in place at the time of the breach, Equifax would have faced a maximum fine of €20 million or 4% of its annual global revenue, whichever is higher.
Ex-NSA employee sentenced to 5.5 years in prison for illegally taking top secret documents home
Nghia Hoang Pho, an ex-NSA employee, has been sentenced to 5.5 years in prison after it was revealed that he had taken top secret documents home. Pho, who had been a developer for the NSA’s Tailored Access Operations (TAO) unit since 2006, took classified documents home between 2010 and 2015. The incident made headlines when the media reported that Pho was the employee who took home NSA hacking tools, which were later stolen by Russian hackers. However, the US government has never confirmed Pho to be the person involved.
The home computer storing the highly classified documents was allegedly running popular security software by Kaspersky Lab, a Moscow-based cybersecurity company. The US government concluded that Russian hackers were able to steal the classified data via Kaspersky, an allegation that resulted in Kaspersky being banned from US federal agencies. Kaspersky Lab has fought allegations of ties with the Russian government ever since.
However harmless the purpose may be, the NSA has strict guidelines on taking classified files home and considers such actions illegal. Not only had Pho taken top secret files home, his actions also allegedly resulted in Russian hackers stealing highly sensitive information. He pleaded guilty in October last year and was sentenced to 66 months in prison on Tuesday. He will be 73 years old by the time he is released from prison.
Uber agrees to pay $148 million in settlement over the 2016 Uber data breach and cover-up
In December last year, it was revealed that hackers had stolen the information of 57 million Uber riders and 7 million drivers in 2016, an incident that Uber concealed for over a year. The incident came to light when Dara Khosrowshahi became the new CEO of Uber. Under state laws, data breaches should be disclosed within a reasonable time frame, but Uber’s decision to not only conceal the breach for over a year but also pay the hacker responsible was a clear violation of the law. The whole incident brought the company a lot of backlash, and now it seems Uber will have to pay a substantial amount of money.
The company has agreed to pay $148 million in a settlement agreement for the breach and cover-up. Uber has also agreed to strengthen its data security practices to ensure better security for customer and employee data.