Displaying items by tag: data breach

Facebook faces lawsuit over data leak scandal

Written on Thursday, 20 December 2018 10:15

A DC attorney general has announced that he will file a lawsuit against Facebook over the Cambridge Analytica scandal.

Attorney General Karl Racine said the social media giant had “failed to protect the privacy of its users and deceived them,” after the data of tens of millions of its users were leaked to third-parties.

The suit alleges the company violated the Consumer Protection Procedures Act through its lax privacy standards, and that it misrepresented third-party developers’ ability to obtain data. The office intends to seek civil penalties if proven in court.

After the scandal emerged in March, Facebook CEO Mark Zuckerberg testified before Congress and answered questions from the Senate commerce and judiciary committees on privacy, data mining, regulations and Cambridge Analytica. The political consultancy had gathered names, “likes” and other data from more than 87 million Facebook users without their permission or knowledge.

Facebook was fined £500,000 by the UK's data protection watchdog for its role in the scandal.

“Facebook failed to protect the privacy of its users and deceived them” about who had access to their data and how it was used,” Attorney General Karl Racine said in a statement. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”

The lawsuit is the latest blow for the social media giant in recent weeks. A report in the New York Times revealed that Facebook had allowed ‘partner’ companies such as Netflix, Spotify and the Royal Bank of Canada the ability to read, write and delete users’ private messages.

On the stock exchange, Facebook had fallen by 7.3%, with Loup Venture founder Gene Munster advising against the buying of its stocks, quoting that the social media behemoth’s ‘best days are behind it’.

Published in Apps

Equifax breach the latest in troubling hacking trend

Written on Wednesday, 20 September 2017 08:55

Large digital security breaches are a common occurrence in the corporate world today. The latest breach, experienced by consumer credit reporting agency Equifax, follows a trend of troubling hacks that have played out across the globe this year. It seems adversaries will stop at nothing to evolve their threats, move with even more speed, and find new ways to widen their operational space.

Equifax chief executive Richard Smith said his company “will make changes” after a massive security breach in July that may have exposed the data of up to 143 million people, he said in an opinion piece in USA Today on September 12. Smith said the company first learned of the breach on July 29, but didn’t go public with the information for six weeks because “we thought the intrusion was limited.”

Smith described the hack as the “most humbling moment” in the company’s 118-year history. Founded in 1899 and based in Atlanta, Georgia, it is the oldest of the three largest American credit agencies along with Experian and TransUnion. “We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith wrote, promising to “make changes and continue to strengthen our defenses against cyber crimes.”

The company has been highly scrutinized for its handling of the data breach, which compromised the personal information of as many as 143 million Americans. Residents in the United Kingdom and Canada were also impacted. After detecting the breach, Equifax waited six weeks before it notified the public in early September. Rather than informing people whose data had been compromised, the company set up a website that wasn’t ready for days.

Yahoo experienced similar scrutiny when it dealt with massive data breaches. The company announced in September 2016 that hackers in 2014 had stolen data from more than 500 million of its users’ accounts. Yahoo then announced in December 2016 another breach dating back to 2013 in which over a billion users had their data stolen. The US Securities and Exchange Commission opened an investigation into whether Yahoo should have informed investors sooner about the breaches.

To make up for its failure to protect users’ data, Equifax, which rakes in around US$ 3.1 billion in annual revenue, offered free credit monitoring services to its customers. But the company was criticized for requiring those who enrolled for the offer to waive their right to sue the company. Soon enough, Equifax backtracked on the requirement, allowing customers to sue the company if they sent it in writing within 30 days.

Nevertheless, Equifax has been forthcoming about the wider issue of cybersecurity and the need for change. Smith acknowledged some of the company’s problems in his article, admitting that consumers and media have raised “legitimate concerns” about the services Equifax offered and the operations of its call center and website. “We accept the criticism and we are working to address a range of issues,” he said.

Smith said the company is now committed to doing everything it can to support those affected by the breach. “Our team is focused on this effort and we are engaged around the clock in responding to millions of inquiries from consumers,” he said. Equifax has warned, however, that credit card numbers of around 209,000 people have been exposed, in addition to “personal identifying information” on roughly 182,000 customers involved in credit report disputes.  

Prior to Equifax’s data breach, Time Warner-owned US TV network HBO was the latest major corporation to fall victim to hackers. HBO confirmed on July 31 that a whopping 1.5 terabytes of material had been stolen – a significantly larger amount than the 200 gigabytes stolen from Sony Pictures in 2014. Similar to Equifax’s breach, HBO’s hackers obtained potentially sensitive information, including employee data and even access to internal corporate emails.

The string of corporate hacks this year, including the global “WannaCry” ransomware attack in May and the subsequent “Petya” attack in late June, represent a chilling trend taking place all over the globe, in which cyber hackers are finding more avenues to infiltrate even the most seemingly protected organizations, by findingnew ways to widen their operational space.

An ever-evolving threat

Hackers today have more tools at their disposal than ever before. They also have a keen sense of when to use each one for maximum effect. In Cisco’s Annual Cybersecurity Report 2017, it explains how the explosive growth of mobile endpoints and online traffic work in favor of cyber hackers. Adversaries have more space in which to operate, the report claims, and more choices of targets and approaches.

It may not be possible to stop all attacks, the report says, but you can minimize both the risk and the impact of threats by “constraining your adversaries’ operational space and, thus, their ability to compromise assets.” Cisco suggests that companies should simplify their collection of security tools by integrating them into an automated architecture to streamline the process of detecting and mitigating threats. That leaves companies with more time to address more complex and persistent ones.  

According to Cisco’s 2017 Security Capabilities Benchmark Study, organizations that have not yet suffered a security breach may believe their networks are safe. This confidence is probably misplaced, the report says, considering that 49 percent of the security professionals surveyed said their organizations have had to manage public scrutiny following a security breach.

Take Yahoo for instance: Following the shocking revelation that 1.5 billion of its users accounts were hacked on two separate occasions, the company was forced to slash the price of its core internet business in the sale to US telecom giant Verizon by $350 million. Yahoo is also in the midst of lawsuits related to the way the hacks were handled. In an effort to diffuse the situation and make up for damage to its reputation, Yahoo announced that it would not award CEO Marissa Mayer a cash bonus for 2016.

The Cisco study found that nearly a quarter of the organizations that have suffered an attack lost business opportunities, and four in ten said those losses were substantial. One in five organizations lost customers due to an attack, and nearly 30 percent lost revenue. When breaches occur, operations and finance were the functions most likely to be affected (36 percent and 30 percent, respectively), followed by brand reputation and customer retention (both at 26 percent).

The report once again emphasizes the importance of companies focusing their resources on reducing their adversaries’ operational space if they want to avoid the aforementioned consequences. As a result, attackers will find it difficult to gain access to valuable enterprise resources and to conduct their activities without being detected. Automation, the report says, is essential to achieving this goal.

Automation helps companies to understand what normal activity is in the network environment, so they can focus their resources on more significant threats. Simplifying security operations, the report says, is the most effective way of eliminating adversaries’ unconstrained operational space. Unfortunately, most organizations are using more than five solutions from more than five vendors, according to the study, creating a complex web of technology, which can be a recipe for less, not more, protection.

Published in Reports

After revealing last year that over a billion of its users' accounts had been hacked in two separate occasions, Yahoo just revealed another hack, involving some 32 million accounts that have been accessed by intruders over the past two years.

Reuters reported that the accounts were compromised using forged cookies. Yahoo is said to be in disbelief that the accounts were accessed by the "Same state-sponsored actor believed to be responsible for the 2014 hack." About 500 million accounts were hacked in the 2014 attack.

"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," said Yahoo in its latest annual filing.

In an effort to diffuse the situation, Yahoo announced that it would not award CEO Marissa Mayer a cash bonus for 2016 due to the findings of an independent committee's research into the 2014 security issues. The CEO has also offered to pass up any 2017 annual equity award due to the data breaches.

In September of last year, Yahoo confirmed that 500 million user accounts had been breached during a hack in late 2014. In addition, Yahoo announced in December of last year that another 1 billion accounts were accessed in a data breach that occurred all the way back in 2013.

All of the controversy is happening just as Yahoo is being acquired by US telecoms giant Verizon which is purchasing its core internet business. Because of the security concerns, Verizon revealed last month that it was cutting $350 million from its acquisition price bringing it down to $4.48 billion. The acquisition is expected to close in the second quarter of 2017.

Following the shocking announcement made by Yahoo last year that 1.5 billion of its users accounts were hacked on two separate occasions, Yahoo has slashed the price of its core internet business in the sale to US telecom giant Verizon by $350 million. Under the revised terms of the delayed deal, Verizon will now purchase Yahoo’s assets for $4.48 billion.

Yahoo is still in the midst of lawsuits related to the large cyber attacks against its users, which affected more than 1.5 billion people. The company announced in September last year that hackers in 2014 breached the accounts of more than 500 million user accounts stealing personal information. Then in December, Yahoo admitted to another cyber attacks which took place in 2013 affecting more than a billion users.

The terms of the revised sales agreement between Yahoo and Verizon now says that Yahoo will continue to cover the cost of a Securities and Exchange Commission probe into the breaches as well as shareholder lawsuits. However, Verizon will share the cost of government investigations and third-party litigation related to the hacks.

“We have always believed this acquisition makes strategic sense,” said Verizon executive vice president Marni Walden. “We look forward to moving ahead expeditiously so that we can quickly welcome Yahoo’s tremendous talent and assets into our expanding portfolio in the digital advertising space.”

Verizon is purchasing Yahoo’s main operating business which is a way for the dwindling internet company to separate from its more valuable stake in Chinese internet e-commerce giant Alibaba, in which it will become a new entity, renamed Altaba, Inc., and will act as an investment company. Yahoo’s deal with Verizon is expected to close by July, ending Yahoo’s more than 20 years as an independent company.

Following the massive hacks against its users, Yahoo is said to be ramping up security. Yahoo’s current CEO Marissa Meyer said last month that “approximately 90 percent of our daily active users have already taken or do not need to take remedial action to protect their accounts, and we’re aggressively continuing to drive this number up.”

The SEC has reportedly opened an investigation as to whether Yahoo should have informed investors sooner about the massive data attacks. The company boasted over a billion users in 2016, with more than 650 million of those people connecting from mobile devices. According to US law, companies that fall victim to large data hacks must disclose them as soon as they are deemed to affect stock prices.

Published in Finance

Yahoo has revealed more details about the large hacks against its users’ accounts, saying hackers may have been able to user a maneuver to break into accounts without stealing passwords.

Last year Yahoo announced that an estimated one billion of its users had their accounts breached, which, according to Yahoo, involved forging of ‘cookies’ or files used to authenticate users when they log into their accounts.

The investigation into the hacks is in the final stage, AFP reported. Yahoo is said to be in the final stages of sending out notifications to the list of compromised account owners. A Yahoo spokesperson said the company was notifying all potentially affected users and said the forged cookies have been “invalidated”.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” said Yahoo in a statement. “The investigation has identified user accounts for which we believe forged cookies were taken or used.”

The company broke the news in September last year that in 2014 hackers stole personal information from more than 500 million of its users’ accounts. Yahoo then revealed another attack in December last year, this one dating back to 2013, which affected more than a billion users.

The data breaches have been a major setback for Yahoo which was a leading internet company, especially since it is currently in the process of selling its core operations to US telecoms giant Verizon for $4.8 billion. Following the disclosure of the hacks, reports say that Verizon and Yahoo have come to an agreement to discount the price by $250 million to $300 million.

Yahoo revealed on Monday, 23 January, that the closing of the $4.8 billion deal to sell its core internet assets to US telecom giant Verizon has been delayed several months. What’s more, the US Securities and Exchange Commission have opened an investigation into whether Yahoo should have informed investors sooner about its two major data breaches announced last year.

The US Securities and Exchange Commission is said to have requested documents from Yahoo in December 2016 concerning the two data breaches the company disclosed last year. According to US law, all companies that experience such hacks must disclose them as soon as they are deemed to affect stock prices – which Yahoo did not.

The company announced in September last year that hackers in 2014 had stolen data from more than 500 million of its users’ accounts. The company then announced in December another breach dating back to 2013, in which over a billion users had their data stolen.

The focus of the SEC’s investigation into Yahoo is to determine why it took Yahoo several years to reveal the 2013 and 2014 hacks, the Wall Street Journal reported. However, the SEC has not yet decided whether it will file a lawsuit against the company. The data breaches have been a huge embarrassment for Yahoo as it plans to sell its core internet business to Verizon – a deal that Yahoo recently announced is delayed.

The deal, which was originally set to close this quarter, has been pushed into the next quarter, AFP reported. The announcement came as Yahoo released its quarterly earnings figures that showed a profit of $162 million in the final three months of 2016. The company said in a release, “Yahoo has continued to work with Verizon on integration planning for the sale of its core business.”

Following the disclosure of the data breaches, Yahoo’s deal with Verizon is now in doubt – a deal which would end the company’s more than twenty years as an independent company. Yahoo insists that it is ramping up security to ensure that data breaches will not be an issue again. Yahoo CEO Marissa Meyer said, “Our top priority continues to be enhancing security for our users.”

Meyer added that “approximately 90 percent of our daily active users have already taken or do not need to take remedial action to protect their accounts, and we’re aggressively continuing to drive this number up.”

 

Published in Government

Today, everything is online. The internet is where people go to book flights, go shopping, complete banking transactions, socialize, and so much more. It has provided a world of profound convenience and happiness for people. The only downside is that we’ve become too comfortable with uploading sensitive information which has created a field day for data theft and identity hackers. For instance, Yahoo announced in September 2016 that a massive hack on its network in 2014 saw 500 million of its user’s data breached. Yahoo then announced in December 2016 another breach of more than one billion user accounts that occurred in August 2013, separate and distinct from the previous hack.

"Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry," California-based Yahoo said in a release after the announcement of its 500 million user breach. "Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”

What’s so troubling about Yahoo’s recent announcement is that the company’s chief information security officer, Bob Lord, said the company hasn’t been able to determine how the data from the one billion accounts was stolen. Lord wrote in a post: “We have not been able to identify the intrusion associated with this theft. The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

The Yahoo incident highlights the vulnerability facing even the largest and seemingly most secure organizations around the world. Yahoo was reportedly alerted to the massive breach of accounts by law enforcement and is said to have examined the data with the assistance of outside forensic experts. The hacked data does not appear to include payment details or plaintext passwords, but it’s been reported that the hashing algorithm MD5 is no longer considered to be secured which is bad news for account holders.

The MD5 algorithm is a widely used hash function. The algorithm was designed to be used as a cryptographic hash function, but it has been found to suffer from “extensive vulnerabilities”. Some sources say the security of the MD5 has been “severely compromised” with its weaknesses having been exploited in the field.

The Yahoo hack shows just how seemingly innocuous bits of data obtained by cyber-attacks can be leveraged for profit and even potentially for espionage and information warfare. Yahoo’s breach is reportedly the largest on record.

John Dickson, from the security consultancy firm Denim Group, says while the Yahoo data breached by the cybercriminals is “a bunch of junk,” it still provides the opportunity to create a searchable database with information such as birth dates and phone numbers. For hackers seeking to make profit or commit industrial or state espionage, the personal data provides a world of opportunity.

Just look at the recent US presidential election hack for proof. One of the hacks was the Gmail account of Clinton campaign chairman John Podesta. Media reports said Podesta was tricked into revealing his password when he received a fake email. These kinds of attacks, according to security analysts, are often well-planned, and executed by gathering personal information from individuals, such as birth dates, passwords, etc – the very same information that was hacked from Yahoo’s users.

“If you’re trying to research and get information about a target, you’re going to use everything you can find,” says Dickson, who once was an officer at the Air Force Information Warfare Center. But what was the target of the Yahoo attack? Some believe that the Yahoo hack wasn’t necessarily financially focused. For instance, the Yahoo hackers did not collect credit card or social security numbers, which has led some analysts to the conclusion that there might’ve been motives other than money.

To make things worse, Yahoo is under intense scrutiny after admitting recently that some of its employees were aware of the theft of 500 million users’ data as early as 2014 – years before the company publicly acknowledged what had happened. In response to the breach, Yahoo reported that 23 consumer class action lawsuits have been filed in response to the breach. It is too early for the company to estimate monetary damages, but reports suggest that the hack has led to a loss of about $1 million so far.

Yahoo went into more detail about the hack in a filing in which it wrote, “In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the company could not substantiate the hacker’s claim. Following this investigation, the company intensified an ongoing broader review of the company’s network and data security, including a review of prior access to the company’s network by a state-sponsored actor that the company had identified in late 2014.”

News of Yahoo’s breach has been tough for American telecom operator Verizon to swallow. Verizon officially agreed to purchase Yahoo Inc's core internet business for $4.8 billion in July 2016. Purchasing Yahoo's operations was expected to boost Verizon's AOL internet business, which it bought in 2015 for $4.4 billion, by giving it access to Yahoo's advertising technology tools as well as other assets such as search, mail and messenger.

But when news broke that Yahoo’s user information had been breached, Verizon reportedly asked for a $1 billion discount, which wasn’t disclosed until after the September sale even though Yahoo CEO Marissa Mayer allegedly learned of the breach in July. In a filing by Yahoo, it said it has formed an independent committee to review “the scope of knowledge within the company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”

The controversy surrounding Yahoo’s data breach plays directly into the paranoia inflicting the United States right now over cybersecurity concerns in the US election campaign and the potential impact of hacked email accounts from people close to Democratic presidential candidate Hillary Clinton. On October 7, 2016, the U.S. government formally accused Russia of trying to “interfere” with the American presidential election, and promised to respond at an undisclosed time and place.

Could data be weaponized as a new tool used by governments to execute specific foreign policy agendas? James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a cybersecurity think-tank, said in a blog post, “Espionage and geopolitical manipulation can now be easily achieved through cyber and information warfare from any adversary.”

Scott added: "Now, at least China, Iran, Russia, and Venezuela have funded political propaganda campaigns that digitally weaponized information by spreading disinformation and polarizing content throughout Western nations.” Scott further noted that the breaches affecting Clinton and the Democratic National Committee were "dangerous because they provide a context-less release of information to the public that breeds distrust and resentment."

There are fears among experts that attackers could mix real data with manipulated information to distort facts, creating further confusion and mistrust. Security firm InfoArmor came forward in September to say its analysis of the first Yahoo breach indicated that “professional” hackers had stolen the data, and had later sold it to a “state entity”. The firm said that the breach “opens the door to significant opportunities for cyber espionage and targeted attacks to occur.”

With data breaches becoming more common around the world, leaders are stepping up to protect their nations from cyber-attacks. Outgoing US President Barack Obama recently called for a broad review to be conducted into the Russian hacking scandal. Meanwhile, Russian President, Vladimir Putin has approved a broad-ranging cybersecurity plan which is specifically aimed at bolstering the country’s defenses against cyber-attacks from abroad, while it will also be utilized for cracking down on perceived foreign influence.

Published in Reports