September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss. 380,000 of the airlines’ website and mobile app customers had their debit and credit card details lifted via a maliciously injected script. The breach even caused BA owners, IAG, to drop in value 4%. And to compound matters, there were several claims made that the BA website wasn’t PCI DSS compliant, implying if they were PCI DSS compliant, their customer’s personal and payment card information would still be safe. For further details about this breach see my blog posts; British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.
Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users’ data was at risk after hackers exploited a vulnerability the Facebook code. Facebook CEO Mark Zuckerberg said he doesn’t know who is behind the cyber attack, however, the FBI are investigating.
There was a good measure of embarrassment at the Tory Conference after a flaw in the conference App revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove, Gavin Williamson among those whose their personal information and phones numbers made available.
There was a number of large data breach fines handed out in September, Tesco Bank was hit by a whopping £16.4 by the Financial Conduct Authority (FCA), the fine would have been doubled if it weren’t for Tesco’s good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left their bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank’s design of its debit card, its financial crime controls and in its financial crime operations team, to carry out the attack over a 48-hour period.
Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner’s Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data. It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
The ICO also fined Bupa £175K, for not having good enough security to prevent the theft of 547,000 customer records by an employee. Uber has paid £133m to settle legal claims to customers and drivers, as a result of trying to cover up a huge breach which occurred in 2016 from their regulators. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they robbed from Uber’s cloud servers. The personal data stolen was from 57 million Uber accounts, also included information about 600,000 driving license numbers.
Looks like the MoD and GCHQ are looking to beef up Britan’s Cyber Offense capabilities, announcing a plan to recruit a 2,000 strong ‘cyber force’ to take on the Russian threat. Meanwhile across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of book and movie “Catch me if you Can”.
Bristol Airport was impacted by a ransomware attack, which took down their arrival and departure screens for a couple of days, and a Scottish Brewery was also hit by ransomware attack through infected CV it had received through an online job advertisement.
Europol warned of 15 ways you could become a Cyber Crime Victim, and there was an excellent article in the New York Times on the Bangladesh’s Central Bank Cyber Theft
- British Airways Hacked, 380,000 Customer Payment Card details Stolen via Website & Mobile App
- Veeam MongoDB left unsecured, 440 million records exposed after AWS Misconfiguration
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
*** This is a Security Bloggers Network syndicated blog from IT Security Expert Blog authored by Dave Whitelegg. Read the original post at: http://feedproxy.google.com/~r/securityexpert/~3/zcvGDkiJMTs/cyber-security-roundup-for-september.html