On Monday, a First American Financial customer named David Gritz filed a class-action lawsuit against the real-estate title insurer for an alleged data breach exposing 885 million files. The breach was reported last week by cybersecurity researchers who claimed the files “were available without authentication to anyone with a web browser,” as reported by Bloomberg. Gritz’s lawyer claims that hundreds of millions of bank account numbers, Social Security numbers, and financial records were exposed because the company “failed to implement even rudimentary security measures.” The exorbitant volume of data includes files dating back to 2003. The lawsuit will play out in a U.S. District Court in Santa Ana, Calif., where First American is based.
“We deeply regret the concern this defect has caused,” commented First American CEO Dennis J. Gilmore in a statement posted to the company’s website. “We are thoroughly investigating this matter and are fully committed to protecting the security, privacy, and confidentiality of the information entrusted to us by our customers.” The company’s statement also implied that the exposed information had never been used for malicious intent, noting, “Though the ongoing investigation is in its early stages, at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred.”
Apologies and addressing breaches are not enough, said Luis Corrons, a security evangelist at Avast. “It happens again and again – companies leaving data unprotected for everyone to see. Some major data leaks have happened because of this kind of negligence. Perhaps if it was punished by law with high fines, companies would be vigilant and better protect the data they are holding.”
“An unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21-22, 2019,” the content-sharing platform said on their site. The company discovered the hack on April 23, after its engineering team noticed suspicious activity related to certain databases. Flipboard then hired a third-party security firm to investigate.
Not all Flipboard databases were compromised, but the subset that was contained user names, hashed and “salted” (cryptographically protected) passwords, email addresses, and digital tokens linking third-party accounts with a user’s Flipboard account. Flipboard does not collect financial info, credit card numbers, bank account numbers, or Social Security numbers. In its notice to the public, the company states that while there is no evidence that “the unauthorized person accessed third-party account(s),” all digital tokens have been either deleted or replaced as a precaution. All users’ passwords have been reset as well, so any user who is logged off and tries to log back in will be prompted to create a new password. The company states, “we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. We also notified law enforcement.”
This week’s stat
Last year the online gaming industry produced an estimated revenue of $135 billion, a 10.9% increase over 2017.
Phishing scam poses as Microsoft Office 365
A new phishing scam hitting inboxes pretends to be an alert from Office 365 informing users that their accounts have had unusual amounts of file deletions, reports BleepingComputer. The malicious email encourages the user to click on a VIEW ALERT DETAILS button, which then takes the user to a phony Office 365 login page. When the user enters his or her credentials, that login information is sent to a domain controlled by the attacker, while the user is then redirected to the official Office 365 page and asked to log in again.
Savvy users might notice that the phony Office 365 login page is hosted on an Azure site, which is a telltale sign that something is off. Microsoft and Outlook login pages will only be found on microsoft.com, live.com, microsoftonline.com, and outlook.com.
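The domain check described above can be automated, for example when triaging links from reported emails. The following Python sketch is an added example, not code from the article or from Microsoft; the function names `login_host` and `is_listed_login_page` are hypothetical and every sample URL is constructed.

```python
from urllib.parse import urlsplit

# The four domains the article lists for Microsoft and Outlook login pages.
LOGIN_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com", "outlook.com")


def login_host(url):
    """Return the normalized hostname of an https URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".").lower()
    try:
        # Non-ASCII (look-alike) hosts become punycode, so they can never
        # compare equal to an ASCII entry in LOGIN_DOMAINS.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_listed_login_page(url):
    """True only if the host is a listed domain or a subdomain of one."""
    host = login_host(url)
    if host is None:
        return False
    # Match on a dot boundary: "notmicrosoft.com" must not pass as "microsoft.com".
    return any(host == d or host.endswith("." + d) for d in LOGIN_DOMAINS)


# Constructed sample URLs (not taken from the reported campaign).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://constructed-sample.azurewebsites.net/office365/login",
    "https://login.microsoftonline.com.phish.example/",
    "https://microsoftonline.com@phish.example/",
    "https://notmicrosoft.com/login",
    "http://login.live.com/login.srf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "listed" if is_listed_login_page(sample) else "NOT listed"
        print(f"{verdict:10} {sample}")
```

A "listed" result only confirms where the page is hosted; it is a filter for spotting pages like the Azure-hosted one, not proof that an email is genuine.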
The incident is a good reminder to never click a link within an unvalidated email. Instead, close the email, open a new browser window, and then log in to the account in question — through the “front door.” More often than not, users will then learn that there is really nothing amiss regarding their account. Read more on how to defend yourself from email fraud.
California PD employs facial recognition tech
The police department in Anaheim, Calif., is using Veritone facial recognition software for “an initial, trial phase,” as reported by ZDNet. Anaheim Deputy Police Chief Julian Harvey commended the “IDentify” program, calling it “remarkably accurate” and noting that it has helped identify suspects in 100 cases and has led to the solving of at least one so far. The software compares new images, such as security footage from the scene of a crime, with the police department’s photo database of known offenders. “Even with a very grainy still from a heavily pixelated video, it’s managed to make a hit,” Harvey said.
Facial recognition technology is a controversial issue and, if used to support an indictment, will most likely be contested in court. San Francisco banned it earlier this month, and a furor arose over an Oregon county using Amazon facial recognition programs in their police work. Not everyone trusts the tech, but that is not daunting Veritone Founder and CEO Chad Steelberg, who claimed, “We are changing the job of law enforcement.”
In addition to police work, facial recognition tech can be applied to advertising, the travel industry, and various other uses. Last week, the Avast blog reported on facial recognition tech being used by a school in Australia for better exam security.
This week’s quote
“It is ridiculous to deny the value of this technology in securing airports and border installations.” – Jonathan Turley, a constitutional law expert at George Washington University, commenting on facial recognition tech.
Healthcare industry fears cyberattacks
Results from a recent healthcare industry poll conducted by Chicago consulting firm Baker Tilly show that 26% of those surveyed consider cybersecurity “the emerging risk of most concern to their healthcare organization,” BusinessWire reported. Noting that healthcare today relies heavily on technology, a Baker Tilly healthcare specialist commented, “A data breach can be catastrophic to a healthcare provider.”
This week’s ‘must-read’ on The Avast Blog
The Mueller Report found that Russian hackers made a strong, deliberate attempt to influence the 2016 US presidential election. Will it happen again in 2020? Avast looks at the players involved and whether they’re doing enough to prevent history from repeating.