Data security, Data Breaches and Privacy Breaches
We assume our data is safe with the likes of Facebook, Google and many
"secure" large organisations.
But how true is that? I decided to make up a bit of a list.
Remember some of these?
Let me know if you know of any others of interest that should be added.
- Data and Security breaches
* 25/10/22 Medibank and AHM confirmed important personal private customer data was stolen from
their secure systems.
Medibank and AHM confirmed their protected systems had been successfully hacked and compromised. Customer, patient and
medical information was stolen. The hackers sent Medibank samples of the stolen
patient and customer data as proof. Medibank confirms the breach is much more serious than
initially reported.
26/10/22 Medibank confirmed that the personal data and health claims data of at least 4 million
customers, including overseas students, has been stolen.
9/11/22 Medibank announced that the hackers have released all the files on the internet containing all the
detailed customer data downloaded from Medibank systems, because Medibank refused to pay the ransom for the breach.
All our personal Medibank data is now out there.
Reported by: Radio 3AW 693 Melbourne News. Also other news services and Medibank.
* 4/9/23 Commonwealth Bank blunder: Victorian couple lose $90,000.
A couple whose $90,000 was lost from their Commonwealth Bank account did
not receive a dime back after over 2 months and only received a link to a
suicide helpline.
Ellie Houston, 21, and her partner, 23, were told by Commonwealth Bank to
contact Beyond Blue for their mental stress and anguish after their deposit
vanished over two months ago.
They transferred $90,000 for a property settlement from CBA to a Bank of
Melbourne account on June 30 2023.
“Our money came back to our CBA account because both of our names had not
yet been approved in the Bank of Melbourne account” Ms Houston told 3AW
Radio on 4/9/23.
The couple tried again to transfer the $90,000 to the Bank of Melbourne
account on July 4, but the money was returned to their account a few days
later.
“We came home from Bali on July 20, we went straight to the Commonwealth to
settle this land and transfer the money to the Bank of Melbourne,” she said.
“There is no money in our account. 75c. And they can’t tell us where it
went, nothing.”
Ms Houston said the $90,000 had been in the CBA account when they were in
Bali, but when they were due to be transferred to the Bank of Melbourne on
their return home it was gone.
The couple received a "three-point" statement from the CBA
complaints team, who said "Our records do not match your records", even
though Ms Houston had receipts and screenshots as proof of the two times the
$90,000 was transferred.
A CBA spokesman told Daily Mail Australia “Mr. Murphy claims his account
balance should be $96,000. Subject to additional information from Mr.
Murphy, CBA is willing to conduct further investigations.” As at 4/9/23 they
have received nothing.
Reported by: Radio 3AW Neil Mitchell 4/9/23, Daily Mail Australia,
https://nybreaking.com/commonwealth-bank-blunder-victorian-couple-lose-90000-before-bank-sends-link-to-suicide-helpline/
* 22/9/22 Optus hacked, with a data breach affecting 10 million customers.
The ABC estimates up to 9.8 million Australians have been affected by the
attack, with 2.8 million seriously impacted.
Describing one of Australia’s biggest cybersecurity breaches, Optus CEO
Kelly Bayer Rosmarin said on Friday that an “offshore-based entity”,
apparently in Europe, had broken into the company’s database, accessing home
addresses, driver’s licence and passport numbers of the equivalent of 40 per
cent of the country’s population.
The hackers then publicly and blatantly demanded a US$1 million ransom not to
release the information.
On 27/9/22 the purported attacker released a text file of 10,000
records to the public as proof. This included email addresses from the Department of Defence and
the Office of the Prime Minister and Cabinet. They promised to leak 10,000 more each day for the next four days unless
Optus paid them the $1m.
The Guardian newspaper has verified the file contains records with people’s
names, dates of birth, email addresses, phone numbers, postal addresses, and
in some cases, licence numbers, passport numbers and Medicare card numbers.
This caused a frantic, disorganised rush by many
people on 28/9/22 to have their driver’s licences, passports and even Medicare
cards changed and reissued at huge cost to prevent identity theft. Surprisingly, even people who
had not been Optus customers for decades were stunned to find their long-stored information
had not been safely archived and had been stolen.
Reported by: The Guardian, ABC and just about every media outlet you can
think of.
* 1/7/22 Liberal MP faces lifetime Facebook ban after hackers posted porn
on page.
Victorian Liberal Party parliamentarian Georgie
Crozier, and two days later David Southwick, had their Facebook accounts hacked. Pornographic
pictures were put up and $1800 was stolen via credit card. Then Facebook shut down
their pages and accounts without warning. Later her Instagram and
WhatsApp accounts were also shut down. This also happened to other Facebook
users. Facebook support proved difficult to contact and uncooperative in getting accounts reactivated.
Crozier has reported the identity theft to police.
Reported by: The Age newspaper and Radio 3AW, 19 July 2022
* 10/6/22 Morgan Stanley lawsuit relating to Data Security Incidents.
Morgan Stanley Data Security Litigation, 1:20-cv-05914-AT (S.D.N.Y.)
If you are a former or current Morgan Stanley client who was sent a data
breach notice letter in July 2020 and/or June 2021 notifying you that your
Personal Information may have been compromised in Data Security Incidents,
you may be eligible for benefits from this class action Settlement.
Deadline to File a Claim Form August 11, 2022
A Settlement has been reached with Morgan Stanley Smith Barney LLC in a
class action lawsuit regarding the decommissioning or retiring of
information technology equipment that contained client data that occurred in
2016 and 2019. Morgan Stanley issued notices to customers regarding the Data
Security Incidents in July 2020 and/or June 2021. The Settlement, if
approved, would create a fund of $60 million, which will be used to provide
substantial benefits to Settlement Class Members including at least
24 months of fraud insurance coverage, reimbursement to the members of the
Settlement Class who file a valid claim for out-of-pocket losses and lost
time researching and remedying the effects of the Data Security Incidents,
as well as to pay Plaintiffs’ attorneys’ fees, costs, and expenses, and a
service award for each of the named Plaintiffs.
Plaintiffs allege that in 2016 and 2019, Morgan Stanley failed to properly
dispose of certain IT assets and that, as a result, unauthorized third
parties may have gained access to Morgan Stanley’s clients’ private
information, including, but not limited to, names, work and home addresses,
Social Security numbers, driver’s license numbers, income, asset value,
asset holding information, passport information, telephone numbers, dates of
birth and other personal information. Some of these devices that may contain
customer PII were sold on the internet and/or remain unaccounted for.
10 June 2022 https://www.morganstanleydatasecuritysettlement.com
* 11/1/21 Ubiquiti breach catastrophic
Ubiquiti Inc. [NYSE:UI] - a major vendor of cloud-enabled Internet of Things
(IoT) devices such as routers, network video recorders and security cameras -
disclosed that a breach involving a third-party cloud provider had exposed
customer account credentials. Now a source who participated in the response
to that breach alleges Ubiquiti massively downplayed a catastrophic incident
to minimize the hit to its stock price, and that the third-party
cloud provider claim was a fabrication.
The third-party cloud provider involved is Amazon Web Services (AWS).
Reported by: KrebsOnSecurity, 30 March 2021.
* 29/7/19 Capital One server hacked by Amazon Web Services employee
Consumer watchdog USA PIRG says this is the largest bank hack ever.
Former Amazon Web Services systems engineer Paige A. Thompson, 33, of Seattle,
collected data putting at risk more than 100 million people in the USA and
Canada. Capital One is likely only one of several organisations whose data was
obtained by the defendant.
The FBI was advised the acquired data was being stored on GitHub, an online
platform with more than 36 million users. The perpetrator worked on AWS S3
(Amazon Simple Storage Service), Amazon's platform for storing data for
millions of applications for companies all around the world. Information
included names, social security numbers and birth dates. She accessed the
server through Amazon's firewall and downloaded the data in March 2019 from Capital One's storage
space on Amazon's cloud system.
Adam Garber of USA watchdog PIRG says that when social security numbers in particular are exposed,
that's your "financial DNA" and it enables criminals to open accounts in your
name.
The incident brings the security of cloud-based information
services more and more into question. According to IBM, data breaches have leaked more
than 11.7 billion records during the past 3 years alone.
Reported by: USA Today-Money, 31 July 2019.
* 6/2/2019 Optus penalised $10 million for misleading customers over
digital purchases.
The Federal Court has ordered Optus to pay a $10 million penalty for its
treatment of customers who unknowingly purchased games, ringtones and other
digital content through its third-party billing service, following action by
the ACCC.
Optus admitted the company misled consumers and breached the ASIC Act
when it billed customers for third party-produced content which they
mistakenly bought or subscribed to through its "direct carrier billing"
(DCB) service.
The $10 million penalty is one of the highest imposed by the Court and equals the penalty paid by Telstra
last year after it admitted to similar conduct.
Reported by: Australian Competition and Consumer Commission (ACCC) 6 February
2019.
* 24/7/19 Credit reporting agency Equifax Security Breach
Equifax agreed to pay up to US$700 Million to settle a 2017 security breach that exposed the personal data of
147 Million people.
Reported by: USA Today-Money, 31 July 2019.
* 15/12/18 Marriott Starwood Guest Reservation Database Security Incident
On September 8, 2018, Marriott received an alert from an internal security
tool regarding an attempt to access the Starwood guest reservation database.
Marriott quickly engaged leading security experts to help determine what
occurred. Marriott learned during the investigation that there had been
unauthorized access to the Starwood network since 2014. Marriott recently
discovered that an unauthorized party had copied and encrypted information,
and took steps towards removing it. On November 19, 2018, Marriott was able
to decrypt the information and determined that the contents were from the
Starwood guest reservation database.
Marriott has not finished identifying duplicate information in the
database, but believes it contains information on up to approximately 500
million guests who made a reservation at a Starwood property. For
approximately 327 million of these guests, the information includes some
combination of name, mailing address, phone number, email address, passport
number, Starwood Preferred Guest ("SPG") account information, date of birth,
gender, arrival and departure information, reservation date, and
communication preferences. For some, the information also includes payment
card numbers and payment card expiration dates, but the payment card numbers
were encrypted using Advanced Encryption Standard encryption (AES-128).
There are two components needed to decrypt the payment card numbers, and at
this point, Marriott has not been able to rule out the possibility that both
were taken. For the remaining guests, the information was limited to name
and sometimes other data such as mailing address, email address, or other
information.
Marriott reported this incident to law enforcement and continues to
support their investigation. The company is also notifying regulatory
authorities.
Marriott deeply regrets this incident happened.
Unfortunately Marriott Starwood chose NOT to disclose even very basic but important
information that would help others like you and me to check and protect
themselves against similar attacks: obvious details such as a) the IP source address of the
attack, b) the Internet Service Provider name, c) the country of origin and d) the method of
attack.
* 6/3/18 Citrix hacked and didn't know until FBI alert
Criminals believed to be an Iranian group hacked into the Citrix internal
network and accessed and downloaded sensitive business documents totalling
at least 6 terabytes of data.
Citrix was contacted by the FBI on 6 March 2018 and told there was reason to
believe there had been a cyberattack on the Citrix network.
Security firm Resecurity confirmed the attack to Citrix on 28 December 2018. It
is believed to be a cyberespionage campaign targeting government,
military-industrial and energy companies, financial institutions and large
enterprises involved in critical areas of the economy.
Reported by: Computer Reseller News, April 2019.
* 2018 Facebook admits it stored passwords as plaintext, allowed improper
access to photos and advised of a serious security software bug
Passwords for hundreds of millions of Facebook users have been housed in
plain text and searchable by thousands of Facebook employees since 2012.
An internal probe found Facebook staff had been building applications that
logged unencrypted password data and stored it in plain text on Facebook
servers, making it searchable by more than 20,000 Facebook employees.
Between 200 and 600 million users may have had their passwords stored as plain
text.
This issue comes 3 months after Facebook disclosed it had allowed third party
applications to improperly access photos from up to 6.8 million users. The
bug affected up to 1500 apps built by 876 developers and exposed photos for
12 days between 13-25 September 2018.
3 months before that Facebook revealed attackers exploited a vulnerability
in software code to potentially take over nearly 50 million people's
accounts. The vulnerability impacted the "View As" feature that lets people
see what their own profile looks like to someone else.
Reported by: Computer Reseller News, April 2019.
* February 2018, 150 million MyFitnessPal accounts hacked in huge data breach.
Sports apparel maker Under Armour admitted around 150 million MyFitnessPal
smartphone app user accounts were hacked in February 2018.
The sports giant stated “an unauthorized party acquired data
associated with MyFitnessPal user accounts” in February, but it only
became aware of the breach on 25 March 2018. The data includes usernames, passwords and email addresses
but not bank, driving licence or social security information.
It's the biggest data breach of 2018 so far, and Under Armour said it is
"working with leading data security firms to assist in its investigation" as
well as law enforcement authorities. Shares dropped almost 4% in after-hours
trading.
Unfortunately both MyFitnessPal and Under Armour chose NOT to disclose even very basic but important
information that would help others like you and me to check and protect
themselves against similar attacks: obvious details such as a) the IP source address of the
attack, b) the Internet Service Provider name, c) the country of origin and d) the method of
attack.
* 2017 Equifax
On September 7, Equifax, one of the three major consumer credit
reporting agencies, announced a cybersecurity incident, one of the largest
in history. It affected 143 million American consumers, exposing names, Social Security
numbers, birth dates, addresses and driver's license numbers. Unauthorized data access occurred from mid-May through July
2017. The breach was discovered on July 29.
Unfortunately Equifax chose NOT to disclose even very basic but important
information that would help others like you and me to check and protect
themselves against similar attacks: obvious details such as a) the IP source address of the
attack, b) the Internet Service Provider name, c) the country of origin and d) the method of
attack.
* 2019 Zomato
In May 2017, the restaurant guide website Zomato was hacked, resulting in the exposure of almost 17 million accounts. The data was subsequently
redistributed online and contains email addresses, usernames and salted MD5
hashes of passwords (the password hash was not present on all accounts).
Reported by data analyst Adam Davies.
Breach date: 17 May 2017
Compromised accounts: 16,472,873
Compromised data: Email addresses, Passwords, Usernames
* 2016 Visa Credit Card Fraud
Did you know that for each $100 transacted in the Visa system, 6 cents
represents fraud?
National Australia Bank, Merchant News, October 2006.
* 2016 FriendFinder Networks Inc
More than 412 million users' credentials for adult websites owned by
California-based FriendFinder Networks Inc were obtained.
Unfortunately FriendFinder Networks chose NOT to disclose even very basic but important
information that would help others like you and me to check and protect
themselves against similar attacks: obvious details such as a) the IP source address of the
attack, b) the Internet Service Provider name, c) the country of origin and d) the method of
attack.
* 2015 Ransomware and Cryptolocker Holding Companies to Ransom
Read this article on how ransomware has been monetised as a business model.
http://micronica.com.au/support/cryptolocker/
Computer Reseller News, August 2015
* 2015 Ukrainian power grid breach
A successful cyber attack against the Ukrainian power grid resulted in
temporary power loss for 225,000 individuals.
What's New in Electronics, July 2020.
* 2014 Yahoo data breach
This breach occurred in late 2014 and was not disclosed until
September 2016. It impacted 500 million accounts.
Unfortunately Yahoo chose NOT to disclose even very basic but important
information that would help others like you and me to check and protect
themselves against similar attacks: obvious details such as a) the IP source address of the
attack, b) the Internet Service Provider name, c) the country of origin and d) the method of
attack.
* August 2013, 3 billion Yahoo accounts compromised
Initially Yahoo reported that 1 billion of its accounts were compromised, the
largest data breach in history. They did not disclose it until December, but then admitted that it actually affected
all of its 3 billion accounts.
The stolen information included names, email addresses, phone numbers,
birthdates, security questions and answers, and backup email addresses used
to reset lost passwords. This is valuable information for someone trying to break
into other accounts owned by the same user, and particularly useful to a
hacker seeking to break into systems including government computers around the world.
Verizon in February lowered its original offer for Yahoo's assets by US$350 million
in the wake of the two massive cyber attacks at the internet company.
Unfortunately Yahoo and Verizon, who bought Yahoo, chose NOT to disclose even very basic but important
information that would help others like you and me to check and protect
themselves against similar attacks: obvious details such as a) the IP source address of the
attack, b) the Internet Service Provider name, c) the country of origin and d) the method of
attack.
* February 2013, Altech website hacked
Australian distributor Altech Computers' website fell victim to hackers who
gained access and uploaded 3 animated pornographic pictures on its product
news page, causing the page to be down for a day. Altech said it was investigating the
source of the attack.
Computer Reseller News, February 2013
* 2010 Iranian nuclear program hacker breach
The Stuxnet virus compromised Programmable Logic Controllers (PLCs) used in the
Iranian nuclear program. It is quoted as a prime example of the scale of attack that can
occur when embedded systems are breached by cyber attacks.
What's New in Electronics, July 2020.
- Some Privacy breaches
People see value in handing over enormous amounts of private data to
Facebook, Google, Apple etc. and letting AI algorithms deliver amazing
personalised customer experiences. Some examples of where computer privacy
stories are gaining traction:
* I was sitting on the sofa talking to my wife about a word game we both
play. She lamented that one of the people she plays against regularly had
not played in a while. While we were sitting there my phone flashed an alert
from the game informing me that my wife was looking for more games. That, I
have to tell you, is spooky. It's also accurate information.
Matthew JC Powell, CRN, November 2018
* I was driving along and saw a new restaurant that offered a cuisine with
which I am unfamiliar. Later that afternoon an ad for that restaurant
appeared in my Facebook feed. Way spooky - I didn't even say it out loud.
Matthew JC Powell, CRN, November 2018
- Scams
* 8/8/23 Australians lost $1.5 billion to investment scams in 2022. - NAB Update 8/8/23
* 3/8/23 Australians scammed out of $3 billion in 2022. - ABC TV News 3/8/22
* 3/8/23 ANZ Bank: 10,000 customers scammed in 2022. - ANZ Bank CEO, Shayne Elliott, Radio 3AW 3/8/22
- Some Security Breach Resources
* Have I been pwned
- List of recent breaches