Today, HSBC Bank disclosed that they had a data breach between the dates of October 4th and October 14th. The amount of people affected by this breach is undisclosed, but only Americans have had their data compromised. The kinds of information that was leaked may include: full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.
To rectify this, HSBC has said that they are going to enhance their authentication processes for their online banking and will offer affected customers a year long subscription to a “credit monitoring and suspicious activity alerting product”. These gifts and claims sort of fall flat, as they do not have good history with their security. According to Wired, they weren’t using “up to date encryption standards for online banking” and according to a Swansea University researcher, they were ranked in the bottom five of banks based on “the technical measures used by their respective websites” as of me writing this.
The way the breach occurred hasn’t been stated yet, but Ilia Kolochenko, the CEO and founder of High-Tech Bridge, has said that “as it would appear that only US customers have been affected, that could point to the breach occurring by way of an authorized third-party or careless employee”.
This breach definitely results from these accusations that Wired and the Swansea University researcher said, as potential hackers could have seen this informations and decided to attack them next, as they had reported lower levels of security as opposed to other targets.
Recently, a temporary worker at Chicago Public Schools was fired from her job and is alleged to have stolen a personal database in retaliation. The personal database contained the information of approximately 70,000 people. The information which was stolen included, names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family services.
She allegedly copied the database then proceeded to delete it from the Chicago Public School’s system. Those affected by this breach included employees, volunteers and others affiliated with Chicago Public Schools. Luckily, the breach was discovered before any information was used or spread in any way by the former employee. The individual is now being charged with one felony count of aggravated computer tampering/disrupting service and four counts of identity theft.
This incident is an example of a very essential part of computer security, no matter how many security measures are put in place to guard a system somebody, like a disgruntled employee, can still cause a security breach. The lesson to be learned is to keep a close eye on employees, especially those which show red flags, and to be careful what data/databases certain employees are authorized to use, view and modify.
In fairly recent news, eight adult websites had their databases breached and downloaded to a total file size of 98 megabytes. Now judging from that number, one could assume that this is not the most large-scale breach however it is still relevant. What was breached is as follows, IP addresses of users, hashed passwords, names and 1.2 million unique email addresses. Robert Angelini, the man behind it all claims that the figure is inaccurate as the website had only somewhere to the tune of 100k posts on it. The site has been since taken down for maintenance until the security vulnerability is fixed. He urges users to change their passwords. It is said that if the website cannot be secured then it will remain down forever.
This breach is compared to the breach of Ashley Madison in that the users could be blackmailed due to the nature of the website. The nature of the website of course being to post naked pictures of one’s spouse which is definitely of questionable ethics. The difference of course being the scale of the breach with Ashley Madison dumping 36 million users.
For those who have been breached, there are similar takeaways from other breaches, change your password and please don’t reuse passwords. Blackmail could be avoided by signing up for services like this with a disposable email account . Also, the password hashes that were dumped were hashed with Descrypt, a hash function created in 1979. A password hash posted to twitter by Troy Hung, the guy behind https://haveibeenpwned.com/ was cracked in 7 minutes by hashcat. In conclusion this illustrates the risks people may not know that they are putting themselves at by putting personal information on insecure websites.
Last week (as of writing) the Centers for Medicare & Medicaid Services announced a large data breach regarding Healthcare.gov’s Federally Facilitated Exchanges. The specific part of the exchanges that was breached is supposed to provide customers access with access to healthcare agents and brokers to assist in their applications for coverage.
“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
The breach seems to be a result of compromised agent/broker account, which CMS has done away with. The scope as reported by CMS is believed to be around 75,000 users, but the Office of the Inspector General has reported that no banking, federal tax, or personal health records were lost in the breach. CMS reported the breach to the FBI and are currently complying with the federal investigators regarding this event.
The strange activity began on October 13th and CMS identified it as a breach and reported it on October 16th. The offending accounts were disabled, and as an extra precaution they disabled the part of the FFE that allowed for agent/broker interaction with customers. As that tool is only one of multiple options for enrollment, Healthcare.gov remains open and operational while CMS works to fix the issues that led to a breach.
Apple has recently released the initial version of a new website that will allow their users to check what personal information has been collected by Apple. This comes after an interview with Tim Cook in March where he said: “We’ve never believed that these detailed profiles of people that have incredibly deep personal information that is patched together from several sources should exist”. This website would add an unprecedented level of transparency for a company of this size. Despite this transparency and their apparent aversion to not making their customers products Apple still collects a wide variety of user information ranging from calendars and contacts to entire documents and photos. The website has already been tested in the EU to make sure it passed all of the privacy regulations that are present there. Their intentions do seem pure at least for right now. As part of the recently released iOS 12, Apple added features which help block targeted ads based on shopping or search history. Apple has continued to be very active in trying to push regulations regarding privacy across the globe. Even though they are making it harder for other companies to get personal information and allowing you to see your own they are continuing to collect and store that same information.