Monthly Breach Report: November 2018 Edition (Nov 16, 2018)
Another social media platform falls victim to a software vulnerability, while a major Chinese airline is investigated under the GDPR. These are just some of the data breach stories that hit the headlines this past month.
1. Google+
October 08, 2018 – Google has announced that it is shutting down its social network platform Google+. Behind this decision is a data leak that exposed the personal data of up to 500,000 people. Data that was supposed to be visible only to a user's friends and circles could be accessed by other app developers. Google discovered the bug in March 2018, during a comprehensive review of the access granted to third parties to Google account and Android device data.
Google put out a blog post highlighting the issue, but the move invited more criticism and scrutiny, especially since the company admitted that 438 apps may have used the application programming interface (API) that made the private data available. “We found no evidence that any developer was aware of this bug or abusing the API, and we found no evidence that any Profile data was misused,” Google said. The blog post also said that Google will make it easier for users to check and control exactly what data they share with apps.
Google+ will still exist for enterprises that use Google’s G Suite, though the consumer version will be wound down by next year.
2. Cathay Pacific
October 24, 2018 – Hong Kong-based airline Cathay Pacific suffered a major data breach affecting up to 9.4 million passengers. The airline confirmed that the leaked personal information of its passengers included passport numbers, email addresses, and some credit card details. The breach was spotted during an ongoing IT operation at the airline that revealed unauthorized access to systems holding passenger data. The attackers were reportedly able to access 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers, and an additional 27 credit card numbers with no CVV.
“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” the airline’s CEO, Rupert Hogg said in a statement.
Although Cathay Pacific is a Chinese company, it is still being investigated under the GDPR because of the long gap between the discovery of the breach and its announcement to the public.
3. Department of Defense
October 24, 2018 – “On Oct. 4, the Department of Defense identified a breach of personally identifiable information of DoD personnel that requires congressional notification,” said Lt. Col. Joseph Buccino, a Pentagon spokesperson. The US Department of Defense (DoD) was hit by a data breach after a large volume of its critical intelligence data was exposed on a publicly accessible server.
The incident involved the potential compromise of personnel PII that was handled not by the Department itself but by a vendor providing travel management services to the Pentagon, the spokesperson pointed out, noting that the vendor had been responsible for only a small percentage of those services for DoD.
Meanwhile, it was reported that the breach may have affected around 30,000 personnel. The exact timeline of the breach is still not known: although it was only recently detected, it is possible that the intrusion took place months ago and went unnoticed.
4. Anthem
October 17, 2018 – Anthem, the second-largest health insurer in the U.S., agreed to pay a $16 million fine to the government stemming from its massive 2015 breach. On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, it had discovered that cyber-attackers had gained access to its IT system through an undetected cyber-attack for the apparent purpose of extracting data, also known as an advanced persistent threat attack.
A spear-phishing email gave the attackers access to sensitive data for weeks, including the Social Security numbers of tens of millions of Americans, along with names, medical IDs, birthdays, email addresses, street addresses, and employment information, including income data. Approximately 79 million former and current customers were affected.
“Anthem takes the security of its data and the personal information of consumers very seriously,” the company said in a media statement. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”
Source: Financial Express