
The blog of DataDiggers


Chipotle customers are saying their accounts have been hacked

Posted by on Apr 17, 2019 in Apps, computer security, credential stuffing, data breach, data security, Food, Hack, multi-factor authentication, Password, Prevention, Privacy, Security, spokesperson | 0 comments

A stream of Chipotle customers have said their accounts have been hacked and are reporting fraudulent orders charged to their credit cards — sometimes totaling hundreds of dollars.

Customers have posted on several Reddit threads complaining of account breaches and many more have tweeted at @ChipotleTweets to alert the fast food giant of the problem. In most cases, orders were put through under a victim’s account and delivered to addresses often not even in the victim’s state.

Many of the customers TechCrunch spoke to in the past two days said they used their Chipotle account password on other sites. Chipotle spokesperson Laurie Schalow told TechCrunch that credential stuffing was to blame. Hackers take lists of usernames and passwords from other breached sites and replay them in bulk against other services’ login pages, taking over any account where the same password was reused.
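The pattern Chipotle describes, many usernames tried from one source in a short window with the occasional success, is what a defender looks for in login logs. The following is an added example, not code from TechCrunch or Chipotle; the log format, thresholds and sample lines are constructed for illustration.

```python
"""Flag credential-stuffing sprays in login logs (added example, constructed data).

Log line format assumed here: "<ISO timestamp> <src_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one IP sprays six different accounts in seconds (one lands),
# a second IP retries a single account a few times, which is ordinary user behaviour.
SAMPLE_LOG = """\
2019-04-16T10:00:01 203.0.113.7 alice FAIL
2019-04-16T10:00:02 203.0.113.7 bob FAIL
2019-04-16T10:00:03 203.0.113.7 carol FAIL
2019-04-16T10:00:04 203.0.113.7 dave OK
2019-04-16T10:00:05 203.0.113.7 erin FAIL
2019-04-16T10:00:06 203.0.113.7 frank FAIL
2019-04-16T10:03:00 198.51.100.9 alice FAIL
2019-04-16T10:03:30 198.51.100.9 alice FAIL
2019-04-16T10:04:00 198.51.100.9 alice OK
"""

WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumed tuning)
MIN_ATTEMPTS = 5                # attempts inside the window before we care
MIN_DISTINCT = 4                # distinct usernames: stuffing sprays accounts, users retry one


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                    min_distinct=MIN_DISTINCT):
    """Return {ip: {"users": set, "successes": set}} for IPs that spray many accounts.

    "successes" are the accounts that accepted a sprayed password: the ones that
    need a forced reset and a look at their recent orders.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user, ok) inside the window
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:   # drop events that aged out
            q.popleft()
        users = {u for _, u, _ in q}
        if len(q) >= min_attempts and len(users) >= min_distinct:
            entry = findings.setdefault(ip, {"users": set(), "successes": set()})
            entry["users"] |= users
            entry["successes"] |= {u for _, u, hit in q if hit}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "sprayed", sorted(info["users"]), "compromised:", sorted(info["successes"]))
```

A spray that rotates source IPs per attempt evades this per-IP view; the complementary check is the same logic keyed on username across IPs, which the function body supports by swapping the key.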

But several customers we spoke to said their password was unique to Chipotle. Another customer said they didn’t have an account but ordered through Chipotle’s guest checkout option.

Tweets from Chipotle customers. (Screenshot: TechCrunch)

When we asked Chipotle about this, Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing.

It’s a similar set of complaints made by DoorDash customers last year, who said their accounts had been improperly accessed. DoorDash also blamed the account hacks on credential stuffing, but could not explain how some accounts were breached even when users told TechCrunch that they used a unique password on the site.

If credential stuffing is to blame for the Chipotle account breaches, rolling out two-factor authentication would help block the automated login process and put an additional barrier between a hacker and a victim’s account.

But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment. “We don’t discuss our security strategies.”

Chipotle reported a data breach in 2017 affecting its 2,250 restaurants. Hackers infected its point-of-sale devices with malware, scraping millions of payment cards from unsuspecting restaurant goers. More than a hundred fast food and restaurant chains were also affected by the same malware infections.

In August, three suspects said to be members of the FIN7 hacking and fraud group were charged with the credit card thefts.


Source: The Tech Crunch


California to close data breach notification loopholes under new law

Posted by on Feb 21, 2019 in Alabama, California, computer security, data breach, data security, driver, Florida, Government, Identity Theft, Iowa, Marriott, Nebraska, Oregon, Prevention, Privacy, Safety, San Francisco, Security, security breaches, starwood, United States | 0 comments

California, which has some of the strongest data breach notification laws in the U.S., thinks it can do even better.

The golden state’s attorney general Xavier Becerra announced a new bill Thursday that aims to close loopholes in its existing data breach notification laws by expanding the requirements for companies to notify users or customers if their passport and government ID numbers, along with biometric data, such as fingerprints, and iris and facial recognition scans, have been stolen.

The updated draft legislation lands a few months after the Starwood hack, which Becerra and Democratic state assembly member Marc Levine, who introduced the bill, said prompted the law change.

Marriott-owned hotel chain Starwood said data on fewer than 383 million unique guests was stolen in the data breach, revealed in September, including guest names, postal addresses, phone numbers, dates of birth, genders, email addresses, some encrypted payment card data and other reservation information. Starwood also disclosed that five million passport numbers were stolen.

Although Starwood came clean and revealed the data breach, companies are not currently legally obligated to disclose that passport numbers or biometric data have been stolen. Under California state law, only Social Security numbers, driver’s license numbers, banking information, passwords, medical and health insurance information and data collected through automatic license plate recognition systems must be reported.

That’s set to change, under the new California assembly bill 1130, the state attorney general said.

“We have an opportunity today to make our data breach law stronger and that’s why we’re moving today to make it more difficult for hackers and cybercriminals to get your private information,” said Becerra at a press conference in San Francisco. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection,” he said.

Several other states, like Alabama, Florida and Oregon, already require data breach notifications in the event of passport number breaches, and also biometric data in the case of Iowa and Nebraska, among others.

California remains, however, one of only a handful of states that require the provision of credit monitoring or identity theft protection after certain kinds of breaches.

Thursday’s bill comes less than a year after state lawmakers passed the California Privacy Act into law, greatly expanding privacy rights for consumers — similar to provisions provided to Europeans under the newly instituted General Data Protection Regulation. The state privacy law, passed in June and set to go into effect in 2020, was met with hostility by tech companies headquartered in the state, prompting a lobbying effort to push for a superseding but weaker federal privacy law.


Source: The Tech Crunch


Massive mortgage and loan data leak gets worse as original documents also exposed

Posted by on Jan 24, 2019 in Amazon-S3, cloud storage, computer security, data breach, data security, database, email, Finance, Government, New York, ocr, Prevention, Privacy, Security, texas, United States, web browser | 1 comment

Remember that massive data leak of mortgage and loan data we reported on Wednesday?

In case you missed it, millions of documents were found leaking after an exposed Elasticsearch server was found without a password. The data contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren’t easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server.

Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.

It turns out that data was exposed again — but this time, it was the original documents.

Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server and see — and download — the files stored inside.

In a note to TechCrunch, Diachenko said he was “very surprised” to find the server in the first place, let alone open and accessible. Because Amazon storage servers are private by default and aren’t accessible to the web, someone would have made a conscious decision to set its permissions to public.

The bucket contained 21 files containing 23,000 pages of PDF documents stitched together — or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday’s report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules, and other sensitive financial information.

Two of the files — redacted — found on the exposed storage server. (Image: TechCrunch)

Many of the files also contained names, addresses, phone numbers, and Social Security numbers, and more.

When we tried to reach OpticsML on Wednesday, its website had been pulled offline and the listed phone number was disconnected. After scouring through an old cached version of the site, we found an email address.

TechCrunch emailed chief executive Sean Lanning, and the bucket was secured within the hour.

Lanning acknowledged our email but did not comment. Instead, OpticsML chief technology officer John Brozena confirmed the breach in a separate email, but declined to answer several questions about the exposed data — including how long the bucket was open and why it was set to public.

“We are working with the appropriate authorities and a forensic team to analyze the full extent of the situation regarding the exposed Elasticsearch server,” said Brozena. “As part of this investigation we learned that 21 documents used for testing were made identifiable by the previously discussed Elasticsearch leak. These documents were taken offline promptly.”

He added that OpticsML is “working to notify all affected parties” when asked about informing customers and state regulators, as per state data breach notification laws.

But Diachenko said there was no telling how many times the bucket might have been accessed before it was discovered.

“I would assume that after such publicity like these guys had, first thing you would do is to check if your cloud storage is down or, at least, password-protected,” he said.


Source: The Tech Crunch


Facebook policy VP, Richard Allan, to face the international ‘fake news’ grilling that Zuckerberg won’t

Posted by on Nov 23, 2018 in Cambridge Analytica, data breach, digital media, Elizabeth Denham, Europe, Facebook, fake news, London, Mark Zuckerberg, online disinformation, Paul-Olivier Dehaye, Policy, Privacy, Richard Allan, Security, Social, Social Media, social network | 0 comments

An unprecedented international grand committee comprised of 22 representatives from seven parliaments will meet in London next week to put questions to Facebook about the online fake news crisis and the social network’s own string of data misuse scandals.

But Facebook founder Mark Zuckerberg won’t be providing any answers. The company has repeatedly refused requests for him to answer parliamentarians’ questions.

Instead it’s sending a veteran EMEA policy guy, Richard Allan, now its London-based VP of policy solutions, to face a roomful of irate MPs.

Allan will give evidence next week to elected members from the parliaments of Argentina, Brazil, Canada, Ireland, Latvia, Singapore, along with members of the UK’s Digital, Culture, Media and Sport (DCMS) parliamentary committee.

At the last call the international initiative had a full eight parliaments behind it but it’s down to seven — with Australia being unable to attend on account of the travel involved in getting to London.

A spokeswoman for the DCMS committee confirmed Facebook declined its last request for Zuckerberg to give evidence, telling TechCrunch: “The Committee offered the opportunity for him to give evidence over video link, which was also refused. Facebook has offered Richard Allan, vice president of policy solutions, which the Committee has accepted.”

“The Committee still believes that Mark Zuckerberg is the appropriate person to answer important questions about data privacy, safety, security and sharing,” she added. “The recent New York Times investigation raises further questions about how recent data breaches were allegedly dealt with within Facebook, and when the senior leadership team became aware of the breaches and the spread of Russian disinformation.”

The DCMS committee has spearheaded the international effort to hold Facebook to account for its role in a string of major data scandals, joining forces with similarly concerned committees across the world, as part of an already wide-ranging enquiry into the democratic impacts of online disinformation that’s been keeping it busy for the best part of this year.

And especially busy since the Cambridge Analytica story blew up into a major global scandal this April, although Facebook’s 2018 run of bad news hasn’t stopped there…

The evidence session with Allan is scheduled to take place at 11.30am (GMT) on November 27 in Westminster. (It will also be streamed live on the UK’s parliament.tv website.)

Afterwards a press conference has been scheduled — during which DCMS says a representative from each of the seven parliaments will sign a set of ‘International Principles for the Law Governing the Internet’.

It bills this as “a declaration on future action from the parliaments involved” — suggesting the intent is to generate international momentum and consensus for regulating social media.

The DCMS’ preliminary report on the fake news crisis, which it put out this summer, called for urgent action from government on a number of fronts — including floating the idea of a levy on social media to defend democracy.

However UK ministers failed to leap into action, merely putting out a tepid ‘wait and see’ response. Marshalling international action appears to be DCMS’ alternative action plan.

At next week’s press conference, grand committee members will take questions following Allan’s evidence — so expect swift condemnation of any fresh equivocation, misdirection or question-dodging from Facebook (which has already been accused by DCMS members of a pattern of evasive behavior).

Last week’s NYT report also characterized the company’s strategy since 2016, vis-a-vis the fake news crisis, as ‘delay, deny, deflect’.

The grand committee will hear from other witnesses too, including the UK’s information commissioner Elizabeth Denham who was before the DCMS committee recently to report on a wide-ranging ecosystem investigation it instigated in the wake of the Cambridge Analytica scandal.

She told it then that Facebook needs to take “much greater responsibility” for how its platform is being used, warning that unless the company overhauls its privacy-hostile business model it risks burning user trust for good.

Also giving evidence next week: Deputy information commissioner Steve Wood; the former Prime Minister of St Kitts and Nevis, Rt Hon Dr Denzil L Douglas (on account of Cambridge Analytica/SCL Elections having done work in the region); and the co-founder of PersonalData.IO, Paul-Olivier Dehaye.

Dehaye has also given evidence to the committee before — detailing his experience of making Subject Access Requests to Facebook — and trying and failing to obtain all the data it holds on him.


Source: The Tech Crunch


Vision Direct reveals breach that skimmed customer credit cards

Posted by on Nov 18, 2018 in computer security, credit card, data breach, data security, E-Commerce, Europe, Google-Analytics, Javascript, PayPal, Security, Vision Direct | 0 comments

European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.

Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

It’s not yet clear how many of Vision Direct’s customers are affected — we’ve reached out to the company with questions.

Detailing the data theft in a post on its website Vision Direct writes that customer data was compromised between 12.11am GMT November 3, 2018 and 12.52pm GMT November 8 — with any logged in users who were ordering or updating their information on visionDirect.co.uk in that time window potentially being affected.

It says it has emailed customers to notify them of the data theft.

“This data was compromised when entering data on the website and not from the Vision Direct database,” the company writes on its website. “The breach has been resolved and our website is working normally.”

“We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice,” it adds.

(As an aside, Fintech startup Revolut didn’t hang around waiting for concerned customers to call — blogging today that, on hearing the breach news, it quickly identified 80 of its customers who had been affected. “As a precaution, we immediately contacted all affected customers letting them know that we had cancelled their existing cards and would be sending them a replacement one for free,” it adds.)

Vision Direct says affected payment methods include Visa, Mastercard and Maestro — but not PayPal (although it says PayPal users’ personal data may still have been swiped).

It claims existing personal data previously stored in its database was not affected by the breach — writing that the theft “only impacted new information added or updated on the VisionDirect.co.uk website” (and only during the aforementioned time window).

“All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach,” it adds.

Data appears to have been compromised via a Javascript keylogger running on the Vision Direct website, according to security researcher chatter on Twitter.

After the breach was made public, security researcher Troy Mursch quickly found a fake Google Analytics script had been running on Vision Direct’s UK website:

The malicious script also looks to have affected additional Vision Direct domains in Europe; and users of additional ecommerce sites (at least one of which they found still running the fake script)…

Another security researcher, Willem de Groot, picked up on the scam in September, writing in a blog post then that: “The domain g-analytics.com is not owned by Google, as opposed to its legitimate google-analytics.com counterpart. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor.”

He also found the malware had “spread to various websites”, saying its creator had crafted “14 different copies over the course of 3 weeks”, and tailored some versions to include a fake payment popup form “that was built for a specific website”.
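The tell in this incident was a script loaded from g-analytics.com, a domain that merely resembles google-analytics.com. A defender can catch that class of change by auditing every script host on a checkout page against an allowlist and flagging near-matches. This is an added example, not code from Vision Direct, Troy Mursch or Willem de Groot; the page fragment and allowlist are constructed, and the registrable-domain helper is a deliberate simplification that ignores the public-suffix list.

```python
"""Audit third-party <script src> hosts on a checkout page (added example).

Only the two domain names come from the article; everything else is constructed.
"""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the first-party host plus the one analytics host the page should load.
ALLOWED_HOSTS = {"shop.example", "www.google-analytics.com"}

# Constructed checkout page: a legitimate GA tag, a lookalike, and a first-party script.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://g-analytics.com/ga.js"></script>
<script src="/static/checkout.js"></script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_hosts(html, page_host):
    """Yield (src, host) pairs; relative URLs resolve to the page's own host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [(src, urlparse(src).hostname or page_host) for src in parser.srcs]


def registrable(host):
    """Crude registrable domain: last two labels (assumption, fine for .com here)."""
    return ".".join(host.split(".")[-2:])


def closest_allowed(host, allowed):
    """Return (allowed_host, similarity) for the allowlisted host most like `host`."""
    best, score = None, 0.0
    for candidate in sorted(allowed):
        ratio = SequenceMatcher(None, registrable(host), registrable(candidate)).ratio()
        if ratio > score:
            best, score = candidate, ratio
    return best, score


def audit(html, page_host="shop.example", allowed=ALLOWED_HOSTS, lookalike_threshold=0.7):
    """Return [(host, verdict)] for every script host that is not on the allowlist."""
    findings = []
    for _src, host in script_hosts(html, page_host):
        if host in allowed:
            continue
        near, score = closest_allowed(host, allowed)
        verdict = f"lookalike of {near}" if score >= lookalike_threshold else "unknown host"
        findings.append((host, verdict))
    return findings


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HTML):
        print(f"{host}: {verdict}")
```

Run against a fetched copy of the live page on a schedule; a new host appearing between runs is exactly the signal that was missing for five days here.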

“These instances are still harvesting passwords and identities as of today,” de Groot warned about two months before Vision Direct got breached.


Source: The Tech Crunch


Animoto hack exposes personal information, geolocation data

Posted by on Aug 20, 2018 in animoto, Cloud, data breach, Hack, Security, Social Media, TC | 0 comments

Animoto, a cloud-based video maker service for social media sites, has revealed a data breach.

The breach occurred on July 10 but was confirmed by the company in early August, and later reported to the California attorney general.

Names, dates of birth and user email addresses were accessed by hackers, but the company said it wasn’t known if data had been exfiltrated. The company also said that users’ scrambled passwords were exposed in the breach, but it wasn’t clear if the hackers gained the private key, which could be used to reveal the passwords in plain text.

The company also said in a security announcement that user geolocations were also exposed to hackers, but noted that it “does not keep geolocation information for all users.”

Payment data is not thought to be affected as it’s stored in a separate system, the company said.

Animoto did not immediately return a request for comment. TechCrunch will update once we learn more.

The New York City-based company did not say how many users were affected by the breach, but last August claimed more than 20 million users on its platform.

Animoto is the latest social media service to be breached. Last month, Timehop revealed a breach affecting 21 million users, exposing their names, email addresses, gender and dates of birth. Timehop’s breach was largely attributable to the company’s lack of two-factor authentication on its network, which helps prevent hackers from reusing already exposed credentials from breaches of other sites and services.

Animoto didn’t say how its breach occurred but pointed to “suspicious activity” on its systems. The company also said it reset employee passwords and reduced employees’ access to critical systems.


Source: The Tech Crunch


Dixons Carphone says millions more customers affected by 2017 breach

Posted by on Jul 31, 2018 in Carphone Warehouse, computer security, data breach, Dixons Carphone, Electronics, Europe, European Union, Gadgets, Mobile, Security, United Kingdom | 0 comments

A Dixons Carphone data breach that was disclosed earlier this summer was worse than initially reported. The company is now saying that personal data of 10 million customers could also have been accessed when its systems were hacked.

The European electronics and telecoms retailer believes its systems were accessed by unknown and unauthorized person/s in 2017, although it only disclosed the breach in June, after discovering it during a review of its security systems.

Last month it said 5.9M payment cards and 1.2M customer records had been accessed. But with its investigation into the breach “nearing completion”, it now says approximately 10M records containing personal data (but no financial information) may have been accessed last year — in addition to the 5.9M compromised payment cards it disclosed last month.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” the company said in a statement.

In terms of what personal data the 10M records contained, a Dixons Carphone spokeswoman told us: “This continues to relate to personal data, and the types of data that may have been accessed are, for example, name, address or email address.”

The company says it’s taking the precaution of contacting all its customers — to apologize and advise them of “protective steps to minimize the risk of fraud”.

It adds it has no evidence that the unauthorized access is continuing, having taken steps to secure its systems when the breach was discovered last month, saying: “We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”

Commenting in a statement, Dixons Carphone CEO, Alex Baldock, added: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.

“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”

Back in 2015, Carphone Warehouse, a mobile division of Dixons Carphone, also suffered a hack which affected around 3M people. And in January the company was fined £400k by the ICO as a consequence of that earlier breach.

Since then new European Union regulations (GDPR) have come into force which greatly raise the maximum penalties which regulators can impose for serious data breaches.

Last month, following Dixon’s disclosure of the latest breach, the UK’s data watchdog, the ICO, told us it was liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

Of the 5.9M payment cards which Dixons disclosed last month as having been compromised, it said the vast majority had been protected by chip and PIN technology. But around 105,000 lacked that protection, so Dixons said at the time that those could have been compromised.

It’s the additional 1.2M records containing non-financial personal data — such as name, address or email address — that have been revised upwards now, to ~10M records, which constitutes almost half the Group’s customer base in the UK and Ireland.

The spokeswoman told us the Group has approximately 22M customers in the region.

https://www.ncsc.gov.uk/guidance/ncsc-advice-dixons-carphone-plc-customers


Source: The Tech Crunch


Healthcare data breach in Singapore affected 1.5M patients, targeted the prime minister

Posted by on Jul 20, 2018 in Asia, computing, data breach, hacks, healthcare, Privacy, Security, Singapore, TC, World | 0 comments

In what’s believed to be the biggest data breach in Singapore’s history, 1.5 million members of the country’s largest healthcare group have had their personal data compromised.

The breach affected SingHealth, Singapore’s biggest network of healthcare facilities. Data obtained in the breach includes names, addresses, gender, race, date of birth and patients’ national identification numbers. Around 160,000 of the 1.5 million patients also had their outpatient medical information accessed by unauthorized individuals. All patients affected by the hack had visited SingHealth clinics between May 1, 2015 and July 4, 2018, Singapore newspaper The Straits Times reports.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System confirmed that this was a deliberate, targeted and well-planned cyberattack,” a press release from Singapore’s Ministry of Health stated. “It was not the work of casual hackers or criminal gangs.”

The hackers appear to have accessed the sensitive data by compromising a single SingHealth workstation with malware and were then able to obtain privileged account credentials with which they accessed the patient database. The breach was first noticed on July 4 and a police report was filed on July 12.

During a press conference, investigating authorities disclosed that Singapore Prime Minister Lee Hsien Loong was “specifically and repeatedly targeted.”

The Prime Minister elaborated on the incident on his Facebook page:


SingHealth’s database has experienced a major cyber-attack. 1.5 million patients have had their personal particulars…

Posted by Lee Hsien Loong on Friday, July 20, 2018


Source: The Tech Crunch


Timehop discloses July 4 data breach affecting 21 million

Posted by on Jul 9, 2018 in 2fa, Apps, data breach, Europe, GDPR, Hack, Security, Timehop | 0 comments

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users (essentially its entire user base). Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of people’s data had been breached.

According to its preliminary investigation of the incident, the attacker first accessed Timehop’s cloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.

Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack.

It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital “memories” was affected.

However, the keys that allow it to read and show users their social media content were compromised, so it has deactivated all of them, meaning Timehop users will have to re-authenticate to its app to continue using the service.

“If you have noticed any content not loading, it is because Timehop deactivated these proactively,” it writes, adding: “We have no evidence that any accounts were accessed without authorization.”

It does also admit that the tokens could “theoretically” have been used by unauthorized users to access Timehop users’ own social media posts during “a short time window” — although again it emphasizes “we have no evidence that this actually happened”.

“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” it adds.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your “Memories” after you’ve seen them.”

In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication.

That’s very clearly a major security failure — but one Timehop does not explicitly explain, writing only that: “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to “all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)”. So evidently there was more than one vulnerable account for attackers to target.

Its exec team will certainly have questions to answer about why multifactor authentication was not universally enforced for all its cloud accounts.

For now, by way of explanation, it writes: “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.” Which does have a distinct ‘stable door being locked after the horse has bolted’ feel to it.

It also writes that it carried out “the introduction of more pervasive encryption throughout our environment” — so, again, questions should be asked why it took an incident response to trigger a “more pervasive” security overhaul.

Also not entirely clear from Timehop’s blog post: when, or whether, affected users were notified that their information had been breached.

The company posted the blog post disclosing the security breach to its Twitter account on July 8. But prior to that its Twitter account was only noting that some “unscheduled maintenance” might be causing problems for users accessing the app…

We’ve reached out to the company with questions and will update this post with any response. Update: A Timehop spokesman says individual users are being notified as they log back in to the app.

“An email to the entire user base is in the works for today,” he tells TechCrunch. “[It] took some time to get our send grid account ready for that many emails as we are not a big email sender in general.”

In terms of the reasons behind the multifactor fail, the spokesman said it’s still investigating why there was a security lapse “as we do in general make use of it”. “But this employee was here for so long, from back when we were just a baby company, so it seems something got overlooked,” he adds. 

In its blog about the incident, Timehop says that at the same time as it was working to shut down the attack and tighten up security, company executives contacted local and federal law enforcement officials — presumably to report the breach.

Breach reporting requirements are baked into Europe’s recently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities — and to do so quickly — with the regulation setting a universal standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in “a risk to the rights and freedoms of natural persons”).

Referencing GDPR, Timehop writes: “Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”

The company also writes that it has engaged the services of an (unnamed) cyber threat intelligence company to look for evidence of use of the email addresses, phone numbers, and names of users being posted or used online and on the Dark Web — saying that “while none have appeared to date, it is a high likelihood that they will soon appear”.

Timehop users who are worried the network intrusion and data breach might have affected their “Streak” — aka the number Timehop displays to denote how many consecutive days they have opened the app — are being reassured by the company that “we will ensure all Streaks remain unaffected by this event”.


Source: The Tech Crunch


Bank says Ticketmaster knew of breach months before taking action

Posted by on Jun 28, 2018 in Banking, data breach, Europe, fraud, GDPR, Hack, Security, TC, TicketMaster

Ticketmaster UK announced on its site yesterday that on June 23rd it identified malware that had affected nearly five percent of its customers, allowing an unknown third party access to customers’ names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.

The company says the breach can be traced back to an AI chat bot it uses to help answer customers’ questions when a live staff member is unavailable. The software’s designer, Inbenta, confirmed that the malware had taken advantage of one piece of JavaScript that was written specially for Ticketmaster’s use of the chat bot.
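The attack path described here is a modification of a vendor-supplied script that runs on the site’s own pages. A standard browser-side control for pinning a third-party script to a reviewed version is Subresource Integrity (SRI). The Python below is an added illustration, not code from Ticketmaster, Inbenta or TechCrunch: it generates the digest a site would pin in its `integrity` attribute and reproduces the browser’s verification rule, including the detail that only digests of the strongest listed algorithm count. The script bodies and the vendor URL are constructed placeholders.

```python
"""Subresource Integrity (SRI) for a third-party script: generate the digest a
site pins in its <script integrity=...> tag and verify a fetched body against it."""
import base64
import hashlib
import hmac

# Constructed sample: the vendor script body as it was reviewed when embedded.
APPROVED_SCRIPT = b"window.chatWidget = { init: function () { /* renders chat UI */ } };\n"
# Constructed sample: the same script with one extra statement. Any byte change,
# however small, must fail verification.
MODIFIED_SCRIPT = APPROVED_SCRIPT + b"console.log('changed');\n"

# Algorithms SRI permits, weakest to strongest; browsers only consider the strongest listed.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for `body`, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not allow {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Emulate the browser check: parse the space-separated integrity list, keep
    only digests of the strongest recognised algorithm, accept if any matches.
    A list with no usable digest is treated by browsers as 'no check'; this
    hardening helper fails closed instead and returns False."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        value = rest.split("?", 1)[0]  # drop the optional '?options' suffix
        if algo in SRI_ALGOS and value:
            parsed.append((algo, value))
    if not parsed:
        return False
    strongest = max((a for a, _ in parsed), key=SRI_ALGOS.index)
    computed = sri_digest(body, strongest).split("-", 1)[1]
    return any(hmac.compare_digest(computed, v) for a, v in parsed if a == strongest)


def script_tag(src: str, body: bytes) -> str:
    """Build the tag to embed for the reviewed body; `src` is a placeholder URL."""
    return f'<script src="{src}" integrity="{sri_digest(body)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    tag = script_tag("https://vendor.example/chat-widget.js", APPROVED_SCRIPT)
    print(tag)
    print("approved body verifies:", verify_sri(APPROVED_SCRIPT, sri_digest(APPROVED_SCRIPT)))
    print("modified body verifies:", verify_sri(MODIFIED_SCRIPT, sri_digest(APPROVED_SCRIPT)))
```

SRI only fits a script whose bytes are fixed: a widget the vendor updates in place would stop loading at the next release. For such scripts the same digest function serves a periodic out-of-band check instead, fetching the script, comparing it with the reviewed baseline and alerting on any change so the new version is reviewed before it is allowed on a payment page.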

However, both companies have confirmed that as of June 26th the vulnerability has been resolved. In its statement, Ticketmaster told customers that affected accounts had been contacted as soon as the company became aware of the breach and had been offered a free 12-month identity monitoring service.

But, according to UK digital bank Monzo, Ticketmaster was informed of the breach in April.

In a statement released by its Financial Crime team today, Monzo describes the events from its perspective. On April 6th, the bank began to notice a pattern of fraudulent transactions on cards that had been previously used at Ticketmaster. Out of 50 fraud reports the bank received that day, 70 percent of cards had made transactions on Ticketmaster in the last several months.

“This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” said Natasha Vernier, Head of Financial Crime at Monzo, in the statement.
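The pattern Monzo describes, a merchant appearing far more often among fraud-reported cards than across the whole card base, is a common-point-of-purchase analysis. The Python below is an added example, not Monzo’s tooling or code; it runs that comparison over a constructed card base whose figures are set to mirror the 70% and 0.8% quoted above, with a look-back window and a lift threshold as assumed parameters.

```python
"""Common-point-of-purchase analysis: which merchant is over-represented among
cards later reported as fraudulent, relative to the whole card base?"""
from collections import defaultdict
from datetime import date

# Constructed sample card base (not Monzo data, not real card identifiers).
ALL_CARDS = {f"card{i:04d}" for i in range(5000)}
# Assumed look-back window: only purchases on or after this date are counted.
WINDOW_START = date(2018, 1, 1)


def build_sample_transactions():
    """(card_id, merchant, transaction_date) tuples, constructed for the demo."""
    txns = []
    day = date(2018, 3, 1)
    # 40 cards (0.8% of the base) shopped at the merchant under suspicion.
    txns += [(f"card{i:04d}", "Ticketmaster", day) for i in range(40)]
    # 2000 cards (40%) shopped at a grocer; 500 (10%) at a coffee shop.
    txns += [(f"card{i:04d}", "Grocer", day) for i in range(2000)]
    txns += [(f"card{i:04d}", "Coffee", day) for i in range(2000, 2500)]
    # One old purchase outside the look-back window; it must be ignored.
    txns.append(("card4000", "Ticketmaster", date(2017, 1, 15)))
    return txns


# Constructed: 50 cards reported as fraud on one day. 35 of them (70%) are
# Ticketmaster shoppers, 5 used only the coffee shop, 10 made no purchases.
FRAUD_CARDS = (
    {f"card{i:04d}" for i in range(35)}
    | {f"card{i:04d}" for i in range(2495, 2500)}
    | {f"card{i:04d}" for i in range(4990, 5000)}
)


def cards_by_merchant(transactions, since):
    """Map merchant -> set of cards that transacted there on or after `since`."""
    seen = defaultdict(set)
    for card, merchant, day in transactions:
        if day >= since:
            seen[merchant].add(card)
    return seen


def common_point_of_purchase(transactions, fraud_cards, all_cards, since, min_lift=10.0):
    """Rank merchants by lift = (share of fraud cards seen there) /
    (share of the whole card base seen there) and return those at or above
    min_lift. Each row is (merchant, fraud_share, base_share, lift)."""
    seen = cards_by_merchant(transactions, since)
    rows = []
    for merchant, cards in seen.items():
        fraud_share = len(cards & fraud_cards) / len(fraud_cards)
        base_share = len(cards) / len(all_cards)
        rows.append((merchant, fraud_share, base_share, fraud_share / base_share))
    rows.sort(key=lambda r: r[3], reverse=True)
    return [r for r in rows if r[3] >= min_lift]


if __name__ == "__main__":
    flagged = common_point_of_purchase(
        build_sample_transactions(), FRAUD_CARDS, ALL_CARDS, since=WINDOW_START
    )
    for merchant, fraud_share, base_share, lift in flagged:
        print(f"{merchant}: {fraud_share:.0%} of fraud cards vs "
              f"{base_share:.1%} of all cards (lift {lift:.1f})")
```

With the constructed figures the grocer, used by 40% of all cards and 70% of the fraud cards, scores a lift of 1.75 and is not flagged; the suspect merchant scores 87.5. The threshold is the tuning knob: a popular merchant will always appear among fraud cards in proportion to its popularity, and it is the ratio to the base rate, not the raw 70%, that singles one out.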

On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week to follow, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster.

During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.

This puts Ticketmaster in an awkward position, because under the 2018 General Data Protection Regulation (GDPR), companies are required to report a breach within 72 hours. Not 76 days. It’s uncertain, based on the timeline of events, whether Ticketmaster will be held to these standards or to the now-overturned 1998 standards, but either way the water is starting to heat up around the ticket dealer.

We’ve reached out to Ticketmaster for comment but the company did not reply by the time of publication.


Source: The Tech Crunch
