Category: Data Breach

Dixons Fined for Data Breach

Dixons Carphone has been fined £500,000 by the data watchdog over a computer hack which compromised the personal information of at least 14 million people.

The Information Commissioner’s Office found that hackers were able to access the names, postcodes, email addresses and failed credit checks of millions of people.

The data also included the details of 5.6 million payment cards used between July 2017 and April 2018.

Dixons Carphone says it has no confirmed evidence of any customers suffering fraud or financial loss as a result of the hack.

What Should a Business Do to Protect Itself?

  1. Invest in expert cyber security and keep it up to date
  2. Maintain anti-virus and anti-malware software on all computer devices and keep it up to date
  3. Regularly check all financial accounts. If you spot anything unusual, contact your provider immediately.
  4. Train staff on security procedures e.g. how to spot phishing attempts
  5. Stay up to date with protection against latest threats
  6. Remember that human beings are usually the weakest link in security.

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature

Cathay Pacific Data Breach

In 2018, aviation’s biggest data breach occurred when the information on 9.4 million customers was stolen from Cathay Pacific.

Strangely, most of the data accessed was about passenger travel plans and very little about financial information. Only 430 credit card details were stolen and most of those were incomplete or out of date.

Hong Kong’s watchdog, the Privacy Commissioner, investigated the data breach and accused Cathay Pacific of two contraventions of the law: having insufficient regard for data privacy, and taking seven months to disclose the breach.

The data stolen consisted of passenger names, flight details, email addresses, membership numbers, phone numbers, dates of birth etc. This included passport numbers in 9% of cases and identity card numbers in 6% of cases.

The watchdog said Cathay contravened the law on two counts: first, it did not take all reasonably practicable steps to protect data. Second, Cathay retained Hong Kong identity card numbers 13 years after being collected.

Cathay’s investigation concluded there were two distinct groups of hackers. The first group’s activity is traced back to October 2014, when keylogger malware was installed to harvest user credentials; this attack continued until March 2018.

The second attack occurred in August 2017 and exploited a vulnerability in an internet-facing server (a long-standing and well-known security risk). This second group made a brute-force attack in March 2018 that resulted in approximately 500 Cathay staff being locked out of their accounts, according to the report. The last known activity of the attack was on May 11, 2018.
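A wave of lockouts like the one described above leaves a recognisable signal in authentication logs: many failures from one source, across many different accounts, in a short window. The script below is an added example written for this page (not code from Cathay Pacific or its investigators); it runs a simple brute-force/password-spraying detector over constructed log lines. The log format, the IP addresses, the account names and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (not from any real system). Each line is:
#   <ISO timestamp> <OK|FAIL> user=<account> src=<source IP>
# The first source fails against six different accounts within seconds,
# which is the pattern a brute-force or spraying tool produces.
SAMPLE_LOG = """\
2018-03-04T09:00:01 FAIL user=alice src=203.0.113.7
2018-03-04T09:00:02 FAIL user=bob src=203.0.113.7
2018-03-04T09:00:03 FAIL user=carol src=203.0.113.7
2018-03-04T09:00:04 FAIL user=dave src=203.0.113.7
2018-03-04T09:00:05 FAIL user=erin src=203.0.113.7
2018-03-04T09:00:06 FAIL user=frank src=203.0.113.7
2018-03-04T09:01:10 FAIL user=alice src=198.51.100.20
2018-03-04T09:01:40 OK   user=alice src=198.51.100.20
2018-03-04T09:02:00 FAIL user=bob src=198.51.100.21
2018-03-04T09:30:00 FAIL user=bob src=198.51.100.21
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, outcome, account, source IP)."""
    ts_str, outcome, user_kv, src_kv = line.split()
    user = user_kv.split("=", 1)[1]
    src = src_kv.split("=", 1)[1]
    return datetime.fromisoformat(ts_str), outcome, user, src


def detect_bruteforce(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    min_failures: int = 5,
    min_accounts: int = 3,
) -> Dict[str, dict]:
    """Flag source IPs that produce at least `min_failures` failed logins
    against at least `min_accounts` distinct accounts inside any `window`.
    Returns a dict keyed by source IP with the worst window seen."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = parse_line(line)
        if outcome == "FAIL":
            failures[src].append((ts, user))

    flagged: Dict[str, dict] = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over the sorted failure events for this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            accounts = {user for _, user in window_events}
            if len(window_events) >= min_failures and len(accounts) >= min_accounts:
                flagged[src] = {
                    "failures": len(window_events),
                    "accounts": sorted(accounts),
                    "first": window_events[0][0],
                    "last": window_events[-1][0],
                }
    return flagged


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures against "
              f"{len(info['accounts'])} accounts between {info['first']} and {info['last']}")
```

Only the first source trips the rule; the single failure followed by a success from 198.51.100.20 and the two failures half an hour apart from 198.51.100.21 are ordinary user behaviour. In a real deployment the thresholds would be tuned to the environment, and the alert should trigger a review of which accounts were locked rather than just a count.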

Cathay said that its operations and flight safety systems were not impacted and flight safety was never compromised. Cathay has already made some changes, and said “as the sophistication of cyber attackers continues to increase, [we] need to and will continue to invest in and evolve our IT security systems.”

Binance Crypto Exchange Hacked

Binance is one of the world’s biggest cryptocurrency exchanges, i.e. an exchange for online currencies such as Bitcoin, Ethereum, Ripple etc. Hackers patiently built up information, hacked into the service and stole 7,000 bitcoin (about $40 million). They also stole user security codes (two-factor authentication codes and API tokens), which can lead to further thefts.

Binance CEO Zhao Changpeng said “The hackers used a variety of techniques, including phishing, viruses and other attacks”. “The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction was structured in a way that passed our existing security checks.”

The hackers compromised multiple high-net-worth accounts whose Bitcoin was kept in Binance’s hot wallet, which, unlike a cold wallet, is connected to the internet. Anyone who keeps their Bitcoin in a Binance hot wallet should change that immediately.

The hackers got access to security codes for some users and that means they may still control certain user accounts and may use those to influence prices. Binance say they will monitor the situation closely.

Cyber currencies still seem a little like the Wild West and are taking a long time to become mainstream and become as safe as mainstream currency.

If you have any experiences with crypto-currencies do let me know, by email.

Massive Data Release on Internet

Collection #1 is a data set that was dumped onto the Internet. It contains 773 million email IDs and 21 million passwords and anybody can see the data.

Security researcher Troy Hunt runs the Have I Been Pwned website, which lets people check whether their email address has appeared in a data breach. He has analysed the data and loaded it into his website, haveibeenpwned.com, so anyone can check whether their details are included in this or any other high-profile data breach. He does not make the actual data available to anybody.

His analysis shows that Collection #1 “is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources.”

After cleaning the data and removing duplicates, it seems that 772,904,991 unique email addresses, along with 21,222,975 unique passwords, are available in plain text. This does not include passwords that were found still in their hashed form.

Importantly, anyone who gets their hands on the cache can easily test the plain-text passwords against actual accounts. Approximately 140 million email accounts and some 10.6 million passwords were not known from past breaches.

If one or more of your accounts are in this data breach, then it is likely that one or more of your old passwords are available for others to see, and anyone holding the cache can try those passwords against your current accounts. Make sure you are not still using passwords from years ago.

Check if your accounts are included in the breach and if necessary change passwords and delete unnecessary accounts.
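The password check on Have I Been Pwned’s Pwned Passwords service works without the password or its full hash ever leaving your machine: the client sends only the first five characters of the password’s SHA-1 hash, receives every hash suffix in that range with a breach count, and does the matching locally. The Python script below is an added example written for this page (not the blog’s code and not Troy Hunt’s); it implements that matching step offline. The range response is constructed for the example (the suffix for the word “password” is the real tail of its SHA-1 hash; the other suffixes and all counts are made up), and the function names and the one-range sample are assumptions of the example.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a "range" response for the 5-character SHA-1 prefix
# "5BAA6". The real service returns lines of the form <35-hex-char suffix>:<count>.
# Only the last suffix is real (the tail of SHA-1("password")); the other
# suffixes and every count are invented for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
        "01A85766CD276B17DE6DA022AA3CADAC3CE:4",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    ]),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the upper-case hex digest into
    the 5-character prefix that would be sent and the 35-character suffix
    that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix and return its breach count,
    or 0 if the suffix is absent (the password was not in the corpus)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Full k-anonymity check: look up the prefix via `fetch_range`, then
    match the suffix locally. `fetch_range` is injected so the same logic
    works with a network client or, as here, an offline sample."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; only the constructed range exists here,
    so any other prefix returns an empty response."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "abc"):
        n = breach_count(candidate, offline_fetch)
        verdict = f"seen {n} times in breaches" if n else "not in the offline sample"
        print(f"{candidate!r}: {verdict}")
```

The same `breach_count` function can be wired into a sign-up or password-change form so that a password already present in dumps like Collection #1 is refused before it is ever set. Note that in this offline demo a result of 0 only means the sample has no range for that prefix; against the live service, a short password such as “abc” would of course be reported as breached.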

Morrisons to Pay Staff after Data Breach

In 2014, the personal details of thousands of Morrisons staff, including salaries, bank account details and home addresses, were stolen and published online.

At the time, Morrisons said that the staff details had been put on an unspecified location on the web for a few hours and were taken down immediately when they were discovered. It said in a statement: “We can confirm there has been no loss of customer data and no colleague will be left financially disadvantaged.” It was working with police to identify the source of the theft.

The hacker posted the information – including names, addresses, bank account details and salaries – online and sent it to newspapers.

It turned out that it was an employee, Andrew Skelton, who had posted the data online. He was caught and jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.

However, Morrisons faced a huge payout to staff whose personal data had been posted on the Internet, after workers brought a claim against the company for “upset and distress”.

The High Court ruled that Morrisons was liable for the data breach, and the Court of Appeal then upheld that decision against the supermarket. Morrisons said it would now appeal to the Supreme Court.

This case is the first data leak class action in the UK.

Morrisons had argued that it could not be held liable for the criminal misuse of its data, but three Court of Appeal judges rejected the company’s appeal, saying they agreed with the High Court’s earlier decision.

They said Morrisons was “vicariously liable for the offences committed by Mr Skelton against the claimants”.

Skelton was given eight years in prison for fraud, securing unauthorised access to computer material and disclosing personal data at a criminal trial in 2015.

The case continues.

If you have any experiences with scammers, spammers or time-wasters do let me know, by email.