Never a good idea?
FreshMenu
Hid Data Breach Affecting 110,000 Users
FreshMenu, a food delivery provider based in
India, has come under social media attack for keeping under wraps a
data breach two years ago that exposed the personal information of
over 110,000 users.
The incident originally was brought to light in
2016 by data breach tracker HaveIBeenPwned, which discovered that the
breach exposed names, email addresses, phone numbers, home addresses,
and order histories, the Times of India reported on Wednesday. That
news report led to the strong response on social media.
Troy
Hunt, who runs HaveIBeenPwned, says he had informed FreshMenu
back in July 2016 that the breach had taken place, but the company
decided not to notify impacted customers.
… But security practitioners say that even if
payment information wasn't breached, the incident should have been
promptly reported to those affected.
"Customers have every right to know what data
of theirs has been compromised or leaked," says Rahul
Sharma, founder of the Perspective, a firm which focuses on cyber
policy. "This should be a practice followed by every company,
and I feel a law addressing this issue must come out soon."
"Who are they to decide whether my leaked
data is important or critical? If I am trusting them with my data, I
have every right to know when my data gets compromised, however small
the breach is."
Unfortunately, minimal is the key word.
Catalin Cimpanu reports:
A multi-year study on the stock price evolution for breached companies reveals that data breaches have a long-term impact on a company’s stock price, even if it’s somewhat minimal.
The study, carried out by the research team behind the CompariTech web portal, looked only at companies listed on the New York Stock Exchange (NYSE) that suffered and publicly disclosed breaches of one million records and over in the past three years.
Read more on ZDNet.
[From the article:
"In the long term, breached companies
underperformed
the market," the CompariTech team concluded in their report.
… Study authors noted that the impact of data
breaches likely diminished over time, but the damage was still
visible in the stock's NASDAQ performance indicator even after three
years, in some cases.
The Cold War in the Internet Age. How close to
the “trigger” are they willing to come?
German
Troops Face Russian 'Hybrid War' in Lithuania: Merkel
German Chancellor Angela Merkel said Friday Berlin
was boosting military cyber capabilities to respond to Russian hybrid
warfare that is targeting its troops deployed on NATO's eastern
flank.
"Here you are also confronted with a
situation that represents another part of the Russian military
doctrine: the idea of hybrid warfare," she told German troops
stationed in Lithuania as part of a NATO force deployed to deter
Russia.
NATO allies have accused Russia of using "hybrid
warfare" techniques, including subversion, propaganda and cyber
warfare, to undermine the West without
triggering a full NATO military response.
Russia has repeatedly denied that it stages such
attacks and has accused the US-led alliance of provoking an arms
race.
… Soon after their arrival, German troops were
subjected to false rape accusations while media reports said Moscow
also targeted NATO soldiers' smartphones.
(Related) Follows the Russian pattern. (They
also attacked the lab doing Olympic drug testing.)
Dutch
'Expelled Two Russian Spies Over Novichok Lab Plot'
Dutch
intelligence services arrested two alleged Russian spies on suspicion
of planning to hack a Swiss laboratory investigating the poisoning of
double agent Sergei Skripal, reports and officials said Friday.
The
two agents, believed to be working for Russia's
GRU military intelligence service, targeted the Spiez laboratory
near Bern, Dutch-based NRC newspaper and Swiss daily Tages-Anzeiger
said.
… At
the time, Spiez was analysing data related to poison gas attacks in
Syria, as well as the March 4 attack using the nerve agent Novichok
on Russian double agent Sergei Skripal and his daughter in Salisbury,
they reported.
The
laboratory does analytical work for the Hague-based Organisation for
the Prohibition of Chemical Weapons (OPCW), the global chemical arms
watchdog.
Interesting
argument.
Carrie Goldberg and her law firm represent Matthew
Herrick in Matthew Herrick v. Grinder LLC, a case that may
shake things up with Section 230 of the CDA’s protections for
platforms. Tor Ekeland Law, PLLC are co-counsel in the case.
Goldberg writes:
Our client, Matthew Herrick, was stalked and harassed by his ex-boyfriend through the Grindr app. The ex-boyfriend had created impersonating profiles to arrange sex dates with over a thousand men who came to Matthew’s home and workplace. Matthew reported it to Grindr over 100 times. He also got an Order of Protection and made criminal complaints against his ex, but the strangers kept coming. The impersonating profiles told them that Matthew had drugs to share and wanted to role-play rape fantasies. When our firm served Grindr’s team with a court order demanding they exclude Matthew’s ex from using their product, they said they didn’t have the technology to do so. They own the patent to geo-locating technology! And yet, they can’t screen users?!
We said, “If you can’t control your product, it’s dangerous.” So we, along with co-counsel Tor Ekeland Law, PLLC, sued Grindr using theories of products liability. This case challenges Section 230 of the Communications Decency Act (CDA), which tech companies claim exempts them from being liable for harm that happens on their platforms. The CDA, passed in 1995, was initially created to protect online bulletin boards from defamation cases. Over the last twenty-two years, the law has become broader and broader because of the way courts have interpreted it, granting protections to a broader array of internet service providers for a broader array of harmful activities.
Read
more on her blog, where you can also download the relevant
filings.
For
future Computer Security classes.
Secureworks
Launches New Security Maturity Model
Secureworks
has launched the Secureworks Security Maturity Model. It is
released, announces Secureworks, in response to "research which
shows that more than one-third
of US organizations (37%) face security risks that exceed their
overall security maturity. Within that group, 10% face a
significant deficiency when it comes to protecting themselves from
the threats in their environment."
Secureworks
is offering a complementary evaluation (an online process supported
by a security expert) to help organizations benchmark their own
security maturity. The model incorporates elements of well-known
frameworks like National Institute of Standards and Technology (NIST)
and ISO 27001/02 with insight from Secureworks' global threat
intelligence. It comprises four levels: guarded, informed,
integrated and resilient.
Further
information, and a route map for attaining security maturity, can be
found in a white paper titled '5 Critical Steps to a More Mature
Security Posture' (PDF).
The
price of entry into the China market?
Google built a prototype of a censored
search engine for China that links users’ searches to their
personal phone numbers, thus making it easier for the Chinese
government to monitor people’s queries, The Intercept can reveal.
The search
engine, codenamed Dragonfly, was designed for Android devices,
and would remove content deemed sensitive by China’s ruling
Communist Party regime, such as information about political
dissidents, free speech, democracy, human rights, and peaceful
protest.
Previously undisclosed details about the plan,
obtained by The Intercept on Friday, show that Google compiled a
censorship blacklist that included terms such as “human rights,”
“student protest,” and “Nobel Prize” in Mandarin.
Perspective.
Facebook’s
Crackdown on Misinformation Might Actually Be Working
… The study, released
as a working paper Friday afternoon, examines how Facebook and
Twitter users interacted with articles from 570 sites that have been
identified by at least one credible source as a purveyor of “fake
news”—that is, patently false, intentionally misleading, or
hyperpartisan content. It finds that engagement on stories from
those sites rose steadily on both Facebook and Twitter until shortly
after the 2016 U.S. presidential election. Beginning in early 2017,
however, those sites’ engagement began to drop off on Facebook—even
as it kept rising on Twitter.
While the authors caution that the study is “far
from definitive,” it’s noteworthy as perhaps the first
large-scale empirical study that directly examines the efficacy of
Facebook’s ongoing campaign against misinformation. Its findings
could serve as a guidepost as the company continues to reckon with
its influence on civil society.
(Related)
On the other hand…
Tech’s
New Problem: North Korea
North Korea operatives have sought to use U.S.
technology and social media networks to evade U.S.-led sanctions and
generate income, taking advantage of many of the same shortcomings
that allowed Russians to interfere in the 2016 election.
Cloaking their identities, the North Koreans have
been able to advertise jobs and find clients on job-search exchanges
such as Upwork and Freelancer.com.
Dogbert suggests a message for my students.
No comments:
Post a Comment