It seems silly to deny that a breach happened when anyone can check for themselves.
Bob Diachenko recently reported on yet another massive data exposure:
On November 12th, when auditing the search results for open/exposed Elasticsearch databases with the Binaryedge.io platform, we have found what appeared to be a collection of personal records compiled by FIESP, the Federation of Industries of the State of São Paulo. FIESP is the largest class entity in the Brazilian industry. It represents about 130 thousand industries in various sectors, of all sizes and different production chains, distributed in 131 employers’ unions.
Records were stored in Elasticsearch with the total count of 180,104,892.
[…]
The largest collection of data (FIESP collection) had 34,817,273 personal records with exposed info like:
name
personal ID number (RG number)
taxpayer registry identification (CPF)
sex
date of birth
full address
email
phone number
Read more on Hackenproof.com.
As has happened waaaaay too many times to Bob and others, including yours truly, he had difficulty making notification. But when notification was finally made after someone on Twitter got thru to FIESP, it was not received as one might hope. Angelica Mari of ZDNet reported today that:
FIESP said it is “investigating the alleged access to its database by a company that claims to work in digital security,” but it has pretty much denied that anything serious has happened at all.
The trade body argued that the databases Hacken Proof is talking about didn’t contain sensitive information or passwords and that “so far, there is no news that any personal information from the database has been exposed.”
“FIESP contacted [Hacken Proof], who said it had not made the data public and subsequently destroyed the information that it claims to have had access to. [Hacken Proof] also stated that its objective was to expose possible vulnerabilities to prevent potential leaks.”
It’s all in the language you choose.
HR software company PageUp says that a forensic expert it engaged to examine its systems has found “no specific evidence” that data was stolen during a security breach earlier this year.
Read more on Computerworld.
[From the article:
After an initial investigation the company said that it believed on the “balance of probabilities” that “data relating to our clients, placement agencies, applicants, references and our employees” was accessed during the breach.
Data that it believed may have been vulnerable included the personal details of employees of PageUp customers, details of job applications lodged with the company’s customers, and employment reference information.
PageUp said though there was no evidence that data had been exfiltrated. [Note that is somewhat different than saying, “there was evidence that the data was not exfiltrated.” Perhaps they kept no records (logs) of data movement. Bob]
The question should have been asked and answered prior to implementing the new meters. The same for any IoT device. If it was, why not mention that as part of the release? If it was not, are you ready for the lawsuits?
Bill Cameron reports:
As utility companies across the state roll out new Internet-connected electrical meters, Smithfield Township supervisors are calling on Met-Ed to show how they’re protecting customers’ information.
The Board of Supervisors penned a letter this week to FirstEnergy Corp., Met-Ed’s parent company, and state regulatory officials asking what protections are in place to keep private consumer data from unwanted eyes.
“What limits have been placed on data collection and permissions for data collection beyond monthly billing cycle totals?” it says in the letter, dated Nov. 14, to FirstEnergy’s president, regional president, state president, the state Office of Consumer Advocates and the Pennsylvania Public Utility Commission. “The notice sent to our residents makes no mention of this, yet it is of prime concern to us in order to protect and secure data of our residential households.”
Read more on GovTech.
Bravo. We need more agencies and watchdogs asking – and demanding – answers to these important questions.
’Tis the season! “Hey, if it works for Amazon...”
Matthew Field reports:
Hackers are offering Black Friday discounts for stolen credit card details being bought and sold on the dark web as they seek to cash in on an online shopping bonanza.
Security experts including the FBI, the UK’s cyber defence agency and online security firms have warned of a wave of hacking and fraud as criminals exploit Britain’s biggest weekend of online shopping across Black Friday and Cyber Monday.
Read more on The Telegraph.
…for the defense of Privacy everywhere?
Facebook Appeals its UK Fine in Cambridge Analytica Scandal
Facebook has appealed its 500,000-pound ($644,000) fine for failing to protect the privacy of its users in the Cambridge Analytica scandal, arguing that U.K. regulators failed to prove that British users were directly affected.
Britain's Information Commissioner's Office leveled the fine after concluding Facebook processed the personal information of users unfairly by giving app developers access to their information without informed consent.
… "Their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal," said Facebook lawyer Anna Benckert in a statement. "For example, under ICO's theory people should not be allowed to forward an email or message without having agreement from each person on the original thread. These are things done by millions of people every day on services across the internet."
This could be an interesting source of privacy horror stories. Stay tuned.
Thai Minister Defends Controversial Cybersecurity Bill
A Thai government official on Wednesday defended a sweeping cybersecurity bill which experts have decried for allowing the wholesale seizure of private computers and property, saying that "every country has a need" to protect itself.
… In rare comments hitting out at the government, a senior judge at the Thai Appeals Court condemned the bill, calling it redundant.
"This law ignores the people's rights and freedom," said Sriamporn Saligupta.
"If the next government is not good and uses this as a tool, we will no longer have privacy rights."
The President and his minions are correct in their assumption that people are more interested in shopping and feasting than in worrying about the future. Much harder to change that than asking the President to change his mind. Maybe.
The bombshell report, which warns of large-scale climate disasters if the U.S. continues down the track it's headed, was released without much rollout midday Friday.
Known as Black Friday, it's a day in which people are likely more concerned with shopping than national affairs. Late Friday in general is famous in Washington for being a "news dump," in which an administration quietly releases less-than-optimal news.
Clearly, it’s too late.