Tuesday, July 28, 2020


Not entirely clear what happened.
Promo.com discloses data breach after 22M user records leaked online
Promo.com, an Israeli-based marketing video creation site, has disclosed a data breach after a database containing 22 million user records was leaked for free on a hacker forum.
In a report shared with BleepingComputer by cybersecurity intelligence firm CloudSEK, a well-known seller of data breaches posted a database containing 22.1 million user records on a hacker forum.
This data contains users' email addresses, names, genders, geographic location, and for 2.6 million of the users, their hashed passwords.
This leak included 1.4 million cracked passwords, which means they had already been recovered in plaintext and could immediately be used by attackers to log in to the users' accounts or to use the passwords in credential stuffing attacks at other sites.
"On July 21, 2020, our team became aware that a data security vulnerability on a 3rd party service had caused a breach affecting certain non-finance related Slidely and Promo user data. We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened," Promo's data breach notification states.
"Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded," the data breach notification continues.
As the salt for each user's password was also included in the database, it is much easier for threat actors to crack the passwords and see them in their plain text form.
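The "hashed and salted" phrasing above says nothing about how slow the hash is, and that is what decides whether a leaked salt+hash pair is crackable. Added illustration, not Promo.com's code or any detail of its system: a constructed fast legacy scheme (one SHA-256 over salt+password) next to a slow PBKDF2 store, plus the login-time upgrade path a site would use to migrate old records; the iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; not taken from any real deployment.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_hash(password: str, salt: bytes) -> str:
    """Constructed stand-in for a fast 'hashed and salted' scheme: a single
    SHA-256 over salt + password. The salt defeats precomputed tables, but a
    single fast hash per guess is cheap to brute-force once salt and hash leak."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Store passwords with a slow, salted KDF (PBKDF2-HMAC-SHA256).
    Record format (assumed): algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(computed.hex(), digest_hex)


def verify_and_upgrade(password: str, record: dict) -> tuple:
    """Login-time migration. `record` is a constructed dict with keys
    'scheme', 'salt' (hex) and 'hash'. A legacy record is checked with the old
    fast hash and, on success, replaced by a PBKDF2 record, so the weak hash
    disappears from the database the next time the user logs in.
    Returns (ok, record_to_store)."""
    if record["scheme"] == "pbkdf2_sha256":
        return verify_password(password, record["hash"]), record
    if record["scheme"] == "legacy_sha256":
        expected = legacy_hash(password, bytes.fromhex(record["salt"]))
        if hmac.compare_digest(expected, record["hash"]):
            upgraded = {"scheme": "pbkdf2_sha256", "salt": "", "hash": hash_password(password)}
            return True, upgraded
        return False, record
    return False, record  # unknown scheme: fail closed
```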




I bet you didn’t know your laptop was worth a million dollars…
Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach
In April 2017, Lifespan issued a statement disclosing a stolen laptop incident involving unencrypted protected health information. In at least two places in their statement they claim that they are committed to protecting the security and confidentiality of patient data.
Today, OCR announced a settlement with Lifespan in which Lifespan is to pay more than $1 million dollars and implement a corrective action plan. It seems like OCR is sending an expensive reminder to entities to encrypt mobile devices. [About time! Bob] Let’s see what OCR’s press release says:
Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. Lifespan ACE includes many healthcare provider affiliates in Rhode Island, and has designated itself as a HIPAA affiliated covered entity.
On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan ACE, filed a breach report with OCR concerning the theft of an affiliated hospital employee’s laptop containing electronic protected health information (ePHI) including: patients’ names, medical record numbers, demographic information, and medication information. The breach affected 20,431 individuals.
OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so. OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/lifespan-ra-cap-signed.pdf (PDF).




Non-virtual hackers. Sometimes we forget they still exist.
Burglars expose Walgreens customer data in a different kind of breach
Groups of unidentified thieves broke into multiple Walgreens stores in late May and early June and stole prescription information and other data on some 70,000 customers, a spokesman for the pharmacy chain said Monday.
The assailants forced their way behind pharmacy counters and stole drug prescriptions, and also took a “very limited number of hard drives attached to stolen cash registers,” according to a letter Walgreens sent affected customers. Customers’ health insurance and vaccination information may have been swept up in the breach, Walgreens said, but credit card data and Social Security numbers were not affected.




Strange this happened in San Francisco. Will there be an overreaction?
San Francisco Police Accessed Business District Camera Network to Spy on Protestors
EFF: “The San Francisco Police Department (SFPD) conducted mass surveillance of protesters at the end of May and in early June using a downtown business district’s camera network, according to new records obtained by EFF. The records show that SFPD received real-time live access to hundreds of cameras as well as a “data dump” of camera footage amid the ongoing demonstrations against police violence. The camera network is operated by the Union Square Business Improvement District (BID), a special taxation district created by the City and County of San Francisco, but operated by a private non-profit organization. These networked cameras, manufactured by Motorola Solutions’ brand Avigilon, are high definition, can zoom in on a person’s face to capture face-recognition ready images, and are linked to a software system that can automatically analyze content, including distinguishing between when a car or a person passes within the frame. Motorola Solutions recently unveiled plans to expand its portfolio of tools for aiding public-private partnerships with law enforcement by making it easier for police to gain access to private cameras and video analytic tools like license plate readers…”




This ‘ban’ seems to have a few holes in it.
Travelers to DC Must Quarantine
Beginning Monday, July 27, 2020, anyone visiting or returning to the District for non-essential activities from 27 high-risk states will need to isolate themselves and self-monitor for symptoms of COVID-19 for 14 days. The list is valid until Aug. 10, when local officials will reevaluate and post an updated list on the D.C. health department’s coronavirus portal. People coming into the District for essential purposes are not required to self-quarantine on their arrival. Instead, D.C. health officials advise those visitors to monitor for symptoms and seek medical attention or testing if they start to feel ill. Travel to and from Maryland and Virginia is exempt from Bowser’s new order.


