Category Archives for "Security"

Over 21 million stolen login credentials found on the dark web

Stolen login credentials from Fortune 500 companies have been found in numerous places on the dark web, many of which are available in plaintext form.

Amid the 21 million records exposed, it is noted that only 4.9 million of them were fully unique passwords, suggesting that many users have identical or similar passwords. 16 million of them were compromised during the last 12 months.

Source: State of Stolen Credentials in the Dark Web from Fortune 500 Companies | ImmuniWeb Security Blog

Study reveals 2019’s darkest cyber-threats

Webroot has released its third annual Nastiest Malware list, shedding light on 2019’s worst cybersecurity threats.

From ransomware strains and crypto-mining campaigns that delivered the most attack payloads to phishing attacks that wreaked the most havoc, it’s clear that cyber threats across the board are becoming more advanced and difficult to detect.

Full article: #Privacy: Study reveals 2019’s darkest cyber-threats

Facebook accepts Cambridge Analytica fine

Facebook has said it will pay the £500,000 financial penalty that the social network was issued by the UK’s data privacy watchdog, the Information Commissioner’s Office (ICO).

The fine came as a result of Facebook’s role in the Cambridge Analytica scandal, news of which first broke in March 2018.

Source: #Privacy: Facebook accepts ICO Cambridge Analytica fine

Using Cell Phone Numbers As A Secondary ID Can Pose Security Risks

Security experts say our growing reliance on cell phones to help confirm our identity online is motivating “SIM-swap” scams to hijack our numbers.

SIM-swap is a “social engineering” trick fraudsters use to take control of somebody else’s phone number. Once scammers control your number, they can get your text messages, including the verification codes many online services send when customers reset their passwords.

Source: Using Cell Phone Numbers As A Secondary ID Can Pose Security Risks, Experts Say : NPR

Supply chains show their weaknesses following Avast and NordVPN attacks

Antivirus solution provider Avast and VPN service NordVPN each disclosed a data breach that was traced back to a case of exposed credentials.

The security incidents are indicative of a key threat that exploits insecurities in the digital supply chain to mount a variety of attacks on businesses and critical infrastructure. Exploiting a third party also vastly increases the scale of an attack, as a successful break-in opens up access to multiple businesses, making them all vulnerable at once.

Source: Supply chains show their weaknesses following Avast and NordVPN attacks

China Sharpens Hacking to Hound Its Minorities, Far and Wide

New, more sophisticated attacks are targeting Uighurs’ phones — even iPhones and even abroad, security researchers say. They warn that foreigners could be next.

“The Chinese use their best tools against their own people first because that is who they’re most afraid of,” said James A. Lewis, a former United States government official who writes on cybersecurity and espionage for the Center for Strategic Studies in Washington. “Then they turn those tools on foreign targets.”

Source: China Sharpens Hacking to Hound Its Minorities, Far and Wide – The New York Times

EBF publishes proposals on Cyber incident reporting

In order to ensure that financial institutions are able to quickly and effectively report cyber incidents without at the same time sacrificing proper incident management and recovery processes, the European Banking Federation (EBF) has published its proposals on cyber incident reporting.

In particular, the EBF makes the following proposals for supervisors and regulators:

  • Establish a central reporting and coordination hub in each Member State;
  • Harmonise reporting thresholds and create a common taxonomy for cyber security incidents;
  • Foster public-private real-time collaboration between regulators, supervisors, law enforcement, financial institutions and other cross-sectoral infrastructure actors;
  • Further involve national CERTs in information sharing;
  • Introduce a regular bi-directional information flow between regulators/supervisors and the industry.

Full report: EBF position on Cyber incident reporting

Ireland publishes note on data breach trends

Ireland’s Data Protection Commission (DPC) has published an information note on data breach trends from the first year of the General Data Protection Regulation (GDPR).

The total number of breach notifications received by the DPC during that time amounted to 5,818. Of all breach notifications received by the DPC, approximately 4% have been classified as ‘non-breaches’ and did not meet the definition of a personal data breach.

A total of 13% failed to satisfy the requirement of notification to the DPC ‘without undue delay’ (normally within 72 hours), as required under the provisions of GDPR.

Source: Data Breach Trends from the First Year of the GDPR

Security researchers expose new Alexa and Google Home vulnerability

Security researchers with SRLabs have disclosed a new vulnerability affecting both Google and Amazon smart speakers that could allow hackers to eavesdrop on or even phish unsuspecting users.

By uploading a malicious piece of software disguised as an innocuous Alexa Skill or Google Action, the researchers showed how you can get the smart speakers to silently record users, or even ask them for the password to their Google account. There’s no evidence that this vulnerability has been exploited in the real world, however, and SRLabs disclosed their findings to both Amazon and Google before making them public.

Source: Security researchers expose new Alexa and Google Home vulnerability – The Verge

Italy hit by a wave of musical ransomware attacks

The musical ransomware, FTCode, plays German rock music whilst encrypting victims’ files.

Researchers at AppRiver discovered FTCode within malicious email campaigns targeting Italian Office 365 customers. Victims receive emails containing malicious content posing as invoices, document scans and resumes.

Source: #Privacy: Italy hit by a wave of musical ransomware attacks