Category Archives for "Security"

Adult Cam Site Exposed 10.88 Billion Records Online

As part of a search on the Shodan engine for unsecured databases, security review site Safety Detectives found that CAM4 had misconfigured an ElasticSearch production database so that it was easy to find and view heaps of personally identifiable information, as well as corporate details like fraud and spam detection logs.

The site is CAM4, a popular adult platform that advertises “free live sex cams.” Leaked data comprises 7 terabytes of names, sexual orientations, payment logs, and email and chat transcripts—across 10.88 billion records.

Source: Adult Cam Site CAM4 Exposed 10.88 Billion Records Online | WIRED

‘No data, security breach’: Aarogya Setu says after hacker claims ‘privacy of 90 million Indians at stake’

Aarogya Setu was alerted “by an ethical hacker of a potential security issue in the app”, which they discussed with him, but “no personal information of any user has been proven to be at risk”.

Elliot Alderson, a French security researcher, claimed on Twitter that a security issue has been found in the app and the privacy of 90 million Indians is at stake.

The official Twitter handle of Aarogya Setu, the contact-tracing app developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology, asserted late on Tuesday that “no data or security breach had been identified” in the app.

Source: ‘No data, security breach’: Aarogya Setu says after hacker claims ‘privacy of 90 million Indians at stake’

Notorious Spyware Vendor Pushes COVID-19 Tracking Solution

A notorious spyware firm currently defending a lawsuit over spying on WhatsApp users is marketing its COVID-19 tracking solution to governments around the world. But never mind that, the notorious malware vendor is now selling a COVID-19 tracking app.

On October 29th, 2019, WhatsApp published a statement informing the users about a cyberattack the team stopped earlier in May 2019. In the statement, WhatsApp attributed the attack to NSO Group, an Israeli firm that sells spyware to governments and “authorized agencies” around the globe.

Source: Notorious Spyware Vendor Pushes COVID-19 Tracking Solution | forklog.media

German Federal Agencies Publish Privacy and IT Security Requirements for Digital Health Applications

On April 21, 2020, the Regulation on the Requirements and Reimbursement Process for Digital Health Applications (DiGAV) entered into force in Germany.

Among other provisions, the DiGAV includes specific IT security and privacy requirements. Shortly after the law took effect, Germany’s Federal Medicines and Medical Devices Agency (“BfArM”) also released an extensive explanatory Guidance to the DiGAV.

While the scope of application of the DiGAV and the BSI draft guidance may be limited, the documents can serve to provide useful insights and benchmarks for health applications generally.

Full article: German Federal Agencies Publish Privacy and IT Security Requirements for Digital Health Applications

Google Play has been spreading advanced Android malware for years

Hackers have been using Google Play for years to distribute an unusually advanced backdoor capable of stealing a wide range of sensitive data, researchers said.

Researchers from security firm Kaspersky Lab have recovered at least eight Google Play apps that date back to 2018, a Kaspersky Lab representative said, but based on archive searches and other methods, the researchers believe malicious apps from the same advanced group seeded Google’s official market since at least 2016.

Source: Google Play has been spreading advanced Android malware for years | Ars Technica

Quibi, JetBlue, Wish, others accused of leaking millions of email addresses to ad orgs via HTTP referer headers

Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked millions of people’s email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed.

According to findings published Wednesday by Zach Edwards, of digital strategy firm Victory Medium, these businesses have spilled these contact details to advertising networks and the like over the past few years. Among those websites identified by Edwards – a group that also includes Mailchimp, The Washington Post, NGPVan.com, KongHQ, and GrowingChild.com – some promptly altered their websites when notified of the issue, but others have not.

Source: Quibi, JetBlue, Wish, others accused of leaking millions of email addresses to ad orgs via HTTP referer headers • The Register

India requires all workers to use its COVID-19 tracking app

India is now mandating that all workers use its COVID-19 contact tracing app, even though there are concerns it violates policies. The country’s home ministry will require that all workers, public or private, use its Aarogya Setu app starting May 4th.

Although the app relies on anonymous device identities and stores encrypted records of Bluetooth interactions with other devices, the Internet Freedom Foundation said the app doesn’t meet data protection standards or provide enough transparency for algorithms.

Source: India requires all workers to use its COVID-19 tracking app | Engadget

Home affairs data breach may have exposed personal details of 700,000 migrants

Privacy experts have blasted the home affairs department for a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, including partial names and the outcome of applications.

At a time the federal government is asking Australians to trust the security of data collected by its Covid-Safe contact tracing app, privacy experts are appalled by the breach, which they say is just the latest in a long line of cybersecurity blunders.

Source: Home affairs data breach may have exposed personal details of 700,000 migrants | Data protection | The Guardian

The Swedish DPA issues 18,700 euro fine against the National Government Service Centre

The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.

The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification.

Source: The Swedish Data Protection Authority issues fine against the National Government Service Centre

Nintendo Accounts Hacked with Security Breach

Nintendo recently announced in a press release (originally published in Japanese) that ID and password information for Nintendo Network IDs (NNIDs) has been “obtained illegally by some means other than our service” since the start of April.

Due to this security breach, Nintendo has disabled login capabilities into Nintendo Accounts via an NNID for over 160,000 accounts.

As a result of this incident, information such as nicknames, date of birth, country or region, email address and gender associated with the NNIDs and Nintendo Accounts has all been compromised.

Source: Nintendo Accounts Hacked with Security Breach | HYPEBAE
