Author Archives: Travis Taylor

New Breach Exposes an Entire Nation: Living and the Dead

A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children.

The database was discovered by vpnMentor and was traced back to Ecuadorean company Novaestra. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.

“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” stated a blog from vpnMentor announcing the discovery of the leak. “Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud.”

The leaked data also included financial information for individuals and businesses including bank account status, account balance, credit type, job details, car models, and car license plates.

“The information in both indexes would be as valuable as gold in the hands of criminal gangs,” wrote ZDNet reporter Catalin Cimpanu. “Crooks would be able to target the country’s most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners’ home addresses and license plate numbers).” 

The exposed database was on a server running Elasticsearch, a software program that enables users to query large amounts of data. Elasticsearch has been involved in several high-profile data leaks, mostly due to configuration mistakes. Other recent Elasticsearch leaks included a Canadian data mining firm’s records for 57 million US citizens, a medical database storing the data on 85 percent of Panamanian citizens, and a provincial Chinese government database that contained 90 million personal and business records.

The post New Breach Exposes an Entire Nation: Living and the Dead appeared first on Adam Levin.

More than 50 U.S. Businesses Call For Federal Privacy Law

Fifty-one CEOs representing U.S.-based businesses sent an open letter to Congress requesting a comprehensive federal consumer privacy law.

Signed by the CEOs of AT&T, Comcast, General Motors, Mastercard, and Wal-Mart, among others, the letter requested “a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.”

The cosignatories of the letter are members of the Business Roundtable, an association of executives focused on “working to promote a thriving U.S. economy… through sound public policy.”

Attached to the letter was a proposal for a consumer policy framework that encompasses the need for federal legislation to override state privacy laws, a definition of personal data, the creation of a federal standard for data breach notifications, and the assignment of primary enforcement responsibilities to the FTC. The framework also calls for “no private right of action,” meaning that consumers would be unable to bring lawsuits for violations of the law. 

While the Business Roundtable requests a more uniform law to “ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws,” many critics suggest that the ulterior motive is to pass a weaker set of privacy protections to supersede more stringent state laws currently in place in Maine and California.


More than 50% of Canadians Affected by Data Breaches

19 million Canadians are estimated to have been affected by data breaches between late 2018 and 2019, slightly more than half the population of the country. 

The news was released by the Office of the Privacy Commissioner of Canada after the passage of the Personal Information and Electronic Documents Act (PIPEDA). Data breach reports have nearly sextupled since PIPEDA went into effect, with 446 incidents between November 2018 and June 2019.

One notable exception to the PIPEDA reporting requirements is Canadian political parties, which are not required to report data breaches, and often compile large amounts of data on voters. 

Hacking or “internal bad actors” account for the majority of the data breaches reported, with unintentional data leaks and the loss or theft of equipment comprising the bulk of the remainder.



Voice Deepfake Scams CEO out of $243,000

The CEO of a UK-based energy firm lost the equivalent of $243,000 after falling for a phone scam that used artificial intelligence, specifically a deepfake voice.

The Wall Street Journal reported that the CEO of an unnamed UK energy company received a phone call from what sounded like his boss, the CEO of a German parent company, telling him to wire €220,000 (roughly $243,000) to a bank account in Hungary. The target of the scam was convinced that he was speaking with his boss due to a “subtle German accent” and specific “melody” to the man’s voice and wired the money as requested. 

According to a representative of Euler Hermes Group SA, the firm’s insurance company, the CEO was targeted by a new kind of scam that used AI-enhanced technology to create an audio deepfake of his employer’s voice. While the technology to generate convincing voice recordings has been available for a few years, it remains relatively uncommon in the commission of fraud.

Security experts worry the exploit could spark a new trend. 

“[W]e’re seeing more and more artificial intelligence-based identity fraud than ever before,” said David Thomas, CEO of identity verification company Evident in an article on Threatpost. “Individuals and businesses are just now beginning to understand how important identity verification is. Especially in the new era of deep fakes, it’s no longer just enough to trust a phone call or a video file.”

Read the Wall Street Journal article here (subscription required).


Google Discovers Massive iPhone Hack

Researchers at Google announced the discovery of a hacking campaign that used hacked websites to deliver malware to iPhones.

Project Zero, Google’s security research team, discovered fourteen previously unknown vulnerabilities, known as zero-day vulnerabilities, that were capable of compromising iPhones. Further research revealed a small collection of hacked websites capable of delivering malware to iPhone users visiting those sites.

“There was no target discrimination; simply visiting the hacked site was enough for the exploited server to attack your device, and if it was successful, installing a monitoring implant. We estimate that these sites receive thousands of visitors per week,” wrote Project Zero member Ian Beer in a blog post announcing their findings.

The data accessible on the compromised phones included the user’s location, their passwords, chat histories, contact lists, and full access to their Gmail accounts. 

“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services… even after they lose access to the device,” said Beer.

The hacking campaign was active for at least two years before it was discovered by Project Zero. The research team informed Apple of their findings, and the targeted vulnerabilities were patched in an update in February 2019. 
