Author Archives: Travis Taylor

Canadian Credit Union Desjardins Data Breached by Employee

Canadian financial institution Desjardins reported a data breach that compromised the personal information of 2.7 million customers and 173,000 businesses.

The compromised data included names, addresses, birthdates, social insurance numbers, email addresses and transaction histories. The breach was reportedly the result of employee misconduct. Investigators believe an employee sold the data on the dark web. Evidence of fraudulent credit cards opened in customer names has been reported.

“This is a very serious situation,” said the Autorité des marchés financiers (AMF), an organization responsible for financial regulation in Québec in a statement.

“The AMF is satisfied with the actions taken to date by Desjardins Group to protect the interests and assets of its members. It remains confident that the institution’s officers have handled the situation with due rigour, transparency and speed and that the cooperation provided to law enforcement is full and complete,” it added.

Desjardins and its CEO were criticized following complaints by affected customers that registration for the five years of free credit monitoring offered by the company was difficult, with reports of crashed websites, long wait times on the phone, and limited support in French. After finding that only 13% of customers had signed up for the service, Desjardins expanded the service, offering lifelong identity theft protection for all of its clients, including those unaffected by the breach.

The Office of the Privacy Commissioner and the Québec Access to Information Commission have announced a joint investigation into the breach to determine whether Desjardins was compliant with consumer protection regulations at the provincial and federal levels.

Read more about the story here.

The post Canadian Credit Union Desjardins Data Breached by Employee appeared first on Adam Levin.

Google Employees Are Eavesdropping on Customers

Google employees and subcontractors are listening to recordings gleaned from Google Home smart speakers and the Google Assistant smartphone app.

A report from Belgian news outlet VRT NWS showed that Google regularly uses staff and subcontractors to transcribe audio recordings taken from its network of home devices for the stated purpose of improving its speech recognition technology. A whistleblower employed as a subcontractor for Google shared over a thousand recordings with VRT NWS, many of which were recorded unintentionally and without the user’s consent.  

While the technology and devices are meant to be restricted to requests starting with the phrase “OK Google,” VRT NWS found that over 150 of the recordings were either made accidentally or where the command “was clearly not given.” Content of the recordings included conversations between parents and children, financial information, potential domestic violence, and medical-related questions. 

“[T]his work is of crucial importance to develop technologies sustaining products such as the Google assistant,” said a spokesman for the company, who added that roughly “0.2 percent of all audio fragments” were being analyzed by employees.

Google claims the recordings are stripped of any personally identifiable information, with user names replaced by serial numbers, for example. This ultimately does little to protect user privacy, since re-identification may be possible.

“[I]t doesn’t take a rocket scientist to recover someone’s identity; you simply have to listen carefully to what is being said… these employees have to look up every word, address, personal name or company name on Google or on Facebook. In that way, they often soon discover the identity of the person speaking,” said the VRT NWS report.

Read the VRT NWS story here.

Does Anyone Like Facebook’s Libra Currency?

Facebook’s plans to launch a new currency in cahoots with other digital giants is encountering heavy interference from the Congress and the Federal Reserve despite extensive lobbying by the company.

The stated purpose of the cryptocurrency developed by Facebook, currently known as Libra, is to provide free or low-cost financial services worldwide.

“Imagine an open, interoperable ecosystem of financial services that developers and organizations will build to help people and businesses hold and transfer Libra for everyday use,” wrote the authors of the white paper introducing Libra. 

Members of Congress worry that the motivations behind Libra aren’t as benign as stated.

“While I have serious questions about Facebook’s plans and intentions — such as how the technology will be employed and why they chose to do this in Switzerland rather than in the United States — a hearing will provide us an opportunity to learn more about their plans,” said Representative Patrick McHenry (R-NC).

House Financial Services Committee chair Maxine Waters has asked Facebook to halt the development of Libra altogether.

“Facebook has data on billions of people and has repeatedly shown a disregard for the protection and careful use of this data [and] is continuing its unchecked expansion and extending its reach into the lives of its users… Given the company’s troubled past, I am requesting that Facebook agree to a moratorium on any movement forward on developing a cryptocurrency until Congress and regulators have the opportunity to examine these issues and take action,” said Waters in a statement.

Federal Reserve Chairman Jay Powell shared similar concerns in his testimony before the House of Representatives. 

“Libra raises many serious concerns regarding privacy, money laundering, consumer protection and financial stability,” said Powell. 

David Marcus, the Facebook official heading the Libra project, responded to the statements earlier this week.

“We understand that big ideas take time, that policymakers and others are raising important questions, and that we can’t do this alone,” wrote Marcus. 


British Airways Faces Record GDPR Fine

The 2018 data breach of British Airways may prove to be a record-breaking data compromise with the announcement of a newly proposed $230 million fine.

The U.K. Information Commissioner’s Office (ICO) proposed the fine under the European Union General Data Protection Regulation (GDPR) following the compromise of the data of over 500,000 customers, including their login information, credit card numbers, and addresses. The fine is equal to 1.5% of British Airways’ total 2017 revenue and represents the largest GDPR penalty to date.

While British Airways alerted the ICO within the 72-hour mandatory disclosure period for data breaches, the company was accused of poor internal cybersecurity and lax protections for customer data on its website and mobile app.

“When an organization fails to protect [customer data] from loss, damage or theft, it is more than an inconvenience. The law is clear: When you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said UK information commissioner Elizabeth Denham.

“The ICO did what data protection and other regulatory authorities usually do: pick a large and easy target, make it an example, and hope everyone else gets in line. The fact that the fine was nearly 1.5% of BA’s global turnover speaks volumes about the willingness of the ICO to push the limits of their enforcement powers,” said CyberScout Global Privacy Officer Eduard Goodman.

“The fine being imposed by the UK ICO demonstrates that security failures are taken very seriously and organizations need to prioritize data protection, security, and privacy – or pay the price. While the largest fines are saved for those organizations particularly reckless with marketing efforts, consent and other core issues, ICO is signaling zero-tolerance for the failure to safeguard private information assets,” Goodman added.

The data breach was the result of a skimming attack by Magecart, a hacking group allegedly responsible for numerous compromised e-commerce sites, including Ticketmaster and Newegg.

British Airways is expected to contest the fine.


Prison Time for Former Equifax Executive

The former CIO of Equifax has been sentenced to prison for selling his stock in the company before news of its 2017 data breach was publicly announced.

Jun Ying, the former Chief Information Officer of Equifax U.S. Information Solutions, sold his shares in the company for over $950,000 ten days before the company admitted that its data had been accessed by hackers. He was sentenced to four months in prison and ordered to pay roughly $170,000 in fines and restitution.

“Ying thought of his own financial gain before the millions of people exposed in this data breach even knew they were victims,” said U.S. Attorney Byung J. Pak.

The Equifax data breach compromised the names, Social Security numbers, birthdates, and addresses of over 145 million Americans. Ying is the second employee of the company to be found guilty of insider trading related to the incident. 

According to reports, Ying decided to sell his shares after researching the impact of the 2015 data breach of rival company Experian on its stock prices.

Read the U.S. Department of Justice’s statement on the case here.


Senate Republicans Block Election Security Bill

A bill that would provide a billion dollars to states for election security was blocked by Senate Republicans.

The Election Security Act, proposed by presidential candidate Senator Amy Klobuchar (D-Minn.), would have required paper ballots for voting systems and required President Trump to provide a strategy for protecting institutions from foreign cyberattacks.

“There is a presidential election before us and if a few counties in one swing state or an entire state get hacked into there’s no backup paper ballots and we can’t figure out what happened, the entire election will be called into question,” said Klobuchar.

Senator James Lankford (R-Okla.), who has worked with Klobuchar on previous election security efforts, voted to stop the bill, arguing that federal funding couldn’t be effectively implemented in time for the 2020 elections. 

“No matter how much money we threw at the states right now, they could not make that so by the 2020 presidential election,” Lankford said. 

Calls for legislation to secure elections have been renewed in the wake of the release of the redacted Mueller report, which detailed Russian interference in 2016. While several bills have passed the House of Representatives, many have been blocked in the Republican-controlled Senate, particularly by Majority Leader Mitch McConnell.


US-Iran Cyberwar Heats Up

President Trump has authorized a round of cyberattacks against Iran, and U.S. companies and agencies are bracing for counterattacks.

The Washington Post reported that the U.S. cyberattack had disabled Iranian missile control systems. The attack was the latest in escalating tensions between the two countries, which include the recent downing of an unmanned surveillance drone.

“This operation imposes costs on the growing Iranian cyberthreat, but also serves to defend the United States Navy and shipping operations in the Strait of Hormuz,” said former senior White House cybersecurity official Thomas Bossert.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning organizations of potential retaliation from Iranian hackers, including the deployment of “wiper” malware that deletes data from targeted computers and networks.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money,” said CISA director Christopher Krebs.

Cyber warfare supplements what the U.S. government has called “kinetic” actions, i.e. more traditional military operations. Earlier this month, the U.S. Cyber Command reportedly deployed offensive malware against Russia’s electrical grid.


Adam Levin on CBS This Morning: Catfish Scheme Leads to Murder

Adam Levin was featured on CBS This Morning where he discussed the recent catfish scheme that led to the murder of an Alaska teenager.

Levin warned that young people are especially vulnerable to online manipulation:

“You can ruin your entire life in a matter of minutes based on what you see, what you do and how you react to people online… Do not believe everything you see or hear online.”
