ReportWire

Tag: Computer and data security

  • Report: California gun data breach was unintentional


    SACRAMENTO, Calif. — California’s Department of Justice mistakenly posted the names, addresses and birthdays of nearly 200,000 gun owners on the internet because officials didn’t follow policies or understand how to operate their website, according to an investigation released Wednesday.

    The investigation, conducted by an outside law firm hired by the California Department of Justice, found that personal information for 192,000 people was downloaded 2,734 times by 507 unique IP addresses during a roughly 12-hour period in late June. All of those people had applied for a permit to carry a concealed gun.

    The data was exposed just days after the U.S. Supreme Court ruled that people have a right to carry guns in public. The decision invalidated a California law that said people must give a reason for wanting to carry a concealed weapon, such as a threat to their safety. Lawmakers then tried to pass new restrictions for concealed carry permits, but failed.

    Investigators said they “did not uncover any evidence that the timing of the (data breach) was driven by a nefarious intent or was personally or politically motivated in any way.” Instead, they said state officials planned to publish what they thought was anonymous data “to meet anticipated heightened public interest in firearms-related data” following the court ruling.

    An intentional breach of personal information carries stiffer fines and penalties under California law, according to Chuck Michel, an attorney and president of the California Rifle & Pistol Association. Michel said his group is preparing a class action lawsuit against the state. He noted the leaked data likely included information from people in sensitive positions — including judges, law enforcement personnel and domestic violence victims — who had sought gun permits.

    “There is a lot of gaps and unanswered questions, perhaps deliberately so, and some spin on this whole notion of whether this was an intentional release or not,” he said. “This is not the end of the inquiry.”

    The Department of Justice contracted with the Morrison Foerster law firm to investigate the data exposure. The firm said it had “the mandate and autonomy to conduct an independent investigation that followed the facts and evidence wherever they led.”

    Officials at the California Department of Justice did not know about the breach until someone sent Attorney General Rob Bonta a private message on Twitter that included screenshots of the personal information that was available to download from the state’s website, the investigation said.

    State officials at first thought the report was a hoax. Two unnamed employees — identified only as “Data Analyst 1” and “Research Center Director” — investigated and mistakenly assured everyone that no personal information was publicly available.

    Meanwhile, the website crashed because so many people were trying to download the data. Another group of state officials worked to bring the website back online, unaware of the breach. They got the website working again at about 9:30 p.m.

    State officials would not disable the website until about noon the next day. By then the information had already been downloaded thousands of times.

    State officials thought they were providing anonymous information in the aggregate for research and media requests about the use of guns in California. But the employee who created the website included several datasets that contained personal information.

    Investigators found that no one — neither the employee who compiled the data nor the officials who supervised the employee — knew the proper security settings to prevent the data from being available for public download.

    “This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department,” Bonta, the attorney general, said in a news release. “I remain deeply angered that this incident occurred and extend my deepest apologies on behalf of the Department of Justice to those who were affected.”

    Other information was also mistakenly released, including data from firearms safety certificates, dealer record of sale and the state’s assault weapons registry. That data included dates of birth, gender and driver’s license numbers for more than 2 million people and 8.7 million gun transactions. But investigators said there wasn’t enough information in those datasets to identify anyone.

    Investigators recommended more training and planning for state officials, including a review and update of policies and procedures.

    “This failure requires immediate correction, which is why we are implementing all of the recommendations from this independent report,” Bonta said.


  • Australia flags new corporate penalties for privacy breaches


    CANBERRA, Australia — Australia on Saturday proposed tougher penalties for companies that fail to protect customers’ personal data after two major cybersecurity breaches left millions vulnerable to criminals.

    The penalties for serious breaches of the Privacy Act would increase from 2.2 million Australian dollars ($1.4 million) now to AU$50 million ($32 million) under amendments to be introduced to Parliament next week, Attorney-General Mark Dreyfus said.

    A company could also be fined the value of 30% of its revenues over a defined period if that amount exceeded AU$50 million ($32 million).

    Dreyfus said “big companies could face penalties up to hundreds of millions of dollars” under the new law.

    “It is a very, very substantial increase in the penalties,” Dreyfus told reporters.

    “It’s designed to make companies think. It’s designed to be a deterrent so that companies will protect the data of Australians,” he added.

    Parliament resumes on Tuesday for the first time since mid-September.

    Since Parliament last sat, unknown hackers stole personal data from 9.8 million customers of Optus, Australia’s second-largest wireless telecommunications carrier. The theft has left more than one-third of Australia’s population at heightened risk of identity theft and fraud.

    Unknown cybercriminals this week demanded ransom from Australia’s largest health insurer, Medibank, after claiming to have stolen 200 gigabytes of customers’ data including medical diagnoses and treatments. Medibank has 3.7 million customers. The company said the hackers had proved they hold the personal records of at least 100.

    The thieves have reportedly threatened to make public medical conditions of high-profile Medibank customers.

    Dreyfus said both breaches had shown “existing safeguards are inadequate.”

    As well as failing to protect personal information, the government is concerned that companies are unnecessarily holding too much customer data for too long in the hope of monetizing that information.

    “We need to make sure that when a data breach occurs the penalty is large enough, that it’s a really serious penalty on the company and can’t just be disregarded or ignored or just paid as a part of a cost of doing business,” Dreyfus said.

    Dreyfus hopes the proposed amendments will become law in the final four weeks that Parliament will sit this year.

    Any new penalties will not be retroactive and will not affect Optus or Medibank.


  • Binance crypto exchange hit by latest digital currency hack


    FILE – Binance CEO Changpeng Zhao answers a question during a Zoom meeting interview with The Associated Press on Tuesday, Nov. 16, 2021. Binance, the world’s largest cryptocurrency exchange, says more than $100 million was possibly taken illegally following a hack of its Binance Smart Chain blockchain network. “The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly,” CEO Changpeng Zhao said in a tweet, Friday, Oct. 7, 2022. (AP Photo)


  • Former Uber security chief guilty of data breach coverup


    SAN FRANCISCO — The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

    A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal felony had been committed, federal prosecutors said.

    Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

    “Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

    It was believed to be the first criminal prosecution of a company executive over a data breach.

    A lawyer for Sullivan, David Angeli, took issue with the verdict.

    “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

    An email to Uber seeking comment on the conviction wasn’t immediately returned.

    Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

    After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

    According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

    “Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber,” the U.S. attorney’s office said.

    Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new chief executive officer and others, the truth was uncovered and the breach was made public, prosecutors said.

    Sullivan was fired along with Craig Clark, an Uber lawyer he had told about the breach. Clark was given immunity by prosecutors and testified against Sullivan.

    No other Uber executives were charged in the case.

    The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.

    Sullivan was convicted of obstruction of proceedings of the Federal Trade Commission and misprision of felony, meaning concealing knowledge of a felony from authorities.

    Meanwhile, some experts have questioned how much cybersecurity has improved at Uber since the breach.

    The company announced last month that all its services were operational following what security professionals called a major data breach, claiming there was no evidence the hacker got access to sensitive user data.

    The lone hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials. Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

    It is not known how much data the hacker stole or how long they were inside Uber’s network. There was no indication they destroyed data.


  • Former Uber security chief guilty of data breach coverup


    SAN FRANCISCO — The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

    A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal felony had been committed, federal prosecutors said.

    Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

    “Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

    Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

    After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

    According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

    “Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber,” the U.S. attorney’s office said.

    Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the chief executive officer and others, the truth was uncovered and the breach was made public, prosecutors said.

    Sullivan was fired. The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.

    An email to Uber seeking comment on the conviction wasn’t immediately returned.

    Some experts have questioned how much cybersecurity has improved at Uber since the breach.

    The company announced last month that all its services were operational following what security professionals called a major data breach, claiming there was no evidence the hacker got access to sensitive user data.

    The lone hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials. Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

    It is not known how much data the hacker stole or how long they were inside Uber’s network. There was no indication they destroyed data.
