Dec 14 2018

Jasper Lindell reports:

ActewAGL has confirmed 400 electricity, gas and water customers have received bundles of bills addressed to other utility customers in a massive privacy breach affecting 6000 customers in the ACT and NSW.

ActewAGL notified the Privacy Commissioner of the breach after it became aware of the mistake on Wednesday and had set up a taskforce by Friday afternoon to respond to affected customers.

Read more on Canberra Times.

Dec 13 2018

ASI Computers is notifying some of their customers after discovering on November 1, 2018 that usernames and passwords on a support web site had been hacked prior to December 2016. 

From their notification to California:

ASI confirmed which credentials had been exposed by the following day, November 2, 2018. ASI determined the affected credentials related to California residents. ASI notified affected individuals because their username and password were subject to unauthorized access.

Their notification to affected consumers begins:

We recently observed suspicious activity potentially impacting ASI Computer Systems accounts used to log into to access customer service support material and other general information. We take the privacy and security of your account and personal information very seriously and are investigating the suspicious activity. As a precautionary measure, your existing password has been deactivated and you will be required to select a new password to access ASI Computer Systems.

You can read their full notification and sample letter to customers on the California Attorney General’s web site.

Dec 13 2018

From the maybe-if-we-just-say-it’s-not-our-fault? dept, Gareth Corfield reports:

Ticketmaster is telling its customers that it wasn’t to blame for the infection of its site by a strain of the Magecart cred-stealing malware – despite embedding third-party Javascript into its payments page.

In a letter to Reg reader Mark, lawyers for the controversy-struck event ticket sales website said that Ticketmaster “is of the belief that it is not responsible for the Potential Security Incident”.

They were referring to the June 2018 infection of its UK website with the Magecart payment credential-stealing malware. At the time, Ticketmaster publicly blamed “a customer support product hosted by Inbenta Technologies” for the infection. Inbenta chief exec Jordi Torras immediately hit back, telling us in June: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

Read more on The Register.

Dec 13 2018

Janene Pieters reports:

A data leak affecting the municipality of Amsterdam revealed the names and addresses of residents upset about the city’s home share policy. In one case a phone number was also leaked, AT5 reports.

The data was not recorded on the municipality’s website in an unrecognizable way, according to the Amsterdam broadcaster. Around 10 Amsterdam residents were affected by the leak. Whether the data was misused is unclear. 

Read more on NL Times.

Dec 12 2018

Donita Taylor reports:

Rhode Island is suing the parent company of Google for hiding a security breach that affected 52.5 million users, state General Treasurer Seth Magaziner stated in a news release Tuesday.

“Google had an obligation to tell its users and investors that private information wasn’t being protected,” Magaziner stated in the release.


A motion to combine Rhode Island’s suit and two others into a class-action suit and to name the Rhode Island pension fund as lead plaintiff was filed Monday by a San Diego class-action law firm engaged by Magaziner’s office. 

Read more on Providence Journal.

Here is the text of the state’s press release, published December 11:

Rhode Island General Treasurer Seth Magaziner today announced that Employees’ Retirement System of Rhode Island filed a motion with the court to lead a shareholder class action lawsuit against Alphabet Inc., parent company of Google, after it was revealed that Google executives had hidden privacy breaches that compromised the personal information of 52.5 million users. 

“Google had an obligation to tell its users and investors that private information wasn’t being protected,” said Rhode Island General Treasurer Seth Magaziner. “Instead, Google executives decided to hide the breaches from its users and continued to mislead investors and federal regulators. This is an unconscionable violation of public trust by Google, and we are seeking financial restitution on behalf of the Rhode Island pension fund and other investors.”

The underlying action is pending in the U.S. District Court for the Northern District of California and accuses the company of misleading shareholders and federal regulators when they failed to disclose ongoing breaches in private user information from its social media platform Google+. 

In October, Google announced it was shutting down the Google+ social media platform, after whistle blowers came forward with claims that the company had hidden vulnerabilities in its security measures. On Monday, Google announced that personal information for 52.5 million users had been compromised.