Mar 24, 2019

On March 22, Simon Cohen reported:

Read more on Digital Trends.

Here’s the text of the email notification Kanopy had sent to users on March 21, courtesy of someone who received it and sent it on to me:

From: “Kanopy” <[email protected]>
Date: March 21, 2019 at 3:24:43 PM PDT
Subject: Kanopy Security Update

Good afternoon,

Over the weekend, we became aware of an issue affecting the security of our platform. We promptly resolved the issue by Monday afternoon and are taking all necessary steps to maintain the security of our systems going forward. While our investigation is ongoing, at this stage, we believe significantly less than one percent of accounts have been affected.

The only thing as important as providing our Kanopy users with rich viewing experiences is protecting the integrity and security of your data. As our community continues to grow, we will always prioritize ensuring that our platform is entirely secure, regardless of scale.

We regret that these circumstances have affected the Kanopy community. While our analysis of the incident is ongoing, I personally assure you that we are doing everything it takes to protect against this type of event in the

Olivia Humphrey
CEO, Kanopy

Mar 23, 2019

Zack Whittaker reports:

A popular family tracking app was leaking the real-time locations of more than 238,000 users for weeks after the developer left a server exposed without a password.

The app, Family Locator, built by Australia-based software house React Apps, allows families to track each other in real-time, such as spouses or parents wanting to know where their children are. It also lets users set up geofenced alerts to send a notification when a family member enters or leaves a certain location, such as school or work.

But the backend MongoDB database was left unprotected and accessible by anyone who knew where to look.

Read more on TechCrunch.

Is this the same leak that Motherboard reported on, or is this an unrelated leak?  Zack tells me that these are totally unrelated leaks.  So we’ve had two reports of leaks with sensitive info and neither company could be contacted or was responsive when people attempted to notify them to secure their data?

The FTC really needs to go after companies who provide no way to notify them or who are not promptly responsive. Seriously. Saying you care about privacy and take it seriously is just a load of manure if no one can reach you to alert you when you’re bleeding sensitive data everywhere.

Mar 23, 2019

Lorenzo Franceschi-Bicchierai reports:

A ransomware attack appears to have affected two American chemicals companies, Motherboard has learned.

Hexion and Momentive, which make resins, silicones, and other materials, and are controlled by the same investment fund, were hit by the ransomware on March 12, according to a current employee. An internal email obtained by Motherboard and signed by Momentive’s CEO Jack Boss refers to a “global IT outage” that required the companies to deploy “SWAT teams” to manage.

Read more on Motherboard.

Mar 23, 2019

Balch & Bingham LLP write:

Last week, the U.S. District Court for the Middle District of Alabama denied Southern Independent Bank’s (“Southern Independent’s”) motion for class certification following a data breach which allegedly affected over 2,000 financial institutions across the country. Southern Independent, a community bank located in south Alabama, brought a class action complaint against Fred’s in response to a data breach in which hackers, using malware installed on servers, harvested payment data from consumer debit cards used at Fred’s stores.

As the district court’s opinion outlines, the data breach not only caused damage to the consumers, but also to the financial institutions that initially issued the debit cards to their customers.

And I was following along with this well-written post, and thinking, “Wow, the court is agreeing with Southern Independent on every point, so why was certification denied?”  And then I got to this paragraph, and my head hurt:

Despite the court’s conclusion that Southern satisfied the elements for class certification under Federal Rule of Civil Procedure 23(a), it could not ultimately support a grant of class certification. Southern Independent sought certification under Federal Rule of Civil Procedure 23(b)(3) which, in addition to the requirements outlined above, also mandates that adjudication as a class must be superior to other available methods and that common questions of law and fact predominate.  Alabama’s choice of law rules would necessitate adjudicating claims of negligence under the laws of each plaintiff’s jurisdiction.  The court concluded that doing so for over 2,000 financial institutions would require trying a negligence case under the laws of all fifty-one United States jurisdictions.  That immense logistical burden, coupled with factual disputes as to whether Southern Independent’s customers may have had their financial data compromised elsewhere and whether Southern Independent incurred unreasonable costs in response to the data breach, led the court to advance the case as an individual negligence action brought by Southern Independent against Fred’s.

Read more on JDSupra, and of course, the opinion itself. I thought it was great that the opinion contained a helpful visual:

From the opinion, an explanation of the graphic above:

“The vertical lines with arrows starting from Visa and MasterCard and moving downward represent the series of contractual relationships that parallel the two sides of the payment card networks. The horizontal line at the bottom connecting cardholders and merchants represents the connection between the two sides when cardholders transact with merchants. Finally, the diagonal line represents the relationship this lawsuit is about: the one between a merchant (Fred’s) and an issuing bank (SIB). The Seventh Circuit explained that the theory of recovery represented by the diagonal line would be a “new form of liability . . . in addition to the remedies already provided by the contracts governing the card payment systems.” Cmty. Bank of Trenton, 887 F.3d at 808.”

Mar 23, 2019

I missed this one when it first appeared, but it’s worth posting so that parents can once again remind their kids about online safety. Read the full news story on this one as it provides a lot of details about the hacker convincing the victim to give him the login credentials to her account, and what happened after she did that.  Even though the original perpetrator was caught, that student’s nude pictures were circulated to her friends and uploaded to the internet.  We really need to get young people to understand that uploading nude pictures of themselves to the internet, even if they think their account is locked or private, is way too risky.

Thomas Metevia reports:

A man has been arrested after paying a computer hacker to target a University of Central Florida student’s Snapchat account and extort her for nude photos, according to the UCF Police Department.

John Thompson in May 2018 paid a computer hacker he found through the website 4chan to target his ex-girlfriend’s sister’s account in order to obtain nude pictures and videos, police said.

Read the whole report on Click Orlando.