Nov 172017

Tim Collins reports:

Hackers who attacked the now defunct website of second hand goods store Cash Converters may have access to the account details of thousands of customers.

Usernames, passwords, delivery addresses and potentially partial credit card numbers are among the data believed to have been stolen.

The culprits are said to be holding the information to ransom while the firm works with law enforcement authorities to investigate the incident.

Read more on Mail Online.

Nov 152017

Chris Foxx reports:

The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.

A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents.

Huddle is an online tool that lets work colleagues share content and describes itself as “the global leader in secure content collaboration”.

The company said it had fixed the flaw.

Read more on BBC.

Nov 142017

So far, all I’ve seen is their press release, so it will have to do until we get more details from other sources, but I do wonder what kind of “third party” alerted them to this – was it a third party vendor who had some responsibility for data security or a customer who experienced a problem after their using their card at a store? So far, it sounds like this is a brick-and-mortar  incident and not necessarily compromise of online purchases, but we’ll need to wait for more details, of course:

Forever 21 is notifying its customers that it recently received a report from a third party that suggested there may have been unauthorized access to data from payment cards that were used at certain Forever 21 stores. Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist.

Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not operating. The company’s investigation is focused on card transactions in Forever 21 stores from March 2017October 2017. Because the investigation is continuing, complete findings are not available, and it is too early to provide further details on the investigation. Forever 21 expects to provide an additional notice as it gets further clarity on the specific stores and timeframes that may have been involved.

It is always advisable for customers to closely monitor their payment card statements. If customers see an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.

We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter. For more information, please visit

Nov 112017

India Ashok reports:

Over one million users’ personal and financial data was inadvertently publicly exposed by US-based ride hailing firm Fasten. The leaked data includes names, emails, phone numbers, credit card data, links to photos, device IMEI numbers, GPS data and users’ taxi routes.

The firm also exposed sensitive information of its own drivers, including drivers’ car registration and license plate records as well as detailed individual profiles. According to Kromtech security researchers, who uncovered the breach, the data exposure was caused by an unsecured Apache Hive database.

Read more on IBT.

Nov 102017

Larry Dignan reports:

Equifax spent $87.5 million in the third quarter on its recent data breach.

The disclosure, which came amid an earnings report that showed revenue growth of 4 percent to $834.8 million and net income of $96.3 million.

In other words, the data breach affecting 145 million Equifax customers dented the cash cow, but certainly didn’t kill it.

Read more on ZDNet.

And of course, that $87.5 million doesn’t even come close to making those affected by the breach whole again. For how many years will you have to keep checking because your Social Security number was involved and our government still hasn’t trashed the SSN system and replaced it?

I really do prefer South Korea’s approach of severely penalizing executives and companies who have major cock-ups affecting consumers. Fine them, fire them, and prevent the company from taking on any new business for months on end. That might motivate companies to pay a bit more attention, perhaps?  How many months, you ask? It depends, I answer, serenely. You used a weak password and it was guessed within seconds? Eight months at least without taking on any new business. At least.  You encrypted the patient database, yes, but the encryption key was conveniently held in an employee’s email and they got phished?  Four months, at least.

Heck, I could create a whole menu in the World According to Dissent. But of course, that is my private world where justice actually prevails and my government doesn’t abuse its power and try to subpoena my details for no valid reason. Meanwhile, back in the REAL world, businesses violate consumer privacy left and right and then complain when they are violated by criminal hackers after they failed to secure our information adequately. And I shake my head and go put up more coffee…..