Jun 172019
 

RTÉ reports:

The Dublin Port Company has confirmed it has launched an investigation into the source of the data leak to establish how it occurred and by whom it was carried out.

This follows recent media reports regarding the company, detailing expenditure on credit cards.

Read more on RTÉ

Jun 142019
 

Sue Dremann reports the follow-up on a hack that occurred in 2015 and that was previously reported on this site.

The 36-year-old man who hacked and temporarily shut down Palo Alto Online and other Embarcadero Media websites nearly four years ago was sentenced Wednesday in San Jose federal court to time already served, one-year of home incarceration with electronic monitoring, three years of supervised release and $27,130 in restitution to the company.

Read more on Palo Alto Online.  Dremann provides a lot of details about the case, including why sentencing had been delayed.

Jun 142019
 

Mark Wyciślik-Wilson reports:

Security firm Symantec was attacked by a hacker back in February, but the company did not reveal details of the incident.

The attack has been brought to light by Guardian Australia which has seen some of the data extracted by hackers. This comprises not only passwords, but what is thought to be a list of Symantec clients — including government agencies. But Symantec is downplaying the data breach, dismissing it as a “minor incident”.

Read more on Beta News.

Jun 132019
 

Sergiu Gatlan reports:

A critical flaw in the Evernote Web Clipper Chrome extension could allow potential attackers to access users’ sensitive information from third party online services.

“Due to Evernote’s widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery,” says security company Guardio which discovered the vulnerability.

Read more on BleepingComputer.

Jun 122019
 

The following is a press release issued by the Federal Trade Commission (FTC) that relates to a data security incident — a misconfiguration — discovered by MacKeeper researchers in 2016 that was previously noted on this site, including a subsequent settlement between DealerBuilt and the New Jersey Attorney General’s Office.  From the wording of the release, it sounds like the FTC wants us to know that it is trying to avoid a repeat of what happened when the Eleventh Circuit held that they weren’t specific enough. What I might take away from this one, though, is that all the companies that have misconfigured databases or backups should be on notice that your failure to configure properly and take simple steps to audit or check your security may result in federal enforcement action that can be costly.

An Iowa company that sells software and data services to auto dealers has agreed to take steps to better protect the data it collects, to settle Federal Trade Commission allegations that the firm’s poor data security practices led to a breach that exposed the personal information of millions of consumers.

In a complaint, the FTC alleges that LightYear Dealer Technologies, LLC (doing business as DealerBuilt) failed to implement readily available and low-cost measures to protect personal information it obtained from its auto dealer clients.

“Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” said FTC Chairman Joe Simons. “The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor’s accountability and providing the FTC with additional tools for oversight.”

DealerBuilt develops and sells dealer-management system software and data processing services to auto dealers across the country. The software collects large quantities of personal information about dealership consumers, including names, addresses, birth dates, and Social Security numbers. Its payroll software collects similar information from dealership employees, along with bank account information. The FTC alleges that the personal data DealerBuilt collected was stored and transmitted in clear text, without any access controls or authentication protections.

According to the FTC’s complaint, a DealerBuilt employee connected a storage device to the company’s backup network without ensuring that it was securely configured, leaving an insecure connection for 18 months.

The company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the vulnerability, according to the complaint. The FTC alleges that DealerBuilt failed to take other steps to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls.

The FTC alleges these failures led to a breach of DealerBuilt’s backup database beginning in late October 2016 over a 10-day period, when a hacker gained access to the unencrypted personal information of about 12.5 million consumers stored by 130 DealerBuilt customers. The hacker downloaded the personal information of more than 69,000 consumers, including their Social Security numbers, driver’s license numbers, and birthdates, as well as wage and financial information. DealerBuilt did not detect the breach until it was notified by one of its auto dealer customers, who demanded to know why its customer data was publicly available on the Internet, according to the complaint. The types of personal information stolen from DealerBuilt—names, addresses and Social Security numbers—are often used to commit identity theft and fraud, the complaint notes.

The FTC alleges that DealerBuilt violated the FTC Act’s prohibition against unfair practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.

As part of the proposed settlement with the FTC, DealerBuilt is prohibited from transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects. Among other things, the order requires DealerBuilt to implement specific safeguards that address the allegations in the FTC complaint.

The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. In addition, the order requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.

The Commission vote to issue the proposed administrative complaint and to accept the consent agreement with DealerBuilt was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Source: FTC