Feb 222019

Bob  Diachenko writes:

On Feb 19, 2019, I have discovered a MongoDB that required no password. The database was located in an India region which (along with other data) also contained highly sensitive information collected on 458,388 individuals located in Delhi. A 4.1GB-sized database had been indexed by Shodan and was left unattended for public access.

The database was named “GNCTD” which also stands for Government of National Capital Territory of Delhi and contained the following collections and records:

  • EB* Registers
  • EB Users (14,861)
  • Households (102,863)
  • Individuals (458,388)
  • Registered Users (399)
  • Users (2,983)

Read more on Security Discovery.

Feb 212019

SAN FRANCISCO – A federal criminal complaint, filed on February 4, 2019, was unsealed in San Francisco today, charging John C. Fry with unlawful disclosure of Suspicious Activity Reports, announced United States Attorney David L. Anderson and United States Department of the Treasury, Treasury Inspector General for Tax Administration (TIGTA), Special Agent in Charge Rod Ammari.

According to the affidavit filed in support of the complaint, Fry, 54, of San Francisco, unlawfully accessed and disclosed Suspicious Activity Reports (SARs) and SAR information pertaining to an individual taxpayer and a company owned by the taxpayer.  Fry was an Investigative Analyst for the IRS’s law enforcement arm, the Criminal Investigation Division, in San Francisco.  In this position, Fry had access to various law enforcement databases including the Financial Crimes Enforcement Network (FinCEN), Palantir, and the Integrated Data Retrieval System.

The TIGTA investigation revealed that in May 2018, Fry logged on to FinCEN and Palantir from his work computer and conducted numerous searches related to the taxpayer who was a New York attorney.  Fry then disclosed the SAR information to an attorney based in Newport Beach, Calif.  On May 8, 2018, the attorney used a public Twitter account to circulate a dossier releasing confidential banking information related to the taxpayer and the taxpayer’s company.  The SAR information that was passed to the Los Angeles attorney was published in the Washington Post on May 8, 2018.  The Los Angeles attorney put Fry in contact with an investigative reporter in New York which led to confirmation of the confidential banking information and an interview, which was published in The New Yorker on May 16, 2018.

The criminal complaint charges Fry with violating 31 U.S.C. § 5322(a), which prohibits unauthorized disclosure of information from SARs.  Fry appeared before the U.S. Magistrate Judge Laurel Beeler in federal court in San Francisco on February 21, 2019.  He was released on a $50,000 bond.  Fry’s next scheduled appearance is scheduled for March 13, 2019, at 9:30 am, before U.S. Magistrate Judge Joseph C. Spero for preliminary hearing or arraignment on indictment.

A complaint merely alleges that crimes have been committed, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt. If convicted, the defendant faces a maximum sentence of five years and a fine of $250,000 for a violation of 31 U.S.C. § 5322.  However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

The U.S. Attorney’s Office, Special Prosecutions/National Security Unit, is prosecuting the case.  The prosecution is the result of an investigation by the TIGTA.

Further Information:

Case #: 3:19:70176  The complaint can be reviewed here: https://www.justice.gov/usao-ndca/press-release/file/1134051/download

Source:  U.S. Attorney’s Office, Northern District of California

Feb 202019

Michael P. Rellahan reports:

A breach of Chester County government’s computer system via an internet bug led to intense work by county computer specialists over the Presidents Day weekend, but apparently has not led to any compromise of users’ information, a county spokesperson said Tuesday.

Chester County’s Department of Computing and Information Services (DCIS) detected and late last week responded to potential malware activity on the county’s computer network, getting assistance from third-party cybersecurity consultants, said Chester County Communications Coordinator Rebecca Brain.

Read more on The Daily Local.  In response to the incident, the county sounds like it is really tightening up its security in some respects, and no longer allows employees to use county computers or the county network for personal use, etc.

Feb 192019

Zack Whittaker reports:

Another security lapse has exposed millions of Aadhaar numbers.

This time, India’s state-owned gas company Indane left exposed a part of its website for dealers and distributors, even though it’s only supposed to be accessible with a valid username and password. But the part of the site was indexed in Google, allowing anyone to bypass the login page altogether and gain unfettered access to the dealer database.

The data was found by a security researcher who asked to remain anonymous for fear of retribution from the Indian authorities.

Read more on TechCrunch.

Feb 172019

Sarah Wynn reports:

The Ohio Department of Commerce says thousands of letters were sent by the state to those who qualify for unclaimed funds, but the letters were sent to the wrong people. The letters include personal information, including names and social security numbers, according to the state.

“Due to a processing error, approximately 9,000 consumers were mailed forms that were inaccurate,” the Ohio Department of Commerce’s Division of Unclaimed funds announced in a release on Friday.

Read more on ABC6.