Mar 152019

Felicia Choo reports:

The personal information of more than 800,000 people who have donated or tried to donate blood in Singapore since 1986 was improperly put online by a Health Sciences Authority (HSA) vendor for more than two months, but access to the database was cut off soon after the discovery.

Disclosing this in a statement on Friday (March 15), the HSA said its preliminary findings indicate that there was only one instance of external access – by a cyber security expert who discovered the vulnerability on Tuesday (March 12) and alerted the Personal Data Protection Commission to it a day later.

Read more on Straits Times.

The vendor was identified in HSA’s press release as Secur Solutions Group Pte Ltd (SSG). According to the press release:

HSA had provided the data to SSG for updating and testing. SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access. It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA.

Related:  Notice to those affected.

Kudos to the researcher who engaged in responsible disclosure. At the time of this posting, I’m not sure who that was.

Mar 152019

David Krebs and Jacey Safnuk of Miller Thomson LLP write:

… Data breach reporting obligations in Saskatchewan are influenced by a total of four relevant pieces of legislation, covering both public and private sectors. These laws will not all apply to every potential breach, of course, but it is crucial for organizations to understand that more than one of them may apply depending on the specific circumstances of the data breach:

  1. The Freedom of Information and Protection of Privacy Act (“FOIP”) applies to Government Institutions, such as ministries, Crown corporations, agencies, boards and commissions.
  2. The Local Authority Freedom of Information and Protection of Privacy Act (“LA FOIP”) applies to Local Authorities, such as school boards, post-secondary institutions, rural municipalities and regional health authorities.
  3. The Health Information Protection Act (“HIPA”) applies to wide range of organizations listed under 2(t) of HIPA who have custody or control over Personal Health Information.
  4. Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to any organization that collects, uses, or discloses personal information in a “commercial activity.” Saskatchewan does not have “substantially similar” privacy legislation, and, therefore, in Saskatchewan PIPEDA applies to all personal information used, collected, or disclosed in commercial activities and all personal information processed by “federal undertakings,” which then includes personal employee information of those organizations. Personal information of employees in the private sector is not governed by a provincial or federal law.

Read more on Lexology.

Mar 152019

Zeljka Zorz reports:

Chinese e-commerce giant Gearbest has exposed information and orders of millions of its customers through an unsecured Elasticsearch server, security researcher Noam Rotem and his team have found.

According to Rotem, the server was not protected with a password and anyone could access it and search the data.

Also, despite assurances from the company that sensitive data is encrypted, most of the contents of the database were decidedly not.

Read more on HelpNetSecurity. This seems to be a more concerning what-could-happen leak than a lot of other leaks that researchers find online — in part, because passport numbers are involved, but in part because the content of some people’s orders is exposed:

“Hidden in the ‘Sales’ section of Gearbest’s ‘Apparel’ category, users can find a vast array of sex toys. The nature of the store’s open database means the details of your private purchases could quickly become public knowledge.”

For many people across the world, purchasing sex toys is not problematic, but for some, who live in countries with prohibitive laws regarding sexuality and homosexuality, this information could lead to a death sentence for users.

Once again, what might seem like just another human error incident could have life-threatening consequences.

Mar 152019

Lily Hay Newman reports:

In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here’s how they did it.

At the RSA security conference in San Francisco last Friday, penetration tester and security advisor Josu Loza, who was an incident responder in the wake of the April attacks, presented findings on how hackers executed the heists both digitally and on the ground around Mexico.

Read more on Wired.

Mar 152019

Yuri Kageyama reports:

Mark Karpeles, who headed Mt. Gox, a Tokyo-based bitcoin exchange that went bankrupt after a massive hacking, was found guilty Friday of manipulating electronic data but cleared of embezzlement and breach of trust charges.

The Tokyo District Court handed down a prison sentence of two years and six months, suspended for four years, meaning Karpeles will not have to serve jail time.

Read more on Boston25.