May 21, 2018

The University of Greenwich has been fined £120,000 by the Information Commissioner following a “serious” security breach involving the personal data of nearly 20,000 people – among them students and staff.

It is the first university to have been fined by the Commissioner under the existing data protection legislation (Data Protection Act 1998).

The investigation centred on a microsite developed by an academic and a student in the then devolved University’s Computing and Mathematics School, to facilitate a training conference in 2004.

After the event, the site was not subsequently closed down or secured and was compromised in 2013. In 2016 multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server.

The personal data included contact details of 19,500 people including students, staff and alumni such as names, addresses and telephone numbers. However, around 3,500 of these records included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records, and this data was subsequently posted online.

Head of Enforcement at the ICO, Steve Eckersley, said:

“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The Commissioner found that the University did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur, i.e. for ensuring that its systems could not be accessed by attackers.

SOURCE: Information Commissioner’s Office

May 20, 2018

Zack Whittaker reports:

At least one server used by an app for parents to monitor their teenagers’ phone activity has leaked tens of thousands of accounts of both parents and children.

The mobile app, TeenSafe, bills itself as a “secure” monitoring app for iOS and Android, which lets parents view their child’s text messages and location, monitor who they’re calling and when, access their web browsing history, and find out which apps they have installed.

Read more on ZDNet.

May 20, 2018

Tom Diacono reports:

Journalist-blogger Manuel Delia has warned his blog is being targeted by Ukrainian hackers in what he described as one of the most vicious cyber-attacks in Maltese history.

“The storm has been raging for most of this week and every effort of the technical team to counter the attack is met by a vicious onslaught on some other vulnerability of the website,” Delia said in an article on The Shift News. “The great bulk of the attack comes from Ukraine, though computers from all over the globe are being used to complement those waves. The website’s engineers say it is a well-funded, professional attack on a scale rarely known to be used on other websites in Malta.”

Read more on Lovin Malta. There’s a great statement in the blogger’s post that I want to emphasize here:

Many people make the mistake of thinking this is an assault on the right of journalists to speak their mind. It is that. But it is more importantly an assault on people’s right to know.

May 19, 2018

Kelly Sheridan reports:

A dataset containing more than 200 million lines of Japanese personally identifiable information (PII) has been found on the Chinese underground market, researchers report. It’s believed the data is authentic and was exfiltrated from multiple Japanese website databases.

Experts at FireEye iSIGHT Intelligence first noticed the actor advertising the dataset in December 2017. This actor has sold site databases on Chinese underground forums since at least 2013 and is likely connected to someone living in China’s Zhejiang province.

The team identified the actor and data as part of regular monitoring of the cyber threat landscape, explains Oleg Bondarenko, senior manager for international research at FireEye. The Chinese underground primarily consists of instant messenger groups such as QQ, he says. This dataset was not discovered on a forum but rather a group for sharing and offering data.

Read more on DarkReading.

May 19, 2018

Benjamin Blanchet reports:

Thousands of UB community members’ account information has been hacked.

On Friday, UB confirmed that J. Brice Bible, vice president and chief information officer, is investigating and responding to a breach of 2,690 UBITName accounts. The breach affects 1,800 student accounts, 862 alumni accounts and 28 faculty and staff accounts, according to UB spokesperson John Della Contrada.

“Our initial investigation indicates that the affected individuals’ login information was stolen when they visited a non-UB website and entered their university login information,” Della Contrada said in a statement.

Read more on The Spectrum.

Update: I had written to UB to ask whether this was a phishing attack or how so many UB members had their credentials compromised. A university spokesperson answered me:

1. We do not know specifically the external service that was compromised. It could be many. Students (and the population in general) signup for many services in their daily lives. The problem stems from the fact that affected students and others used the same username, email and password as they use at the university. Students are educated throughout the year not to use their university credentials when signing up for external services.

2. We haven’t correlated the third-party service to any phishing scheme. In fact, it may not have been from a phish at all but a legitimate service. We will attempt to determine specifics by reaching out to impacted users.

So that wasn’t exactly what I had expected to hear back, and I’m glad I asked. Hopefully, we’ll see an update at some point.