Jun 22, 2019

Lawrence Abrams reports:

In an embarrassing security incident, the WeTransfer file sharing service announced that for two days it was sending its users' shared files to the wrong people. As this service is used to transfer what are considered private, and potentially sensitive files, this could be a big privacy issue for affected users.

Starting today, users began to receive emails from WeTransfer [1, 2, 3] stating that on June 16th and 17th, files sent using the WeTransfer service were also delivered to people that they were not meant to go to.

The email goes on to say that the team doesn’t know what happened and that they are working to contain the situation.

Read more on BleepingComputer.

Jun 21, 2019

Lester Wong reports from Singapore:

Insurance company AIA was fined $10,000 by the Personal Data Protection Commission (PDPC) for mistakenly sending 245 letters meant for various customers to just two people due to a programming error in its software system that auto-generates the letters.

The bulk of the letters (237) were premium notice letters for the company’s Integrated Shield Plan, and contained full names and policy numbers of the intended recipients, as well as premium amounts and due dates.

The letters were sent out between Dec 28, 2017, and Jan 2 last year, with 179 sent to the first recipient and 66 to the second one.

Read more on The Straits Times. That seems like a steep penalty for that kind of error. How many mismailings have we seen in this country that never resulted in any fines at all?

Jun 18, 2019

Matt Dathan reports:

The site containing bills currently before Parliament was showing private folders not meant for publication.

One Twitter user said they had found passwords had leaked online too.

A Parliamentary spokesman said it was looking into the reports but said it had not found any evidence that confidential parliamentary data had been breached.

Read more on The Sun.

Jun 18, 2019

Zack Whittaker reports:

An internet advertising company specializing in helping law firms sign up potential clients has exposed close to 150,000 records from a database that was left unsecured.

The database contained submissions as part of a lead-generation effort by X Social Media, a Florida-based ad firm that largely uses Facebook to advertise various campaigns for its law firm customers.

Read more on TechCrunch. It’s another could-have-awful-consequences exposure situation. And not surprisingly, the researchers who found it throw in references to HIPAA, although further down in their report, they acknowledge that X Social Media is not covered by HIPAA.

Throwing in references to HIPAA doesn’t help if HIPAA doesn’t apply — even though the public may want the standards of security and privacy to be upheld in the business sector. What would have been more on point for vpnMentor to mention would be any privacy policy for X Social Media or assurances about data security that may have been violated.

Think FTC, not HHS, folks.