Data Breach at Giant Tiger: Protecting Customer Information in the Digital Age

In an increasingly interconnected world, data breaches have become a recurring nightmare for organizations of all sizes. The recent incident at Giant Tiger Stores Ltd., a popular discount retailer based in Ottawa, serves as a stark reminder of the importance of safeguarding customer information.

The Breach

On March 4, Giant Tiger discovered that its customer data had been compromised. The breach affected various categories of customers:

Email Subscribers: Names and email addresses of those who subscribe to Giant Tiger emails.

Loyalty Members and Online Orders: Names, emails, and phone numbers of loyalty members and customers who placed online orders for in-store pickups.

Home Delivery Orders: Some customers who placed online orders for home delivery may have had their street addresses compromised.

Thankfully, no payment information or passwords were part of the data breach. However, the incident highlights the vulnerability of customer data and the need for robust security measures.

Third-Party Vendor Involvement

Giant Tiger’s breach was linked to a third-party vendor. While the retailer did not disclose the vendor’s name, it relies on this external partner for managing customer communications and engagement. This situation underscores the risks associated with outsourcing critical functions to third parties. Organizations must carefully vet their vendors and ensure they adhere to stringent security protocols.

The Fallout

The fallout from a data breach can be severe:

Reputation Damage: Customers trust companies with their personal information. When that trust is violated, it erodes brand reputation. Giant Tiger now faces the challenge of rebuilding customer confidence.

Legal and Regulatory Consequences: Data breaches often trigger legal and regulatory investigations. Organizations may face fines, lawsuits, and compliance requirements. In Giant Tiger’s case, the breach occurred in Canada, where privacy laws are stringent.

Financial Impact: Remediation efforts, legal fees, and potential compensation to affected customers can strain an organization’s finances. Moreover, the cost of reputational damage can be immeasurable.

Mitigation Strategies

To prevent such incidents, companies must adopt proactive measures:

Vendor Risk Assessment: Regularly assess third-party vendors’ security practices. Understand their data handling processes and ensure they align with your organization’s standards.

Encryption and Access Controls: Encrypt sensitive data and limit access to authorized personnel. Implement robust access controls to prevent unauthorized entry.

Employee Training: Educate employees about cybersecurity best practices. Human error remains a significant factor in data breaches.

Incident Response Plan: Have a well-defined incident response plan in place. Swift action can minimize damage and protect customer trust.

Transparency and Communication

Giant Tiger’s response has been commendable. They hired cybersecurity experts for an independent investigation and promptly informed affected customers. Transparency is crucial during a breach. Customers appreciate honesty and timely updates.

Australia’s Telstra Hit by Data Breach Affecting 132,000 Customers

On Sunday, Australia's largest telecom company, Telstra Corp Ltd, reported that the data of 132,000 customers had been leaked because of an internal technical error. Telstra has 18.8 million customer accounts, more than half the population of Australia.

The company said the information was made public owing to "a misalignment of databases."

"We are removing the identified impacted customer details from the Directory Assistance service and the online version of the White Pages," Telstra chief financial officer Michael Ackland said in a statement.

Local media reported that an internal Telstra email estimated that around 30,000 current and former employees had been affected by the incident. It follows a smaller data breach in October, in which certain employee data from 2017 was made publicly available.

Ackland added: "no cyber activity was involved. Protecting our customers’ privacy is absolutely paramount and this is an unacceptable breach of their trust. We are in the process of contacting every impacted customer to let them know what has occurred.”

Optus, a company controlled by Singapore Telecommunications Ltd, reported on September 22 that a system breach had affected more than 10 million accounts.

Since these incidents, the telecom, banking, and government sectors in the country have been on high alert. The data leaked in that breach included names, email addresses, home addresses, passport numbers, and driver's licence numbers.

“In these circumstances, we are seeking a Court order requiring Telstra to pay compensation to consumers who, we allege, did not get the service they signed up for,” ACCC Commissioner Liza Carver said.

Car Rental Giant Sixt Hit by Cyberattack, Operations Shut Down

Germany-based rental car giant Sixt has announced that it was hit by a cyberattack that caused large-scale disruption to its global operations. In April, the company shut down parts of its IT infrastructure to contain the attack.

Only essential systems, such as the company website and mobile applications, were kept running. Sixt said that some disruption for employees and customers was expected, but it believes the disruption was contained to a great extent.

According to the company, it has maintained business continuity for its customers, but temporary disruptions in customer care centers and a few branches can be expected for some time. "As a standard precautionary measure, access to IT systems was immediately restricted and the pre-planned recovery processes were initiated. Many central Sixt systems, in particular, the website and apps were kept up and running," Sixt said in a statement. Sixt handled most car bookings with pen and paper last week, and non-essential systems were shut down after the cyberattack.

Customers who called were played an automated notification: "due to a technical problem, we are currently unavailable." No further details are available yet. Sixt said it has launched an investigation into the issue but did not disclose how the attack happened, and it has asked customers to be patient until the issue is resolved. No ransomware group has claimed responsibility for the attack so far, although ransomware is highly likely.

According to Bleeping Computer, ransomware groups are targeting companies like Sixt because of the upcoming tourism season. Vacations are easy money for car rental companies, and ransomware groups generally strike during high-traffic periods to maximise the damage to their targets.

The greater the damage, the easier it is to extract a ransom payment. Sixt said "impacts on the company, its operations and services have been minimized to provide business continuity for customers. However, temporary disruptions, in particular in customer care centers and selective branches, are likely to occur in the short term."

Morgan Stanley to Pay $60M to Resolve Data Security Lawsuit

Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit filed against the company on Friday, according to Reuters, for allegedly neglecting to secure customers' personal data before retiring outdated information technology. 

The settlement offer awaits the approval of New York District Judge Analisa Torres. The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019. 

In the first incident, Morgan Stanley decommissioned two wealth management data centres. The bank's vendor, Triple Crown, was tasked with wiping or destroying the unencrypted computer equipment before removing it from the centres. Some of this equipment was later found to still contain data after it had left the vendor's control. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission.

The second incident involved the replacement and removal of branch office equipment as part of a hardware refresh programme. The bank was unable to locate some of these devices, which, because of a software flaw, may have retained previously deleted information on their disks in unencrypted form.

Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures. 

Morgan Stanley maintains that there was no wrongdoing on its part, even though it is seeking a settlement. In a motion to dismiss the complaint, filed in August 2021, the bank said that despite extensive investigations and ongoing monitoring over the years, it has not discovered a single instance of data misuse originating from any of its own sources. Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016.

The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.

Cyberattacks on Companies Raise Customer Prices and the Cost of Doing Business

A customer whose favorite store suffers repeated cyberattacks may feel as though someone has stolen their wallet. That sense of fear around data breaches and cyberattacks is not new. What is new is the number of attacks, their impact, and their cost, and customers notice. Customers today are far more aware of these attacks than they once were, not least because the attacks affect them more directly, as when threat actors steal personal data from a large organization.

How do customers think about such attacks?

When threat actors target organizations, consumers bear part of the cost too. In simple terms, customers pay through higher prices for goods and services. "When attackers sell customer data on the dark web and other criminals buy that data, they can turn an enterprise attack into hundreds of others. It can spin off into credit card fraud, identity theft, and a world of social engineering scams. Cyberattacks may strike once, but identity- and personal data-related fraud is forever," reports Security Intelligence.

Cyberattacks raise costs through ransomware payments, legal fees, higher insurance premiums, the cost of bringing systems back online, and operational downtime. Companies pay these costs first, but ultimately they are passed on to customers in prices. The costs of these attacks are rising every year: according to a Sophos survey, the average cost of a ransomware attack was $1.85 million in 2020, double the previous year.

The outlook keeps getting darker: cybersecurity experts estimate that the global cost of cyberattacks will grow by 15% per year for the next five years, reaching $10.5 trillion per year by 2025. That is a rise in the cost of doing business, which will feed into customer prices. According to Security Intelligence, "the rise in cyberattacks on businesses has heightened consumer worries in the past year. Some 44% feel more at risk from cybercrime than they did before the COVID-19 pandemic began, according to the Norton survey."

Thailand's Data on 106 Million Visitors Has Been Breached

A British cybersecurity researcher who uncovered an unsecured database holding the personal information of millions of visitors to Thailand unexpectedly found his own personal data in it. Bob Diachenko, a cybersecurity researcher and security lead at Comparitech, discovered an unsecured, unencrypted Elasticsearch server exposing the personal data of approximately 106 million international travellers to Thailand. The database was accessible online without any protection, so anyone could read it.

Threat actors are constantly on the lookout for unprotected servers. It is not known how long the database had been exposed before Diachenko's disclosure. Afterwards, a honeypot was set up at the same address to monitor intrusion attempts.

“Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added.

A honeypot is a decoy system used to detect or deflect unauthorized access attempts against networks and information systems. Comparitech had earlier set up an Elasticsearch honeypot with a dummy database and fake data to see how quickly attackers would find it. The data was left exposed from May 11 until May 22, 2020. The honeypot recorded 175 attacks in just eight hours after the service went live, with a total of 22 attacks in a single day.

After he reported the problem to Thai authorities, the database was secured. According to Diachenko, anyone who visited Thailand in the last ten years may have had their personal information exposed. The database held over 200GB of user data, including date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number.
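A minimal honeypot of the kind described above, written as an added example rather than Comparitech's or Diachenko's own code: it answers every request to the old address with the logged-access message and keeps a timestamped record of each attempt so that figures such as "attacks in the first eight hours" can be computed. The listening port, the in-memory log format and the sample requests in the test are assumptions.

```python
"""Minimal HTTP honeypot standing in for an exposed Elasticsearch endpoint.

Added example, not Comparitech's or Diachenko's code. Every request gets the
same reply and is logged; nothing about any real data is served. The default
port 9200 (Elasticsearch's usual port) is an assumption for this example.
"""
import json
import threading
import time
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer

BANNER = "This is honeypot, all access were logged"


@dataclass
class AccessLog:
    """Thread-safe in-memory record of every access attempt."""
    entries: list = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def record(self, remote_ip, method, path, when=None):
        """Store one attempt; `when` is epoch seconds (defaults to now)."""
        entry = {"ts": time.time() if when is None else when,
                 "ip": remote_ip, "method": method, "path": path}
        with self.lock:
            self.entries.append(entry)
        return entry

    def attempts_within(self, hours, now=None):
        """Attempts in the trailing window (the '175 in eight hours' metric)."""
        cutoff = (time.time() if now is None else now) - hours * 3600
        with self.lock:
            return sum(1 for e in self.entries if e["ts"] >= cutoff)

    def distinct_sources(self):
        """Sorted list of source IPs seen so far."""
        with self.lock:
            return sorted({e["ip"] for e in self.entries})


LOG = AccessLog()


def honeypot_response(method, path, remote_ip, log=LOG, when=None):
    """Log the attempt and build the reply. Returns (status, body_dict)."""
    log.record(remote_ip, method, path, when)
    # Every path, including index listings or deletes, gets the same banner.
    return 200, {"message": BANNER, "path": path}


class HoneypotHandler(BaseHTTPRequestHandler):
    def _reply(self):
        status, body = honeypot_response(self.command, self.path,
                                         self.client_address[0])
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    # All common Elasticsearch REST verbs are answered identically.
    do_GET = do_POST = do_PUT = do_DELETE = _reply

    def log_message(self, fmt, *args):
        pass  # attempts are kept in LOG instead of stderr


def serve(port=9200):
    """Listen on the (assumed) Elasticsearch port until interrupted."""
    HTTPServer(("0.0.0.0", port), HoneypotHandler).serve_forever()


if __name__ == "__main__":
    serve()
```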

“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects,” Diachenko stated. 

“No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive,” Diachenko added.

Malaysia Airlines hit by ‘Data Security Incident’

Malaysia Airlines has notified Enrich frequent flyer members of a “data security incident” at a third-party IT service provider, stating that the breach did not reach the national carrier’s core IT infrastructure and systems. The airline sent an email to Enrich members this week saying it had been informed of a "data security incident" at the third-party IT supplier. The breach involved "some personal data" and occurred sometime between March 2010 and June 2019, it said, adding that the details included members' names, dates of birth, contact details, and frequent flyer information such as number, status, and tier level.

Travel information such as itineraries, reservations, ticketing and ID card details, as well as payment details, were not compromised, according to Malaysia Airlines. Its own IT infrastructure and systems were likewise not affected, the carrier said. It noted that there was "no proof" that any personal data had been misused and that the breach did not expose any account passwords, but it nonetheless encouraged Enrich members to change their passwords as a precaution. The airline also directed customers to send any questions directly by email to its data privacy officer.

At press time, Malaysia Airlines had yet to make a public statement on the breach or post a notice on its website. It did, however, appear to confirm the incident on Twitter in its replies to customers. In one such response, the national carrier said: “The data security incident occurred at our third-party IT service provider and not Malaysia Airlines' computer systems. However, the airline is monitoring any suspicious activity concerning its members' accounts and in constant contact with the affected IT service provider to secure Enrich members' data and investigate the incident's scope and causes.”

The announcement comes less than a month after revelations that Singtel's file-sharing system, the FTA product supplied by third-party vendor Accellion, was “illegally attacked by unidentified hackers”. According to the telecommunications giant, the breach affected a “standalone system” used to share data internally as well as with external stakeholders.

“This is an isolated incident involving a standalone third-party system,” a statement from Singtel read at the time. “Our core operations remain unaffected and sound.”

Russian expert predicts end of WhatsApp - Users switching to Telegram

Over the past few weeks, WhatsApp has begun losing millions of users, who are migrating to Telegram. In mid-January, almost 25 million people flocked to Telegram in just three days. Some WhatsApp users went instead to another network, Signal, which gained 7.5 million users in two days.

The outflow from WhatsApp is driven by its privacy policy, which allows the developer to share user data with Facebook, explained Urvan Parfentiev, coordinator of the Center for Secure Internet. In particular, he said, users' locations and phone numbers will become visible.

Information and computer security specialist, programmer and blogger Sergey Vakulin said that, in addition to the privacy policy, there are other reasons.

"First reason is the privacy policy. The second is functionality. The third reason is anonymization. People who care about their security and privacy of correspondence are less likely to trust WhatsApp," he said.

According to Mr. Vakulin, the advantage of Telegram relative to many social networks is the lack of censorship.

"There are those who like to watch something cruel, a murder. But on the social network VKontakte and Odnoklassniki, it is forbidden to do this. And on Telegram, you can create a channel that will not be censored", explained the blogger.

After the outflow of users, WhatsApp launched a powerful awareness-raising campaign and abandoned the previously announced measures. Therefore, "we cannot talk about the death of WhatsApp", stressed Parfentiev.

However, Vakulin believes otherwise.

"Most likely, we will see the death of WhatsApp. The old social networks and apps don't have enough functionality. A person needs to learn something new in the social network. Therefore, we are replacing it with a new one," he commented.

Dozens of messengers are currently in use. The most popular in Russia are, in order: WhatsApp, whose audience grew by five percent in 2020 compared to 2019; Viber; Skype; Telegram, which grew by 10 percent; and Facebook, which rounds out the top five with a six percent increase.

Earlier, E Hacking News conducted an interview with a veteran Cyber Law specialist in India Vijayashankar Na (Mr. Naavi) and he shared with us his opinion on the new privacy policy of WhatsApp messenger and how it impacts the users.

Banking customers are tricked by bogus SCA checks

Online scammers are using changes to European banking rules around customer authentication to trick consumers into handing over their sensitive financial details, according to Which?

The consumer rights group warned that attackers are spoofing the emails being sent from banks, payment firms and e-commerce providers asking for up-to-date info, as part of new Strong Customer Authentication (SCA) requirements.

Firms across the EU are gearing up for the changes, part of PSD2, which will require a form of two-factor authentication on any online transactions over €30, although some exceptions apply.

Ironically, payments providers and e-commerce firms in the UK have been given a further 18 months to comply with the new rules, originally set for a September 14 deadline.

Yet that hasn’t stopped the scammers: Which? claimed it has already spotted phishing emails imitating emails from Santander, Royal Bank of Scotland (RBS) and HSBC.

Urging the recipient to update their banking information ahead of “new procedures,” they include links designed to take the victim to a legitimate-looking page designed to harvest banking details.

Which? argued that in many cases, legitimate brands are making it harder for consumers to spot phishing emails, by including links in their own emails, and by using multiple unusual domains for various landing pages.

The group claimed that 78% of its members think banks and other financial firms should never include links in emails, to make phishing attempts easier to spot.

Tripwire VP, Tim Erlin, agreed, arguing that companies can’t simultaneously tell customers not to follow links in emails but then continue to send them emails urging them to click through.

“As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails,” he added.

“Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold.”

GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancée.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

10,000 Clients Affected in Aegon Life Insurance Data Leak

Around 10,000 customers of Aegon Life Insurance, a joint venture between the Netherlands-based Aegon and India's Times Group, have been affected by a data leak originating in the website's support channels, which customers used to raise grievances with the insurer.

The exposed data reportedly ranged from basic demographic details such as name, gender and age to more sensitive ones such as health policy issues and annual income. The leak was caused by a security vulnerability in the company's website.

Renie Ravin, Indian web developer and co-founder of the independent blogging platform, 'IndiBlogger', discovered the vulnerability which led to the data leak and reported it to the company in July 2019.

However, there is no evidence of the exposed data being illegally accessed or misused.

In a statement, the company said: "Aegon Life Insurance, India announces that a vulnerability on their website exposed information of some Indian customers who had used web forms to get in touch with Aegon Life."

"Aegon Life immediately fixed the vulnerability and have since informed all customers of this exposure. Aegon Life estimates that up to 10,000 customers were possibly affected."

"We will initiate an outreach program in the coming days to offer guidance to affected customers and to let them know what information was exposed. At Aegon Life, data security and customer privacy are of utmost importance and we will continue to be transparent with customers as we investigate further," the company added.