Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label data misuse. Show all posts

Qantas Employee Data Misuse: Over 800 Bookings Affected by Rogue Staff

 

Qantas recently experienced a security breach involving employees of India SATS, its ground handler in India. These employees exploited their access to alter customer bookings and divert frequent flyer points into their own accounts. The fraud, which occurred in July and August 2024, impacted over 800 bookings and potentially exposed sensitive data, including passport information. 

However, Qantas has emphasized that there is no evidence that the passport data has been misused. This breach was not a result of a cyberattack but rather an instance of insider fraud. Employees of India SATS, using a partner airline’s system, changed frequent flyer details, funneling the earned points into an account they controlled. Following the breach, Qantas promptly suspended the contractors involved, restored customers’ points, and fixed the altered bookings. Qantas reassured its customers that it has implemented new restrictions on accessing bookings to prevent a similar incident in the future. It also clarified that this was not a technical hack, but rather a case of “rogue employees” abusing their position. 

A spokesperson for Qantas further stated that they are unaware of any current bookings being affected by this incident and that an ongoing police investigation is in place. The breach has raised concerns about other airlines in the Oneworld Alliance potentially being affected. However, Qantas has not confirmed any involvement of other airlines in the scandal. Despite the breach, the airline continues to assert that this was an isolated incident tied to two contractors abusing their access. This breach follows another Qantas security issue earlier in 2024, when a technical error in the MyQantas app gave customers access to other users’ accounts. 

While there was no cyberattack involved, the error allowed some customers to view booking information, frequent flyer points, and boarding passes of other users. Qantas promptly fixed the issue and reassured its customers that no financial information was compromised. In both cases, Qantas has emphasized the importance of security and quickly worked to remedy the problems. 

As cybersecurity threats continue to evolve, the airline is working to strengthen its internal systems and access controls, protecting customer data from potential breaches, whether caused by technical errors or human misconduct.

The Hidden Cost of Connected Cars: Your Driving Data and Insurance

 

Driving to a weekend getaway or a doctor's appointment leaves more than just a memory; it leaves a data trail. Modern cars equipped with internet capabilities, GPS tracking, or services like OnStar, capture your driving history. This data is not just stored—it can be sold to your insurance company. A recent report highlighted how ordinary driving activities generate a data footprint that can be sold to insurers. These data collections often occur through "safe driving" programs installed in your vehicle or connected car apps. Real-time tracking usually begins when you download an app or agree to terms on your car's dashboard screen. 

Car technology has evolved significantly since General Motors introduced OnStar in 1996. From mobile data enhancing navigation to telematics in the 2010s, today’s cars are more connected than ever. This connectivity offers benefits like emergency alerts, maintenance notifications, and software updates. By 2030, it's predicted that over 95% of new cars will have some form of internet connectivity. Manufacturers like General Motors, Kia, Subaru, and Mitsubishi offer services that collect and share your driving data with insurance companies. Insurers purchase this data to analyze your driving habits, influencing your "risk score" and potentially increasing your premiums. 

One example is the OnStar Smart Driver program, which collects data and sends it to manufacturers who then sell it to data brokers. These brokers resell the data to various buyers, including insurance companies. Following a critical report, General Motors announced it would stop sharing data with these brokers. Consumers often unknowingly consent to this data collection. Salespeople at dealerships may enroll customers without clear consent, motivated by bonuses. The lengthy and complex “terms and conditions” disclosures further obscure the process, making it hard for consumers to understand what they're agreeing to. Even diligent readers struggle to grasp the full extent of data collection. 

This situation leaves consumers under constant surveillance, with their driving data monetized without their explicit consent. This extends beyond driving, impacting various aspects of daily life. To address these privacy concerns, the Electronic Frontier Foundation (EFF) advocates for comprehensive data privacy legislation with strong data minimization rules and clear, opt-in consent requirements. Such legislation would ensure that only necessary data is collected to provide requested services. For example, while location data might be needed for emergency assistance, additional data should not be collected or sold. 

Consumers need to be aware of how their data is processed and have control over it. Opt-in consent rules are crucial, requiring companies to obtain informed and voluntary permission before processing any data. This consent must be clear and not hidden in lengthy, jargon-filled terms. Currently, consumers often do not control or even know who accesses their data. This lack of transparency and control highlights the need for stronger privacy protections. By enforcing opt-in consent and data minimization, we can better safeguard personal data and maintain privacy.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble, discovered a post by the authors of Nefilim ransomware, claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. As per the claims made by the operators in the post, they are in the possession of around 11.5 GB of company’s sensitive data that include corporate operational documents- company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, narrowing down on the regions- South Asia, South America, Oceania, North America, and Western Europe. Going by the count of attacks disclosed publicly, manufacturing comes on top as the most preferential and hence the most targeted industries by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation; Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. One important thing to notice here is that the ransomware has spared the healthcare and education sector entirely as of now, interestingly, no organization from the two aforementioned sectors has been targeted.

Nefilim uses a number of ways including P2P file sharing, Free software, Spam email, Torrent websites, and Malicious websites, to infiltrate organizations’ IT systems. Designed specially to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector to infiltrate organizations. It employs a combination of two distinct algorithms AES-128 and RSA-2048 to encrypt the target’s data that is later leaked on their websites known as Corporate Leaks- when victims’ fail to pay the ransom.

Users are advised to stay wary of exposed ports and security departments shall ensure closing off unused ports, experts have also recommended to ‘limit login attempts’ for Remote Desktop protocol network admin access from settings to stay guarded.

Avast Antivirus Harvested Users' Data and Sold it Google, Microsoft, IBM and Others



Avast, a popular maker of free anti-virus software being employed by almost 435 million mobiles, Windows and Mac harvested its users' sensitive data via browser plugins and sold it to third parties such as Microsoft, Google, Pepsi, IBM, Home Depot, and many others, according to the findings of an investigation jointly carried out by PCMag and Motherboard.

As per the sources, the investigation basically relied on leaked data; documents used to further the investigation belonged to Jumpshot which is a subsidiary of Avast. The data was extracted by the Avast anti-virus software itself and then repackaged by Jumpshot into various products which were sold to big companies as the report specified, "Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others."

"The sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it," other company documents found.

Allegedly, Avast has been keeping a track of personal details such as exact time and date when a user starts surfing a website, the digital content being viewed by him and his browsing and search history. As per the findings, the information sold by Jumpshot includes Google Maps searches, Google search engine searches, YouTube videos viewed by users, activity that took place on companies' LinkedIn handles and porn websites visited by people. The data contained no traces of personal information of people like their names or email addresses, however, the investigators at Vice pointed out how the access to such precise browsing data can potentially lead back to the identification of the user anyway.

When the investigation reports were made public, Jumpshot stopped receiving any browsing-related data harvested by extensions as Avast terminated the operations, however, currently, the popular anti-virus maker is being investigated for collecting user data asides from browser plug-ins.

While Google denied commenting on the matter, IBM told Vice that they have no record of dealing with Avast's subsidiary, Jumpshot. Meanwhile, Microsoft made it clear that at present they are not having any relationship with Jumpshot.

Facebook used user data to control competitors and rivals


Leaked documents from a lawsuit filed by a now-defunct startup Six4Three on Facebook shows some 700 pages revealing how Facebook leveraged user data against rivals and offered it up as a sop to friends.

NBC News reported how Facebook's executive team harnessed user data and used it as a bargaining chip to manipulate rivals. There are thousands of leaked documents to support that this was done under the supervision of the company's CEO Mark Zuckerberg.



NBC News has published an entire log of documents containing 7,000 pages including 4,000 internal communications such as emails, web chats, notes, presentations, spreadsheets on Facebook. These documents are dated between 2011 and 2015 that disclose the company's strategy of rewarding partners by giving them preferential data while denying the same to competitors.

The lawsuit that resulted in this major leak, was filed by Six4Three, a now inoperative startup which created the failed app Pikinis. The app allowed users to view pictures posted by people on Facebook and in order to work, the software required access to data on Facebook. The suit accuses Facebook of misusing and abusing data and uneven distribution of it. Other apps including Lulu, Beehive ID, and Rosa Bandet couldn't do business anymore after losing access to data.

The documents also revealed similar operations, for instance, the social network company gave extended access to user data to Amazon, as it partnered with Facebook and spent on Facebook advertising while denied data to MessageMe, a messaging app when it grew large enough to be a competition to Facebook.

Commenting on the documents, Facebook’s vice president and deputy general counsel, Paul Grewal, told NBC News, “As we’ve said many times, Six4Three — creators of the Bikinis app — cherry-picked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app’s users.” However, no evidence has been provided by the company to support the "cherry-picked" claim.

In March, this year Zuckerberg said, that Facebook would focus more on its user's privacy as the social network's future. But for Facebook, privacy seems like a PR stunt and data more of a currency.