
Critical Vulnerabilities in GovQA Platform Expose Sensitive Government Records

 

In a significant cybersecurity revelation, critical vulnerabilities were discovered in the GovQA platform, a tool extensively used by state and local governments across the U.S. to manage public records requests. 

Independent researcher Jason Parker uncovered flaws that, if exploited, could have allowed hackers to access and download troves of unsecured files connected to public records inquiries. These files often contain highly sensitive personal information, including IDs, fingerprints, child welfare documentation, and medical reports. 

The vulnerabilities in the GovQA platform, designed by IT services provider Granicus, have since been addressed with a patch deployed on Monday. However, the potential consequences of these flaws were severe. If exploited, hackers could have gained access to personally identifiable information submitted by individuals making public records requests. 

This information, often including driver's licenses and other verification documents, could be linked to the subjects of the requests, posing a significant privacy and security risk. Granicus, responding to the findings, emphasized that the vulnerabilities did not constitute a breach of Granicus systems, GovQA, or any other part of applications or infrastructure. 

The company classified the vulnerabilities as "low severity" but acknowledged the need to work with customers to minimize the information collected and disclosed. However, cybersecurity experts who reviewed the findings disputed this classification, considering the flaws to be more severe than labeled. The GovQA platform is a crucial tool used by hundreds of government management centers in at least 37 states and the District of Columbia.

Its purpose is to assist offices in sorting and delivering records to requesters through official public access channels. The flaws in the platform, discovered by Parker, could have allowed bad actors not only to access sensitive personal information but also to trick the system into letting individuals edit or change the metadata of records requests without detection by administrators. 

By modifying the webpage's code, a skilled hacker could have accessed more information than intended, potentially leading to the exposure of highly sensitive data. The GovQA platform, used for managing records requests, often involves individuals submitting personal information for verification purposes. This information is stored alongside the requested files and could be exposed in the event of a cyberattack. 

The vulnerabilities were particularly concerning as they could be exploited to access records tied to both the requestor and the subject of their request, even in cases where requests were denied. The findings by Jason Parker underscore the broader challenges faced by state and local governments in safeguarding sensitive information. With cyber incidents targeting government entities becoming more common, the need for robust security measures and a culture of responsibility around code security is paramount. 

As President Joe Biden recently signed an executive order focused on preventing sensitive data from falling into the hands of foreign adversaries, the vulnerabilities in the GovQA platform highlight the urgency of addressing security risks in widely used records systems. The incident serves as a reminder of the potential consequences when cybersecurity vulnerabilities are present in critical tools that manage sensitive government data.

US Eye Clinic Suffers Data Breach, 92,000 Patients Hit

 

Mattax Neu Prater Eye Center, a healthcare clinic based in Missouri, US, has suffered a cyber attack. The center announced the breach at the end of June, although the attack took place in December 2021. The center has informed US regulators of a data breach affecting more than 92,000 individuals.

“This incident has affected eye care practices across the country, and is not specific to Mattax Neu Prater. This data security incident occurred entirely within Eye Care Leaders’ network environment, and there were no other remedial actions available to Mattax Neu Prater,” the center added.

Mattax Neu Prater Eye Center is a premier provider of advanced laser vision correction, such as LASIK, as well as cataract correction and advanced technology replacement lenses in Springfield, Missouri, US. It provides surgical and non-surgical care and has reported that the “third-party data security incident” may have compromised the sensitive data of patients.

“However, a lack of available forensic evidence prevented Eye Care Leaders from ruling out the possibility that some protected health information and personally identifiable information may have been exposed to the bad actor,” the clinic added. 

Further, Mattax Neu Prater said that at present it holds no evidence of identity theft as a result of the incident, but following the attack, the clinic has notified patients who might be impacted via postal mail.

Cybersecurity experts suggest that all healthcare organizations should adopt a zero-trust approach to digital facilities. This approach treats every connected device as a potential intruder until it is accurately verified. According to the experts, old-school approaches like using firewalls and antivirus software have become less effective.

Cybersecurity researchers also believe that the best way to protect the system is by eliminating passwords altogether. Some other cybersecurity tips that can help healthcare professionals are given below:

• Store patient data on systems that are not connected to the internet. 
• Train staff on phishing attacks and how they work. 
• Use two-factor or multi-factor authentication (biometrics) for logins instead of passwords.
• Never click links in email or download attachments. 
• Encrypt all data so if it is accessed or compromised, it will not be exposed.

Amazon Fined With EUR 746 Million By Luxembourg Over Data Protection

 

Amazon has been fined 746 million euros ($880 million) by the Luxembourg government over data protection rules. Despite its powerful presence across the globe, the American multinational technology company, which focuses on e-commerce, digital streaming, cloud computing, and artificial intelligence, has continued to make headlines for various reasons, at times including serious allegations. Interestingly, it also falls under the category of the "frightful five", a name given to the five most valuable tech giants that collectively influence almost everything that happens in the tech world. Amazon has undoubtedly become an integral part of most households, not just in America but worldwide. In terms of power, Amazon is a leading player both economically and socially.

According to authorities, Amazon broke the EU’s data protection rules. The fine is assumed to be the largest for a data protection violation since the passage of the regulation.

The Luxembourg National Commission for Data Protection had issued a notice on July 16, in the wake of which Amazon said in a securities filing, "Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation."

"We believe the CNPD's decision to be without merit and intend to defend ourselves vigorously in this matter," the company added, using the organization's French acronym. 

The Securities and Exchange Commission (SEC) document did not disclose any further technical details, but Amazon was sued by a European consumer group for using personal credentials for marketing purposes without authorization. Also, the Luxembourg agency declined to comment on further inquiries by saying that its investigations are confidential. 

Amazon was already fined 35 million euros by French authorities last year for not following laws on browser "cookies" that track users. Meanwhile, Google (another of the "frightful five") had also been fined 100 million euros under similar data protection rules. Facebook, yet another giant firm labeled one of the "frightful five", is also under investigation in Ireland for leaked data.

Russia is ready to supply Vietnam with e-government technologies



The Ministry of Digital Development, Communications and Mass Communications of the Russian Federation reports that Russia is ready to supply Vietnam with e-government technologies, smart and safe city solutions, as well as information security products.

Rostelecom, Russia's largest provider of digital services and solutions, and Vietnam Posts and Telecommunications Group (VNPT), Vietnam's leading provider of telecommunication and information technology services, signed a Memorandum of Understanding (MOU) aimed at developing cooperation in the field of information and communication technologies.

The Memorandum was signed by President and CEO of VNPT Pham Duc Long and President of Rostelecom Mikhail Oseevsky. The signing was attended by Prime Minister of Vietnam Nguyen Xuan Phuc and Prime Minister of the Russian Federation Dmitry Medvedev. In accordance with the text of the Memorandum, the main areas of cooperation are information security, e-government and smart cities.

The Memorandum involves the exchange of media products and programs, the implementation of joint thematic projects, press tours and internships of journalists.

In addition, Russia is ready to share its experience in the transition to digital broadcasting, to offer domestic equipment (digital broadcasting and television transmitters) for the Vietnam market and to establish cooperation in the design and construction of broadcasting networks.

According to Pham Duc Long, VNPT is implementing a digital transformation strategy to become the leading provider of digital services in the region. Cooperation with Rostelecom will help VNPT to successfully implement digital and e-government projects in Vietnam, helping to solve the important task of the digital transformation of Vietnam in the direction of digital government, digital economy and society.

Mikhail Oseevsky, President of Rostelecom, said that business cooperation with VNPT on innovative high-tech platforms has been developing for the second year already. The signed Memorandum was an obvious confirmation of the companies' interest in the further expansion of cooperation.