
Massive Data Breach Exposes Sensitive Information of Indian Law Enforcement Officials

 

Recently, a significant data breach compromised the personal information of thousands of law enforcement officials and police officer applicants in India. Discovered by security researcher Jeremiah Fowler, the breach exposed sensitive details such as fingerprints, facial scans, signatures, and descriptions of tattoos and scars. Alarmingly, around the same time, cybercriminals advertised the sale of similar biometric data on Telegram. 

The breach was traced to an exposed web server linked to ThoughtGreen Technologies, an IT firm with offices in India, Australia, and the United States. Fowler found nearly 500 gigabytes of data, encompassing 1.6 million documents dating from 2021 to early April. This data included personal information about various professionals, including teachers, railway workers, and law enforcement officials. Among the documents were birth certificates, diplomas, and job applications. 

Although the server has been secured, the incident highlights the risks of collecting and storing biometric data and the potential misuse if leaked. “You can change your name, you can change your bank information, but you can't change your actual biometrics,” Fowler noted. This data, if accessed by cybercriminals, poses a long-term risk, especially for individuals in sensitive law enforcement roles. Prateek Waghre, executive director of the Internet Freedom Foundation, emphasized the extensive biometric data collection in India and the heightened security risks for law enforcement personnel. 

If compromised, such data can be misused to gain unauthorized access to sensitive information. Fowler also found a Telegram channel advertising the sale of Indian police data, including specific individuals’ information, shortly after the database was secured. The structure and screenshots of the data matched what Fowler had seen. For ethical reasons, he did not purchase the data, so he could not fully verify its authenticity. In response, ThoughtGreen Technologies stated, “We take data security very seriously and have taken immediate steps to secure the exposed data.” 

The company promised a thorough investigation to prevent future incidents but did not provide specific details. It also reported the breach to Indian law enforcement, without specifying which organization was contacted. When shown a screenshot of the Telegram post, the company claimed it was “not our data.” Telegram did not respond to requests for comment. 

Shivangi Narayan, an independent researcher, stressed the need for more robust data protection laws and better data handling practices by companies. Data breaches are so frequent that they no longer shock people, as evidenced by a recent face-recognition data breach involving an Indian police force.

Globally, as governments and organizations increasingly use biometric data for identity verification and surveillance, the risk of data leaks and abuse rises. For example, a recent face recognition leak in Australia affected up to a million people and led to a blackmail charge. Many countries are also moving toward biometric identity verification, and all of that information has to be stored somewhere; when a government outsources that storage to a third-party company, it loses direct control of the data.

Progress Software Confirms SEC Investigation into MOVEit Mass-Hack

 

U.S. securities regulators are delving into the widespread MOVEit hack, which has left the personal information of over 64 million individuals exposed, according to the creators of the affected software.

Progress Software revealed in a recent regulatory filing that it has received a subpoena from the U.S. Securities and Exchange Commission (SEC), requesting "various documents and information" regarding the MOVEit vulnerability. 

“The SEC investigation is a fact-finding inquiry; the investigation does not mean that Progress or anyone else has violated federal securities laws and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security,” the filing added. “Progress intends to cooperate fully with the SEC in its investigation

In the same filing, Progress assured that it anticipates only a marginal financial impact from the MOVEit mass-hacks, despite the extensive scope of the breach.

The company reported expenses of $1 million related to the MOVEit vulnerability, after accounting for received and anticipated insurance reimbursements of around $1.9 million.

Nevertheless, Progress cautioned that potential losses may still occur, as 23 affected clients have initiated legal proceedings against the company and are seeking indemnification. Additionally, 58 class action lawsuits have been filed by individuals claiming to be affected.

Although almost half a year has passed since the discovery of the MOVEit zero-day vulnerability, the precise number of affected MOVEit Transfer customers remains uncertain. Cybersecurity firm Emsisoft reports that 2,546 organizations have confirmed being impacted, affecting more than 64 million individuals.

Fresh cases continue to surface. Just last week, Sony acknowledged that over 6,000 employees had their data accessed in an incident related to MOVEit. Flagstar Bank also disclosed that more than 800,000 customer records were pilfered.

November Security Breach

In its filing, Progress Software disclosed incurring additional expenses of $4.2 million linked to a distinct cybersecurity incident in November of 2022.

The filing did not divulge specifics about the event. However, John Eddy, a spokesperson representing Progress through a third-party agency, confirmed that during that period Progress Software had identified signs of unauthorized access to its corporate network, including evidence that certain company data had been exfiltrated. The incident was made public in December 2022.

Progress Software has not disclosed the types of data that were accessed or the number of individuals affected. Eddy informed TechCrunch that the company maintained full functionality throughout the 2022 incident, which was unrelated to any "recently reported software vulnerabilities."

The company affirmed that expenses associated with this incident primarily encompassed the engagement of external cybersecurity experts and other incident response professionals. It also noted that it received approximately $3 million in insurance settlements.