We need more data breech news!
Nov. 15th, 2020 12:30 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thewayneLive in Texas? Have a driver's license? Think the information is held securely?
BWAHAHAHAHA!
A contractor for the state motor vehicle department, Vertafore, said "the data was exposed between March and August and affected licenses issued before February 2019.
Exposed data included driver’s license numbers, addresses, dates of birth and vehicle registration history, according to the company. The group said that no Social Security numbers or financial account information were compromised.
The breach happened after three files were accessed by an unauthorized user after the files were “inadvertently stored in an unsecured external storage service,” Vertafore said in its statement."
"An unsecured external storage device" means they probably put it in an Amazon Cloud or something similar and didn't secure it properly. Because security is hard!
THEN DON'T PUT IT SOMEWHERE THAT YOU DON'T KNOW HOW TO EFFING SECURE PROPERLY!
Oh, but they're going to pay for data monitoring and "identity restoration services", whatever the heck that is. Thoughts and prayers, people, thoughts and prayers.
https://thehill.com/policy/cybersecurity/525923-data-breach-of-software-vendor-exposes-almost-28-million-texas-drivers
https://news.slashdot.org/story/20/11/15/0638241/data-breach-exposes-27-million-texas-drivers-license-records
This next one is a doozy, and definitely involves a misconfigured Amazon storage bucket. Now, Amazon is not to blame: they're selling you a service, YOU are responsible for securing it. It's like people not changing the combination on their brief case or luggage.
Anyway, there's this company that works with major, MAJOR, online hotel/travel reservation systems, like Expedia. Specifically Expedia and others. And 10 MILLION FILES were exposed. Not records of people or reservations. FILES. As in collections of records. So we don't know how many people are affected. August 2020 - by itself! - contained 180,000 records. During the COVID slower travel period!
The company in question, Prestige, is in a whole heap o' trouble, because credit card data was leaked, but also because they fall under the European GDPR regulations. It's quite possible that they're going to be fined out of existence. And because they did not secure their credit card information, they could be stripped of their ability to process credit cards, which would nullify their cashflow. Once they were notified about this exposure, they contacted Amazon and the naked storage bucket was immediately secured.
Here's what was exposed: "The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more.
The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more."
Have you made an online booking since 2013? Your data may have been in there. I know I'm a likely unwilling participant.
Here's some ways that the information could be used against us: "Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers said. For instance, they pointed out that cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who have stayed at expensive hotels. And if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail and extort them."
https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/
https://it.slashdot.org/story/20/11/15/0422207/credit-card-numbers-for-millions-of-hotel-guests-exposed-by-misconfigured-cloud-database
BWAHAHAHAHA!
A contractor for the state motor vehicle department, Vertafore, said "the data was exposed between March and August and affected licenses issued before February 2019.
Exposed data included driver’s license numbers, addresses, dates of birth and vehicle registration history, according to the company. The group said that no Social Security numbers or financial account information were compromised.
The breach happened after three files were accessed by an unauthorized user after the files were “inadvertently stored in an unsecured external storage service,” Vertafore said in its statement."
"An unsecured external storage device" means they probably put it in an Amazon Cloud or something similar and didn't secure it properly. Because security is hard!
THEN DON'T PUT IT SOMEWHERE THAT YOU DON'T KNOW HOW TO EFFING SECURE PROPERLY!
Oh, but they're going to pay for data monitoring and "identity restoration services", whatever the heck that is. Thoughts and prayers, people, thoughts and prayers.
https://thehill.com/policy/cybersecurity/525923-data-breach-of-software-vendor-exposes-almost-28-million-texas-drivers
https://news.slashdot.org/story/20/11/15/0638241/data-breach-exposes-27-million-texas-drivers-license-records
This next one is a doozy, and definitely involves a misconfigured Amazon storage bucket. Now, Amazon is not to blame: they're selling you a service, YOU are responsible for securing it. It's like people not changing the combination on their brief case or luggage.
Anyway, there's this company that works with major, MAJOR, online hotel/travel reservation systems, like Expedia. Specifically Expedia and others. And 10 MILLION FILES were exposed. Not records of people or reservations. FILES. As in collections of records. So we don't know how many people are affected. August 2020 - by itself! - contained 180,000 records. During the COVID slower travel period!
The company in question, Prestige, is in a whole heap o' trouble, because credit card data was leaked, but also because they fall under the European GDPR regulations. It's quite possible that they're going to be fined out of existence. And because they did not secure their credit card information, they could be stripped of their ability to process credit cards, which would nullify their cashflow. Once they were notified about this exposure, they contacted Amazon and the naked storage bucket was immediately secured.
Here's what was exposed: "The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more.
The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more."
Have you made an online booking since 2013? Your data may have been in there. I know I'm a likely unwilling participant.
Here's some ways that the information could be used against us: "Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers said. For instance, they pointed out that cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who have stayed at expensive hotels. And if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail and extort them."
https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/
https://it.slashdot.org/story/20/11/15/0422207/credit-card-numbers-for-millions-of-hotel-guests-exposed-by-misconfigured-cloud-database
no subject
Date: 2020-11-16 01:23 am (UTC)no subject
Date: 2020-11-16 01:38 am (UTC)I'm so glad that I'm pretty much retired from the IT profession. I never had any data breaches from the database servers that I managed, but we never went to a cloud environment when I worked. We had one penetration test attack, and apparently my servers were pretty much the best defended in the department! I felt pretty smug about that. But I just can't understand people putting data, much less absolutely critical data, in the cloud without securing it properly. They either don't know how to do it, or can't be bothered, or their bosses won't give them time to do it. But you're right, the stoopid, it burns.
Have you made an online booking since 2013?
Date: 2020-11-16 01:38 am (UTC)Why do I have a suspicion that despite my lack of known and knowing involvement with any of the named players, I still may not be in the clear?
Re: Have you made an online booking since 2013?
Date: 2020-11-16 01:43 am (UTC)I was talking to a friend about Facebook, and they were smug about having never created an account. I told her that if someone in Glendale posts "I had dinner with Ted and Sue at Bob's Place", then Facebook creates shadow profiles about Bob and Sue because they now now that Ted and Sue ate at Bob's Place. It's amazing how data about people gets put together and accumulates. And then gets spilled all over the bloody place.
no subject
Date: 2020-11-16 03:53 am (UTC)Which makes me think ... I bet they weren't secured by an IT professional, but by some woefully not up to the task administrative assistant ... because, you know, that cloud stuff, it means you don't need an IT staff. Our AA can take care of all that data stuff now!
no subject
Date: 2020-11-16 06:08 am (UTC)I would hope that the problem is managers not giving people enough time to do the job properly rather than it being handed off to an AA, but who knows. We'll never got a full answer because they never release the post mortems of what happened to the public. For that matter, when they did a penetration test of our network at one of my jobs, even I didn't get to see the results of the attacks on my servers, and I was in charge of those servers! That really ticked me off. While I know they didn't get in, I wanted to see the report!!! And I LOOOOVE your icon!
no subject
Date: 2020-11-17 05:09 am (UTC)no subject
Date: 2020-11-17 05:34 pm (UTC)Interesting point. But if they dumped it on a thumb drive and lost it, the only way they'd know is if data started turning up on the dark net and they're saying no information was compromised. Even if it were put on a thumb drive for transport somewhere, it should have been encrypted! I'll admit, most of the databases that I administered were not encrypted, but they didn't store sensitive information and they were pretty thoroughly locked down. We had a penetration test ran against our network, and mine were the most secure servers and were not breached, which was not the same news against our system.
But they're still idjits. ;-)
no subject
Date: 2020-11-18 05:55 am (UTC)