Data breach at DoorDash, attacks on Airbus suppliers and possible unpatchable Apple devices
Welcome to Cyber Security Today. It’s Monday September 30th, I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
The DoorDash food delivery app and Airbus, an aircraft manufacturer. You might think they don’t have a lot in common. Now they do. Both have been the victims of cyber attacks through their suppliers.
On Friday DoorDash, which operates in 4,000 cities across the U.S. and Canada, said it had been hacked through a third-party service provider. It didn’t identify which company that was, but suppliers can be computer firms that host an application and data, or a supplier that provides monitoring services to DoorDash. It said the hacker could have accessed personal data on as many as 4.9 million subscribers, delivery personnel and merchants. How bad is it? Approximately 100,000 delivery people, called Dashers, had their driver’s license numbers stolen. For some Dashers and merchants, the hacker got the last four digits of their bank account number. For some consumers, they got the last four digits of their credit or debit cards. On top of that there were millions of names, email addresses, delivery addresses, order history, phone numbers stolen. DoorDash is urging those notified to change their passwords. By the way, this hack happened last May. The company only discovered it this month.
As for Airbus, according to the French news agency AFP, in the last 12 months four of its parts suppliers have been the subjects of major attacks, including engine maker Rolls-Royce and other contractors. It isn’t clear how much data attackers got. One anonymous source said some stolen documents dealt with engines on a military plane Airbus makes. In January Airbus itself acknowledged there had been an “unauthorized access to data.” Aircraft component manufacturers, of course, are a great source of technology information. And reportedly one of them had a direct link to Airbus’s computer network.
The lesson for companies from both of these incidents is to do a better job of overseeing the cyber security of suppliers. Firms may have to even audit the security of those suppliers, because third parties can be a doorway into other firms. Meanwhile consumers have to ask tough questions of firms they deal with. Like, how come it took four months to discover a data breach?
The security industry is in an uproar over a report that someone has discovered a way to compromise a lot of iPhones, iPads, Apple TVs and Apple Watches. This would affect many devices except newer ones like the iPhone Xs and XR. Apparently this particular exploit, dubbed Checkm8, cannot be fixed by Apple with a software patch. And having a fingerprint or password lock may not be a defence. Before you panic, security company Malwarebytes points out a few things: First, so far, the only way to exploit this bug is if an attacker gets hold of your device. Second, if you encrypt all the data on your device you’d be safe — unless the attacker has time to install malware to defeat the encryption. So don’t let your Apple device out of your sight, use a fingerprint or password lock, and stand by for more details.
Finally, some big names including Microsoft and Mastercard have formed a group to help co-ordinate law enforcement and corporate efforts to recover funds for victims of cyber attacks. Called the CyberPeace Institute, it plans also to look into the sources of cyber attacks as well as urge countries to behave more responsibly on the Internet. It hopes to be a credible source of research into the impact of cyber attacks for policy makers.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.