Non-profit suffers email hack, ex-employee sues after data breach and private photos exposed
Welcome to Cyber Security Today. It’s Monday, June 3rd. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
People Inc., a non-profit agency for helping people with disabilities and special needs in Western New York, acknowledged last week it suffered a data breach. The incident was caused when the email accounts of two staffers were hacked. Their mail had sensitive personal information on current and former agency clients, including names, social security numbers, medical information and government ID numbers. According to one news report, it involved information on 1,000 people. There are no details, but one possibility is a staffer was receiving or sending an unprotected database of patient information to another. A hacker scanning through email would be interested in reading attachments.
There are several ways this could have been prevented. One is by having two-factor authentication enabled on email accounts. That way, if a hacker is able to guess a password, they still can’t get into the email. Two-factor authentication involves a special code being sent to a cellphone when a user logs in, which has to be entered in addition to a password. For convenience, the system can be set up so the second factor isn’t needed unless someone tries to access the mail from a different computer. The other defence is to force all staff to encrypt attachments they create, so in case there is an email breach, documents can’t be read. Companies with sensitive information — particularly in the healthcare field — should think about these two solutions.
Organizations should worry about protecting the personal information of customers, but they should also keep in mind they have sensitive information about employees. This comes to mind with news that a tech company called Citrix is facing a class-action lawsuit in Florida from a former staffer following a data breach. That breach happened between last October and March of this year. Citrix says some of the files stolen may have included information about current and former employees. The lawsuit alleges the data wasn’t properly protected. The allegations in the suit have not been proven in court. The point is companies should remember it’s not only customers that might go after you if there’s been a breach.
Another example has emerged of sloppy employees failing to make sure a company database open to the Internet is secured. This time it’s Japanese imaging giant Ricoh, which sells the Theta 360-degree camera. It’s a slender, pocketable camera that lets you take and post photos. One push of the button and you get a circular image of everything around you. You can then post images to the theta360 web site and let everyone, or only a restricted number of people, see the image. However, researchers at security company vpnMentor found security on the theta360 web site wasn’t very good. The database could be accessed without a password. No sensitive personal information, like dates of birth or credit card numbers, was exposed. But photos that users wanted to keep private wouldn’t have stayed that way. Ricoh has closed the hole.
Finally, Apple has released security updates for its AirPort Extreme and AirPort Time Capsule Wi-Fi base stations. Owners should make sure these have been installed. Updates for iTunes and iCloud for Windows were also released and should be added.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.