Restaurant chain data breach, Cisco and D-Link security updates and a surveillance camera bug
Welcome to Cyber Security Today. It’s Monday, January 6th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com. Happy New Year, and I’m glad to be back to my regular podcast schedule.
2020 starts with news of a data breach similar to many I reported on last year: the hack of a system at a restaurant chain with data-stealing malware. This time it’s the U.S.-based Landry chain of 600 outlets with brands such as Landry’s Seafood, Chart House, Saltgrass Steak House, Claim Jumper, Morton’s The Steakhouse, Mastro’s Restaurants and Rainforest Cafe. Some of these have outlets in Canada. Data of people who used their debit or credit cards on the outlets’ payment systems wasn’t affected, because those systems have data encryption. However, there’s a separate system for waiters and waitresses to enter food and drink orders that didn’t have the same protection. That system was only supposed to be used to swipe Landry reward cards. However, some waitstaff mistakenly swiped payment cards on this system. Landry’s says that happened in “rare circumstances.” But the malware on its systems may have copied that data. Again, one of the problems is that people are swiping payment cards along the side. You need to have a payment card with a chip allowing you to insert the card at the bottom of a reader. That’s safer than swiping.
Network managers returning to work this morning are being faced with a notice from Cisco Systems of a number of vulnerabilities in the Cisco Data Center Network Manager that need to be patched. This software is used in switches with the Nexus NX operating system. The warning on these bugs was issued January 2nd.
Owners of D-Link Wi-Fi routers should be on the lookout for security updates. Security researchers have discovered a number of bugs that the manufacturer is fixing. Check your device instruction manual for the proper way to find updates on the D-Link website.
The year also started off with the introduction of California’s new privacy law. It gives residents of the state the right to access the personal data that companies of a certain size have collected on them, to demand it be deleted and to prevent it from being sold to third parties including advertisers. The law applies to companies headquartered anywhere in the world that meet the size requirement and collect data from California residents. Rather than have separate compliance policies for Californians and people elsewhere in the world, many companies have decided to make their data access policies for all customers meet the new obligations. As a result you may notice at the bottom of some web sites there’s now a link or a button that says “Do Not Sell My Personal Information.” Companies may also have web pages that now give more detail on what information they collect. Note, though, that it’s still early and there are no standard rules on how all this is to be done. California will finalize regulations on that later this year. Big tech companies like Google and Twitter have set up web sites for compliance. According to one news report, Facebook says it doesn’t have to do anything because technically it doesn’t sell user data.
Finally, another report on how so-called smart devices are sometimes not so smart. A company called Xiaomi makes a system called Mi Home that allows users to have remote controlled Internet-connected lights, speakers and video surveillance cameras. Late last month a user who has the system connected to their Google Nest Hub with a screen discovered he was getting still pictures from inside homes of other people who had Xiaomi cameras. Google was alerted and temporarily killed its integration with the Mi Home system. Manufacturer Xiaomi last week said the problem started December 26th and could occur only in extremely rare circumstances, including having a poor network. It believes 1,044 users could have been affected. The problem is now fixed, although Google’s link with Mi Home may still be suspended. The fault is blamed on a cache update. Whatever, it’s a reminder to companies to be more scrupulous in their operations. Meanwhile consumers should be more careful about whether they need to have surveillance cameras on inside their homes.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.