What’s behind data breaches, holes in two American COVID aid websites, EasyJet data breach and more.
Welcome to Cyber Security Today. It’s Wednesday May 20th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Every year the U.S. telecom giant Verizon releases a large report analyzing thousands of data breaches. It’s one of the most comprehensive looks at the factors behind data thefts. The goal is to give companies an idea of how they can best protect themselves from attacks. This year’s report was released Tuesday, and it’s full of facts. I’ll mention two here: First, hacking into systems using lost, stolen or easily guessed passwords is involved in 80 per cent of data breaches. Many organizations are still unable to close that door. They can do it by making two-factor authentication mandatory and making sure employees use hard-to-guess passwords. Second, mistakes by employees that lead to theft of data are increasing. That includes making settings errors so files are open to anyone on the Internet. That’s a problem that can be reduced through intensive employee security awareness training.
Speaking of mistakes, here are two big ones: The Arkansas Times reports that the state’s new COVID-19 Pandemic Unemployment Assistance website had a big hole in it: A person with basic computer knowledge could have fiddled with the URL and accessed the financial applications of anyone who had filed for help. That would have included seeing other people’s bank account and Social Security numbers. The state was notified and closed the site so it can be fixed. Meanwhile the state of Illinois admitted trouble with its new Pandemic Unemployment Assistance website. Radio station WBEZ quoted a business owner saying she was able to see the private information of other applicants by making two clicks on the site. The radio station said the website was created by a large consulting firm under a $9.5 million contract awarded without competing bids. Experts might say these are two examples of rushed work leading to mistakes.
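The flaw described in the Arkansas story, where changing an identifier in the URL returns someone else’s application, is a missing object-level authorization check. The following is an added example (not code from the podcast or from either state’s website) that shows a lookup that trusts the id in the request next to one that also checks the logged-in user owns the record, and keeps a denial log so repeated probing can be spotted. The record layout, user names and account values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    """One benefit application. Fields are constructed sample data."""
    app_id: int
    owner: str          # user who filed the application
    bank_account: str
    ssn: str


# Constructed stand-in for the claims database keyed by the id in the URL.
APPLICATIONS = {
    101: Application(101, "alice", "ACCT-0001", "111-22-3333"),
    102: Application(102, "bob", "ACCT-0002", "444-55-6666"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def vulnerable_view(session_user, app_id):
    """Returns whatever record the URL id names; the session user is ignored,
    so any authenticated user can read any application by editing the id."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        raise Forbidden("not found")
    return app


def is_authorized(session_user, app_id):
    """Object-level check: the record must exist and belong to this user."""
    app = APPLICATIONS.get(app_id)
    return app is not None and app.owner == session_user


def hardened_view(session_user, app_id, audit_log):
    """Same lookup, but the ownership check decides. Unknown ids and
    other people's ids get the identical error so ids can't be enumerated,
    and each refusal is recorded for detection."""
    if not is_authorized(session_user, app_id):
        audit_log.append({"user": session_user, "app_id": app_id})
        raise Forbidden("not found")
    return APPLICATIONS[app_id]


def enumeration_suspects(audit_log, threshold=3):
    """Users with at least `threshold` denials: a simple signal that someone
    is walking through ids. Returns a sorted list of user names."""
    counts = {}
    for entry in audit_log:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # alice is logged in and requests bob's application by changing the id.
    print("vulnerable:", vulnerable_view("alice", 102).ssn)  # leaks bob's SSN
    log = []
    for probe in (102, 103, 104):
        try:
            hardened_view("alice", probe, log)
        except Forbidden:
            pass
    print("denials:", len(log), "suspects:", enumeration_suspects(log))
```

The point of the `is_authorized` function is that the check is made once, on the server, against the session user rather than anything the client sends; returning the same error for missing and foreign records keeps the response from confirming which ids exist. The denial log is the kind of signal a monitoring rule can alert on.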
Ukraine’s security service has detained a hacker who made headlines last year by putting up for sale collections of millions of stolen email addresses and passwords. The man wasn’t named, but in the cybercriminal underworld he was known as Sanix. According to the news site ZDNet, Sanix didn’t steal the data; he was a data broker who sold stolen information. This arrest comes after the arrest of five hackers in Poland who ran a competing stolen data site called Infinity Black.
Canadians who have flown on the carrier EasyJet could be among the nine million customers who had their email and travel details stolen after the airline discovered it had been hacked. The attacker also got away with credit card details of more than 2,200 passengers. EasyJet is a British-based airline that flies to a number of countries, mainly in Europe. If you are notified your email address has been stolen, watch your email carefully for suspicious messages where you have to click on a link or download a document. If your credit card number was stolen watch your statements for suspicious transactions.
Finally, administrators using the Adobe Magento e-commerce platform for their online stores are being warned to update to the latest version of the framework. According to the ZDNet news service, the FBI quietly sent out a flash warning earlier this month that attackers are exploiting a three-year-old vulnerability in a Magento plugin to steal credit and debit card data. There is a fix for the plugin, but it only works for stores running version 1 of Magento. And support for that version ends June 30th. Store owners should be running version 2 of Magento and related plugins for best security.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.