At a glance.
- Privacy issues with online dating.
- Guidance for HSE breach victims.
- Parking system breach update.
- Mac zero-day patched.
- Comment on third-party incidents and loyalty programs.
As if dating weren’t hard enough…
The US Attorney’s Office, Eastern District of Virginia reports that Eugene Johnson, Jr. pleaded guilty to mail fraud tied to an online dating scam. According to Raj Parekh, acting U.S. Attorney for the Eastern District of Virginia, “Through his use of fictitious personas, the defendant’s fraudulent scheme preyed on members of our community who thought they were helping a servicemember with significant financial needs.” Johnson, often posing as a US Marine and single father, courted his victims on dating sites with promises of marriage, swindling more than $270,000 out of at least eight targets in three states over the course of four years. Johnson could serve up to twenty years in prison.
Meanwhile, Bloomberg reports that a data breach of Japan’s most popular dating app, Omiai, potentially exposed the personal data of over 1.7 million users. Omiai owner Net Marketing Co. disclosed that in April an intruder gained unauthorized access to user info, including photos of drivers’ licenses, passports, and other identifying documents used as proof of age. Though the app charges male users ¥3,980 ($37) a month for membership (women are free), no credit card info was compromised.
Guidance for victims of the HSE data breach.
In the wake of the massive ransomware attack on Ireland’s Health Service Executive (HSE), the Irish Times offers advice for individuals who fear their data might have been compromised. The Conti ransomware group threatened they would release the 700GB of data stolen in the attack if their $20 million ransom demand was not met by last Monday, and as officials refused to pay, it’s likely the data will be published. Authorities fear cybercriminals could use the data, which include patient contact info and treatment data, for blackmail or phishing scams, in particular, posing as HSE officials in order to convince targets to share additional data or payment details. The Garda National Cyber Crime Bureau advises that if anyone is contacted “by persons stating that they have your personal details and/or looking for bank account details you should not engage or provide any personal information.” The HSE secured a High Court injunction forbidding the publication of the data, though there’s no way to prevent criminals from sharing the info on the dark web.
Update on ParkMobile breach.
In March, public parking payment app ParkMobile disclosed that it suffered a data breach as the result of a vulnerability in a third-party software application. The company, which serves hundreds of American cities, sent out an email yesterday updating users on the incident and confirming that no credit card information was compromised. Community Impact Newspaper reports that ParkHouston was among the parking entities impacted, and the compromised data included user license plate numbers, email addresses, phone numbers, as well as street addresses. More than 20 million user accounts created prior to March 17, 2021 were exposed, and ParkMobile is working with a cybersecurity firm to improve their defenses.
Mac users are sometimes believed to feel a sense of immunity to malware. While macOS and the systems that run it have their security virtues, there’s no such thing, of course, as immunity. XCSSET malware has been found exploiting a zero-day to take screenshots, TechCrunch reports. Apple has patched the problem, and users should take note.
We heard from NordVPN’s Daniel Markuson, a digital privacy expert at NordVPN, who comments on that unwarranted sense of immunity.
“It’s true that hackers target Android or Windows more often because of their popularity. But recently, a number of vulnerabilities in macOS and iOS have finally busted the myth of Apple’s unbreakable security. Many people have come to believe that Apple products are somehow hacker-proof. While this may be true to some extent, vulnerabilities still exist as no device is 100% immune to cyber threats.
“We’re hearing lots of discussions about VPNs and their benefits for both individuals and businesses. People are getting more concerned about their privacy and data security, and already have a VPN app installed on their desktops or Android phones. However, the same couldn’t be said about iPhone users – many of them still have what may be called ‘the Apple syndrome,’ and believe they are safe because they use iOS.
Third-party risk and airline passenger data.
The news of Air India’s third-party exposure or passenger data has prompted industry comment. Saryu Nayyar, CEO of Gurucul, noted that you may well be affected by a security problem at an organization you’ve never heard of:
“Once again, cybercriminals are flying off with millions of personally identifiable data of airline passengers, just in time for summer travel. The data stolen can be used in social engineering scams to steal even more from these victims. The breach of third party IT Supplier to Air India, SITA, is to blame for this incident and numerous other breaches as SITA services 90% of the world’s airlines. I liken this to the Takata air bag recall in that most car manufacturers rely on Takata for their air bags. And most airlines rely on SITA for airport, border and aircraft operations. It’s overwhelming to realize a single supplier can take down an entire industry… no one ever heard of SITA or Takata before these incidents. And now we’ll never forget them.”
Rajiv Pimplaskar, CRO at Veridium, sees the incident as another reason to be leery of how we use passwords.
“While the exact cause of the SITA data breach is not yet known, it is clear that loyalty accounts, such as frequent flier or hotel rewards programs are prime targets or ‘honeypots’ for credential theft since they contain rich Personally Identifiable Information (PII). Further, loyalty accounts have less stringent rules around password resets or reuse as compared to financial services accounts employing multi factor authentication (MFA) methods thereby making it easier for credential harvesting and lateral movement.
“Verizon’s Data Breach Investigations Report (DBIR) indicates that over 80% of data breaches use compromised credentials. Airlines and the hospitality industry need to accelerate their adoption of passwordless technologies such as ‘phone as a token’ or FIDO2 security keys that eliminate this dependence on credentials. Passwordless authentication can reduce the attack surface of such breaches as well as limit the resulting data exposure. Finally, such authenticators have less friction and can be adopted by both employees and customers improving user experience and productivity.”