How could two employees of the GGD, the Dutch municipal health organisation for preventive healthcare, steal the personal data of millions of Dutch citizens and start selling it on the open market?
In the Netherlands about 8 million coronavirus tests have been carried out, along with over 800 thousand source and contact tracing investigations. All this information is stored in the GGD databases, which contain the personal details of everyone who has taken part in any coronavirus-related GGD activity.
What Went Wrong?
GGD employees could search for specific persons or dump the complete database. The intent was to let an employee quickly find the test result of any person in the database.
In practice, employees could run a broad search and export the result to an external file, which could then be downloaded and forwarded to anybody inside or outside the GGD.
Apparently this utter disregard for privacy had been going on for months at the GGD. About 26,000 employees and call-centre staff had access to the database, and 8,000 of them had access to the source and contact tracing information. It is unclear how many of these people could export the content of the entire database.
The Bad News
The leaked data contains full names, email addresses, home addresses, telephone numbers, social security numbers, gender, date of birth, medical records and the contact tracing information. In short, the data haul contains everything needed for identity theft and for potential blackmail.
How Often Does Something Like This Happen?
Unfortunately, data leaks at government institutions in the Netherlands are very common, but a malicious incident in which citizens' private data is leaked from the government and sold on the open market is not.
In March last year a data leak was discovered in the infection radar of the National Institute for Public Health and the Environment (RIVM), the body responsible for coronavirus management in the Netherlands. Because of poor security programming, ordinary users could see the information filled in by other users.
It seems many government organisations have not yet taken data loss prevention and zero trust seriously. Otherwise it is hard to imagine how these employees could not only see all the personal data of citizens, but search for someone in the database, dump the result to a file and forward it out of the organisation without any alarm going off. A lookup tool built for one-at-a-time call-centre queries has no business offering whole-database exports, and every lookup should leave an audit trail that is actually monitored for volume.
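As an added example (not code from the GGD or from the original article), the following Python script shows the kind of audit-log monitoring that would have raised that alarm: it parses a constructed key=value audit log, counts lookups per user in a sliding one-hour window and flags any export larger than a handful of rows. The log format, user names and thresholds are assumptions for illustration.

```python
"""Flag bulk lookups and bulk exports in an application audit log.

Added example, not GGD code. The log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds: a call-centre agent handles a handful of people per hour,
# and a legitimate export is a few rows, never the whole table.
MAX_LOOKUPS_PER_HOUR = 30
MAX_EXPORT_ROWS = 50


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str  # "lookup" or "export"
    rows: int    # rows returned or exported (defaults to 1 for a lookup)


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value key=value ...' audit line."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(
        ts=datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"],
        action=fields["action"],
        rows=int(fields.get("rows", "1")),
    )


def detect(lines):
    """Return alerts as (user, kind, count); at most one alert per user and kind."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    recent = defaultdict(deque)  # user -> timestamps of lookups in the last hour
    fired = set()
    alerts = []
    for e in events:
        if e.action == "export":
            # An oversized export is suspicious on its own, whatever the rate.
            if e.rows > MAX_EXPORT_ROWS and (e.user, "bulk_export") not in fired:
                fired.add((e.user, "bulk_export"))
                alerts.append((e.user, "bulk_export", e.rows))
        elif e.action == "lookup":
            window = recent[e.user]
            window.append(e.ts)
            cutoff = e.ts - timedelta(hours=1)
            while window and window[0] < cutoff:
                window.popleft()  # drop lookups older than one hour
            if len(window) > MAX_LOOKUPS_PER_HOUR and (e.user, "bulk_lookups") not in fired:
                fired.add((e.user, "bulk_lookups"))
                alerts.append((e.user, "bulk_lookups", len(window)))
    return alerts


def sample_log():
    """Constructed log: one normal agent, one scraping agent, one bulk exporter."""
    base = datetime(2021, 1, 20, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # agent01: 6 lookups spread over the hour (normal call-centre use)
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"ts={t.strftime(fmt)} user=agent01 action=lookup subject=S{i:03d}")
    # agent02: 45 lookups in 15 minutes (scraping the database by hand or script)
    for i in range(45):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"ts={t.strftime(fmt)} user=agent02 action=lookup subject=S{100 + i:03d}")
    # agent03: a small legitimate export, then a whole-table export
    lines.append(f"ts={(base + timedelta(minutes=5)).strftime(fmt)} user=agent03 action=export rows=3")
    lines.append(f"ts={(base + timedelta(minutes=6)).strftime(fmt)} user=agent03 action=export rows=200000")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Run as written it produces two alerts: agent02 for 31 lookups within an hour and agent03 for a 200,000-row export, while agent01's six lookups pass unnoticed. The same logic can be pointed at database query logs or web access logs; the lesson is that per-user volume is the signal, since each individual lookup is indistinguishable from legitimate use.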
Social media giant Twitter has launched a new pilot scheme in the United States to tackle the spread of misinformation.
Under the new Birdwatch scheme, users are invited to identify information in other people’s tweets they believe is misleading and write notes that “provide informative context.”
Twitter said it believes that a community-driven approach, in which users monitor each other and provide a free fact-checking service, will allow more content to be flagged as misinformation.
“We apply labels and add context to Tweets, however we do not desire to restrict efforts to circumstances where something breaks our rules or receives widespread public attention,” said the company in a blog post yesterday.
For now, any notes that are made will not show up on Twitter but will only be seen on a separate Birdwatch site where pilot participants can rate the helpfulness of notes added by different contributors.
“Eventually we aim to make notes visible directly on Tweets for the global Twitter audience, when there is consensus from a broad and various set of contributors,” said Twitter.
All data contributed to Birdwatch will be publicly accessible and downloadable as TSV files. Once fully fledged, Birdwatch will be driven by algorithms based on contributors’ reputations and “consensus systems”, ranking the notes made on tweets by how helpful they are.
Commenting on the pilot scheme’s introduction, Twitter user @morganiswizard wrote: “So let me get this straight, you’re attempting to stop random people from spreading misinformation with the aid of letting other random people decide what misinformation is? OK.”
Another Twitter user, Ben Collins, said that he was worried about how the Birdwatch scheme would work on the open internet.
“The big thing I’m worried about with Birdwatch? Brigading,” said Collins. “Say one extremist forum really hates one true tweet by way of a particular user. They all sign up en masse and drown out good info. As this rolls out to more people, I do not see a defence against that.”
He added: “Long term, Twitter desires to take the labelling of harmful lies out of the mouth of a faceless team at the company and provide it to the community.”
Researchers have found a vulnerability in TikTok which could have allowed attackers to harvest users’ phone numbers and private profile details.
Check Point revealed today that the flaw, which has now been fixed by the popular social network, was found in the app’s “Find Friends” feature.
The problem stems from the fact that TikTok lets users sync their phone contacts with the app, thereby linking user profiles to phone numbers.
If exploited, the flaw could have allowed attackers to bypass the app’s HTTP message signing to log in, and then sync contacts to discover the profiles of all the TikTok users in the victim’s phone book.
Worse still, the SMS log-in flow from a mobile device involved TikTok servers generating a token and session cookies that did not expire for 60 days, meaning an attacker could reuse the same cookies to log in for weeks. Long-lived sessions turn a one-time bypass into weeks of access, which is why session lifetime and server-side revocation matter as much as the login check itself.
Among the profile details exposed by the vulnerability are the TikTok nickname, profile and avatar pictures, unique user IDs and settings such as whether a user is a follower or whether a user’s profile is hidden.
Check Point’s head of products vulnerabilities research, Oded Vanunu, said his team was curious to see whether the TikTok platform could be used to gain access to private user data.
“We were able to bypass multiple protection mechanisms of TikTok, that led to privacy violation. The vulnerability should have allowed an attacker to build a database of user details and their respective telephone numbers,” he explained.
“An attacker with that degree of touchy information could operate a variety of malicious activities, such as spear phishing or other crooked actions. Our message to TikTok customers is to share the bare minimum, when it comes to your private data, and to upgrade your phone’s operating system and applications to the latest versions.”
A TikTok statement acknowledged the work of “trusted partners” like Check Point in making the platform safer for users. “We proceed to strengthen our defenses, both by continuously upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties,” it added.
Tesla has sued a former employee for allegedly stealing about 26,000 confidential files in his first week of work at the company, according to a court filing.
The company said on Friday that within three days of being hired, software engineer Alex Khatilov “brazenly stole thousands of trade secrets that took Tesla years to develop” and transferred them to his personal Dropbox, a cloud storage service.
Tesla said that when confronted by its security team, Khatilov claimed he had only transferred a couple of personal administrative documents. Khatilov told the New York Post the files ended up in his Dropbox by mistake while he was trying to make a backup copy of a folder on his computer.
Tesla said the files, which represented “200 man-years of work”, were extremely valuable to the company and, if exposed to its competitors, would give them a roadmap to copy Tesla’s innovation.
It said Khatilov was one of an elite group of just 40 of Tesla’s 50,000 employees with access to the intellectual property, and that no other employee was involved in the IP theft.
Tesla’s security team detected the file downloads on January 6, after Khatilov was hired on December 28, and confronted him by video call as he was working from home, according to the court filing.
Tesla said that during this call Khatilov delayed sharing his screen with the team, during which time “he hurriedly starts deleting records from his computer.” However, investigators were still able to view hundreds of confidential documents uploaded to his Dropbox, which Khatilov claimed he had somehow forgotten about.
Khatilov, who told the New York Post that he was unaware he was being sued until the newspaper called him on Friday, was fired the same day.
Medical records belonging to truck drivers and rail workers may have been exposed following an alleged cyber-attack on an occupational healthcare provider in Virginia.
Data apparently belonging to employees of the United Parcel Service (UPS) and Norfolk Southern Railroad was published on a leak website by the gang behind the Conti ransomware. The criminals claimed to have obtained the data during a December cyber-attack on Taylor Made Diagnostics (TMD).
The HIPAA Journal reported that the leaked data includes full names, Social Security numbers, details of medical examinations, drug and alcohol testing reports, and scans of driving licences.
With locations in Chesapeake and Newport News, TMD operates occupational health clinics used by transportation companies and government agencies. The company provides services including drug testing, CPR training, fit-for-duty evaluations, vaccinations, and respirator fit testing.
According to its website, TMD’s clients include the US military, the US Secret Service, the Naval Special Warfare Development Group, BAE Systems, Old Dominion University, the Social Security Administration, and the Virginia Department of Military Affairs.
While TMD has not confirmed the alleged attack, FreightWaves reported that among the more than 3,000 TMD files leaked on January 8 were multiple health records for employees at both UPS and Norfolk Southern, dated as recently as December 2020.
In addition, the trucking news outlet spotted records belonging to personnel of US government agencies, defence contractors, and multiple smaller trucking companies.
Norfolk Southern Railroad, which employs nearly 25,000 people in 22 states, said that it was investigating the veracity of the criminals’ claims.
“The security of our employees’ data is a priority for Norfolk Southern and a requirement for our vendors,” Norfolk Southern spokesperson Jeff DeGraff wrote in an email to FreightWaves.
“Norfolk Southern is looking into the issue but has not issued any comment at this time.”
UPS, which employs 362,000 people in the US and a further 82,000 internationally, said it is also looking into the possible data breach.
According to the US Department of Health and Human Services, in December alone 37 US healthcare providers reported hacking or unspecified IT incidents that compromised the data of nearly 1.5 million patients.
A cloud misconfiguration at the now-defunct social media app Fleek has exposed hundreds of thousands of explicit images that users thought had been deleted. Fleek was pitched as an unfiltered and uncensored alternative to Snapchat’s “Campus Stories.” A hit with US college students, it promised to automatically delete pictures after a short period, encouraging users to post salacious photographs of themselves engaged in sexually explicit and unlawful activities.
A team led by Noam Rotem found misconfigured AWS S3 buckets in October last year belonging to the now-defunct Fleek and its owner Squid Inc. The researchers found not only that the promised deletion had not happened, but that many images were still available for download from the Amazon bucket months after the service ceased to exist.
Fleek’s users were mostly university students unaware of the implications of uploading photos that show them engaging in embarrassing and criminal activities, such as drug use. If cyber-criminals obtained these pictures and knew how to locate the people in them, they could easily target and blackmail them for large sums of money.
In total, the research team located around 377,000 files in the 32GB bucket, including pictures and bot scripts.
Having contacted both Squid Inc’s founder and AWS to report the privacy issue, vpnMentor found the bucket had been secured about a week after it was discovered. However, it is uncertain whether the data has since been deleted.
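As an added example (not Fleek’s, Squid Inc’s or vpnMentor’s code), the following Python linter applies the check that catches this kind of misconfiguration: given an S3 bucket policy and bucket ACL in the shape the AWS API returns them (here constructed inline), it reports every Allow statement whose principal is everyone and every ACL grant to the AllUsers or AuthenticatedUsers groups. The bucket name, account ID and role name are placeholders.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous access.

Added example; the policies, ACL and names below are constructed placeholders,
not Fleek's or Squid Inc's real configuration.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list:
    """Return Allow statements that grant actions to everyone.

    Unconditional grants are listed with their actions; grants carrying a
    Condition are listed for manual review, since a condition may or may not
    narrow the grant enough to be safe.
    """
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if not _principal_is_everyone(st.get("Principal")):
            continue
        sid = st.get("Sid", f"stmt{i}")
        if st.get("Condition"):
            findings.append(f"{sid}: conditional grant to everyone, review Condition")
        else:
            findings.append(f"{sid}: {', '.join(_as_list(st.get('Action', [])))}")
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [
        f"{g['Grantee']['URI']}: {g['Permission']}"
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def policy_from_api_response(response: dict) -> dict:
    """get-bucket-policy returns the document as a JSON string under 'Policy'."""
    return json.loads(response["Policy"])


# Constructed: the open-bucket shape (anyone may list and read every object).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-media-bucket", "arn:aws:s3:::example-media-bucket/*"],
    }],
}

# Constructed: reads limited to one application role (placeholder account ID), plus a
# Deny for unencrypted transport, which targets everyone but must not be flagged.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/media-api"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-media-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed ACL: the owner has full control, but the world can READ (list) the bucket.
WEAK_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("weak policy :", public_policy_statements(WEAK_POLICY))
    print("fixed policy:", public_policy_statements(FIXED_POLICY))
    print("weak ACL    :", public_acl_grants(WEAK_ACL))
```

WEAK_POLICY is the open-bucket shape; FIXED_POLICY restricts reads to one IAM role and keeps a Deny-everyone statement, which the linter correctly ignores because Deny cannot widen access. For real buckets, feed it the output of `aws s3api get-bucket-policy` (via `policy_from_api_response`, since the document arrives as a JSON string) and `aws s3api get-bucket-acl`, and enable S3 Block Public Access at the account level (`aws s3api put-public-access-block`) so a stray policy cannot make objects public in the first place. Note also that a promise to delete pictures after a short period is only real if storage enforces it, for instance with a lifecycle expiration rule, rather than the app merely hiding the object.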
It is important to understand from a service provider what happens to your data if the service ceases to exist, as in the case of Fleek. Often, with smaller companies, the company keeps possession of the data, and there is very little accountability stopping it from misusing the data or sharing it with others in the future.