
Navigating Data Privacy Laws in a Global Business Environment

In an increasingly interconnected world, businesses must navigate a maze of complex data privacy laws that vary by country and region. This blog post explores key strategies for businesses to remain compliant with international data privacy laws, highlighting the role of platforms like Findings.co in facilitating compliance.


Understanding the Landscape

Firstly, businesses must gain a comprehensive understanding of the regulations that apply to them, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States. Each set of regulations has its own set of requirements regarding data collection, storage, and processing, making compliance a challenging but essential endeavor.


Implementing Robust Data Governance

To manage compliance effectively, businesses should establish a robust data governance framework that includes data protection impact assessments, regular audits, and clear policies for data handling and breach notifications. This framework ensures that all aspects of data privacy—from collection to deletion—are handled according to legal requirements.


Leveraging Technology for Compliance

Technological solutions play a crucial role in achieving and maintaining compliance. Tools and platforms like Findings.co offer automation features that can help businesses monitor compliance continuously and manage data privacy more efficiently. These technologies can automate the creation of compliance reports and ensure that the business adapts to changes in privacy laws quickly and effectively.


Training and Awareness

Keeping staff informed and trained on the latest data privacy laws and best practices is essential. Regular training sessions can help prevent data breaches and ensure that employees understand their roles in protecting personal data.


Building Trust Through Transparency

Businesses that are transparent about their data handling practices are more likely to build trust with their customers. This involves clear communication about how customer data is collected, used, and protected, as well as how customers can exercise their rights under the laws.


A Continuous Journey

Navigating global data privacy laws is a continuous journey that requires vigilance, adaptability, and a proactive approach. By understanding the legal landscape, implementing strong governance, leveraging technology, educating staff, and maintaining transparency, businesses can not only comply with these laws but also enhance their reputation and build stronger relationships with customers.

In today’s digital age, compliance with data privacy laws is not just a legal requirement but a competitive advantage that underscores a company’s commitment to protecting consumer data.

Keep Calm and Comply On: Singapore’s PDPA

PDPA Overview: The Personal Data Protection Act

In 2024, as digital connectivity and data exchange continue to expand, protecting personal privacy has become increasingly critical. Singapore’s Personal Data Protection Act (PDPA) represents a critical step in protecting individuals’ personal information while balancing the operational needs of organizations. This blog explores the PDPA’s core components, its objectives, and its implications for both individuals and organizations. In short, the PDPA is a general data protection law that applies to all private sector organizations.


What is Personal Data?

Personal data is any information about an individual who can be identified from that data, or from that data in conjunction with other information accessible to the organization. This broad definition encompasses a wide range of information, from names and contact details to medical records and financial information, highlighting the PDPA’s comprehensive approach to privacy.


Introduction to the PDPA:

The PDPA sets a baseline standard for personal data protection in Singapore, supplementing sector-specific frameworks such as those governing banking and insurance. It addresses the collection, use, disclosure, and care of personal data, ensuring organizations adhere to strict guidelines in managing personal information. Additionally, it is worth noting that there are more regulations established under this Act:


  • The Personal Data Protection (Notification of Data Breaches) Regulations 2021, which address the procedures following data breaches.

  • The Personal Data Protection (Composition of Offences) Regulations 2021, outlining the classification of offenses under the act.

  • The Personal Data Protection (Do Not Call Registry) Regulations 2013, establishing guidelines for the Do Not Call Registry.

  • The Personal Data Protection (Enforcement) Regulations 2021, detailing enforcement measures.

  • The Personal Data Protection (Appeal) Regulations 2021, specifying the appeal processes related to decisions made under the act.


Objectives of the PDPA:

The PDPA’s primary goal is to protect individuals’ personal data from misuse, fostering trust in organizations that handle such data. It aims to balance the protection of individual privacy with the legitimate needs of organizations to use personal data for reasonable purposes. By regulating personal data flow, the PDPA seeks to reinforce Singapore’s reputation as a trusted global business hub.


Scope and Applicability of the PDPA:

The PDPA covers both electronic and non-electronic formats of personal data. However, it exempts individuals acting in personal or domestic contexts, employees within their organizational capacity, public agencies dealing with personal data, and business contact information. This distinction ensures the PDPA’s provisions are targeted and relevant to the protection of personal privacy without unduly burdening personal or internal business processes.


Data Protection Obligations Under the PDPA:

Organizations are mandated to comply with the PDPA when engaging in any form of personal data collection, use, or disclosure. These obligations include obtaining consent, ensuring data accuracy, providing security safeguards, and allowing individuals access to and correction of their data. Compliance is not optional; it’s a legal requirement, with significant implications for non-adherence.


Development and Evolution of the PDPA:

Since its inception, the PDPA has undergone several key developments:

  • 2013: The Personal Data Protection Commission (PDPC) was established to oversee the Act’s implementation and enforcement.

  • 2014: Provisions related to the DNC Registry became operational, alongside the main data protection rules.

  • 2020: Amendments were passed to update the PDPA, reflecting evolving data protection needs.

  • 2021: These amendments took effect in phases, starting from February, marking the continuous effort to strengthen data protection in Singapore.


Most recently, on March 1, 2024, PDPC released Advisory Guidelines on using Personal Data in AI systems, focusing on recommendations and decisions. These guidelines, while not legally binding, provide a framework for how the PDPA might be enforced concerning AI. They offer clarity on exceptions for using personal data in AI development, emphasize data protection and accountability, and suggest transparency in policies.


Highlights:

  • The guidelines outline when organizations can use personal data exceptions for AI development.

  • They advise on protecting data and ensuring accountability in AI system deployment.

  • Organizations are encouraged to disclose their data protection policies to build trust.


Commitment to data protection:

The PDPA embodies Singapore’s role in balancing individual privacy rights with the operational needs of organizations. Its comprehensive approach, from setting standards for personal data management to establishing the DNC Registry, reflects a nuanced understanding of the digital age’s challenges. As the PDPA evolves, it remains a cornerstone of Singapore’s data protection regime, ensuring the country remains a secure and trusted place for both individuals and businesses.


November Security Breach Round Up

November Security Breaches

Welcome to this month’s edition of our data breach round up, where we unravel the recent cyber threats that have sent shockwaves across industries. In a digital landscape fraught with challenges, our commitment at Findings is to equip you with the knowledge and tools necessary to navigate these turbulent waters.

This month’s featured breaches spotlight the vulnerabilities that transcend sectors, from the technology giant Samsung to the healthcare domain with McLaren Health Care, and even reaching into the retail space with Dollar Tree. Each incident reveals not only the compromise of personal and sensitive data but also the profound implications for privacy, security, and trust in our increasingly interconnected world.

  1. Samsung:

    Samsung has acknowledged a significant data breach affecting its U.K. customer base. The breach, which spanned a year, was first brought to light in a statement to TechCrunch by Chelsea Simpson, a spokesperson for Samsung via a third-party agency. According to Simpson, the breach led to unauthorized access to contact details of some Samsung U.K. e-store customers. The specifics of the breach, including the number of affected customers and the method used by hackers, remain undisclosed.

    In communications with affected customers, Samsung revealed that the breach stemmed from a vulnerability in an unspecified third-party business application. This vulnerability exposed the personal data of customers who made purchases on the Samsung U.K. store from July 2019 to June 2020. The company only discovered the breach on November 13, 2023, over three years after the fact, as detailed in a letter to customers that was shared on X (formerly Twitter).

    The compromised data includes names, phone numbers, postal and email addresses, but Samsung assures that no financial information or passwords were affected. The company has reported the breach to the U.K.’s Information Commissioner’s Office (ICO), where spokesperson Adele Burns confirmed that the regulator is conducting enquiries into the incident.

    This breach marks the third such incident disclosed by Samsung in the past two years. Previous breaches include a September 2022 attack on Samsung’s U.S. systems, with undisclosed customer impact, and a March 2022 breach where Lapsus$ hackers allegedly leaked around 200 gigabytes of Samsung’s confidential data, including source code and biometric unlock algorithms.

  2. KidSecurity:

    KidSecurity, a popular parental control app, inadvertently exposed user data due to a security oversight. The app, with over a million downloads, tracks children’s locations and activities. Researchers discovered that the app failed to secure its Elasticsearch and Logstash databases, leaving over 300 million records publicly accessible for over a month. This exposed data included 21,000 phone numbers, 31,000 email addresses, and partial credit card information.

    The unprotected data became a target for malicious actors, with indications of a compromise by the ‘Readme’ bot. Cybersecurity expert Bob Diachenko highlighted the severity of this breach, especially considering the app’s focus on children’s safety. The exposure of sensitive information such as contact details and payment information poses serious risks, including identity theft and fraud. KidSecurity had yet to comment on the breach at the time of the report.

  3. McLaren Health Care:

    McLaren Health Care recently informed its patients of a cybersecurity incident affecting its computer systems. The healthcare provider noticed suspicious activity around August 22, 2023, and immediately commenced an investigation with third-party forensic specialists. This inquiry revealed unauthorized access to McLaren’s network between July 28 and August 23, 2023, with potential data acquisition by the unauthorized party.

    A thorough review, completed by October 10, 2023, indicated that sensitive information might have been compromised. The data at risk includes names, Social Security numbers, health insurance details, medical information like diagnoses, physician details, medical records, and Medicare/Medicaid data.

    In response, McLaren has taken steps to secure its network and is reviewing and reinforcing its data protection policies and procedures. They are also offering affected individuals identity theft protection services through IDX, including credit monitoring and a $1,000,000 insurance policy, valid until February 9, 2024.

    McLaren urges individuals to stay vigilant, monitor their financial statements, and report any suspicious activity. For further assistance, IDX is available for inquiries, with representatives knowledgeable about the incident. McLaren emphasizes that, as of now, there is no evidence of misuse of the compromised information.

  4. Staples:

    Staples, a prominent American office supply retailer, recently confirmed a cyberattack that led to significant service disruptions and delivery issues. The company, operating 994 stores across the US and Canada and 40 fulfillment centers, took immediate action to contain the breach and safeguard customer data. The incident came to light following multiple Reddit posts from earlier in the week, reporting issues with Staples’ internal operations. Employees noted problems accessing various systems, including Zendesk, VPN employee portals, and email services. Comments on Reddit from Staples employees expressed surprise and concern, with one stating, “I’ve never seen anything like this in my 20 years with Staples.”

    Unconfirmed reports also suggested that employees were advised against using Microsoft 365’s single sign-on and that call center staff were sent home. Staples confirmed to BleepingComputer that they had to take protective measures against a “cybersecurity risk,” which disrupted their backend processing, product delivery, and customer service communications. Although Staples stores remain open, the company’s online operations, including staples.com, continue to face challenges. A company spokesperson stated that systems are gradually coming back online, but some delays in processing orders are expected. Staples has assured a swift return to normal operations and has posted a similar notice on their website.

    BleepingComputer reported that no ransomware or file encryption was involved in the attack. Staples’ rapid response, including shutting down networks and VPNs, may have prevented the attack from reaching its full potential. The extent of any data theft and the potential consequences, such as ransom demands, remain to be seen. This cyberattack is not Staples’ first brush with cybersecurity issues. In March 2023, Essendant, a Staples-owned distributor, faced a multi-day outage impacting online orders. Furthermore, in September 2020, a data breach at Staples exposed customer and order information due to an unpatched VPN vulnerability.

  5. Dollar Tree:

    Dollar Tree, a notable discount retail chain with stores across the United States and Canada, has been affected by a data breach involving a third-party service provider, Zeroed-In Technologies. This breach has impacted nearly 2 million individuals, specifically targeting Dollar Tree and Family Dollar employees.

    The breach, occurring between August 7 and 8, 2023, was disclosed in a notification to the Maine Attorney General. While the intrusion into Zeroed-In’s systems was confirmed, the exact details of accessed or stolen files remained unclear. Consequently, Zeroed-In conducted a thorough review to identify the compromised information, which included names, dates of birth, and Social Security numbers (SSNs).

    Affected individuals have been notified and offered a twelve-month identity protection and credit monitoring service. In response to inquiries from BleepingComputer, a Family Dollar spokesperson stated, “Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.”

    The breach’s impact may extend beyond Dollar Tree and Family Dollar, potentially affecting other Zeroed-In customers, although this has not been confirmed. Zeroed-In has not responded to inquiries about the incident.

    The breach’s magnitude has prompted law firms to investigate the possibility of a class-action lawsuit against Zeroed-In.

  6. General Electric:

    General Electric (GE), a prominent American multinational involved in various industries, is investigating a possible cyberattack and data theft. A hacker known as IntelBroker allegedly breached GE’s development environment, initially attempting to sell access on a hacking forum for $500. After failing to attract buyers, the threat actor claimed to offer both network access and stolen data, including sensitive military and DARPA-related information.

    IntelBroker, recognized for previous high-profile cyberattacks, provided screenshots as evidence of the breach, showing data from GE Aviation’s database on military projects. GE confirmed to BleepingComputer their awareness of these allegations and their ongoing investigation.

    IntelBroker’s past exploits include a breach of the Weee! grocery service and a significant data theft from D.C. Health Link, a healthcare marketplace used by White House and House staff. The D.C. Health Link breach, which led to a congressional hearing, revealed that a misconfigured server had exposed sensitive data online.

  7. HSE:

    Holding Slovenske Elektrarne (HSE), Slovenia’s largest electricity provider, was recently hit by a ransomware attack. Despite this, the company’s power generation remained unaffected. HSE, which accounts for about 60% of Slovenia’s domestic power production, managed to contain the attack within a few days.

    The company’s IT systems and files were encrypted, but operational functions continued normally. HSE informed national cybersecurity authorities and the police, and engaged external experts for mitigation. While no ransom demand has been received yet, the company remains cautious during the cleanup process.

    Unofficial sources attribute the attack to the Rhysida ransomware gang, known for high-profile attacks without immediate ransom demands. The breach might have occurred through stolen passwords from unprotected cloud storage, although this has not been confirmed. Rhysida has been active since May 2023 and is notorious for targeting various organizations internationally. HSE is yet to issue a formal response to these allegations.

The array of cyberattacks faced by the companies above demonstrates the complexity and severity of the cybersecurity landscape. These incidents serve as stark reminders of the persistent threats in the digital domain, urging organizations to fortify their defenses and adopt more robust data protection measures. As the aftermath of these breaches unfolds, it is imperative for companies not only to address the immediate security gaps but also to engage in proactive measures to safeguard against future threats. Furthermore, these events underscore the need for ongoing vigilance, transparency, and collaboration among businesses, regulatory bodies, and cybersecurity experts to enhance the resilience of our digital ecosystem against such pervasive and evolving threats.

Navigating the GDPR Compliance Labyrinth: A Practical Guide

In the digital realm, data is the cornerstone upon which businesses are built. However, with great data, comes great responsibility, particularly in the eyes of the law. The General Data Protection Regulation (GDPR) is a mandate that oversees the data governance within the European Union (EU) and the European Economic Area (EEA). Its ripple effects are felt far and wide, transcending geographical borders. This guide aims to demystify the GDPR compliance journey, offering a structured checklist to ensure a seamless adaptation to these regulatory requisites.


Understanding Your Data Landscape

Before diving into the GDPR compliance checklist, it’s pivotal to have a clear understanding of the data you hold. This includes knowing the type of data, its origin, and its purpose.

  • Data Inventory: Conduct a thorough data inventory to identify the type of data you process and store.
  • Data Flow Mapping: Trace the journey of data within your organization to understand how it’s processed and shared.

Aligning with GDPR Principles

The GDPR is hinged on seven fundamental principles which form the bedrock of data protection.

  • Lawfulness, Transparency, and Fairness: Ensure your data processing activities are lawful, transparent, and fair.
  • Purpose Limitation: Process data strictly for the purposes it was collected.

Technical and Organizational Measures

A robust data protection framework is the linchpin in ensuring GDPR compliance.

  • Data Protection by Design and Default: Implement data protection from the onset of any process or system development.
  • Data Security: Employ robust security measures to safeguard data against unauthorized access and data breaches.

Individual Rights and Requests

Under GDPR, individuals have been accorded a set of rights concerning their data.

  • Right to Access: Ensure individuals can access their data and understand how it’s being processed.
  • Right to Rectification: Provide a mechanism for individuals to rectify inaccurate data.

Accountability and Governance

Establishing a governance framework is paramount to demonstrate compliance with GDPR.

  • Data Protection Officer (DPO): Appoint a DPO to oversee data protection activities.
  • Training and Awareness: Cultivate a data protection culture through training and awareness programs.

Data Breach Notification and Responses

Preparedness is key in mitigating the impact of a data breach.

  • Breach Notification: Have a solid breach notification process in place to inform relevant parties in the event of a data breach.
  • Incident Response Plan: Develop a comprehensive incident response plan to tackle data breaches effectively.

Regular Audits and Reviews

Continuous evaluation is crucial to ensure that your data protection measures are up to snuff.

  • Compliance Audits: Conduct regular GDPR compliance audits to ascertain adherence to data protection principles.
  • Continuous Improvement: Foster a culture of continuous improvement to enhance your data protection framework.

Embarking on the GDPR compliance journey may seem like traversing a legal labyrinth. However, with a structured approach encapsulated in this checklist, navigating through the GDPR compliance maze becomes less daunting, ensuring your organization remains on the right side of the law.

What is Edge Computing?

Findings.co explains the positives and negatives of edge computing
Edge computing is a growing trend in the field of network technology that is changing the way data is processed and analyzed. Instead of relying solely on a centralized server to process data, edge computing brings processing capabilities closer to the source of the data, or the “edge” of the network. This allows for more efficient and effective data processing and analysis, as well as increased performance and reduced latency.
Edge computing has become increasingly popular due to the rise of the Internet of Things (IoT) and other connected devices. These devices generate a vast amount of data that needs to be processed and analyzed in real-time, and edge computing provides a way to do this without overburdening centralized servers.
In essence, edge computing enables smart apps and IoT sensors to perform real-time functions by addressing three related challenges:

  • Remote device connectivity to a network

  • Slow data processing caused by network or computing limitations

  • Edge devices that create network bandwidth issues
By processing data closer to the source (at the edge of the network), edge computing can overcome these challenges and improve efficiency, reduce latency, and enhance the overall performance of the system. This allows for faster and more reliable data processing, making real-time functionality possible.
One of the main benefits of edge computing is improved efficiency. By processing data at the edge, devices can perform some of the computing tasks that would otherwise require a more powerful centralized server. This not only reduces the workload on the server but also reduces the amount of data that needs to be transmitted over the network, resulting in faster processing times and lower latency. Microsoft Azure shared a great example of this, writing, “A security camera in a remote warehouse uses AI to identify suspicious activity and only sends that specific data to the main datacenter for immediate processing. So, rather than the camera burdening the network 24 hours per day by constantly transmitting all of its footage, it only sends relevant video clips. This frees up the company’s network bandwidth and compute processing resources for other uses.”

There are, of course, several risks associated with edge computing. One of the most significant is security. With data being processed and stored on many edge devices, it can be more challenging to secure the network against potential attacks. This is especially true when it comes to securing data in transit between edge devices and central servers.

Another risk is data privacy. Edge computing involves collecting and processing large amounts of data, which can potentially be used to identify individuals or groups. One of the primary concerns is that edge computing may collect and process personal data, such as personally identifiable information (PII), biometric data, or sensitive information related to health, financial, or other personal matters. This raises concerns about the potential for misuse or unauthorized access to personal information. Another data privacy risk associated with edge computing is the potential for data breaches or cyberattacks. Since edge devices are distributed and may not have the same level of security measures as centralized servers, they may be more vulnerable to attacks. Moreover, edge devices may transmit data over insecure networks or unsecured channels, further increasing the risk of interception or data leakage.
Network connectivity is another potential risk. Edge computing relies on stable and fast network connectivity between edge devices and central servers. If the network connection is unreliable or slow, it can negatively impact the performance of the entire system.
Compatibility issues can also arise with edge computing. Edge devices may be running different operating systems and software, which can create compatibility issues when it comes to integrating them with other devices and central servers.
Finally, managing and maintaining edge devices can be challenging. This includes firmware updates, security patches, and troubleshooting issues. This can be especially problematic in large-scale deployments with many devices spread out over a wide area.
Despite these risks, the benefits of edge computing make it an increasingly popular technology for organizations looking to improve their data processing and analysis capabilities. As the technology continues to evolve, it is likely that many of these risks will be mitigated, making edge computing an even more attractive option for businesses and organizations of all sizes.

Noting the security issues is important to prevent detrimental damages to companies. To mitigate these data privacy risks, organizations must implement privacy-by-design principles in their edge computing solutions. This includes conducting privacy impact assessments (PIAs) to identify potential privacy risks and implementing technical and organizational measures to address them. Additionally, companies must ensure that they obtain valid user consent for collecting and processing personal data and that they adhere to data protection regulations. Encryption and other security measures should also be implemented to protect data both in transit and at rest, and data monitoring and auditing processes should be in place to detect and respond to security incidents.

The Great Data Breaches: Tales of Cybersecurity Misadventures

Findings.co talks about the biggest breaches of the past decade.

Data breaches are a nightmare of the digital age that have plagued companies and organizations around the world in recent years. With cybercriminals constantly evolving their tactics, no one is safe from the threat of a data breach. While this list could go on and on, we’ve narrowed it down to some of the most well-known breaches to date.

Let’s take a look at some of the most notable data breaches that have occurred in the past decade, and the lessons we can learn from them!

Equifax: The One That Got Away

In 2017, Equifax, one of the largest credit reporting agencies, suffered a breach that exposed the personal information of 147 million people, including names, birthdates, Social Security numbers, and other sensitive data. Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes. In a statement released, Equifax writes, “The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application. Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.”

(From SEC filing report)

This was a huge blow for the credit industry, as it exposed flaws in the system that allowed unauthorized access to sensitive personal information. It also highlighted the need for companies to invest in cybersecurity measures to protect their customers’ data.

Yahoo: Twice Bitten, Thrice Shy

In 2013 and 2014, Yahoo experienced two separate data breaches, and every user who had a Yahoo account was likely affected. The stolen information included names, email addresses, phone numbers, dates of birth, and security questions and answers. The sheer scale of this breach was unprecedented. Many companies lack the ability to collect and store all network activity that could be used to trace a hacker’s steps, which makes data breaches difficult to investigate; the Yahoo breaches of 2013 and 2014 highlighted this, as investigators struggled to follow the hackers’ tracks due to a lack of network activity data.

Marriott: A Wake Up Call

In 2018, Marriott International, one of the world’s largest hotel chains, suffered a data breach that exposed the personal information of approximately 500 million customers who had made a reservation at a Starwood property. In a company statement, Marriott explains that they “learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.” The stolen information included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Some guests’ payment card numbers and expiration dates were also compromised, but they were encrypted using AES-128. This breach was a wake-up call for the hospitality industry, which has traditionally lagged behind other sectors in cybersecurity. It highlighted the importance of designing security measures into products and services from the outset, rather than bolting them on as an afterthought.

Target: The Target of Cybercrime

In 2013, Target, a major U.S. retailer, experienced a breach that affected 110 million customers. It was one of the earliest and most widely publicized data breaches; before it, cybersecurity was not given the level of attention it receives today, and the practices many businesses adopted in response likely prevented numerous later breaches. The breach began when a third-party contractor for Target, Fazio Mechanical Services, fell victim to a spear-phishing attack. The hackers then used the stolen credentials to access Target’s corporate network and install malware on Target’s POS devices. Target’s security team received a notice for a generic threat but did not act on the warning. The breach wasn’t detected until three days later, and the US Department of Justice uncovered the scope of the danger on December 12th. The hackers gained access to data including full names, phone numbers, email addresses, payment card numbers, and credit card verification codes. This breach was a turning point in the battle against cybercrime, as it demonstrated that even the biggest companies were vulnerable to attack. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.

Capital One: A Capital Mistake

In 2019, Capital One experienced a breach after an outside individual obtained unauthorized access to personal information of about 100 million US customers and 6 million Canadian customers. Capital One explained that they discovered this security incident after the configuration vulnerability was reported to Capital One by an external security researcher through their Responsible Disclosure Program on July 17, 2019. The accessed information included personal information collected from credit card applications, such as names, addresses, and self-reported income, as well as customer status data, credit scores, and transaction data from 23 days in 2016-2018. Additionally, the individual obtained about 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers. This incident underscores the importance of securing sensitive financial data and having strong cybersecurity policies, including employee training and regular security audits.

eBay: Buy and Beware

In 2014, eBay experienced a massive data breach that affected all 145 million of its users at the time. The hackers were able to access encrypted passwords and personal details of customers, including names, email addresses, phone numbers, and physical addresses. As a result, eBay was forced to ask all of its users to change their passwords. In many such cases, hackers may unscramble encrypted passwords and then use automated software that tries the recovered credentials against thousands of popular social media sites and banking accounts. At the time, eBay faced heavy criticism for its slow response and poor communication with affected customers. This incident highlights the importance of swift action and proactive communication with customers in the aftermath of a data breach. Even more importantly, it was a lesson in password hygiene and the need for companies to implement strong password policies alongside additional controls such as two-factor authentication.

Anthem: The Healthcare Hack

In 2015, Anthem, one of the largest health insurance companies in the U.S., announced that it suffered a breach that exposed the personal information of 80 million customers, including names, birthdates, Social Security numbers, and other sensitive data. How did it happen? According to the investigative report, the Anthem data breach began in February 2014 when a user in one of the company’s subsidiaries opened a phishing email containing harmful content. This led to the download of malicious files and remote access to the user’s computer, as well as dozens of other systems within the Anthem enterprise, including the company’s data warehouse. The attacker was able to move laterally across Anthem systems and escalate privileges, ultimately compromising at least 50 accounts and 90 systems. This resulted in access to approximately 78.8 million unique user records after querying the data warehouse. This breach was a stark reminder of the importance of securing sensitive healthcare data, which is highly sought after by cybercriminals. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.

Microsoft Exchange: The Latest Threat

In 2021, Microsoft Exchange email servers were attacked, affecting 60,000 companies worldwide. The hackers exploited four zero-day vulnerabilities, which allowed them to gain unauthorized access to the email of organizations ranging from small businesses to local governments. They took advantage of a few coding errors over three months to take control of vulnerable systems. Once they gained access, they could request data, deploy malware, use backdoors to reach other systems, and ultimately take over the servers. Many people assumed the requests were legitimate because they looked like they came from the Exchange servers themselves. Although Microsoft patched the vulnerabilities, owners of individual servers that didn’t update their systems remained vulnerable to the exploit: because the systems weren’t in the cloud, Microsoft couldn’t push a patch to them directly. In July 2021, the Biden administration, along with the FBI, accused China of the data breach. Microsoft followed suit and named a Chinese state-sponsored hacker group, Hafnium, as the culprit behind the attack.

These are just a few of the largest data breaches in the past decade, and there have been many others affecting a range of industries and types of organizations. The lessons we can learn from these breaches are clear: companies need to take cybersecurity seriously and implement robust security measures to protect their customers’ data. By staying informed and investing in the latest cybersecurity technologies, we can help to prevent the next big data breach.

January Security Breach Round Up

Findings.co reveals the top breaches in January 2023

While a new year is supposed to bring new and exciting opportunities, quite the opposite happened to these companies, whose resolutions were spoiled by hackers. Let’s review some of the most interesting data breaches that happened in January.


PayPal:


Yes, even massive financial companies like PayPal fall victim to breaches. On January 18, 2023, PayPal informed customers that unauthorized parties were able to access PayPal customer accounts using their login credentials. In the company notice, PayPal writes, “the personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.” After an incident like this, it is extremely important that users change their passwords for other online accounts as well as activate two-factor authentication, which can prevent hackers from accessing their other accounts. 


T-Mobile:

Another breach? This time, 37 million people were apparently affected. On January 19th, 2023, T-Mobile released a statement writing, “We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.” Obtained information includes name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. T-Mobile further writes, “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.” While we hope that T-Mobile does indeed strengthen their cybersecurity program, we’d like to note that the telecommunications giant has suffered several security incidents in the past few years. 


Google Fi:

Think of a domino effect here. When one goes down, so can the next. It is alleged that Google Fi’s security incident is connected to the T-Mobile incident right above this one. Google Fi is a mobile virtual network operator that uses T-Mobile’s network for the majority of its connections. It is believed that hackers may have accessed customer information such as phone numbers, SIM card serial numbers, account status, and mobile service plan data. To explain the aftermath of this, BleepingComputer explained that “the exposed technical SIM data allowed threat actors to conduct SIM swap attacks on some Google Fi customers, with one customer reporting that the hackers gained access to their Authy MFA account. SIM swapping attacks are when threat actors convince mobile carriers to port a customer’s phone number to a mobile SIM card under the attacker’s control.” After a SIM swapping attack, hackers can access a person’s email, accounts registered with the phone number, and authentication apps.


Mailchimp:


Don’t be that person – always think twice before opening links from people you don’t know. On January 11, 2023, Mailchimp discovered that an unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors. By doing so, the hacker was able to obtain access to select Mailchimp accounts using employee credentials compromised in that attack. The hacker accessed a tool used by Mailchimp customer-facing teams for customer support and account administration. In a company notice explaining the situation, Mailchimp confirms, “this targeted incident has been limited to 133 Mailchimp accounts.”


JDSports: 


JDSports, a British sports-fashion retail company based in England, also unfortunately fell victim to an attack in January. JDSports notified customers via email explaining the situation.

The sports company warns that the attack resulted in unauthorized access to a system containing customer information for orders placed between November 2018 and October 2020. Information such as full names, billing details, delivery addresses, email addresses, phone numbers, order details, and the final four digits of payment cards was accessed.

Before wrapping up for the month, did you hear about SwiftSlicer, a new data-wiping malware that aims to overwrite crucial files used by the Windows operating system? BleepingComputer explains that it allows “domain admins to execute scripts and commands throughout all of the devices in the Windows network. SwiftSlicer was deployed to delete shadow copies and to overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.” Researchers at the cybersecurity company ESET say that SwiftSlicer overwrites data in 4096-byte blocks and then reboots the system. Since this is a new discovery, it’s important that companies keep their antivirus software up to date.

December Security Breach Round Up


2023 is here and while I would love nothing more than to say that everything is awesome in the security world, I would be lying to all of you if I said there were no data breaches in the month of December. 

While most people usually wind down and enjoy the holiday season with family in December, the top dogs at the companies below probably had nothing but stress on their minds. 

Let’s dig in and see what mistakes were uncovered this month.


  1. LastPass:

Well, this is a little awkward, isn’t it? Given that LastPass is a password manager, one would think that it would have strong measures in place to protect its customers’ privacy; however, that does not seem to be the case. In a company notice, LastPass writes: “we recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” The threat actor copied information from a backup source that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The company continues to explain that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” It is important to note that many organizations and their employees use LastPass to store passwords. If you were not aware of this incident, it is time to look into protecting your accounts and changing your passwords.


  2. Uber:

When I found out about yet ANOTHER Uber breach, my reaction was a deep sigh of frustration. This time the breach resulted from a compromised third-party vendor. BleepingComputer reported on the incident and shared that “a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees. While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.” After further investigation, Uber later told BleepingComputer that the threat actor stole its data in a recent breach of Teqtivity, which Uber uses for asset management and tracking services. Teqtivity reported that the threat actor was able to access device information such as serial number, make, model, and technical specs. Additionally, user information such as first name, last name, work email address, and work location details was accessed.


  3. Five Guys:

I’ll be the first to admit that Five Guys is irresistible – especially on a cheat day. So of course I hate to be the bearer of bad news here, but alas, it has to be said. On December 29, 2022, Five Guys released a statement confirming a breach that occurred in September 2022, in which an unauthorized party accessed a file server and exposed sensitive customer data. The company writes: “The investigation identified unauthorized access to files on our file server that occurred on September 17, 2022. We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process.” Stolen data would include employee personally identifiable information (PII) such as names, Social Security numbers, and driver’s license numbers. We see this time and time again: threat actors access sensitive information and companies do not inform victims until months later. In those months, the attackers can commit identity and credit fraud and sell user data on the dark web. That is one of the reasons why Findings is so useful – we continuously monitor your systems and the dark web to make sure that if an incident like this does ever occur, it will not take you months to find out.

  4. Sequoia:

For those who are unaware, Sequoia is a popular benefits and payroll management company. In a company notice, it stated: “Sequoia Benefits and Insurance Services LLC (“Company”) recently became aware that an unauthorized party may have accessed a cloud storage system that contained personal information provided in connection with the Company’s services to its clients, including your employer or, if you are a dependent, your family member’s employer.” The information accessed by the unauthorized party consists of personal information, including demographic information such as name, address, date of birth, gender, marital status, employment status, Social Security number, work email address, member ID, wage data for benefits, attachments that may have been provided for advocate services, ID cards, and any COVID test results or vaccine card that may have been uploaded.

  5. Social Blade:

Social Blade is an analytics platform that provides statistical data for numerous social sites such as YouTube, Twitter, Twitch, and Instagram. The company confirmed that it suffered a data breach after its database was stolen and put up for sale on a hacking forum. Social Blade monitors tens of millions of social media accounts, and the hacker claims to have obtained 5.6 million records. The sample data posted by the hacker also suggests that many of the records contain user information. Users online were quick to share an email that was apparently sent privately to affected users. In the email, Social Blade confirms the breach and reports that the affected data includes email addresses, IP addresses, password hashes, client IDs and tokens for business API users, and authentication tokens for connected accounts. Other non-personal and internal data was also compromised. Roughly 0.1% of users also had their addresses leaked, but credit card information was not exposed. As with several other breaches on this list, this was not Social Blade’s first: in 2016, the company also confirmed that it suffered a breach. Let’s see if the most recent one will be the push it needs to better protect the company and prevent future attacks.

Now that we are in 2023, we hope that companies will take the necessary steps to protect their systems. Findings has a few New Year’s resolutions we recommend companies take on to ensure that they are protecting their employees and consumers.

Attackers prey on those who don’t regularly change their passwords. In fact, it makes their jobs easier. Make sure your systems are secure with New Year’s Resolution # 1: Require your employees to change their passwords every 90 days.

With an increase in cyber attacks being committed against supply chains, it’s vital that every business implements mandatory cybersecurity training programs. Employees who are aware of cybersecurity basics help minimize the risks associated with cyber attacks.

Staying vigilant and continuously assessing potential risks in your supply chain is an essential New Year’s Resolution that companies need to follow in 2023.

Updates are usually required for a reason, and many times it’s for security reasons. When systems are up to date, it makes it harder for hackers to attack and find loopholes in the system. 

If you haven’t heard of our continuous monitoring solution, you may want to consider looking into it.

Andddd that’s a wrap for this month!


Findings wishes you all a happy and healthy New Year.

November Security Breach Round Up


From grocery stores to banks and everything in between, November saw it all when it came to breaches. As I mentioned in September, hackers are not picky. Let’s just say that when an opportunity arises, they will swoop right in, overtake your systems, and access any data they can get their e-hands on.

Be careful, and keep staying informed – our goal is to make sure no company ends up on this list next month.

Let’s dive in.

  1. WhatsApp


Whatsapp with this?! The app that we all know, love, and use, WhatsApp, has supposedly fallen victim to a massive data leak. And by massive, I mean nearly 500 million user records have been leaked online. So… what happened? On November 16, 2022, an ad was posted on a well-known hacking community forum by someone claiming to be selling a 2022 database of WhatsApp user mobile numbers. It is also claimed that 32 million users from the United States are included. Although only phone numbers were leaked, it is important to note that leaked phone numbers are typically used for marketing purposes, phishing, impersonation, and fraud.

  2. Bed Bath & Beyond

Ah, phishing at its finest. While almost anyone who enters Bed Bath & Beyond can get lost for hours browsing, no one likes hearing about breached data. The United States retail giant confirmed that company data was accessed without authorization after an employee was phished. In an 8-K filing to the U.S. Securities and Exchange Commission, Bed Bath & Beyond explained that data on the employee’s hard drive and on other shared drives the employee had access to was accessed. The company is still investigating whether the drives held any sensitive or personally identifiable information.

  3. Dropbox


The file hosting service Dropbox also fell victim to a phishing incident. In a statement, the company explained the situation, saying, “We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.” The company goes on to explain that on October 14, GitHub alerted it to suspicious behavior. Dropbox found that a threat actor pretending to be CircleCI was able to access one of Dropbox’s GitHub accounts. To date, its investigation has found that the code accessed by the threat actor contained some credentials, primarily API keys used by Dropbox developers.

  4. TransUnion


Isn’t it ironic how an agency that determines your credit score could be the one ruining your credit? There are three main credit bureaus in America – Experian, Equifax, and TransUnion. Unfortunately, the consumer credit reporting agency TransUnion experienced a breach and began notifying individuals about the incident on November 7, 2022. The company collects and assembles information on over 1 billion consumers worldwide, 200 million of them Americans. The type of information that was exposed includes names, Social Security numbers, driver’s license numbers, and account numbers.

  5. AirAsia


AirAsia, the largest airline in Malaysia with approximately 22,000 employees and worldwide operations, has unfortunately fallen victim to a reported ransomware attack. The group behind this attack is known as the Daixin Ransomware Gang, and it has allegedly stolen data on 5 million AirAsia passengers and employees. The Daixin team is known for disrupting operations with ransomware and stealing personally identifiable information. With this data in hand, the group threatens to release the stolen information unless a ransom is paid. In a tweet shared by Soufiane Tahiri, screenshots the group posted on the dark web can be seen. The information applies to both employees and passengers. In these documents, information such as date of birth, country of birth, where the person is from, start of employment for employees, and the secret question and answer used to secure their accounts could be found.

  6. Sonder


In a company security update, Sonder, a hospitality company, notified the public that they became aware of unauthorized access to one of its systems that included guest records. Information that was accessed includes: 

  • Sonder.com username and encrypted password

  • Full name, phone number, date of birth, address, and email address

  • Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts

  • Dates booked for stays at a Sonder property

  • Government-issued identification such as driver’s licenses or passports

  7. Sobeys

This incident shows that ANY business can get breached. Even a supermarket. In case you aren’t familiar, Sobeys is one of the two national grocery retailers in Canada. On November 7, 2022, Sobeys’ parent company wrote in a notice that the grocery stores were impacted by an IT systems issue. While the company hasn’t publicly confirmed a cyber attack on its systems, a local media outlet reported that “two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a “confidentiality incident.”

  8. Whoosh

The Russian scooter-sharing company Whoosh has confirmed that it too was breached. Hackers started selling a database containing the details of 7.2 million customers on a hacking forum. The data offered on the forum allegedly contains promotion codes that would allow someone to use the service for free, as well as partial user identification and payment card data; included were email addresses, phone numbers, and first names. Whoosh told the Russian news outlet RIA Novosti that “The leak of some of the personal data of customers of the Russian scooter rental service Whoosh at the beginning of November did indeed occur, but did not affect sensitive user data, such as access to accounts, transaction information or travel details.”

  9. Coinsquare


Cryptocurrency is a sexy industry to talk about, but this incident is a little less appealing. To round up the month, a Canadian cryptocurrency exchange, Coinsquare, has become the latest victim of a security breach. Data such as customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances was compromised. According to customer reports, Coinsquare contacted them via email and let them know that it had identified an intrusion and that a database containing personal information had been accessed by an unintended third party. In a tweet responding to an account sharing news of the hack, Coinsquare wrote, “We have no evidence any of this information was viewed by the bad actor, but in an abundance of caution, we wanted to make our users aware. We notified all clients, but only identified 3 clients whose accounts were accessed.”

Companies can get careless when it comes to securing their systems, their employees, and their customers. And while we are here to help you, the first step begins with you staying informed. Which we see you are, since you made it this far!

October Security Breach Round Up


October was Cyber Security Awareness Month, and yet: another month, another breach. In a month geared towards helping organizations protect themselves, large companies have yet again fallen victim to these attacks. One after the other, many companies and their consumers are now wondering when these breaches will stop.

Here are our top October 2022 incidents worth knowing about:

Toyota:

    • Toyota is no stranger to data breaches, and by the looks of it the company hasn’t learned from past mistakes (remember the 2019 breach that affected over 3 million of Toyota’s customers?). On October 7, 2022, Toyota issued an apology after the data of nearly 300,000 people who used T-Connect, a telematics service that connects vehicles via a network, was exposed. The Japanese car giant explained that personal data was leaked because an access key had been publicly available on GitHub for almost five years. Email addresses and customer control numbers may have been exposed since 2017.


Microsoft:

    • Another tech giant hit yet again. On October 19, 2022, Microsoft addressed the public after security researchers at SOCRadar informed Microsoft of a misconfigured Microsoft endpoint. After the discovery, Microsoft explained that the researchers exaggerated the entire situation. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers. Information about planning or potential implementation and provisioning of Microsoft services was involved. In addition, the data that was potentially compromised includes names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. 


Verizon:

    • In a notice, the company confirms, “we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice.” 


Carousell:

    • On October 14, Carousell Singapore disclosed that it experienced a breach. And this wasn’t a small breach either – almost 2 million accounts were compromised. The company explains, “it is unlikely that this incident will result in an identity theft as it does not include information like your NRIC number,” but it is believed that emails were compromised. 


Medibank:

    • Bad news for Medibank, one of the largest Australian private health insurance providers. On October 12, 2022 the company discovered that customer information may have been compromised after a hack on their systems. It was thought that the original hack only affected certain customers, but after this week, the company is assuming that all 3.9 million customers were affected. The company said it had received a series of files from the alleged hacker, and they found the files included 100 ahm policy records, which include personal and health claims data, plus another 1,000 policy records from ahm, and files which contain some Medibank, ahm and international student customer data. The records provided to the company include names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, including information about diagnosis, procedures and location of medical services.


Twilio:

    • Sometimes companies just can’t catch a break. The cloud communications company Twilio disclosed a new data breach stemming from a June 2022 security incident. After a lengthy investigation, the company concluded that 209 customers and 93 Authy end users had accounts that were impacted by the incident.

Don’t let your company end up on this list. See how Findings can help you.