Data breaches you might have missed during latest Facebook ordeal

1 Oct 2018

Image: DreamLand Media/Shutterstock

Last week in the world of infosec, Tory MPs found their details spread online after a major data breach, while Tesco paid out £16m for a 2016 breach.

There was no avoiding the enormous Facebook data breach this week, putting the social network in even more hot water at a time when it is trying to be seen as a more welcoming place online.

An investigation showed that as many as 50m users accounts were breached by an access token harvesting attack, with more than 40m additional users possibly affected also.

The person or group behind the breach – the largest in Facebook’s history – remains a mystery. However, those responsible would have to have been particularly skilled, given they were after access tokens.

This breach was one of a number that either came to light or were brought back into the spotlight this week.

Conservative Party app leaked MPs’ personal details

The Guardian has revealed that a major flaw found in an app designed for the UK’s Conservative Party allowed anyone logged in to read private data of senior party members.

The app was created ahead of the party’s official conference, but major security oversights allowed for people to see members’ phone numbers and email addresses. Additionally, anyone logged in was able to amend personal details of senior MPs, including a minister’s image on the app.

In one example, MP Gavin Williamson’s photo was changed to that of media magnate Rupert Murdoch, referencing Williamson’s former employer.

Given the widespread changes one could make about other people’s information, the app’s potential breach of GDPR has been brought into question.

In a statement, the Conservative Party said: “The technical issue has been resolved and the app is now functioning securely. We are investigating the issue further and apologise for any concern caused.”

Reports of Qatari cyber-espionage campaign in US

Dubai-based television news channel Al Arabiya claims to have unearthed more details on a major cyber-espionage campaign led by Qatar against more than 1,200 Americans, including friends of US president Donald Trump.

The original claim was made by a US Republican lobbyist called Elliot Broidy, who said that senior officials from a number of Arab governments – including the United Arab Emirates, Saudi Arabia and Syria – were targeted by cyber-criminals working on behalf of the Qatari government.

This latest report said that the Qatari campaign stretched across four continents and, according to a complaint filed by lawyer and US ambassador Lee Wolosky, did not hold back in criticising Qatar.

“The evidence uncovered in this case ties Qatar to a cyber-espionage campaign targeting the email accounts of US citizens and thousands of other political opponents around the world,” he said. “Ongoing litigation in the US sought to hold Qatar and its agents in the US accountable.

Qatar’s relationship with its Arab neighbours is less than favourable at the moment, to the extent that Saudi Arabia is considering turning the peninsula nation into an island by building a canal along the countries’ border.

Tesco fined £16.4m over 2016 data breach

The UK’s financial regulator has ordered retail chain Tesco to pay up £16.4m over a major data breach that occurred back in 2016, according to The Guardian.

The news at the time revealed that the company’s banking division – Tesco Bank – had suffered a major data breach, with money from thousands of bank accounts being removed by hackers.

The Financial Conduct Authority (FCA) issued a statement saying that Tesco was being hit with a financial penalty because it “failed to exercise due skill, care and diligence”, adding that the entire situation was avoidable.

The FCA’s executive director of enforcement and market oversight, Mark Steward, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

One in four employees have experienced a data breach

New research published by 247meeting surveying 2,000 professionals has found a worrying statistic: a quarter of respondents admitted to being on the end of a data breach at some point.

Of those surveyed, 26pc said that despite having access to customer data, they had not been trained up on GDPR and that more than one-third didn’t know where their security policy was saved. Based on its findings, some of the industries most likely to have employees not trained up on GDPR include: hospitality and management (51pc), media and internet (45pc), and marketing, advertising and PR (44pc).

Perhaps most strange of all, a quarter of senior managers said they had experienced having a complete stranger on the line during a conference call.

“We were initially shocked that so many senior managers had experienced a cyberattack or data breach yet, since they were the ones more willing to share conference call PINs and leave their computers unlocked when not at their desk, the results aren’t that surprising,” said Gavan Doherty, CEO of 247meeting.

Colm Gorey was a senior journalist with Silicon Republic