Major US Postal Service data breach exposes 60m users

26 Nov 2018

A parked USPS truck. Image: Tupungato/Depositphotos

It was a busy week in the world of infosec with a major breach at the US Postal Service exposing data of 60m users.

In the build-up to the retail extravaganza that is Black Friday and Cyber Monday, the world’s biggest retailer, Amazon, at first denied it had been hit by a major data breach, despite customers receiving emails saying exactly that.

The email, sent to a large number of Amazon account holders, claimed that the issue was fixed and that it was not the result of any customer’s actions. However, the e-commerce giant eventually admitted to TechCrunch it was on the receiving end of a breach, and that the names and email addresses of those exposed were obtained by hackers.

Broken USPS API exposes 60m users

A number of US Postal Service (USPS) users – equivalent to almost a fifth of the US population – found themselves on the receiving end of a substantial data breach.

According to Krebs on Security, a broken API within USPS’s mail tracker service called Informed Delivery allowed any user to see another user’s details. Brian Krebs appeared to confirm this with a copy of the API on his own site.

In a statement to Krebs on Security, USPS said: “Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

Krebs claimed that identity thieves are using this information to see what packages are being sent to users’ homes on what days, in order to exploit them.
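The flaw described above is an authorisation failure: an endpoint that looks records up by a caller-supplied identifier without checking that the caller owns the record. The block below is an added illustration, not USPS or Informed Delivery code, using a constructed in-memory record store and audit log; the function and field names are assumptions. It shows the lookup with and without the ownership check, and a small audit-log check a defender could run to spot a session reading many different users' records.

```python
# Added example (not USPS code): an account-record lookup with and without an
# ownership check, plus a simple detector over a constructed audit log.
from collections import defaultdict

# Constructed sample data: account id -> delivery record.
RECORDS = {
    101: {"name": "A. Example", "address": "1 Sample St", "packages": ["pkg-1"]},
    102: {"name": "B. Example", "address": "2 Sample St", "packages": ["pkg-7"]},
    103: {"name": "C. Example", "address": "3 Sample St", "packages": []},
}


class Forbidden(Exception):
    """Raised when a caller asks for a record it does not own."""


def lookup_insecure(session_user: int, target_id: int) -> dict:
    # Trusts the caller-supplied id alone: any authenticated user can read
    # any other user's record. This is the class of bug the report describes.
    return RECORDS[target_id]


def lookup_secure(session_user: int, target_id: int) -> dict:
    # Ownership check: the requested record must belong to the authenticated
    # session, regardless of what id the client put in the request.
    if target_id != session_user:
        raise Forbidden(f"user {session_user} may not read record {target_id}")
    return RECORDS[target_id]


# Constructed audit log of (authenticated user, requested record id) pairs.
# A legitimate user checks their own record; session 101 reads three others'.
SAMPLE_AUDIT_LOG = [
    (101, 101),
    (101, 102),
    (101, 103),
    (102, 102),
]


def flag_enumerating_sessions(audit_log, threshold: int = 3) -> list:
    """Return users whose session requested at least `threshold` distinct ids.

    Detection heuristic for the insecure endpoint: a session that walks
    through many record ids is enumerating, not checking its own mail.
    """
    seen = defaultdict(set)
    for session_user, target_id in audit_log:
        seen[session_user].add(target_id)
    return sorted(user for user, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("insecure lookup by another user:", lookup_insecure(101, 102))
    try:
        lookup_secure(101, 102)
    except Forbidden as exc:
        print("secure lookup refused:", exc)
    print("sessions to review:", flag_enumerating_sessions(SAMPLE_AUDIT_LOG))
```

The ownership check belongs server-side next to the data access, never in the client; the audit-log heuristic is only a backstop for finding abuse of an endpoint that lacks it.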

Google reveals election interference strategy for 2019

The alleged influence of Google products in European elections was once again thrown into the spotlight as the company laid out its plans for how it intends to combat interference in next year’s EU elections.

Issues such as last May’s Eighth Amendment referendum highlighted the extent of untraceable advertising campaigns running across online platforms such as Google and Facebook, with the former eventually blocking all ads related to the referendum.

In a blogpost, the company said that it will introduce a new verification system requiring every individual or organisation putting forward election advertising to provide identification and disclose who is funding the ad campaign.

Google also said it will introduce an EU-specific Election Ads Transparency Report and searchable ad library to provide more information about who is purchasing election ads.

German developer hit with €20,000 GDPR fine

Anyone familiar with data protection and privacy should be horrified to hear how a German chat platform developer called Knuddels.de – which translates as ‘Cuddles’ from German – was storing user passwords in plaintext.

According to Spiegel Online – via The Register – as many as 800,000 email addresses and more than 1.8m pseudonyms associated with their passwords were published as part of a data breach. The company behind Knuddels.de was informed of the breach in September when someone sent an email warning that details of 8,000 of its users were published to Pastebin.

While the developer notified its users and the Baden-Württemberg data protection authority after its discovery, the German courts ruled that storing this data in plaintext was in breach of GDPR, and fined the company €20,000.
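To make the plaintext-storage problem concrete, here is an added example (not Knuddels.de's code) contrasting a plaintext credential record with a salted, iterated hash using PBKDF2 from Python's standard library. The record layout, iteration count and function names are assumptions; the point it shows is that a dumped table of hashed records does not hand over the passwords themselves, whereas a plaintext table does.

```python
# Added example (not Knuddels.de code): plaintext password storage beside
# salted PBKDF2 hashing, with verification in constant time.
import hashlib
import hmac
import os

# Assumed work factor; tune upward for production hardware.
ITERATIONS = 200_000


def store_plaintext(password: str) -> dict:
    # The practice the report describes: the secret itself is the record,
    # so anyone who reads the table has every password.
    return {"password": password}


def store_hashed(password: str) -> dict:
    # A fresh random salt per user means identical passwords hash differently
    # and precomputed tables are useless against the dump.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and parameters; compare in constant time
    # so response timing does not leak how many bytes matched.
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_secrets(records) -> list:
    # What a reader of a dumped credential table learns immediately.
    return [r["password"] for r in records if "password" in r]


# Constructed sample accounts; the password values are made up.
SAMPLE_PASSWORDS = ["correct horse battery", "hunter2"]
PLAINTEXT_TABLE = [store_plaintext(p) for p in SAMPLE_PASSWORDS]
HASHED_TABLE = [store_hashed(p) for p in SAMPLE_PASSWORDS]


if __name__ == "__main__":
    print("plaintext dump reveals:", leaked_secrets(PLAINTEXT_TABLE))
    print("hashed dump reveals:", leaked_secrets(HASHED_TABLE))
    print("login with right password:", verify_hashed(HASHED_TABLE[0], SAMPLE_PASSWORDS[0]))
    print("login with wrong password:", verify_hashed(HASHED_TABLE[0], "wrong"))
```

Where a dedicated library is available, a memory-hard function such as Argon2 or scrypt is the better choice; PBKDF2 is used here only because it ships with the standard library.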

Third of HR teams fail to delete personal data on time

Research conducted by the HR software provider Ciphr has found discrepancies between data protection policies and practices among UK HR teams, including that a third of HR teams fail to delete employees’ personal data after data retention periods expire.

Although 83pc of the 137 UK HR professionals surveyed said they have set retention periods for employee, leaver and candidate data, just 69pc said they had put these policies into practice and actually deleted data where retention periods had expired.

The study also found that HR professionals are widely ignoring one of the UK Information Commissioner’s Office’s key recommendations for GDPR compliance, namely enabling self-service access to data. Only 31pc of respondents said they had enabled self-service access to personal data for employees in response to the GDPR, with that proportion falling dramatically for job applicants (7pc) and former staff (4pc).


Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com