Adobe Fined $1M in Multistate Suit Over 2013 Breach; No Jail for Spamhaus Attacker. From KrebsOnSecurity.
Adobe will pay just $1 million to settle a lawsuit filed by 15 state attorneys general over its huge 2013 data breach that exposed payment records on approximately 38 million people. In other news, the 39-year-old Dutchman responsible for coordinating an epic, weeks-long distributed denial-of-service attack against anti-spam provider Spamhaus in 2013 will avoid any jail time for his crimes thanks to a court ruling in Amsterdam this week.
On Oct. 3, 2013, KrebsOnSecurity broke the story that Adobe had just suffered a breach in which hackers siphoned usernames, passwords and payment card data on 38 million customers. The intruders also made off with digital truckloads of source code for some of Adobe’s most valuable software properties — including Adobe Acrobat and Reader, Photoshop and ColdFusion.
- Red Cross Blood Service admits to personal data breach affecting half a million donors. From ABC.net.au.
The personal data of 550,000 blood donors that includes information about “at-risk sexual behaviour” has been leaked from the Red Cross Blood Service in what has been described as Australia’s largest security breach.
Data from blood donor registration form posted insecurely online
Leak included identifying information and “personal details” of 550,000 donors
All copies of the data believed to be destroyed
The organisation said it was told on Wednesday that a file containing donor information was placed on an “insecure computer environment” and “accessed by an unauthorised person”.
The biggest lesson emerging from the recent recall of 3.2 million debit cards by various Indian banks is that most of the systems that the government and the country’s financial sector put in place to deal with a major cyber attack failed to detect the data breach that necessitated this recall.
As banks scramble to put together a root cause analysis of the events that led to the malware (malicious software) attack that led to one of the biggest security breaches in banks in India in September and October, there is a realisation that institutions failed to share information with each other, leading to cascading failures that permitted the breach to continue undetected for a while.
2. Data breach at Weebly affects 43 million users. From Graham Cluley.
A data breach at free website builder Weebly has compromised the personal information of over 43 million users.
News of the breach arrived on 20 October when LeakedSource.com published a database of 43,430,316 Weebly users’ information on its website. Those records contain a username, email address, password, and IP address.
Little information is known about how those responsible for the breach exfiltrated all of that data, but we do know that the breach occurred at the web-hosting service in February 2016 and that an anonymous source provided LeakedSource with the database.
1. Verizon signals Yahoo data breach may affect acquisition. From CSO Online.
Verizon has signaled that Yahoo’s massive data breach may be enough reason to halt its US$4.8 billion deal to buy the internet company.
On Thursday, Verizon’s general counsel Craig Silliman said the company has a “reasonable basis” to believe that the breach involving 500 million Yahoo accounts has had a material impact on the acquisition. This could give the company room to back out or get a large discount.
- NSA contractor arrest highlights challenge of insider threat. From Washington Times. The arrest of a National Security Agency contractor for allegedly stealing classified information was the second known case of a government contractor being publicly accused of removing secret data from the intelligence agency since 2013.
The latest arrest came despite efforts to reform security after the Edward Snowden disclosures, especially in regards to insider threats.
Harold Thomas Martin III, 51, of Glen Burnie, Maryland, was arrested by the FBI in August after federal prosecutors say he illegally removed highly classified information and stored the material in his home and car. A defense attorney said Martin did not intend to betray his country.
Guccifer 2.0 dumps a bunch of Clinton Foundation donor data. From Engadget. Julian Assange’s “October surprise” press conference may have been a bust but his Gilligan, the hacker calling himself Guccifer 2.0, came through on Tuesday, releasing a large database of information reportedly stolen from the Clinton Foundation. The dump includes the names, addresses and emails of both individual and corporate donors as well as their contribution amounts.
Yahoo’s disclosure that hackers stole user data from at least 500 million accounts in 2014 has highlighted shortcomings in U.S. rules on when cyber attacks must be revealed and their enforcement.
Democratic Senator Mark Warner this week asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives properly disclosed the attack, which Yahoo blamed on Sept. 22 on a “state-sponsored actor.”
The Yahoo hack could become a test case of the SEC’s guidelines, said Jacob Olcott, former Senate Commerce Committee counsel who helped develop them, due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo’s discovery.
- Trump hotel chain fined over data breaches. From ComputerWorld.
Trump Hotel Collection has arrived at a settlement with New York Attorney General Eric T. Schneiderman over hacks that are said to have led to the exposure of over 70,000 credit card numbers and other personal data.
The hotel chain, one of the businesses of Republican presidential candidate Donald Trump, has agreed to pay $50,000 in penalties and promised to take measures to beef up its data security practices, according to the attorney general’s office.
The chain is one of many hotels and retailers that have been hit recently by malware that skimmed payment card information.
The White House is looking into a cyber breach after what appeared to be a scan of first lady Michelle Obama’s passport was posted online.
The fresh disclosures, which included emails to and from White House staff, raised further concerns about the security of sensitive systems following a string of breaches affecting government agencies, private companies and the Democratic National Committee. Though officials declined to say whether the disclosures were authentic, there were no immediate reasons to suspect they were not.
The US att
Yahoo Confirms At Least 500 Million Accounts Were Hacked. From Fortune.
Yahoo said on Thursday that information for at least 500 million user accounts was stolen from its network in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the biggest cyber breach ever.
Yahoo said the stolen data may have included names, email addresses, telephone numbers, dates of birth, and encrypted passwords, but that unprotected passwords, payment card data, and bank account information did not appear to have been compromised.
“This is the biggest data breach ever,” said well-known cryptologist Bruce Schneier.