Tag Archives: Breach

Australia's IMF Bentham to fund complaint against Facebook over alleged privacy breach
July 10, 2018 6:43 am

(Reuters) – Litigation funding provider IMF Bentham Ltd (IMF.AX) said on Tuesday it was funding a representative complaint against social networking website Facebook Inc (FB.O) over alleged breaches of the Australian Privacy Principles.

FILE PHOTO: A Facebook panel is seen during the Cannes Lions International Festival of Creativity, in Cannes, France, June 20, 2018. REUTERS/Eric Gaillard/File Photo

The company said it would fund the complaint made to the Australian Information Commissioner against Facebook Australia, Facebook Inc and Facebook Ireland. The complaint is being handled by Sydney-based law firm Johnson Winter & Slattery.

The Australian Information Commissioner has also commenced a separate investigation into the matter, IMF Bentham said, adding a class action may follow depending on the Commissioner’s findings.

Facebook has come under intense scrutiny after it admitted in March to making mistakes in letting 50 million users’ data get into the hands of political consultancy Cambridge Analytica.

The company lost more than $50 billion in market value in the week after the allegations emerged that Cambridge Analytica improperly accessed data to build profiles on American voters and influence the 2016 presidential election.

Facebook had said in April that a little more than 311,000 Australian users may have had their information improperly shared with Cambridge Analytica. (bit.ly/2Ejpktb)

Facebook’s Australian arm was not immediately available for a comment.

Reporting by Ambar Warrick in Bengaluru; Editing by Himani Sarkar

New Zealand's Z Energy flags possible data breach in online card system
June 27, 2018 6:21 am

(Reuters) – New Zealand-based fuel supplier Z Energy Ltd on Wednesday said it has been presented with evidence that customer data from its Z Card Online database was accessed by a third party in November 2017.

The database held customer data such as names, addresses, registration numbers, vehicle types and credit limits with the company, Z Energy said in a statement. The data accessed did not include bank details, PIN numbers or information that would put customer finances directly at risk, it said.

Z Energy did not specify the extent to which its customer data had been compromised.

The company said it had notified affected customers and advised the Privacy Commissioner of the breach. It said the system in question had been closed since December 2017.

The Z Card allows customers to manage fuel accounts online, and is used primarily by companies with vehicle fleets.

Z Energy said it had been made aware of a potential vulnerability in the system in November, but had not found evidence of any data breaches at that time.

Z Energy operates in both New Zealand and Australia. New laws in Australia requiring companies to report data breaches took effect in late February this year.

Reporting by Ambar Warrick in Bengaluru

Saks, Lord & Taylor hit by payment card data breach
April 1, 2018 6:01 pm

NEW YORK (Reuters) – Hudson’s Bay Co said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised.

The Lord & Taylor flagship store building is seen along Fifth Avenue in the Manhattan borough of New York City, U.S., October 24, 2017. REUTERS/Shannon Stapleton

The Canadian retail company said it had identified the issue and taken steps to contain it, adding that “there is no indication” so far that the issue had affected the company’s e-commerce or other digital platforms.

Customers will not be liable for fraudulent charges that may result from the issue, the company said.

The stores involved include Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor, the company said.

Reporting by David Henry in New York; Editing by Bill Rigby

Exclusive: Uber paid 20-year-old Florida man to keep data breach secret – sources
December 7, 2017 12:29 am

SAN FRANCISCO/WASHINGTON (Reuters) – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.

FILE PHOTO – The logo of Uber is seen on an iPad, during a news conference to announce Uber resumes ride-hailing service, in Taipei, Taiwan April 13, 2017. REUTERS/Tyrone Siu

Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.

Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.

A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.

HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.

According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.

One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.

‘SHOUT IT FROM THE ROOFTOPS’

Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.

Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.

Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.

Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.

“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.

Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.

“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.

Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.

Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.

Sullivan and Clark did not respond to requests for comment.

In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”

Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.

Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby

Our Standards: The Thomson Reuters Trust Principles.

Uber CEO says company failed to disclose massive breach in 2016
November 22, 2017 12:03 am

(Reuters) – Uber Technologies Inc [UBER.UL] failed to disclose a massive breach last year that exposed the data of some 57 million users of the ride-sharing service, the company’s new chief executive officer said on Tuesday.

FILE PHOTO: Uber CEO Travis Kalanick speaks to students during an interaction at the Indian Institute of Technology (IIT) campus in Mumbai, India, January 19, 2016. REUTERS/Danish Siddiqui

Discovery of the company’s handling of the incident led to the departure of two employees who led Uber’s response to the incident, said Dara Khosrowshahi, who was named CEO in August following the departure of founder Travis Kalanick.

Khosrowshahi said he had only recently learned of the matter himself.

The company’s admission that it failed to disclose the breach comes as Uber is seeking to recover from a series of crises that culminated in Kalanick’s ouster in June.

FILE PHOTO: The logo of Uber is seen on an iPad, during a news conference to announce Uber resumes ride-hailing service, in Taipei, Taiwan April 13, 2017. REUTERS/Tyrone Siu/File Photo

According to the company’s account, two individuals downloaded data from a third-party cloud server used by Uber, which contained names, email addresses and mobile phone numbers of some 57 million Uber users around the world. They also downloaded names and driver’s license numbers of some 600,000 of the company’s U.S. drivers, Khosrowshahi said in a blog post.

He said he had hired Matt Olsen, former general counsel of the U.S. National Security Agency, to help him figure out how to best guide and structure the company’s security teams and processes.

The chief executive of Uber Technologies Inc, Dara Khosrowshahi attends a meeting with Brazilian Finance Minister Henrique Meirelles (not pictured) in Brasilia, Brazil October 31, 2017. REUTERS/Adriano Machado

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in the blog post.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” he said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

(Corrects paragraph 1 to data instead of date)

Reporting by Jim Finkle in Toronto; Editing by Tom Brown

What you should know, and do, about the Yahoo breach
December 20, 2016 4:15 pm

Yahoo’s announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale — it’s the largest data breach ever — and the potential security implications for users.

That’s because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users’ online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.

Here’s what you should know, and do, about the Yahoo breach
December 19, 2016 1:50 pm

Yahoo’s announcement that state-sponsored hackers stole the details of at least 500 million accounts shocks both through scale — it’s the largest data breach ever — and the potential security implications for users.

That’s because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users’ online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.
