Category Archives: Safety & Security

Data breach exposes data of more than 100K patients at Utah Pathology Services

A number of reports have named healthcare facilities and services as a prime target for cyber attacks, which is no surprise given the amount of personal data contained in their patient records. What the report below shows, however, is that it took the identification of a different problem to reveal the scope of data that was being made available, including in some cases Social Security numbers.

As one might expect, Utah Pathology has updated its security measures but it has also offered one year of free identity monitoring services to individuals affected by the incident.

The company wrote it discovered on June 30 that an unknown third party hacked into one of its email accounts in an attempt to redirect funds from the business. After discovering the attempted fraud, Utah Pathology secured the email account and launched an investigation.

Approximately 112,000 patients had their personal information exposed by a data breach at Utah Pathology Services.

The breach was discovered when the organization found that “an unknown party attempted to redirect funds from within Utah Pathology,” according to a press release from the company. The attempted fraud led to the discovery that patient information was accessible and included one or more of the following:

    • Date of birth
    • Gender
    • Phone number
    • Mailing address
    • Email address
    • Insurance information including ID and group numbers and clinical and diagnostic information related to pathology services
    • And, for a smaller percentage of patients, Social Security number

Source: Breach exposes data of more than 100K patients at Utah Pathology Services | KUTV

Emerging Technology Trend: Data Privacy Compliance Becomes Part of a New Normal

Data privacy compliance will spur corporate spending, leading to an investing opportunity for those that recognize it.

The General Data Protection Regulation (GDPR) was adopted in April of 2016 by the European Union and became effective in May of 2018. At a high level, these regulations are fairly straightforward in their requirement to “Protect User Data,” but we see that, like any regulation worth its salt, compliance may not be as straightforward as advertised. As you’ll see, despite the complexities and sea of acronyms to be had, the bottom line is that data privacy compliance will spur corporate spending, leading to an investing opportunity for those that recognize it. With that said, here’s a look at GDPR’s set of regulations affecting companies that collect data on citizens of countries within the European Union.

This legislation looks to lay out a framework that protects “fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.” From the get-go, this is strong stuff. This is targeted at information that users have already provided (knowingly or unknowingly) to companies they interact with online.

READ MORE HERE: Emerging Technology Trend: Data Privacy Compliance Becomes Part of a New Normal | Nasdaq

Alexa hack showcases vulnerabilities in connected IoT devices

A recent report from Check Point Security (CHKP) revealed that a number of Amazon (AMZN) and Alexa subdomains were vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS). The report goes on to say that by using XSS, an attacker would be able to acquire a CSRF token that would provide them access to elements of the smart home installation. It is another reminder of the dark side to our increasingly connected Digital Lifestyle, and one that also bodes well for those constituents inside the Foxberry Tematica Research Cybersecurity & Data Privacy Index.

According to the researchers, these could include automatically installing Alexa skills without the knowledge of the user, acquiring a list of all installed skills, silently removing installed skills, acquiring the victim’s voice history with Alexa, and even obtaining personal information.

This skill manipulation can allow for a modified version of an existing skill to be installed and then used by the user, one that could allow actions to be performed by the attacker, or for further acquisition of data from the user. It could even be possible for an attacker to install a skill to eavesdrop into conversations near an Echo device.

“Internet of Things devices are inherently vulnerable and still lack adequate security, which makes them attractive targets to threat actors,” Check Point writes. “Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems. This research presented a weak point in what is a bridge to such IoT appliances. Both the bridge and the devices serve as entry points. They must be kept secured at all times to keep hackers from infiltrating our smart homes.”

Source: Alexa hack granted attackers access to an Echo user’s smart home network | Appleinsider

GDPR class action lawsuits over cookie tracking consent hit Oracle and Salesforce

One of the key differentiators in Tematica’s Cybersecurity & Digital Privacy investment theme and the Foxberry Tematica Research Cybersecurity & Data Privacy Index has been the recognition of the evolving data privacy regulatory landscape. One of those key pieces is the GDPR regulation, which requires that consent for processing an EU citizen’s personal data be informed, specific and freely given, and which confers rights on individuals surrounding their data, including the ability to receive a copy of their personal information. It’s against that regulatory backdrop that Oracle and Salesforce are facing lawsuits in the UK and the Netherlands.

The high-profile nature of these companies, and therefore of these lawsuits, along with the impact on third-party cookie usage for ad tracking and targeting and the potential size of the fines to be had, make these cases ones to watch.

The use of third party cookies for ad tracking and targeting by data broker giants Oracle and Salesforce is the focus of class action style litigation announced today in the UK and the Netherlands.

Non-profit foundation, The Privacy Collective, has filed one case today with the District Court of Amsterdam, accusing the two data broker giants of breaching the EU’s General Data Protection Regulation (GDPR) in their processing and sharing of people’s information via third party tracking cookies and other adtech methods.

The Dutch case, which is being led by law-firm bureau Brandeis, is the biggest-ever class action in The Netherlands related to violation of the GDPR — with the claimant foundation representing the interests of all Dutch citizens whose personal data has been used without their consent and knowledge by Oracle and Salesforce.

A similar case is due to be filed later this month at the High Court in London, England, which will make reference to the GDPR and the UK’s PECR (Privacy of Electronic Communications Regulation) — the latter governing the use of personal data for marketing communications. The case there is being led by law firm Cadwalader.

Discussing the lawsuit in a telephone call with TechCrunch, Dr Rebecca Rumbul, class representative and claimant in England & Wales, said: “There is, I think, no way that any normal person can really give informed consent to the way in which their data is going to be processed by the cookies that have been placed by Oracle and Salesforce.

“When you start digging into it there are numerous, fairly pernicious ways in which these cookies can and probably do operate — such as cookie syncing, and the aggregation of personal data — so there’s really, really serious privacy concerns there.”

Source: Oracle and Salesforce hit with GDPR class action lawsuits over cookie tracking consent | TechCrunch

Another privacy watchdog to investigate TikTok

It seems a day doesn’t go by that we don’t hear of another digital or data privacy concern. A reminder that we need to be careful and mindful with our digital footprint, but also a positive driver for the Foxberry Ltd Tematica Research, LLC Cybersecurity & Digital Privacy Index and the corresponding ETF from Rize ETF.

Today’s latest Signal is below, and it raises questions for potential TikTok suitors such as Microsoft (MSFT) and others. It also likely means privacy-focused Apple (AAPL), which had reportedly been talking to TikTok, will take a hard pass on the company.

France’s data privacy watchdog CNIL said on Tuesday that it has opened a preliminary investigation into Chinese-owned video-sharing app TikTok after it received a complaint.

TikTok, owned by China’s ByteDance, is already under investigation over privacy concerns by U.S., European Union and Dutch authorities.

“A complaint about TikTok was received in May. This complaint is now under investigation,” a CNIL spokesman said, confirming a Bloomberg report.

In the United States, officials have said that TikTok poses a national security risk because of the personal data it handles.

In June, the European Data Protection Board (EDPB) said it would set up a task force to assess TikTok’s activities across the bloc after a request from an EU lawmaker concerned about its data collection and security and privacy risks.

Source: French privacy watchdog opens preliminary investigation into TikTok

You may want to think twice before opening that email…

According to Barracuda Networks, cybercriminals are increasingly registering accounts with legitimate email services, especially Alphabet’s (GOOGL) Gmail and Verizon’s (VZ) Yahoo, to use them in impersonation and Business Email Compromise (BEC) attacks. It is another data point that speaks to the ingenuity of attackers capitalizing on defense weaknesses, especially during the COVID-19 pandemic, and to the growing demand profile for cybersecurity and data privacy solutions that is propelling the constituents in the Foxberry Tematica Research Cybersecurity & Data Privacy Index.

In their most recent threat spotlight report, Barracuda researchers observed that 6,170 malicious accounts using Gmail, AOL and other email services have been responsible for over 100,000 BEC attacks, which have impacted nearly 6,600 organizations. What’s more, since April 1, these ‘malicious accounts’ have been behind 45% of all BEC attacks detected.

Essentially, cybercriminals are using malicious accounts to impersonate an employee or trusted partner, and send highly personalized messages for the purpose of tricking other employees into leaking sensitive information, or sending over money.

The preferred choice of email service for malicious accounts is Gmail, which accounts for 59% of all email domains used by cybercriminals. Yahoo! is the second most popular, accounting for just 6% of all observed malicious account attacks.

Source: 6,600 organizations bombarded with 100,000+ BEC attacks – Help Net Security
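The pattern Barracuda describes above (a real employee's name in the display field, but the account registered at Gmail, Yahoo or AOL) is something a mail-flow rule can flag. The following is an added example, not code from Barracuda or Help Net Security; the corporate domain, the employee roster and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed roster and domain for this example; a real deployment would
# load them from the directory.
OUR_DOMAIN = "example-corp.com"
EMPLOYEES = ["Jane Doe", "Dan Smith"]
# Legitimate services the report says malicious accounts are registered on.
FREEMAIL = {"gmail.com", "yahoo.com", "aol.com"}

def _name_key(name: str) -> str:
    """Normalise so 'Doe, Jane' and 'jane doe' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def flag_impersonation(from_header: str, reply_to: str = "") -> list:
    """Return the indicators that fire for one inbound message (empty = clean).
    The checks are narrow on purpose so a mail-flow rule built on them does not
    quarantine every legitimate Gmail correspondent."""
    reasons = []
    display, addr = parseaddr(from_header)
    sender_domain = _domain(addr)
    roster = {_name_key(n) for n in EMPLOYEES}

    # 1. Employee name in the display field, but the account lives at a free
    #    webmail provider instead of the corporate domain.
    if sender_domain in FREEMAIL and _name_key(display) in roster:
        reasons.append(f"employee name '{display}' sent from {sender_domain}")

    # 2. Corporate name written into the display name or local part to look
    #    internal, while the real domain is a freemail provider.
    if sender_domain in FREEMAIL and OUR_DOMAIN.split(".")[0] in (display + addr).lower():
        reasons.append(f"corporate name used in sender text but domain is {sender_domain}")

    # 3. Replies steered away from the apparent sender to a freemail account.
    if reply_to:
        rt_domain = _domain(parseaddr(reply_to)[1])
        if rt_domain in FREEMAIL and rt_domain != sender_domain:
            reasons.append(f"Reply-To redirects to {rt_domain}")
    return reasons

if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        ('"Jane Doe" <jane.doe.exec@gmail.com>', ""),
        ('"Accounts Payable" <ap@example-corp.com>', '"AP" <ap.examplecorp@yahoo.com>'),
        ('"Weekly Digest" <digest@gmail.com>', ""),
    ]
    for frm, rt in samples:
        print(frm, "->", flag_impersonation(frm, rt) or "clean")
```

A hit is a reason to route the message for review, not proof of fraud; the value is in catching the "trusted name, untrusted mailbox" combination before the personalised request for money or data is acted on.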

Old Problems, New Technology: Cybersecurity Today and the Companies Leading the Way

The term “cybersecurity” often brings to mind images of either a nefarious looking hooded computer nerd superimposed over floating dollar signs or a picture of a shiny lock superimposed over a background of floating binary numbers – imposing and futuristic stuff! 

While we are all enamored with the newest and shiniest things, let’s not forget that current cybersecurity technology is just another step in the evolution of protecting communications and data storage. Securing information and verifying identity are millennia-old processes that started with trusted couriers and clay seals. Today’s trusted couriers come in the form of digital identity verification, with clay seals in the form of 256-bit (and higher) encryption. In addition to this framework are the secure message pathways in the form of what is known as “end-to-end” encryption, which not only wraps each message in encryption but provides a fortified route in between any and all participants.

At a high level, the basic approach to message security hasn’t changed over thousands of years. Long ago, anyone looking to disrupt secure communication could do so by either corrupting the messenger or capturing the message en route and modifying or replacing the message contents altogether. When we look at how this can happen today, the basic approach is the same but the methods have once again evolved. 

Let’s take a look at how hackers can compromise your communications and data – the “attack vectors.”

READ MORE HERE

Microsoft talks about privacy and transparency for Edge

Compared to several years ago, there are a number of internet browsers one can use on a desktop, laptop, smartphone or tablet to surf the web and do all of the digital things associated with Tematica’s Digital Lifestyle investing theme. While the more common ones are Microsoft’s Internet Explorer, Google’s Chrome and Apple’s Safari, there have been functionality, compatibility and privacy concerns with those products. In fact, in a bid to protect our privacy and block data-grabbing ads and trackers, members of Team Tematica prefer to use Brave, Firefox and DuckDuckGo as well as NordVPN, Norton VPN and Cloudflare. Given all of that, as well as Apple talking up how it values the privacy of its customers, it comes as little surprise that Microsoft would discuss its improved privacy with Edge, its new internet browser. Now to see what Google does…

Our browser privacy promise is to provide you with the protection, transparency, control and respect you deserve. To uphold commitments to give you transparency into Microsoft products, the Microsoft Edge team provided a privacy whitepaper that explains how Microsoft Edge features and services work and how each may affect your privacy. The goal of the Microsoft Edge team is to give you a full understanding into how your data is used, how to control the different features, and how to manage your collected data, so you have the info you need to make the right privacy decisions for you.

Source: Microsoft Edge Privacy Whitepaper – Microsoft Edge Development | Microsoft Docs

Before you TikTok, think again

Similar to the explosive adoption of videoconferencing service Zoom Video Communications, traffic for short-form mobile video platform TikTok has soared of late, more than likely due in part to the coronavirus lockdowns and self-cocooning that has taken place over the last several weeks. However, as the authors below point out, “HTTP traffic can be easily tracked, and even altered by malicious actors.”

After the cybersecurity and data privacy issues that were uncovered with Zoom, we suspect much more will be made of this privacy vulnerability at TikTok in the coming days. Let’s remember that the average number of days between a breach being discovered according to Accenture is roughly 50 days.

TikTok’s continued use of HTTP to move sensitive data across the internet is allowing the videos and other content being sent by the app’s users to be tracked and altered, according to two web developers.

Talal Haj Bakry and Tommy Mysk noted in a blog that the CDN used by TikTok still uses unencrypted HTTP for data transfers instead of HTTPS creating a gap in their security that can be exploited.

“While this [using HTTP] improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors,” they said.

TikTok’s high risk factor has already pushed the U.S. military to ban its members from using the Chinese-owned app due to its privacy and security issues. The company has rejected those claims, but the app’s activity has spurred some legal action. In early 2019, the Federal Trade Commission said Musical.ly, TikTok’s earlier iteration, illegally gathered and used children’s personal data, and levied a $5.7 million fine on the app for violating the Children’s Online Privacy Protection Act (COPPA).

Part of the problem is that TikTok takes advantage of the fact that Apple and Google still allow developers to not use HTTPS, a loophole that allows for backward compatibility. But Bakry and Mysk said doing so should be a rare exception and not for such a heavily used app. The versions of TikTok for iOS, 15.5.6, and Android, 15.7.4, still send content to their CDN using HTTP.

“Consequently, TikTok inherits all of the known and well-documented HTTP vulnerabilities. Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history. Public Wifi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort,” they wrote.

This leaves anyone using the TikTok app open to man-in-the-middle attacks, where a threat actor could replace the video, photo or text being transmitted with spam or fake news designed to embarrass the sender.

Source: TikTok app inherently unsafe and a privacy risk | SC Media
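The researchers' point above is that with HTTP the full URL of every video travels in the clear, so any on-path observer can rebuild a watch history, whereas with HTTPS only the hostname is exposed. The audit below is an added example, not code from Bakry and Mysk or SC Media: it runs over a constructed QA proxy log for a hypothetical app (placeholder hosts, not TikTok's real CDN names), separates what an observer would learn from each request, and treats any cleartext host that is not an explicitly listed exception as a policy violation.

```python
from urllib.parse import urlsplit

# Constructed QA proxy log for a hypothetical app: "<method> <url> <status>"
# per line. Hosts are placeholders, not any real CDN.
SAMPLE_LOG = """\
GET https://api.example-app.invalid/v1/feed 200
GET http://cdn-v1.example-app.invalid/video/7f3a9c.mp4 200
GET http://cdn-v1.example-app.invalid/video/b81e02.mp4 200
GET http://cdn-v2.example-app.invalid/img/avatar_9921.jpg 200
GET https://cdn-v3.example-app.invalid/video/c0ffee.mp4 200
"""

def audit_cleartext(log_text: str) -> dict:
    """Sort each request by what an on-path observer (router, public Wi-Fi,
    ISP) learns from it. For https:// only the hostname is exposed, via DNS
    and the TLS SNI field; for http:// the whole URL is, so the per-host list
    of paths is exactly the watch history the researchers describe."""
    report = {"cleartext": {}, "encrypted_hosts": set(), "unparsed": []}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            report["unparsed"].append(line)
            continue
        u = urlsplit(parts[1])
        if u.scheme == "http" and u.hostname:
            report["cleartext"].setdefault(u.hostname, []).append(u.path)
        elif u.scheme == "https" and u.hostname:
            report["encrypted_hosts"].add(u.hostname)
        else:
            report["unparsed"].append(line)
    return report

def violates_policy(report: dict, allowed_cleartext=()) -> bool:
    """True if any cleartext host is not an explicitly documented exception.
    The platform exemptions for legacy HTTP should be rare and named here,
    not left open for the whole app."""
    return any(h not in allowed_cleartext for h in report["cleartext"])

if __name__ == "__main__":
    r = audit_cleartext(SAMPLE_LOG)
    for host, paths in r["cleartext"].items():
        print(f"{host}: {len(paths)} cleartext transfer(s), e.g. {paths[0]}")
    print("encrypted hosts (only names visible):", sorted(r["encrypted_hosts"]))
    print("policy violated:", violates_policy(r))
```

The same rule is enforced declaratively on the two platforms the excerpt mentions (Android's network security config with cleartextTrafficPermitted set to false, and iOS App Transport Security without an NSAllowsArbitraryLoads exception); the log audit catches requests that slip through a per-domain exemption.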