
Data of almost all employees of Russian Railways were publicly available
The personal data of 703 thousand employees of Russian Railways, from the CEO down to the train drivers, were publicly available. A few hours later, the administrator of the site that published the data closed access to it, but this did not stop the data from spreading further. Russian Railways announced that it had begun an inspection.

According to the company's report for the first half of 2019, Russian Railways had 732 thousand employees, so the leak exposed the full names, addresses, individual insurance account numbers (SNILS), phone numbers and even photos of 96% of its employees.

However, a representative of Russian Railways stated that passengers' personal data had not been stolen: "The Ticket Sales System has the protection of personal data of a high degree of reliability."

Ashot Hovhannisyan, founder and technical director of DeviceLock, a company specializing in preventing data leakage from corporate computers, reported on Tuesday, August 27, in his Telegram channel "Information Leak" and in his blog on Habr.com that unknown persons had posted the personal data of 703 thousand people in open access. The attackers also added a note to the publication: "Thanks to Russian Railways for the information provided by careful handling of personal data of its employees."

The data of Russian Railways employees was published on the website infach[.]me under the title "Slaves of the Railways". At the time of writing, the website is down. The infach[.]me domain was registered in February 2018 and allowed users to anonymously publish other people's personal data.

According to the results of Russian Railways' initial inspection, the employees' data ended up in open access after a system was hacked. According to one version, cybercriminals hacked the servers on which the Personnel Department stored complete information about employees, including their first and last names, SNILS, mobile phone numbers and tax identification numbers. According to another version, the attackers hacked the database of the Corporate University of Russian Railways, where almost all employees study. The company said the incident was an attempt to discredit it, but the purpose is still unknown.

It should be noted that the day before, a leak of the data of hundreds of Russians also became known, presumably through the Russian System for Operative Investigative Activities (SORM), which the security services use to read citizens' correspondence.

The largest Russian telecom company, Tele2, monitors subscribers using a script

The company is totally out of line: it distributes its malicious scripts through a CDN, which allows it to receive information about any action its customers take.

In the 21st century, it is becoming increasingly difficult to keep your personal data safe. Now providers have begun to intrude on the personal territory of Internet users. Earlier, another Russian telecom company, Beeline, was caught violating confidentiality by injecting spam ads directly into websites using a virus.

Recently it was discovered that Tele2 is monitoring subscribers using a dangerous script. The company gains access to the data through the mass deployment of scripts via a CDN.

The operator's customers did not even suspect that they were being watched. The script, which Tele2 worked hard to distribute, was designed to display additional advertising on the site, and it can also be used to derive keywords for targeted advertising. The provider was able to do this because pages were loaded over plain HTTP rather than HTTPS, so an operator in the network path can modify the traffic.

So this mechanism can allow third parties not only to track subscribers' browsing but also to monitor all of their activity.

Experts believe that such actions by telecommunications companies are not merely a way to profit from advertising; the matter is much more serious.

At the moment Tele2 is one of the largest companies in Russia and is engaged in building a 5G network. This means that it has access to many channels and servers. Soon, after the 5G network is successfully integrated, all devices of Russians will become infected. It is possible that this data is transmitted to the country's authorities, since at the moment the Internet is the only area where the government does not have total control, so it is forced to obtain it in such a fraudulent way.

Recall that EhackingNews previously reported that providers in Kazakhstan are persuading customers to install a "state trusted certificate" on all their devices, which will allow all of the country's encrypted traffic to be intercepted, in order to protect citizens from cyber threats and illegal content. Telecom operators warn that without the certificate, customers may encounter problems accessing certain Internet resources.

GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancée.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

Programmer wrote software to track women in porn videos using face recognition

A Chinese programmer based in Germany created software that uses face-recognition technology to identify women who have appeared in porn videos.

Information about the project was posted on the Chinese social network Weibo. Then the Twitter user @yiqinfu tweeted: "A Germany-based Chinese programmer said he and some friends have identified 100k porn actresses from around the world, cross-referencing faces in porn videos with social media profile pictures. The goal is to help others check whether their girlfriends ever acted in those films."

The project took nearly half a year to complete. The videos were collected from the websites 1024, 91, sex8, PornHub and xvideos, and altogether the collection amounts to more than 100 terabytes of data.

The faces appearing in these videos are compared with profile pictures from popular social media platforms such as Facebook, Instagram, TikTok, Weibo and others.

The coder deleted the project and all of his data after he found out that the project violated European privacy law.

However, there is no guarantee that no other program exists somewhere in the world that matches women's social-media photos with images from porn sites.

According to the programmer, what he did "was legal because 1) he hasn't shared any data, 2) he hasn't opened up the database to outside queries, and 3) sex work is legal in Germany, where he's based."

But this incident has made clear that a program like this is possible and would have awful consequences. "It's going to kill people," says Carrie A. Goldberg, an attorney who specializes in sexual privacy violations.

“Some of my most viciously harassed clients have been people who did porn, oftentimes one time in their life and sometimes nonconsensually [because] they were duped into it. Their lives have been ruined because there’s this whole culture of incels that for a hobby expose women who’ve done porn and post about them online and dox them.” 

The European Union’s GDPR privacy law prevents this kind of situation, but people living in other places are not as lucky. 

Gmail Gears Up For Tougher Data Privacy Laws

Google's email service, as it gets ready for tougher data privacy laws, has added an option that makes messages inaccessible after a set period of time.

The new "confidential mode" can be used to stop recipients from easily forwarding, copying, downloading or printing correspondence sent via Gmail.

BBC News reports that the new features are part of a broader overhaul of the cloud-based service. Experts say the options are "long past due" but should help Google persuade more organizations and businesses to sign up.

Chris Green, from the tech consultancy Lewis, says:

"Other platforms, like Microsoft Exchange, let you use plug-ins to do something similar. So this isn't anything unique. But none of the cloud-based mail services have offered these data protection features until now, so they are quite distinctive in that respect."

Since screen grabs and photos of a computer display are still possible, the anti-copy functions will not stop determined users from replicating messages. Rather, they are intended to limit the risk of confidential information being accidentally passed on to the wrong party, which may constitute a data breach.

This move comes a month before a new EU data privacy law, the General Data Protection Regulation (GDPR), comes into force.

It requires organisations to inform their local data protection authority of a breach within 72 hours of becoming aware of it, and increases the amount they can be fined for non-compliance.

"The timing of this is not a coincidence," Mr Green adds. "A lot of this will be about ensuring that Gmail will continue to be viable for enterprise users, as it will help them show they are GDPR-compliant."