
Hackers Send Fake Census Form Alerts to UK Respondents

 


The United Kingdom, like every other country, runs a census every ten years. The census asks residents a number of questions about their address, age, name, nationality, employment, health, education, and language. (The census is mandatory and participants are obliged to provide answers.)
 
The census takes place in years ending in 1, except in Scotland, where it has been postponed until 2022 due to the Covid-19 pandemic. Because of the pandemic, most respondents are filling in their forms online: the government sends each resident a unique 16-digit access code by snail mail. The participant can go to the official government census website and enter the 16-digit login code, which saves the arduous work of filling in the form by hand and mailing it back. If the participant fails to complete the census form before 21-03-2021, the government will send a series of warning notifications with a unique 16-digit code, requesting that the participant fill in the form and fining him €1000 if he fails to do so.
 
Naked Security reports, "the criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have cloned the UK Office for National Statistics “look and feel” very believably."
 
Stay alert to forged forms
 
If you haven't filled in the form yet but may do so soon, stay wary of fake "census reminders" sent by the hackers. And if you've already filled in your form, be on the alert if you are told that some details need to be modified. The hackers are trying to take advantage of the online census by luring participants into phishing attacks and stealing their data.
 
The fake form may ask for your postcode instead of your unique 16-digit code (the hackers could also have sent a fake 16-digit code, but they chose not to). After that, the hackers ask questions similar to those you would answer on the original form. In the fake form's case, however, you end up exposing your personal details to the hackers instead of sending them to the Office for National Statistics.

 
How to stay safe?

 
1. Check the domain name to confirm you are on the official website before filling in the form.
 
2. Don't open links that you receive via SMS or e-mail.
 
3. Stay alert to text messages that you receive, and read the message carefully before filling in the form.
 

Forex Broker Leaked Customer Records

 

White hat hackers have disclosed a significant leak of client information by online forex dealer FBS Markets. The leak comprises a great many confidential records, including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more. Details of the security breach, which has since been rectified after the dealer was alerted, were uncovered by Chase Williams, a white hat hacker and site security expert, on the website WizCase. At this stage it isn't clear whether any of the leaked information has been used for fraudulent purposes by threat actors.

The information leak was revealed as part of an ongoing WizCase research project that scans for unsecured servers and tries to establish who owns them. WizCase informed FBS of the issue. Williams said that FBS left a server containing almost 20 TB of information and over 16bn records exposed. Despite containing very sensitive financial data, the server was left open without any password protection or encryption. WizCase's group said the FBS data “was accessible to anyone.” “The breach is a danger to both FBS and its customers,” WizCase said. “User information on online trading platforms should be well secured to prevent similar data leaks.”

The broker said, “The protection of our clients' privacy is one of the core values of FBS, and we stick to the highest protection standards. FBS has never had such major accidents. In October 2020 we faced an overheating on the server which affected our logs recording. During the time when we were setting up a new ElasticSearch server, several wrong subnet masks were added accidentally, which led to the possibility to access the server for a very limited number of people only, in a certain part of the world.”

FBS added that it had completed a technical audit and that, to its knowledge, no information had been downloaded. It has contacted the affected customers whose information may have been compromised and advised them on what to do. FBS has additionally moved to a more strongly encrypted VPN and has introduced an intrusion detection system. New rules for working with the forex broker's infrastructure have been applied, and other safety measures have also been carried out.

Experts listed the methods used by fraudsters to obtain personal data

As noted by experts, information leaks at large companies do not happen often, but data theft can occur through contractors.

Scammers obtain the personal data of Russians through gaps in companies' security or from informants inside them, from citizens' social network profiles, and through phishing sites.

"Often, a person can simply share their name and phone number, for example, on social networks. Such data can also be collected from data leaks," said Sergey Golovanov, a leading expert at Kaspersky Lab.

He clarified that information leaks at large companies do not happen often, as they pay great attention to their cybersecurity. However, data theft can be carried out through contractors, who do not always have the resources needed to ensure security when processing personal data. According to the expert, leaks can also occur from small online stores or other services where customers are asked for such information.

As Anastasia Barinova, deputy head of the Group-IB Computer Forensics laboratory, noted, fraudsters today are actively searching for insiders, including in banks, insurance companies, and financial organizations, since their schemes using personal data are now successful and effective.

“Criminal groups, including fraudulent call centers, can monetize this data, taking advantage of opportunities to steal and withdraw funds,” explained the expert.

In addition, Russians fall into fraudsters' traps by filling out a personal data form on a phishing site or by publishing photos of documents and bank cards on Internet resources.

Golovanov said that scammers often combine information about potential victims from several sources and use it to gain people's trust. The expert recalled that personal data alone is not enough to conduct financial transactions on behalf of the victim. For this reason, he urged people not to disclose bank card details or other confidential information to anyone under any circumstances.

Data Related to Thousands of Foxtons Clients Leaked Online

 

Estate agent Foxtons Group is under tremendous pressure after a daily newspaper named ‘publication i’ asserted that critical information pertaining to customers’ cards and other personal details has been uploaded to a dark web site. According to publication i, on October 12 last year a customer discovered card information, addresses, and personal messages belonging to over 16,000 individuals.

The breached data has been linked to customers from before 2010, but what is alarming is that nearly one-fifth of the cards are still active. In most cases, threat actors exhibit their haul to clients by selling a small sample online before selling privately. The amount of personal data published online is relatively small; however, the total number of clients affected remains the most intriguing question.

Three weeks ago, Foxtons Group was notified of the published data by the client who discovered it; however, the agency had not yet taken any measures to inform clients or the authorities.

According to the reports, the leaked files have been viewed over 15,000 times in the last three months. Foxtons Group released a statement saying that its Alexander Hall mortgage broking business was hit by malware in October 2020 during an attack that affected many other firms.

“Some IT systems were affected for several days but were restored without significant disruption to customers. All necessary disclosures have been made and full details of the attack were provided to the FCA and ICO at the time. We are satisfied that the attack did not result in the loss of any data that could be damaging to customers and believe that the ICO and FCA are satisfied with our response”, Foxtons Group stated.

The CTO of Cortex Insight, Stephen Kapp stated that “it is safe to assume the worst, and Foxton customers should look to protect themselves from identity fraud and card fraud as a result of this breach. With both personal information and payment card information lost, Foxtons customers should take some time to validate payments and potential credit history interactions since October and flag anything suspicious to their bank”.

Cook County’s Court Related Records Exposed

 

The WebsitePlanet research group, in collaboration with security researcher Jeremiah Fowler, found a non-password-protected database that contained more than 323,277 court-related records. Upon further investigation, the researchers found that the records all related to Cook County, Illinois, the second-most populous county in the United States after Los Angeles County.

According to the research group, nearly every record, dating from 2012 up to 2020, contained some type of personally identifiable information (PII), for example, complete names, home addresses, email addresses, case numbers, and private details regarding the cases. The database appeared to be an internal records management system containing detailed notes about case status or issues with the cases or people. The case type appears to have been sorted by markers, for example, IMM (likely ‘immigration’), FAM (presumably 'family'), and CRI (most likely 'criminal'). The information was in plaintext, and web access had no restrictions. The content could be accessed, downloaded, altered, or erased by anybody with an internet connection.

The researchers quickly contacted the Cook County CTO. The database was secured days later. It is unclear, however, whether the affected people were notified about the data exposure or told about the danger of how this data could be used to target them. The researchers state, "We could not find any reference to a public notice of a data breach of court records. No one replied to our responsible disclosure notice, phone voice message, or a follow-up email, so we were unable to know exactly what these records were used for or the full extent of the exposure."

WebsitePlanet postulates that the database may have belonged to a specialist Cook County department of caseworkers working with individuals who required extra assistance. Almost by definition, everyone included in the database could be classed as ‘vulnerable’ and a viable target for scammers. The data it contained would offer various avenues for such attacks, which could range from identity theft to blackmail.

French Cyber security Analyst Claims He Could Access Details Of Corona-Infected Persons Via The Government-Mandated Aarogya Setu App


A French cybersecurity analyst who goes by the pseudonym 'Elliot Alderson' on Twitter claims he could access details of Corona-infected people via the government-mandated Aarogya Setu app.

Robert Baptiste wrote on Twitter that it was feasible for a remote attacker to know “who is infected, unwell, make a self-assessment in the area of his (attacker’s) choice.” He was able to see “if someone was sick at the PMO office or the Indian Parliament" even with the most recent variant of the Covid-19 contact tracing application.

The creators of Aarogya Setu issued a statement in response, dismissing Baptiste's prior claims.

The French cybersecurity analyst asserted that he could gain access to the details of positive cases at a location of his choice. He did not present any proof of this, but promised a detailed report on the alleged security flaws.

The official statement released by Aarogya Setu said “no personal information of any user has been proven to be at risk by the French ethical hacker”.

The statement issued earlier by the creators of the application said it was possible for a user to get information for various places by changing the latitude/longitude, which is, in any case, available data.

The creators nevertheless insisted that bulk collection of this information was not feasible, as “the API call is behind a Web Application Firewall”.

All this has nonetheless given rise to a raging debate on the use of contact tracing applications by governments. Eivor Oborn, Professor of Healthcare Management at Warwick Business School, UK, says “I think a real breach is made if the professionals are forced to use the app and then are not allowed to discontinue the monitoring after the threshold of the pandemic is over; this to me is a greater concern.”

He added that in a democratic nation like India, citizens ought to have transparency with respect to what, when, and how the information is being used. “I think it is good for the governments concerned to tangibly show benefits that accrue from data use,” Prof Oborn stressed.

Nonetheless, the government's chief scientific advisor, Prof K VijayRaghavan, says that the source code of the application will be made open very soon, “India is the only democracy which has made the use of contact tracing app mandatory, so steps should be taken to make the codebase of the app open source, and users should be given the option to delete their data, even from the servers.”


Data Brokerage A Serious Concern?



With the increasing value and volume of personal data, data brokers have gained a great deal of traction of late, offering to manage and monetize consumers' personal data sets. Using a variety of sources to assemble data, these firms gather consumer data and offer to sell it to other businesses.

The data gathered is typically sold as profiles, which are offered to different businesses looking to target individuals for various ad campaigns.

For many people around the world, data brokerage may be a very new term; however, this business model has turned out to be one of the most profitable of this period: it is a $200 Billion industry.

For consumers who want to keep their information from being sold or used by someone else, 43% of the data brokers in the business allow consumers to 'opt out' for free, while with others consumers may need to pay a certain amount.

There was a rather shocking incident in India in 2017, when The Economic Times approached a data broker selling personal data while posing as a purchaser. What they found was quite surprising: for just ₹10,000 and ₹15,000, the company was selling the personal data of up to 1 lakh citizens in urban areas like Bengaluru, Hyderabad and Delhi.

While there have been many unlawful activities and practices by data brokers, this business is frequently known to operate within the law. Brokers may get hold of a 'huge amount of data', but the manner in which they accumulate it doesn't appear to be illegal in any way.

Having become a genuine concern in the recent years of its rise, data brokerage has come under careful scrutiny, and the governments of numerous countries have already begun keeping watch over the operations of these companies.

In any case, the internet is something to be careful about, as one of the common ways of gathering information is to collect openly accessible information, i.e. public data, from the internet, and people there can do things way beyond our imagination.

Personal data of almost a billion people are hacked








Personal data of nearly one billion people has been hacked by a shadowy company that has been untraceable since the incident happened.

The database contains the email addresses of around 982 million people. According to researchers, this could be the ‘biggest and most comprehensive email database’ breach ever.

The pieces of information that have been compromised include names, gender, date of birth, employer, details of social media accounts and home addresses.

The database was created by Verifications.io, and it did not have any kind of security measure.

The firm was a marketing company that offered an email validation service to another marketing firm. The service includes authentication of email addresses.

The company took down its website after the leak was uncovered and they have refused requests for a comment on the situation.

The motive behind the hack is not clear as the backers are maintaining their anonymity because of dubious tactics used by them to offer their service. 


Moreover, they have refused to comment on the situation.

Apple Launches Privacy Website; Focus on the Protection of User’s Personal Data





Apple on Wednesday launched a refreshed privacy website, https://www.apple.com/privacy/, updating the minisite to better educate its customers about how the company attempts to safeguard users' personal data across all of its products and services.

The privacy minisite covers a variety of areas, offering users as much information as possible about the iPhone maker's approach to handling and securing user information. With the abundance of data stored on an iPhone, iPad, or Mac, Apple is also keen to offer clarifications and explanations to its user base, with the aim of continuing to build trust between the company and the people who purchase its services and products.

The privacy website will advise users on how to protect their information while giving them various new ways to understand Apple's philosophy of privacy as a “fundamental human right” and to manage their data appropriately.

To limit the personal information involved, iOS and macOS devices are now being built to process data locally, gather only purpose-specific data and randomise information to guarantee that it isn't identifiable at a granular level. What a considerable number of companies do in the cloud using their servers, Apple now does on the device, thanks to powerful chips like the A12 Bionic.

The Opening Message on the new site –
“At Apple, we believe privacy is a fundamental human right. And so much of your personal information — information you have a right to keep private — lives on your Apple devices. Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit. Who you call, email, or message. Every Apple product is designed from the ground up to protect that information. And to empower you to choose what you share and with whom.”

On the new website, Apple has once again made clear that it requests personal information only when the new “Information and Security” icon appears. The various other services where this icon does not appear do not require personal information from users.