With so much cybersecurity news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI Security round-up of the three top cybersecurity stories of April 2018.
Panera Bread leaked millions of customer records.
Panerabread.com, the website for the American chain of more than 2000 US-based bakery-cafes, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline in early April 2018.
The worst of it is was that security researcher Dylan Houlihan had reported the flaw to Panera Bread’s Director of Information Security in August 2017, but it was initially dismissed by the director as a likely scam. A week later, however, Panera Bread validated Houlihan’s findings, saying they were working on a fix.
Fast forward to April 2018 – eight months later – and Houlihan indicated that Panera Bread’s website was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort. It took popular security blogger Brian Krebs to expose the flaw for Panera Bread to jump into action. Even then, denials from spokespeople on major news channels, and then only to be scoffed at on Twitter for implementing a poor security patch job, made things even worse for the online food store.
Let this be a lesson to all: Don’t leave valuable and sensitive data open to the world. Oh and if a verifiable security researcher gets in touch to report a flaw, do not ignore them.
Europeans cautioned about Facebook’s facial recognition software
Facebook uses facial recognition software to automatically match people in photos your friends upload with the other billions of images on Facebook’s servers in which you might appear.
Security pundits around the world have warned about the privacy issues surrounding facial recognition software analysing your friends and family’s faces, and effectively databasing their facial features.
After a privacy outcry in the UK and other countries in the EU, the facial recognition feature was disabled in the EU some years ago.
However, in mid-April, Facebook had started quietly rolling out the updated facial recognition technology.
The technology continues to be contentious. At the time of writing, US Facebook has been ordered to face a class action lawsuit over the facial recognition components of their service, with a focus on how it tags photos of people without individual consent. The lawsuit says this breaches Illinois state law. Apparently, the facial recognition technology has been updated to meet the requirements set by the EU’s new privacy law GDPR, such as turn-it off-feature…an option we suggest you look into.
Millions of hotel rooms were vulnerable to hacked master key
A major vulnerability that impacted millions of hotel rooms around the world is being rectified, thanks to recent cybersecurity research. The findings showed that electronic locks, manufactured by the world’s largest provider Assa Abloy, could be fooled into revealing a single master key code from which a new card could be created – one that could open all its locks.
If you ever stay in hotels with automated key systems, you’ve likely used an Assa Abloy lock to protect your room. Well-known global hotel chains, such as Sheraton, Radisson and Hyatt, all reportedly make use of Assa Abloy’s lock mechanisms. Hackers, it turns out, could have exploited this vulnerability and gained access to any room secured with an Assa Abloy lock. Cybersecurity researchers explained that the entire process could be completed in under a minute by following a few simple steps: find a key card, use cheap hardware and custom card-reading software to locate the master key code, and copy the code onto a new or existing card.
Once the vulnerability was confirmed, it was shared with Assa Abloy, who’ve spent the last year developing and rolling out fixes to prevent the vulnerability being exploited by attack agents.
These were the top three security stories which made the headlines in the month of April. Think we missed a major story out? Let us know in the comments below.