With so much cybersecurity news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI Security round-up of the three top cybersecurity stories of June 2018.
Ticketmaster customers hacked pretty badly. What will GDPR do about it?
Ticketmaster said a malware attack on one of its third-party vendor sites left 40,000 UK customers at risk of identity theft or fraud. Malicious software on a third-party customer support product from Inbenta Technologies reportedly led to the hack.
Ticketmaster removed the Inbenta Technologies product as soon as it discovered the hack, but it seems the malware had been lurking on the live Ticketmaster system, hoovering up customer details, for months.
The information that was compromised included names, addresses, phone numbers, payment details and, of course, the login details to Ticketmaster, reports IT Pro.
Victims are Ticketmaster customers who purchased or attempted to purchase tickets between September 2017 and June 2018:
INFORMATION ABOUT DATA SECURITY INCIDENT BY THIRD-PARTY SUPPLIER
Ticketmaster has created this website for customers whose personal information may have been compromised in the Inbenta incident. Ensuring the safety and security of the personal data of customers is very important to Ticketmaster. As soon as it was determined that there was potential unknown third-party access to certain personal information, Ticketmaster took swift action to address the issue and protect customers.
Ticketmaster also pulled together an information landing page explaining what they can do and providing answers to frequently asked questions.
The concert ticket vendor said that less than 5% of its global customer base had been affected.
According to the BBC, “Ticketmaster is confident it has complied with General Data Protection Regulation (GDPR) rules – acting very quickly and informing all relevant authorities, including the Information Commissioner’s office.”
However, online bank Monzo warned Ticketmaster that something weird was going on in early April, two months before the ticket-slinging giant revealed its payment pages had been hacked, reported The Register.
So, does this raise concerns under EU privacy law GDPR? Probably not. As Wired reports, “Following disclosure of the breach, the Information Commissioner’s Office (ICO) said it was ‘making enquiries’ in relation to the Ticketmaster breach and would be making a decision as to whether it should be dealt with under the 1998 or 2018 Data Protection Acts based on the dates the incident happened and then was discovered. The 2018 act, which brought in GDPR, only came into force on May 25, after the initial discovery but before the incident was disclosed.”
But let this be a lesson to the rest of us. Get your ducks aligned. The penalties, and media fallout, are not pretty.
Cryptocrash at South Korea’s Coinrail to the tune of $40 Billion
Many of us would be lying if we said we hadn’t at least thought about getting on the crypto-wagon to make some fast money.
While more traditional investors advise everyone to remain calm and only invest what they can afford (as they remind people that there is no intrinsic value to the asset), the market volatility is palpable.
Statista says the price of Bitcoin experienced an increase from about 371 U.S. dollars in January 2016 to over 13 thousand by December 2017. Also, market capitalization of Bitcoin rose from $0.04 billion in Q1 2012 to over $230 billion in Q4 2017.
But then the South Korean cryptocurrency exchange Coinrail was hacked to the tune of $40 billion.
Coinrail, according to the Guardian, said it was hit by a cyber intrusion, causing a loss of about 30% of the coins traded on the exchange. It did not quantify the value, “but the local Yonhap news agency estimated that about 40bn won (£27.8m) worth of virtual coins was stolen.”
Coinrail soon updated its website to say that “Seventy-percent of your coin rail total coin/token reserves have been confirmed to be safely stored and moved to a cold wallet and are in storage.”
But it was too late: the markets swan-dived. That is not to say they won’t rise once again like a flaming phoenix, but only time will tell.
Apple to close iPhone privacy hole used by FBI
In mid-June, Apple announced it was closing the security loophole that was being exploited by the FBI to unlock phones without a passcode or fingerprint.
Typically, reports the New York Times, locked iPhones are being pried open by connecting another device running special software to the port, “often days or even months after the smartphone was last unlocked.”
Apple and Google started encrypting their mobile software by default in 2014. While the cybersecurity industry hoorahed, this default encryption frustrated police and prosecutors, who could no longer pull data from smartphones. It turned out that even a warrant to access the iPhone of a suspected gunman who killed 14 people in California in late 2015 wasn’t enough – Apple’s then CEO Tim Cook refused to set a precedent that compromised his users’ privacy.
Things heated up when the FBI pulled a U-turn. They announced they had paid a third party to provide hacking techniques to break into the Apple phone. Two main companies have reportedly helped law enforcement hack into iPhones: Cellebrite and Grayshift, the latter founded by a former Apple employee.
According to the New York Times, “Law enforcement officials said they generally send iPhones to Cellebrite to unlock, with each phone costing several thousand dollars to open. In March, Grayshift began selling a $15,000 GrayKey device that the police can use to unlock iPhones themselves.”
Authorities are now concerned about the limitations of not being able to unlock an iPhone to verify suspects’ stories. However, some would argue it will only be a matter of time before a hacking firm finds a workaround: the cat and mouse game plays on.