Category Archives: Risks

Job search websites of 16 states exposed SSNs

On March 12th, a breach of the Kansas Department of Commerce's "America's Job Link Alliance-TS" job search websites server was discovered.   Two days later, the sites were locked down but only after 563,568 residents had their info harvested along with 1,393,109 of Alabama, 896,380 of Arizona, and 807,450 of Illinois.  In total, 5.5 million SSNs had been leaked from Arkansas, Arizona, Delaware, Idaho, Kansas, Maine, Oklahoma, Vermont, Alabama, and Illinois.

Kansas has no official data breach notification laws and wound up paying SHI $235,000 for  incident response and $175,000 to Shook, Hardy, and Bacon lawyers for legal representation.  It has been reported that only 260,000 notification emails wee sent to victims because "they don't have the contact details for everyone affected."

MySpace security flaw discovered

Cyber security researcher Leigh-Anne Galloway claims to have discovered a security flaw in MySpace which only required a name, username, and birthdate.  

After a massive breach of password was revealed in 2016, the website admins had disabled all passwords before 2013.  The simple recovery method only needed those three pieces of information of which the username was easily found in the MySpace profile URL and name displayed promptly on that profile homepage.

Galloway reported the flaw last April and did not receive a response but after media attention the flaw was promptly patched.

Deportation after UPMC Employee Data in Fake Tax Filings

After University of Pittsburgh Medical Center's (UPMC) employee identities were stolen from a database in 2014, a federal court has ordered the deportation of Martiza Maxima Soler Nodarse.  Nodarse of Venezuela   pleaded guilty as the second person involved in crimes related to 935 false US federal tax returns of UPMC employees.  The first person who plead guilty in April was Yoandy Perez Llanes of Cuba.  The tax return frauds resulted in approximately $1.5 million in disbursed unlawful refunds after approximately $2.2 million in tax return filings.

Nodarse received around $156,000 of electronics merchandise  in a scheme to launder the the money through Amazon gift cards they had shipped to Venezuela.  Nodarse received the shipped merchandise in  Colombia in March 2015 then was extradited to the U.S. to face charges in November 2016.

Some of the charges involved wire fraud, money laundering, and aggravated identity theft.

1k content moderator Facebook profiles exposed

Last year around November 2, 2016, a bug caused the activity log of Facebook (FB) groups to expose the profiles of its content moderators.   The bug involved the creation of this exposure whenever an administrator was removed for breaching the terms of service (TOS.)  Personal details of moderators who had censored accounts as early as August 2016 were then made viewable to the remaining FB group administrators.

Unfortunately, approximately 40 of those 1,000 content moderators worked in a counter-terrorism unit at Facebook's European headquarters in Dublin, Ireland.  Within those 40, it was determined that at least six had their personal profiles viewed by potential terrorists from US State Department designated groups Hezbollah, ISIS, and the Kurdistan Workers Party.

The detection of the exposure was first suspected when moderators began receiving friend requests from known suspects of the terror organizations they were tasked with analyzing.  Some of the moderators are contractors who are only paid just $15 per hour for scouring often high-disturbing material written in other languages.  Facebook policies allow disturbing imagery with the caveat that it doesn't promote or celebrate terrorism.  

SK Bithumb Cryptocurrency breach of 30k customers

Names, mobile numbers, and email addresses of approximately 30,000 South Korean Bithumb exchange customers were exposed from an employee's home computer.  Bithum has indicated no passwords were stolen but some customers have claimed to have lost their funds as a result.  Bithumb is one of the largest bitcoin exchanges and the amount affected is estimated to be billions of SK Won (almost $1M US Dollars.)

Bithumb has promised to pay 100k Won ($87 USD) to each member whose information was exposed.  Once again, the cost savings of bring your own device (BYOD) has proven not to be equal to the reputation and financial costs to a company which should retain workstation security controls and ownership.