Data Breach at Dailymotion

As we approach the end of 2016, the rate of data breaches – or more accurately data breach discoveries – doesn’t appear to be slowing. The BBC reported on Tuesday (here) that the Dailymotion subsidiary of French media company Vivendi had details of more than 85 million users stolen, including usernames, email addresses and passwords, although the passwords had been hashed using the bcrypt algorithm. Dailymotion said the impact of the breach was limited and no personal information had been lost. It’s perhaps worrying that Dailymotion were advised of the breach by an external agency, LeakedSource. Dailymotion said: “It has come to our attention that a potential security risk, coming from outside Dailymotion, may have compromised the passwords for a certain number of accounts.” Mark James, a security specialist at security firm ESET, commented: “Check and change your passwords on this site, if you have used that same password on any other site then change those immediately and possibly consider a password manager if you’re not already using one.” He added: “Without further information about what was or was not stolen, we won’t know the extent of the damage – but needless to say more data being added to your already overflowing online profile floating around the web is not good for any of us.” The BBC added, scarily: “This year has seen a series of massive data breaches, with experts saying there are now 1.5 billion stolen credentials available to hackers and attackers online.” And, once again, let’s look at the potential post-GDPR fines, had personal data been leaked – Vivendi’s revenue last year was €10.76...

Major Data Breach in Japan

We’ve seen a number of high profile data breaches over the last couple of years, but it’s rare to hear of data breaches in the Asia Pacific region. Last Friday (December 5th) the Japanese cosmetics firm Shiseido reported that the online store operated by its subsidiary IPSA Co. may have leaked the details of 420,000 customers. Stolen data includes customer names and addresses, but more worryingly the payment card information of 56,000 customers may have been leaked. Those are customers who made purchases at the online store between December 14th 2011 and November 4th 2016 – that’s over five years. This serves to emphasise PwC’s 2015 report (here) that said “Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly.” Shiseido learned of the data leak on November 4th, when it received a report from a payment agency. It has since suspended the online store and notified the Japanese Police and the Ministry of Economy, Trade and Industry. Once again, we reiterate the words of Stephen Orfei, the chairman of the PCI Standards Council: the safest path for any business is to “take risk off the table”. If you’re not storing card or sensitive data then, even if your organisation is breached, there’s nothing for the bad guys to steal, and your company’s public reputation remains untarnished. We at Compliance3 can help you, get in...

It could be you?

The BBC reported this morning (here) that Camelot, the operator of the UK’s National Lottery, had suffered a data breach. Some 26,500 of the National Lottery’s 9.5 million online customers had had their accounts – comprising transaction history, date of birth, bank sort code and the last four digits of their bank account number – compromised. Of those 26,500, 50 “had some activity take place”. It’s to Camelot’s credit that they locked down their systems on Monday after noticing suspicious activity, even though they don’t “hold full debit card or bank account details in National Lottery players’ online accounts”. Customers whose accounts may have been compromised have been forced to change their passwords. It has been suggested that these accounts were accessed using passwords sourced elsewhere and re-used, once again highlighting the dangers of using the same password on multiple sites. It is also another potential ‘padding’ attack, with hackers building a database of customer details that they might use to create fake identities. While data breaches continue to be revealed with a scary frequency, the number of data breaches involving financial information is becoming scarce. That’s a good sign, in that merchants are taking the security of payment card data seriously; the hackers are now turning their attention to ‘softer’ targets and sourcing personal rather than financial data. Once again, we stress the need to be careful with online passwords and not to re-use them across different online accounts. There are a number of secure password ‘vault’ applications that store complex passwords; these might be worth considering if you have a large number of online accounts. It’s also...

Data Breach at Madison Square Garden

It was revealed recently that the Madison Square Garden Company (MSGC) has suffered a data breach at five of its venues. In a statement, the company wrote that it has notified customers that an investigation found “external unauthorized access to MSG’s payment processing system” at Madison Square Garden, the Theatre at Madison Square Garden, Radio City Music Hall, Beacon Theatre and the Chicago Theatre in the past year. The data breach appears to have originated through compromised ‘swipe card’ machines, the older generation of PEDs (PIN Entry Devices), as the use of ‘Chip and PIN’ is still not widespread in the United States. According to the MSGC statement, “Data contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater between November 9, 2015 and October 24, 2016 may have been affected, including credit card numbers, cardholder names, expiration dates and internal verification codes. Not all cards used during this time frame were affected. This incident did not involve cards used on MSG websites, at the venues’ Box Offices, or on Ticketmaster.” That’s nearly a year before the compromise was detected, and during that period those venues hosted hundreds of concerts and sporting events. Madison Square Garden alone held three Kanye West ‘events’, six sell-out concerts by Adele, two Radiohead concerts and a long-term residency by Billy Joel. Every card used to purchase merchandise, hot dogs or popcorn at those events might be compromised. It’s easy, here in...

Three Mobile Data Breach

It was announced this morning that three men had been arrested for a data breach at Three Mobile. The men are thought to have accessed a customer database at Three Mobile using ‘authorised logins’; this was not an external attack. Once in the database the perpetrators identified customers who were eligible for handset upgrades, ordered eight ‘high value handsets’ and then intercepted them prior to delivery. Dave Dyson, Three’s CEO, said: “I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.” Dave Dyson’s full statement can be found here. As well as the intercepted upgrades, a further 400 ‘high value handsets’ have been stolen through burglaries, presumably targeted using the compromised customer data. Given that the iPhone 7 starts at £600, 400 of those represents a potential loss of a quarter of a million pounds. Less than the cost of the recent Tesco Bank breach, but hardly loose change. It’s not clear when the data was fraudulently accessed, or whether it was extracted and subsequently sold on. Customer data could be used for ‘credential stuffing’ and future identity theft, as we described here after the data breach that O2 reported this summer. Three claims to have strengthened its data controls, but Three customers should exercise caution and consider changing their Three password, and the password on any other sites where they might have reused it. Obviously it’s best practice...