by Bob | Nov 30, 2016 | Views
The BBC reported this morning (here) that Camelot, the operator of the UK’s National Lottery, had suffered a data breach. Some 26,500 of the National Lottery’s 9.5 million online customers had had their account – comprising transaction history, date of birth, bank sort code, and the last four digits of their bank account number, compromised. Of those 26,500 – 50 of them “had some activity take place. It’s to Camelot’s credit that they locked down their systems on Monday after noticing suspicious activity, even though they don’t “hold full debit card or bank account details in National Lottery players’ online accounts“. Customers whose accounts may have been compromised have been forced to change their passwords. It has been suggested that these accounts were accessed using passwords sourced elsewhere and re-used; once again highlighting the dangers of using the same password on multiple sites. It is also another potential ‘padding’ attack, with hackers building a database of customer details that they might use to create fake identities. While data breaches continue to be revealed with a scary frequency, the number of data breaches involving financial information are becoming scarce. That’s a good sign in that Merchants are taking the security of payment card data seriously, the hackers are now turning their attention to ‘softer’ targets, and sourcing personal rather than financial data. Once again, we stress the need to be careful with online passwords and not re-use them across different online accounts. There are a number secure password ‘vault’ applications that store complex passwords; these might be worth considering if you have a large number of online accounts. It’s also...
by Bob | Sep 23, 2016 | Views
YAHOO! today confirmed that the personal details of ‘up to 500 million users’ may have been stolen, back in 2014, by a data breach that Yahoo believes initiated by “state-sponsored actor”. That’s a stunning data breach, potentially compromising one in fifteen people worldwide. Rumours of the breach started back in August when a hacker called ‘Peace’ claimed to be selling data from 200 million Yahoo clients. At that time Yahoo dismissed the claims, saying that the data probably related to a 2012 data breach when a mere 400,000 of its user accounts were compromised. In 2012 Yahoo said “At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” The timing of the announcement of this breach couldn’t be worse for Yahoo!, as they negotiate sale of their core business to Verizon for $4.8 billion. Nordic cybersecurity expert Per Thorsheim – who broke the news of the 2012 LinkedIn data breach – described the latest Yahoo! data breach as “massive” adding “It will cause ripples online for years to come.” Perhaps more telling are the comments from U.S. Senator Richard Blumenthal who is calling for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.” Senator Blumenthal said in a statement “If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.” Yahoo! Were at pains to point out that no payment card data was compromised...
by Bob | Jun 21, 2016 | Views
My old mother had a phrase that she would use if I ever did anything particularly stupid; which was perhaps more frequently than I remember. The phrase was ‘God loves a tryer’, and while it was evident from my lack of success in many foolhardy ventures that God might indeed ‘love a tryer’, he didn’t necessarily encourage them. The phrase came to mind when I saw this picture posted on social media, and at least one ill-advised person on my media feed had fallen for it and posted the keys to their wallet on FaceBook for all to read and – in theory – exploit. Much like my recent post showing somebody allegedly harvesting card data from contactless cards (here), I doubt that many people fell for this gambit, but it highlights Compliance3’s message of ‘devaluing data’ – the information that this meme was attempting to harvest was undeniably valuable data – ‘Sensitive Authentication Data’ in the words of the PCI Standards Council. There’s a world of bad people ‘out there’ and they’re trying to get card details, by any means they can. We work with companies to ‘take risk off the table’. If card data doesn’t enter a business’s environment then they can’t be storing it – whether deliberately or innocently – and if they’re not storing it then it can’t be...