Medical supply firm falls for phishing, drug treatment chain patient data exposed, Americans worried about privacy and more
Welcome to Cyber Security Today. It’s Monday November 18th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
A California company that makes glucose monitors and insulin pumps has admitted personal information on current and former patients as well as employees may have been accessed for two and a half months this year when some employees fell for an email phishing scam. The hacker may have accessed peoples’ names, dates of birth, addresses, social security numbers, medical information, drivers licence numbers and credit or debit card numbers. One wonders why personal data at a medical supplies firm wasn’t encrypted.
Meanwhile the news site DataBreaches.net reports someone at a network of U.S. drug and alcohol addiction treatment facilities called Sunshine Behavioral Health was clumsy enough to leave a database with tens of thousands of patient billing files open to be seen. This data included names, dates of birth, postal and email addresses, telephone numbers, credit card numbers and more. The files were being held in a misconfigured folder, or bucket, on Amazon AWS s3 servers. After being tipped off the new site alerted the company, which promised to take action. But, the reporter says, if you knew where to look the data could still be found. Again, if there’s patient information, why isn’t it encrypted. And why are apparently untrained employees still allowed to upload data to Amazon storage?
In the justice world, an Illinois man was sentenced last week to 13 months in prison and forfeit over a $500,000 dollars for running a business that launched denial of service attacks for hire on websites. Denial of service attacks essentially bombard websites with requests until they freeze or collapse. Over in Massachusetts, two men have been charged with taking over cellphones of at least 10 people, stealing cryptocurrency and making death threats. How’d they do it? By convincing cellphone companies to transfer the victim’s phone number to a device controlled by the scammers.
Worried about privacy? You’re not alone. According to a survey by the Pew Research Centre, 62 per cent of American adults think its impossible to go through daily life without some company or government collecting data on them. Just over 80 per cent of respondents felt they have very little or no control over the data companies and the government collects. Majorities agreed they are either very or somewhat concerned about the way their data is being used. Just over 80 per cent of respondents think the potential risks of data collection about them by companies outweighs the benefits. Companies should think about this: Around 70 per cent of respondents say they are not too or not at all confident companies will admit mistakes and take responsibility when they misuse or compromise data. They aren’t that confident government will be accountable if it misuses data. Read the full survey here.
Looking for a browser that promises more privacy? A new one called Brave came on the market last week, in desktop and mobile versions. Brave is supposed to block third-party ads, trackers and autoplay videos by default. That means you don’t have to tinker with the settings. That means Brave so far goes farther than Chrome, Firefox, Safari and Edge in blocking trackers and ads. Now, ads are how companies like Google that offer free search, email or other services make money. There may be web sites you like that you don’t mind showing ads. There’s a way to reward them. Join the Brave Rewards program, open a digital account and it pays the sites you want in micropayments for showing ads. No personal information is collected. Or you can pay for an article you really like through digital tokens. For more information see Brave.com.
Often you have to trust the hardware and software products you buy. For example, Android smartphones. The base Android operating system comes from Google. But a device manufacturer — like Samsung, Sony, LG, Motorola and others — can add software on top of that like skins, games and utilities. Some are firmware you can’t see in your list of apps but are supposed to help make the device work better. Google has no control over these added apps. But according to a security company called Kryptowire, lots of them have vulnerabilities. That’s right: Before you even pull your new phone out of the box it may be vulnerable to attack. The company scanned 29 new Android phones sold in the U.S. with its software and found 146 issues. Some are big, like possibly allowing a hacker to use the microphone for secret recordings, some are small. The news site Wired says some manufacturers dispute the findings, saying the discoveries aren’t really threats. What should you do? If you’re buying an Android phone make sure it’s from a big company with the resources to thoroughly test for bugs. Meanwhile, if Android device manufacturers don’t like this kind of scrutiny and publicity they should toughen up their procedures.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon