Microsoft admits a storage misconfiguration, data tracker leads to a data breach at a second US hospital chain, and more.
Welcome to Cyber Security Today. It’s Friday, October 21st, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Microsoft has acknowledged a misconfigured storage bucket open on the Internet exposed business data that could have been copied by anyone who found it. Some business documents between Microsoft and prospective customers could have been seen and stolen. After being notified in September of the open storage by researchers at a company called SOCRadar, the data was secured. But it included names, email addresses, email content, company names and phone numbers. It also may have included attached files relating to business between a customer and Microsoft or one of its partners.
Another American hospital chain is notifying patients of a data breach related to the use of the Meta Pixel tracker on their websites. Advocate Aurora Health, which has 26 hospitals in Wisconsin and Illinois, is notifying patients of the breach. It exposed the personal data of 3 million patients. This follows the admission by Novant Health that improper use of Meta Pixel led to the exposure of data of 1.3 million patients. According to the Bleeping Computer news service, Meta Pixel helps website operators understand how visitors interact with their sites. It also sends data to Meta — the parent of Facebook — which sends it to marketers and advertisers.
Police in Brazil this week arrested a person they believe is a member of the Lapsus$ extortion gang. This comes after the Brazilian Ministry of Health was hacked last year. Two people believed to be associated with the gang were charged last April in the U.K.
Two Americans have been sentenced to two-year prison terms for going after executives of cryptocurrency companies and others who likely had cryptocurrency. The convicts got control of the social media accounts of targets, then used that access to convince cellphone companies to give them control of the victims’ smartphones through SIM card swapping. The phone access was used to try and access bank accounts. It was alleged that the pair stole about $330,000 in cryptocurrency from victims.
More bad apps have been found in the Google Play store. Researchers at McAfee discovered 16 apps that managed to get past Google scrutiny and onto the marketplace. As is common, crooks disguised the malicious apps as utilities people might want: a currency converter, a flashlight, a digital image vault and a QR code reader. Smartphone apps like that can be appealing — our mobile phones are fun devices, why not load them up with useful apps? That attitude is how malware gets on your phone, and how your email and bank accounts get hacked. Be very careful before choosing to download apps that aren’t from brand-name companies. Research before you click.
Finally, Texas is suing Google for allegedly violating the state’s biometric law. The claim is that by illegally collecting voice prints, records of face geometry and more through Google Photos, Google Assistant and Nest Hub Max, the company has unlawfully captured and used their data without getting informed consent. Then, the claim says, Google used the data for its own commercial interest. None of the claims have been proven in court.
That’s it for now. But later today the Week In Review edition will be out. This week David Shipley of Beauceron Security and I will discuss a Blind Carbon Copy email mistake, the risks of the use of real data when testing applications and new Canadian cyber incident statistics.
Links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.