Welcome to Cyber Security Today. This is the Week in Review edition for Friday, January 27th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Cyology Labs will be here to discuss recent news. But first a look back at some of the headlines from the past seven days:
Data Privacy Week ends tomorrow. Terry will have some thoughts about what your company should be doing.
GoTo, which makes remote IT and communications software used by companies, has acknowledged a hacker not only stole encrypted backup data of customers in November but also an encryption key for some of that data. This data was stolen from the outside cloud storage provider that GoTo uses. Terry and I will discuss this incident.
We’ll also talk about employees at customer support provider Zendesk giving their usernames and passwords to a hacker after falling for an SMS text phishing scam.
And we’ll comment on a report that IT departments not only are slow to patch vulnerabilities, some aren’t even aware of them.
Elsewhere, a Canadian-based international manufacturer of die-cast tools and car parts has been the victim of a cyber attack. Exco Technologies said that three production facilities within its Large Mould Group are recovering from a cyber incident last week.
A hacker leveraged an application programming interface (API) to steal the personal information of 37 million customers over two months, undetected, from American cellular carrier T-Mobile.
American cybersecurity agencies issued a reminder to organizations to be on the lookout for remote monitoring and management applications that have been secretly implanted into their IT environments. Applications like AnyDesk, ScreenConnect and ConnectWise Control are being uploaded into victims’ networks to be used by attackers as a backdoor.
Video game maker Riot Games reportedly received a ransom demand of US$10 million after some of its source code was stolen. According to a news report, the hackers are now auctioning off what they said is code for the game League of Legends.
And a four-year-old copy of a U.S. government no-fly list was discovered on an unsecured server on the internet. The server belongs to the U.S. airline CommuteAir. The airline said the data was on a development server used for application testing.
(The following is an edited transcript of the first of the topics Terry Cutler and I discussed. To hear the full conversation play the podcast.)
Howard: Let’s start by talking about Data Privacy Week. It’s often thought of as a way to remind consumers about how to protect their personal data when online, but companies play a role as well. What’s your experience with organizations treating privacy, as opposed to cybersecurity?
Terry Cutler: Let’s first differentiate the two: In general security will keep you safe from potential threats. Cybersecurity involves securing the data from unauthorized use or access. Data privacy refers directly to how companies are able to collect, manage, store and control the use of personal data.
Howard: The thing is, your company’s reputation can be influenced by consumers’ perception of how you value data privacy. In a recent consumer survey by Interac, which runs the credit and debit card networks used by banks and retailers, over half of Canadian respondents said they believe that organizations are primarily responsible for protecting their personal information. Nearly seven in 10 Canadian respondents would hold organizations that they have given personal information to accountable for a data breach. Just over 70 per cent want more control over their online information. What do you make of these numbers?
Terry: Well, you can’t have your cake and eat it too. Consumers rely heavily on convenience and, unfortunately, security and privacy are not about convenience. We saw this just happen very recently with Home Depot. Let me describe quickly how your information is actually being tracked when you purchase something. Assume you’re on your way to purchase a pair of pants. GPS satellites know that you just pulled up to the store’s parking lot. GPS companies are going to start selling your data about that parking lot to thousands of other firms that actually track insights and trends for this location. Those companies will analyze these photos and see where people are shopping. In some of the analytics they can actually predict where the consumer traffic is. That can give them an early sense of some sales and revenues. That’s kind of like a heads-up of earnings. But it doesn’t stop there. There are at least 100 apps on your phone, including weather apps and traffic apps, that are also selling your geolocation data. Firms that specialize in these types of data could buy this information about foot traffic and spit out insights into how many consumers are actually visiting a store in a given location.
Remember you haven’t opted into anything yet. This is from apps that are tracking you. When purchasing those pants you wanted, companies are also tracking. If you give away your email address companies can target your inbox [with ads]. And these companies can now link with banks as well, so they can see your transaction history. Some will anonymize data but at least they will see some insight into what’s happening in locations so they can predict things more accurately. If you’re shopping for those pants online there are a lot of companies that are scraping Facebook and Twitter to gather as much information about brands as they can. The bottom line is if you’re not paying for the product you are the product.
Howard: You mentioned Home Depot. I think that you were referring to a just-released report by the Privacy Commissioner of Canada about Home Depot of Canada. If people gave their email addresses when they bought products to get an e-receipt instead of a paper receipt, they didn’t realize that the data that came with the e-receipt was going to Meta, the parent company of Facebook. The privacy commissioner found Home Depot Canada customers were not properly informed what the company was doing with their data.
Terry: It makes sense: You think that you’re just going to get a copy of the receipt in your inbox. This happens all the time at other stores. When I do a self-checkout it asks would I like to have an e-receipt, and you type it in there. So I’m a victim of that, too.
Howard: The privacy commissioner’s ruling is the company shouldn’t be doing that unless the customer knows exactly that’s what’s happening.