Tag Archive for: fine

FTC to fine CafePress for cover up of massive data breach



The U.S. Federal Trade Commission (FTC) wants to slap the former owner of the CafePress custom t-shirt and merchandise site with a $500,000 fine for failing to secure its users’ data and attempting to cover up a significant data breach impacting millions.

As the consumer protection watchdog explained, CafePress’ former owner, Residual Pumpkin Entity, stored its customers’ Social Security numbers and password reset answers in plain text, and retained their data longer than necessary.

“As a result of its shoddy security practices, CafePress’ network was breached multiple times,” the FTC said today.

“The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars [PDF consent order here] to compensate small businesses.”

Per the proposed settlement, Residual Pumpkin and PlanetArt (CafePress’ new owner) will be required to implement multi-factor authentication, minimize the amount of data collected and retained, and encrypt Social Security numbers stored on their servers.

The massive February 2019 data breach

Following a February 2019 breach of CafePress’ servers, unknown attackers accessed, and later put up for sale on the dark web, a trove of information belonging to 23,205,290 users, including:

  • millions of email addresses and passwords with weak encryption; 
  • millions of unencrypted names, physical addresses, and security questions and answers; 
  • more than 180,000 unencrypted Social Security numbers; 
  • and tens of thousands of partial payment card numbers and expiration dates.
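The storage failures listed above (plain-text reset answers and SSNs, weakly protected passwords, data kept longer than needed) and the remedies the proposed order requires (data minimization, stronger protection at rest) map onto a few lines of code. The following is an added illustration, not CafePress’ code and not anything from the FTC filing: the complaint says only “weak encryption” and “plain text”, so the weak side uses an unsalted SHA-1 digest as an assumed stand-in, and the sample user record and retention window are constructed for the demo. The hardened side uses a salted memory-hard KDF (scrypt) for both the password and the normalized reset answer, keeps only the last four SSN digits (full-SSN encryption would need a library such as `cryptography`, which this stdlib-only example omits), and applies a retention cut-off.

```python
"""Weak vs. hardened storage of user secrets. Added example, not CafePress' code."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# ---- Weak pattern (assumed stand-in: the FTC complaint says only "weak encryption"
# ---- for passwords and "plain text" for SSNs and reset answers) ----
def weak_store(password, ssn, answer):
    """Unsalted SHA-1 password digest; SSN and reset answer kept in plain text."""
    return {"pw": hashlib.sha1(password.encode("utf-8")).hexdigest(),
            "ssn": ssn, "answer": answer}

def crack_weak(digest, wordlist):
    """Why an unsalted fast hash is 'weak': one dictionary pass recovers it, and the
    same digest appears for every user who chose that password."""
    for word in wordlist:
        if hashlib.sha1(word.encode("utf-8")).hexdigest() == digest:
            return word
    return None

# ---- Hardened pattern ----
SCRYPT = dict(n=2 ** 14, r=8, p=1)   # ~16 MiB per hash; tune to your login latency budget

def _kdf(secret, salt):
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, dklen=32, **SCRYPT)

def _normalize_answer(answer):
    # Reset answers are low-entropy free text; canonicalize so "Fluffy " and "fluffy"
    # verify the same, then treat them exactly like a password (never store them raw).
    return " ".join(answer.strip().lower().split())

def hardened_store(password, ssn, answer, created_iso=None):
    pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "pw_salt": pw_salt.hex(),
        "pw_hash": _kdf(password, pw_salt).hex(),
        "answer_salt": ans_salt.hex(),
        "answer_hash": _kdf(_normalize_answer(answer), ans_salt).hex(),
        # Data minimization: keep only the digits the business process needs.
        # If the full SSN must be kept, it belongs encrypted at rest (e.g. with the
        # `cryptography` package), which this stdlib-only example does not show.
        "ssn_last4": ssn.replace("-", "")[-4:],
        "created": created_iso or datetime.now(timezone.utc).isoformat(),
    }

def verify_password(record, password):
    cand = _kdf(password, bytes.fromhex(record["pw_salt"]))
    return hmac.compare_digest(cand, bytes.fromhex(record["pw_hash"]))

def verify_answer(record, answer):
    cand = _kdf(_normalize_answer(answer), bytes.fromhex(record["answer_salt"]))
    return hmac.compare_digest(cand, bytes.fromhex(record["answer_hash"]))

def purge_expired(records, max_age_days, now_iso):
    """Retention check: drop records held longer than the retention window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return [r for r in records if datetime.fromisoformat(r["created"]) >= cutoff]

if __name__ == "__main__":
    # Constructed sample user; the dates and wordlist are made up for the demo.
    weak = weak_store("password1", "123-45-6789", "Fluffy")
    print("weak digest recovered:", crack_weak(weak["pw"], ["letmein", "password1"]))
    rec = hardened_store("correct horse", "123-45-6789", "Fluffy", "2019-02-01T00:00:00+00:00")
    print(verify_password(rec, "correct horse"), verify_answer(rec, "  fluffy "), rec["ssn_last4"])
    kept = purge_expired([rec], 365, "2021-03-15T00:00:00+00:00")
    print(len(kept), "records kept after a 365-day retention window")
```

The point of `crack_weak` is that a breached table of unsalted fast digests is a dictionary lookup away from the original passwords, which is why a leak described as “passwords with weak encryption” is treated as a credential leak; the scrypt side makes each guess cost a memory-hard computation per user and per salt. The retention helper is the part most often forgotten: data that was deleted on schedule cannot be exfiltrated in a later breach.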

CafePress purportedly tried to cover up this massive data breach and did not inform any of the impacted customers until September 2019, one month after BleepingComputer reported the breach.

At the time, CafePress did not respond to BleepingComputer’s queries and did not issue a statement regarding the incident. The only indication that something was wrong was that users were forced to reset their password when logging in (with no mention of the breach).

Failures to report breaches and investigate attacks

CafePress was also aware that it had data security problems even before the 2019 data breach. According to the FTC’s complaint, the company…

Source…

Three Former U.S. Intelligence Community and Military Personnel to Pay $1.68M Hacking Fine


On Sept. 7, U.S. citizens Marc Baier, 49, and Ryan Adams, 34, and former U.S. citizen Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.

According to court documents, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., “hacking”) for the benefit of the U.A.E government between 2016 and 2019. Despite being informed on several occasions that their work for U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.

These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems, i.e., systems that could compromise a device without any action by the target. U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, such as mobile phones, around the world, including in the United States.

“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization…

Source…

Let us tell you WhatsApp – we don’t want to pay that €225m GDPR fine • The Register


WhatsApp has been slapped with a fine of €225m [PDF] following a long and drawn out investigation into whether it had provided the necessary data protection information to users under the EU General Data Protection Regulation (GDPR).

The fine – along with a slap on the wrist – has been imposed by the Data Protection Commission (DPC), the national independent authority in Ireland responsible for personal data protection in the EU.

It’s reported to be the heftiest fine ever issued by the DPC and the second-largest handed out under EU data protection laws.

WhatsApp, however, has already said it intends to appeal the decision and believes the fine is “entirely disproportionate.”

In a statement, a spokesperson for the company told The Reg: “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.

“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.”

In what has proved to be a highly technical ruling dating back to 2018, the DPC said the case examined whether WhatsApp has “discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”

As well as the fine, the DPC has also ordered WhatsApp to take “a range of specified remedial actions” which some sources claim could make privacy policies even less user friendly.

If nothing else, WhatsApp is not alone. In July, Amazon said that an EU privacy watchdog had issued an $885m fine for failing to comply with…

Source…

Amazon faces prospect of EU fine over data privacy. School data breach. A look at Ryuk.


At a glance.

  • Amazon’s European privacy issue.
  • School district data exposed.
  • A look at the Ryuk ransomware operation.

Amazon potentially faces largest GDPR fine ever.

The EU has drafted a decision to fine Amazon $425 million (or roughly 2% of the tech giant’s 2020 net income) for violation of the General Data Protection Regulation (GDPR), the Wall Street Journal reports. The CNPD, Luxembourg’s privacy commission and Amazon’s lead EU privacy regulator (Amazon’s EU headquarters are located in the Grand Duchy), has proposed the sanction for alleged data collection and handling violations. If approved by the EU’s other privacy authorities, this would be the largest fine since the GDPR was implemented in 2018. Though the details of Amazon’s offenses have not been disclosed, the size of the fine signifies a shift in the EU toward holding tech companies to task for their data privacy policies. 

Ireland, which oversees privacy regulations for Facebook, Google, and Apple, also plans to draft decisions for several privacy cases this year.

US school district data exposed in cyberattack.

Union Community School District in the US state of Iowa has disclosed that an intruder gained unauthorized access to its computer systems in April, the Courier reports. The attack temporarily disrupted the district’s servers, and the subsequent investigation found the intruder had accessed school data. “Those documents are currently under review, and the District is committed to providing additional information to the community as quickly as possible,” Superintendent Travis Fleshner explained.

The relentless menace of Ryuk.

The Wall Street Journal offers a profile of the infamous Ryuk ransomware gang, responsible for numerous recent cyberattacks that crippled US medical institutions. The world’s most active ransomware group, Ryuk was tied to a third of the 203 million ransomware attacks in the US last year and raked in at least $100 million in ransom payouts. While some threat groups have avoided targeting vulnerable institutions like hospitals, especially during the pandemic, Ryuk has attacked more than two hundred thirty healthcare providers (lucrative targets due to their dependence on…

Source…