Cyber Security Headlines: Submarine cables severed, Microsoft’s BlueBleed problem, Health system breach

Internet connectivity worldwide impacted by severed EU subsea cables

An important submarine internet fiber cable located near the South of France was severed yesterday at 20:30 UTC, causing connectivity issues in Europe, Asia, and the United States, “including data packet losses and increased website response latency.” Repair technicians arrived on the scene promptly, but “had to wait for the police to collect evidence before they were allowed to work on restoring the damage.” At the same time, another subsea cable linking the Shetland Islands to the Scottish mainland has been damaged, too, leaving netizens on the island isolated from the rest of the world. This latter case has been confirmed to have been caused by a fishing trawler.

(Bleeping Computer)

Microsoft BlueBleed customer data leak claimed to be ‘one of the largest’ in years

Microsoft has confirmed a data leak linked to a misconfigured server for a cloud storage service but is disputing the extent of the problem. In a report released this week, threat intelligence firm SOCRadar revealed that the misconfigured server exposed sensitive data including proof-of-execution and statement-of-work documents, user information, product offers and orders, project details, personally identifiable information (PII), and possibly intellectual property. SOCRadar said that its Cloud Security Module monitors “public buckets” to detect exposed customer data and that six large public buckets contained information from more than 150,000 companies in 123 countries. The company is collectively referring to the leaks as “BlueBleed”.

(The Register)

Health system data breach due to Meta Pixel hits 3 million patients

Advocate Aurora Health (AAH), a 26-hospital healthcare system located in Wisconsin and Illinois, has announced a data breach that has potentially exposed the personal data of 3,000,000 patients. The cause of the breach was the improper use of Meta Pixel on AAH’s websites, where patients are required to log in and enter sensitive personal and medical information. “Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements.” But in addition to its tracking functions, it also sends sensitive data to Meta (Facebook), which is then shared with a network of marketers who target patients with advertisements that match their conditions. According to Bleeping Computer, “this privacy breach has taken the U.S. by storm, as Meta Pixel is used by many hospitals in the country, exposing millions of people to third parties and sparking class action lawsuits against the responsible organizations.”

(Bleeping Computer)

Parler accidentally doxxes VIP members while announcing Kanye’s Acquisition

The social media platform accidentally exposed the personal email addresses of some of its most elite members on Monday while announcing the company’s acquisition agreement with the artist formerly known as Kanye West. Parler sent out an email that CC’ed a group of VIP members rather than BCC’ing them, resulting in the email addresses being shared among all the VIP members, many of whom did not even know they were on the VIP list. Although this does not rate highly as a data breach, it is another embarrassment for the platform, which suffered an attack last year when hacktivists scraped all available public data on the platform and then uploaded it to the Internet Archive for safekeeping.

(Gizmodo)

Financial losses to synthetic identity-based fraud to double by 2024

Synthetic identities only exist as figments in a credit reporting bureau’s records, but fraud from these identities is expected to rise from a reported $1.2 billion in 2020 to $2.48 billion by 2024 in the US, according to an analysis published Thursday by identity verification vendor Socure. The identities are usually based on a real person, “but with a slight tweak to some piece of personally identifiable information, like a different date of birth or Social Security number.” A fraudster can then use the identity for a wide array of purposes, including different types of loan applications and credit cards. 

(CSOOnline)

Hacking group updates Furball Android spyware to evade detection

According to Bleeping Computer, “a new version of the ‘FurBall’ Android spyware has been found targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also known as APT-C-50.” This new version has been analyzed by ESET researchers, who identified many similarities with earlier versions, though it now comes with obfuscation and C2 updates. “This discovery confirms that ‘Domestic Kitten’ is still ongoing in its sixth year, which further backs the hypothesis that the operators are tied to the Iranian regime, enjoying immunity from law enforcement.” FurBall is distributed via fake websites that are visual clones of real ones. Victims are directed to them through direct messages, social media posts, emails, SMS, black SEO, and SEO poisoning.

(Bleeping Computer)

Brazilian police arrest suspected member of Lapsus$ hacking group

The arrest, conducted by the Federal Police of Brazil, was part of a new law enforcement effort, dubbed Operation Dark Cloud. Few details were released about the suspect other than the fact that the person could be a teenager. “The Polícia Federal said it commenced its investigation in December 2021 following an attack on websites under Brazil’s Ministry of Health, resulting in the alleged exfiltration of 50TB of data and temporary unavailability of COVID-19 vaccination data of millions of citizens.”

(The Hacker News)

Texas sues Google for allegedly capturing biometric data of millions without consent

The lawsuit was announced by the state’s attorney general’s office on Thursday. “The complaint says that companies operating in Texas have been barred for more than a decade from collecting people’s faces, voices or other biometric data without advanced, informed consent,” yet Google, through products like Google Photos, Google Assistant, and Nest Hub Max, “has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google’s commercial ends,” the statement said, adding that “everyday Texans have become unwitting cash cows being milked by Google for profits.”

(Reuters)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.