WEEK OF AUGUST 29, 2022
Cosmetics giant Sephora to pay $1m+ privacy settlement
- One of the world’s biggest cosmetics retailers has agreed to pay $1.2 million in penalties and take corrective action after falling foul of the California Consumer Privacy Act (CCPA).
- Owned by French luxury goods giant LVMH, Sephora was accused of failing to disclose to consumers that it was selling their personal information and failing to process user requests to opt out of this sale via user-enabled global privacy controls.
- The firm did not correct these issues within the 30-day period stipulated by the CCPA.
- The CCPA is narrower in scope and jurisdiction than the GDPR. However, it represents the first attempt by a state to improve privacy protections for consumers, while handing them more rights over how their personal information is used.
LastPass hacked: Password manager with 25 million users confirms breach
- An unauthorized party had stolen “portions of source code and some proprietary LastPass technical information.”
- Incident responders have contained the breach, and LastPass says there is no evidence of further malicious activity.
- LastPass users will, of course, be concerned that a hacker could have got hold of the keys to their online kingdom: their passwords. However, LastPass has made it clear that, thanks to its ‘zero knowledge’ architecture, master passwords are never stored.
DoorDash discloses new data breach tied to Twilio hackers
- Food delivery firm DoorDash has disclosed a data breach exposing customer and employee data that is linked to the recent cyberattack on Twilio.
- DoorDash says that a threat actor gained access to the company’s internal tools using credentials stolen from a third-party vendor that had access to their systems.
- “DoorDash recently detected unusual and suspicious activity from a third-party vendor’s computer network. In response, we swiftly disabled the vendor’s access to our system and contained the incident,” explains the DoorDash security notice.
Major airline technology provider Accelya attacked by ransomware group
- Accelya – a technology firm providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many more – confirmed Tuesday that two of the security firms it hired to address the incident discovered that company data was posted on a ransomware leak site.
- The AlphV/Black Cat ransomware group published data it allegedly stole from Accelya last Thursday. The group claimed to have stolen emails, worker contracts and more.
- A spokesperson for Accelya told The Record that the experts the company hired managed to “quarantine” the ransomware before it could spread further throughout their system.
Employee data exposed after North Dakota phishing attack
- A Workforce Safety & Insurance employee opened a malicious email attachment — an incident that led to cyber attackers accessing personal data on 182 individuals who had been seeking injured employee claims.
- Those messages included personal details related to processing 182 individuals’ injured employee claims, and the agency reached out to notify the affected individuals, WSI said in an FAQ about the incident.
- The state was able to detect the incident in time to contain the damage.
- After opening the malicious attachment, the WSI employee detected “unusual activity” on their computer and informed the WSI Help Desk. Their computer was then “secured and removed from the state network,” and WSI connected with the North Dakota Information Technology (NDIT) Cyber Analysis and Response team, which conducted a forensic analysis of the impacted device, WSI said.
Quantum ransomware attack disrupts govt agency in Dominican Republic
- The Dominican Republic’s Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency.
- Local media report that the ransomware attack occurred on August 18th and has impacted the agency’s operation.
- “They ask for more than 600 thousand dollars. We were affected by four physical servers and eight virtual servers; virtually all servers,” IAD Director of Technology Walixson Amaury Nuñez told local media.
- The National Cybersecurity Center (CNCS), which has been assisting the agency in recovering from the attack, says that the IP addresses of the attackers were from the U.S. and Russia.