WEEK OF SEPTEMBER 19, 2022
Uber investigating breach of its computer systems
- Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.
- The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.
- An Uber spokesman said the company was investigating the breach and contacting law enforcement officials.
Starbucks Singapore says customer data illegally accessed in data leak
- F&B chain notifies members of its Rewards loyalty programme that customer details, including birthdates, residential addresses, and mobile numbers, have been illegally accessed and it is working with local authorities on the security incident.
- It said details related to its Rewards customer loyalty programme, such as stored value and credits, were unaffected.
- Credit card data also had not been compromised since it did not store such information, according to Starbucks.
- The retailer said local authorities had been informed and it was assisting them with the investigation. It also noted that while passwords were not compromised, customers were encouraged to reset their passwords immediately.
Akamai sees Europe’s biggest DDoS attack to date
- Akamai recently mitigated a distributed denial-of-service (DDoS) attack that set a new record for attacks targeting European organizations in terms of packets per second.
- Identified and thwarted on September 12, the assault peaked at 704.8 million packets per second (Mpps) and represented the second record-setting DDoS attack targeting the same customer over the past three months.
- In July, after being on the receiving end of 74 DDoS attacks, the organization was the target of a 659.6 Mpps DDoS assault. Since then, it has been targeted with 201 other DDoS attacks, Akamai says.
- While it was not the largest to date, the September DDoS assault did set a new record for DDoS attacks targeting European entities, the internet giant notes.
U-Haul discloses data breach exposing customer driver licenses
- Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers’ names and driver’s license information.
- Following an incident investigation started on July 12 after discovering the breach, the company found on August 1 that attackers accessed some customers’ rental contracts between November 5, 2021, and April 5, 2022.
- “After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver’s license or state identification number,” U-Haul told affected customers in notification letters sent on Friday.
South Korea fines Google, Meta over privacy violations
- South Korea’s privacy watchdog has fined Google and Meta a combined 100 billion won ($72 million) for tracking consumers’ online behavior without their consent and using their data for targeted advertisements.
- South Korea’s Personal Information and Protection Commission said it fined Google 69.2 billion won ($50 million) and Meta 30.8 billion won ($22 million) after a meeting where officials agreed that the companies’ business practices might cause “serious” privacy infringements.
- The fines were the biggest ever penalties imposed by South Korea for privacy law violations, the commission said in a press release.
- Both companies refuted the commission’s findings and Meta indicated it could challenge its fine in court. The fines can be appealed through administrative lawsuits, which must be filed within 90 days after the companies are formally notified of the commission’s decision.
Google, Microsoft can get your passwords via web browser’s spellcheck
- Extended spellcheck features in the Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and, in some cases, passwords, to Google and Microsoft, respectively.
- While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.
- Both Chrome and Edge ship with basic spellcheckers enabled. But features like Chrome’s Enhanced Spellcheck or Microsoft Editor, when manually enabled by the user, exhibit this potential privacy risk.