(In)secure digest: personal data newsletter, hacked state services and endangered farmers

07.07.2022

Back to blog list

(In)secure digest: personal data newsletter, hacked state services and endangered farmers.

The time has come to reveal some “classic” and non-trivial information security incidents. As usual, we’ve gathered some of the most impressive cases of the month in our digest – among them, for example, city contractor, whose employee lost the flash drive with personal data of all citizens; “free-of-secrets” newsletter from a university administration, Indian government increasing employees’ awareness in information security sphere. 

One more dangerous misconfiguration of a databa

Situation: POS system developer StoreHub kept data on an unprotected server. Thus, a data leak occured. As a result, any interested person could gain access to data on one million customers.

Case study: According to the cyber security specialists' report, Storehub company misconfigured one of its server, and due to it approximately 1,7 billion records and more than a terabyte of data has been put at a stake of being compromised.
StoreHub develops software for processing and registration of purchases, which is usually required in retail. Data leak not only concerns thousands of restaurants and shops, using POS-systems by StoreHub, but also data on their employees and clients, who made transactions via terminal as well.  Cyber experts obtained names, emails, phone numbers, addresses, information about purchases and even some confidential payment details in public access. The compromised data was obtained by experts in January 2022, and this fact was reported immediately to StoreHub management. However, the experts haven’t received a reply. It’s also known, that StoreHub's management had denied the fact of leak occurrence for some time, but lately made a statement, that vulnerability was eliminated soon after it was revealed.  

Personal data lost. Prerequisite is… a nice party the day before 

Situation: a private contractor hired to oversee Covid-19 relief payments to local households got drunk and lost a flashdrive, containing personal data of citizens of city of half a million people. 

Case study: A Japanese person worked on a municipal program on Covid-related pay-offs during the pandemic. The employee copied Amagasaki citizens’ personal data to a USB-device, as he intended to transmit the data to the company representatives, whose office is located in a neighbour town. Before the departure, the employee had decided to visit a restaurant with colleagues. He had spent an evening drinking in a restaurant, and after the party was over the man found out, that his bag was missing. Thus, the employee lost USB-flashdrive, containing data on names, birthdates, bank account numbers and tax declarations. During the press conference the city authority representatives admitted, that the employee’s actions caused serious damage to general public and apologized on behalf of the administration. By the way, police officers managed to identify the route of the employee, his bag with the flashdrive was obtained in an area, one kilometer away from the restaurant.  

 

 

 

 

 

 

 

 

 

 

 

 

Newsletter with a surprise.

Situation: Personal data of 15,000 students of Newfoundland’s university was made publicly accessible by mistake. 

Case study:  An unintended leak occurred due to a newsletter on the career development topic, conducted by university. Approximately one thousand students received emails, which contained personal data of other students: names, emails, student IDs, educational programs.  All victims were immediately notified about the incident. And all the recipients were strongly recommended to delete the letter.  University officials stated, that confidential data - concerning health state, social security numbers and financial issues - hasn’t leaked. But who knows, maybe the missing data will be sent next time? The university management apologized for the data leak and promised to reconfigure students’ data handling the related processes. 

 

Guide for “open” access and endangered farmers

Situation: India’s government published a confidential guide for state employees on the topic of data protection. The guide leaked to public access. 

Case study: The government published a document for 30 million employees, containing regulations on interaction with confidential data in terms of cyber security.  The described regulations require: usage of strong passwords, two-factor authentication, antivirus software, etc. The document was marked with “Limited access” tag and was aimed only for employees of government organizations’ usage. 

Nevertheless, “secret” document was somehow exposed for public access on a web-site. The person, who published the document on a web-site, probably, hasn’t read it in advance, because one of regulations, included in the guide’s body requires not to publish confidential data. India’s government struggle for cyber security definitely has sense. Recently, an expert found out, that government web-site by mistake revealed identification numbers of 110 million farmers, who annually receive pays-off from government. Intruders had an opportunity to easily access Indian farmers’ personal data and get their pays-off. The expert reported on this misconfiguration in January, however, the problem was fully eliminated only in May. 

Information security advice of the month: the new month has come, but most concerning information security issues are still the same. What if tomorrow a regulator will carry out a check, but personal data in the organization isn’t kept in a proper way, or some copies of top secret documents aren’t figured? In order not to twitch yourself and not to worry about occasional personal data leak, you may begin to monitor file storages with SearchInform FileAuditor. It’s free during first 30 days.