Friday Five: 3/30 Edition
Apple and GDPR, the Under Armour breach, and online banking fraud - catch up on the week's infosec news with this roundup!
1. 20 Suspect Hackers Arrested Over Online Banking Fraud by Charlie Osborn
A fairly successful week for cybercrime crackdowns this week was bookended by two Europol busts. The first, on Monday, led to the arrest of a man believed to be the mastermind behind Carbanak, malware that made criminals roughly $1.2 billion over the last few years. That was followed up by a joint bust of 20 hackers - nine in Romania and 11 in Italy - implicated in a phishing scam carried out on hundreds of banking customers. According to ZDnet the group, pretending to be tax agencies in emails, tricked victims into clicking on malicious links and giving up their online banking credentials. Europol had some help with this bust: The agency was assisted by its Joint Cybercrime Action Taskforce (J-CAT) and Eurojust, an agency of the European Union that deals with judicial cooperation in criminal matters.
2. Under Armour Says Data Breach Affected about 150 Million MyFitnessPal Accounts by Chloe Aiello
Another day, another breach... naturally. This one, at least in the grand scheme of things, is a big one. Approximately 150 million users of MyFitnessPal, one of the most popular web-based exercise and fitness social media apps, are being encouraged to change their password if they used it for more than just the app. Usernames, email addresses, and hashed passwords were leaked, according to Under Armour, which acquired the app in 2015. The company didn't say how an unauthorized party acquired the data. According to CNBC Under Armour said it only learned user data was accessed four days ago, meaning this is a relatively quick – and admirable – disclosure turnaround for the company.
3. Apple Revamps Privacy Controls to Comply With New European Law by Mark Gurman and Stephanie Bodoni
We knew it was coming: Apple said this week it would begin rolling out new privacy updates, specifically for its devices and iCloud services, in May to coincide with the EU’s General Data Protection Regulation (GDPR). From Bloomberg’s description it sounds like the company will unveil a site in which users can download a copy of their data that's shared with the company, delete their account, and give them more transparency into how Apple uses personal information. While the site won't be online for a few months users who download iOS 11.3 - released this week - will see a new screen touting how the company values users' privacy. With GDPR looming the move was expected. It’s some well-timed PR for the company as well, especially considering the privacy-related backlash that Facebook is dealing with regarding this month's Cambridge Analytica fiasco.
4. Power Company in India Hacked and Billing Data Ransomed for 10 Million Rupees by Lawrence Abrams
Hackers ransomed the billing data of thousands of power customers in India last week, an incident journalists in the nation are calling one of the first of its kind for the region. Attackers took the information from Uttar Haryana Bijli Vitran Nigam (UHBVN) - a power company there - and asked for 10 million Rupees, roughly $150,000 USD, from the state government in order to release it. According to BleepingComputer's Lawrence Abrams, who cites an article from The New Indian Express, the data is “purportedly being recovered by inputting from logbooks and other sources." It remains to be seen how long the effort will take and how successful it will be however.
5. As Atlanta Seeks To Restore Services, Ransomware Attacks Are On The Rise by Vanessa Romo
City of Atlanta employees finally got the word they could turn on their computers and printers on Tuesday, the first bit of good news following a cyberattack that rendered the city's computers practically useless last week. NPR had a short trend story on ransomware on Friday recapping the story and recent ransomware attacks that's worth a listen. While most of their systems are back online there are a handful that aren't. Citizens can't pay their water bill, the police can't use some databases, and the court is pushing off its caseload - at least for now. It's unclear if those systems are still impacted by the ransomware or if they're just dealing with repercussions of the attack. The biggest question mark to come out of this whole debacle is whether or not Atlanta actually paid the attackers. Their lips are apparently sealed.