Friday Five: 9/28 Edition
Ransomware hits the Port of San Diego, the EU pushes for a data audit of Facebook, and more - catch up with the week's infosec news with this wrap-up.
1. Twitter Sent User DMs to Developers by Mistake by Brian Barrett
Here's an interesting one that seemingly made a lot of headlines early in the week then fizzled out. Turns out a Twitter bug may have exposed millions of users' Twitter direct messages to a developer who - obviously - wasn't supposed to see them. The issue, which stemmed from the service's account activity API, technically only involved interactions with companies using Twitter for customer service, per Twitter. That doesn't change the fact that the issue lingered in the wild so long; according to the company it existed from May 2017 to September 10, 2018, nearly 16 months.
2. Port of San Diego victim of cyberattack by Jennifer Van Grove and Gary Robbins
Here's hoping the Port of San Diego doesn't become the next Atlanta. The port, which brings in roughly 3,000,000 metric tons of cargo a year, was hit by a cyberattack this week, something that severely limited the agency's ability to handle permits, records requests, and other business services, according to the San Diego Tribune. Details around the attack are scant. While ransomware is believed to be the culprit, little else is known, other than the fact that Port officials didn't reveal the attack until Thursday, even though the first disruption occurred on Tuesday. Atlanta, in case you missed it, had to pay $2.6M earlier this year to recover from a ransomware attack that brought its systems down.
3. Ogdensburg hospital terminates employees following breaches of patient information; says police not involved by Jimmy Lawton
Claxton-Hepburn Medical Center, a medical and surgical facility in Ogdensburg, a city on the St. Lawrence River along the northern border of New York, said this week it has enacted safeguards after its employees improperly accessed patient information. The hospital said Wednesday that it realized patient information had been breached, a violation of HIPAA, during a recent internal investigation. As is usually the case with incidents like this, there are more questions than answers. It's unclear exactly how many employees may have accessed the data, what the employees may have done with the data, or how much of it was accessed; Claxton-Hepburn would only say that it terminated the individuals who were responsible.
4. Uber to Pay Record $148 Million Fine for Concealing 2016 Data Breach by Dell Cameron
It's hard to believe that the news around Uber's mishandling of a breach years ago only came out last November. Perhaps that's because the incident in question is so far in the rear view mirror. The breach, in which information on 57 million riders and drivers, including 600,000 drivers' license numbers, was exposed, happened a year before that disclosure, in 2016. The company was no doubt happy to close the book on the debacle this week when it announced that it had settled with state law enforcement officials to the tune of $148 million. A handful of state attorneys from across the U.S. launched the investigation following the announcement.
5. EU lawmakers push for cybersecurity, data audit of Facebook by Lorne Cook
Lawmakers in the EU pushed Facebook this week to accept a "full and independent audit of its platform investigating data protection and security of personal data." That the EU parliamentary committee drafted a resolution on Facebook on Thursday, the same day it came out that the company was using phone numbers collected for two-factor authentication for targeted advertising, was purely coincidental, but in reality it lends credence to the EU's claims that Facebook's "policies and actions potentially jeopardized citizens' personal data." Thursday's research, if you're curious, comes via Northeastern University, Princeton University, and Gizmodo reporters and can be found here.