Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Is your email address part of a data disclosure?
Concerned that your email address is part of a data breach or disclosure? Check the free breach-tracking website service “Have I Been Pwnd” to check if your address is listed. If your email appears on any of the reports, be extra vigilant for attempted phishing or social engineering attacks that might leverage your online profile information, and be sure to change your email password at once.
More Twitter data disclosures from 2021 hacking incidents
On January 4, a file containing data for over 211 million Twitter users was published on a popular hacker forum at the bargain price of $2 (all figures USD). The data file contains email addresses, full names, screen names, follow counts, and account creation dates for the Twitter users.
The disclosure can be traced back to 2021. At that time, threat actors discovered a way of exploiting publicly-available Twitter APIs to harvest personal information. They created massive lists of email addresses and phone numbers that had been disclosed in previous data breaches at other companies, then took those lists and fed them into a Twitter API that allowed users to confirm whether they were associated with a specific Twitter ID. The hackers then used a second API to collect public Twitter data for the ID and merged all of the information to compile Twitter user profiles.
Though the 2021 vulnerabilities were patched in January 2022, this disclosure is just the latest in a flurry of disclosures of Twitter data in recent weeks. On December 26, for example, a hacker advertised an alleged data dump of 400 million records with a purchase price of $200,000. In that incident, the hacker called out Elon Musk directly, warning of potential GDPR-related fines if the data were to be released publicly. That hacker also provided a quick reference guide of ways to exploit the stolen data, including “SIM swap, Crypto scans, BEC scams, Phishing accounts,” etc., breathlessly declaring “I mean what you can do with this data is amazing.”
CISA director calls for “sustainable approach to cyber” to protect hospitals and schools
In a January 5 interview with Yahoo Finance at this year’s Consumer Electronic Show (CES 2023) in Las Vegas, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called for the tech industry, consumers, and government to come together to help improve cybersecurity for all parties, while placing an emphasis on protecting hospitals and schools.
“We live in a world… of massive connections where that critical infrastructure that we rely upon is all underpinned by a technology ecosystem that unfortunately has become really unsafe.”
Highlighting recent attacks on the broader public sector, Easterly added: “We cannot have the same sort of attacks on hospitals and school districts that we’ve been seeing for years. We have to create a sustainable approach to cyber safety, and that’s the message that I’m bringing to CES.”
In particular, Easterly called out industry to take security by design more seriously, saying “We’ve essentially accepted as normal that technology is released to market with dozens or hundreds or thousands of vulnerabilities and defects and flaws… We’ve accepted the fact that cyber safety is my job and your job and the job of my mom and my kid, but we’ve put the burden on consumers, not on the companies who are best equipped to be able to do something about it.”
In another interview, quoted by Fox News, Easterly described hospitals and schools as “target rich, cyber poor,” suggesting that the broader public sector and small business will be an area of emphasis for CISA in 2023. “We have seen massive attacks on K-12 schools and hospitals and in all manner of small businesses, which are really the engine of the U.S. economy… What we want to do is to make sure that these entities, which don’t have a lot of resources, have the tools, the resources, the capabilities and the information to be able to protect themselves.”
Meta fined €390M for using personal data without authorization
Meta, the holding company for Facebook, Instagram, WhatsApp, and other Internet services, has been fined a total of €390M (about $558M CDN) for violation of multiple GDPR provisions. In a ruling released January 4, Ireland’s Data Protection Commission (DPC) announced fines to Meta Ireland of €210 million (about $300M CDN) for breaches of the GDPR relating to its Facebook service, and €180 million (about $258M CDN) for breaches in relation to its Instagram service. The ruling also gave 90 days for Meta Ireland to bring its data processing practices into GDPR compliance.
The fines relate to complaints received by the DPC in 2018. At that time, Meta Ireland introduced “contractual necessity,” a set of updated, privacy-focused terms of services for Facebook and Instagram in an attempt to justify Meta’s processing of user data just as the GDPR came into effect throughout Europe. While Meta had previously required user consent to access Facebook and Instagram services, under the revised changes, users were required to accept the company’s updated terms of service in order to continue to access the services – without clear consent provided for the processing of user data for behavioural analysis and personalized services. The ruling also concluded that, in introducing the updated terms, Meta Ireland bypassed the explicit consent requirement under the GDPR by adding a clause to the terms and conditions to include advertising.
Meta intends to appeal the ruling, saying they “strongly disagree with the DPC’s final decision,” and “also plan to challenge the size of the fines imposed.”