Apple suffers major info breach, data of 800 000 Swiss citizens exposed | #eBizWires

The biggest leak in the history of Apple appeared to be the fault of a trainee

In early February 2018, an unknown person posted iBoot source code on GitHub, the code responsible for iOS trusted boot process. The leak is the largest in the history of the company and makes it easier for attackers to hack the operating system of Apple devices.

Further investigation revealed a trainee was involved in the info leakage: his friends, who are experts in jail-breaking, asked him to steal a part of the code. All of the five friends had access to the hacked information. They weren’t planning on distributing the code or using it against Apple.

However, the situation quickly got out of control: one of the friends shared the info with another person who later published the stolen part of the code. At the request of the company, the publication was removed from GitHub, but that did not prevent the code from being spread across the Web.

iBoot source code is the most valuable and is carefully protected. The company will pay off $200 000 for failures and errors found during the system boot. This is the largest remuneration which can be possibly granted within the Apple vulnerability search program.

“Besides employees, their friends might get an access to protected information. The consequences of the info breach are financially disastrous. According to the Cost of Data Breach Study, the loss of customers makes an average American company pay 4.13 million dollars. Another 1.5-million-dollar sum is spent on investigation, rehabilitation and litigation,” commented Alexei Parfentiev, SearchInform analyst.

Personal data of 12 thousand bloggers uploaded to Amazon Web Services S3 cloud storage disclosed

Data in the cloud belonging to marketing firm Octoly was exposed in early January 2018. Included in the files was a backup copy of the database with information about marketing operations in Europe and North America.

The erroneous configuration of the cloud storage appeared to be the cause of the incident. As a result, the personal data of 12,000 bloggers promoting the products of such brands as Dior, Estée Lauder, Lancôme and Blizzard Entertainment was exposed. In addition to the bloggers’ personal data, client company information and commercial secrets were compromised.

While the backup copy was deleted a week after the discovery, regularly updated personal data remained accessible until 1 February, 2018. UpGuard experts say according to the cybersecurity risk score scale, the Octoly data leak scored 760 out of the maximum 950 points.

“The problem is that this type of leakage is difficult to detect. It may take months before the company learns about the loss of information. An error in the cloud storage settings is just one of many risks that threaten corporate information,” emphasises Alexei Parfentiev.

Data of 10% of the country’s population exposed by the largest telecommunication company in Switzerland

Swisscom mobile network acknowledged that at in the end of 2017 the personal data of about 800 000 clients (or every tenth Swiss citizen) was compromised. The incident was discovered during a routine check.

Representatives of Swisscom announced that the violators used the access rights of a sales partner. The company also reported on changes to the IS policy: access control was improved, numerous customer data requests at one session were disallowed and two-factor authentication for partners to access the data was introduced.

“Insider’s actions, deliberate or accidental, result not only in reputation loss, but also in financial damage, and the business needs comprehensive protection. According to Gartner, today about half of the world’s companies protect their business using DLP-systems, and in two years their number will grow to 85%. A modern DLP System helps to detect leaks intercepting events in real time,” said the leading analyst at SearchInform.

Personal info of 2,300 colleagues stolen by a former employee in California

On February 15, 2018 the California Department of Fish and Wildlife sent out a message within the organisation notifying the employees of an incident involving personal data theft.

The incident was discovered in the end of 2017, and it probably took the organisation two months to conduct a proper investigation. A former employee of the department uploaded the personal data of 2,300 colleagues, as well as contractors, to his personal portable device and took it outside of the corporate network.

“According to our research, 47% of information leaks occur due to the former employees’ activity, and the statistics are alarming. The dismissed employees should be included in the risk groups to prevent the company information leakage. Special software will help control the intention of the employees on the verge of quitting,” says Alexei Parfentiev.

Illegal access to state employees’ data revealed thanks to WhatsApp

The Service and Payroll Repository of Kerala (SPARK, India) database containing personal data of Kerala state officials was compromised and confidential information exposed.

A discussion about salaries of Kerala State Civil Supplies Corporation Limited employees was conducted via a WhatsApp group. The security breach was noted after an assistant manager complained about the distribution of his salary details over the messenger.

The violation of the access to the Supplyco Employee Information and Payroll System with records of employee personal data, credit reports and other information sparked the incident.

“Messengers are popular both for personal purposes and in the workplace. IS specialists think of them as another data leakage channel as well as a useful source of information. WhatsApp drew attention to the fact that the access rights were violated. Thanks to the ability to control the communication channel and employees’ activity, it’s possible to detect such incidents before the consequences get overly oppressive,” summed up the SearchInform specialist.

For more information, go to:  https://searchinform.com/threats/guideline-2/

About SearchInform

SearchInform is the leading information security company with offices in the CIS, Europe, the Middle East and Latin America. For over a decade the company has been a technological trailblazer focusing on contemporary cybersecurity threats, protecting business and government institutions against data theft and harmful human behavior.

More than 2,000 companies across all major economic domains, from banking and retail to machinery and fighter jet manufacturers, look to SearchInform for efficient holistic information security to defend against ever-improving threats and avoid damaging security breaches and other ominous consequences.

 

About eBizRadio

eBizRadio is a live multi- platformed social media service providing an online forum to the business community for holding conversations on the key issues related to specific businesses as well as availing a space for cross-business collaboration in response to key issues affecting the world of business. The place to go if you want to know about business and lifestyle
Author: eBizRadio
Tags

Login

Please enter the correct answer: *