Archive for August 2019 | Monthly archive page

Luscious.net loses 1 million user details. According to the team at vpnMentor, an exposed database allowed access to Luscious account holders’ personal details.

The accessible data included usernames, email addresses, activity logs, and location data for all 1.195 million users.

“Our team was able to access this database because it was completely unsecured and unencrypted,” writes the vpnMentor team. 

If Luscious users happened to use email addresses associated with their real names to register accounts, that information — tied to location data — could be more than enough to associate specific Luscious accounts with their owners. Users’ video uploads to the site were also accessible.

The breach was discovered on Aug. 15, and, after being notified by vpnMentor, Luscious fixed the issue on Aug. 19. That doesn’t mean, however, that no harm was done. 

“While the data breach is now closed,” write the researchers, “it’s still possible that other hackers could have accessed it earlier and extracted the same data we viewed.” 

“A greater issue of concern is the fact that many users joined Luscious on official government emails,” notes vpnMentor. “We found examples of this from users in Brazil, Australia, Italy, Malaysia, and Australia.”

The 2015 Ashley Madison hack demonstrated how this type of information is practically designed for blackmail. In that case, a dating site purportedly offering to put married men in touch with women was breached, and its database consisting of usernames and emails fell into the hands of hackers.

Organisations have had it easy for some time. Data breaches are increasingly being addressed with penalties backed by GDPR legislation. Some noted fines are:

British Airways was fined $328M. Facebook was fined $5B for the Cambridge Analytica data theft. Marriott Hotel was fined $99M.

In Australia, the OAIC reports that it received 812 privacy complaints in 2018.

| Entity | Records | Organization type | Method |
|---|---|---|---|
| 2019 Bulgarian revenue agency hack | over 5,000,000 | government | hacked |
| Canva | 140,000,000 | web | hacked |
| Capital One | 106,000,000 | financial | hacked |
| Desjardins | 2,900,000 | financial | inside job |
| Facebook | 540,000,000 | social network | poor security |
| Facebook | 1,500,000 | social network | accidentally uploaded |
| First American Corporation | 885,000,000 | financial service company | poor security |
| Health Sciences Authority (Singapore) | 808,000 | healthcare | poor security |
| Justdial | 100,000,000 | local search | unprotected api |
| Ministry of Health (Singapore) | 14,200 | healthcare | poor security/inside job |
| Quest Diagnostics | 11,900,000 | Clinical Laboratory | poor security |
| StockX | 6,800,000 | retail | hacked |
| Truecaller | 299,055,819 | Telephone directory | unknown |
| Woodruff Arts Center | unknown | arts group | poor security |
| Westpac | 98,000 | financial | hacked |
| Australian National University | 19 years of data | academic | hacked |

Here are a few links to fines noted.

https://www.abc.net.au/news/2019-07-08/british-airways-cybercrime-credit-card-hack-fine/11289738