Uber discloses data breach that may have affected 50,000 drivers

Uber suffered a data breach in 2014 that affected 50,000 Uber drivers across the U.S., the ride-sharing startup disclosed in a statement on Friday.

The company determined on September 17, 2014 that a third party could have accessed one of its databases. After Uber “changed the access protocols for the database” and looked into the situation, it learned through an investigation that someone apparently accessed one of its databases on May 13, 2014, wrote Katherine M Tassi, Uber’s managing counsel, privacy.

Supposedly, the information that may have been compromised included driver names and their driver license numbers, but the startup said that it is not aware of any “reports of actual misuse” of that data. The company said it will be contacting the drivers, issuing them memberships in identity-alert services and filing a lawsuit to obtain more information to learn who was the third party that accessed the database.

While this data breach is small compared to the mega breaches that affected JPMorgan Chase, Sony Pictures Entertainment and Anthem in recent months, it’s notable because it seems to be the first publicly known data breach affecting a ride-sharing service.

The data breach also highlights the importance of setting up proper identity management and access controls for a company’s infrastructure, something on which many security startups are concentrating their efforts. At this time, it’s unclear how an unauthorized party was able to access an internal database. However, it’s obvious that Uber will have to ensure better access-management policies for all points in its infrastructure if it wants to make its system less vulnerable to breaches.

The breach comes shortly after President Obama proposed a federal law that calls for companies to notify their customers within 30 days of the discovery of a hack. Uber’s disclosure of the breach it discovered in September appears to have fallen well outside that 30-day mark, and as far as we know, the breach only appears to have affected its own employees.

Scammers defraud TalkTalk users after UK ISP suffers data breach

The personal details of a number of TalkTalk customers have been stolen. In some cases, the details have been used to scam further information such as bank details from the victims.

TalkTalk is one of the biggest British internet service providers, with more than four million broadband customers. In an email to its customers, the ISP admitted to the breach late last year and said “a small, but nonetheless significant” number of its customers had been contacted by people pretending to be from TalkTalk.

According to a spokesman, the data was taken from TalkTalk’s systems, and the scammers quoted TalkTalk account numbers and phone numbers in order to convince victims to provide access to their computers. TalkTalk’s email suggested that this sometimes yielded sensitive information such as bank details, adding that “in some of these cases we know they may be using the information they have illegally obtained.”

It is so far not clear how many customers’ data was stolen in the first place.

The Guardian reported that this admission lined up with its report in December of a possible data breach associated with one of TalkTalk’s Indian centers, which had resulted in some of the firm’s customers receiving scam calls. It also noted that one customer had been defrauded of more than $4,000 by the scammers.

TalkTalk stressed that bank account details and other sensitive information such as date of birth had not been stolen directly in the breach. In a statement, it said:

As part of our ongoing approach to security we continually test our systems and processes and following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures. We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.

The ISP also said it was talking to the Information Commissioner’s Office – the British data protection regulator – and has “taken serious steps to remedy this.” The ICO said in a statement: “We are aware of a possible data breach involving TalkTalk and are making enquiries into the circumstances.”

This article was updated at 2.30am PT to amend “the data was taken from TalkTalk’s servers” to “the data was taken from TalkTalk’s systems”, per a correction from the spokesman. It was updated again at 3.30am PT to include the ICO’s brief statement.

Silicon Valley entrant Dtex Systems lands $15M to stop insider data leaks

It’s not every day that a 15-year-old company grabs a series A funding round. However, in the case of Dtex Systems, which plans to announce Wednesday that it took in a $15 million one, it makes sense. The company — formerly based in Australia and now in San Jose — will be needing that capital and an investment team to grow in the U.S. enterprise security market, explained Dtex Systems CEO Mohan Koo in an interview.

Dtex Systems hawks a security tool that can be installed in a company’s data centers. Most of its clients are on-premises, but Dtex can also be used for the cloud, Koo said. The tool contains a centralized management plane that distributes software-based micro agents throughout the network, and those agents record all user activity in its system.

Once the software agents log all that user-activity data, organizations should have a full audit trail on what every employee is doing. Dtex Systems’s data scientists can then crunch that data with their algorithms to detect anomalies that may indicate whether an employee is up to no good.

Dtex human analytics

For example, Dtex Systems’s data science team has apparently learned from the information it’s gleaning that people who resign from their jobs behave differently during their last days of employment when it comes to how they access their organization’s applications or tools, Koo said. Using the Dtex tool, companies should be able to see this sort of atypical behavior and could prevent departing employees from taking confidential data with them, he said.

“We built a library of 330 different behavioral events which lead to a security breach, and we can use those for customers,” said Koo.

This Silicon Valley newcomer (it opened its San Jose office a month ago) claims that the years it spent working with Asian and European companies to protect their data centers with threat-detection software give it a leg up on other like-minded security companies, especially when it comes to privacy concerns, said Koo.

To work with companies in Germany and Spain that must comply with European privacy laws, Dtex Systems had to come up with a way to anonymize all that data. It does so by separating the user-activity data from the names of employees, which are stored in an encrypted table under nondescript labels like “user 1” or “user 2.” Companies run the Dtex tool to spot unusual employee behavior in the user-activity data, and if they find something that seems like a breach, “they can request the ID for a forensic investigation” and get to the bottom of the problem, said Koo.
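The separation Koo describes, and the idea from earlier in the piece of running an anomaly check over the activity data, as an added example that is not Dtex’s own code. It assumes constructed activity events, “user N” pseudonyms, an HMAC-based stream cipher standing in for a real AEAD, and an investigation case id as the gate for re-identification.

```python
import hashlib
import hmac
import json
import secrets
from statistics import median

# Constructed sample of endpoint-activity events (not real Dtex data).
RAW_EVENTS = [
    {"user": "alice@example.test", "action": "open", "target": "crm"},
    {"user": "bob@example.test", "action": "export", "target": "crm"},
    {"user": "bob@example.test", "action": "export", "target": "fileshare"},
    {"user": "bob@example.test", "action": "export", "target": "wiki"},
    {"user": "carol@example.test", "action": "open", "target": "wiki"},
    {"user": "carol@example.test", "action": "export", "target": "wiki"},
]

def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 counter-mode keystream; stdlib stand-in for a real AEAD (use AES-GCM in practice).
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class IdentityVault:
    """Holds the only link between real names and 'user N' pseudonyms."""
    def __init__(self, key):
        self.key = key
        self._table = {}  # real name -> pseudonym, plaintext in memory only

    def pseudonym(self, name):
        if name not in self._table:
            self._table[name] = f"user {len(self._table) + 1}"
        return self._table[name]

    def seal(self):
        # Encrypted copy of the table, to be stored apart from the activity data.
        nonce = secrets.token_bytes(12)
        return nonce + _keystream_xor(self.key, nonce, json.dumps(self._table).encode())

def pseudonymize(events, vault):
    # Activity records keep everything except the identity.
    return [dict(e, user=vault.pseudonym(e["user"])) for e in events]

def flag_bulk_exporters(pseudo_events, factor=2):
    # Anomaly check that sees pseudonyms only: export counts well above the median.
    counts = {}
    for e in pseudo_events:
        counts[e["user"]] = counts.get(e["user"], 0) + (e["action"] == "export")
    med = median(counts.values())
    return sorted(u for u, c in counts.items() if c > 0 and c > factor * med)

def resolve_identity(sealed, key, pseudonym, case_id, audit_log):
    # Re-identification is gated on an investigation case id and always logged.
    if not case_id:
        raise PermissionError("re-identification requires an investigation case id")
    table = json.loads(_keystream_xor(key, sealed[:12], sealed[12:]))
    audit_log.append({"case": case_id, "pseudonym": pseudonym})
    return {v: k for k, v in table.items()}[pseudonym]

def run_demo():
    vault, audit = IdentityVault(secrets.token_bytes(32)), []
    pseudo = pseudonymize(RAW_EVENTS, vault)
    sealed = vault.seal()  # lives in a separate, access-controlled store
    flagged = flag_bulk_exporters(pseudo)
    names = [resolve_identity(sealed, vault.key, u, "CASE-0001", audit) for u in flagged]
    return flagged, names, audit
```

The analytics stage only ever sees “user 2”; the name comes back only through resolve_identity, which leaves an audit entry tied to the case id.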

Norwest Venture Partners and Wing Venture Partners drove the investment round with Wing Venture Partners’ founding partner Gaurav Garg joining the startup’s board along with Norwest Venture Partners’ senior managing partner Promod Haque.

Obama’s executive order calls for sharing of security data

President Barack Obama signed an executive order on Friday designed to spur businesses and the Federal Government to share with each other information related to cybersecurity, hacking and data breaches for the purpose of safeguarding U.S. infrastructure, economics and citizens from cyber attacks. He signed the order in front of an audience at Stanford University during his keynote address for the White House’s Summit on Cybersecurity and Consumer Protection.

Obama’s speech started off relatively light-hearted with the President pointing out how much technological innovation could be traced back to Silicon Valley and Stanford and even joking that the big webscale companies of Yahoo and Google “were pretty good student projects.”

Things took a turn to the dark side, however, with Obama segueing into the devastation that modern-day technology can bring as exemplified by the major data breaches we’ve seen at Sony Pictures Entertainment and insurance provider Anthem.

The new executive order is supposed to help nullify future attacks with the idea that companies have information related to data breaches that could be helpful to the Federal Government and vice versa.

“So much of our computer networks and critical infrastructure are in the private sector, which means government can’t do this alone,” Obama said. “But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”

With the new executive order, Obama wants both the private and public sector to create hubs where they can trade information with each other and respond to threats “in as close to real time as possible,” according to the executive order.

Obama insisted at several points throughout his speech (and in the executive order itself) the need to balance privacy concerns with national security concerns, a hot topic that has privacy advocates worried that giving government access to business and personal data will lead to intelligence agencies overstepping their boundaries.

“I have to tell you that grappling with how the government protects the American people from adverse events, while at the same time making sure that government itself is not abusing its capabilities, is hard,” said Obama.

Indeed, this delicate line between privacy and security led to senior executives from Google, Yahoo and Facebook declining to attend the security summit. It’s no secret there’s been bad blood between these companies and the U.S. government ever since the leaked Edward Snowden documents detailed the government’s data-collection methods as they relate to the tech giants.

Ironically, Facebook earlier this week revealed its own collaborative threat-detection framework dubbed ThreatExchange, whose purpose is to provide an online hub (hosted by Facebook, of course) where companies can exchange security-related information in order to prevent further data breaches and hacks. Among the companies participating with Facebook on the project are Pinterest, Tumblr, Twitter and Yahoo.

While ThreatExchange allows the trading of security data, it’s probably not exactly what the U.S. government is looking for since it’s only available for businesses to tap into.

Whether the private sector wants to voluntarily disclose more information to the U.S. government in the name of security remains to be seen, but in the meantime, it’s looking like companies are at least open to sharing information with each other sans government.

FBI: North Korea “got sloppy” with IP addresses in Sony hack

The FBI continued to insist Wednesday that North Korea was responsible for hacking Sony Pictures Entertainment, the Associated Press reported. FBI Director James Comey said at a New York cybersecurity conference that North Korea “got sloppy” when it attempted to use proxy servers that would mask the attacks.

Apparently, North Korea forgot to conceal some of its activities with the proxy servers, which resulted in the FBI discovering messages that were linked to IP addresses that North Korea “exclusively used,” Comey said.

When North Korea realized it made a mistake, it rectified the situation, but Comey said it was too late and the FBI “saw where it was coming from,” reported Wired.

The Sony data breach is also linked to North Korean-developed malware, which the isolated nation supposedly used to break into South Korean banks last year, he said.

While Comey shared a few more tidbits into the Sony hack, he was hesitant to go into greater detail on how exactly the U.S. was able to pinpoint North Korea as the culprit beyond what he said because the U.S. has to “preserve our methods and sources.”

This will undoubtedly not please the security experts who have been raising concerns about the U.S. government’s story that North Korea was responsible, claiming the little evidence the FBI has shown so far does not prove its case. Security firm Norse Corp. recently showed the FBI its own forensics on the Sony hack, which the FBI reportedly brushed aside.

Addressing the skeptics, Comey said during the cybersecurity conference, “They don’t have the facts I have.”

Again, this seems to be a “take us at our word” situation with the FBI holding the details and releasing the occasional nugget of information to appease naysayers. It’s safe to say there’s been no smoking gun released so far.

Citing cybercrime, Obama unloads sanctions on North Korea

The United States is laying down additional economic sanctions on North Korea courtesy of an executive order issued by President Obama on Friday. The sanctions come in response to the U.S. Federal Bureau of Investigation’s decision to blame North Korea for the colossal hack against Sony Pictures Entertainment.

As part of the executive order, the U.S. Department of the Treasury singled out three North Korean entities, including the North Korean intelligence agency known as the Reconnaissance General Bureau, and ten individuals as “being agencies or officials of the North Korean government,” according to a U.S. Department of the Treasury announcement on the sanctions.

Among the ten individuals the Treasury Department lists are several North Korean government officials who represent the Korea Mining Development Trading Corporation, North Korea’s arms dealer, in countries including Iran, Russia and Syria.

“Today’s actions are driven by our commitment to hold North Korea accountable for its destructive and destabilizing conduct,” said Secretary of the Treasury Jacob J. Lew in the announcement.

The sanctions are the latest to hit North Korea, whose rogue behavior (on nuclear testing, for example) has earned multiple economic sanctions from the U.S. (and other countries) in recent years.

What makes these new sanctions stand out is the fact that they are attributed to North Korea’s alleged large-scale data breach as opposed to more common reasons for economic sanctions like human rights violations or war crimes.

While the U.S. has been gung-ho in saying North Korea is to blame for devastating Sony, several security experts have been disputing the FBI’s claims. The FBI has reportedly been meeting with security companies to discuss the possibility that North Korea was not responsible, but apparently the bureau has not been swayed by what it’s hearing.

The Daily Beast reported that security firm Norse Corp. recently presented to the FBI its own findings into the Sony hack that supposedly debunked claims that North Korea helmed the attack; the FBI apparently waved it off.

“They basically said thanks a lot and shook our hands and took off,” Kurt Stammberger, a Norse senior vice president, told The Daily Beast.

Feds issue final order over Snapchat privacy incidents, but no fine

What do regulators do when a popular app deceives users about photos that “disappear forever” and scrapes their contact list without permission? Not much.

On Wednesday morning, the Federal Trade Commission announced the approval of a final order against Snapchat, a popular messaging app that lets people send text and images that disappear after a few seconds.

The service, which initially gained notoriety as a teen sexting app, landed in hot water this spring after it became apparent that users could deploy easy workarounds to capture permanent copies of the photos that were supposed to “disappear forever.”

According to an FTC complaint published this spring, Snapchat not only deceived users with such false marketing promises, but it also collected information from iPhone contact lists without permission, and employed lax security measures that exposed 4.6 million users to a data breach.

This week’s order serves to formally implement the terms of the settlement that were announced in March. Notably, the terms do not include any sort of financial repercussions for the company or its executives.

Instead, Snapchat’s punishment consists of a 20-year consent decree, which requires the company to comply with a series of obligations, including the implementation of a privacy program.

Such decrees, which the FTC also has in force against tech companies like Facebook and Google, provide the agency with a means to slap down harsher penalties, including multimillion dollar fines, in the event of future privacy breaches.

The downside of the Snapchat consent decree, however, is that it may reinforce perceptions among Silicon Valley startups that it’s okay to blow off privacy precautions, since little of consequence happens to first-time violators. Indeed, earlier this year, the maker of an Android flashlight app secretly recorded the location of 50 million people, but faced no fine from the FTC.

The original headline of this story used the word “breach.” That word has been changed to “incidents” in light of the fact that the primary issue in the FTC case — the capturing of photos — was facilitated by third party apps, rather than by overcoming Snapchat’s security measures.

FBI doesn’t want companies to hack in retaliation

Major banks, retailers, manufacturers and other companies are fed up with the increasing number of cyber attacks and are exploring hacking in revenge, something the FBI doesn’t seem too keen on, according to a Bloomberg report.

Based on the perception that the U.S. government is not doing enough to stop data breaches, some companies are looking to hack into criminal networks and take back their goods as well as stop future breaches. To help with the retaliation hacks, these companies are supposedly working with security firms.

Citing anonymous sources, Bloomberg reports that the FBI is investigating who took down the Iranian servers responsible for launching cyber attacks against major banks last year. Supposedly, JPMorgan Chase (whose unpatched server led to a data breach earlier this summer) advocated such a move in a secret meeting in February 2013. But a spokeswoman told Bloomberg that the bank didn’t present any sort of official plan of attack during the meeting and merely wanted the U.S. government to do more to prevent these kinds of large-scale breaches.

Other attendees of the closed meeting in New York included members of the FBI, Treasury Department, Citigroup, Goldman Sachs and the New York Stock Exchange, reports Bloomberg.

U.S. officials eventually learned that the Iranian servers at the center of the banking hacks went down due to a third party, and as a result the FBI “began investigating whether any U.S. companies violated anti-hacking laws in connection with the strike on those servers.”

Hacking overseas computer networks is apparently a sensitive subject for the U.S., and the president must sanction any such attack, according to leaked documents courtesy of Edward Snowden that the Bloomberg report cites. However, the news report states that the U.S. can bypass these types of “legally sensitive” attacks by instigating them from locations outside of the U.S. as opposed to inside.

Last week, North Korea’s internet went down a few days after the U.S. singled out the reclusive nation as responsible for wreaking havoc on Sony Pictures Entertainment. At the time, a U.S. State Department spokeswoman told reporters that the U.S. was not able to confirm the hacking reports on North Korea. North Korea, however, is calling out the U.S. and President Obama for shutting down its internet and causing spotty coverage.

An unpatched server led to attackers infiltrating JPMorgan

JPMorgan Chase’s big hack this summer could have apparently been prevented if the mega-bank’s security team had properly updated a neglected server, according to a report in The New York Times that cites unnamed sources.

The data breach supposedly took place this summer when a bunch of JPMorgan’s security team left for the payment processing company First Data. While it originally seemed that Russian hackers were responsible for the hack, the FBI said that’s not the case and no one really knows who caused it. Current evidence does not seem to lead to North Korea either, the Times report explained.

It’s common for banks to use two-factor authentication (the same security measure Apple decided to use after its iCloud was hacked, resulting in the leak of nude celebrity photos) as a way to secure their systems. In JPMorgan’s case, however, security staff forgot to upgrade one of the bank’s servers with the security verification process.

Security experts told the Times that because of the size of JPMorgan and other similar banks and the fact that these institutions acquire a lot of companies, it’s difficult to ensure that their entire networks are secure.

This is just one more reason to remember that you really ought to take time to make sure that all of your servers are patched up. As CloudPassage CEO Carson Sweet told me in late August, regarding the companies he’s been talking to, around 50 percent of servers spun up in the cloud have vulnerabilities because the original servers they were spawned from weren’t updated.