During April, the security world saw access rights violation, email redirection, phishing, fines and Facebook share price fall.
SearchInform has prepared this wrap-up of activity for the month.

An error found in data access settings after four years of the system operating incorrectly

In March 2018, the U.S. Department of Health & Human Services reported an incident at QuadMed, which operates first-aid rooms in companies across the country. Such organizations usually keep personnel medical records in a shared database. At QuadMed, medical records could be accessed by QuadMed employees and by employees of the QuadMed client companies. An error in the access settings compromised the data of several thousand patients.

The incident affected three clients of the company: Hillenbrand, the logistics company Stoughton Trailers, and Whirlpool Corporation, a household appliances manufacturer. As reported to the U.S. Department of Health and Human Services, the data of 4 549 patients was at risk of being leaked at any moment.

Svitzer information leak due to redirect

Three employee accounts belonging to Svitzer Australia had been forwarding email to external addresses for 11 months. About 60 000 emails were sent to outside recipients because of the redirection. The emails contained financial data, including employee salaries and details of commercial operations.

Personal information of more than 400 employees was exposed: tax file numbers, details about employees’ relatives and retirement account data. About 1000 people work for Svitzer Australia. The forwarding began on 27 May 2017. The redirection was discovered and stopped on 1 March 2018.
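The Svitzer case is the classic silent mailbox-forwarding leak: a rule sits on an account and copies every message to an outside address until someone audits the rules. The script below is an added example, not code from SearchInform or from Svitzer, showing the check a defender would run. It assumes a constructed, hypothetical audit log format (one `key=value` record per rule) and a hypothetical set of internal domains; it flags every forward or redirect rule whose target is outside those domains and reports how long each rule has been active, so an 11-month-old rule stands out from one created yesterday.

```python
"""Audit mailbox rules for forwarding or redirection to external domains.

Added example, not from the article. The log format, domain names and
mailboxes below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: the organization's own mail domains (hypothetical values).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Constructed audit records: rule creation date, mailbox, action, target.
SAMPLE_AUDIT_LOG = """\
2017-05-27 mailbox=a.jones@example.com action=redirect target=ajones.backup@mailbox-relay.net
2017-09-12 mailbox=b.singh@example.com action=forward target=b.singh@corp.example.com
2017-11-03 mailbox=c.lee@example.com action=forward target=payroll.archive@free-mail.example
2018-01-15 mailbox=d.park@example.com action=move target=Archive
2018-02-20 mailbox=e.ruiz@example.com action=redirect target=e.ruiz.personal@webmail-service.org
"""


@dataclass
class MailRule:
    created: date
    mailbox: str
    action: str   # e.g. forward, redirect, move
    target: str   # address for forward/redirect, folder for move


def parse_audit_log(text):
    """Parse the constructed 'YYYY-MM-DD key=value ...' lines into MailRule objects."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        fields = dict(tok.split("=", 1) for tok in tokens[1:])
        rules.append(MailRule(date.fromisoformat(tokens[0]),
                              fields["mailbox"], fields["action"], fields["target"]))
    return rules


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours (case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def find_external_forwarding(rules, today, internal_domains=INTERNAL_DOMAINS):
    """Return forward/redirect rules targeting external addresses, oldest first.

    Each finding records the mailbox, the target and the rule's age in days
    as of `today`, which is what an incident timeline needs.
    """
    findings = []
    for rule in rules:
        if rule.action not in ("forward", "redirect"):
            continue  # folder moves and similar rules do not leave the organization
        if is_external(rule.target, internal_domains):
            findings.append({
                "mailbox": rule.mailbox,
                "action": rule.action,
                "target": rule.target,
                "age_days": (today - rule.created).days,
            })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)


if __name__ == "__main__":
    # Review the rules as of the day the redirection was discovered.
    for f in find_external_forwarding(parse_audit_log(SAMPLE_AUDIT_LOG), date(2018, 3, 1)):
        print(f"{f['mailbox']} -> {f['target']} ({f['action']}, active {f['age_days']} days)")
```

Run against a real export, the same logic applies unchanged; what varies is the parser, since each mail platform exposes rules in its own format. The age column matters because a leak of this kind is measured by how long the rule survived, not by how many rules existed.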

S.S. Lazio sent some transfer money to social engineers

Lazio has fallen prey to phishing. Having received a forged invoice, the club sent 2 000 000 euros to the fraudsters. The money for Stefan de Vrij’s transfer was paid to bank account details presented as Feyenoord’s, which turned out to be fake.

According to the Italian media, the scammers knew that the deal was going to happen. The management of the club was tricked by social engineers who had sent an email on behalf of the Dutch club asking for the money to be paid into their bank account.

Feyenoord didn’t receive the money, and its management wasn’t aware of the email. The court ascertained that the payment was received by the indicated bank but that the account didn’t belong to Feyenoord. The account owner is allegedly a citizen of Spain.

Tesco Travel Money leaked personal data of 17 000 clients

Travelex, a foreign exchange company headquartered in London, reported that the personal data of 17 000 Tesco Travel Money clients was leaked. Clients who had placed orders online or over the telephone were at risk of having their confidential information exposed.

Full names, dates of birth, home and mobile phone numbers, and addresses, including e-mail and IP addresses, were stolen. Employee and client correspondence was compromised as well.

US power company will pay $2.7 million for data leak

Pacific Gas and Electric, which supplies gas and electricity to 5.2 million households in California, will pay a record fine for the incident. The hackers gained remote access to critical infrastructure. As agreed between the management and the authorities, the company will be fined $2.7 million.

Critical assets such as the systems controlling access to substations and control centers, as well as the SCADA (supervisory control and data acquisition) system, were exposed online for 70 days. Besides usernames, cryptographic material that could help to recover passwords was kept unprotected. The uninterrupted operation of the unified energy system was put at risk.

Facebook reputation recovery will cost Mark Zuckerberg $6 billion

Cambridge Analytica obtained the personal data of 50 million Facebook users. The information was collected with the help of psychological tests offered on Facebook. The data was allegedly needed for academic research. The British company misstepped in picking tools for the analysis while developing a strategy for the US elections. The biggest social network leak supplied Cambridge Analytica with personal data that could be used to influence American voters during the election campaign.

The investigation was completed on 17 March 2018, although Mark Zuckerberg commented on the scandal only 5 days later. The founder of Facebook noted that the company had forbidden the collection of friends’ data 4 years earlier. After the incident initiated by Cambridge Analytica, third-party programs will be allowed to access only names, photos and email addresses. Access to posts and other profile data will require a signed user agreement.

However, after the story got media coverage, the spontaneous #deletefacebook campaign began. The scandal made Facebook shares fall 6.8%, the company’s capitalization fell below $500 billion, and Mark Zuckerberg has already lost $6 billion.

“Anyone who uses clouds, email, messengers or maps risks sharing information with third-party recipients. The issue doesn’t necessarily concern password theft or aiding scammers,” comments Alexei Parfentiev, SearchInform analyst. “The user agreement should be examined – usually there are conditions indicating that the service can use any data for marketing analytics or other statistical purposes.

“We all know that social networks are designed for social interaction. At least some information posted online remains accessible to the whole world. As long as data is available to the public, the ability to choose who may and who may not see it seems to be utopian.”