SearchInform has noted several incidents involving data leaks that happened in April 2018.

Alexei Parfentiev, a senior business analyst at SearchInform, unpacks the information.

The investigation into the non-payment of fees by the agency managing the duty-free store at the international airport in Trivandrum, India, has become major data leakage news.

According to the Commissioner of Customs, besides duty non-payment, the investigation also revealed the misuse of immigration data. The violation included document forgery and a disregard for national security measures. The agency used the passport data of some 13 000 passengers who had traveled between September and December 2017 for business/ commercial reasons, specifically the trade of foreign liquor.

The Central Bureau of Investigation, the National Investigation Agency and the State Excise Department will conduct a comprehensive investigation. The probe will most likely focus on collusion between customs officers and a private agency willing to obtain and divulge the flight manifest and immigration data.

Art piece featuring personal data of 346 000 Chinese citizens

Deng Yufeng, a 32-year old artist from Beijing, wanted to highlight the role of confidentiality and personal information and decided to use his art as a channel to communicate.

He purchased personal data on the Internet in order to turn it into an artwork. Yufeng obtained user data via the Chinese messenger QQ. It cost him $800 ($0.001 per person) to get names, phone numbers, users’ online shopping info, travel itineraries and license plates.

The concept of “346,000 Wuhan Citizens’ Secrets” did not go down well with authorities.

Wuhan police shut the exhibit in the local museum down two days after it was officially opened.

The artist was informed that he was being investigated for illegal gathering of data and if found guilty could face up to 7 years in prison according to Chinese law.

Swedish Academy admits leaking Nobel Prize laureates in literature

The Swedish Academy – the institution responsible for awarding the Nobel Prize in literature for 117 years – has admitted to another breach of laureates’ data confidentiality.

Laureates’ names have been leaked prior to the official ceremony on seven occasions already since 1996. Besides laureates’ names, the names of new academicians were leaked twice.
Dagens Nyheter was the first newspaper which reported multiple information leakages allowed by the Academy.

Documents in the possession of editors stated that info was manipulated by a source who had contacts in the Academy.

Having analysed the details, journalists concluded that the person who had divulged the names of the Nobel Prize laureates in literature appeared to be not only a prominent figure in Swedish culture, but also the husband of one of the academicians – Jean-Claude Arnault.

Due to scandals and schism among academicians in mid-April 2018, the permanent secretary of the Swedish Academy was forced to resign. Three more members announced their resignation.

Free access to Panera Bread clients’ data for 8 months

Client data belonging to that of Panera Bread, an American chain of bakery-caf├ęs, was leaked.

A file housing the info of 37 000 000 customers could have been freely accessed by anyone for more than half a year.

According to KrebsOnSecurity the records comprising names, email, addresses, dates of birth and bank card numbers of customers who placed orders online were exposed.

Although information security specialist Dylan Houlihan notified Panera Bread about the leak on 2 August, 2017, Mike Gustavison, Director of Information Security of Panera Bread, considered Dylan’s report to be a scam – it took him some time to approve the concern and begin looking for a solution.

Thai mobile operator TrueMove H leaked ID cards and passport numbers of 46 000 clients

The second largest mobile operator in Thailand stored data of 11 400 customers (local media reported there were 46 000 customers affected) using AWS cloud, where the folder could be easily accessed.
There was no protection or means to keep 32GBs of files out of sight. PDF and JPG documents, including passport scans, driver licenses and ID cards, belonging to the clients of the company were stored in the folders allotted for 2016 (14.5 GBs), 2017 (8.3 GBs) and 2018 (2.2 GBs).

Niall Merrigan, security researcher, stated that there was no guard against data theft. URLs could be easily sourced on the internet and all customers’ details downloaded.

Merrigan was even accused of hacking private data before reporting the incident. The managing director of Ascend Commerce, which runs the e-commerce platform iTruemart, said there could be no security system failure and that neither True nor Ascend Commerce were to blame.

For almost a month, client data was stored with no protection before being administered and accessed in the cloud.

The issue was solved on 12 April, 2018.

Apple leaks: 29 insiders are detected, 12 arrested

In the beginning of April Bloomberg published Apple’s post on data leak consequences, development plans and new products which haven’t been released officially yet.

It is stated that in March 2018 the company fired an employee guilty of divulging Apple’s software update strategy, discussed at the closed meeting. In 2017 the company detected 29 insiders involved in the data leakage. The company’s employees, contractors and suppliers were among them.

It is also noted that 12 people were arrested for illegally accessing Apple’s corporate network and stealing trade secrets. Such activity is regarded as federal crime and the violators might be sentenced and fined.

GDPR influence

“The actual situation seems to be illogical. On the one hand, the European Union’s new General Data Protection Regulation (GDPR) will come into force in May, and companies should have already developed the proper infrastructure as well as improved the information security tools therefore boosting the overall data protection system,” says Parfentiev.

“On the other hand, the companies’ approach hasn’t changed at all. Almost all the incidents listed happened to the international companies, and the data of the users from all over the world got compromised. What do these leaks have in common? Nonchalance.

Let’s be honest – it’s hardly possible to guarantee 100% protection against insiders or attacks, there are many weak spots, both internal and external which can facilitate data hacks and information theft. And when it happens, one should not only take all the responsibility for the incident, but make sure that the recovery mechanisms are elaborate and ready to be triggered any minute minimising risk for both corporate and personal data. The cases mentioned above definitely lack professional conscience. These mechanisms weren’t triggered at all or the measures were taken after the incident had been neglected for a long time. One of the situations described even features the fault, quite evident by the way, being denied by the company.

Anyway, information security is going to face global changes very soon – GDPR dictates the new rules. The regulations will surely affect business minds, corporate strategies and personal data safety. It’s going to be as amusing as it will be instructive to compare the security we have today to the approach we’ll have a year from now,” says Parfentiev.