This week, we discuss a massive data breach at Dailymotion, a very serious data breach at Europol, and the Met Police’s novel way of bypassing iPhone encryption.
Hello and welcome to the IT Governance podcast for Friday, 9 December. (Christmas is coming, the goose is getting fat. Please change your passwords before you all get hacked.)* Here are this week’s stories.
In a 6 December blog – the only mention of the incident across its sites as far as I can see – video sharing platform Dailymotion advised its users to change their passwords. “It has come to our attention that a potential security risk, coming from outside Dailymotion may have comprised the passwords for a certain number of accounts,” it said. “The hack appears to be limited, and no personal data has been comprised. Your account security is extremely important to us, and to be on the safe side, we are strongly advising all of our partners and users to reset their passwords.” Well, that doesn’t sound too bad. Potential risk… May have comprised (comprised? Perhaps they mean compromised) the passwords for a certain number of accounts… To be on the safe side… I wonder how many “a certain number” is, though. Let’s have a look at LeakedSource, shall we? They’ll know. Whoa! More than 87 million account details – including usernames and email addresses belonging to approximately 85 million users! Still, Dailymotion says “no personal data has been comprised” (again, I’m sure they mean compromised) so it’s probably not that bad. But according to bleepingcomputer.com, 18 million of the compromised (ahem) records have passwords listed. They’re encrypted so that’s something, but still, as a LeakedSource spokesperson told Bleeping Computer, “A determined hacker who wants to crack one person’s hash may still be able to.” Ouch. Now, I’m not saying that this is Dailymotion’s fault. Everyone gets attacked, and victim shaming does no one any favours. But how you react to a breach is very important – and if my company had lost the account details of 85 million customers, I’m not sure I’d downplay it that much.
Europol, the European Union’s law enforcement agency, has admitted a “very serious incident” in which confidential information relating to terrorism investigations was accidentally put online. According to Dutch current affairs programme Zembla (and I admit my Dutch isn’t erg goed so I’ve used Google Translate), the data breach compromised more than 700 pages of police files relating to 54 investigations covering the period 2006 to 2008, and including analyses of the Hofstad group, the Madrid bombings, foiled attacks on aeroplanes involving liquid explosives and numerous terrorism investigations that have never been made public. Backup copies of the files were uploaded onto an Internet-connected hard drive without password protection by a Europol employee who took them home, in contravention of Europol rules. According to Reuters, Europol’s adjunct director Wil van Gemert said it did not appear that the dossier had been seen by anyone other than Zembla researchers, but he could not rule it out. An investigation is underway.
If you have any interest in data privacy, you’ll probably remember the trouble the FBI had breaking into an iPhone belonging to San Bernardino gunman Syed Farook earlier this year – and Apple’s resistance to the court order requiring it to assist the bureau. Here in the UK, the Metropolitan Police has formulated its own approach to accessing suspects’ phones without having to go to the trouble of decryption: mug them. According to the BBC, officers from Scotland Yard’s cybercrime unit realised that “crucial evidence” relating to a “credit card fraud racket” was held on suspect Gabriel Yew’s iPhone, but that it would be unobtainable unless the phone was unlocked. Undercover surveillance officers therefore waited for Yew to make a call before grabbing the phone from his hand. The BBC reports that the phone “revealed a motherlode of information” including “orders for fake cards and […] evidence linking him to four men who were subsequently convicted and a further 100 potential suspects.” Yew himself pleaded guilty to fraud and weapons offences last week, and was jailed for five and a half years.
Well, that’s it for this week. As ever: if you enjoy these podcasts, please share them using the hashtag #itgpodcast, and, until next time, remember that you can keep up to date with the latest information security news on our blog. And don’t forget to check out December’s book of the month, The Security Consultant’s Handbook by Richard Bingley. Distilling the author’s fifteen years’ experience as a security practitioner, and incorporating the results of some fifty interviews with leading security practitioners and a review of a wide range of supporting business literature, The Security Consultant’s Handbook provides a wealth of knowledge for the modern security practitioner. Save 10% if you buy by the end of the month.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.
* By rights, that intro should have said Christmas is coming, the goose is getting fat, please change your passwords before your other accounts are compromised because of your lax approach to password security but that doesn’t scan. I do know that unauthorised access isn’t the same as hacking.