Weekly podcast: Exactis, BetVictor, Ticketmaster, and GDPR complaints

This week, we discuss the apparent leak of 340 million data records, a vulnerability that exposed sensitive BetVictor data, a data breach affecting up to 40,000 Ticketmaster customers, and the number of GDPR complaints since 25 May.

Hello and welcome to the IT Governance podcast for Friday, 29 June 2018. Here are this week’s stories.

Exactis, a Florida-based marketing and data aggregation company, has reportedly exposed a database containing 340 million data records via a publicly accessible server.

According to Wired.com, the security researcher Vinny Troia discovered the database earlier this month via Shodan – the search engine that indexes Internet-connected devices such as servers and routers.

He contacted Exactis and the FBI, and the company made the data inaccessible to the public, he says.

The 340 million records – close to 2 terabytes of data – apparently contain personal information relating to hundreds of millions of Americans, including their “phone numbers, home addresses, email addresses, and other highly personal characteristics […] from interests and habits to the number, age, and gender of the person’s children”.

Troia commented: “It seems like this is a database with pretty much every US citizen in it […] it’s one of the most comprehensive collections I’ve ever seen.”

Although it’s worth emphasising that there’s no evidence that the information was inappropriately accessed, unauthorised disclosure – such as publicly exposing the data – would still count as a data breach.

Exactis is yet to confirm or comment on the incident, but if what Wired says is true, the breach would be one of the largest in history – far bigger than last year’s Equifax breach, which saw nearly 150 million consumers’ personal data exposed, although still some way off Yahoo’s record of 3 billion affected accounts.

However, what makes the Exactis dataset most interesting compared with Equifax’s and Yahoo’s is the level of detail it goes into. Although financial information and Social Security numbers are not present, Wired notes that each record includes “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel”, which could certainly help fraudsters carry out social engineering attacks.

The security researcher Chris Hogben blogged this week about a vulnerability in the website of the bookmaker BetVictor that revealed confidential corporate data to anyone using its search function.

Hogben told Motherboard that the documents “contained extensive combinations of usernames and passwords for what looked like various back-end and administrative systems used by the company”.

Of the 19 username and password combinations Hogben discovered, 11 passwords featured in Troy Hunt’s Pwned Passwords dataset.

Hogben commented: “I think that’s the digital equivalent of leaving the key under the mat. Information about BetVictor’s back-end systems and portals — usernames, passwords, URLs — is there, just a few clicks away, right on the homepage.”

“With access to any of these systems,” he added, “it may be possible to access sensitive company information and potentially even user-specific data”.

Hogben contacted another researcher, Scott Helme, who verified his findings. He then messaged BetVictor’s security team, who removed the search feature from the website.

The popular ticket sales and distribution company Ticketmaster has notified the users of its UK site that their personal information may have been compromised after a malware infection on a support product hosted by Inbenta Technologies was found to be exfiltrating Ticketmaster customer data – including payment information – to an unknown third party.

The BBC reports that as many as 40,000 UK customers – who include users of the Ticketmaster International, GETMEIN! and TicketWeb websites – could have been affected by the incident.

According to Ticketmaster: “UK customers who purchased, or attempted to purchase, tickets between February [2018] and June 23, 2018 may be affected as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018.”

Ticketmaster immediately disabled the Inbenta product across all Ticketmaster websites when it discovered the incident on 23 June.

Ticketmaster has set up a website to answer customers’ questions and has offered them 12 months’ free identity monitoring. Users have also been advised to reset their passwords.

The Information Commissioner’s Office is investigating, and the National Cyber Security Centre is monitoring the situation. The BBC reports that Ticketmaster is “confident” it has complied with the GDPR.

Talking of the GDPR, a new report from the International Association of Privacy Professionals (the IAPP) offers an insight into the number of complaints some of the EU’s data protection authorities have received in the first month since the GDPR came into effect. The results vary greatly.

The Information Commissioner’s Office in the UK leads the way, having “received 1,106 data protection complaints or concerns” up to and including 18 June – although it’s not known how many are about the GDPR and/or Data Protection Act 2018 and how many relate to the Data Protection Act 1998.

Of the other countries that supplied information, France received 426 complaints, the Czech Republic approximately 400, Ireland 386 (and 547 breach notifications), the Netherlands 170 complaints, Romania 145, Slovenia 102, Bulgaria 91, Austria 81, Denmark 13, Malta 8, Estonia 7, Slovakia 4, Belgium 3 and Sweden 2.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.