Weekly podcast: Grammarly, Infraud and Octoly

This week, we discuss breaches at Grammarly and Octoly, and the arrest of leading members of the Infraud cyber crime group.

Hello and welcome to the IT Governance podcast for Friday, 9 February 2018. Here are this week’s stories.

Last Friday, Tavis Ormandy of Google’s Project Zero discovered what he called a “high severity bug” affecting the users of the popular spelling and grammar checker Grammarly.

According to Ormandy, Grammarly’s Chrome extension was exposing authentication tokens, potentially allowing anyone to log in to anyone else’s account and access all of their documents – and other data.

Ormandy notified Grammarly, which worked impressively quickly to fix the problem – probably realising that it could be held responsible for a huge breach of sensitive data unless it acted quickly.

It tweeted on Monday:

“We were made aware of a security issue with our extension on Friday and worked with Google to roll out a fix within a few hours.

“Thank you to @taviso and the team for finding and educating the community about the complexities of this bug. We will provide more updates soon.

“At this time, Grammarly has no evidence that any user information was compromised by this issue. The bug potentially affected text saved in the Grammarly Editor.

“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension.

“The bug is fixed, and there is no action required by our users.

“We’re continuing to monitor actively for any unusual activity.”

Staying with data breaches, an unsecured Amazon Web Services S3 Cloud storage bucket belonging to Octoly – a Parisian marketing company – has exposed the personal information of more than 12,000 influential social media users or ‘creators’, according to UpGuard’s Chris Vickery.

Octoly supplies these so-called creators with beauty products, merchandise and gaming content from its clients – which include Dior, Estée Lauder, Lancôme and Blizzard Entertainment – in return for reviews on the likes of Instagram, Twitter and YouTube.

Unfortunately, however, the AWS bucket in which the creators’ details were stored was configured incorrectly, meaning they were accessible to anyone.

Compromised personal information included “the real names, addresses, phone numbers, email addresses – including those specified for use with PayPal – and birth dates for these creators, many of them otherwise anonymous in their online ventures. Also exposed are thousands of hashed user passwords, which, if decrypted, could lead to password reuse attacks against various online accounts belonging to creators, the usernames for which are also in the repository”.

That’s not all, though. As well as personal data, the bucket contained “a large amount of brand and analytical information, the disclosure of which could be damaging to Octoly’s business operations. Revealed within the files are the names of some six hundred major brands patronizing Octoly’s influencing services”.

Vickery rightly points out that there are a huge number of lessons to be learned from the incident. As he says:

“The ability to swiftly and decisively secure data in the event of a cyber incident is not just necessary to avoid financial and reputational damage critical to any business’s long-term fortunes. […] Ultimately, cyber resilience is necessary to protect the basic wellbeing and security of the individuals supplying their personal information to enterprises – the disclosure of which may increasingly be a dangerous outcome.”

The incident should be a timely reminder that when the GDPR comes into effect on 25 May, personal data breaches will be treated with considerably more severity than they are now, with fines of up to €20 million or 4% of annual global turnover – whichever is greater. Visit itgovernance.co.uk/gdpr for more information.

Finally, some good news: the US Department of Justice has announced that it has taken down the so-called Infraud cyber crime organisation and has charged 36 people over their involvement in the group. Thirteen suspects from Canada, Egypt, France, Italy, Macedonia, Pakistan, Russia, the UK and Ukraine are now in custody.

According to Deputy Assistant Attorney General David Rybicki of the Criminal Division: “Over the course of the Infraud Organization’s seven-year history, its members targeted more than 4.3 million credit cards, debit cards and bank accounts held by individuals around the world and in all 50 states. The actions of the Infraud Organization resulted in approximately $2.2 billion in intended losses and over $530 million in actual losses to U.S. financial institutions, merchants and consumers.”

An indictment unsealed this week claims the organisation – whose slogan was “In Fraud We Trust” – aimed to be “the premier online destination for the purchase and sale of stolen property and other contraband, such as victims’ personal and financial means of identification, and forged identification documents”. As of March 2017, its forum had nearly 11,000 members in total.

The group’s alleged activities included:

  • buying and selling stolen credit card numbers, financial information, social security numbers, passwords and other personally identifying information;
  • advertising services that facilitated these activities and related, illicit financial transactions; and
  • disseminating malware.

Deputy Assistant Attorney General Rybicki commented: “The charges and arrests announced today are a victory for the rule of law.”

That’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.