Weekly podcast: Hello Kitty, school ransomware and airport security concerns

This week, we discuss the reappearance of the exposed Hello Kitty database, a warning from Action Fraud about ransomware attacks on schools, and an unsecured airport system leaking passenger data.

Hello and welcome to the first IT Governance podcast of 2017. If it’s not already too late to say it: happy new year. Without further ado, here are this week’s stories.

In December 2015, security researcher Chris Vickery discovered via Shodan (the search engine that lets users find IoT devices, web servers, routers and suchlike) that an unprotected database containing 3.3 million Hello Kitty accounts was exposed online. Hello Kitty’s parent company, Sanrio, said that Vickery was the only person to have accessed the database, that “no data was stolen” and that “new security measures [had] been applied”.

Now, however, CSO’s Steve Ragan reports that the database was copied before the configuration error was fixed and has now been added to the LeakedSource database of compromised records. Personal details affected include the account holder’s first and last name, birthday, gender, country, email addresses, encrypted password and password hint questions. On Tuesday, Sanrio “[dismissed] the latest news, despite sample records matching the previously exposed database”.

Action Fraud – the UK’s national reporting centre for fraud and cyber crime – has warned that education establishments in the UK are being targeted by ransomware attacks. Fraudsters claiming to be from the ‘Department of Education’ (apparently unaware that the real government department is the Department for Education) have been calling schools, asking for “the personal email and/or phone number of the head teacher/financial administrator” in order to send important documents. The emails include attachments that, once opened, will download malware that encrypts files until a ransom of up to £8,000 is paid.

Schools are of course not the only institutions to be targeted by ransomware attacks. It’s important for all organisations to ensure their antivirus is up to date, that files are regularly backed up and that all staff are trained to be aware of the risks of phishing.

While waiting for a flight recently, Symantec’s Candid Wueest discovered that an airport boarding gate was leaking information that could give attackers “full control over passenger bookings, cancel flights, and steal sensitive information with leaked booking codes”.

Wueest explained in a blog that one of the screens at his departure gate showed a timed-out web browser, so, feeling “curious and more than a little bored”, he tried to open the on-screen IP address on his phone. To his surprise, he got unrestricted access. “On the public-facing server,” he says, “there was a debug page [that] listed all database fields with information available about the next flight” including information about passengers on the standby list. This included “their complete booking reference codes, also known as passenger name record (PNR) locators.” With PNR codes and passenger names, Wueest explains, an attacker could “cancel the flight, rebook it for another date, or change customer details in their frequent flyer account [giving them] full control over passenger bookings and […] access to a lot of sensitive information that could also be used to carry out identity theft and phishing attacks.”

Wueest reported his concerns and the issue was fixed. As he comments, however: “Fixing the security weaknesses of travel booking systems is no easy task as the global booking systems are heavily interconnected and dependent on each other. In light of the new and soon to be applied General Data Protection Regulation (GDPR) in Europe, the topic of data protection is set to gain more traction in the future. Hopefully, for travelers everywhere, this will compel businesses to put more effort into protecting their customers’ personal data.”

IT Governance’s January book of the month is EU GDPR: An Implementation and Compliance Guide. The new General Data Protection Regulation, which comes into effect in less than 18 months, affects every organisation in the world that processes EU residents’ data. Failure to comply with the Regulation could result in fines of up to €20 million or 4% of annual global turnover – whichever is greater. If you’re yet to start your GDPR compliance project, EU GDPR: An Implementation and Compliance Guide provides a detailed commentary on the Regulation, explains the changes you need to make to your data protection and information security regimes, and tells you exactly what you need to do to avoid severe financial penalties. Save 10% if you order by the end of the month.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.