Weekly podcast: Imgur, Uber (again), Apple vulnerability, NHS Digital

This week, we discuss a data breach affecting 1.7 million Imgur users, the 2.7 million UK victims of the Uber breach, a major security flaw in macOS High Sierra, and a new investment in data security from the NHS.

Hello and welcome to the IT Governance podcast for Friday, 1 December 2017. Here are this week’s stories.

The image-sharing website Imgur – which until this week I have to confess I thought was pronounced as spelt: im-gur – has confirmed that 1.7 million users’ email addresses and passwords were compromised in a data breach in 2014. No personally identifiable information was affected.

According to a blog by its COO, Roy Sehgal, a “security researcher who frequently deals with data breaches” (Troy Hunt) contacted Imgur on the afternoon of 23 November, having been “sent data that included information of Imgur users”. By the following morning, the company had confirmed that 1.7 million accounts had been compromised and determined that usernames and passwords were affected. It then began notifying affected users via their registered email addresses, telling them to reset their passwords, and published a public disclosure. As Troy Hunt tweeted, it’s pretty impressive to achieve all this in such a short space of time.

Contrast Imgur with Uber, which this week revealed that 2.7 million UK customers were affected in the breach it tried to conceal over a year ago. The Information Commissioner’s Office commented that it was “still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised” and expected “Uber to alert all those affected in the UK as soon as possible”. The National Cyber Security Centre, meanwhile, pointed out that: “Companies should always report any cyber attacks to the NCSC immediately. The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim”.

Apple has rushed out a fix for a security flaw that allows anyone to bypass locked settings on machines running the latest version of macOS High Sierra simply by entering the username ‘root’ – and no password – and clicking ‘unlock’ twice.

Lemi Orhan Ergin, a self-styled ‘software craftsman’, alerted Apple to the flaw via Twitter. He explained in a blog that IT staff at his company “stumbled on the issue while trying to help one of [his] colleagues recover access to his local admin account”.

News of the vulnerability spread quickly across Twitter, with numerous users demonstrating that they could replicate the issue, even after a reboot.

In its release notes, Apple said, simply: “A logic error existed in the validation of credentials. This was addressed with improved credential validation.”

Apple also issued this statement:

“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

“When our security engineers became aware of the issue [on] Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

Six months after the NHS’s IT systems were hobbled by the WannaCry ransomware pandemic, NHS Digital has announced that it will spend £20 million on a new Security Operations Centre to improve data security across the service. The investment will “provide enhanced monitoring of national services across health and care” and will boost existing NHS Digital services, including:

  • “A monitoring service which analyses intelligence from multiple sources and shares guidance, advice, threat intelligence and remediation to relevant contacts in health and care”;
  • “On-site data security assessments for NHS organisations, to enable them to identify any potential weaknesses and to get the best value from local investment”;
  • “Specialist support for any NHS organisation which believes it may have been affected by a cyber security incident”; and
  • “Ongoing monitoring of NHS Digital national systems and services.”

Dan Taylor, the head of NHS Digital’s Digital Security Centre, explained: “The Security Operations Centre will enhance NHS Digital’s current data security services that support the health and care system in protecting sensitive patient information. […]

“By creating a national, near-real-time monitoring and alerting service that covers the whole health and care system, the SOC will drive economies of scale, giving health and care organisations additional intelligence and support services that they might not otherwise be able to access.”

Finally, the run-up to Christmas is by far the busiest period of the year for online shopping, which makes it an ideal time for cyber criminals: according to new research from Barclays, festive shoppers will lose an estimated £1.3 billion to online fraud this Christmas. Consumers and companies alike should therefore be interested to know that IT Governance’s book of the month for December is Security in the Digital World – an essential guide to protecting yourself from cyber criminals this winter. Save 10% if you order by the end of the month.

Well, that’ll do for this week. Until next time – which will be the last podcast of the year – you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.