Weekly podcast: Newcastle City Council, Myspace and Apple

This week, we discuss a data breach affecting adoptees in Newcastle, Myspace’s account recovery process, and a security update fixing 47 iOS flaws.

[soundcloud url=”https://api.soundcloud.com/tracks/334153015?secret_token=s-W0xjJ” params=”auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&visual=true” width=”100%” height=”200″ iframe=”true” /]

Hello and welcome to the IT Governance podcast for Friday, 21 July 2017. Here are this week’s stories.

The personal information of 2,743 current and former adoptees, and their adoptive parents and social workers was compromised in a data breach at Newcastle City Council when a spreadsheet, which included the names, addresses and birthdates of adopted children, was accidently attached to an email to 77 people, inviting them to the council’s annual adoption summer party.

According to a statement: “The council was deeply concerned to learn of this breach. A thorough investigation was carried out into how this happened. A series of measures have been put in place to contain the breach, minimise potential distress to those affected and ensure that such breaches cannot happen in the future.”

The BBC reports that the member of staff who sent the email no longer works for the council.

The council’s Director of People Ewen Weir said: “I am truly sorry for the distress caused to all those affected. We will work closely with the affected families and individuals to support them at this trying time. The council takes data protection and confidentiality very seriously and has acted swiftly to understand what happened and who has been affected. This breach appears to have been caused by human error and a failure to follow established procedures. We are conducting a thorough review of our processes to identify what changes we can make to ensure that this never happens again.”

The Information Commissioner’s Office is investigating.

The once-popular social media site Myspace has fixed a security vulnerability that enabled anyone to access any account simply by knowing the account holder’s name, username and date of birth – information that’s not exactly hard to come by, as I’m sure you know. Last June, 360 million Myspace account details were listed for sale on the dark web by a criminal hacker known as ‘Peace’ – not that you have to frequent hacker forums to gain that sort of information: Myspace account holders’ names and usernames are visible on their profiles and it’s not exactly hard to find people’s birthdates online.

Security researcher Leigh-Anne Galloway discovered the vulnerability while trying to delete her own long-forgotten account. She explained that, although Myspace introduced stronger password security following the 2016 breach, its account recovery process was – shall we say – less robust. Despite asking forgetful users to fill in a number of boxes to regain access to their accounts, Myspace only actually verified three of them: the account holder’s name, username and date of birth.

Galloway “sent an email to Myspace in April documenting this vulnerability and received nothing more than an automated response”, prompting her to go public this week, after which Myspace was spurred into action, blocking access to the dubious account recovery page: the URL now redirects to a different page.

It commented:

“In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access. We take data security very seriously at Myspace. We plan to continue to refine and improve this process over time.”

Myspace’s popularity has waned to such an extent that it is scarcely used by its millions of account holders, many of whom simply abandoned their pages rather than shutting them down, and defected to the likes of Facebook. If you do think your Myspace account is still there, gathering dust, unloved and unused, now might be the time to delete it.

iPhone, iPad and iPod Touch users will have noticed that Apple released iOS 10.3.3 this week – an update that patches 47 security flaws, including several remote code execution vulnerabilities affecting WebKit – the open-source web browser engine that powers Apple’s Safari browser, among others – that could allow attackers to take control of your devices. A separate update for the macOS version of Safari also addresses these issues. Update at your earliest convenience.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.