Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia

Australia's Notifiable Data Breaches scheme will come into force next month. Here is what it means and how it will affect organisations, and individuals, in Australia.

WHAT IS THE NOTIFIABLE DATA BREACHES SCHEME?

Australia's Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there's a lot of responsibility on each organisation to secure the data it holds.

The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.

What that means is all agencies and organisations in Australia that are covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.

Tax file number (TFN) recipients, to the extent that TFN information is involved in a data breach, must also comply with the NDB.

In addition to notifying individuals affected, under the scheme, organisations must provide recommendations on how those affected should respond, as well as what to do now their information is in the wild. The Australian Information Commissioner, currently Timothy Pilgrim, must also be notified of the breach.

"The NDB scheme formalises an existing community expectation for transparency when a data breach occurs," Pilgrim told ZDNet. "Notification provides individuals with an opportunity to take steps to protect their personal information, and to minimise their risk of experiencing harm."

Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, credit reporting bodies, and political parties are exempt from the NDB.

WHAT CONSTITUTES A DATA BREACH?

In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

Examples of a data breach include when a device containing customers' personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.

An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.

The NDB scheme uses the phrase "eligible data breaches" to specify that not all breaches require reporting. An example of this is where Commonwealth law prohibits or regulates the use or disclosure of information.

An enforcement body -- such as the Australian Federal Police (AFP), the police force or service of a state or a territory, the Australian Crime Commission, and the Australian Securities and Investments Commission -- does not need to notify individuals about an eligible data breach if its CEO believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, the enforcement body.

Although not required all the time to disclose a breach, a spokesperson for the AFP told ZDNet the AFP would be complying with its notification obligations in all circumstances where there are no relevant exemptions under the Act.

If the Australian Information Commissioner rules the breach is not bound by the NDB scheme, organisations may not have to disclose it any further.

In addition, data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme as they have their own binding process to follow, which also lies under the umbrella of the OAIC.

DETERMINING SERIOUS HARM

As the NDB dictates an objective benchmark in that the scheme requires a "reasonable person" to conclude that the access or disclosure is "likely to result in serious harm", Melissa Fai, special counsel at Gilbert + Tobin, told ZDNet that in assessing the breach, an organisation should interpret the term "likely" to mean more probable than not -- as opposed to merely possible.

"Serious harm" is not defined in the Privacy Act; but in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Information about an individual's health; documents commonly used for identity fraud, including Medicare card, driver's licence, and passport details; financial information; and a combination of types of personal information -- rather than a single piece of personal information -- that allows more to be known about an individual can all cause serious harm.

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harm that may follow a data breach.

THE NOTIFICATION PROCESS

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a "reasonable and expeditious assessment" based on the above guidelines to determine if the data breach is likely to result in serious harm to any individual affected.

If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the commissioner about the breach.

The notification to affected individuals and the commissioner must include the following information: the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach.

Entities have 30 days to conduct an assessment if they are unsure a breach meets the threshold of an eligible data breach. As soon as they believe a breach is an eligible data breach, they must notify individuals and the commissioner as soon as practicable.

The NDB scheme, however, provides entities with the opportunity to take steps to address a data breach in a timely manner, and avoid the need to further notify -- including notifying individuals whose data has been somewhat exposed.

FAILING TO DISCLOSE A BREACH

Failure to comply with the NDB scheme will be "deemed to be an interference with the privacy of an individual" and there will be consequences.

Gilbert + Tobin's Fai explained that if an organisation is found to have hidden an eligible data breach, or is otherwise found to have failed to report an eligible data breach, such failure will be considered an interference with the privacy of an individual affected by the eligible data breach, and serious or repeated interferences with the privacy of an individual can give rise to civil penalties under the Privacy Act.

If the data breach that the organisation has failed to report is serious, or if the organisation has failed to report an eligible data breach on two or more separate occasions, Fai explained the OAIC has the ability to seek a civil penalty order against the organisation of up to AU$2.1 million, depending on the significance and likely harm that may result from the data breach.

"Of course, an organisation must also consider the risk of reputational damage to its brand and the commercial damage that might flow from that, particularly given the growing importance to an organisation's bottom line of consumer trust in an organisation's data management policies and processes and its ability to respond quickly, effectively, and with integrity to data breaches," Fai added.

"The effects of the data breach on Equifax last year and its response are a case in point."

THE ROLE OF THE INFORMATION COMMISSIONER AND THE OAIC

The commissioner has a number of roles under the NDB scheme, which includes receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.

HOW DID THE NDB COME ABOUT?

The federal government finally passed the data breach notification laws at its third attempt in February 2017.

A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia's mandatory data-retention laws being implemented.

HOW TO GET READY

According to Gilbert + Tobin, organisations should be at the very least getting familiar with what data they have, where it is kept, and who has access to it.

Assessing existing data privacy and security policies and procedures to make sure organisations are in a position to respond appropriately and quickly in the event of a data breach is also important.

"This should include a data breach response plan which works across diverse stakeholders in an organisation and quickly brings the right people -- such as from IT, legal, cybersecurity, public relations, management, and HR -- together to respond effectively," Fai told ZDNet.

It wouldn't hurt to continuously audit and strengthen cybersecurity strategies, protection, and tools to avoid and prevent data breaches.

"It is also important that an organisation's personnel are aware of the NDB scheme. Personnel need appropriate training, including to identify when an eligible data breach may have occurred and how to follow an entity's policies and procedures on what to do next," Fai explained, adding that this also extends to suppliers and other third parties that process personal information on the organisation's behalf.

DOES YOUR BUSINESS HAVE A EUROPEAN CONNECTION?

From May this year, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.

Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The GDPR and the Australian Privacy Act share many common requirements, but there are a bunch of differences, with one crucial element being the time to disclose a breach.

Under the NDB scheme, organisations have a maximum of 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

"In sum, if an Australian organisation is subject to the GDPR regime when it comes into effect in May this year, it needs to comply with its obligations under both regimes -- although the two regimes contain different requirements, they are not mutually exclusive," Fai added. "However, when it comes to data breaches, the high watermark of compliance is complying with the European regime."

HOW TO PREVENT A DATA BREACH

Any organisation that has purchased a security solution from a vendor knows that there is no silver bullet to completely secure an organisation.

"When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn't possible," Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet.

"The first thing any organisation should do is understand that data breaches are not always preventable but they are mitigatable. Whether the data breach is a result of a compromise, malicious insider, or even a well-meaning insider accidentally leaking information, mitigations exist."

Breaking the mitigations into three parts, Savvides said the first is dealing with a malicious attacker, the second is having information-centric security which he said applies to all scenarios, and the third mitigation category is the response plan.

"Most organisations don't have very effective response plans for a data breach event. They might have a plan, but from what has been seen, the plans are generally very academic in nature rather than practical and often get bypassed in the case of a real event," he explained.

"Organisations need to have processes for having incidents reported, a clear plan on who to involve, what process to follow, and a clear PR message."

Savvides said it is clear that users value transparency and clear speech rather than ambiguous legalese responses some organisations have produced.

"The commencement of the scheme is also a timely opportunity for organisations to take stock of the personal information they collect and hold, and how it is managed," Pilgrim added. "By ensuring personal information is secured and managed appropriately, organisations can reduce the likelihood of a data breach occurring in the first place."

From: http://www.zdnet.com/article/notifiable-data-breaches-scheme-getting-ready-to-disclose-a-data-breach-in-australia/

Business must tone down its lust for big data

Privacy is a human right, and businesses need to remember that. So do governments.

It should come as no surprise that when key industry bodies write submissions to government consultations they're self-serving. That's what such lobby groups are for, right?

But in its submission to the current consultation on developing a national Digital Economy Strategy, the Australian Chamber of Commerce and Industry (ACCI) has gone beyond the usual bleatings about tax breaks, more "flexible" employment conditions, and a call for the government to pay for the vocational training that businesses have long since stopped doing for themselves.

The ACCI wants more access to government data.

"Other governments, such as the United Kingdom and Canada, are ahead of the Australian government in terms of open data," the ACCI writes in its submission [PDF].

"It is vital for businesses to have access to cohesive and complete public datasets. Datasets provided by the government that are more complete can, in turn, produce more accurate analytics, drive efficiencies and productivity in both the public and private sectors. If the range and breadth of raw government data increased, it would encourage digital integration between the public and private sector in Australia."

Leaving aside the question of whether such access really is "vital" rather than merely "useful", we should remember that it has been collected at taxpayers' expense. Nowhere does the ACCI suggest that businesses might pay for it, however. Nor do they suggest a modest increase in the corporate tax rate. Of course.

The ACCI also calls for more system integration and interoperability between government agencies, so that "data would be requested from businesses only once ... This could also be expanded to include data exchange capabilities between different international jurisdictions".

There are barriers to overcome, of course. The ACCI identifies, for example, "legislative restrictions; a culture of risk aversion; lack of national leadership for data sharing and release; and, [that] the extent of productive linking and integration of datasets varies substantially across jurisdictions."

Yet nowhere in the ACCI's submission is the word "privacy".

Nowhere is the phrase "data breach".

That's a worry, especially given the rapidly increasing ease but little-understood risks of the re-identification of supposedly de-identified data. Look no further than the recent re-identification of Australian health data that the government had published.

Privacy has taken a back seat to a lust for big data, according to Steve Wilson, vice-president and principal analyst with Constellation Research.

"Data scientists seem to think they can tick a privacy box and just get on with their analyses, perhaps because some consultant has said 'privacy is a positive sum game'," Wilson told ZDNet.

"Well no, privacy is about restraint. Privacy is mostly not about what we do with data, but what we don't do with data. Privacy considerations mean that the risk of some of big data's grand missions might just not be worth it."

Wilson believes that some people have a "fetish for data and open data", a largely unproven faith that all this data will lead to better evidence-based policy.

I agree.

"Big data is a dangerous, faith-based ideology. It's fuelled by hubris, it's ignorant of history, and it's trashing decades of progress in social justice," I wrote in 2014.

Since then little has changed, although it's possible that the increasing public awareness of the scale and scope of data collection, and the expanding news coverage given to data breaches, may change that. Australia's mandatory data breach notification laws come into force in just a few weeks. Wait and see.

"I don't believe we have properly accounted for the privacy risks," Wilson said.

"People have a human right to privacy, but I am not aware of any basic business right to obtain and process data."

From: http://www.zdnet.com/article/business-must-tone-down-its-lust-for-big-data/

Carphone Warehouse fined £400,000 over 2015 data breach

The successful cyberattack exposed information belonging to millions of UK customers.

Carphone Warehouse has been slapped with a £400,000 fine for a data breach which led to the theft of information belonging to millions of customers.

On Wednesday, the UK Information Commissioner's Office (ICO) said the fine is one of the largest issued in the data watchdog's history.

In 2015, Carphone Warehouse said that a data breach had led to the theft and exposure of sensitive, personal information belonging to up to 2.4 million customers.

However, an investigation revealed that the security incident actually allowed unauthorized access to the data of over three million customers and roughly 1,000 employees.

The names, addresses, dates of birth, marital status and historical payment card details of customers were stolen alongside the names, phone numbers, postcodes, and car registration details of staff members.

The "sophisticated cyberattack" attracted the attention of the ICO, which said, "the personal data involved would significantly affect individuals' privacy, leaving their data at risk of being misused."

According to the agency, the UK mobile device retail giant's approach to data security was inadequate and Carphone Warehouse had failed to take "adequate steps" to protect data -- a serious breach of the Data Protection Act of 1998.

The data breach occurred as the cyberattackers were able to obtain login credentials through WordPress software which was not kept up-to-date and patched against vulnerabilities.

Carphone Warehouse also failed to keep other software up-to-date and did not carry out regular security tests. The company also did not identify and purge historic data properly -- which means that the firm may have kept information on file without cause.

"A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks," said Information Commissioner Elizabeth Denham. "Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

There have been no reported cases of customer or staff information sales or abuse to date and the company has fixed "some" of the problems highlighted by the ICO.

However, with data protection regulations set to become tougher in the UK with the introduction of the General Data Protection Regulation (GDPR), which requires protection by design, Carphone Warehouse -- and every other company in the country -- will need to do better than fix "some" problems to avoid future fines.

"There will always be attempts to breach organizations' systems and cyber-attacks are becoming more frequent as adversaries become more determined," Denham added. "But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees."

From: http://www.zdnet.com/article/carphone-warehouse-fined-400000-over-2015-data-breach/

240,000 Homeland Security employees, case witnesses affected by data breach

A database used by the Department of Homeland Security's Office of the Inspector General has been confirmed as breached, affecting 247,167 current and former employees and individuals associated with the department's previous investigations.

The United States Department of Homeland Security (DHS) has confirmed the breach of the DHS Office of Inspector General (OIG) Case Management System (CMS), affecting approximately 247,167 individuals employed by DHS in 2014, as well as individuals including subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014.

DHS issued a statement on Wednesday after it sent the affected individuals a letter notifying them that they may have been impacted by a "privacy incident" relating to the CMS.

It held firm that the privacy incident did not stem from a cyber attack by external actors, and that "the evidence indicates that affected individual's personal information was not the primary target of the unauthorised transfer of data".

DHS said that on May 10, 2017, DHS OIG discovered an unauthorised copy of its CMS in the possession of a former DHS OIG employee as part of an ongoing criminal investigation.

"The privacy incident did not stem from a cyber attack by external actors, and the evidence indicates that affected individual's personal information was not the primary target of the unauthorised exfiltration," DHS wrote to those affected.

Notification letters were sent on December 18, 2017, to all current and former employees who were potentially affected by the DHS Employee Data. The letters said that, due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data, and asked those individuals to reach out to the department.

In the letter penned by DHS chief privacy officer Phillip S Kaplan, the department offered all individuals potentially affected by the incident 18 months of free credit monitoring and identity protection services.

"The Department of Homeland Security takes very seriously the obligation to serve the department's employees, and is committed to protecting the information in which they are entrusted," the department wrote. "Please be assured that we will make every effort to ensure this does not happen again."

DHS said it is implementing additional security precautions to limit which individuals have access to its information, as well as more stringent checks to identify unusual access patterns.

From: http://www.zdnet.com/article/over-240000-homeland-security-employees-case-witnesses-affected-by-data-breach/

Privacy Foundation: Trusting government with open data a ‘recipe for pain’

The Australian Privacy Foundation (APF) has called out the federal government and the Office of the Australian Information Commissioner (OAIC) over the failure to publish a report on the September 2016 incident that revealed Medicare Benefits Schedule and Pharmaceutical Benefits Scheme data was not encrypted properly.

The dataset was found by a team of researchers from the University of Melbourne and was subsequently pulled down by the Department of Health.

At the time, the OAIC announced it was investigating the publication of the datasets; more than 12 months later, it is still investigating.

Of concern to the APF is that there has been no public report, nor warning about the bug in open data; no indication of when the report will be released; and no requirement to reconsider the misplaced trust in the de-identification of open data.

"You should be able to trust governments to care for sensitive personal data about yourself and your family. Clearly some of those who are handling this data either lack expertise, or are careless: It appears that 'Open Data' protections can be breached," a statement from the APF reads.

While the APF agrees there can be benefits from the sharing of health and other personal information among health care professionals and researchers, it said the sharing must be based on an understanding of potential risks.

"It must only occur within an effective legal framework, and controls appropriate for those risks," the APF continued.

"A 'Trust me, I'm from the government!' approach is a recipe for pain. So is sharing such sensitive data with government without full openness, transparency, and a legal framework that prevents them from misusing it out of the public eye."

The research team that re-identified the data in September 2016, consisting of Dr Chris Culnane, Dr Benjamin Rubinstein, and Dr Vanessa Teague, reported in December that further information, such as the medical billing records of one-tenth of all Australians -- approximately 2.9 million people -- was potentially re-identifiable in the same dataset.

"We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth," Dr Culnane said.

"This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy."

The team warned that they expect similar results with other data held by the government, such as Census data, tax records, mental health records, penal data, and Centrelink data.

The large-scale dataset relating to the health of many Australians, under what the APF labelled as "the fashionable rubric of open data", included all publicly reimbursed medical and pharmaceutical bills for selected patients spanning the thirty years from 1984 to 2014. The data as released was meant to be de-identified, meaning that it supposedly could not be linked to a particular individual.

"Unfortunately, the government got it wrong: This weak protection can be breached," the APF added.

The Privacy Foundation believes the Department of Health and its minister should be held to account for the data being re-identifiable, as well as the OAIC, with the APF expanding on its previous claims that the agency led by Timothy Pilgrim was being "underfed".

"The OAIC should act like a watchdog, not like a rather timid snail," the APF said on Monday, hoping the appointment of a new Attorney-General after George Brandis was replaced by former Minister for Social Services Christian Porter in December will "provide adequate resources" to the agency.

As a result of the issues found by the University of Melbourne, in October 2016, the Australian government proposed changes to the Privacy Act 1988 that would criminalise the intentional re-identification and disclosure of de-identified Commonwealth datasets, reverse the onus of proof, and be retrospectively applied from September 29, 2016.

Under the changes, anyone who intentionally re-identifies a de-identified dataset from a federal agency could face two years' imprisonment, unless they work in a university or other state government body, or have a contract with the federal government that allows such work to be conducted.

The university team said the proposed legislation will have a chilling effect on research, and risks efforts to make sure open data is properly protected.

"Whilst open data is not a safe approach for releasing this type of data, open government is the right paradigm for deciding what is," the team said. "One thing is certain: Open publication of de-identified data is not a secure solution for sensitive unit-record level data."

Speaking a few months after the first batch of information was re-identified, Pilgrim said building trust with the public is key to the challenges big data presents for organisations, including government, and highlighted that trust is further challenged by the nature of secondary uses of data.

"Part of the solution, potentially a significant part I suggest, lies in getting de-identification right," he said during a data sharing and interoperability workshop at the GovInnovate summit in Canberra late 2016.

"This includes ensuring that government agencies, regulators, businesses, and technology professionals have a common understanding as to what 'getting it right' means.

"At the moment, that common clarity is not evident."

While Pilgrim said that de-identification can be a smart and contemporary response to the privacy challenges of big data, which he said aims to separate the "personal" from the "information" within data sets, the commissioner highlighted that there was no clear-cut definition of how far-removed personal identifiers needed to be before the dataset is considered de-identified.

"I stress as privacy commissioner that de-identification is not the only approach available to manage the privacy dimensions of big data, but we are keen to explore its potential when done fully and correctly," he said.

"That potential could include the ability to facilitate data sharing between agencies, and unlock policy and service gains of big data innovation, whilst protecting the fundamental human right to privacy.

"That is a great prospect, and one worth pursuing."

Given the investigation into the MBS and PBS datasets is ongoing, the OAIC said on Monday it is unable to comment on it further at this time.

"The commissioner will make a public statement at the conclusion of the investigation," a statement from the OAIC reads.

"The OAIC continues to work with Australian Government agencies to enhance privacy protection in published datasets."

From: http://www.zdnet.com/article/privacy-foundation-trusting-government-with-open-data-a-recipe-for-pain/

A popular virtual keyboard app leaks 31 million users’ personal data

The app maker's database wasn't protected with a password, leaving exposed its users' most private information.

Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server.

The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world.

But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data.

The database appears to only contain records on the app's Android users.

The exposure was discovered by security researchers at the Kromtech Security Center, which posted details of it alongside ZDNet. The data was only secured after several attempts to contact Fitusi, who acknowledged the security lapse this weekend. The server has since been secured, but Fitusi did not respond when we asked for comment.

ZDNet obtained a portion of the database to verify.

Each record contains basic collected data, including the user's full name, email addresses, and how many days the app was installed. Each record also included a user's precise location, including their city and country.

Other records are significantly more detailed. The app's free version, per its privacy policy, collects more data than the paid version; the company uses that data to monetize the free version through advertising.

More complete records also include the device's IMSI and IMEI numbers, its make and model, its screen resolution, and the specific Android version it runs.

A large portion of the records also included the user's phone number and the name of their cell phone provider, and in some cases their IP address and the name of their internet provider if connected to Wi-Fi. Many records contain specific details from a user's public Google profile, including email addresses, dates of birth, genders, and profile photos.

We also found several tables of contact data uploaded from a user's phone. One table listed 10.7 million email addresses, while another contained 374.6 million phone numbers. It's not clear for what reason the app uploaded email addresses and phone numbers of contacts on users' phones.

Several tables contained lists of each app installed on a user's device, such as banking apps and dating apps.

It's not unusual for on-screen keyboards to have wide-ranging access to some of the highest levels of Android permissions. Android warns users that keyboards "may be able to collect all the text that you type, including personal data like passwords and credit card numbers." AI.type is no exception: it requests read access to contacts and text messages, access to photos, video and other on-device storage, permission to record audio, and full network access.

For its part, AI.type says on its website that users' privacy "is our main concern." Any text entered on the keyboard "stays encrypted and private," says the company.

But the database wasn't encrypted. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.

The company also promises to "never share your data or learn from password fields," but we saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.
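What "never learn from password fields" requires of a keyboard is a check the input method makes before it buffers anything, because Android tells the IME what kind of field has focus through EditorInfo.inputType. The following is an added example written for this page, not AI.type's code: it reproduces that gate in Python using the bit values published in android.text.InputType, then runs a stand-in keyboard session through a login form to show what a learning store would and would not retain. The KeyboardSession class, the form and the typed strings are constructed for the example.

```python
"""Password-field gate for an on-screen keyboard (added example, not AI.type's code).

Android hands an input method (IME) an EditorInfo whose inputType is a bit
field: the low nibble is the field class, the next byte the variation, and
the remaining bits are flags.  The constant values below are the ones
published in android.text.InputType; everything else in this file is a
constructed stand-in for the example.
"""

# android.text.InputType values; the masks select the class/variation bits
TYPE_MASK_CLASS = 0x0000000F
TYPE_MASK_VARIATION = 0x00000FF0
TYPE_CLASS_TEXT = 0x00000001
TYPE_CLASS_NUMBER = 0x00000002
TYPE_TEXT_VARIATION_NORMAL = 0x00000000
TYPE_TEXT_VARIATION_URI = 0x00000010
TYPE_TEXT_VARIATION_EMAIL_ADDRESS = 0x00000020
TYPE_TEXT_VARIATION_PASSWORD = 0x00000080
TYPE_TEXT_VARIATION_VISIBLE_PASSWORD = 0x00000090
TYPE_TEXT_VARIATION_WEB_PASSWORD = 0x000000E0
TYPE_NUMBER_VARIATION_PASSWORD = 0x00000010
TYPE_TEXT_FLAG_MULTI_LINE = 0x00020000

# A variation value only means something together with its class: 0x10 is a
# URI for a text field but a password (PIN) for a number field.
_PASSWORD_VARIATIONS = {
    TYPE_CLASS_TEXT: {
        TYPE_TEXT_VARIATION_PASSWORD,
        TYPE_TEXT_VARIATION_VISIBLE_PASSWORD,
        TYPE_TEXT_VARIATION_WEB_PASSWORD,
    },
    TYPE_CLASS_NUMBER: {TYPE_NUMBER_VARIATION_PASSWORD},
}


def is_password_field(input_type: int) -> bool:
    """True when the focused field's class and variation mark it as a secret."""
    field_class = input_type & TYPE_MASK_CLASS
    variation = input_type & TYPE_MASK_VARIATION
    return variation in _PASSWORD_VARIATIONS.get(field_class, set())


class KeyboardSession:
    """Stand-in for an IME's learning pipeline (constructed for this example).

    on_start_input() and on_text() mirror the moments at which a real
    InputMethodService learns the field type and receives committed text.
    """

    def __init__(self):
        self.input_type = 0
        self.learned = []   # what the keyboard would persist or upload
        self.dropped = 0    # committed text discarded by the gate

    def on_start_input(self, input_type: int) -> None:
        self.input_type = input_type

    def on_text(self, text: str) -> bool:
        """Return True if the text was kept for learning, False if gated out."""
        if is_password_field(self.input_type):
            self.dropped += 1
            return False
        self.learned.append(text)
        return True


def simulate_login_form() -> KeyboardSession:
    """Type an email, a web password, a numeric PIN and a chat line through the gate.

    Field types and strings are constructed; the returned session's `learned`
    list is what a breach of the keyboard's backend would expose.
    """
    session = KeyboardSession()
    form = [
        (TYPE_CLASS_TEXT | TYPE_TEXT_VARIATION_EMAIL_ADDRESS, "alice@example.com"),
        (TYPE_CLASS_TEXT | TYPE_TEXT_VARIATION_WEB_PASSWORD | TYPE_TEXT_FLAG_MULTI_LINE,
         "correct horse battery"),
        (TYPE_CLASS_NUMBER | TYPE_NUMBER_VARIATION_PASSWORD, "4921"),
        (TYPE_CLASS_TEXT | TYPE_TEXT_VARIATION_NORMAL, "see you at 7"),
    ]
    for input_type, typed in form:
        session.on_start_input(input_type)
        session.on_text(typed)
    return session


if __name__ == "__main__":
    s = simulate_login_form()
    print("learned:", s.learned)   # the email address and the chat line only
    print("dropped:", s.dropped)   # the two secrets
```

The gate only holds when the host app marks its fields: a password typed into a field flagged as normal text passes straight through, which is one way an email address and its password can end up side by side in a keyboard's entered-text table. A keyboard that uploads entered text at all therefore cannot keep the promise on the strength of this check alone.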

Bob Diachenko, head of communications at Kromtech Security Center, warned of the dangers of using free apps.

"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online," he told ZDNet. "This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user."

"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices," he added.

"It is clear that data is valuable and everyone wants access to it for different reasons," he said. "Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways."

From:http://www.zdnet.com/article/popular-virtual-keyboard-leaks-31-million-user-data/

This ransomware asks victims to name their own price to get their files back

The attackers behind this form of file-encrypting malware -- which has similarities with Locky -- think that if the victim can set their own price, they're more likely to pay.

A new form of ransomware, which shares similarities with Locky, allows its victims to negotiate the price for retrieving their encrypted files.

Scarab ransomware was first uncovered in June, but during November, it was suddenly distributed in millions of spam emails, according to researchers at Fortinet. The emails were distributed by Necurs, the botnet infamous for spreading the highly-successful Locky ransomware.

The file-encrypting malware is deployed when the victim runs a VBScript file attached to a malicious email; the script retrieves Scarab from payload websites. Researchers at PhishMe said the script shares similarities with the mechanism used to deliver Locky.

Those behind Scarab have also chosen to fill the source code of the ransomware with what appear to be references to Game of Thrones character Jon Snow.

Once installed and executed on the victim's computer, the malware will connect to a website that provides the attacker with the victim's IP address and other machine information -- likely to aid the attacker in keeping track of victims.

Even if the machine is taken offline during the process, the ransomware still encrypts the files, appending the .scarab extension to each, and presents the victim with a ransom note.
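Scarab's on-host behaviour, one process renaming file after file to carry a single new extension and then dropping a note, is a pattern a host sensor can alert on without knowing the family. The following detector is an added example for this page, not code from Fortinet or PhishMe: it runs over constructed rename events of the kind Sysmon or a file-system watcher would emit and flags a process that changes many files to the same new extension inside a short window. It is deliberately more general than the article's case, keying on whatever extension appears rather than on .scarab alone. Only the .scarab extension comes from the article; the PIDs, paths, timestamps, note filename, threshold and window are assumptions.

```python
"""Rename-burst detector for ransomware (added example, not Fortinet's or PhishMe's code).

Input: file-system events as (time_s, pid, op, old_path, new_path) tuples.
A process that renames >= THRESHOLD files to the same *new* extension within
WINDOW_S seconds is reported once.  Keying on the extension actually seen,
rather than on ".scarab" alone, means a renamed variant is caught as well.
"""
from collections import defaultdict, deque

THRESHOLD = 5      # renames to one new extension before alerting (assumed)
WINDOW_S = 10.0    # sliding window in seconds (assumed)

# Constructed sensor events: an editor, a Scarab-like process, a backup tool.
SAMPLE_EVENTS = [
    (12.0, 1201, "rename", r"C:\Users\bob\notes.txt", r"C:\Users\bob\notes.md"),
    (100.0, 4242, "rename", r"C:\Users\bob\Documents\q3.xlsx", r"C:\Users\bob\Documents\q3.xlsx.scarab"),
    (100.5, 4242, "rename", r"C:\Users\bob\Documents\plan.docx", r"C:\Users\bob\Documents\plan.docx.scarab"),
    (101.1, 4242, "rename", r"C:\Users\bob\Pictures\dog.jpg", r"C:\Users\bob\Pictures\dog.jpg.scarab"),
    (101.6, 4242, "rename", r"C:\Users\bob\Pictures\cat.png", r"C:\Users\bob\Pictures\cat.png.scarab"),
    (102.2, 4242, "rename", r"C:\Users\bob\Desktop\taxes.pdf", r"C:\Users\bob\Desktop\taxes.pdf.scarab"),
    (102.9, 4242, "rename", r"C:\Users\bob\Desktop\cv.docx", r"C:\Users\bob\Desktop\cv.docx.scarab"),
    # ransom note drop; filename constructed, not Scarab's real note name
    (103.0, 4242, "create", "", r"C:\Users\bob\Desktop\HOW_TO_RECOVER_FILES.txt"),
    (200.0, 3003, "rename", r"D:\backup\db1.sql", r"D:\backup\db1.sql.bak"),
    (230.0, 3003, "rename", r"D:\backup\db2.sql", r"D:\backup\db2.sql.bak"),
    (260.0, 3003, "rename", r"D:\backup\db3.sql", r"D:\backup\db3.sql.bak"),
]


def _extension(path: str) -> str:
    """Lower-cased suffix after the last dot of the file name, '' if none.

    Done by hand so Windows paths behave the same on any host running this.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_bursts(events, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return one alert per (pid, new extension) that crosses the threshold.

    Events must be in time order.  Renames that keep the extension (edits,
    moves) and events other than renames are ignored.
    """
    recent = defaultdict(deque)   # (pid, new_ext) -> timestamps inside the window
    alerted = set()
    alerts = []
    for t, pid, op, old_path, new_path in events:
        if op != "rename":
            continue
        old_ext, new_ext = _extension(old_path), _extension(new_path)
        if not new_ext or new_ext == old_ext:
            continue
        key = (pid, new_ext)
        q = recent[key]
        q.append(t)
        while t - q[0] > window_s:     # q is never empty: t itself is in it
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "pid": pid,
                "new_ext": new_ext,
                "count": len(q),
                "first_s": q[0],
                "last_s": t,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} renamed {alert['count']} files to "
              f".{alert['new_ext']} between t={alert['first_s']} and t={alert['last_s']}")
```

The backup tool in the sample renames to .bak as well, but thirty seconds apart, so the window keeps it below the threshold; tune THRESHOLD and WINDOW_S against your own hosts' normal rename rates before deploying, and treat an alert as a trigger to isolate the process, not as proof of the family.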

But rather than demanding a set fee to release the files, the attackers behind Scarab ask the victims to email them in order to negotiate a payment in bitcoin -- the cryptocurrency often used by attackers to collect ransom payments.

The use of an email address suggests the attackers aren't as sophisticated as those behind other forms of ransomware. However, they do seem to be working to the theory that if they allow the victim to set their own price for the ransom, they're more likely to receive a payment.

"The negotiation process encouraged by the Scarab ransomware is particularly interesting. While entering into negotiations definitely makes it more likely that a ransom of some kind will be paid, it also allows them to fluctuate demands depending on the value of bitcoin at that time," said Aaron Higbee, co-founder and CTO of PhishMe.

Researchers suggest the rise in the value of bitcoin has played a part in the shift to using this tactic. A fee of around one bitcoin was often set as the ransom demand during 2016, when the value of bitcoin was under $1000. At the time of writing, one bitcoin is worth over $16,000.

Attackers are likely to understand the average victim isn't going to have the funds to pay this fee, so by allowing the victim to suggest a price, those behind Scarab are more likely to guarantee a payday for their criminal work.

Those behind Scarab also attempt to show they can be trusted to hold up their end of the malicious deal with a tactic common among ransomware distributors: offering to decrypt some files for free. They also provide instructions on how to obtain bitcoin so that victims can pay them.

However, these aren't acts of community spirit. The attackers are criminals who are looking for profit by extorting a payment out of the unfortunate victim -- a reality hammered home by the ransom note, which says: "Decryption of your files with the help of third parties may cause an increased price." The attackers also add that by trying to use decryption tools, the victim "can become a victim of a scam".

Researchers are currently unsure if Scarab will be a temporary ransomware campaign -- like Jaff -- or if it will become a long-standing threat like Locky.

From:http://www.zdnet.com/article/this-ransomware-asks-victims-to-name-their-own-price-to-get-their-files-back/

Uber says data breach compromised 380K users in Singapore

Ride-sharing company reveals 380,000 in Singapore were affected by the massive data breach that compromised 57 million accounts globally, but says no fraud or misuse has been tied to these users.

Uber says an estimated 380,000 users in Singapore were impacted by the 2016 data breach that compromised 57 million accounts globally, but says it has found no incidents of fraud related to the attack.

The ride-sharing operator posted a statement on its website Friday with the update, noting that the figure was "an approximation rather than an accurate and definitive count". The number was determined from data extracted from its app or online site and based on codes assigned to specific countries, which might not always correspond with where the user actually lived, it explained.

Uber said it had taken "immediate steps to secure the data" when the breach was uncovered and blocked further unauthorised access. It added that affected customers need not take any action since there was no indication the breach had resulted in any fraudulent transactions.

"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded," it said. "We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection."

Reports emerged last month that some customers in Singapore found charges made to their Uber accounts and credit cards for rides they never took, including transactions made in the UK and US and in foreign currencies. The company said then that these were not linked to the global data breach, since details related to credit card numbers or bank account numbers were not believed to have been compromised in the attack.

Uber admitted to having concealed the data breach for more than a year, paying the hackers US$100,000 to delete the data and keep quiet about the incident.

In a note commenting on Uber's latest statement in Singapore, Sanjay Aurora, Asia-Pacific managing director for security vendor Darktrace, said the onus was on companies to safeguard their customers' data.

"The reality is that there is only so much individuals can do. Ultimately, the responsibility lies with the companies that are entrusted with users' sensitive data to defend it against cyberattacks," Aurora said.

"Time and time again, we have seen attacks of this scale--and larger--plague the news. The reality is that such breaches, whether Uber, Equifax, or Yahoo, could have been resolved at an early stage [and] well before real damage was done," he said, touting the need for artificial intelligence in helping companies identify and combat security threats.

Singapore authorities had said they were investigating Uber's security incident and would determine if the US company had breached local data protection laws. They also underscored the need for Uber to be transparent and to cooperate with local authorities.

From:http://www.zdnet.com/article/uber-says-data-breach-compromised-380k-users-in-singapore/

NSA employee pleads guilty after stolen classified data landed in Russian hands

The classified data was later collected by Kaspersky software running on the staffer's home computer.

A former National Security Agency hacker has admitted to illegally taking highly classified information from the agency's headquarters, which was later stolen by Russian hackers.

Nghia Pho, 67, a Maryland resident who worked for the NSA's Tailored Access Operations, the agency's elite hacking unit, entered a guilty plea on Friday to charges of willful retention of national defense information.

The Justice Dept. confirmed the news in a statement on Friday. The New York Times was first to report the news.

Documents released by the Justice Dept. accuse Pho of removing top secret information from the agency over a five-year period ending in March 2015.

Pho held some of the highest levels of security clearance at the agency, including sensitive compartmented information and "need to know" clearance, reserved for only a fraction of the agency's staff.

Although the documents don't make it clear exactly what specific classified data and records were taken -- beyond hard copy and digital files stored in Pho's residence -- several earlier reports have pointed to hacking tools developed for offensive operations launched by the NSA, such as targeting foreign networks and systems for conducting surveillance.

News of the breach was first reported by The Wall Street Journal earlier this year, which said hackers working for Russian intelligence had obtained classified NSA data.

The hackers targeted the then-NSA employee in 2015 when he opened the classified material on his home computer, which was running Kaspersky antivirus software. Russian hackers are said to have targeted the employee after they identified the NSA files through the antivirus software.

The company's founder Eugene Kaspersky previously said he believes that his company's products were exploited to obtain files from Pho's computer.

Kaspersky admitted to collecting and uploading the classified data to its servers in Moscow, but said it did so only after several kinds of malware were found on Pho's computer. (Other antivirus products also routinely upload suspicious files to their vendors' servers for analysis.)

Kaspersky, a Moscow-based security company, has repeatedly denied working with the Kremlin to conduct espionage. Eugene Kaspersky told ZDNet this week that his company would "move the business out" of the country if the Russian government asked it to spy.

Pho is expected to be sentenced in April, when he may receive the maximum sentence of ten years in prison. According to the Times, prosecutors are not asking for more than eight years.

The case is one of several major breaches at the NSA since the Edward Snowden disclosures in 2013.

Pho is one of three people charged in connection with such breaches, alongside Harold Martin, an NSA contractor who was indicted for removing terabytes of secret data from the agency's headquarters, and Reality Winner, another contractor, who was indicted this year for leaking classified secrets to news site The Intercept.

Another major breach involved the agency's trove of highly classified hacking tools, which were later used to launch a large-scale, global ransomware attack. Earlier this year, hackers used the tools to silently infect Windows computers with a backdoor and then launch the WannaCry ransomware.

This week, ZDNet revealed the fifth and most recent breach of NSA data in as many years, including new details about the Ragtime surveillance program, which targets Americans' data.

From:http://www.zdnet.com/article/former-nsa-staffer-pleads-guilty-after-classified-data-theft/

Snoopers Charter: Government forced to backtrack on data access

The UK's controversial mass surveillance legislation will have to be tweaked to comply with EU law, but critics say the changes don't go far enough.

The UK government has been forced to revise parts of its controversial surveillance legislation.

Under the Investigatory Powers Act 2016, nicknamed the 'Snoopers Charter', communications companies can be required to retain customers' communications data for up to 12 months. The government describes communications data as the who, where, when, how, and with whom of a communication; it does not include what was written or said.

But in December last year the European Court of Justice (ECJ) ruled that the powers of the UK's surveillance legislation were too wide and did not comply with EU law.

In response to the ECJ ruling, the government now plans to make a number of changes, such as introducing a new independent body to authorise communications data requests. Previously, senior police were able to authorise requests.

The use of communications data will also be restricted to investigations into serious crime that would carry a sentence of six months or more. To get access to web surfing data, authorities need to be investigating a crime that carries a sentence of at least a year.

Additional safeguards will be added that must be taken into account before a Data Retention Notice can be given to a telecoms company, and it will be made clearer when people should be notified if their data is accessed.

However, the government insisted that the judgment does not apply to the retention or acquisition of data for national security purposes "as national security is outside of the scope of EU law". A consultation on the changes is underway, and will run for the next seven weeks.

The UK government argues that communications data is used in 95 percent of serious and organised-crime prosecutions, and has figured in every major counter-terrorism investigation over the last decade. Critics argue that rather than introducing surveillance of the entire population, the authorities would be more effective by targeting suspects more closely.

In a statement, privacy campaigners the Open Rights Group (ORG) called the change a "major victory".

"Adding independent authorisation for communications data requests will make the police more effective, as corruption and abuse will be harder. It will improve operational effectiveness, even if less data is used during investigations and trust in the police should improve," said the ORG's executive director Jim Killock.

The ORG and other privacy campaigners met with the government this week, and Home Office staff warned that without communications data, police would have to rely on more intrusive surveillance techniques. But Killock said it's better to place suspects under targeted surveillance than to keep tabs on the population at large through retained communications data.

"The world has trade offs, and we would suggest that this is a good one," he said.

From:http://www.zdnet.com/article/snoopers-charter-government-forced-to-backtrack-on-data-access/