Security News Bites for the Week Ending June 23, 2023
Western Digital Blocks Unpatched Systems From Accessing Their Cloud
Western Digital’s My Cloud software allows owners of Western Digital storage systems to synchronize their data with the WD cloud. A bug with a CVSS score of 9.8 was discovered last year. As a way to “encourage” users to patch their systems, WD is blocking unpatched systems from accessing the cloud. Sort of a nuclear option, but likely this is to protect both their cloud and other users’ data, since they were hacked last month and the hackers flaunted the data they got. Credit: CSO Online
FTC Sues Amazon Over Dark Patterns
Dark patterns are a technique which makes it more difficult for customers to do something when it is not in the company’s best interest for them to do it. In this case, it is to make it more difficult for customers to cancel their Prime membership than to sign up for it. Many states have laws against dark patterns, which they and the FTC call deceptive trade practices. In Amazon’s case, you can sign up for Prime with one or two clicks, but the FTC says it has a document describing a process that Amazon calls Iliad, which takes 11 pages to lay out all of the possible options customers might encounter when they want to cancel their Prime membership. Since Prime represents $25 billion in revenue to Amazon, you can understand why they want to make it hard for people to cancel. The FTC doesn’t care. Credit: Motherboard by Vice
Surprise: Companies Don’t Always Reveal Breaches
Zacks Investment Research disclosed a breach that occurred in late 2021–early 2022 affecting 820,000 customers. They said, at the time, that they did not think any customer personal information was taken. This past weekend Have I Been Pwned said it received a database of 8.8 million Zacks customer records from May 2020 – a breach which was NOT disclosed. The dump includes a lot of personal information, including hashed but not salted passwords. After this almost-9-million-record dump was revealed, Zacks said something to the effect that the passwords were encrypted. Zacks did a password reset on the 10 percent of the breached data that it had disclosed, but not on the remaining 90 percent. I assume the GDPR police will be paying them a visit. They may claim that the passwords were encrypted and hence there was no breach, but the names, addresses and phone numbers, among other data, were not encrypted. If you are breached you really need to come clean. Credit: Bleeping Computer
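Why “hashed but not salted” matters is worth seeing concretely. The following is an added illustration, not code from the original post or from Zacks: it stores a constructed set of user passwords first as unsalted SHA-256 digests and then with a random per-user salt (PBKDF2-HMAC-SHA256 from the standard library). Without a salt, two users who chose the same password have the same digest, and any digest that appears in a precomputed table of common passwords is recovered instantly; with a salt, the same password yields different digests per user and each one must be attacked separately. The user names, passwords and the small “common password” table are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of leaked accounts: alice and bob chose the same password.
SAMPLE_USERS = {
    "alice": "Summer2020!",
    "bob": "Summer2020!",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for the large precomputed digest tables that already exist
# for common passwords; unsalted digests can be reversed with a dictionary lookup.
COMMON_PASSWORDS = ["password", "123456", "Summer2020!", "qwerty"]

PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-style work factor


def unsalted_hash(password: str) -> str:
    """The weak scheme: one plain SHA-256 over the password, no salt, no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def unsalted_store(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def duplicate_digest_groups(store: dict) -> list:
    """Users whose stored digests are identical. Only visible when no salt is used."""
    by_digest = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)


def lookup_unsalted(store: dict, table: list) -> dict:
    """Reverse unsalted digests by table lookup: the reason such a dump is a breach."""
    reverse = {unsalted_hash(pw): pw for pw in table}
    return {user: reverse[d] for user, d in store.items() if d in reverse}


def salted_hash(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS):
    """The corrected scheme: random 16-byte salt per user plus a slow key derivation."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def salted_store(users: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    return {user: salted_hash(pw, iterations=iterations) for user, pw in users.items()}


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_duplicate_groups(store: dict) -> list:
    """Same duplicate check on the salted store; alice and bob no longer collide."""
    return duplicate_digest_groups({user: digest for user, (salt, digest) in store.items()})


if __name__ == "__main__":
    weak = unsalted_store(SAMPLE_USERS)
    print("duplicate digests (unsalted):", duplicate_digest_groups(weak))
    print("recovered by table lookup:  ", lookup_unsalted(weak, COMMON_PASSWORDS))
    strong = salted_store(SAMPLE_USERS)
    print("duplicate digests (salted):  ", salted_duplicate_groups(strong))
    salt, digest = strong["alice"]
    print("alice verifies:", verify_salted("Summer2020!", salt, digest))
```

The duplicate-digest check is also a quick triage step when assessing a dump: if many accounts share a digest, the store was almost certainly unsalted and every affected user should be forced to reset, not just a subset.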
DNA Testing Company Lied About Dumping Samples
The Federal Trade Commission is claiming that genetic testing firm 1Health.io, AKA Vitagene, told people that they would dispose of their physical DNA samples as well as their health data, but didn’t. They also claim that the company did not secure the data that they claimed they didn’t have. Oh, yeah, the data was stored on Amazon S3 – without access controls. After the fact, the company figured out there was money to be made by selling customers’ data, so they changed their privacy policy but did not notify customers whose data they collected years earlier. The company claims this is government overreach (and they should, apparently, be allowed to sell people’s data after saying that they would not do that), but they agreed to a consent decree. Likely their lawyers told them that strategy would not hold up in court. Another word to the wise. Credit: The Register
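“Stored on Amazon S3 without access controls” usually means a bucket policy or ACL that grants anonymous access. As an added example (not code from the original post, the FTC complaint, or the company), here is a small static check over S3 bucket policy documents: it flags any Allow statement whose Principal is anonymous (`"*"` or `{"AWS": "*"}`) and that carries no Condition. The two policies are constructed: the first is the weak setting that leaves every object world-readable, the second restricts reads to one application role and denies non-TLS access. The bucket name, account ID and role name are placeholders.

```python
import json

# Constructed policy: the weak setting. Anyone on the internet can list and read.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-dna-results/*",
                     "arn:aws:s3:::example-dna-results"],
    }],
})

# Constructed corrected policy: one application role may read objects, and all
# unencrypted (non-TLS) requests are denied. Account ID and role are placeholders.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-dna-results/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-dna-results/*",
                         "arn:aws:s3:::example-dna-results"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json: str) -> list:
    """Sids of Allow statements that grant anonymous access with no Condition."""
    policy = json.loads(policy_json)
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a guardrail, not an exposure
        if not is_anonymous_principal(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue  # conditioned anonymous grants still deserve manual review
        findings.append(statement.get("Sid", "<no Sid>"))
    return findings


def is_public(policy_json: str) -> bool:
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: public statements = {public_statements(policy)}")
```

A check like this belongs in the pipeline that deploys the bucket, alongside the account-level S3 Block Public Access setting, which refuses such policies outright; a policy review after the data has already been collected, as in this case, is years too late.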
Largest Public Pension Fund in US Affected by MOVEit Breach
The fallout from the MOVEit breach continues to expand. The most recent revelation is the country’s largest pension fund, CalPERS. This was, one more time, due to a third party who uses MOVEit. CalPERS manages more than $477 billion in assets. CalPERS sends the data to vendor PBI, who helps them manage payments to beneficiaries correctly. Expect to hear a lot more of these announcements in the coming weeks. Credit: The Record