Welcome to the weekly cybersecurity news round-up from GlobalSign! With all the activity happening, there’s seemingly no end to the amount of news. Make sure you check back here every Friday to stay up to speed with all the latest headlines in security and identity.
From a global government perspective this has been a very active week. Here in the U.S., the Department of Justice released an indictment that alleges the Chinese government was behind the massive Equifax breach. Then, the government of Israel revealed that all 6.5 million voters have just had their personal data leaked. In Japan, the defense ministry said that sensitive data on defense equipment may have been breached as a result of cyberattacks on Mitsubishi Electric Corp, a major supplier of the country’s defense and infrastructure systems. Finally, on Thursday Puerto Rico revealed it had fallen victim to a phishing scam.
Read on for these stories and more: from business email compromise (BEC) attacks, to the question of digital signatures on official ballots, to persistent poor password problems (how’s that for alliteration?) – and most especially, ransomware.
Top Global Security Stories
IT Pro Portal (February 14, 2020) – Estée Lauder hit with huge data breach
"Cybersecurity researcher Jeremiah Fowler of Security Discovery has uncovered a huge and completely unprotected customer database owned by the cosmetic giant Estée Lauder.
More than 440 million individual data entries were found sitting in plaintext in a cloud database. The records included email addresses and data from the local CMS. No payment data or sensitive employee information was compromised.
“This company has been a household name for over 70 years and had an annual revenue of $14.863 billion in 2019 – it seems logical that there would be a large dataset associated with the business,” Fowler wrote.
He added that he still hasn’t identified how many different people can be found in the database, instead rushing to alert the company to the issue. Estée Lauder managed to close the database within 24 hours of Fowler's alert, but it's unclear how long the data remained exposed."
Next Web (February 13, 2020) – Puerto Rico’s government fell victim to a $2.6M email phishing scam
“The government of Puerto Rico has revealed it fell victim to an email phishing scam, with the attackers making off with more than $2.6 million in stolen funds... There was no citizen data leaked in the case of Puerto Rico, so at least there's that. You know where the $2.6 million of phished funds is going to come out of, though: the people’s pockets.”
Slate (February 11, 2020) – That Enormous Equifax Hack Looks a Lot More Bizarre Now
“On Monday, the Department of Justice released an indictment that alleges the Chinese government was behind the 2017 breach of Equifax that led to 147 million people’s information being stolen. The indictment, which charges four members of China’s People’s Liberation Army with carrying out the breach, is, in a way, good news for those of us worried that our stolen information might be used to conduct identity fraud or financial theft. Historically, the Chinese government has not been very interested in stealing individuals’ money or working with organized crime groups who carry out financially motivated cybercrimes. Instead, the Chinese government appears to be collecting information for espionage purposes.”
Fast Company (February 10, 2020) – Every voter in Israel just had their data leaked in ‘grave’ security breach
“The leak happened through a vulnerability of the website promoting an app called Elector. The app itself, however, did not leak the data. The NYT says a flaw was found on the website of the app that allowed anyone to right-click on the website to view its source code. Inside that source code was the user names and passwords for the website’s admins. Anyone who found these usernames and passwords could then log into the site and download a database with information for every voter in Israel.”
Reuters (February 10, 2020) – Japan says defense data possibly breached after cyberattacks on Mitsubishi Electric
“The Japanese defense ministry said late on Monday that sensitive data on defense equipment may have been breached as a result of cyberattacks on Mitsubishi Electric Corp, a major supplier of the country’s defense and infrastructure systems.
The company has told the ministry that potentially stolen data included requirements for defense equipment that the ministry specified for contract bidders in October 2018, the ministry said in a statement.”
Yahoo! Finance (February 11, 2020) – GlobalSign Expands EU Trust Service Provider Status and Solutions and Also Begins Selling New PSD2-Compliant Solutions to Banks and Third-Party Payment Providers
“Global Certificate Authority (CA) and leading provider of identity and security solutions for the IoT, today announced the company has secured expanded EU Trust Service Provider status and is also now selling eIDAS-compliant qualified time stamps and eIDAS-compliant qualified web authentication certificates. In addition, GlobalSign has added PSD2-compliant certificates and seals to its list of offerings. With this expansion of both eIDAS-compliant and PSD2-compliant solutions, GlobalSign is now one of just two global CAs with this level of offerings.”