Posts

In what has become an alarming security trend, yet another company has exposed millions of consumers’ profiles online due to a non-password protected web-based server. Ladders, a recruitment site that lets users create a profile that can be shared with potential employers, was using an Amazon-hosted web server to store the profiles; according to a security researcher who discovered the information exposed online—and according to confirmation from the company—13.7 million of those users’ complete profiles were available to anyone who knew to look for them.

While the information didn’t appear to contain Social Security numbers, everything else that you might list in a job application was there. Names, email addresses, physical addresses, work histories, educational level, even whether or not the applicant had a security clearance and in what field were all available.

Fortunately, the information was discovered by Sanyam Jain, who works for a non-profit that specifically looks for overexposed information and reports it. There’s no way of knowing if anyone with malicious intentions got to it beforehand, though. After receiving the report, Ladders took down the database within a short time.

Incidents like this one continue to happen, largely due to poor password security. In far too many of the cases of accidental overexposure or data leak, the company who posted their information didn’t realize the default setting was “open” to the public.

For users of any platform, there’s really no way to prevent this kind of oversharing of their information. Other than contacting the company’s IT department, asking if they host their databases on web-based servers, and then asking if that server is password protected—all of which the IT department is probably not going to share with a member of the general public—there’s not much that individuals can do. But here are some actionable steps:

  1. Establish a secondary email – In cases like this, a spammer could download the database and target the users with spam and potentially harmful emails. If you’re establishing online accounts, you might consider setting up an email address that you only use for those purposes. However, in this case, it must be one that you can still check routinely since the purpose of the account was to be notified about job opportunities.
  2. Password security – Even if the other company doesn’t quite have their passwords nailed down, that doesn’t mean you can’t be safer with good password security. Never reuse a password or make one that’s too easy—remember, humans don’t sit and “guess” your password, but rather, software that can make billions of guesses per second does the job for them. Also, it’s a good idea to change your password from time to time, especially on sensitive accounts.
  3. Don’t throw in the towel – Even if it feels like your information is exposed every single day, that’s not the case. Data breach fatigue is a documented problem, but don’t let the constant news of poor security practices keep you from locking down your information as much as possible.

Of course, the Identity Theft Resource Center is here to help. Speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

Why Has UCSD Failed to Notify HIV Patients of Data Breach?

Data breaches are already upsetting enough, especially when your highly-sensitive personally identifiable information is put at risk. But when it comes to data breaches and fraud, perhaps there’s no greater intrusion than to suffer a data breach of your medical information; somehow though, even that kind of intrusion pales in comparison to being victimized in a breach then victimized again by the company who failed to inform you about it.

Now imagine that the medical information that was breached is of the most private nature, one that could have serious consequences for the victims should it get out.

University of California-San Diego partnered with a health services industry organization known as Christie’s Place to recruit participants for a vital, worthwhile study. The study’s subjects were all HIV-positive women who were examined on their commitment to treatment based on experiences with domestic violence, trauma, mental illness, and substance abuse. Unfortunately, the entire case file for all of the study’s participants was left visible in the computer—accessible to literally anyone who worked or volunteered with Christie’s Place.

Somehow, this data breach has taken yet another upsetting turn: UCSD decided not to inform the patients that their information has been exposed. The details on who was behind that decision have not been very clear, but as of recent reports, the patients are still unaware.

There are some very unclear details emerging from this, including allegations of misconduct and even possible attempts to inflate the numbers of patients receiving support. However, none of those accusations has been proven. More information on those matters can be found here.

In the meantime, the very least that can be argued about this breach and the failure to notify is that patients have not been given an opportunity to take action to secure their information. Some of the participants also may have not shared news of their diagnoses with others, and a violation of this kind could have serious consequences for them. The university has stated that it will notify patients very soon, but there is no specific timeline for that to take place.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

United States Customs and Border Protection (CBP) announced that it was victim of a data breach at the hands of a third-party partner. The information exposed included photos of license plates and travelers. CBP released a statement about the breach saying,

“In violation of CBP policies and without CBP’s authorization or knowledge, [a subcontractor] transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” CBP added. “The subcontractor’s network was subsequently compromised by a malicious cyberattack.”

The hack happened by accessing a database on the third-party’s server that was unauthorized by CBP to exist. Although the third-party who caused the breach was not directly named, The Washington Post reported that the subject line of the emailed statement included “Perceptics.” Perceptics is a company based in Tennessee whose website boast they have been “securing our nation’s boarders for more than 30 years.” They design technology for identifying vehicles and license plates for federal and commercial use.

CBP claims they have conducted a thorough search and have not found any of the stolen information on the dark web. This does not however mean the data is impossible to use for malicious acts. President and CEO of ITRC, Eva Velazquez, sums it up in her NBC7 interview saying, “These things, they stay in perpetuity. It is not going to disintegrate. So even in this moment, if there is not a way to monetize, that does not mean 10 years from now that (stolen information) might not be more valuable.”

While CBP noted their own databases were not affected by this attack, this is not the first data breach under the Department of Homeland Security. Early last year it was reported more than 240 thousand employee records were exposed by a former employee.

ITRC continues to monitor the trend of cybercriminals targeting large third-party versus smaller first party databases. Four million records were exposed in 2018 because of focused cybercrime efforts on vendor security. By targeting popular third-party vendors that work with multiple companies, criminals can collect even more personal identifying information in one attack.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft