Blog entry by Les Bell

by Les Bell - Wednesday, 26 July 2023, 6:35 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


What Identity Theft Can Look Like

A cautionary tale for privacy professionals; we tend to lose sight of the impact of a privacy breach on the individual in favour of the size of ransom demands and the sheer number of records exfiltrated. Australian Broadcasting Corporation (ABC) News brings us the story of a woman who was caught up in last year's Medibank data breach and initially shrugged it off. When she received an email referring to the sale of counterfeit Adidas products under her name, she assumed it was simply a related scam attempt and ignored it.

But things got very real when she was electronically served with papers from the US District Court for Florida outlining the Adidas case against her, followed by similar charges filed by the National Basketball Association in the District Court for Illinois. Adidas and the NBA were given leave to run ex parte cases - that is, without the defendant being present - resulting in default judgements against her for $US1 million and $US200,000 respectively.

Sarah Luke, a single mother of four from Byron Bay in northern NSW, is now struggling to come to grips with her situation. In early December, her PayPal account was taken over in a credential stuffing attack and used to make hundreds of fraudulent transactions. However, Medibank states that none of its customers' passwords were compromised in its breach and it is therefore not liable for what happened to Ms. Luke. She has been forced to engage a US intellectual property lawyer on a retainer of $US10,000 and worries that if the judgements cannot be overturned she may lose her house and savings.

The complexities of this case have defeated the various agencies she has turned to. Unpicking the exact mechanism by which the PayPal account breach was accomplished, and whether either PayPal or Medibank is to any extent liable, will require a detailed forensic investigation, likely without much cooperation from either company. Similarly, it may prove difficult for her to demonstrate that she had no involvement with the counterfeit Adidas sales.

The implications for consumers are clear - do everything you can to safeguard key accounts such as PayPal, eBay, bank accounts, email accounts and the like: a unique, moderately complex password for each account (stored in a password safe if necessary, so that one leaked password cannot be replayed against other services in a credential stuffing attack), coupled with a second authentication factor, preferably a security key or a time-based one-time token app like Authy, Google Authenticator or similar.

Ross, Hannah, Byron Bay breach victim told to pay Adidas, National Basketball Association $US1.2m by US courts, ABC News, 25 July 2023. Available online at https://www.abc.net.au/news/2023-07-25/byron-bay-data-breach-victim-adidas-nab-us-court-action-damages/102575726.

Australian Department of Home Affairs Exposes Data of Survey Respondents

In a story that combines elements of hubris, mea culpa and schadenfreude, the personal information of over 50 respondents to a small business survey on cybersecurity has been exposed by the Department of Home Affairs.

The names, business names, phone numbers and emails of the survey respondents were published on the Parliament web site in response to a question on notice posed by the shadow minister for cyber security and home affairs, James Paterson, during May's budget estimates hearing. Among the responses to the question was a research report from 89 Degrees East which contained the unredacted names, business names, phone numbers and emails of respondents who indicated they wanted to learn more about the 'cyber wardens' program offered following last year's Optus and Medibank breaches.

However, this may be a case of the pot calling the kettle, etc., as last year a web site belonging to James Paterson had to be hastily taken down after it was found to be overrun by bots inserting thousands of ads for dubious or illegal products.

It can happen to the best of us, James.

Taylor, Josh, Home affairs cyber survey exposed personal data of participating firms, The Guardian, 25 July 2023. Available online at https://www.theguardian.com/technology/2023/jul/24/home-affairs-cyber-survey-exposed-personal-data-of-participating-firms.

Robertson, James and Matthew Elmas, James Paterson’s cyber hard line undermined as website is overrun by bots, The New Daily, 2 November 2022. Available online at https://thenewdaily.com.au/news/politics/2022/11/02/james-paterson-cyber-security-embarrassment/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR. Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
