Security News

On the same day yesterday, when the US-based telecom giant T-Mobile admitted a data breach, the UK-based telecommunication provider Virgin Media announced that it has also suffered a data leak incident exposing the personal information of roughly 900,000 customers. What happened? Unlike the T-Mobile data breach that involved a sophisticated cyber attack, Virgin Media said the incident was neither a cyber attack nor the company's database was hacked.

The Information Commissioner's Office has fined Cathay Pacific Airways £500,000 for leaky security that exposed the personal data of 9.4 million passengers - 111,578 of whom were from the UK. The breach, which occurred between October 2014 and May 2018, exposed passengers' names, passport and identity details, dates of birth, postal and email addresses, phone numbers, and travel history, as well as 430 credit card numbers, 27 of which were active. The unauthorised access was first suspected in March 2018, when Cathay's database suffered a brute force attack, and confirmed in May. A Cathay Pacific spokesman said at the time that the combination of data accessed varied for each affected passenger.

A software engineer on trial in the largest leak of classified information in CIA history was "Prepared to do anything" to betray the agency, federal prosecutors said Monday as a defense attorney argued the man had been scapegoated for a breach that exposed secret cyberweapons and spying techniques. A Manhattan jury heard conflicting portrayals of Joshua Schulte, a former CIA coder accused of sending the anti-secrecy group WikiLeaks a large portion of the agency's computer hacking arsenal - tools the agency had used to conduct espionage operations overseas.

Popular pharmacy chain Walgreens is warning that a bug in its official mobile app may have exposed sensitive data, including customers' full names and information on prescriptions for medications they are taking. While Walgreens did not detail the technical glitch, it said that the internal application error enabled certain personal messages, stored in a database, to be viewed by other customers who were using the mobile app.

Now an app developer called Mysk has discovered pasteboard's dark side - malicious apps could exploit it to work out a user's location even when that user has locked down app location sharing. In the simplest scenario, an iPhone user would take a photo, copy it between apps using the pasteboard, from which a malicious app could extract location metadata while comparing it with timestamps to determine whether it was current or taken in the past.

A lawsuit seeking class action status filed against UW Medicine in the wake of a data leak incident has been amended to reflect that at least one HIV patient allegedly had their data exposed. The lawsuit alleges UW Medicine, a Seattle-based academic medical system that includes several hospitals and a large physician practice, failed to properly protect PHI when it misconfigured a database, leaving nearly 974,000 patients' information exposed to the internet for several weeks.

KidsGuard comes from a company called ClevGuard that promises that its "Excellent products" will deliver "All the information" from a targeted device, including real-time location, text messages, browser history, photos, videos, recordings of phone calls, keylogger data for every keystroke entered and the app where it came from, and all the data from all the social apps - hopping over the end-to-end encryption of, for example, WhatsApp. ClevGuard says the app can also be used for iPhones without access to the device if you give it the target's iCloud credentials.

Samsung has admitted that what it calls a "Small number" of users could indeed read other people's personal data following last week's unexplained Find my Mobile notification. Several Register readers wrote in to tell us that, after last Thursday's mystery push notification, they found strangers' personal data displayed to them.

US President Donald Trump promised to pardon WikiLeaks founder Julian Assange if he denied Russia leaked emails of his 2016 election rival's campaign, a London court was told on Wednesday. The White House quickly issued a denial that Trump had dangled a pardon in exchange for help in the Russia controversy, which has cast a shadow over his first term in office.

If your computer is running any modern Intel CPU built before October 2018, it's likely vulnerable to a newly discovered hardware issue that could allow attackers to leak sensitive data from the OS kernel, co-resident virtual machines, and even from Intel's secured SGX enclave. Dubbed CacheOut a.k.a. L1 Data Eviction Sampling and assigned CVE-2020-0549, the new microarchitectural attack allows an attacker to choose which data to leak from the CPU's L1 Cache, unlike previously demonstrated MDS attacks where attackers need to wait for the targeted data to be available.