Tag: data breach

  • Massive data breach: 2.2 million Pakistani citizens’ personal information for sale online

    Massive data breach: 2.2 million Pakistani citizens’ personal information for sale online

    According to a report from Geo News, the personal data of 2.2 million Pakistani citizens has been compromised and put up for sale online. This breach occurred when hackers gained unauthorised access to a private company-made database that is utilised by hundreds of restaurants. 

    The hackers have even gone so far as to display some citizens’ data as samples in their online sale advertisement. In their claim, the hackers asserted, “We have hacked the databases of over 250 restaurants,” and they listed numerous food outlets. 

    The compromised citizen data includes contact numbers and credit card details. The affected software is widely used by many restaurants across the country. Furthermore, details such as the number of transactions and the amounts paid by citizens are available for purchase online. 

    The hackers are demanding 2 Bitcoins in exchange for the compromised citizen data, which equates to approximately $54,000, considering that one Bitcoin is valued at $27,000 based on market sources. In Pakistani rupees, this amounts to over Rs15 million. 

    As of now, the Federal Investigation Agency’s (FBR) cybercrime circle has not received any complaints regarding this incident. 

    It is worth noting that the federal government recently issued a directive advising all information technology (IT) and financial institutions, including regulators, to avoid collaborating with, installing, or using Indian-origin artificial intelligence (AI) and information and communication technology (ICT) products.  

    This advisory was issued due to concerns that these products could pose a constant, concealed, and force multiplier threat to Pakistan’s critical information infrastructure (CII). 

    The government shared this cybersecurity advisory with federal and provincial ministries and sectoral regulators. The advisory highlighted that globally, AI products and services are widely employed by various industries, including the financial and banking sectors, to accelerate their growth. 

    The document also noted that the fintech sector in Pakistan, along with some banks, was engaged with Indian-origin companies that offered IT products, cybersecurity solutions, and AI solutions.  

    The use of Indian security products and solutions was considered a potential threat to Pakistan’s CII, particularly the banking sector, due to the possibility of backdoors or malware collecting logs, data traffic analysis, and personal identifiable information (PII).  

    Additionally, it pointed out the risk of direct Indian ingress into Pakistan’s CII through technical means and access control with passive monitoring capability. 

  • Teen hacker causes millions in damages to Uber, Revolut, and Grand Theft Auto maker

    Teen hacker causes millions in damages to Uber, Revolut, and Grand Theft Auto maker

    During proceedings at a London court, prosecutors disclosed that a member of the hacking group Lapsus$, who is a teenager, successfully breached the security systems of Uber and fintech company Revolut.

    The individual in question, identified as Arion Kurtaj, allegedly gained unauthorised access to the personal information of approximately 5,000 Revolut customers in September 2022, while also inflicting damages amounting to nearly $3 million on Uber.

    Furthermore, the prosecution claims that Kurtaj proceeded to target Rockstar Games shortly after, hacking into their systems. In a Slack message addressed to all Rockstar staff, he purportedly threatened to disclose the source code of the highly popular video game franchise, Grand Theft Auto, which was under development for a forthcoming installment.

    Additionally, Kurtaj stands accused, alongside an unnamed 17-year-old co-defendant, of engaging in a blackmail scheme against BT Group (BT.L), the largest broadband provider in Britain, and EE, a prominent mobile network operator. This illicit activity reportedly took place between July and November 2021, during which the accused demanded a ransom of $4 million.

    Prosecutors assert that the duo, considered “key players” within Lapsus$, conducted a cyberattack on chipmaker Nvidia Corp (NVDA.O) in February 2022. They allegedly sought payment from Nvidia to prevent the public release of the company’s data.

    During the trial, prosecutor Kevin Barry revealed that the 17-year-old defendant had breached the cloud storage of the City of London Police, mere weeks after being apprehended in connection with the BT and EE hacking incident.

    According to Barry, Kurtaj later embarked on a solo cybercrime spree, commencing with the targeting of Revolut and subsequently Uber, followed by the intrusion into Rockstar Games’ systems.

    Kurtaj’s mental fitness to stand trial has been assessed by psychiatrists and found inadequate. Consequently, the jury will evaluate whether he committed the alleged acts, rather than delivering a traditional guilty or not guilty verdict.

    The charges leveled against Kurtaj encompass a total of 12 offenses, including three counts of blackmail, two counts of fraud, and six charges under the Computer Misuse Act.

    Meanwhile, the 17-year-old defendant is currently being tried for two counts of blackmail, two counts of fraud, and three charges under the Computer Misuse Act related to the hacking of BT and Nvidia. The defendant denies these charges but has previously pleaded guilty to two offenses under the Computer Misuse Act and one count of fraud.

  • Indian call centre scammers looted $10 billion from Americans in 2021

    Indian call centre scammers looted $10 billion from Americans in 2021

    According to Federal Bureau of Investigation (FBI) data, US citizens lost more than $10 billion in 2022 as a result of phishing calls made by illegal Indian call centres.

    The Times Of India stated citing FBI data that the majority of the victims of these fraud calls from Indian phishing gangs were senior US nationals over the age of 60 who lost more than $3 billion.

    The FBI has now sent a permanent representative to the US embassy in New Delhi following many incidences that were reported in 2022. To bust these gangs that have threatened to make India the hub of such illegal call centres, the representative will work closely with the CBI, Interpol, and the Delhi Police.

    So far in 2022, Americans have lost a total of $10.2 billion to such hoax calls, a 47 per cent increase over the $6.9 billion lost in 2021.

    Suhel Daud, the FBI’s South Asia director, told the publication that “romance-related” scams totaled INR 8,000 crore (PKR 217.7 billion) in 2021 and INR 8,000 crore (PKR 217.7 billion) in the final 11 months of 2022. Losses from “tech support” fraud have topped $3 billion in the last two years, with $347 million in 2021 and $781 million in 2022 so far.

    “It may not be a national security concern yet, but the reputation (of a country) is involved, and we don’t want India to suffer on that count,” Daud told the publication.

    He also stated that the FBI received 850,000 complaints regarding cyber crimes in 2021 and over 780,000 lakh complaints so far in 2022. Investment-related cybercrime ($3 billion), corporate email compromise ($2.4 billion), personal data breach ($1.2 billion), romance ($1 billion), and tech support ($781 million) were among the concerns.

  • How to identify and protect your mobile from cyber attacks

    How to identify and protect your mobile from cyber attacks

    Smartphones are ideal targets for hackers as they contain so much personal information all in one place, from email and phone contacts to banking and social media details. This information can be used by hackers to steal identities, sell them on the dark web, and perform a variety of other cybercrimes.

    Cybercriminals are always refining their methods, making their attacks increasingly difficult to spot. We have heard of the phone and call tapping but recently there has been a debate that if WhatsApp calls can be tapped.

    Can WhatsApp audio or video call be hacked?

    Bugging can occur at all kinds of levels from political worthies to average people with no technological wisdom. A cyber security expert claims that since nothing is impossible and no code is perfect, WhatsApp’s end-to-end encryption makes it safer.

    However, WhatsApp employs some of the best coders around, and the business has invested heavily in the security of its messenger. Therefore, for not-so-pro hackers, it is ‘almost impossible’ to hack WhatsApp.

    All WhatsApp conversations—video or audio—are encrypted from beginning to end. Although the implementation of that encryption can’t be examined for security because the app is closed-source.

    However, let’s presume it’s solid. Any video or audio data sent during your video chats that are end-to-end encrypted can only be decoded on the device you’re using to make the call. So even if anyone were to intercept the data, they couldn’t decrypt it, it’d be useless. Not ‘leakable’ in that manner.

    Unless you exploit your smartphone by doing these and have it compromised by:

    • Installing third-party apps or particularly APKs (not from the play store) which are modified by developers
    • Allowing hackers to install malware on your phone so they can access anything by clicking on a link
    • Installing fake WhatsApp, such as WhatsApp PLUS or GB WHATSAPP

    Man-in-the-middle (MITM) attacks or even data sniffing can be used to collect video processing from your device. However, a hacker must first get access, which it does by utilising social engineering to trick you into clicking links or downloading files.

    By simply copying the WhatsApp database file and encryption key from your phone by using some software, anyone may read your message.

    Each WiFi network adapter smartphone has a 12-character MAC address, a unique identification number that can be falsified. Hackers can use the MAC address of your phone to replicate your WhatsApp on their system.

    How to protect your WhatsApp account

    • Never give your phone to someone you don’t trust.
    • Keep your messages locked down with a different key so that no one else can see your messages.
    • Go to your WhatsApp settings and select “log-out from all browsers” or a comparable option if you are signed into numerous devices using your number to access WhatsApp Web.

    How to enable two-step verification

    To enable two-step verification, open WhatsApp > Settings > Account > Two-step verification > Enable.

    You will be prompted to create a password at this step, which will stop someone else from using your phone number for WhatsApp verification.

    Additionally, according to the experts, hackers won’t be able to track the user’s whereabouts if they don’t get access to any vital information.

    Phantom Calls

    A call is deemed Phantom if there is no one chatting from the other side. They all come from various numbers, and you won’t be able to hear any of them. You should report PTA if you frequently receive phantom calls. Most likely, a hacker is attempting to access your mobile device if you receive excessive random calls.

    Random messages

    We must have gotten several texts from unknown sources. Just checking a text message will not cause your phone to be hacked. You should use caution when clicking on links or using coupon coupons in communications, though. Consider whether the link looks authentic before clicking it to ensure that your personal information won’t be disclosed.

    Malicious links

    You can accidentally tap a malicious link and wind up installing spyware on your phone, that may transmit private information to hackers, if you are unable to identify this fake message. Or else, you can be taken to phishing websites that request information from your private accounts.

    Therefore, if you receive a text message advertising a great offer that requires you to click on a link in order to activate it, wait before doing so. As these links will direct you to a trap. This can considerably decrease the risk of someone hacking into your phone using messages.

    By avoiding suspicious links and only downloading apps from Apple and Google stores, we can reduce the risk of being hacked.

  • Facebook will now ask iOS users to allow data tracking for ‘better ads experience’

    Facebook will now ask iOS users to allow data tracking for ‘better ads experience’

    As per details, Facebook has started urging iPhone and iPad users to allow data tracking. The social media giant said that users should allow this for a better and personalized ads experience.

    Apple recently decided to ramp up privacy of its users, and gave users an option if they want to allow social media applications to track their data.

    Both companies are in some sort of war with each other, a war that has been raging for more than one decade now.

    The founder and CEO of Facebook Mark Zuckerberg recently termed Apple Inc. as the biggest competitor, and he said that the new privacy policy of Apple will cause “damage to the business of millions of users.”

    The very next day CEO of Apple Tim Cook, during a data privacy conference in Brussels, said: “If a business is built on misleading users, on data exploitation, on choices that are no choices at all, it does not deserve our praise. It deserves reforms.”

    The battle focuses on a unique device identifier on every iPhone and iPad called the Identifier for Advertisers (IDFA). Companies that sell mobile advertisements, including Facebook, use this ID to help target ads and estimate their effectiveness.

    With the latest iOS 14 update, each app that wants to use the tracker will have to seek permission from the user. Consequently, it will make the mobiles ads less effective.

    Facebook has already started warning investors that these changes will affect the business, and now the company is testing the effects of the new updates.

    Besides, form today when users will open the app, they will see a message box that will tell users why they must allow Facebook to track their data.

    “Allow Facebook to use your app and website activity?” and claims that Facebook uses that information to “provide a better ads experience.” It will then offer users a choice between “Don’t Allow” and “Allow.”

    No matter which selection users make on the Facebook prompt, if they choose not to allow tracking on the Apple pop-up, that choice will be final, and Facebook will honour it.

  • Marriott Hotels fined £18.4m for data breach that hit millions

    Marriott Hotels fined £18.4m for data breach that hit millions

    The United Kingdom’s (UK’s) privacy watchdog has fined the Marriott Hotels chain £18.4m for a hack that compromised the data of more than 339 million guests.

    The Information Commissioner’s Office (ICO) said names, contact information, and passport details may all have been compromised in a cyber-attack.

    The breach included seven million guest records for people in the UK. The ICO said the company failed to put appropriate safeguards in place.

    The first part of the cyber-attack happened in 2014, affecting the Starwood Hotels group, which was acquired by Marriott two years later. But until 2018, when the problem was first noticed, the attacker continued to have access to all affected systems, including:

    Names
    Email addresses
    Phone numbers
    Passport numbers
    Arrival and departure information
    VIP status
    loyalty program numbers

    On that basis, the ICO said Marriott had failed to protect personal data as required by the General Data Protection Regulation (GDPR).

    “The cyber-criminals had been in the systems for years and were effectively thrown into the merger deal without Marriott having a clue. Herein lies the issue, though – it seems that the hotel didn’t check what it was buying,” said cyber reporter, Joe Tidy.

    The ICO report makes clear Marriott beefed up the security of Starwood’s IT systems far too late and the hackers had free rein to move around, cherry-picking the data that would sell best on criminal forums.

    The fine is nothing like the £99m the ICO planned to issue, but it’s still a massive deterrent for future companies. It may make executives planning their next big mergers look more carefully and cautiously at the databases they’re about to acquire.

  • Google faces $5 billion lawsuit for tracking users’ incognito browsing data

    Google faces $5 billion lawsuit for tracking users’ incognito browsing data

    Google has been sued for allegedly tracking users’ internet searches of browsers set on ‘incognito mode.’

    The lawsuit has accused the Alphabet unit of secretly collecting information about what people search online and seeks at least $5 billion in damages.

    According to the complaint, filed in the federal court in San Jose, California, Google gathers data through Google marketing tools which include Google Analytics, Google Ad Manager, and other applications and website plug-ins, including smartphone apps. 

    “The data collection helps Google learn about users’ friends, hobbies, shopping habits, favourite foods, and even the most intimate and potentially embarrassing things they search online,” said the complaint.

    “Google cannot continue to engage in the covert and unauthorised data collection from virtually every American with a computer or phone,” the complaint added.

    Google’s spokesman, Jose Castaneda said that the company will defend itself against the claims. 

    “As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity,” he said. 

    The complaint seeks at least $5,000 of damages per user for violations of federal wiretapping and California privacy laws.