From the Department of Homeland Security: January 22, 2019 Mitigate DNS Infrastructure Tampering This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 19-01, “Mitigate DNS Infrastructure Tampering”. Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information…
Alaska notifying at least 500,000 residents about data security breach previously disclosed in June
Update: The state subsequently revised its estimate to 87,000 letters. How did it get the numbers so wrong — apart from the question of why it has taken so long to send out notifications. This does NOT inspire confidence in the state’s ability to protect ePHI and to notify people promptly in the event…
Class action settlement reached in Sonic data breach case
There’s been a settlement reached in a Sonic breach first reported by KrebsOnSecurity in 2017. KFOR reports that the settlement notice includes a statement: “The Settlement includes all residents of the United States of America who made a purchase at any one of the 325 impacted Sonic Drive-In locations and paid using a credit or…
Youth-run agency AIESEC exposed over 4 million intern applications
Zack Whittaker reports: AIESEC, a non-profit that bills itself as the “world’s largest youth-run organization,” exposed more than four million intern applications with personal and sensitive information on a server without a password. Bob Diachenko, an independent security researcher, found an unprotected Elasticsearch database containing the applications on January 11, a little under a month…
Why doesn’t Twitter have a way to notify them of leaks or concerns outside of a bug bounty program?
L33tdawg writes: Twitter has owned up to a privacy goof that exposed some Android users’ private tweets. That would be bad enough if the problem existed for an hour, or a day, or a month. But unfortunately for Twitter (and affected users) the problem was present from November 3 2014 until January 14 2019. That’s…
Privacy breach hits 45,000 recipients of Ontario’s disability support program
Kristin Rushowy reports: Ontario’s social services minister has apologized after the Mississauga disability support program office mistakenly emailed the private information of 45,000 people to 100 recipients. “On December 20th, due to a clerical error, the Mississauga ODSP office unintentionally shared some individuals’ information over email,” said Lisa MacLeod in a statement. [..] The December…