Sep 27, 2019

DoorDash and Dunkin' Donuts Data Breaches are on the Menu in This Week's Headlines

This week's cybersecurity headlines include a new DoorDash data breach and the latest fallout from the Dunkin' Donuts 2015 data breach.

CNET: New York Sues Dunkin’ Donuts Over Hack Affecting Thousands of People

By: Alfred Ng

"New York is suing Dunkin' Donuts over its failure to disclose a data breach in 2015 affecting nearly 20,000 people who had signed up for the company's loyalty program. The lawsuit alleges Dunkin' Donuts failed to protect its customers (PDF), and knew about the cyberattacks for years before warning the public."

TechCrunch: DoorDash confirms data breach affected 4.9 million customers, workers and merchants

By: Zack Whittaker

"DoorDash has confirmed a data breach. The food delivery company said in a blog post Thursday that 4.9 million customers, delivery workers and merchants had their information stolen by hackers. The breach happened on May 4, the company said, but added that customers who joined after April 5, 2018 are not affected by the breach. It’s not clear why it took almost five months for DoorDash to detect the breach. DoorDash spokesperson Mattie Magdovitz blamed the breach on 'a third-party service provider,' but the third-party was not named. 'We immediately launched an investigation and outside security experts were engaged to assess what occurred,' she said. Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen."

Ars Technica: Google Play Apps Laden with Ad Malware were Downloaded by Millions of Users

By: Sean Gallagher

"This week, Symantec Threat Intelligence's May Ying Tee and Martin Zhang revealed that they had reported a group of 25 malicious Android applications available through the Google Play Store to Google. In total, the applications—which all share a similar code structure used to evade detection during security screening—had been downloaded more than 2.1 million times from the store."

Gizmodo: A Nevada Law That Fines Companies for Selling Private Data Is About to Go Into Effect

By: Dell Cameron

"Starting next Tuesday, Nevada residents may choose to opt-out of having their personal information resold by online businesses. A privacy bill, signed into law this May, requires website operators to respond to requests from consumers and halt the sale of their personal information within 60 days—or potentially face strict fines."

Newsweek: Hacker Takes Over Couple's Smart Home, Plays Vulgar Music and Raises Temperature to 90 Degrees

By: Jake Maher

"Smart-home technology allows residents to remotely control everything from the lighting to the thermostat, and see who's ringing their doorbell. While it's often touted as a means to keep homes secure, a Milwaukee couple say they felt anything but safe after a hacker took over their smart home."

Ars Technica: Magecart Skimmers Seen Targeting Routers for Customer Wi-Fi Networks

By: Sean Gallagher

"Threat researchers at IBM X-Force IRIS have spotted activity by a known group of criminal Web malware operators that appears to be targeting commercial layer 7 routers—the type typically associated with Wi-Fi networks that use 'captive portals' to either charge for Internet access or require customers to sign in."

Reuters: You Have the Right to be Forgotten by Google - but Only in Europe

By: Foo Yun Chee

"Google will not have to apply Europe’s “right to be forgotten” law globally, the continent’s top court ruled on Tuesday in a landmark case that has pitted personal privacy rights against freedom of speech. The victory for the U.S. tech titan means that, while it must remove links to sensitive personal data from its internet search results in Europe when required, it does not have to scrap them from searches elsewhere in the world."

CNET: Hackers Set Up a Fake Veteran-Hiring Website to Infect Victims with Malware

By: Corinne Reichert

"A website pretending to help find jobs for US military veterans was found to be infecting their computers with malware, Cisco's Talos Security Intelligence and Research Group said Tuesday. The website was called hiremilitaryheroes.com, a Talos blog post said, and asked users to download a fake installer app that deployed malware and malicious spying tools."

Verge: Ring Experimented with Activating All Nearby Cameras After a 911 Call

By: Jay Peters

"Amazon’s Ring was working on a feature that would automatically activate cameras on nearby Ring doorbells so that they would begin recording and streaming video when someone called 911, according to emails seen by CNET. These recordings could, in theory, then be used by law enforcement to help with investigations. This feature doesn’t appear to be something the company is pursuing right now, however, according to a Ring comment provided to CNET."

Ars Technica: Google Takes Hard Line, Refuses to Pay French News Sites Despite New Law

By: Timothy B. Lee

"Google won't pay anything to French news organizations for the privilege of linking to their articles, the search giant announced on Wednesday. France is the first country to implement a Europe-wide directive intended to squeeze cash out of technology giants. The copyright overhaul, approved by the European Parliament in March, requires EU countries to give news organizations stricter control over the use of excerpts of their articles. But the European-level law was light on details, allowing individual countries to decide exactly what rights news organizations would get."