Eight months ago, Panera Bread was warned that they were leaking up to 7 million customers' data. They fixed it yesterday. Kinda.

On August 2, 2017, security researcher Dylan Houlihan contacted Panera Bread to warn them that their customer loyalty website had a serious defect that allowed attackers to retrieve the names, email and physical addresses, birthdays and last four digits of the credit cards for up to seven million customers.

FedEx bought a company that stored 119,000 pieces of scanned customer IDs in a public Amazon cloud server, shut the company down, left the scans online for anyone to download

FedEx acquired a company called Bongo International in 2014; Bongo specialized in helping North American companies sell overseas, and after the acquisition, FedEx renamed the company FedEx Cross-Border International.

Leaked Equifax documents provided to US Senate reveal that they dumped all our drivers' licenses, too, but Equifax says it's OK, so...

A leaked set of disclosures made by Equifax to the US Senate has revealed that the breach of 145.5 million Americans' sensitive financial data was even worse than suspected to date: in addition to data like full legal names, dates of birth, Social Security Numbers, and home addresses, it appears that Equifax also breached drivers' license numbers and issue dates.

Thanks to "consent" buried deep in sales agreements, car manufacturers are tracking tens of millions of US cars

Millions of new cars sold in the US and Europe are "connected," having some mechanism for exchanging data with their manufacturers after the cars are sold; these cars stream or batch-upload location data and other telemetry to their manufacturers, who argue that they are allowed to do virtually anything they want with this data, thanks to the "explicit consent" of the car owners -- who signed a lengthy contract at purchase time that contained a vague and misleading clause deep in its fine print.

VTech covered up a leak of data on 6.3m children and their families, then tried to force us not to sue - the FTC just fined them $0.09/kid

VTech is the Taiwanese kids' crapgadget vendor that breached sensitive data on 6.3 million children and their families, lied about it and covered it up, then added a dirty EULA to its products that made us promise not to sue them if they did it again.

Democratic Senators propose federal breach disclosure law with 5-year prison sentences for covering up data-loss

The Data Security and Breach Notification Act (S2179) was introduced by three Senate Commerce Committee Democrats, Bill Nelson [D-FL], Richard Blumenthal [D-CT] and Tammy Baldwin [D-WI], in the wake of the revelation that Uber hid a breach involving 50,000,000 riders and 7,000,000 drivers for over a year after paying hush-money to the criminals who stole the data.

Uber admits it breached 57,000,000 accounts, then bribed the hackers to cover it up, now they're paying a top ex-NSA lawyer to teach them transparency

Uber's Chief Security Officer Joe Sullivan and his top aide have both been forced out of the company in an act of penance for the revelation that the company suffered a breach in October 2016 in which hackers stole personal data from 50,000,000 riders and 7,000,000 drivers, including 600,000 drivers' US driving license numbers; Uber says the disgraced employees acted alone when they then paid the hackers who stole the data $100,000 to hush it up.

Disqus breached 17.5 million user accounts in 2012, then did everything right about it in 2017

This weekend, we learned that Disqus -- the commenting system we once used here on Boing Boing -- suffered a breach in 2012 in which 17.5m user accounts (email addresses, signup names, account activity dates and some unsalted, weakly encrypted passwords) were stolen.

Equifax's dox of America: Sign up for "free" monitoring, get billed forever

Equifax dumped dox on 143 million Americans (as well as lucky Britons and Canadians!), sat on the news for five weeks, let its execs sell millions in stock, and then unveiled an unpatched, insecure WordPress site with an abusive license agreement where you could sign up for "free" credit monitoring for a year, in case someone used the immortal, immutable Social Security Number that Equifax lost control over to defraud you.

Equifax waited 5 weeks to admit it had doxed 44% of America, did nothing to help us while its execs sold stock

From mid-May to July 2017, Equifax exposed the financial and personal identifying information of 143 million Americans -- 44% of the country -- to hackers, who made off with credit-card details, Social Security Numbers, sensitive credit history data, driver's license numbers, birth dates and addresses. Then, in the five weeks between discovering the breach and disclosing it, the company allowed its top execs to sell millions of dollars' worth of stock in the company, while preparing a visibly defective and ineffective website that provides no useful information to the people whom Equifax has put in grave financial and personal danger through its recklessness.

Swedish transport agency breach exposes millions, from spies to confidential informants

The Swedish Transportstyrelsen (Transport Agency) botched its outsourcing to IBM, uploading its records to IBM's cloud and then emailing cleartext copies to marketing managers, unvetted IBM employees in the Czech Republic and others.

IBM reports data breaches were up 566% (4B docs!) last year

Information security is a race between peak indifference to surveillance and the point of no return for data collection and retention.

Political leaks disrupt Ecuadoran election

Opponents of Ecuadoran president Rafael Correa -- himself a prolific and shrewd social media campaigner -- have had their social media accounts hacked and used to dump embarrassing transcripts purporting to show their party in disarray and romantic scandals in their personal lives.

Bible references make very weak passwords

An analysis of passwords found in the 2009 breach of RockYou -- 32 million accounts -- finds a large number of Biblical references ("jesus", "heaven", "faith", etc.), including a number of Bible verse references ("john316").

What we can learn from 2016: the year of the security breach

Ryan McGeehan, who specializes in helping companies recover from data breaches, reflects on the worst year of data breaches (so far) and has some sound practical advice on how to reduce your risk and mitigate your losses: some easy wins are to get your staff to use password managers and two-factor authentication for their home computers (since everyone is expected to work in their off-hours, most home computers are an easy way to get into otherwise well-defended networks), and to stress-test your network for breach recovery.

300 million AdultFriendFinder accounts breached

AdultFriendFinder, "the world's largest sex & swinger community," has suffered a major breach, leaking 300,000,000 accounts' worth of personal information, namely email addresses, passwords, usernames, IP addresses and browser information.

This week in terrifying, mind-boggling password breaches

800,000 usernames and passwords from Brazzers, a giant porn site; 98 million passwords from Rambler.ru ("Russia's Yahoo"); and, coming soon, the entire user database for VKontakte/VK.com, Russia's answer to Facebook.
