14 February 2020

IRM Weekly Cybersecurity Roundup: Facebook dating service delayed and more


Facebook dating service delayed

The new Facebook dating service has been unexpectedly postponed after regulators inspected the Dublin office and raised concerns over data protection compliance.

The release of the Facebook dating service was originally, and aptly, planned for the eve of Valentine’s Day. The inspection of the social media giant’s head office took place after the regulator, the Irish Data Protection Commission, understood that the app was going to be launched in the European Union.

Another reason for the delay is that Facebook did not provide the regulator with a data protection assessment as required.

The Facebook dating service, which matches people based on their profile variables (interests, preferences and friend group, for example), has already gone live in America.

You can read more here.

Estée Lauder victim to data breach

A researcher has come across an unprotected customer database owned by cosmetics company Estée Lauder.

The cloud database held over 440 million individual data entries in plaintext. Information included email addresses and data from the company's customer management system.

After being notified, Estée Lauder closed down the database within 24 hours of the researcher's alert.

You can read more here.

Chinese military hackers responsible for Equifax breach

Four members of the People's Liberation Army hacking unit have been charged over the 2017 Equifax cyber-attack, which led to the theft of 150 million customer credentials.

Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei have been charged on nine counts, including computer fraud, economic espionage and wire fraud, for the hack.

According to evidence in court, the suspects allegedly spent weeks looking for sensitive PII after they discovered a vulnerability in the online complaint system.

You can read more here.

25% of Iranian internet taken down by cyber-attack

The NetBlocks internet observatory confirmed a disruption to 25% of the country’s internet network on the morning of February 8th.

The disruption is thought to be due to the activation of “DEZHFA”, which is Iran’s initiative to repel a cyber-attack on the country’s infrastructure. A spokesperson for the telecommunications infrastructure company confirmed on Twitter that a DDoS attack had been “normalised”.

You can read more here.

“BlueFrag” vulnerability found in older Android models

A critical vulnerability has been identified in older Android models which affects the Bluetooth subsystem.

The flaw affects Android 8.0 to 9.0 and allows remote attackers within proximity to execute arbitrary code as long as Bluetooth is enabled. This allows attackers to deliver malware and steal data.

The flaw has now been patched as of February 2020 and users are being advised to install the latest available security patch.

You can read more here.

Quick-fire updates

99 flaws fixed in Windows and Microsoft: The latest patch release has highlighted twelve “critical” flaws, three of which have been known to the public in recent weeks. For example, the CVE-2020-0674 flaw was indexed three weeks ago but the patch has only been released this week. Read more here.

Teesside Council’s systems hit by cyber-attack: Whilst there is no evidence that the attacks on the Redcar and Cleveland Council’s website led to loss of personal data, a request has been put in for the council’s IT infrastructure to be reviewed. Read more here.