Breach Roundup: Amazon Settles US FTC InvestigationsAlso: SAS Extortion, Skolkovo Foundation Hacked, Salesforce 'Ghost Sites'
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: Amazon settled multiple privacy and cybersecurity investigations with the U.S. Federal Trade Commission, Scandinavian Airlines received a $3 million extortion demand from hackers who are probably Russian but masquerading as Sudanese, and apparently Ukrainian hacktivists stole data from Russia's Skolkovo Foundation. Also, researchers pointed out the danger of Salesforce "ghost sites," a Pennsylvania commercial real estate group had a data breach, an Indian electricity supplier acknowledged a ransomware attack and Toyota's cloud misconfiguration affected more people than previously thought.
Amazon Pays $25 Million US FTC Civil Penalty
E-commerce giant Amazon is set to pay a $25 million civil penalty to the U.S. Federal Trade Commission to settle an investigation into the company's Alexa voice assistant products alleging violations of children's privacy and that Amazon held onto users' geolocation data after consumers requested its deletion.
Under a Wednesday settlement that still requires approval by a federal judge, Amazon also agreed to delete personal information from Alexa profiles of children under the age of 13 that have been inactive for 18 months. The agency said more than 800,000 children under 13 have their own Alexa profiles. In a complaint filed in Seattle federal court, the FTC said Amazon until September 2019 "retained children’s voice recordings and transcripts indefinitely" unless a parent actively requested deletion.
"Alexa's default settings still save children's (and adults') voice recordings and transcripts forever, even when a child no longer uses his Alexa profile and it has been inactive for years," the agency's complaint states.
The agency said Amazon until mid-2019 deceived parents who requested deletion by retaining written transcriptions of children's Alexa interactions even after the deletion request. The company also made Alexa recordings accessible to 30,000 employees for 13 months ending in September 2019, the FTC said, despite half of those employees lacking a business need for such access.
The agency also said Amazon between January 2018 and early 2022 retained the geolocation data of users of the Alexa App in secondary locations "insulated from consumers' deletion requests."
As part of its settlement agreement, Amazon must have a privacy program monitored by a third party and active for the next 20 years for Alexa App geolocation information.
"Today's settlement sends a message to all those companies: Machine learning is no excuse to break the law. Claims from businesses that data must be indefinitely retained to improve algorithms do not override legal bans on indefinite retention of data," wrote FTC Democratic Commissioner Alvaro Bedoya in a statement joined by the commission's two other Democrats, Rebecca Slaughter and Chair Lina Khan.
Amazon in an emailed statement said the settlement requires it to make "a small modification to our already strong practices" and that it disagrees with FTC's claims.
The Alexa agreement came the same day that Amazon settled a separate FTC investigation for $5.8 million into the cybersecurity and privacy practices of the company's Ring subsidiary (see: Ring Settles FTC Allegations of Poor Cybersecurity, Privacy).
Scandinavian Airlines Extortion Demand
The flag carrier for Denmark, Norway and Sweden received via Telegram an extortion demand of $3 million on Monday from the hacker group "Anonymous Sudan" to put an end to ongoing distributed denial-of-service attacks. The demand is a nearly thousand-fold escalation of an earlier extortionate request. Scandinavian Airlines "is too greedy to even pay $3,500," the hacking group said in a May 26 Telegram post.
Anonymous Sudan asserts its ongoing DDoS campaigns against the airliner and other targets is retaliation for a January incident in which a Danish far-right politician burned a copy of the Quran outside the Turkish embassy in Stockholm.
Swedish cybersecurity firm Truesec said Anonymous Sudan is a Russian information operation. Trustwave in March found "a very strong possibility that Anonymous Sudan is a subgroup of the pro-Russian threat actor group Killnet."
Anonymous Sudan in February managed to make some passengers' data visible to other passengers, an incident the airliner said involved contact details, previous and upcoming flights and the last four digits of payment cards. The attacks don't appear to have deterred passengers. SAS on Thursday reported 36% growth in passenger demand during the second quarter of this year compared to the same period in 2022. "We are looking forward to a busy summer season and to flying our passengers to their holiday destinations," it said. It has counseled customers unable to access boarding passes online to go to an airport kiosk.
Russia's Skolkovo Foundation, the 2010 brainchild of then-President Dmitry Medvedev, said Monday on Telegram that hackers self-identifying as the Ukrainian Cyber Front had gained access to a file hosting service. The U.S. federal government sanctioned the foundation in August 2022 for supporting the development of advanced military and space technologies.
A Twitter account asserting that it represents the Ukrainian Cyber Front posted a link to documents it said came from the foundation. "We have all the documents and the project source codes," the tweet stated.
Salesforce 'Ghost Sites'
Researchers uncovered hackers stealing data from improperly deactivated Salesforce portals, or "ghost sites," that remain accessible and vulnerable to risk. Varonis Threat Labs said in a Wednesday report that attackers were manipulating the
Host header to gain access to personal information and business data.
Customers sometimes abandon rather than deactivate their Salesforce portals when they're no longer needed, putting the ghost sites at further risk because they're not patched. One common way this occurs is during a migration to a portal infrastructure. Many companies modify their DNS records so the URL of the previous portal points to the new infrastructure. "From the users' viewpoint, the Salesforce site is gone, and a new community page is available," wrote Varonis researchers. But the old Salesforce site still pulls data from the company.
The ghost sites are still active in Salesforce. Attackers can access them by manipulating a
Host request so Salesforce responds by serving up the site under its original URL. Attackers can also look for internal URLs by searching archived DNS records, Varonis researchers wrote.
Pennsylvania commercial real estate investor Onix Group said Friday it is notifying individuals of a ransomware incident in March that affected its healthcare and hotel businesses. Customers of Addiction Recovery Systems, Cadia Healthcare, Physician's Mobile X-Ray, and Onix Hospitality Group had data including Social Security numbers, birthdates and scheduling, billing and clinical information stolen by hackers. Ransomware hackers accessed the company's network for seven days starting March 20. Onix isn't revealing the number of affected individuals.
Indian Electricity Supplier
A municipal electricity supplier in the Indian state of Madhya Pradesh suffered a ransomware attack on May 22 that disrupted employee communications and online services.
The ransomware attack on Madhya Pradesh Power Management Co. affected an internal system employees use for communications, file sharing and resource management. The state-owned company generates power and manages energy transmission and distribution in the central Indian state. A representative told The Economic Times that energy operations were not affected.
Update on Toyota
Toyota says its mid-May admission of a cloud misconfiguration in subsidiary Toyota Connected Corp. caused by human error is more extensive than previously thought. The Japanese carmaker on Wednesday said a cloud environment for dealers in Asia and Oceania, excluding Japan, was also accessible to third parties between October 2016 and last month. Affected information includes addresses, names, phone numbers, email addresses and vehicle identification numbers. The subsidiary manages the carmaker's remote assistance and smartphone connection offerings.
Toyota previously acknowledged the cloud settings exposed location data belonging to more than 2 million Japanese customers, although it said the data by itself could be used to identify individual car owners (see: Toyota Exposed Auto Location of 2M Japanese Customers).
Other Coverage From Last Week
- Sports Warehouse Fined $300,000 Over Payment Card Data Theft
- Hackers Exploited Zero-Day Bug for 8 Months, Barracuda Warns
- Ukrainian CERT Warns of New SmokeLoader Campaign
- Cyberattack Diverts Patients From Rural Idaho Hospital
- Dark Pink Ramps Up Cyberespionage Attacks, Hits New Targets
- Apple Patched System Integrity Protection Bypass Flaw