- Details
- Category: Security News
To better mitigate the breach risks tied to the growing use of mobile devices, organizations need to consider extending enterprise digital rights management strategies to mobile platforms, says Gartner analyst John Girard.
"Enterprise digital rights management has not been popular because it's difficult to implement," Girard says in an in-depth interview with Information Security Media Group. "It involves rigorous efforts to classify information. It also can be potentially expensive because there is no open standard at this point to allow competition. And scalability and migration can be difficult because once these tools are in place, you may have a hard time moving your information into other frameworks."
Some commercial rights management products have suffered from easily exploited vulnerabilities, but with tight control over key policies and encryption algorithms in each deployment, these issues can be overcome, Girard says.
"Implementing rights management as a low-level, horizontal policy is one of the most effective ways to reduce the effect of data breaches on just about every platform," he contends.
Security professionals must demonstrate helpful uses for rights management so it's not perceived as punitive or restrictive, Girard says. "Anything in security is automatically viewed as a reduction in privileges," he says. "What we need to do is convince people that security is about improving communications and connections, rather than denying it. And this is one of those technologies that if implemented properly, can encourage communication, but take the worry out of that information being misused." (See: Overcoming Mobile Insecurity.)
In this interview, Girard also discusses:
- The state of the mobile security market in 2016;
- Examples of effective uses of digital rights management on mobile platforms;
- Why he expects the number of players in the mobile device management space to decline dramatically.

Girard is a vice president and distinguished analyst in Gartner's endpoint and mobile security practice. He specializes in business security and privacy solutions for wireless and mobile road warriors, extranets, remote offices and teleworkers.
For the second time in less than two weeks, a set of data released by the Australian government has been taken offline over fears it wasn't securely anonymized, posing a possible privacy risk.
The data comprises a census of Australian federal employees that was conducted over May and June by the Australian Public Service Commission. The online survey, which gauges opinions about a range of aspects concerning public service employment, is administered by an employee research company, ORC International.
This was the fourth year the survey was conducted, covering 105 agencies and almost 97,000 respondents. The data is aggregated and supposed to be scrubbed to ensure no responses can be traced back to an individual, according to a fact sheet.
Numeric Code Problems
Names are not collected as part of the census. But five questions are mandatory, which include gender, age, location of workplace and two questions related to their civil service employee classification, similar to a rank. The census itself is voluntary, but employees are encouraged to complete it.
There was one significant change to the federal census this year: Individual federal agencies were identified by a numeric code. The data was published on a website that's part of a large initiative to make government-collected information more accessible to the public.
But the census data was removed from that website after concerns the numeric code could be used, in part, to link responses back to individual public servants, according to The Canberra Times.
In a statement provided to Information Security Media Group, the APSC asserted it was incorrect to call the incident a data breach. It maintained that it did not publish individually identifiable information, and that no individual could be identified with certainty. Still, the agency felt it was necessary to remove the data pending a review.
"We decided that extra care should be taken to ensure individual officers could not be inadvertently identified if cross-referenced with a range of other publicly available data," according to a statement.
Linkage Attacks
The APSC declined to make officials available for an interview, so it wasn't possible to learn more technical details about what errors the agency may have made in anonymizing data. The Canberra Times noted the data had been downloaded 58 times before it was taken offline.
Anonymizing large data sets is a complex problem. The worry is that the remaining fields in a "de-identified" record, such as the mandatory gender, age, location and classification answers, can be combined with publicly available information to recover, or at least make a good guess at, the identity that has been masked. This technique is known as a linkage attack.
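The following is an added example, not code or data from the APSC, ORC International or the article: it shows how a linkage attack works on survey rows that carry the five mandatory fields described above, and why adding an agency code can collapse a record's "crowd" to one. Both the survey rows and the staff directory are constructed for illustration; the attribute values and agency numbers are assumptions.

```python
"""Linkage (re-identification) attack on "anonymised" survey rows.

Added example. The survey rows and directory below are constructed for
illustration and are not drawn from the APSC census or any real data set.
"""
from collections import Counter, defaultdict

# Constructed survey extract: the five mandatory fields from the article
# (agency code, gender, age band, workplace location, classification) plus
# one opinion answer the respondent would consider sensitive.
SURVEY = [
    {"agency": 17, "gender": "F", "age": "40-44", "location": "Canberra", "class": "EL2",  "answer": "disagree"},
    {"agency": 42, "gender": "F", "age": "40-44", "location": "Canberra", "class": "EL2",  "answer": "agree"},
    {"agency": 17, "gender": "M", "age": "25-29", "location": "Canberra", "class": "APS4", "answer": "agree"},
    {"agency": 17, "gender": "M", "age": "25-29", "location": "Canberra", "class": "APS4", "answer": "neutral"},
    {"agency": 42, "gender": "F", "age": "55-59", "location": "Darwin",   "class": "SES1", "answer": "disagree"},
    {"agency": 23, "gender": "F", "age": "55-59", "location": "Darwin",   "class": "SES1", "answer": "agree"},
]

# Constructed public data: a published org chart or staff directory that
# lists names against the same attributes (assumed to exist for the example).
DIRECTORY = [
    {"name": "Alice Example", "agency": 42, "gender": "F", "age": "55-59", "location": "Darwin",   "class": "SES1"},
    {"name": "Bob Example",   "agency": 17, "gender": "M", "age": "25-29", "location": "Canberra", "class": "APS4"},
    {"name": "Carol Example", "agency": 17, "gender": "M", "age": "25-29", "location": "Canberra", "class": "APS4"},
    {"name": "Dan Example",   "agency": 17, "gender": "F", "age": "40-44", "location": "Canberra", "class": "EL2"},
]

# Quasi-identifiers: fields that are not names but, combined, narrow a person down.
QUASI_IDENTIFIERS = ("agency", "gender", "age", "location", "class")


def qid_key(row, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that a row exposes."""
    return tuple(row[f] for f in fields)


def equivalence_classes(rows, fields=QUASI_IDENTIFIERS):
    """Count how many rows share each quasi-identifier tuple."""
    return Counter(qid_key(r, fields) for r in rows)


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence class. k == 1 means some row stands alone."""
    return min(equivalence_classes(rows, fields).values())


def link(rows, directory, fields=QUASI_IDENTIFIERS):
    """Join survey rows to the public directory on the quasi-identifiers.

    A row that is unique in the survey and matches exactly one directory
    entry is re-identified with certainty. A row matching several entries
    still yields a short candidate list, the "good guess" the article
    describes.
    """
    by_key = defaultdict(list)
    for entry in directory:
        by_key[qid_key(entry, fields)].append(entry["name"])
    classes = equivalence_classes(rows, fields)
    results = []
    for r in rows:
        key = qid_key(r, fields)
        candidates = by_key.get(key, [])
        results.append({
            "answer": r["answer"],
            "candidates": candidates,
            "certain": classes[key] == 1 and len(candidates) == 1,
        })
    return results


if __name__ == "__main__":
    without_agency = QUASI_IDENTIFIERS[1:]
    print("k with agency code:   ", k_anonymity(SURVEY))
    print("k without agency code:", k_anonymity(SURVEY, without_agency))
    for res in link(SURVEY, DIRECTORY):
        print(res)
    print("certain matches without agency code:",
          sum(r["certain"] for r in link(SURVEY, DIRECTORY, without_agency)))
```

On this constructed data the agency code is exactly what breaks the anonymity: with it, two survey rows sit in equivalence classes of size one and each maps to a single directory name, so their opinion answers are attributed with certainty; without it, every class has at least two members and no certain match remains. The defensive check before publishing is the `k_anonymity` figure over every combination of fields an outsider could obtain elsewhere, not just over the fields the publisher considers identifying.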
Australia's Department of Health recently encountered the same problem. The agency published a large data set covering 30 years worth of medical and pharmaceutical claims for about 10 percent of Australia's population (see Australian Health Breach Exposes Danger of 'Anonymous' Data).
In that incident, patient ID numbers and those for medical service providers were encrypted. But researchers at the University of Melbourne found a weak algorithm was used to encrypt the service provider IDs. They cracked the service provider ID codes, which are the same as those that appear on invoices that go to Medicare, Australia's national health service.
The data set was taken offline pending a review and an investigation by Australia's Privacy Commissioner. The government also responded quickly, announcing an amendment to the Privacy Act 1988 that would make it an offense to de-anonymize government data.
But as most technologists know, illegality rarely deters hackers. Also, once insecure data has been released, it's impossible to pull back. The APSC says it expects the data to be re-released in the next week.
The latest edition of the ISMG Security Report leads off with BankInfoSecurity Executive Editor Tracy Kitten analyzing the PCI Security Standards Council's new requirements that are designed to help thwart attempts to defeat encryption in point-of-sale devices.
Also in the report, you'll hear:
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Sept. 30 and Oct. 4 reports, which respectively analyze why cybercrime is on the rise and Republican presidential candidate Donald Trump's cybersecurity platform. The next ISMG Security Report will be posted on Monday, Oct. 10.
Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.
A Michigan credit union's bold move to block members from using their debit and credit cards at all Wendy's locations following a malware attack won't do much to stop fraud. But it does send a strong message that the financial institution doesn't think the fast-food chain has been honest about its efforts to protect its customers.
On Oct. 6, Jackson, Mich.-based American 1 Credit Union noted in a blog post that it did not believe Wendy's had successfully removed all the point-of-sale malware that infected its system in the fall of 2015, resulting in the compromise of POS devices at more than 1,000 Wendy's locations nationwide.
"While Wendy's has reported that the malware responsible for the cyberattacks has been disabled at all franchise locations affected by the data breach, community members have still been reporting fraudulent activity on their accounts, even after reissuance of their debit or credit card," American 1 says in its blog post. "Therefore, in order to protect member accounts, the credit union made the decision to decline all credit and debit card transactions at any Wendy's location until further notice."
In May, Wendy's said it believed that fewer than 300 of its franchises had been impacted by the attack. Then in July, the fast-food chain revised that number to more than 1,000 and said its POS systems were compromised by two separate waves of malware attacks.
American 1 claims more than 18,000 of its members' cards have been compromised because of the Wendy's hack. What's more, the credit union says its fraud losses linked to the Wendy's breach now equal losses stemming from the 2014 Home Depot breach.
"During the Home Depot cyberattacks, over 4,200 cards were reissued," American 1 says. "Of the stolen funds returned to members' accounts, only 11 percent of that amount was covered by insurance, with American 1 paying for the remaining 89 percent of losses out of pocket. ... Until we are confident that our members' cards are no longer at risk when used at Wendy's, we will continue declining the transactions."
More About PR Than Security
The credit union's response to the Wendy's breach is an interesting PR move, but it's unlikely to reduce fraud much unless members actually stop presenting their cards at Wendy's. If a POS system or network is infected, the card number and details are captured at the moment the card is swiped, whether or not the issuer declines the transaction.
Still, I give the Michigan financial institution credit for making a bold statement and bringing valid concerns about POS security to the public's attention.
Wendy's didn't respond to my request for comment, so I can't confirm any of the credit union's claims that the restaurant chain still has an active breach or has been breached again.
I did, however, hear from one Midwest card issuer and two other sources who claimed that fraud linked to Wendy's has been ongoing since January, and that it's very likely that the breach has not been contained.
On the other hand, two other issuers - one in the Midwest and the other on the West Coast - tell me that fraud linked to Wendy's is no longer impacting their customers.
But David Shroyer, a former bank CISO who now works as managing director of information and cybersecurity for Queen Associates, an IT consultancy and staffing agency, tells me it's possible that Wendy's rid its systems of the initial malware but failed to close all of the entry points the hackers used, leaving the network open to reinfection. Another possibility is that Wendy's contained the breach and removed all of the malware but inadvertently reinfected its network by restoring systems from infected backups.
"If you don't get it all out, you're always going to be infected," Shroyer says. "You have to make sure you're scrubbing all of your environments. Otherwise, you're going to reinfect yourself. That means making sure you're cleaning up the entire disaster-recovery environment. If that backup drive is infected, you reinfect yourself when you load the backups. ... This is where air-gapping and scanning your DR come into play. The DR needs to be scanned for the same types of threats that happen in my production department. And never back up until that's clean."
If you work for a card issuer that's still seeing fraud linked to Wendy's, I encourage you to post a comment below or reach out to me directly at
I'd also like to get your reaction to American 1's decision to block all card payments at Wendy's. Do you think other issuers should make similar announcements if they believe a particular retailer has failed to contain a breach?
Yahoo's failure to spot a massive breach of its systems in late 2014, leading to the theft of information relating to at least 500 million users, could cost the company's shareholders $1 billion.
Verizon in July made an offer to acquire Yahoo for $4.83 billion in cash. But a New York Post report, citing unidentified sources, says that Tim Armstrong, CEO of Verizon's AOL unit, "is getting cold feet" over the deal and now demanding a $1 billion discount.
One source tells the newspaper: "He's pretty upset about the lack of disclosure and he's saying 'can we get out of this or can we reduce the price?'" Apparently, the reports of Yahoo's compliance with a secret U.S. government order to spy on some email accounts aren't having the same effect.
Of course, this could just be tough talk designed to cut a better deal, although Verizon is also weighing whether it would need to set aside a $1 billion fund to deal with expected future liability related to the Yahoo breach, the newspaper reports.
Both Verizon and Yahoo declined to comment on that report.
Obviously, Verizon hasn't run away from the deal, so it believes it still has something to gain via the acquisition. By combining Yahoo with AOL, which it acquired 16 months ago for $4.4 billion, Verizon could challenge Google and Facebook for a bigger share of online advertising revenue.
Scant Long-Term Breach Repercussions
If Yahoo's sale price were slashed, however, it would be an unusual consequence of a data breach. And the prospect is already being cited as a cybersecurity and privacy wake-up call.
"Could Yahoo's $1bn 'discount' be the most costly cyber event ever?" asks Surrey University computer science professor and cybercrime expert Alan Woodward via Twitter. "How much is privacy actually worth?"
Historically, the market hasn't punished breaches. "There can be some very pronounced short-term effects," said developer Troy Hunt, who runs the free Have I Been Pwned? breach-alert service, speaking Oct. 6 at the ScotSoft conference in Edinburgh, Scotland.
For example, London-based telecommunications company TalkTalk's stock price plunged in October 2015 as details about a data breach - its third one that year - began to emerge.
[Chart: TalkTalk's stock performance on the London exchange before and after the October 2015 breach. Source: Google Finance]
But relatively few businesses face long-term repercussions from a breach. LinkedIn, for example, is currently second on the Have I Been Pwned list of the biggest known breaches of all time - 165 million accounts stolen - and is in the midst of being acquired by Microsoft for $26.2 billion in cash.
What's a little historical mega-breach between business friends?
There are some exceptions. When bitcoin exchanges get breached and bleed cryptocurrency, for example, they tend to go out of business. So do some security firms. For example, Dutch certificate authority DigiNotar issued bad certificates in 2011 and subsequently went bankrupt. But other security firms that suffered breaches, such as Bit9 and RSA, are still soldiering on.
Still Fumbling the Basics
One truism about cybersecurity is that despite an organization's best efforts - having a clear security mandate from the top, maintaining a proactive information security posture and making appropriate investments in people, processes and technology - it could still be breached.
But many breaches have revealed that organizations failed to get the security basics right. This week, for example, the U.K.'s Information Commissioner's Office - the country's privacy watchdog - released the details of its investigation into TalkTalk's October 2015 breach. It found that the company's failure to catalog its IT infrastructure, apply a 3.5-year-old security patch to a MySQL database or block SQL injection attacks had allowed an attacker to steal personal data relating to 100,000 customers "with ease." As a result, TalkTalk was slapped with a record fine of £400,000 ($511,000).
The fine imposed on TalkTalk was "ridiculous," Hunt said. "It was .02 percent of their revenue, which is like the money they'd lose down the back of the couch and not even notice."
The ICO said its fine took into account TalkTalk's cooperation with investigators, subsequent security improvements, as well as it reporting in February that the breach had already cost it £50 million ($76 million) and led to the loss of 100,000 customers. The ICO can only impose a maximum fine of £500,000 ($615,000).
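The SQL injection failure cited in the ICO findings above is the most basic of the basics. As an added example, not TalkTalk's code or anything from the ICO report, here is the vulnerable pattern beside its fix, run against an in-memory SQLite table; the `customers` schema, the rows and the `lookup_*` function names are assumptions made for illustration.

```python
"""SQL injection: string-built query versus bound parameters.

Added example against a constructed in-memory SQLite table. The schema and
rows are assumptions for illustration, not TalkTalk's data.
"""
import sqlite3


def build_db():
    """Create the constructed customers table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [
            ("a@example.invalid", "01234 000001"),
            ("b@example.invalid", "01234 000002"),
            ("c@example.invalid", "01234 000003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the caller's input is spliced into the SQL text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Fixed: the value is bound as a parameter and is never parsed as SQL,
    so the same payload simply fails to match any email address."""
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology payload: closes the open quote, then makes the WHERE
# clause true for every row.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("legitimate:", lookup_vulnerable(conn, "a@example.invalid"))
    print("vulnerable + payload:", lookup_vulnerable(conn, PAYLOAD))
    print("parameterised + payload:", lookup_parameterised(conn, PAYLOAD))
```

The vulnerable lookup returns the whole table for the payload, which is the "with ease" in the ICO's wording; the parameterised lookup returns nothing because the driver transmits the payload as a string value rather than as SQL. Input filtering or a web application firewall can block known payload shapes, but only binding parameters (or an equivalent prepared-statement API) removes the class of bug.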
Bigger Fines Coming Soon
Beginning in May 2018, European privacy regulators can impose fines of up to 4 percent of a firm's global annual revenue or €20 million ($22.5 million) - whichever is greater - thanks to the EU's new General Data Protection Regulation.
Any business that has customers in Europe - such as TalkTalk and Yahoo - must comply with the new regulation, which also requires organizations to notify authorities quickly, if they discover they've been breached.
Whether the GDPR will lead more organizations to take security seriously - before they get badly breached - remains to be seen. But if that doesn't convince them, the potential $1 billion drop in Yahoo's sale price just might.