Tag: data breach

  • Cyber Attack, Data Breach Among Top Risks For Businesses In India: Survey

    New Delhi: Cyber attacks and data breaches are the top business risks for organizations in India, according to the 2023 Global Risk Management Survey. Cyber attacks and data breaches were placed seventh in the 2021 business risks survey.

    Global professional services firm Aon collected inputs from around 3,000 risk managers, c-suite leaders, treasurers, talent professionals, and other executives from 61 countries and territories to identify the most pressing business challenges.

    The biennial survey said that India's dependence on technology is likely to increase with the widespread adoption of digital infrastructure like the Unified Payments Interface, Aadhaar, and Open Network for Digital Commerce.

    “With increasing digitisation, cybercrimes continue to become rampant with costs and complexities associated with such breaches forcing organizations to look at risk mitigation and transfer mechanisms to better manage cyber risks,” the survey noted.

    Business interruption and failure to attract or retain top talent were marked as the second and third biggest risks facing organizations in India, respectively.

    “There is a compelling need for Indian businesses to leverage advanced data analytics and experts to understand and manage the dynamics of integrated risks,” said Nitin Sethi, Chief Executive Officer of Talent Solutions in India at Aon.

    Failure to meet customer needs, rapidly changing market trends, supply chain disruptions, and personal liabilities were marked down the list as other critical challenges for businesses in India.

  • Amid allegations of data breach, Centre says CoWIN portal has ‘full’ security measures

    Express News Service

    NEW DELHI: The CoWIN portal has full security measures and sufficient safeguards for data privacy, the Centre said on Friday in the Lok Sabha.

    However, the Minister of State for Health and Family Welfare Satya Pal Singh Baghel did not confirm whether there was any case of violation of data privacy on the CoWIN portal, despite being asked by Bharatiya Janata Party MP Hema Malini.

    “There were media reports recently of an apparent breach of Co-WIN data of beneficiaries who have received COVID-19 vaccination in the country,” Baghel said in a written reply.

    However, he said that actions were immediately taken in this regard.

    In June this year, there were reports of an alleged data leak of personal information of individuals, including some opposition leaders and bureaucrats. This was the second instance of an alleged data leak from the CoWIN portal, India’s COVID-19 vaccination tracking platform. Such a breach was also reported in 2022. The government had denied it back then and had said it was “safe and secure.”

    In the written reply, Baghel said the portal has “complete security measures and adequate safeguards for data privacy with Web Application Firewall (WAF), Anti-DDoS, SSL/TLS (regular vulnerability assessment) Identity and Access Management.”

    Listing the steps, he said all Co-WIN APIs for both government and private sector were deactivated immediately, thus completely restricting Co-WIN access.

    A media response on the Co-WIN data breach was issued immediately, informing that the Co-WIN portal is completely safe with adequate safeguards for data privacy.

    A meeting was held with CERT-In (Indian Computer Emergency Response Team) to discuss requirements for investigation by CERT-In and issues on Co-WIN platform security. A complaint narrating the incident was made to the National Cyber Crime Cell.

    He said further steps were also taken to ensure more safety of data on the CoWIN portal. These included two-factor authentication (password and OTP) at login for users (service providers), which was put in place on Co-WIN. All log trails of users are captured and saved in the Co-WIN database securely. Password reset has been completed for all services provided on Co-WIN, the minister added.

  • WhatsApp denies data breach report

    Meta-owned instant messaging platform WhatsApp on Monday denied a report on an alleged data leak that said phone numbers of nearly 500 million users from around the world had been leaked, including in India.

    “The claim written on Cybernews is predicated on unsubstantiated screenshots. There is no proof of a ‘data leak’ from WhatsApp,” a WhatsApp spokesperson said.

    On Saturday, CyberNews, a cyber security-focused publication, published a report stating that a threat actor was selling a database containing phone numbers of more than 487 million WhatsApp users. Of this, nearly 6.2 million phone numbers belonged to users in India. Screenshots of the alleged database containing the breached phone numbers did not clarify if the database also included the names and any other details of the users who owned the phone numbers.

    Following the report, Jurgita Lapienytė, the chief editor of CyberNews, also tweeted that there was no proof of a hack. “There’s no proof WhatsApp has been hacked. The leak could be a scrape, but that doesn’t imply it’s any less harmful for the affected users,” she wrote.

    Security experts stated that even without an elaborate set of details, like names or other identification, leaked databases — if confirmed — are often purchased by cyber criminals, who use these phone numbers to initiate scams that may include phishing, identity theft and other related activities.

    “Phone number harvesting is a very common practice today, and hackers often find clients such as telemarketers — who purchase such databases to sell their products. Even without a name attached to a number, such databases still find plenty of customers,” said Sandip Kumar Panda, founder and chief executive of Bengaluru-based cyber security firm, InstaSafe Technologies.

    However, Panda added that with data breaches becoming commonplace, it is also important to authenticate the veracity of breach-related claims.

    “Meta, as a publicly-listed international firm, is bound by compliance to reveal any data breach. Given that they’ve denied the breach up to now, the alleged database is basically speculative, and we have not found any conclusive proof concerning the leak being genuine,” he said.

  • Data Protection Bill: Even govt will be held accountable for breach, says source

    By PTI

    NEW DELHI: The Digital Personal Data Protection Bill will also hold the government liable in case of a data breach, a government source said on Saturday.

    The source said that the bill will only cover aspects around digital data, as the Ministry of Electronics and IT’s mandate is to deal with digital and cyberspace.

    “The bill is mainly to make those entities accountable that are monetising data. In case of a data breach even the government is not exempted,” the source said.

    The draft Digital Personal Data Protection Bill has exempted certain entities notified as data fiduciaries by the government from various compliances, including sharing details for the purpose of data collection.

    The draft has come up with various provisions to ensure data handling entities collect data with the explicit consent of individuals (or data principals) and use it only for the purpose for which it has been collected.

    The draft has proposed a penalty of up to Rs 500 crore in case data fiduciaries or entities processing data on their behalf violate any provision of the bill.

    “The Central Government may by notification, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries as Data Fiduciary” to whom certain provisions of the Act shall not apply, the draft said.

    The provisions deal with informing an individual about the purpose for data collection, collection of children’s data, risk assessment around public order, and appointment of a data auditor, among others.

    The bill proposes to exempt government-notified data fiduciaries from sharing details of data processing with the data owners under the “Right to Information about personal data”.

    The source said that there have been frivolous applications under the Right to Information Act which overburden government departments and therefore the government-notified entity has been exempted from the RTI clause.

    Elaborating on rules to allow data transfer outside India, the source said data transfer and storage in other countries will be done based on mutual agreement and recognition of each other.

  • This website reveals how TikTok, Instagram may track your data

    A website named InAppBrowser.com claims that it can reveal how platforms like TikTok and Instagram could potentially see your sensitive data, including address, passwords and credit card information, without your consent. The website has a tool that will let users know how popular social media platforms are injecting “JavaScript code into third-party websites that cause potential security and privacy risks to the user”.

    According to the tool’s developer, Felix Krause, InAppBrowser.com has a simple tool to “list the JavaScript commands executed by the iOS app rendering the page”.

    InAppBrowser.com is designed for everyone to confirm for themselves what apps are doing inside their in-app browsers.

    “To try this tool yourself, open an app you want to analyse, share the url, tap on the link inside the app to open it and then read the report on the screen,” he said in a blog post. “I have decided to open source the code used for this analysis, you can check it out on GitHub. This allows the community to update and improve this script over time,” he added.

    Earlier this week, he warned that Chinese short-form video app TikTok may be monitoring all keyboard inputs and taps through its in-app browser on iOS.

    TikTok said in a statement that Krause’s conclusions about the company are “incorrect and misleading”.

    “Contrary to its claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring,” the company said.

    Krause also carried out a study on the iOS apps of Instagram and Facebook, where he found that both these apps can track online activity by using the in-app browser to open third-party links, instead of using Apple’s built-in Safari browser.

    These apps, the researcher says, inject “their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.”

    (With inputs from IANS)

  • Microsoft says new breach found in probe of suspected SolarWinds hackers

    SAN FRANCISCO: Microsoft said on Friday an attacker had gained access to one of its customer-service agents and then used information from that to launch hacking attempts against customers.

    The company said it had found the compromise during its response to hacks by a group it identifies as responsible for earlier major breaches at SolarWinds and Microsoft.

    Microsoft said it had warned the affected customers. A copy of one warning seen by Reuters said the attacker belonged to the group Microsoft calls Nobelium and that it had access during the second half of May.

    “A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.

    When Reuters asked about that warning, Microsoft announced the breach publicly.

    After commenting on a broader phishing campaign it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.

    The agent could see billing contact information and what services the customers pay for, among other things.

    “The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said.

    Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.

    Microsoft said it was aware of three entities that had been compromised in the phishing campaign.

    It did not immediately clarify whether any had been among those whose data was viewed through the support agent, or if the agent had been tricked by the broader campaign.

    Microsoft did not say whether the agent was at a contractor or a direct employee.

    A spokesman said the latest breach by the threat actor was not part of Nobelium’s earlier successful attack on Microsoft, in which it obtained some source code.

    In the SolarWinds attack, the group altered code at that company to access SolarWinds customers, including nine U.S. federal agencies.

    At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.

    Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.

    A White House official said the latest intrusion and phishing campaign was far less serious than the SolarWinds fiasco.

    “This appears to be largely unsuccessful, run-of-the-mill espionage,” the official said.

    Scott McConnell, a spokesman for Homeland Security’s Cybersecurity and Infrastructure Security Agency, said the defensive group “is working with Microsoft and our interagency partners to evaluate the impact. We stand prepared to help any affected entities.”

    A SolarWinds spokesperson said, “The latest cyberattack reported by Microsoft does not involve our company or our customers in any way.”

  • Personal data of 1,29,000 customers stolen in data breach, says Singapore’s Singtel

    Personal data of about 1,29,000 customers of Singapore’s main telecom firm Singtel has been stolen after a recent data breach of a third-party file sharing system, the company said.

    Singtel, an affiliate of Bharti Airtel, has completed preliminary investigations into the breach and established which files on the Accellion file transfer appliance (FTA) were accessed illegally, reported Channel News Asia on Wednesday, citing the company’s news release.

    Singtel’s Group CEO Yuen Kuan Moon has apologised to customers for the data breach and assured them that data privacy is paramount and of support in mitigating the potential risks.

    The stolen personal data includes the customers’ National Registration Identity Card numbers and a combination of names, dates of birth, mobile numbers and addresses, the group said.

    In addition, bank account details of 28 former Singtel employees and credit card details of 45 staff members of a corporate customer with Singtel mobile lines were taken.

    “Some data from 23 enterprises, including suppliers, partners and corporate customers, was also stolen. The company has started notifying all affected individuals and enterprises to help them and their staff manage the possible risks involved and take appropriate follow-up action,” Singtel said.

    Apologising to the customers over the incident, Yuen said, “While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted.

    “Data privacy is paramount, we have disappointed our stakeholders and not met the standards we have set for ourselves.

    “Given the complexity and sensitivity of our investigations, we’re being as transparent as possible and providing information that’s accurate to the best of our knowledge. We are doing our level best to keep our customers supported in mitigating the potential risks,” the CEO said.

    Singtel said a “large part” of the leaked data consists of its “internal information that’s non-sensitive such as data logs, test data, reports and emails”.

    Accellion FTA, which Singtel used as a third-party file sharing system, was the target of a sophisticated cyberattack, exploiting a “previously unknown vulnerability”, said the telecom. When it was first alerted to exploits against the system in December last year, Singtel “promptly applied” a series of patches provided by Accellion to “plug the vulnerability”, it said.

    On January 23, Accellion advised that a new vulnerability had emerged that rendered the earlier patches applied in December ineffective.
    Singtel immediately took the system offline, and the FTA system has been kept offline since January 23, said the company.

    “On January 30, Singtel’s attempt to patch the new vulnerability in the FTA system triggered an anomaly alert. Accellion informed thereafter that the system could have been breached,” it said.

    The telecom’s investigations later confirmed the breach and identified January 20 as the date it had occurred.

    “On February 9, Singtel established that files were taken as a result of the breach and informed the public two days later on February 11,” said the company.

    On Wednesday, Singtel said it was appointing a global data and information service provider to provide identity monitoring services at no cost to affected customers to help them “manage potential risks”.

    This service monitors public websites and “non-public places” on the Internet, and notifies users of any unusual activity related to their personal information. Singtel’s core operations and functions remain “unaffected and sound” as the incident involves a standalone system provided by a third-party vendor, Yuen assured.

    “Information security remains our highest priority and you have my commitment that we are conducting a thorough review of our systems and processes to strengthen them,” he added.

  • Phone numbers of nearly 500 million Facebook users up for sale via Telegram bot

    Mobile phone numbers of nearly 500 million Facebook users are up for sale via a Telegram bot, according to a report by Motherboard. The data includes numbers of around 6 lakh Indian users, according to security researcher Alon Gal, who first highlighted the problem on his Twitter account.
    According to Gal, the user who is running the bot is exploiting a Facebook vulnerability that was reported in 2020 and patched as well. But the vulnerability allowed anyone to access the phone numbers linked to every Facebook account across all countries. It was exploited to create a database of Facebook user accounts and their mobile phone numbers, which is now being sold via the bot.

    This isn’t the first time an issue has been reported with regard to how Facebook secures user data, especially with regard to mobile phone numbers. It was reported back in 2019 that mobile phone numbers of nearly 419 million Facebook users were found on an unprotected server, which the company had admitted was a problem and had later fixed.
    It is worth noting that the data provided by the Telegram bot is from 2019. But given that a lot of people don’t update phone numbers every year, the information being sold is likely accurate. The security researcher has reported that users from over 100 countries are affected. In India over 6,162,450 users are impacted by this.
    According to Motherboard, if someone has a person’s phone number, then they can find their Facebook user ID with the help of the Telegram bot. But in order to access the information, they will be required to pay. The person who created the Telegram bot is selling a phone number or Facebook ID for $20, which is around Rs 1,460 in India. The bot is also selling Facebook users’ data in bulk. For 10,000 credits, the bot is charging $5,000 (around Rs 3,65,160), adds the report.

    In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information 533m users across all countries.
    It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
    — Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
    Gal notes it is a serious privacy concern. He also said the issue was severely under-reported when it was first highlighted and today the database has become much more worrisome. He told Motherboard the data can be used for “smishing and other fraudulent activities by bad actors,” adding that Facebook should notify users of this problem.