
This Week in Data Breaches: Amazon, Uber, USPS, and More

November has been yet another month filled with data breach revelations and the ongoing failure of tech giants and government agencies to secure and protect consumer data.

Here we round up the latest in data news.


Amazon Exposes Names and Emails

On Wednesday, November 21, some Amazon customers received word that their names and email addresses had been compromised by a “technical error.” Amazon sent emails to customers who were affected but declined to release information on the number of email addresses that were exposed. While not as severe as other leaks, exposed names and email addresses could potentially make users more vulnerable to phishing attacks and password reset attempts.

Read more here.

Uber Fined $1.17 Million for Breach

Following Uber’s $148 million settlement with California’s Attorney General in September, British and Dutch authorities announced new fines for the company this week totaling $1.17 million. In the UK, the Information Commissioner’s Office handed down a $491,294 fine. In the Netherlands, the Data Protection Authority imposed a $679,257 fine for the 2016 data breach. The penalties come after regulators found that Uber exposed the personal information of 2.7 million users in the UK and another 174,000 in the Netherlands. While Uber’s 2016 breach and the ICO’s subsequent penalty fall under the UK’s Data Protection Act of 1998, under the GDPR companies will face significantly higher monetary penalties moving forward.

Read more here.

USPS Exposes Data on 60 Million Customers

An anonymous researcher found a vulnerability in a United States Postal Service API that exposed data on over 60 million USPS customers. The API, which lets businesses connect the company’s “Informed Visibility” service to third-party platforms, accepted wildcard requests; this allowed the researcher to pull records on millions of customers and made it possible for any usps.com account holder to view the account details of millions of other users. The exposed data included near real-time package tracking, email addresses, usernames, and phone numbers. USPS was alerted to the issue over a year ago but did not patch the vulnerability until it was reported on the website KrebsOnSecurity.

In a statement, the USPS said, “Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

Read more here and here.
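As an added illustration (not code from the original post or from USPS), the sketch below contrasts a lookup that applies a caller-supplied wildcard filter across every record, the failure described above, with one that enforces object-level authorization. The records, account IDs and function names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Account:
    account_id: str
    username: str
    email: str
    phone: str


# Constructed sample records for the example; not real customer data.
ACCOUNTS = {
    "1001": Account("1001", "alice", "alice@example.com", "555-0100"),
    "1002": Account("1002", "bob", "bob@example.com", "555-0101"),
    "1003": Account("1003", "carol", "carol@example.com", "555-0102"),
}


def lookup_vulnerable(caller_id: str, account_filter: str) -> list[Account]:
    """Mirrors the leak pattern: the filter is matched against every record
    and the caller's identity is never consulted, so a '*' filter returns
    the whole table to any authenticated user."""
    return [a for a in ACCOUNTS.values() if fnmatchcase(a.account_id, account_filter)]


def lookup_hardened(caller_id: str, account_filter: str) -> list[Account]:
    """Object-level authorization: reject glob metacharacters outright and
    only return the record that belongs to the authenticated caller."""
    if any(ch in account_filter for ch in "*?["):
        raise ValueError("wildcard filters are not permitted")
    if account_filter != caller_id:
        raise PermissionError("callers may only query their own account")
    acct = ACCOUNTS.get(account_filter)
    return [acct] if acct else []


if __name__ == "__main__":
    # Any caller with a '*' filter sees all three records in the vulnerable path.
    print(len(lookup_vulnerable("1001", "*")))   # 3
    # The hardened path returns only the caller's own record.
    print(lookup_hardened("1001", "1001")[0].username)  # alice
```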

Instagram Passwords Compromised

Instagram, whose parent company is Facebook, accidentally exposed the passwords of an unreported number of users. An Instagram feature that allows users to download a copy of their data displayed plain text passwords in the page URL, potentially compromising the accounts of users who used the tool. Ironically, the feature was released in April following the implementation of the European Union’s new General Data Protection Regulation. Instagram notified a “very small number” of affected users and quickly fixed the bug.

Read more here.

Voxox Leaks Millions of SMS Two-Factor Codes

Voxox, a communications company, left a database of millions of text messages publicly exposed that included password reset links, two-factor verification codes, and more. The unsecured server was discovered by German security researcher Sebastien Kaul and was visible on Shodan, a search engine for publicly accessible databases.

The leak highlights the vulnerability of SMS-based two-factor authentication methods, as accounts can easily be hijacked by hackers intercepting two-factor codes in real-time. TechCrunch found that the database contained over 26 million text messages, and included two-factor codes for companies such as Badoo, Booking.com, and Fidelity Investments.

Read more here.

Healthcare.gov Exposes Data on 75,000

A data breach in October at Healthcare.gov, the ACA healthcare exchange website, exposed data on over 75,000 people, including the last four digits of Social Security numbers, immigration status, and insurance plan details. The Department of Health and Human Resources initially announced the breach last month without disclosing exactly what information had been exposed before releasing more details this month. Upon discovering the breach, Healthcare.gov immediately shut the affected portal down and fixed the security vulnerability. In a letter released on November 7, the Health Insurance Marketplace said they still “don’t know whether all of this information was actually accessed or misused.”

Read more here.

Facebook Appeals UK Data Ruling

Facebook announced that it will appeal a $644,400 fine imposed by the UK’s Information Commissioner’s Office for its role in the Cambridge Analytica scandal. In July, Elizabeth Denham, the information commissioner, said in an interview that “Facebook has failed to provide the kind of protections they are required to under the Data Protection Act.” Facebook’s appeal comes after the ICO failed to find evidence that UK citizens were among the users impacted by Cambridge Analytica’s data harvesting, even though it was originally reported that data on 1.1 million UK citizens had been exposed. Facebook’s decision to appeal the ruling has been widely criticized and comes on the heels of continued revelations about the company’s questionable business practices.

Read more here.


Bloom: Take Back Control of Your Data

At Bloom, we are giving you the tools to take back control of your data.

Bloom enables you to own, authorize the use of, and protect your data using the latest advancements in blockchain technology. With Bloom, the risk of your data being exposed in a data breach or leak is greatly reduced. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Your identity, and your highly sensitive personal and financial information, is securely safeguarded on your own personal device using cutting-edge cryptography.

Download the Bloom mobile app here or sign up on desktop here.
