Breach Brief – Macy’s, Adidas

Macy’s department stores has reported a data breach of customer data. The breach affects Macy’s online customers and exposed names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s pointed out that it does not store card verification values (CVV) or Social Security numbers in its online customer profiles. Macy’s has reported the data breach and the exposed card numbers to payment processors Visa, MasterCard, American Express and Discover. Macy’s has not said how many customers are impacted.

According to Macy’s the breach took place between April 26 and June 12. The company reported that an “unauthorized third party” had obtained usernames and passwords and was able to log into the online profiles of shoppers at Macy’s and its subsidiary Bloomingdale’s. It is not known how the hackers got the credentials. Macy’s reported the breach in a letter to the New Hampshire Attorney General’s Office on July 2nd.

Macy’s has frozen any customer profiles with suspicious activity until the customers change their passwords.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” the company said in a statement. “Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”


Adidas

Adidas, maker of sportswear and equipment, issued a warning to online shoppers in the U.S. that their personal information may have been compromised as a result of a suspected data breach. Adidas first became aware of the incident on June 26, and analysts are saying that potentially millions of customers could be affected.

A preliminary investigation revealed that the hacker may have stolen customers’ contact information, usernames and encrypted passwords. Adidas does not believe any credit card or health and fitness information was compromised.

A statement on Adidas’ website read: “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The company is in the process of notifying affected customers.

Celebrity Cyber Report – Oprah Winfrey, Akon

Apple, making a push into the streaming television market, scored a major coup by signing Oprah Winfrey to a multi-year deal to produce streaming content. The Wall Street Journal reported that Winfrey is expected to become part of Apple’s billion dollar push into direct-to-consumer video streaming. Although what Oprah will produce has not yet been determined, the programming is expected to debut in 2019.

Apple stated to Reuters, “Together, Winfrey and Apple will create original programs that embrace her incomparable ability to connect with audiences around the world.”

Apple is in stiff competition with streaming giants Netflix and Amazon to produce original streaming content. Apple has signed other big name celebrities including Reese Witherspoon, Steven Spielberg, Octavia Spencer and Kevin Durant to produce shows for its platform.

Even with this huge deal Apple faces hardball competition from Netflix and Amazon. Former President Barack Obama and former first lady Michelle Obama signed a deal to produce content for Netflix. Netflix and Amazon have both invested heavily in their streaming content, spending $6.3 and $4.5 respectively in 2017 alone.

Akon


Singer Akon is jumping into the cryptocurrency game. The singer announced at the Cannes Lions International Festival of Creativity the launch of “Akoin” to finance his “Akon Crypto City,” a 100 percent crypto-based city in Africa.

According to the Page Six website Akon said, “I think that blockchain and crypto could be the savior for Africa in many ways because it brings the power back to the people, and brings the security back into the currency system, and also allows the people to utilize it in ways where they can advance themselves, and not allow government to do those things that are keeping them down.”

According to the Akoin website Akon Crypto City is being developed in Africa on land donated by the President of Senegal. The city will be modeled on the fictional country of Wakanda from the movie “Black Panther.” According to Akon the new city will offer everything any normal city would, including homes, retail businesses, parks, universities and schools.

The singer, who is of Senegalese descent, has shifted his career efforts toward giving back to African communities in recent years. In 2015 Akon launched Akon Lighting Africa in an effort to solve chronic shortages of electricity in African nations.


Breach Brief – Exactis

Who is Exactis and what do they know about me? That is the question you need to be asking. No, you haven’t heard of Exactis, but they may have exposed some of your most personal information to hackers. Yours, along with everybody else’s in the U.S.

Exactis is a major data gathering company based in Palm Coast, FL. The Exactis website describes the company as a compiler and aggregator of business and consumer data. Exactis claims to have a store of information it refers to as a “universal data warehouse” that contains 3.5 billion consumer, business and digital records. Exactis claims these records are updated monthly. According to Exactis’ LinkedIn profile it is a privately owned company with only 10 employees. Exactis gathers this information from cookies on personal computers, credit and debit transaction records and other sources.

Now you should ask: what do they know about me? The exposed records contain more than 400 different characteristics, including whether the person smokes, what their religion is and whether they have dogs or cats. But, according to Wired.com, some of the information is inaccurate or outdated.

Your next question is: how did this happen? According to security researcher Vinny Troia the company leaked the data of 340 million individuals by storing it on an unsecured server accessible through the internet. According to Wired.com Troia discovered what he describes as nearly two terabytes of data.

Troia reported the data breach to both Exactis and the FBI. Exactis reacted by securing the data so that it’s no longer accessible.

But now ask: did criminals know this? Did they access the information? The answer to that question is unknown. But since Exactis has not admitted to the data breach and the data is no longer accessible, no one really knows how many people are affected. According to Wired.com Troia found two versions of the database, each holding an estimated 340 million records. This number breaks down into 230 million consumer records and 110 million business contacts.

But Marc Rotenberg, the executive director of the non-profit Electronic Privacy Information Center, said, “The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there.” Rotenberg stated that while some of the data is available in public records, much of it appears to be the sort of non-public information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports. “A lot of this information is now routinely gathered on American consumers,” Rotenberg adds.


Breach Brief – Ticketfly, MyHeritage

Concert ticketing service Ticketfly reported last week that it was hit by a major data breach involving the personal information of 26 million customers.

According to Ticketfly “some customer information has been compromised including names, addresses, emails, and phone numbers.” Tech news blog Engadget reported that the hacker behind the attack has uploaded much of the data to a public server and is threatening to release more.

Prior to the breach Ticketfly was warned of a flaw in its systems by the hacker. According to Motherboard.com the hacker notified Ticketfly then requested a ransom of one bitcoin in exchange for a fix. When the ransom was not paid as requested Ticketfly suffered the consequences.

Ticketfly has not said if customers’ credit card information and passwords have been compromised. However, the hacker has threatened to release more information if the ransom is not paid.

At the time of writing the website is back online. Ticketfly is owned by San Francisco-based Eventbrite.

MyHeritage.com


MyHeritage, an Israel-based genealogy and DNA testing service, has suffered a major data breach of its user information. According to a MyHeritage statement over 92 million customer account details were found on a server outside of MyHeritage. The data is that of people who signed up to use the service right up to the day of the breach, October 26, 2017.

MyHeritage stated that the chief information security officer “received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server.” Hashed passwords are one-way scrambled representations of passwords. This means companies don’t have to store the actual password on their network, but, depending on the algorithm used, hackers could still crack them.

MyHeritage claims that no other user data, such as credit cards, was compromised and that DNA data is stored on separate systems.

Celebrity Cyber Report – Jordan Peele, Barry Jenkins


“Get Out” producer Jordan Peele has signed a deal that will give Amazon first pick of any new television series coming out of Peele’s Monkeypaw Productions company. Monkeypaw is responsible for “Get Out” and the Key & Peele comedy series. Peele gained fame as half of the comedy team of Key & Peele before winning an Oscar for Best Screenplay, the first African-American to win the award.

Peele has wasted no time and already has a list of projects lined up for production. Among them are a documentary series based on the Lorena Bobbitt incident and a series titled “The Hunt,” the story of Nazi hunters in 1970s New York.

Peele also signed a similar first-look deal with Universal Pictures last year for his movies including a Twilight Zone reboot.

In a statement Peele said, “I couldn’t be more excited about this new relationship with Amazon. They’ve been a fantastic partner to Monkey Paw over the last year because they’re committed to the same kind of fun and culturally relevant television we are.”

Peele’s next project is “BlacKkKlansman,” produced by Peele, Jason Blum of Blumhouse Productions, and Spike Lee. The film is about a black cop infiltrating the Ku Klux Klan and recently debuted at the Cannes Film Festival.


Barry Jenkins, Oscar-winning writer and director of “Moonlight,” has agreed with Amazon to produce 11 episodes of “The Underground Railroad.” The dramatic series is based on the highly touted alternate-history book of the same name. The deal is actually an extension of last year’s effort to adapt the book into a dramatic series. Amazon liked what it received and has moved forward with the series. Jenkins previously directed a single episode of “Dear White People” for Netflix.

Jennifer Salke, Amazon Studios chief, said in a statement, “It’s an absolute gift to have Barry Jenkins commit to directing all the episodes for our upcoming limited series The Underground Railroad. Barry’s eye for character and sustained exhilarating, emotional storytelling style ensures that this project is in the right hands. We can’t wait to get started and bring this significant story to our Prime Video audience.”

Amazon has not yet announced a premiere date for the series but expect it sometime in 2019 on Prime Video.


ALERT! Reboot Your Router NOW! – ALERT!

The FBI has issued an urgent warning and request to everyone who owns a home router to reboot the device to thwart a Russian cyber attack. Researchers at Talos, Cisco’s cyber intelligence unit, warned of the attack by malware named VPNFilter. According to Talos VPNFilter has infected an estimated 500,000 consumer routers in 54 countries. Routers targeted are Linksys, MikroTik, Netgear and TP-Link, and potentially others.

On Friday the FBI urged anyone with a small office or home office (SOHO) router to reboot the device to stop the malware. Rebooting is simply turning the device off and then back on again.

According to the FBI the threat is “significant.” The FBI warning stated that the malware, once it has infected the router, could stop the router from working, collect user information from any device connected to it and possibly block network traffic.

The Justice Department has reported that the malware is connected to a Russian government-backed cyber espionage group that’s been called Sofacy, APT 28 or Fancy Bear by researchers.

The problem is that the FBI can’t determine how VPNFilter is getting onto people’s systems. By rebooting the router, owners can disrupt the malware and delete parts of its code. However, the router can be reinfected.

As part of the operation to shut down the malware attack the FBI, armed with a court order, seized control of a key server in the Kremlin’s global botnet of hacked routers.

The seizure destroys VPNFilter’s ability to reactivate after a router reboots, according to Vikram Thakur, technical director at Symantec. “The payload itself is non-persistent and will not survive if the router is restarted,” said Thakur. “That payload will vanish.”

You can check the security of your router for free by visiting F-Secure.com Router Check.

See also: Oregon FBI Tech Tuesday: Building a Digital Defense Against the “VPNFILTER” Malware


Celebrity Cyber Report – What’s Up with R.Kelly and Spotify?


Spotify, the most popular music streaming service, recently stopped promoting R. Kelly’s music, along with that of rapper XXXTentacion, on its playlists as part of its new policy on hateful content and conduct. Now it seems that Spotify is admitting it may have been wrong.

According to a Spotify spokesperson the R&B balladeer’s music will remain on Spotify but the service will not actively promote it. The objective of the policy is to remove anything that “expressly and principally promotes, advocates, or incites hatred or violence against a group or individual based on characteristics, including, race, religion, gender identity, sex, ethnicity, nationality, sexual orientation, veteran status, or disability.”

According to Spotify, bad behavior by an artist can impact the decisions it makes. Jonathan Prince, Vice-President of Content and Marketplace Policy, will head a committee that will decide what behavior is considered bad enough to exclude an artist from promotion.

The committee focused on R.Kelly because of child pornography charges from 2008, multiple allegations of sexual abuse and accusations of coercion and holding women in a so-called sex “cult.” Already this year the singer has been hit with sexual abuse allegations from four additional women. While the popular singer has not been charged with a crime, media coverage of the allegations against him has not gone away. Last month the #MuteRKelly campaign began an effort to hold the singer accountable and became a part of the larger #TimesUp effort to fight sexual harassment across several industries. Kelly has blamed the accusations on the media, saying it is an attempt to “distort my character,” and has denied holding women in a “cult.”

In addition to Spotify, Pandora has also downgraded R.Kelly’s music. The streaming service said in a statement that, “Pandora’s policy is to not actively promote artists with certain demonstrable behavioral, ethical or criminal issues. We approach each of these scenarios on a case-by-case basis to ensure we address components true to Pandora’s principles while not overreaching and avoiding censorship.” Apple Music has also been pulling R. Kelly’s material from its own featured playlists.

Spotify has now begun to rethink its actions. Spotify’s CEO, Daniel Ek, said Wednesday that the music-streaming service “screwed up” and could have done a better job informing the world about its playlist ban.

Ek spoke during an onstage interview at Recode’s Code Conference in Rancho Palos Verdes, CA. “I think we rolled this out wrong and could have done a better job communicating it. The goal for this was to make sure we didn’t have hate speech on the service. It was never about punishing one individual.” Ek went on to say, “What we wanted to be was just transparent. If you are talking about being KKK and doing that kind of stuff, I think it’s pretty obvious that we don’t want you on the service.”

Spotify’s action did not go unnoticed. Backlash came not only from Pulitzer Prize-winning rapper Kendrick Lamar but reportedly sparked criticism among some of Spotify’s own employees.

R.Kelly was not the only artist affected by the new policy. Spotify also blocked the promotion of music by rapper XXXTentacion, who was charged with aggravated battery of a pregnant woman. Lamar, a vocal supporter of XXXTentacion, threatened to pull his music from Spotify in response to the policy.

Critics say that Spotify’s new policy is nearly impossible to enforce fairly. The conduct policy has proved especially onerous to artists and executives in hip-hop, the best-selling genre in the U.S. music industry. Executives are questioning why the two acts singled out are black, while plenty of white men with histories of violence were not equally punished.

Spotify has been pushed by various groups to remove other artists from its playlists over accusations of abuse. The list includes popular rock group the Red Hot Chili Peppers, Chris Brown and Eminem.

Breaking It Down

I, for one, applaud the action by Spotify. We have to ask ourselves a question as a society; what are our children learning and from whom? We need to hold these people, popular artists and athletes, accountable for their behavior. We cannot on one hand applaud their music or athletic prowess and then allow them to behave in ways that give people the idea they are above the law or norms of acceptable behavior. Your child will see this behavior and eventually mimic it. We already see it every day. We need to send the message that if you act like an asshole then we will treat you like one. If we can cancel “Roseanne” we should be able to block the works of rappers and artists who are charged with crimes. Yeah, I know, innocent until proven guilty. Right. But the bottom line is these people need to know our children are watching and following their style and actions. And if the artist or athlete is using drugs or beating up women what are children likely to think? We need to stop playing this game where we entertain the right to free expression as a license to make money and act like a jerk. No. Spotify and other streaming services and record labels should warn these artists that their behavior must meet certain standards or they can go back to peddling their CDs on street corners. This isn’t censorship by any means. Spotify did not ban R.Kelly or XXXTentacion. They just stopped promoting their work. It’s nothing new. Professional sports franchises suspend or cut players all the time for bad behavior off the field. Ask Ray Rice! Why can’t we do the same for the stage?

Breach Brief – Chili’s

Popular restaurant chain Chili’s has issued a statement reporting a data breach of its payments system. According to the statement Chili’s became aware of the breach on May 11th of this year and admitted that some customers’ payment information was compromised. The data breach is believed to impact patrons who ate at the chain between March and April of 2018. Chili’s is owned by Dallas-based Brinker International, Inc.

The breach is believed to have been carried out by malware inserted into payment systems that gathered payment information including credit and debit card numbers as well as cardholder names. The company has not specified which of its 1,600 locations were affected by the data breach or how many customers are impacted.

Officials of the restaurant chain have contacted both law enforcement and third-party forensic experts as part of the investigation. Chili’s reports it is trying to provide fraud resolution and credit monitoring services for affected customers and will share more information as it becomes available. The company will notify customers affected by the breach and plans to offer free identity theft protection services through ID Expert’s MyIDCare. The company is advising customers to be vigilant for possible fraudulent charges on their credit or debit cards and for indications of identity theft.

Brinker International also owns Italian eatery Maggiano’s which is unaffected by the breach.

Tidal Suspected of Falsifying Streaming Numbers

It seems Tidal music streaming service continues to have problems. The company has been called out for suspect financials and false claims about the number of subscribers, among other issues. Now it seems that Tidal may be falsifying the number of downloads for two of its biggest stars.

According to the Swedish newspaper Dagens Næringsliv (DN), Tidal has misrepresented the number of plays Beyoncé’s Lemonade and Kanye West’s The Life of Pablo received by “several hundred million” false plays. More plays means more money for the two artists, one of whom is married to Tidal’s owner Jay-Z.

DN reported receiving a hard drive filled with play data from Tidal that included play times, song titles, user IDs and country codes. DN asked the Norwegian University of Science and Technology for a data analysis. In the published executive summary, the school claims “there had in fact been a manipulation of the data at particular times due to the large presence of similar duplicate records occurring for a large percentage of the user base that was active at any given time.”

Three Tidal subscribers were contacted by DN about data that said they played the albums. The records showed that one subscriber played The Life of Pablo 96 times in a single day; 54 of those plays occurred in the middle of the night. According to the subscriber that would’ve been “physically impossible.”

Another Tidal subscriber was shown to have streamed Beyoncé’s 46-minute album 180 times in 24 hours. That claim was also denied. Just doing the math reveals that would add up to 8,280 minutes. There are only 1,440 minutes in 24 hours.

Tidal has challenged the validity of the data on the hard drive. But according to DN, the data matches exactly with information Tidal sent to record labels.

According to the university, given the nature of the manipulation, it’s not likely this was an outside attack or a bug in the software code but rather internal meddling. Tidal is accused of accessing subscriber accounts to play tracks of The Life of Pablo over 150 million times. According to the report the plays occurred at exactly the same times: 2am and 5am. Beyoncé’s Lemonade was also streamed at the same second and millisecond.
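As an added illustration (this is not DN’s or the university’s analysis), the checks below run over a small constructed play log in the shape DN describes and flag the three signals the report relies on: more listening time in a day than the day holds, many distinct users starting a track at the identical second, and exact duplicate records. The record fields, album lengths, user IDs and thresholds are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MINUTES_PER_DAY = 24 * 60  # 1,440: no real listener can exceed this in one day


def build_sample_records():
    """Constructed play log (assumed fields: ts, album, minutes, user, cc)."""
    recs = []
    # u1: 180 plays of a 46-minute album logged inside one calendar day
    start = datetime(2016, 4, 25, 0, 0, 0)
    for i in range(180):
        recs.append({"ts": start + timedelta(minutes=8 * i), "album": "Lemonade",
                     "minutes": 46, "user": "u1", "cc": "US"})
    # u2: a plausible listener with three plays spread through the day
    for hour in (7, 12, 20):
        recs.append({"ts": datetime(2016, 4, 25, hour), "album": "Lemonade",
                     "minutes": 46, "user": "u2", "cc": "NO"})
    # 50 distinct users all starting the same album at exactly 02:00:00 and 05:00:00
    for n in range(50):
        for hour in (2, 5):
            recs.append({"ts": datetime(2016, 4, 26, hour, 0, 0),
                         "album": "The Life of Pablo", "minutes": 66,
                         "user": f"bot{n}", "cc": "US"})
    # u3: one play written to the log twice (exact duplicate record)
    dup = {"ts": datetime(2016, 4, 26, 9, 30), "album": "Lemonade",
           "minutes": 46, "user": "u3", "cc": "SE"}
    recs += [dict(dup), dict(dup)]
    return recs


def impossible_listeners(records, cap=MINUTES_PER_DAY):
    """Users whose summed album length on one calendar day exceeds that day's minutes."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["ts"].date())] += r["minutes"]
    return {key: mins for key, mins in totals.items() if mins > cap}


def synchronized_plays(records, min_users=10):
    """Timestamps (to the second) at which at least min_users distinct users began a play."""
    users_at = defaultdict(set)
    for r in records:
        users_at[r["ts"]].add(r["user"])
    return {ts: len(users) for ts, users in users_at.items() if len(users) >= min_users}


def duplicate_records(records):
    """(user, timestamp, album) triples that occur more than once in the log."""
    counts = Counter((r["user"], r["ts"], r["album"]) for r in records)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    log = build_sample_records()
    for (user, day), mins in impossible_listeners(log).items():
        print(f"{user} on {day}: {mins} minutes of plays in a {MINUTES_PER_DAY}-minute day")
    for ts, n in synchronized_plays(log).items():
        print(f"{n} users started a play at exactly {ts}")
    for (user, ts, album), n in duplicate_records(log).items():
        print(f"{user} {album} at {ts} logged {n} times")
```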

The result of this alleged manipulation comes down to money. Payouts to Sony added up to $4 million between April and May 2016. Lemonade, released in April of 2016, accounted for $2.5 million of that. Tidal reportedly paid Universal nearly $3 million between February and March 2016. The Life of Pablo accounted for $2.4 million. But, again, more play equals more money for the artists.

In response Tidal denies any wrongdoing. A Tidal spokesperson said DN’s article was a “smear campaign,” adding that, “We expect nothing less from them than this ridiculous story, lies and falsehoods. The information was stolen and manipulated and we will fight these claims vigorously.”