Home Security Vendor Sued After Technician Spied on Customers in ‘Intimate Moments’

Users of ADT home security systems have filed a class action against the vendor after discovering that a technician used his own credentials to set up the hardware and then spied on them.

ADT Pulse is a complete home security package including smart locks, an alarm system and surveillance cams, all controllable from a handy smartphone app.

“Our highly trained, certified technicians will professionally install your ADT security system,” according to the official ADT website. “Once installed, your technician will test your system to be sure it is working properly, and show you how it works for easy use from day one.”

What the website doesn’t say is that rogue employees might set up the system in such a way that they can later access customers’ homes, or spy on them “in their most private and intimate moments,” according to the lawsuit filed by Alexia Preddy and Shana Doty, both of Texas, named as lead plaintiffs in the suits.

Which is exactly what happened, according to the filings.

Preddy was a teenager when the Dallas-area technician who had installed their indoor security camera granted himself remote access by adding his personal email address to her account, Preddy claims. The employee then used that access nearly 100 times to spy on her and other household members, the Sun Sentinel reports.

A news release from the Dallas-based Fears Nachawati Law Firm says that ADT “failed to provide rudimentary safeguards” to prevent employees from gaining remote access to the customers’ cameras over a seven-year period.

ADT reportedly failed to fix vulnerabilities in its smartphone and smart-watch apps, “leaving not only the lone Dallas technician but potentially countless other ADT employees with the ability to secretly open locks at homes and view security camera footage,” the suit states.

“The mental and emotional impact this revelation has had on every person receiving these calls from ADT is immeasurable,” it adds. “Moments once believed to be private and inside the sanctity of the home are now voyeuristic entertainment for a third party. And worse, those moments could have been captured, shared with others, or even posted to the internet.”

ADT allegedly notified customers of the breaches, then tried to buy their silence, according to the court papers.

This is not the vendor’s first run-in with such accusations. In 2028, the company reportedly agreed to pay multi-million dollar settlements in Illinois, Arizona, Florida and California over vulnerabilities that allowed hackers to access home security systems.

Military Active-Duty Personnel Are 76% More Likely to Report Identity Theft, FTC Reports

A five-year analysis of data gathered by IdentityTheft.gov reveals that “active duty service members are 76% more likely than other adults to report that an identity thief misused an existing account,” and “nearly three times as likely” to report the fraudulent use of a debit card to steal funds from their bank account.

The findings, based on identity theft reports filed between 2015 and 2019, also suggest that service members experience more identity theft-related crimes than non-military consumers.

The FTC report delves deeper, concluding that military personnel are 22% more prone to falling victim to new account fraud than the general population. Additionally, one-fifth of active troops state they “have already experienced two or more types of identity theft.”

Why? Identity theft crimes are not always easy to spot, and overseas troops lack the time or means to act on the early warning signs. Most of the time, bills and credit card charges are sent to old addresses.

Regrettably, almost 14% indicate that a close relative or acquaintance is responsible for stealing their identity, compared to 7% of non-military adults.

“Reports suggest that this often happens when people have access to important documents or financial records left behind during military assignments,” the FTC said.

There is some good news, however. Many active duty troops report they have taken some precautions. 50% say they review their credit reports and 40% note that they have placed a fraud alert after reporting identity theft.

What does the FTC recommend? Recovering from an identity-theft related crime is no stroll in the park. In a worst-case scenario, it can take years for a victim to patch up their identity and recover financially. Service members are recommended to follow good cyber hygiene practices and regularly check their finances. Additional protective measures are advised:

• Immediately report stolen or lost credit cards
• Check your bank account for unauthorized transactions
• Temporarily lock or freeze your card for online transactions
• Don’t share your PIN or passwords and do not provide personal information via email or phone
• Enable an active duty alert on your credit reports if you are deploying on an overseas mission

Bank of America Notifies SBA Loan Applicants of Potential Data Leak

This week, Bank of America revealed that personal data of some of its customers may have been exposed when it uploaded their Paycheck Protection Program (PPP) loan applications to a testing platform.

According to a notification letter filed with the California Attorney General’s Office, “on April 22, the Bank uploaded some clients’ loan application information to the SBA’s test application platform, which authorized lenders and their vendors also use to test their loan submission processes”.

During the upload, the organization discovered that the information included in the PPP loan applications may have been visible, “for a limited period of time,” to other “lenders and their vendors authorized by SBA to participate in the program.”

Among the information that may have been viewed, bank officials listed the following:

• Business owner name, address, Social Security number and citizenship
• Business address, contact information and tax identification number (TIN)

Bank of America did not disclose the number of impacted clients. However, it did say that “more than 305,000 Paycheck Protection Program (PPP) loan applications with the SBA” have been processed, “providing more than $25 billion in financial relief for small businesses in need.”

“There is no indication that your information was viewed or misused by these lenders or their vendors,” the bank added. “And your information was not visible to other business clients applying for loans, or to the public, at any time.”

What safety measures has the bank implemented? Besides conducting an internal investigation to minimize any financial impact for applicants, Bank of America “has arranged for a complimentary two-year membership for an identity theft protection service.”

What can affected business owners do? The bank recommends that applicants review their credit reports and account statements over the next 24 months, and notify bank officials of any suspicious or unauthorized transactions related to Bank of America accounts.

Additional precautionary measures are also advised:

• Don’t provide personally identifiable information over the phone or online unless you have first verified the identity of the individual
• Shred any pre-approved credit offers to which you do not respond
• Regularly change existing passwords and PINs for your accounts
• Immediately report stolen or lost credit or debit cards

Hackers Stole 220GB of Data in Toll Group Ransomware Attack

Following the revelation that the Toll Group, an Australian transportation company with a global reach, was compromised with ransomware a second time in less than six months, new information has come to light. Hackers stole massive amounts of data, in addition to locking systems with ransomware.

The initial attack took place on Jan. 31, and the company needed a few months to restore operations fully. News of the second attack came May 12, and the Toll Group confirmed it had fallen victim to a ransomware known as Nefilim.

As with the initial attack, the company refused to deal with the hackers or pay any kind of ransom, following recommendations of law enforcement and cybersecurity specialists. But the second attack was different, because it looks like the attackers spent a good deal of time in the infrastructure, exfiltrating data.

“Following our announcement last week that a ransomware attacker had stolen data contained on at least one Toll corporate server, our ongoing investigation has established that the attacker has now published to the dark web some of the information that was stolen from that server,” said the company on its blog.

“As a result, we are now focused on assessing and verifying the specific nature of the stolen data that has been published. As this assessment progresses, we will notify any impacted parties as a matter of priority and offer appropriate support.”

According to a report on Data Breach Today, some of the stolen data was published on the dark web, showing that the attackers are serious about their intentions. A total of 220GB was stolen, including financial reports, invoices, and much more.

For now, it’s unclear how the Toll Group will choose to continue, but it seems like it’s a bigger problem than the January attack, and there is no clear end in sight.

Facebook Fined $9 Million in Canada Over ‘False’ Privacy Claims

After incurring billions of dollars in fines from international regulators over the Cambridge Analytica scandal, Facebook faces yet another penalty – albeit a much smaller one – over ‘false’ data privacy claims.

Canada’s Competition Bureau says Facebook mishandled user information by giving the impression that users could control who could see and access their personal information when using privacy features. The penalty? CAD 9 million (USD 6.5 million / EUR 5.9 million).

“Facebook did not limit the sharing of users’ personal information with some third-party developers in a way that was consistent with the company’s privacy claims,” the Bureau said.

Facebook also allegedly let third parties, including advertisers and developers, access personal information of users’ friends by connecting to other apps via the social network. Despite allegedly scrapping this practice years ago, the Bureau says it found evidence that it continued into 2018 with some companies doing business with Facebook.

“This personal information included content users posted on Facebook, messages users exchanged on Messenger, and other information about identifiable users,” according to the press release issued by the Competition Bureau this week.

In response to these allegations, Facebook said it “did not agree” with the findings of the investigation, but wanted to enter a consent agreement so the matter could be resolved quickly.

“Although we do not agree with the Commissioner’s conclusions, we are resolving this matter by entering into a consent agreement and not contesting the conclusions for the purposes of this agreement,” a Facebook spokesperson told Reuters.

The Bureau nonetheless said it acknowledged the social network’s “voluntary cooperation” in resolving this conundrum.

Home Chef Confirms Data Breach Incident Affecting 8 Million Customers

Meal kit services have been in high demand during the lockdown phase of Covid-19. Earlier in the week, Home Chef confirmed a security incident that exposed the personal information of a reported 8 million customers.

The impacted data includes email addresses, names, phone numbers, encrypted passwords and the last four digits of credit card numbers used to place orders online.

While the company confirmed that it does “not store complete credit or debit card information,” it said that “other account information such as frequency of deliveries and mailing address may also have been compromised.”

To make matters worse, the announcement follows a previous report related to a malicious group called Shiny Hunters that was already selling user databases from 11 companies (including Home Chef) on the dark web for between $1,500 and $2,500.

How is the company addressing the data breach?

On their FAQ page, Home Chef states that, “as soon as we learned of this incident, we took prompt and aggressive steps to investigate and communicate with the Home Chef community,” and is emailing impacted customers. “We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”

What should impacted customers do?

While the leaked account passwords are encrypted, all users are advised to change their login credentials by following the steps below:

• Visit www.homechef.com
• Click on “Log in”
• Access account information and select the “Change Your Password” function

All customers are advised to remain vigilant and monitor their inboxes for unsolicited emails and phishing attacks. Negative effects of a data leak can haunt victims for years. If you use the same login credentials for other online platforms, change passwords on all of them.

Be wary of any suspicious phone calls, and don’t provide personal information such as Social Security numbers, bank account or credit card information to any individuals claiming to be from the company.

“Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website,” the company said.

U.S. Treasury’s FinCEN Warns of Medical Scams Exploiting COVID-19

The US Financial Crimes Enforcement Network (FinCEN) is warning companies and financial institutions of a sudden rise in medical scams related to the COVID-19 pandemic, in the first of a series of alerts regarding this issue.

The U.S. Treasury and FinCEN are acting on information from a few sources, including public reports, Bank Secrecy Act data, and law enforcement partners. Depending on the affected industry, the type of scam differs in scope and methods.

The biggest problem right now comes from scams that tout non-existent COVID-19-related cures, tests, vaccines, and associated services to the public.

“Examples of fraudulent medical services include claims related to purported vaccines or cures for COVID-19, claims related to products that purportedly disinfect homes or buildings, and the distribution of fraudulent or unauthorized at-home COVID-19 tests,” states the advisory. “Some of these scams may be perpetrated by illicit actors who recently formed unregistered or unlicensed medical supply companies.”

Another issue is directly related to disruptions in the demand and shipping of certain goods, with criminals looking to defraud consumers and companies by not delivering the ordered merchandise. Affected products include test kits, masks, drugs and other goods.

Finally, FinCEN and the Department of Justice (DOJ) have received numerous reports of people and companies either hoarding products or price gouging. Both of these practices are illegal under the Defense Production Act.

FinCEN is asking all financial institutions to use the details in the advisory and to indicate any connection between suspicious activity and the schemes it describes. The advisory also provides information on reporting COVID-19-related crimes and reminds financial institutions of certain BSA obligations.

Covve Contacts App Data Breach Exposes 23 Million Email Addresses and Other Private Details

An open Elasticsearch database belonging to a company named Covve leaked online, impacting around 23 million email addresses and other personal details.

Troy Hunt, the researcher behind the Have I Been Pwned portal, wrote a while back about a data breach he dubbed “db8151dd” after one of the unique global identifiers used inside the database. It’s a 90GB trove with millions of entries of personal information. The weirdest part was that nobody knew where it came from.

Now, the source of that data breach has been identified as Covve, which has a popular contacts app with CRM features, business cards, and more. Covve recently acknowledged a security incident.

“Data belonging to approximately 90,000 users was compromised by a 3rd party who gained unauthorized access to a legacy system before it was decommissioned in early January,” said Covve on their blog. “This system related to the now-retired Covve web app. It appears at this stage that contact data such as name and contact details were accessed, that the data cannot be directly associated with specific users, and no user passwords were compromised.”

The biggest problem with this data breach is that it affects people who had nothing to do with the app. For example, if someone had your phone number and email address and used the Covve app, your data was leaked just the same.

And since the Covve app scraped the Internet for details on contacts people added into the app, the size of the breach becomes all the more evident. Unfortunately, users can’t do a whole lot about this problem, especially since the breach affects mostly people who have nothing to do with the app.

Scammers Leverage Contact Tracing Measures, FTC Warns

The US Federal Trade Commission (FTC) issued a warning Tuesday regarding the way scammers could take advantage of contact tracing to steal personal information.

A key strategy for preventing further spread of COVID-19, contact tracing allows local and state health departments to identify people who have been in contact with infected people, while also monitoring and promoting proper care routines.

An official contact tracer will also work closely with a confirmed patient to get the names and phone numbers of any individuals who may have come in close contact with him.

In some cases, individuals who did come in contact with someone who has tested positive for COVID-19 might first receive a text message from the health department notifying them that they will be contacted by a specific phone number for further instructions.

As scammers usually do their homework and are aware of the latest developments in the pandemic, fraudsters are now posing as contact tracers, sending out phony text messages that ask recipients to click on embedded links. The FTC warns that clicking the link simply hands the scammers access to your personal and financial information. The best course of action is to ignore and delete any of these messages.

It’s also important to remember that the official who phones in will not ask for personal information, such as your Social Security number, credit card numbers, bank account and payments. Anyone who does is a scammer.

The FTC also recommends filtering unwanted text messages from unknown senders or spam, or checking with your wireless provider for tools or services that may allow you to do it.

You can also take additional precautionary measures, including:

• Enabling multi-factor or two-factor authentication for your online accounts
• Keeping your operating systems and devices up-to-date
• Backing up your data in case of any malware or ransomware attacks

Brazil’s Natura & Co Cosmetics Accidentally Exposes Personal Details of 192 Million Customers

Nobody gets a free pass when it comes to data breaches. Natura, one of Brazil’s largest cosmetics companies, accidentally exposed the personal identifiable information (PII) of nearly 192 million customers.

The leaky database, discovered last month by Safety Detectives led by cybersecurity researcher Anurag Seg, was hosted on two unprotected US-based Amazon servers, and contained between 272GB and 1.3TB of data belonging to the company.

In yesterday’s report, the researchers noted that more than “250,000 customers that had previously ordered beauty products from the website had their personal information made available to the public without Natura’s knowledge.”

To make matters worse, payment information of 40,000 shoppers “related to a third-party company, Wirecard, was also publicly available for over 2 weeks.”

Upon discovery, the team immediately notified the company, which managed to secure its servers and remove any private data from public view. However, the researchers published their findings in the report, revealing the extent of the data leak:

• Full name, mother’s maiden name and date of birth
• Nationality, gender and telephone numbers
• Natura.com.br login credentials including hashed passwords
• Welcome email template
• Username and nickname
• MOIP account details
• API credentials including unencrypted passwords
• Previous purchases
• Email and physical addresses
• Access token for wirecard.com.br

The exposed login credentials (usernames and hashed passwords) could allow hackers “to find the correct password for each user by brute forcing the hash and obtaining full access to customers’ accounts,” the analysts said.

Attackers could also inflict financial damage on shoppers by exploiting the leaked physical addresses, phone numbers, and other PII. In one scenario, researchers said a bad actor could use the “mother’s maiden names to answer security questions and potentially access email accounts and cloud services that could in turn be used maliciously to gain deeper access to someone’s private information.”

The researchers added that “the risk of phishing and phone scams is also raised by the Natura data leak,” and that the leaked welcome email templates could aid phishing scams by leaving victims “under the false impression the email originated from Natura.”

As a reminder, a recent analysis of consumer behavior revealed a worrying trend: 42% of consumers believe the information available in their online account is not “valuable enough to be worth a hacker’s time.” Cyber-crooks profit from the common notion that no cyber-criminal would be after personal information stored on a cosmetics company website or other source.

Last year, cosmetic giants Yves-Rocher and Sephora also made headlines with data breaches that exposed the personal details of millions of their customers. In Sephora’s case, the stolen data was posted for sale on the dark web.
