(Not) Safe Digest: COVID Patient Leaks and Intruder at Zoom Ministerial Meeting

Hello! Continuing the tradition, we collected “classic” and non-trivial information security incidents, which were reported by foreign and Russian media in November.

And by the way, all those involved – Happy International Day for Information Protection!

They have

Aeromining

What happened: Airport staff in the Italian city of Lamezia Terme discovered anomalies in the work of IT systems and turned to the transport police. During the investigation, the police found an Ethereum mining farm in the technical premises, connected to the airport’s electrical grid.

Who is guilty: The miner was a 41-year-old technician from the contractor Sacal, which operates airports in the province of Calabria. The man was responsible for the operation of the computer infrastructure of the air hub. He installed malware and used Sacal’s IT power to mine cryptocurrency. CCTV cameras helped to track the attacker. The media do not write about the punishment, but we assume that at least the man lost his job at Sacal.

Coupon Millionaire

What happened: $ 10 million worth of gift certificates are missing from Microsoft’s online store.

Who is guilty: Thief ended up company engineer Volodymyr Kvashuk (citizen of Ukraine), and his “dark deeds” remained unnoticed for seven months. To hide traces, he connected to the platform through the accounts of colleagues and used “services for mixing bitcoins” (they allow you to “mix” digital currency from different sources in one large storage and thereby ensure the privacy of its owners). With the proceeds, the engineer bought a house on the lake and a Tesla car. He transferred another $ 2.8 million to his bank accounts. And in order not to get caught by the tax, he indicated in the declaration that the bitcoins were presented to him by a relative.

The fraud was nevertheless revealed, although the investigation, according to law enforcement officers, was not easy and required special knowledge of cybersecurity from the police. As a result, Kvashuk was fired, the court sentenced him to nine years in prison for 18 crimes. He must pay the company $ 8.3 million. And after being imprisoned, he can be deported to Ukraine.

“Cultural exchange

What happened: California Santa Clara County Sheriff’s Office caught in the trade in weapons permits. The person involved in the case was the head of Apple’s security service.

Who is guilty: The Santa Clara District Attorney’s Office has charged Apple security chief Thomas Moyer and two sheriff’s deputies with bribery. According to the investigation, the top manager of the company agreed with the sheriff’s office to “exchange” four licenses for concealed carrying of weapons for 200 new Apple iPads worth $ 70,000.

Moyer’s lawyer said the defendant was going to transfer the tablets to the sheriff’s office as part of a joint training project. And this fact is not related to Moyer’s application for a permit to carry weapons. The case is just beginning, but it is clear that 14 years of work at Apple is unlikely to save an employee from firing. And the case eloquently proves that the control of top managers is an urgent information security problem, and not excessive suspicion.

“I just have to ask!”

What happened: Dutch journalist Daniel Verlaan connected to a closed Zoom meeting of EU defense ministers, which noticeably embarrassed officials.

Who is guilty: Verlaan learned about the meeting from Twitter, where Dutch Defense Minister Anka Bijlevelda posted a series of photographs of her working from home during a conference. The photo showed her laptop screen with a PIN code to access the call. This allowed the journalist to join the conversation. After a short dialogue with the shocked ministers, he passed out with the words: “I apologize for interrupting your conference, I am leaving.”

It is not yet clear whether Verlaan will be punished for breaking the closed meeting. Dutch Prime Minister Mark Rutte has publicly spoken out about the incident, pointing out the blunder of Bijlevelda and the security service, which is supposed to stop such cases.

Online meetings have become a practice not only for politicians, but also for telecommuting employees since the first wave of coronavirus. It would seem that a secret meeting of this format has no place in Zoom, which has been repeatedly accused of vulnerabilities. But, as we see, rakes are generously scattered there and around him.

Failed test

What happened: In open access found themselves personal data from 16 million Brazilians with COVID-19, including information about President Jair Bolsonaro, seven ministers and 17 state governors.

Who is guilty: The leak was made by an employee of the hospital. Albert Einstein, who posted a table on GitHub with usernames, passwords and access keys to the systems of the Brazilian Ministry of Health. It also contained names, addresses, medical history, and medication regimens. As the man said, he uploaded the data for testing, and then forgot to delete it. After the incident, officials changed passwords and access keys to the systems of the Ministry of Health. And what will happen to the would-be tester is still unknown.

We have

No smoke – there is a leak

What happened: Share hit 1 GB archive containing 652 internal documents of the manufacturer of tobacco heating systems IQOS. They contain customer data, presentation templates and communication scripts for salespeople.

Who is guilty: Most of the files have one author. According to information security researchers, the documents leaked from the work computer of one of the IQOS employees or were stolen from the corporate file server. In any case, the name of the owner of the documents can serve as a key to locating the source of the leak.

Mystery shopper

What happened: Intruder hacked nine online store accounts and placed orders for goods at the expense of their owners. The case was ruined by vigilant security.

Who is guilty: The thief was a resident of Yekaterinburg. He bought logins and passwords from the accounts on the Internet. The man changed the registration data in his personal accounts and made several purchases, paying with someone else’s electronic money. Thanks to the information security service, out of nine attempts to place an order, only one was successful for the “buyer”. In eight cases, the security service blocked the order – it was alarmed that the “owner” of the account was arranging delivery to another region not related to the place of registration.

As a result, the Kirovsky District Court of Yekaterinburg sentenced the thief to a fine of 200 thousand rubles.

Related gesture

What happened: In Bashkiria from the microcredit company LLC MKK “Kreditka” flowed away personal data of 44 borrowers.

Who is guilty: The leak was discovered by prosecutors during a scheduled inspection of the organization. It turned out that the employee of “Credit” sent customer profiles by email at the request of a relative. The woman was not embarrassed that this information is a trade secret by law. A criminal case was initiated.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *