
Sensitive Data Leaks from Sex Toy, Marketing Database and Security Clearance Applications


In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Smart Vibrator Maker to Pay Customers For Privacy, Security Concerns

Personally identifiable information exposed in data breaches usually refers to names, emails, credit card numbers or maybe Social Security numbers. By that bar, collecting information about the frequency of vibrator use would be extremely personal.

As part of a class action lawsuit, Standard Innovation, maker of the We-Vibe smart vibrator and its smartphone app, agreed to pay about $3.75 million to people who purchased the device and used the app, reported The Telegraph.

The We-Vibe vibrators are billed as “couples vibrators” that use a Bluetooth connection and a smartphone app to control the device. But last fall at DEF CON, a pair of hackers demonstrated that a third party could remotely seize the connection and turn the device on and off at will, and discovered that the device sent temperature and intensity information back to the manufacturer, according to the Guardian.

In the settlement, Standard Innovation denied wrongdoing and claimed its data collection complied with the law. The company also agreed to destroy any data collected through its app, according to The News & Observer.

DOD, USPS Employee Records Exposed in Marketing Database Leak

A marketing database of millions of U.S. corporate employees includes the records of Defense Department, U.S. Postal Service and other federal government and military personnel.

Business services company Dun & Bradstreet confirmed to ZDNet it owned the database, which it said it sold to “thousands” of other firms for marketing purposes, but the exposure wasn’t from its systems.

The 52.2GB file included 33.7 million email addresses, as well as some names, job titles, phone numbers and other contact information for people at U.S.-based corporations. It also included data about the companies, such as number of employees and location.

The personally identifiable information of more than 100,000 DOD employees and more than 88,000 U.S. Postal Service employees, as well as U.S. Army, Air Force and Veterans Affairs Department personnel, was included.

“When you look at that list and ask ‘How would the US military feel about this data - complete with PII and job title - being circulated,’ you can't help but feel it poses some serious risks,” wrote Troy Hunt, a researcher behind the Have I Been Pwned breach database, who analyzed the data.

Such detailed information about companies can help bad actors create very targeted spear-phishing campaigns.

Sensitive U.S. Military Personnel Data Exposed

A backup drive used by a U.S. Air Force lieutenant exposed sensitive information about thousands of U.S. military personnel, including a spreadsheet of open investigations and applications for renewing national security clearances.

Mackeeper security researchers found gigabytes of files online not protected by a password, according to ZDNet. They found Social Security numbers, names, ranks and addresses for 4,000 officers, as well as lists of officers and their security clearance level.

The files also contained the kind of information that could subject people to blackmail. For example, the files include detailed descriptions of investigations of discrimination, sexual harassment and bribery, such as a major general being accused of accepting $50,000 a year from a sports commission, according to a Mackeeper blog post on the discovery.

The stash also included two completed Standard Form 86s belonging to two four-star generals, ZDNet said. Those forms require extremely personal details: entire work histories, lists of family and friends, financial records, and disclosures about mental health and drug and alcohol use, the same type of information stolen about 21.5 million federal employees in the Office of Personnel Management breach discovered in April 2015.

Log-in information for the Defense Department’s Joint Personnel Adjudication System, a database of security clearances that uses the NIPRNET unclassified network, also appears in the files.

The drive, which appears to have belonged to a lieutenant, was taken offline after its owner was notified by the security team, though it’s unclear how long it was available or whether others accessed it.
