Sensitive Data Leaks from Sex Toy, Marketing Database and Security Clearance Applications

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Smart Vibrator Maker to Pay Customers For Privacy, Security Concerns

Personally identifiable information exposed in data breaches usually refers to names, emails, credit card numbers or maybe Social Security numbers. By that bar, collecting information about the frequency of vibrator use would be extremely personal.

As part of a class action lawsuit, Standard Innovation, maker of the We-Vibe smart vibrator and its smartphone app, agreed to pay about $3.75 million to people who purchased the device and used the app, reported The Telegraph.

The We-Vibe vibrators are billed as “couples vibrators” that use a Bluetooth connection and a smartphone app to control the device. But last fall at DEF CON, a pair of hackers demonstrated that some other person could remotely seize the connection and turn it on and off at will, and discovered the device sent temperature and intensity information back to the manufacturer, according to the Guardian.

In the settlement, Standard Innovation denied wrongdoing and claimed its data collection complied with the law. The company also agreed to destroy any data collected through its app, according to The News & Observer.

DOD, USPS Employee Records Exposed in Marketing Database Leak

A marketing database of millions of U.S. corporate employees includes the records of Defense Department, U.S. Postal Service and other federal government and military personnel.

Business services company Dun & Bradstreet confirmed to ZDNet it owned the database, which it said it sold to “thousands” of other firms for marketing purposes, but the exposure wasn’t from its systems.

The 52.2GB file included 33.7 million email addresses, as will as some names, job titles, phone numbers and other contact information for people at U.S.-based corporations. It also included data about the companies, like number of employees and location.

The personally identifiable information for more than 100,000 DOD employees and more than 88,000 U.S. Postal Service employees, as well as U.S. Army, Air Force and Veterans Affairs Department personnel, were included.

“When you look at that list and ask ‘How would the US military feel about this data - complete with PII and job title - being circulated,’ you can't help but feel it poses some serious risks,” wrote Troy Hunt, a researcher behind the Have I Been Pwned breach database, who analyzed the data.

Such detailed information about companies can help bad actors create very targeted spear-phishing campaigns.

Sensitive U.S. Military Personnel Data Exposed

A backup drive used by a U.S. Air Force lieutenant exposed sensitive information about thousands of U.S. military personnel, including a spreadsheet of open investigations and applications for renewing national security clearances.

Mackeeper security researchers found gigabytes of files online not protected by a password, according to ZDNet. They found Social Security numbers, names, ranks and addresses for 4,000 officers, as well as lists of officers and their security clearance level.

The files also contained the kind of information that could subject people to blackmail. For example, the files include detailed descriptions of investigations of discrimination, sexual harassment and bribery, such as a major general being accused of accepting $50,000 a year from a sports commission, according to a Mackeeper blog post on the discovery.

The stash also included two completed Standard Form 86 for two four-star generals, ZDNet said. Those forms require extremely personal details: entire work histories, lists of family and friends, financial records, and disclosures about mental health and drug and alcohol use—and the type of information stolen about 21.5 million federal employees in the Office of Personnel Management breach discovered in April 2015.

Log-in information for the Defense Department’s Joint Personnel Adjudication System, a database of security clearances that uses the NIPRNET unclassified network, also appears in the files.

The drive, which appears to have belonged to a lieutenant, was taken offline after being notified by the security team, though it’s unclear how long it was available or whether others accessed it.