The U.S. government data breach announced last week began a year ago, giving the perpetrators plenty of time to access federal employees’ personal information, according to the NSA. Also in recent GRC news: A new bill would give Europeans the same data protection rights as American citizens, and a flaw in popular mobile apps could leave billions of data records vulnerable.
NSA: U.S. security clearance data hack began a year ago
The recently discovered breach into the security clearance computer system of the Office of Personnel Management (OPM) began a year ago, according to new information disclosed by the National Security Agency (NSA).
The substantial amount of time between the start of the breach in the summer of 2014 and its discovery earlier this month gave the hackers the opportunity to carry out a far-reaching cyberattack, NSA general counsel Stewart Baker told The Washington Post.
The OPM’s security clearance network contains personal and financial information on millions of current, former and prospective federal employees.
The White House has not publicly disclosed who it suspects executed the breach, but unidentified U.S. officials speculate the perpetrators were hackers sponsored by the Chinese government, according to the Post. Senior U.S. officials say that in the past 12 to 18 months, the Chinese government has started building large databases containing Americans’ information for counterintelligence purposes.
Bill extends U.S. data protection rights to Europeans
A bipartisan bill introduced last week in the U.S. Senate will, if passed, extend to Europeans the same rights American citizens have under the Privacy Act of 1974. The Senate bill would allow Europeans to take legal action against U.S. agencies that misuse their private data. Some members of the European Parliament said that the legislation will not only restore the trust of both American and European citizens in the wake of Edward Snowden’s revelations, but also kick off future data-sharing deals between the E.U. and U.S. governments, according to Politico.
One detail that needs to be cleared up before the bill is put to a vote is whether everyone in the EU — and not just citizens — would be covered under the new law.
Mobile app flaw could leave billions of records vulnerable
German security researchers have discovered a flaw in the way thousands of popular mobile apps store information online, leaving about 56 million pieces of unprotected data vulnerable to attackers. The exposed information includes passwords, addresses and location data. Researchers declined to name the vulnerable applications, but said they include popular ones available from the Apple and Google app stores.
The issue lies in the way most mobile app developers authenticate users when storing their data online. Most app developers use a default option that allows hackers easy access to the app — and a user’s private data, the security researchers reported.
“In almost every category we found an app which has this vulnerability in it,” Siegfried Rasthofer, one of the researchers, told Reuters. Those categories include messaging, gaming, social networking and bank transfer apps. The researchers predicted that the number of records affected will likely be in the billions.
Feds probe Cardinals for hacking into private Astros network
The FBI and the U.S. Department of Justice are investigating officials from the St. Louis Cardinals for hacking into the private computer system of the Houston Astros to steal information on Astros players. Data stored in the Astros’ internal network included trade discussions, player evaluations and scouting methods.
Law enforcement officials believe a Cardinals staffer accessed the Astros database by trying out passwords that Jeff Luhnow — a former Cardinals executive who is now an Astros general manager — used during his stint in St. Louis. Federal officials are uncertain who committed the act.
Experts say that while cyberespionage is common among U.S. companies, this is the first known occurrence in the professional sports world. It could also result not only in disciplinary measures by Major League Baseball, but also criminal charges for the violation of the Computer Fraud and Abuse Act of 1986, a federal law.