Archive for the ‘personally identifiable information’ Category

Airline tracks Twitter user’s real-world ID, publishes her flight number

August 9th, 2019

A security consultant who took to Twitter to call out inappropriate comments made by a Southwest Airlines flight attendant received a surprising response when the airline’s official Twitter account included her flight number in its reply while the flight had yet to take off.

The consultant, peeved that the airline tracked down her real-world identity and then broadcast her location, sent a follow-up saying the number amounted to personally identifiable information that the airline was obligated to keep private. The airline’s response: flight numbers aren’t PII. The conversation started out with a tweet like this one, reporting that an attendant on the flight she was boarding was making jokes some passengers found to be offensive:

A Southwest representative using the name Emilia responded with this:

Posted in personally identifiable information, Policy, Privacy, southwest airlines

Still available via Google Analytics: Data slurped from 4 million browsers

July 24th, 2019
(Image credit: Aurich Lawson / Getty)

Six days after Ars revealed an online service selling links to tax returns, prescription refills, and reams of other sensitive information collected from more than four million browsers, the data remains available to existing customers—thanks, in part, to essential assistance from Google Analytics.

In a July 11 email, Nacho Analytics founder and CEO Mike Roberts told customers the site suffered a permanent data outage after its third-party supplier was no longer available. The site would no longer accept new customers or provide new data, he said, but customers who kept accounts open would still be able to access any existing data they bought previously.

As the redacted screenshots below demonstrate, the existing data is imported directly into customers’ Google Analytics accounts. That existing data can include the same sensitive information that led to Nacho Analytics being shut off in the first place. The first image shows the names of medical patients who obtained lab results through Dr. Chrono, a patient care cloud platform that contracts with medical services. The one below that shows non-public project management issues taken from inside Tesla’s network, funneled to Nacho Analytics, and then imported into Google Analytics.

Posted in Biz & IT, data, personally identifiable information, PII, Privacy

3 men cop to $21 million vishing and smishing scheme

March 11th, 2019
Image: Handcuffs on a nondescript blue background. (credit: Klaus with K)

Three Romanian citizens have pleaded guilty to carrying out a scheme that used recorded messages and cellphone texts to trick thousands of people into revealing their social security numbers and bank account information, federal authorities said.

The "vishing" and "smishing" scams are variations of phishing that use voicemails and SMS messages instead of email, federal prosecutors in Atlanta, Ga., said on Friday. From 2011 to 2014, the three Romanians compromised computers located in the US and installed interactive voice response and bulk emailing software on them. The hacked computers initiated thousands of phone calls and text messages that tricked recipients into disclosing personal information including account numbers, PINs, and social security numbers.

"When a victim received a telephone call, the recipient would be greeted by a recorded message falsely claiming to be a bank," federal prosecutors said. "The interactive voice-response software would then prompt the victim to enter their PII. When a victim received a text message, the message purported to be from a bank and directed the recipient to call a telephone number hosted by a compromised Voice Over Internet Protocol server. When the victim called the telephone number, they were prompted by the interactive voice response software to enter their PII."

Posted in Biz & IT, fraud, personally identifiable information, phishin, Smishing, vishing