US senator proposes jailing execs, fining companies for data breaches

When it comes to breaches, bing, bang, boom!

First, Dell disclosed a “potential cybersecurity incident” and a mandatory reset of passwords for all Dell.com accounts. Next, Dunkin Donuts disclosed a credential stuffing attack (pdf) that may have allowed third parties to log into DD Perks accounts and access the data tied to those accounts. And then Marriott tried the old release-breach-news-on-Friday trick.

If Marriott had hoped the Friday-announced news of Starwood’s guest reservation database being breached would cycle out of the news system quickly, then it was likely disappointed. For starters, the breach affected up to 500 million people; Marriott’s investigation revealed there had been “unauthorized access to the Starwood network since 2014.” Oh, and it’s sorry for the four-year-long breach.

But apparently sorry and the offer of “useless credit monitoring” no longer cuts it for Sen. Ron Wyden (D-Ore.). Now it’s time to start jailing senior executives and handing out heavy multi-billion dollar fines to make companies start taking privacy seriously, he told Gizmodo.

And Sen. Charles Schumer (D-N.Y.) wants Marriott to pay “for new passports for customers whose passport number were hacked.”

In other data breach news, researchers from HackenProof found a 73 GB breach (pdf) consisting of an unprotected database with millions of records of U.S. citizens and companies. One instance exposed personal info of 56,934,021 – data such as names, employers, job titles, email and physical addresses, phone number and IP addresses. The same database had over “25 million records with more of a ‘Yellow Pages’ details directory: name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, SIC codes, and etc.” It was unclear precisely to whom the database belonged.

Other notable breaches from the past week include 300,000 exposed records on Urban Massage customers and 32 million customer records from Sky Brasil.

Other cybersecurity news

Ransomware attack on Moscow’s new cable car

Moscow’s new cable car line was shut down almost immediately after opening due to a ransomware attack. It opened to the public on Tuesday, but by Wednesday all 35 eight-seat cable cars shut down after ransomware infected the servers of the agency managing the cable car line. It was running again on Thursday.

For people who might consider paying a ransom demand to unlock infected devices, Bleeping Computer pointed out that doing so “could land you in trouble for violating U.S. government sanctions.”

Over 50,000 printers hacked in prank to drum up more YouTube subscribers

Over the past week, more than 50,000 printers spewed out a message asking people to subscribe to PewDiePie’s YouTube channel. HackerGiraffe claimed responsibility for the attacks and detailed how the hack went down by simply exploiting the ability to send commands to printers connected to the internet using PRET.

It took cops seven miles to pull over sleeping driver’s Tesla in autopilot mode

The California Highway Patrol had to figure out how to pull over a Tesla Model S, which was allegedly driving 70 mph, after the driver appeared to be asleep. It turned into “a complex, seven-minute operation in which the officers had to outsmart the vehicle’s autopilot system because the driver was unresponsive.” At the end of the seven-mile pursuit and stop, the driver failed a field sobriety test.

New form of identity theft involving DNA service?

Lastly, there’s this from F-Secure’s Mikko Hypponen:

Saw this on a forum: > Someone had fraudulently > purchased a 23andMe kit > on my card (weird, right?) Maybe a new form of identity theft? If you know your DNA was left at a crime scene, submit the DNA to a genealogy service under someone else’s credit card and identity?

— Mikko Hypponen (@mikko) December 1, 2018