Bitglass Security Spotlight: Google, GDPR, & Homeland Security


This post was originally published here by Will Houcheime.

Here are the top cybersecurity stories of recent weeks: 

  • Google fails GDPR guidelines, fined $57 million
  • U.S. Homeland Security issues hijack warnings
  • Unprotected server exposes four million applications
  • 24 million sensitive banking documents exposed
  • Over 100 million casino bets leaked


Google fails GDPR guidelines, fined $57 million

The French data protection authority, CNIL, fined Google $57 million for failing to comply with the General Data Protection Regulation (GDPR). According to the CNIL, Google did not give users enough information about how their data would be used, and the way it obtained consent left users with too little control over that use. The complaints were filed in May 2018 by the non-profit organizations None of Your Business and La Quadrature du Net. This is the largest fine issued under the GDPR to date.

U.S. Homeland Security issues hijack warnings

The U.S. Department of Homeland Security recently issued an emergency directive on a DNS hijacking campaign attributed to Iran. By altering the DNS records for a target's domains, the attackers could redirect the target's traffic through infrastructure they control and obtain valid certificates for the hijacked names. Federal agencies were directed to audit their DNS records for unauthorized changes, change the passwords on every account that can modify those records, and enable multi-factor authentication on those accounts. While the details are technical, the fact remains that government organizations are regularly targeted by other nation-states.
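The audit step in the directive comes down to comparing what a zone's authoritative servers answer today against a known-good baseline. The script below is an added example, not part of the original post or of the DHS directive; the zone data, the domain `example.gov` and the `attacker.example` hosts are all constructed for illustration. In practice the baseline would come from change-controlled infrastructure-as-code and the observed side from querying the authoritative servers (for instance with dnspython); here both are embedded so the example runs offline.

```python
"""Diff a known-good DNS baseline against the records currently observed and
report added or removed values per record set.

Added example (not from the original post or the DHS directive). The zone
data below is constructed; only the comparison logic is the point.
"""
from typing import Dict, List, Set, Tuple

# A record set is keyed by (owner name, type) and holds the set of RDATA values.
RecordSets = Dict[Tuple[str, str], Set[str]]


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive; compare fully qualified, lower-cased forms."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def normalize_rdata(rtype: str, rdata: str) -> str:
    """Canonicalise RDATA so cosmetic differences do not raise alerts.
    Hostname-valued types (NS, CNAME, MX target) are case-insensitive and may
    lack the trailing dot; other types are compared after whitespace collapse."""
    rdata = " ".join(rdata.split())
    if rtype in ("NS", "CNAME"):
        return normalize_name(rdata)
    if rtype == "MX":
        pref, host = rdata.split(" ", 1)
        return f"{int(pref)} {normalize_name(host)}"
    return rdata


def parse_records(lines) -> RecordSets:
    """Parse 'owner TYPE rdata' lines (a zone-file subset) into record sets.
    Blank lines and ';' comments are ignored."""
    sets: RecordSets = {}
    for line in lines:
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        key = (normalize_name(owner), rtype.upper())
        sets.setdefault(key, set()).add(normalize_rdata(key[1], rdata))
    return sets


def diff_records(baseline: RecordSets, observed: RecordSets) -> List[Tuple[str, str, str, str]]:
    """Return (owner, type, 'removed'|'added', value) for every difference.

    A changed record set shows up as one 'removed' per old value and one
    'added' per new value, so both a swapped A/MX target and an extra NS
    slipped in next to the legitimate ones are visible to the reviewer."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        before = baseline.get(key, set())
        after = observed.get(key, set())
        for value in sorted(before - after):
            findings.append((key[0], key[1], "removed", value))
        for value in sorted(after - before):
            findings.append((key[0], key[1], "added", value))
    return findings


# Constructed baseline: what the zone is supposed to contain.
BASELINE = """
example.gov.      NS  ns1.example.gov.
example.gov.      NS  ns2.example.gov.
example.gov.      MX  10 mail.example.gov.
www.example.gov.  A   192.0.2.10
mail.example.gov. A   192.0.2.20
"""

# Constructed observation: the mail exchanger now points at an attacker-controlled
# host and a rogue nameserver has been added. The case and trailing-dot
# differences on ns1 must NOT be reported.
OBSERVED = """
example.gov.      NS  NS1.example.gov
example.gov.      NS  ns2.example.gov.
example.gov.      NS  ns.attacker.example.   ; constructed rogue nameserver
example.gov.      MX  10 mx.attacker.example.
www.example.gov.  A   192.0.2.10
mail.example.gov. A   192.0.2.20
"""


def audit(baseline_text: str = BASELINE, observed_text: str = OBSERVED):
    """Run the comparison on the constructed data (or on caller-supplied zones)."""
    return diff_records(parse_records(baseline_text.splitlines()),
                        parse_records(observed_text.splitlines()))


if __name__ == "__main__":
    for owner, rtype, kind, value in audit():
        print(f"{kind.upper():8} {owner} {rtype} {value}")
```

Run against the constructed data it reports three findings: the old MX target removed, the attacker's MX target added, and the extra NS added. Everything that matches the baseline, including the differently-cased `NS1.example.gov` entry, is silent, which is what keeps a scheduled run of a check like this from being ignored as noise.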

Unprotected server exposes four million applications

AIESEC, a non-profit that describes itself as the “world’s largest youth-run organization,” recently had more than 4 million internship applications exposed on an unprotected server. Independent security researcher Bob Diachenko found the records in an Elasticsearch database that was reachable without authentication. According to Diachenko, the “opportunity applications” contained personally identifiable information (PII) such as the applicant’s name, date of birth, gender, and reasons for applying, all of it open to anyone who found the server. The database also recorded the time and date of rejected applications.

24 million sensitive banking documents exposed

More than 24 million financial and banking documents from some of the largest U.S. banks were exposed after a server was left unsecured. The exposed documents related to tens of thousands of loans and mortgages. The server, which ran an Elasticsearch database, held a decade of confidential data, including loan agreements, repayment schedules, and sensitive financial and tax documents.

Over 100 million casino bets leaked

More than 108 million records of bets placed with an online casino group were leaked, including details of customers’ deposits and withdrawals along with other personal information. Security researcher Justin Paine found the data on an unprotected Elasticsearch server. Elasticsearch is a search engine that companies deploy to index their data efficiently; it does not protect that data by itself, and this instance had been left reachable from the internet with no authentication. Financial details such as payment card numbers were only partially redacted.
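Three of the five stories share one root cause: an Elasticsearch node bound to a reachable network interface with no authentication in front of its REST API. The checker below is an added example, not code from the original post and not a tool Elasticsearch ships. It reads the flat `key: value` subset of `elasticsearch.yml`, assumes pre-8.0 defaults (`network.host` defaults to loopback and `xpack.security.enabled` defaults to false; 8.x enables security by default, so there the missing key is not an issue), and shows a weak configuration of the kind behind these leaks beside a hardened one. Both configurations and their cluster names are constructed.

```python
"""Flag an Elasticsearch node configuration that exposes its indices the way the
AIESEC, banking and casino servers were exposed: listening beyond loopback with
no authentication on the REST API.

Added example, not from the original post and not an Elasticsearch tool.
Assumes pre-8.0 defaults: network.host -> loopback, xpack.security.enabled -> false.
"""
from typing import Dict, List, Tuple, Union

Settings = Dict[str, Union[str, List[str]]]

# Special values and addresses that keep the node reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Settings:
    """Parse the 'key: value' and 'key: [a, b]' lines elasticsearch.yml is usually
    written in. Comments after '#' are dropped; nested YAML is out of scope."""
    settings: Settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only, so "::1" survives
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("'\"") for v in value[1:-1].split(",")]
            settings[key.strip()] = [v for v in items if v]
        else:
            settings[key.strip()] = value.strip("'\"")
    return settings


def bind_addresses(settings: Settings) -> List[str]:
    """http.host overrides network.host for the REST API; default is loopback."""
    host = settings.get("http.host") or settings.get("network.host") or "_local_"
    return host if isinstance(host, list) else [host]


def is_true(settings: Settings, key: str) -> bool:
    return str(settings.get(key, "false")).lower() == "true"


def assess(settings: Settings) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the exposure pattern in question."""
    findings = []
    reachable = [h for h in bind_addresses(settings) if h not in LOOPBACK]
    port = settings.get("http.port", "9200")
    if reachable and not is_true(settings, "xpack.security.enabled"):
        findings.append(("CRITICAL",
                         f"REST API listens on {', '.join(reachable)} port {port} with "
                         "xpack.security.enabled unset/false: anyone who can reach the "
                         "port can read, modify or delete every index"))
    elif reachable and not is_true(settings, "xpack.security.http.ssl.enabled"):
        findings.append(("HIGH",
                         "authentication is enabled but HTTP TLS is off: credentials "
                         "and data travel in cleartext"))
    return findings


# Constructed: the shape of configuration behind the exposures above. The comment
# is the usual justification; it also makes the node answer to the whole internet
# if the host has a public interface.
WEAK_CONFIG = """
cluster.name: prod-logs
network.host: 0.0.0.0      # listen on every interface so the app servers can reach us
http.port: 9200
"""

# Constructed hardened counterpart: bind to loopback plus one private interface,
# turn on authentication and TLS for the REST API.
HARDENED_CONFIG = """
cluster.name: prod-logs
network.host: ["_local_", "10.0.5.12"]  # private interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]", assess(parse_flat_yaml(cfg)) or "no findings")
```

The hardened configuration still binds to a non-loopback address, because an application has to reach the cluster somehow; what changes is that the REST API now demands credentials over TLS. Network-level controls (security groups, host firewalls) belong in front of this as well, but they are outside what a single node's configuration file can show.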

To learn about cloud access security brokers (CASBs) and how they can protect your enterprise from data leakage, misconfigurations, and more, download the Definitive Guide to CASBs below.
