Techdirt. Stories filed under "breach"

Techdirt. Stories filed under "breach" Easily digestible tech news... http://www.techdirt.com/ en-us Techdirt. Stories filed under "breach"http://www.techdirt.com/images/td-88x31.gifhttp://www.techdirt.com/ Tue, 6 Nov 2012 07:44:40 PST Epic's 'Music First' Approach: Delay Album Release; Drop Band When They Leak It Mike Masnick http://www.techdirt.com/articles/20121105/07291120932/epics-music-first-approach-delay-album-release-drop-band-when-they-leak-it.shtml http://www.techdirt.com/articles/20121105/07291120932/epics-music-first-approach-delay-album-release-drop-band-when-they-leak-it.shtml release their latest album for free all over the internet, after some sort of dispute with Epic over the release date. The band was already considered one of the top authorized downloaded bands on BitTorrent due to earlier releases it had put online for free itself. However, with Epic trying to take a standard "slow down and wait" approach, the band posted its new album to various file lockers and started tweeting out links, noting that "the label will be hearing the album for the first time with you."

Last week, the band posted a screenshot of an irate email from the label about this. Epic notes not only that is it absolutely furious about the leak, but that (1) the release is a breach of contract; (2) since Epic owns the copyright, the label considers the leak to be infringing; (3) the band's decisions have "financially damaged Epic"; (4) even though Epic still intended to release the album, the album would not count towards the recording commitment in the band's contract and (5) while Epic still intended to collect money for the sale of the album (which, again, would not count towards the recording commitment), Epic would not cover the cost of recording the album.

Those last two points are the really interesting ones to me. If it's not counting the album towards the recording commitment, and it now refuses to pay for the cost of the album, it seems wrong to then still consider it something that Epic gets to sell and to keep all the revenue from.

Either way, it appears that won't be an issue, because just a few weeks after that email was sent, Epic officially began the process of dropping Death Grips from the contract. This probably won't surprise many people, though it will be interesting to see if Epic retains "ownership" of the work in question or if Death Grips is able to get back control of its masters. That said, Epic's "statement" about this move is absolutely hilarious for being obviously, blatantly, false:

Epic Records is a music first company that breaks new artists. That is our mission and our mandate. Unfortunately, when marketing and publicity stunts trump the actual music, we must remind ourselves of our core values. To that end, effective immediately, we are working to dissolve our relationship with Death Grips. We wish them well.

First of all, Death Grips had already "broken" without Epic's help. Second, since when has a major label ever really cared about "the actual music" as compared to the ability to make money off of it with marketing and publicity stunts? And, really, if it were just about "the music," then why would it have freaked out so much when the band made "the music" available for free?

Permalink | Comments | Email This Story
]]> uh-what? http://www.techdirt.com/comment_rss.php?sid=20121105/07291120932 Tue, 17 May 2011 19:07:00 PDT France Suspends 3 Strikes Monitoring Following Data Breach Mike Masnick http://www.techdirt.com/articles/20110517/02075514296/france-suspends-3-strikes-monitoring-following-data-breach.shtml http://www.techdirt.com/articles/20110517/02075514296/france-suspends-3-strikes-monitoring-following-data-breach.shtml had been hacked, though, in reality it appears to be much more of a simple data breach caused by TMG poor setup. The breach left open a lot of details of the tracking system, including IP addresses linked to the whole 3 strikes process. In response, it appears that Hadopi has "temporarily suspended" its work with TMG, perhaps to measure the damage and see if it can actually learn to lock down its computers. In the meantime, however, as TorrentFreak points out, there are no other providers doing this monitoring -- meaning that (at least for a little while), it appears 3 strikes monitoring has stopped in France.

Permalink | Comments | Email This Story
]]> oops http://www.techdirt.com/comment_rss.php?sid=20110517/02075514296 Wed, 4 May 2011 12:02:00 PDT Sony Blames Anonymous For Latest Hack... Mike Masnick http://www.techdirt.com/articles/20110504/11175714141/sony-blames-anonymous-latest-hack.shtml http://www.techdirt.com/articles/20110504/11175714141/sony-blames-anonymous-latest-hack.shtml latest data breach: Anonymous. Sony is claiming it found a file named "Anonymous" on the server, with the non-group's phrase "We are Legion" in the file:

"The attacks were coordinated against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker," Sony chairman Kazuo Hirai said in the letter.

"What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes."

Of course, those two sentences don't seem to match. Anonymous isn't known (at all) for trying to steal credit card information for criminal purposes. Its entire purpose is more along the lines of vigilante protests. Also, Anonymous may be the easiest "group" in the world to frame. Because it's not a group and anyone and everyone can be a part of it, you just put a file named "Anonymous" somewhere along with the phrase "We are Legion" and clueless dupes assume it was "the" Anonymous rather than a bunch of organized crime hackers searching for credit card details. It very well could have been an Anonymous operation, but it seems like Sony should have a bit more proof before making such a definitive statement on the matter.

Permalink | Comments | Email This Story
]]> easiest-framing-ever http://www.techdirt.com/comment_rss.php?sid=20110504/11175714141 Tue, 3 May 2011 06:57:56 PDT Things Get Worse And Worse For Sony As Another Massive Data Breach Detected Mike Masnick http://www.techdirt.com/articles/20110502/23490314123/things-get-worse-worse-sony-as-another-massive-data-breach-detected.shtml http://www.techdirt.com/articles/20110502/23490314123/things-get-worse-worse-sony-as-another-massive-data-breach-detected.shtml yet another massive data breach, this time for Sony Online Entertainment (SOE) users. SOE is their online multiplayer games offering. It sounds like a similar issue to the PSN hack, again with lots of data being taken. Making matters worse, apparently for players outside the US, Sony kept credit card numbers and/or bank details in an "outdated database" (read, one not properly secured or encrypted, apparently). And... Sony is now admitting that the breach occurred a few weeks ago, so this info has probably already been put to use. So, we've got the rootkit, the PSN and now the SOE issue. Who actually willingly pays Sony for anything any more?

Permalink | Comments | Email This Story
]]> this-is-why-you-don't-trust-rootkitters http://www.techdirt.com/comment_rss.php?sid=20110502/23490314123 Fri, 5 Nov 2010 03:28:56 PDT If You Discover A Privacy Data Breach, You Probably Shouldn't Wait Three Months To Tell Users Mike Masnick http://www.techdirt.com/articles/20101103/22495711713/if-you-discover-a-privacy-data-breach-you-probably-shouldn-t-wait-three-months-to-tell-users.shtml http://www.techdirt.com/articles/20101103/22495711713/if-you-discover-a-privacy-data-breach-you-probably-shouldn-t-wait-three-months-to-tell-users.shtml waited until June to tell users. The company has now been fined $300,000 for not promptly notifying users, though that does seem like a rather low number considering how many records were apparently exposed...

Permalink | Comments | Email This Story
]]> fined http://www.techdirt.com/comment_rss.php?sid=20101103/22495711713 Thu, 12 Aug 2010 16:31:13 PDT Company That Had The Largest Ever Credit Card Data Breach... Apparently Breached Again [Update] Mike Masnick http://www.techdirt.com/articles/20100812/15223610610.shtml http://www.techdirt.com/articles/20100812/15223610610.shtml largest ever security breach in terms of the number of credit card numbers exposed. They were successfully targeted by the same guys who had also set the previous record for largest credit card data breach, so you could question whether the issue was just a sophisticated group of hackers or poor security at Heartland (or, possibly, a combination of both). Either way, it looks like Heartland may still have some issues. Carlo sends over the news that a new security breach has been discovered at a restaurant in Austin, Texas that appears to involve someone hacking into the network between the restaurant and Heartland. It's not yet clear if this goes beyond that one restaurant, but this can't look good for Heartland.

Update: Heartland got in touch to let us know that this appears to be an issue outside of Heartland's system, and that Heartland is not the target of the investigation into the breach. Heartland's press release is basically pointing out that the weakness was with the restaurant's credit card security, not its own.

Permalink | Comments | Email This Story
]]> hits-you-in-the-heartland http://www.techdirt.com/comment_rss.php?sid=20100812/15223610610 Tue, 15 Jun 2010 20:35:10 PDT Could AT&T's iPad Email Leak Really Be A Much, Much More Serious Security Breach? Mike Masnick http://www.techdirt.com/articles/20100615/0042179819.shtml http://www.techdirt.com/articles/20100615/0042179819.shtml security glitch by AT&T, that allowed hackers to figure out the email addresses of 114,000 iPad users. A few people in the comments mocked this news, claiming that such info was pretty much meaningless, as email addresses are hardly private info these days. Of course, that ignored the connection of the email address to the fact that you bought an iPad. But now, some are realizing the potential security problems with this may be significantly worse. Slashdot point us to a story where someone walks through how poor security choices by the various mobile operators means that knowing the information revealed by the glitch can actually reveal much, much more. As the blog post walks through the details, it concludes that potentially, the data from the breach in some cases (though, not all) could then be used to figure out a lot more:

So yeah, knowing someone's ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you're prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too.

There is a later edit, when he realizes that the voicemail/phone calls/SMS stuff might not be that big of a deal, since the iPad is not a phone device, but it's still instructive of how a "simple" data breach can lead to much more in certain circumstances.

Permalink | Comments | Email This Story
]]> doesn't-sound-good http://www.techdirt.com/comment_rss.php?sid=20100615/0042179819 Thu, 10 Jun 2010 01:05:26 PDT Script Kiddie Botnet Operators Ask For Jobs From Security Company That Shut Them Down Mike Masnick http://www.techdirt.com/articles/20100607/0109289707.shtml http://www.techdirt.com/articles/20100607/0109289707.shtml showed up at the offices of a security researcher who helped bring them down... asking for a job. The article highlights how the researcher, Luis Corrons, basically had figured out who was running the botnet after one of the operators made a mistake and revealed his home computer... which actually was not far from where Corrons worked. It was shut down at the end of last year, but a few months later, Corrons had an interesting experience:

In late March Mr Corrons was preparing for a meeting at Panda's Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.

One asked if he was Luis Corrons. He said yes while wondering who they were.

They introduced themselves which left him no wiser. Then, one of them said; "I'm Ostiator and this is Netkairo."

"It was then I realised these guys were the ones that were arrested in the Mariposa case," he told the BBC. "I thought they wanted to teach me a lesson."

Instead, they asked him for a job, saying that the shutdown of the botnet had "robbed them of their livelihood." Apparently, the two guys started following Corrons on Twitter, sending messages his way and commenting on his blog, before asking for work again. They finally brought in one of the guys for an interview, noting that they wouldn't hire anyone involved in criminal activity. The guy responded that he hadn't been charged with anything. However, Corrons also quickly realized that the guy barely had any technical skills -- pointing out that he didn't write the bot, he just ran it:

"He got really annoyed at that moment, when we told him he was not good enough," said Mr Corrons. Subsequent discussion revealed just how poor their skills were.

"They were given the botnet with all the stuff they needed," said Mr Corrons. "Using it was like using any other program."

So, for the script kiddies out there, perhaps before asking for a job from the security researchers who bring your botnet down, you do a bit of work to make sure you have the actual skills.

Permalink | Comments | Email This Story
]]> didn't-work http://www.techdirt.com/comment_rss.php?sid=20100607/0109289707 Mon, 7 Jun 2010 02:26:51 PDT Once Again, Court Says If There's No Real Harm, There's No Legal Recourse For Privacy Breach Mike Masnick http://www.techdirt.com/articles/20100604/1533169700.shtml http://www.techdirt.com/articles/20100604/1533169700.shtml there was no case. Odd that this applies to things like privacy, but when you see a similar situation with copyright, no one ever has to show any actual harm. Either way, it looks like courts are continuing to follow this particular line of thought, as a lawsuit against Gap for losing private data has been rejected under the same line of thinking. This also almost certainly means that all those class action lawsuits against Google for possibly collecting some WiFi data, are completely dead in the water. In those cases, the plaintiffs don't even show any evidence that their data was collected, let alone give any proof of harm.

Permalink | Comments | Email This Story
]]> why-doesn't-that-apply-elsewhere? http://www.techdirt.com/comment_rss.php?sid=20100604/1533169700 Tue, 18 Aug 2009 05:42:47 PDT Looks Like The Guy Who Set The Record For Largest Credit Card Breach Was Breaking His Own Record Mike Masnick http://www.techdirt.com/articles/20090818/0047085910.shtml http://www.techdirt.com/articles/20090818/0047085910.shtml new winner in the battle to see who was responsible for the largest ever credit card breach. Until that time, the honor had gone to a series of department stores owned by TJX (TJ Maxx, Marshalls, etc.). That involved info on 94 million credit card holders. Not bad. But the newer deal, involving Heartland Payment Systems appeared to effect well over 100 million. Now, you may have seen the news reports this week that have upped that total to 130 million, as part of the announcement of indictments against three individuals for illegally accessing the data. But, what's fascinating is that the one guy in custody, Albert Gonzalez, was already in custody for his role in the TJX hack (along with some other retailers). Oh, and there's also the tidbit about how he was a government informant, handing over info on (you guessed it) the underworld involved in stolen credit card numbers.

Permalink | Comments | Email This Story
]]> raising-the-bar http://www.techdirt.com/comment_rss.php?sid=20090818/0047085910 Fri, 23 Jan 2009 13:51:05 PST TJX Offers One-Day Sale To Make Up For Massive Data Breach Carlo Longino http://www.techdirt.com/articles/20090123/1055363506.shtml http://www.techdirt.com/articles/20090123/1055363506.shtml earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores' WiFi networks with the easily broken WEP standard, and not having enough security in place to keep the hackers out of its central database after they'd gotten on the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, lets-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.

Permalink | Comments | Email This Story
]]> how-generous http://www.techdirt.com/comment_rss.php?sid=20090123/1055363506 Thu, 6 Dec 2007 00:43:27 PST Canadian Passport Website Falls For Oldest Privacy Breach On The Web Mike Masnick http://www.techdirt.com/articles/20071205/190901.shtml http://www.techdirt.com/articles/20071205/190901.shtml had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.

Permalink | Comments | Email This Story
]]> that-one-again? http://www.techdirt.com/comment_rss.php?sid=20071205/190901 Mon, 29 Oct 2007 18:19:10 PDT Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse Mike Masnick http://www.techdirt.com/articles/20071026/172147.shtml http://www.techdirt.com/articles/20071026/172147.shtml worse than previously expected. We saw it with Choicepoint. We saw it with the VA. It seems to always happen. In fact, with the now infamous TJX breach, we'd already mentioned that the problems were worse than originally announced -- making it the largest such breach ever reported. This wasn't surprising once you found out just how incompetent the company was -- failing to comply with nearly all of the credit card company's security guidelines and leaving their entire system wide open to anyone who could hack a simple insecure WEP WiFi system (something that's quite easily done). The data from the breach (unlike many other widely announced breaches) has already been used in numerous frauds, costing upwards of $60 million. With such astounding incompetence and a breach so large, should it come as any surprise that even the updated breach numbers weren't complete? That's right, thanks to documents being filed in the lawsuits against TJX, it's now coming out that the breach has impacted even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either.

Permalink | Comments | Email This Story
]]> stunning-incompetence http://www.techdirt.com/comment_rss.php?sid=20071026/172147 Fri, 13 Jul 2007 10:39:00 PDT More People Busted With Credit-Card Numbers From TJX Breach Carlo Longino http://www.techdirt.com/articles/20070712/204012.shtml http://www.techdirt.com/articles/20070712/204012.shtml 200,000 credit cards from the TJX breach that was disclosed earlier this year. Recovering the credit-card numbers at this point does little more than link the fraudsters to the breach, but they're said to have been used to rack up more than $75 million in fraudulent charges. The people busted here didn't apparently participate in the theft of the credit-card data, but bought them from "known cybercriminals in Eastern Europe" and then used the numbers to make counterfeit cards. In any case, they're way more productive than another group of Florida scammers busted back in March, who only managed to rack up $8 million worth of goods at Sam's and Wal-Mart. Since banks get left holding the bag for this type of fraud, expect more lawsuits as they look to recover their losses from TJX's astounding level of incompetence.

Permalink | Comments | Email This Story
]]> cha-ching http://www.techdirt.com/comment_rss.php?sid=20070712/204012