UK Government Fined Over Honors List Data Breach

The UK’s data watchdog has slapped the British government with a hefty fine for exposing the addresses of individuals chosen to receive honors. 


The Information Commissioner’s Office (ICO) said that the safety of hundreds of 2020 New Year Honors recipients had been placed in jeopardy after their personal data was published online.


“On 27 December 2019 the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honors list,” said the ICO in a statement released Thursday. 


Among the figures impacted by the unauthorized disclosure of personal information were musician Elton John, TV chef Nadiya Hussain, former NHS England chief executive Simon Stevens, former director of public prosecutions Alison Saunders, and cricketer Ben Stokes. 


The addresses of the honorees were available online for two hours and 21 minutes. During that period, the information was accessed 3,872 times. 


“After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address,” said the ICO.


The ICO received three complaints from individuals whose data was exposed in the incident. A further 27 people contacted the Cabinet Office to raise concerns over the personal safety of the honorees following the breach. 


The ICO found that officials at the Cabinet Office had breached UK data protection laws by failing to put in place “appropriate technical and organizational measures” to prevent the publication of the addresses.


On Thursday the ICO fined the Cabinet Office £500,000 (approximately $661K) over the data debacle. 


“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety,” said the ICO’s director of investigations, Steve Eckersley.


“The fine issued today sends a message to other organizations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”



Source: Infosecurity

US Issues Cybersecurity Directive for Airlines and Railroads

Nearly all railroads and airlines in the United States have been ordered to report cybersecurity breaches to the federal government. 


Under the new Transportation Security Administration–issued mandate, rail operators, airport operators, and airline operators will be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of detection.


All three types of operators will also have to designate a cybersecurity coordinator. The mandate applies to both passenger and freight railroads.


The mandates also require railroad operators to complete a vulnerability review to determine how susceptible they are to cyber-attacks, and to create and implement a cybersecurity incident response plan.


The fresh security regulations were announced by senior officials at the US Department of Homeland Security (DHS) on Thursday and will come into force on the last day of this month. 


“Cybersecurity incidents affecting transportation are a growing, evolving and persistent threat,” Victoria Newhouse, TSA’s deputy assistant administrator, told the House Transportation Committee on Thursday. 


“Across US critical infrastructure, cyber threat actors have demonstrated their willingness and ability to conduct malicious cyber activities targeting critical infrastructure by exploiting the vulnerability of operational technology and information technology systems.”


Several cyber-attacks targeting the rail sector have been reported over the past twelve months. They include a ransomware strike on Toronto’s transit agency, a breach of New York’s Metropolitan Transportation Authority’s computer systems, and an attack on the Transportation Authority in Ann Arbor, Michigan. 


The new rules echo similar mandates directed at improving the security of America’s pipelines, which were issued by the Biden administration in the wake of the cyber-attack on Colonial Pipeline. 


“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” Department of Homeland Security Secretary Alejandro Mayorkas said.


“DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”


The Wall Street Journal reports that the new mandates will affect roughly 90% of passenger rail systems in the US and 80% of freight railways.




Source: Infosecurity

Logiq.ai Tackles Observability Problem With LogFlow

LogFlow addresses data risks associated with machine data pipelines.
Source: DarkReading

CVE-2021-38909

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209706.
Source: NIST

CVE-2021-29867

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to view or edit a Jupyter notebook that they should not have access to. IBM X-Force ID: 206212.
Source: NIST

CVE-2021-29719

IBM Cognos Analytics 11.1.7 and 11.2.0 could be vulnerable to client-side vulnerabilities due to a web response specifying an incorrect content type. IBM X-Force ID: 201091.
Source: NIST
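
A generic check for the weakness class named in CVE-2021-29719, added here as an illustration; it is not IBM's code and makes no claim about which Cognos endpoint is affected. The advisory says only that a response carries the wrong content type, which matters because a browser that renders a JSON or text body as HTML will execute any markup an attacker managed to get into it. The audit below flags the two conditions that allow that: a declared Content-Type that does not match the body, and a missing X-Content-Type-Options: nosniff header. The paths, headers and bodies are constructed samples, and the helper names are this example's own.

```python
import json
import re

# Constructed sample responses for the audit below; they are illustrative,
# not captures from IBM Cognos Analytics or any other real product.
# Each entry is (request path, response headers, response body).
SAMPLE_RESPONSES = [
    ("/api/report",
     {"Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff"},
     b'{"status": "ok"}'),
    # JSON that echoes user input but is labelled as HTML: a browser
    # navigating straight to this URL renders the markup and runs the script.
    ("/api/search",
     {"Content-Type": "text/html"},
     b'{"results": ["<script>alert(1)</script>"]}'),
    # No Content-Type at all and no nosniff: the browser decides what it is.
    ("/export",
     {},
     b'<svg onload="alert(1)"></svg>'),
    # Correct type, but sniffing is still permitted.
    ("/api/items",
     {"Content-Type": "application/json"},
     b'[1, 2, 3]'),
]

JSON_TYPES = {"application/json", "text/json"}
HTML_MARKERS = re.compile(rb"<\s*(html|script|body|svg|img)\b", re.I)


def declared_type(headers):
    """Media type from Content-Type, lower-cased, without parameters."""
    ct = headers.get("Content-Type", "")
    return ct.split(";", 1)[0].strip().lower()


def sniff_body(body):
    """Rough guess at how a browser would treat the body if it sniffed it."""
    text = body.lstrip()
    try:
        json.loads(text.decode("utf-8"))
        return "json"
    except (ValueError, UnicodeDecodeError):
        pass
    if HTML_MARKERS.search(text):
        return "html"
    return "other"


def audit_response(headers, body):
    """Return the list of content-type problems found in one response."""
    findings = []
    ct = declared_type(headers)
    guess = sniff_body(body)
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"

    if not ct:
        findings.append("missing Content-Type")
    elif guess == "json" and ct not in JSON_TYPES:
        findings.append(f"JSON body declared as {ct}")
    if not nosniff:
        findings.append("X-Content-Type-Options: nosniff not set")
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Map each sampled path to its findings (empty list means clean)."""
    return {path: audit_response(headers, body) for path, headers, body in responses}


if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

The same function can be fed real responses from a crawl of your own deployment: anything that returns a non-empty finding list is worth a second look, and a JSON endpoint reported as text/html is the exact shape of problem the advisory describes.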

CVE-2021-29756

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202167.
Source: NIST

CVE-2021-29716

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low-level user to read areas of the application that only a privileged user should be allowed to view. IBM X-Force ID: 201087.
Source: NIST

CVE-2021-20493

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197794.
Source: NIST

CVE-2021-20470

IBM Cognos Analytics 11.1.7 and 11.2.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 196339.
Source: NIST