Wednesday 29 July 2015

Pro-Encryption Arguments from Access Now’s Crypto Summit 2015

Global digital freedom advocate Access Now held its first Crypto Summit on July 15 in Washington, DC. The event examined the intersection of encryption and government as a matter of United States policy and for its domestic and international implications.

A session titled “What is the Law and What Should it Be?” brought together panelists Nate Cardozo, Electronic Frontier Foundation; Carrie Cordero, Georgetown University Law Center; Jamil Jaffer, George Mason University Law School; and Sarah McKune, Citizen Lab, who debated the necessity, legality and (im)possibility of government backdoors for encrypted communications.

Some of our favorite pro-encryption arguments from the discussion include:
“Encryption is becoming more and more popularized, more ubiquitous, more accessible. But the fact that it’s more accessible is also the reason why those of us in civil society are becoming more secure. Because there are certain barriers to entry for civil society groups and activists to actually enhance their digital security. So the more encryption is implemented by design, the more it’s built in, the less impediments there are to civil society actually using this for their work” (McKune, 16:10-16:37).
“I keep all of my contraband in a safe. When law enforcement wants to search my safe, which they do, they get a warrant—a search warrant. And what do they do? They try and crack the safe, they get a blow torch, they get the best safe cracker. What they don’t do is go to Brinks and say, with the next safe you sell, you have to give us the combo” (Cardozo, 25:26-25:53).
“I’ve heard the concern and the criticism that people in the privacy community and the security community who are concerned about [encryption] are not willing to admit that this can and will be a barrier to law enforcement, that in fact some people will be hurt, some people may even die because of the deployment of encryption. I’m not afraid to say that. What I haven’t heard from the other side is the fact that people can and will and do die because of the failure to deploy encryption, whether it is the battered spouse who is killed after her husband gets into her phone, whether it’s the person who’s shot for their phone, which would be a worthless brick if encryption were turned on, whether it’s the human rights activist in Burma—I can think of many, many other examples where thanks to encryption, people survive. So, are you willing to admit, Ms. Cordero and Mr. Jaffer, that encryption saves lives as well?” (audience member Kevin Bankston, Open Technology Institute, 35:38-36:43).
“Any public debate should account for international human rights law and that includes the right to freedom of expression, it includes the right to benefits of scientific progress, of which encryption and other digital advancements are and the UN Special Rapporteur on Freedom of Expression has addressed this issue and he is very concerned about efforts such as these to undermine digital security standards that encryption helps support. I think we need to take into account that international human rights law perspective as well, which the United States is itself trying to advance in many different fora. If we weaken that or don’t follow that ourselves, it’s definitely going to put us in a difficult spot when we try to advocate the same to repressive regimes such as China” (McKune, 1:08:59-1:09:47).
“We have not gone dark. We are simply going from what is the best Golden Age of Surveillance to…the Silver Age of Surveillance. Because it is still so much more surveillance and so much more access than the government has ever had to the communications of everybody including criminals than it had prior to the internet or even prior to encryption” (audience member, 1:12:56-1:13:25).
To watch the full debate of “What is the Law and What Should it Be?” and other Crypto Summit panels, go to

Monday 27 July 2015

EPIC Files Complaint Against Uber's Approach to Privacy

Lately, Uber has been making headlines worldwide—a suspension in France, protests in South Africa, the defeat of a mayor in New York City.

The world is embroiled in a debate over the extent to which Uber should coexist with traditional taxi services and the louder the conversation becomes, the more distracted users are from the real issue: privacy.

Yes, Uber can feel like a win-win for driver and passenger alike, but its convenience comes at a cost.

Last month, the Electronic Privacy Information Center (EPIC) filed a complaint with the United States Federal Trade Commission regarding the presentation and content of Uber’s revised Privacy Policy, which went into effect July 15. The complaint criticized as deceptive a May 28 statement from Uber which claimed “users will be in control: they will be able to choose whether to share the data with Uber” when in fact, several clauses of the Privacy Policy show just how little control users have over their data. 

Farewell, privacy: Uber's permissions for Android
Of note, Uber retains the right to track user location, regardless of permissions, and Android users must opt-in to all data requests in order to use the service:

  • If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

  • The iOS platform will alert you the first time the Uber app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Uber app seeks before you first use the app, and your use of the app constitutes your consent.
EPIC has further taken issue with Uber’s excessive collection of data, which ranges from contacts in a user’s phone to device information to permanent log records, especially given the young company’s questionable record regarding security, which includes launch parties that share private data and a 2014 breach of drivers’ records that took 4 months to discover and another 5 months to disclose.

Recent breaches from Anthem to OPM prove that hackers know where to go for data that matters. Uber’s database of 8 million users worldwide has been described as “a sitting duck for hackers” and as its records of who-went-where-when-and-with-whom-and-what balloon, it only grows more desirable.

EPIC’s request includes an investigation into Uber’s business practices, a cessation of contact information collection and the deletion of location data upon trip completion, measures that would make Uber’s database far less attractive to hackers and far less marketable for the company itself.

Because, who knows what Uber might do with all that data? Determine the best city for a one-night stand? Orchestrate a massive political campaign? Offer it to the mayor of New York? The possibilities are endless.

Thursday 23 July 2015

Ashley Madison Breach Redefines Ethical Hacking

Hackers known as the Impact Team have compromised the personal information of 37 million members of cheating website Ashley Madison. To date, two users' personal information has been revealed.
Krebs on Security revealed part of the Impact Team's message.

The Impact Team's motivation? To shut the website down.

At issue is Ashley Madison's "full delete" feature, an option that charges users to remove all evidence of their existence from the website. 

According to Krebs on Security, the Impact Team justified their actions: “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Ashley Madison countered the claim in a July 20 acknowledgement of the hack: “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.” 

A closer look reveals “full delete” is just the tip of Ashley Madison’s privacy shortcomings.

In a 2012 Inc. interview, Ashley Madison founder and CEO Noel Biderman referred to his website as a “sociology experiment” and to himself as the “gatekeeper” of its data: “We realized we have so much anonymous data and we could go through our data to show the true reasons men and women have affairs, what their demographics are, whether there really is a two-year itch or a seven-year-itch.”

The fact is, hacked or not, users of Ashley Madison have long been defined by their data. Ashley Madison’s media page is littered with analyses of aggregate data. For South Africa alone, which has 175,000 users, the company has published information about when men and women log in, the search terms they use and the neighborhoods of Cape Town in which they predominate.

Even more disconcerting, the data has not been kept in-house. South Africa’s Dr. Eve, a couples and sex therapist, made no secret of her relationship with Ashley Madison in 2014: “In the last 18 months I have been privileged to be utilizing the database of AM for my research into Cyber Infidelity.” Dr. Eve’s research resulted in Cyber Infidelity: The New Seduction, a book that terms Ashley Madison as Dr. Eve’s “new home” and features Biderman’s praise on the front cover.

Biderman once boasted, “We’ll help you meet someone and not get caught. If you want to be clandestine, we’re an intelligent choice.” His assertion now rings hollow.

The Impact Team has asked Ashley Madison to make a choice: shut down or risk users’ privacy. Given its previous treatment of user data and lack of reaction to what has been leaked so far, Ashley Madison appears to be choosing self-interest over privacy, lending a whole new meaning to “the most recognized name in infidelity.”

Friday 17 July 2015

Airbnb’s Kindness Campaign Overlooks Unkind Privacy Policy

Go look through their windows so you can understand their views.
Sit at their tables so you can share their tastes.
Sleep in their beds so you may know their dreams.

Airbnb’s recent ad campaign purports to explore the kindness of strangers but comes across as a little, well, unsettling.

Airbnb has defended its campaign: “Kindness is the foundation of our entire community—Airbnb hosts aren’t just sharing their homes, they’re sharing part of themselves. When guests open their doors, they’re opening their hearts and minds as well.”

In the words of Airbnb co-founder Brian Chesky, “The breakthrough of Airbnb is that it does more than give you a place to sleep—it changes the way you experience the world because when we trust in the kindness of our fellow man, we discover that the world isn’t such a scary place after all.”

All this talk of kindness is enough to make you forget that Airbnb is also a successful venture capital-backed startup, valued at $25.5 billion and third to Uber and China’s Xiaomi Corp. Its ability to raise $1.5 billion in a private funding round last month was a feat that has been matched only by Uber, China’s Alibaba, and Facebook.

Airbnb’s website boasts more than 35 million guests and 1.2 million listings in more than 34,000 cities and 190 countries worldwide. Airbnb is big and is only expected to get bigger, which is perhaps why the company has chosen to focus on kindness rather than the implications of having a significant portion of the world’s population on its platform.

Nearly simultaneous with the kindness campaign, Airbnb released updated versions of its Terms of Service and Privacy Policy earlier this month, which went into effect for new users July 6 and will go into effect for existing users on August 6.

The Privacy Policy includes few changes and is hardly unique, but is a good reminder of how far from private data can be when engaging with a global platform. Of note:

Airbnb collects and analyzes your information whether you are logged in or not: “Airbnb uses cookies and other similar technologies, such as mobile application identifiers, on the Platform. We may also allow our business partners to use their cookies and other tracking technologies on the Platform. As a result, when you access or use the Platform, you will provide or make available certain information to us and to our business partners. While you may disable the usage of cookies through your browser settings, we do not change our practices in response to a "Do Not Track" signal in the HTTP header from your browser or mobile application.”

“By using the Platform, you consent that Airbnb, in its sole discretion, may, either directly or through third party companies and individuals we engage to provide services to us, review, scan, analyze, and store your communications, whether done manually or through automated means.”

“We may also receive, store and process Log Data, which is information that is automatically recorded by our servers whenever you access or use the Platform, regardless of whether you are registered with Airbnb or logged in to your Airbnb account, such as your IP Address, the date and time you access or use the Platform, the hardware and software you are using, referring and exit pages and URLs, the number of clicks, pages viewed and the order of those pages, and the amount of time spent on particular pages.”

Facebook and Google are likely sharing and collecting your information as well: “We receive, store and process information that you make available to us when accessing or using our Platform and Services. Examples include when you link your account on a third party site (e.g. Facebook) to your Airbnb account, in which case we will obtain the Personal Information that you have provided to the third party site, to the extent allowed by your settings with the third party site and authorized by you.”

“Some portions of the Platform implement Google Maps/Earth mapping services, including Google Maps API(s). Your use of Google Maps/Earth is subject to Google's terms of use and Google's privacy policy, as may be amended by Google from time to time.”

Airbnb is prepared to share your information with the government: “We will use commercially reasonable efforts to notify users about law enforcement requests for their data unless providing notice is prohibited by the legal process itself, by court order we receive, or by applicable law; or based on information supplied by law enforcement, we, in our sole discretion, believe: (a) that providing notice could create a risk of injury or death to an individual or group of individuals, (b) that the case involves potential harm to minors, or (c) that harm or fraud could be directed to Airbnb, its Members, the Platform, or Services.”

Your information is Airbnb’s asset to sell: “If Airbnb undertakes or is involved in any merger, acquisition, reorganization, sale of assets or bankruptcy or insolvency event, then we may sell, transfer or share some or all of our assets, including your Personal Information. In this event, we will notify you before your Personal Information is transferred and becomes subject to a different privacy policy.”

Airbnb claims no responsibility for your privacy: “No method of transmission over the Internet, and no method of storing electronic information, can be 100% secure. So, we cannot guarantee the absolute security of your transmissions to us and of your Personal Information that we store.”

What is most significant about Airbnb’s Privacy Policy is how commonplace it has become. The websites users around the globe have come to rely upon for everyday life are collecting, analyzing, sharing and selling our Personal Information—and making a tremendous profit in the process. If Airbnb’s kindness campaign comes across as a bit unsettling, it’s because we—the data subjects—know just what it feels like to have our windows looked through, our tables sat at and our beds slept in. Kindness, to us, is the opportunity to choose whom we invite into our lives.

Wednesday 15 July 2015

Nigeria’s Cybercrime Law Leapfrogs Freedom of Expression

In May, outgoing Nigerian president Goodluck Jonathan signed the Cybercrime Prohibition and Prevention Act into law. The much-awaited legislation was passed by the Senate and House of Representatives in 2014, lacking only presidential approval.

The Act establishes clear punishments for offenses including unlawful access to a computer, unlawful interception of communications, unauthorized modifications of computer data, system interference, misuse of devices, computer-related forgery and fraud, and identity theft and impersonation, as well as child pornography, cyberstalking, cybersquatting, cyberterrorism, racism and xenophobia. It is expected to curb Nigeria’s current practice of losing $2.5 billion a year to cybercrime.

A July 7 conversation on CNBC Africa brought together Niyi Ajao, Executive Director of Technology at the Nigeria Inter-Bank Settlement System (NIBSS); Ayotunde Coker, Managing Director of Rack Centre; and Yemi Saka, Partner of Advisory Service at Ernst & Young West Africa to praise the benefits of the Cybercrime Act for the financial sector. Ajao argued that “the Act we have now has come at the right time.” Saka applauded the legislation as a “right first step to take;” he and Coker advocated that the next step is an education and awareness campaign, to better inform users of how passwords and personal devices can be compromised, and also to let cybercriminals know that their actions will no longer go unnoticed.

The Information Security Society of Africa-Nigeria (ISSAN) responded favorably as well: “We are delighted that Nigeria has joined the few countries in Africa and indeed, the world at large, to have a law which provides effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, detection, prosecution and punishment of cyber-crime in the country, while also ensuring the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and piracy rights.

“For sure, it is no longer business as usual for cyber criminals. From the petty criminals operating in cybercafés to the big time hackers, email scammers and other computer-based fraudsters, the law stipulates heavy penalties which the criminals should be made aware of before they embark on their ‘suicide’ mission.”

The endless stream of praise, however, has overlooked the Cybercrime Act’s undeniable willingness to compromise freedom of expression and privacy. While there remains some uncertainty as to the final iteration of the law, key clauses in the 2014 legislation include:

  • A service provider shall, at the request of the relevant authority referred to in subsection (1) of this section or any law enforcement agency:
(a)    Preserve, hold or retain any traffic data, subscriber information or related content, or
(b)   Release any information required to be kept under subsection (1) of this section (21).
  • The right to “order a service provider, through the application of technical means to collect, record, permit, or assist competent authorities with the collection or recording of content data associated with specified communications transmitted by means of a computer system” (22).
  • The Attorney-General of the Federation will “provide appropriate legal framework, guidelines and mechanism for the blocking of offensive or inappropriate web-sites” (24).
  • The Act applies “outside Nigeria, where the victim of the offence is a citizen or resident of Nigeria” (33).

Nigeria’s Cybercrime Act advocates for conformity with the African Union Conventions on Cybersecurity, which is precisely where it has gone wrong. We said it in February and we’ll say it again: the African Union’s approach to cybersecurity is too vague, gives too much power to states and infringes upon freedom of expression and privacy. Nigeria’s legislation cracks down on cybercrime by creating a surveillance state that requires service providers to collect, record and release information; enables the government to disappear that which is offensive; and even extends Nigeria’s power beyond its boundaries.

The digital age has frequently posited that Africa is unique in its capacity to leapfrog into the technological future; Nigeria’s Cybercrime Act, however, exposes the limitations of this notion. If the solution to unfettered cybercrime is to eliminate human rights, there are clearly some steps that have been overlooked.

Thursday 9 July 2015

Google Faces Pressure to Go Global With ‘Right to Be Forgotten’

Consumer Watchdog, a consumer advocacy group, has sent a letter to the United States Federal Trade Commission, asking for Americans to share in Europe’s ‘Right to Be Forgotten.’  
For over a year, Europeans have been empowered by a court ruling to ask Google to remove search engine results that link to inadequate, irrelevant, no longer relevant or excessive personal information. To date, 280,709 requests have been made to remove 1,020,941 URLs; of these, 41% have been removed. In determining which requests to honor, Google weighs personal safety against public interest. In other words, unknown victims are likely to have outdated links removed, public figures are not.

For example, Google granted a Swedish woman’s request to remove links to pages showing her address and an Italian crime victim’s request to remove links to pages discussing the crime, but denied the requests of a UK media professional who regretted content he had posted and a well-known Polish business person who wanted to disassociate himself from a lawsuit. 

Whether links are removed or not, information will continue to exist on the internet—Google merely controls what shows up in its search results. Consumer Watchdog Privacy Project Director John M. Simpson sees the Right to Be Forgotten as a return to the days of Privacy By Obscurity. In his letter, he argued, “Before the Internet if someone did something foolish when they were young—and most of us probably did—there might well be a public record of what happened. Over time, as they aged, people tended to forget whatever embarrassing things someone did in their youth…This reality that our youthful indiscretions and embarrassments and other matters no longer relevant slipped from the general public’s consciousness is Privacy By Obscurity. The Digital Age has ended that. Everything—all our digital footprints—are instantly available with a few clicks on a computer or taps on a mobile device.” 

Simpson proceeded to berate Google for claiming to respect privacy despite not offering Americans the simple protections it offers Europeans: “Google’s own experience in Europe demonstrates that Right To Be Forgotten requests can be managed in a way that is fair and not burdensome for Google.”

Had Simpson spoken with Isabelle Falque-Pierrotin of France’s National Committee on Informatics and Liberty (CNIL), he may have thought twice about making a model of Google’s behavior in Europe. On June 12, CNIL gave Google 15 days to change its delisting practices or risk facing sanctions (a fine of 150,000 Euros). At issue is Google’s practice of limiting the Right to Be Forgotten to country-specific versions of the website, which means that a request submitted in Germany could only be removed from and a request submitted in the United Kingdom from

CNIL states, "In accordance with the CJEU judgement, the CNIL considers that in order to be effective, delisting must be carried out on all extensions of the search engine and that the service provided by Google search constitute a single processing."

Consumer Watchdog is right to ask Google to protect America's Right to Be Forgotten, especially following the company's recent decision to remove requested links to revenge porn. However, the consumer advocacy group needs to set its sights higher than current European practice. In a globalized world with VPNs increasingly the norm, a Right to Be Forgotten on one country's version of Google is only a click away from being very much remembered.

Tuesday 7 July 2015

Facebook Looks to Grow User Base and Ad Revenue From South African Office

Facebook’s ever-expanding reach turns to Africa with last week’s opening of a sales office in Johannesburg. The company plans to focus on Kenya, Nigeria and South Africa before branching out to 9 other countries across East, West and Southern Africa.

In the words of Nicola Mendelsohn, Facebook’s Vice President of Europe, the Middle East and Africa:

“We are inspired by the incredible ways people and businesses in Africa use Facebook to connect. This momentum in Africa comes on top of strong advertiser partnerships and excellent adoption of our products across all regions. In Q1 2015, 52% of our total ad revenue came from outside the US and Canada. But we’re just getting started.

“Africa is important to Facebook, and this office is a key part of our strategy to expand our investment and presence across EMEA. Facebook is already a central part of people’s lives in Africa, and with more than a billion people in Africa, we want to do more to help people and businesses connect.”

According to Reuters, Facebook’s first quarter revenue ($3.5 billion) was nearly all advertising ($3.3 billion), 70% of which was from mobile advertising. Facebook’s first-ever Africa office reflects the company’s growing push to capitalize on revenue beyond the United States and Canada; in the last year, international advertising revenue increased 36%.  

Currently, 120 million of Africa’s one billion residents are Facebook users, already an increase of 20 million as compared to 9 months ago. That there is a growing market is unquestionable, but considering half the continent's inhabitants are offline, tapping into it will take some effort.

As such, recent Facebook developments imply that the company is determined to succeed in this endeavor. Facebook now offers its services via Facebook Lite, a stripped down version of the platform, and, a low-cost, controlled version of the internet. Nearly simultaneous with the opening of the South Africa office, Facebook unveiled a new, simpler logo, specifically designed to be mobile-friendly, the platform of choice in Africa and other emerging markets. The company has even begun to explore the possibility of utilizing drones to bring the internet to those who would otherwise go without.

In short, Facebook will not rest until it can claim the entire earth’s population as users. In light of this fact, it is rather disconcerting that the company altogether abandoned its pretense of altruism this week. Whereas’s website decries the importance of giving “the unconnected majority of the world the power to connect,” Facebook’s newfound presence in Africa appears to be revenue-driven.

The Johannesburg office, headed by Nunu Ntshingila, is strictly composed of business and advertising sorts looking to grow Facebook’s all-important ad revenue. Facebook knows that African ads will not carry the price tag of North American ads and also hopes to better understand the African market in order to encourage well-known international brands to reach out to a new audience, according to Re/code. Yes, Facebook has arrived with a workable business plan.

It is an understatement to say that Facebook has altered the way users approach the internet. In the current climate of data breaches and cyber espionage, we would expect to be sharing less of ourselves on the internet, yet Facebook has convinced us to share more. Facebook’s presence in Africa will provide an entirely new set of users to recruit, data to collect and revenue to enjoy.

Facebook’s arrival in Africa is yet another example of the tech industry outpacing government. In this case, because African governments have been unable to adequately connect their populaces to the internet, they will find themselves overly reliant on Facebook in the years to come.

Thursday 2 July 2015

Lessons Learned: June 2015 Data Breaches

Governments, restaurants, cybersecurity firms and even baseball teams made the cyberattack headlines this past June. The 10 data breaches below are recent examples of what to do (take any and all security precautions), what not to do (open phishy email attachments or recycle passwords) and just how bad a breach can be (OPM). Know of a data breach we missed? Add it in the comments below.
  • Employees that opened a phishing email attachment at the Japan Pension Service unleashed a virus that claimed the personal data of 1.25 million people. The pension IDs and names of all were stolen; the addresses and birth dates of some were also compromised. 
  • Anand Prakash hacked into India-based restaurant search engine Zomato, accessing personal data such as private Instagram photos, to prove it could be done. Zomato fixed the glitch upon learning about it from Prakash, preventing any (known) wrongdoing.
  • Internal Revenue Commissioner John Koskinen of the United States Internal Revenue Service testified in response to hackers accessing the tax information of 104,000 Americans. He shared that the breach was largely attributed to a lack of multifactor authentication, systems updates and security upgrades—all of which had been suggested prior to the attack.
  • The (most likely) Chinese breach of the Office of Personnel Management has already been labeled one of the worst in United States history. The personnel files and background check information of up to 18 million current and former federal government employees and contractors were compromised, revealing a nearly endless supply of personal information: social security numbers, addresses, arrest and financial records, mental illness history, drug and alcohol use and more. If you’re hoping for a silver lining, here it is: the US has finally committed to using https encryption by default for all federal websites by the end of 2016.
  • Hackers used malware to steal credit card information over a 4 month period from customers at Manhattan’s Eataly. Breaches of small retailers have become a common occurrence, as the security tends to be relatively easy to penetrate, and sometimes serve as a test ground before hacking larger entities. Point of sale breaches have increasingly become an issue in North America, where chip technology has yet to catch up with the rest of the world.
  • Kaspersky Lab, the cybersecurity powerhouse, was breached by hackers in an attempt to learn how to infiltrate systems more surreptitiously. The attack showed that even Kaspersky is penetrable, but also that the company has action steps for such an event. A detailed report addressed user concerns: “Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.” 
  • Personal details in UK-based Brabantia’s customer database were compromised; the company assured customers that financial data such as banking and credit card numbers were stored by an external company and, therefore, safe.
  • User information of password service LastPass was compromised, if not breached, in a much-needed reminder that proper precautions prevent major debacles. In the words of LastPass: “Our security and processes worked as designed, and customer data was, and is, protected.”
  • Missing Link Networks Inc., a credit card processor and point-of-sale vendor most closely associated with California wineries, revealed that customer names, credit and debit card numbers, billing addresses and dates of birth were compromised for all transactions processed in April 2015. The breach motivated Missing Link Networks to move to a token system to avoid storing credit card numbers in the future.
  • Major League Baseball’s Houston Astros were breached by the St. Louis Cardinals; compromised was private internal database information regarding trades, statistics and scouting reports. The key to the success of this unsophisticated breach? General Manager Jeff Luhnow and other Cardinals-turned-Astros used the same password in both offices.