January 25, 2023

Meta Fined More Than $600 Million For Facebook and Instagram Privacy Breaches

January 5, 2023

Facebook and Instagram parent company Meta has been issued two fines by the Irish Data Protection Commission. The fines, totalling 390 euros (606 million dollars), were issued because users were forced to agree to personalized adverts, in breach of privacy rules. Fines issued to Meta by the Data Protection Commission now exceed $1 billion USD, with WhatsApp potentially facing additional fines.

Data Security Perspective: Companies must ensure that they comply with all applicable data protection laws, as non-compliance can result in huge fines.

Scripps Health, Avalon Healthcare Reach Settlements After Data Breaches

January 3, 2023

Healthcare company Avalon Health has reached a $200,000 settlement with the states of Oregon and Utah concerning data breaches. The data breaches occurred in 2020 and led to threat actors gaining access to the PII and health data of 14,500 employees and patients after a phishing attack. In addition to the fine, the settlement requires Avalon to create a security program with policies and procedures to ensure compliance with data privacy laws. Along with Avalon, Scripps Health, another healthcare company, has also been fined for a data breach. In 2021, a ransomware attack led to hospital outages, with threat actors gaining access to and stealing patient data. Scripps has been fined $3.5 million for the breach and reportedly lost $112.7 million in revenue due to the attack.

Data Security Perspective: Organizations dealing with sensitive information, especially health data, need to have practices in place to prevent any breach or exposure of that data. Many companies are facing huge fines because they did not have appropriate security programs in place.

Deezer Admits Data Breach That Potentially Exposed Over 220 Million Users' Info

January 4, 2023

Music streaming platform Deezer has announced that it suffered a data breach that may have exposed the data of over 220 million users. The breach occurred in 2019 when a third-party partner experienced a breach. The data, sold on a cybercrime forum, contained user information, including names, dates of birth, and email addresses from across Europe, the United States, and South America.

Data Security Perspective: Using a third party can create data exposure and breach risk. Companies should ensure that adequate security measures are in place when using a third party. Additionally, affected users should watch for any fraudulent activity that may arise from having their information exposed.

McGraw Hill's S3 Buckets Exposed 100,000 Students' Grades and Personal Info

December 20, 2023

Education company McGraw Hill has suffered a data breach due to exposed S3 buckets. The misconfigured buckets contained information on over 100,000 students, as well as source code and keys, totaling over 22 terabytes of data. The exposed data included names, email addresses, grades, performance reports, and syllabus material. The misconfigured bucket appears to have been exposed since as early as 2015.

Data Security Perspective: Misconfigured S3 buckets commonly cause data exposures. S3 users should configure buckets with appropriate security configurations and monitor them for compliance. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.

Related Magpie Rules:  aws-storage-s3-default-encryption-kms.yaml | aws-storage-s3-bucket-default-lock-enabled.yaml | aws-storage-s3-bucket-level-public-access-prohibited.yaml | aws-storage-s3-bucket-public-write-prohibited.yaml | aws-s3-best-practices.yaml
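
The kind of bucket checks the rule names above point to (public access blocked, no public write grants, KMS default encryption, Object Lock enabled), as an added example that is not Open Raven's or Magpie's code. It runs offline over constructed snapshots shaped like S3 API responses; the finding names, bucket names and the `audit_bucket` helper are assumptions made for illustration.

```python
# Added example: offline audit of constructed S3 configuration snapshots.
# Field names follow the S3 API responses named in the comments below.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(cfg):
    """Return a sorted list of finding names for one bucket snapshot."""
    findings = set()
    # GetPublicAccessBlock: a missing configuration counts as not blocked.
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        findings.add("public-access-not-blocked")
    # GetBucketAcl: write-capable grants to the predefined global groups.
    for grant in cfg.get("Grants", []):
        if (grant.get("Grantee", {}).get("URI") in GLOBAL_GROUPS
                and grant.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL")):
            findings.add("public-write-grant")
    # GetBucketEncryption: default encryption should use a KMS key.
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos & {"aws:kms", "aws:kms:dsse"}:
        findings.add("no-kms-default-encryption")
    # GetObjectLockConfiguration: Object Lock must be enabled.
    if cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") != "Enabled":
        findings.add("object-lock-disabled")
    return sorted(findings)

# Constructed sample snapshots (hypothetical bucket names, not real data).
SAMPLE = {
    "example-open-bucket": {
        "Grants": [{"Grantee": {"Type": "Group", "URI":
                    "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "WRITE"}],
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    },
    "example-hardened-bucket": {
        "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
        "Grants": [],
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"},
    },
}

if __name__ == "__main__":
    for name, cfg in SAMPLE.items():
        print(name, audit_bucket(cfg))
```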