[Security Weekly] H&M Faces $41 Million GDPR Fine Over Employee Privacy Violation

2nd Week of October 2020


1. H&M fined $41 million under GDPR over employee privacy violation

A German subsidiary of Hennes & Mauritz AB (H&M), the second-largest fashion retailer in the world, was issued a fine of €35.2 million (roughly $41 million) by the Hamburg Commissioner for Data Protection and Freedom of Information (Hmb BfDI) over the misuse of sensitive employee data.

The fine was solely directed at Bayern-based subsidiary H&M Hennes & Mauritz Online Shop AB & Co. KG, making it the fourth-largest GDPR fine in history and the second-largest against a single legal entity.

Since 2014, the company had been storing sensitive information on their employees’ private lives, including their physical and psychological health conditions, religious beliefs, family issues, and vacation experiences. All this information was collected from one-to-one conversations between the employees and their supervisors, routinely held after coming back from vacations and personal leaves. Some of the information was accessible by dozens of managers.

According to GDPR guidelines, most of these collected data were deemed completely unnecessary for business use, making the collection and storage of such data a serious violation of the employees’ civil rights. Apart from facing the fine, H&M has agreed to compensate all employees who have been working or had worked at the impacted subsidiary since May 2018, when GDPR became effective.

Looking for an encryption solution to meet GDPR compliance? Check out D’Amo.

Sources: BBC, Business Insider, Infosecurity


2. Unpatchable hardware flaw exposes Macs and MacBooks to security attacks

Various security researchers claimed that they were able to gain control over macOS devices by utilizing a combination of two pre-existing vulnerabilities for jailbreaking iOS devices: Checkm8 and Blackbird. The flaw affects all macOS devices built with the Apple T2 Security Chip, including the iMac 2020, iMac Pro, Mac Pro 2019, Mac mini 2018, MacBook Air 2018 and later, MacBook Pro 2018 and later.

The Apple T2 Security Chip is a Secure Enclave Processor (SEP) built alongside the main Intel processors, serving as both a co-processor and a security chip. Not only does it partially relieve the burden of the main processors, it also handles sensitive data, processing cryptographic operations, database encryption, TouchID authentication, and database encryption.

This new flaw can be exploited by simply inserting a USB-C cable along with jailbreak software Chckra1n version 0.11.0 into one of the vulnerable devices. This would automatically take over the device when it reboots, allowing the attacker to gain access to sensitive data, recover encrypted data, and inject malware.

Since this is a hardware-based flaw, it cannot be patched with software updates. Users of the vulnerable devices must take extra precautions by never leaving their devices unattended in public places. Organizations that use large numbers of Macs and MacBooks must also protect their offices from outsiders.

Sources: ZDNet, Threatpost


3. Food delivery service Chowbus suffers data breach impacting 800,000 customers

US-based Asian food delivery service Chowbus suffered a data breach that compromised the private records of customers and listed restaurants. With presence in the US, Canada, and Australia, Chowbus users can use its mobile app to order food from their local Asian food restaurants and have it delivered to their doors.

On October 5, Chowbus users reported on Twitter about receiving an email that contained the download links to two CSV files from the Chowbus’ database. The first file contained the names, phone numbers, addresses, and commission rates for 4,300 listed restaurants on the platform. The second file contained the names, phone numbers, home addresses, and email addresses of 803,350 customers.

Chowbus Founder and CEO Linxin Wen immediately issued a statement to all customers confirming the data breach, while reassuring them that their passwords and credit card information were safe. As of now, it is still unclear who the attackers were. Experts suspect that it could be a revenge attack from a former employee of the company.

Sources: SiliconANGLE, Infosecurity


4. International Maritime Organization shuts down web services following cyberattack

The International Maritime Organization (IMO) issued a press release disclosing that it had suffered a cyberattack, forcing it to shut down its main website along with other web services. The IMO is a regulatory body of the United Nations in charge of setting policies and laws with regards to shipping, maritime safety and security, and maritime environmental protection.

The attack took place on October 1, forcing the organization to immediately shut down all impacted systems to prevent the attack from spreading. The IMO claimed to have one of the most sophisticated security systems. With its main servers located in the UK, it routinely tests its backup and restoration servers in Switzerland.

The source of the attack remains unclear, and the IMO did not disclose whether it was a ransomware attack or not. It does appear that the organization has successfully restored its systems with its extensive restoration measures.

This attack occurred at an ironic time when the IMO had been under fire after introducing a new policy called “IMO 2021”, requiring all ship operators to invest in proper cybersecurity measures. It also came a week after the world’s fourth-largest shipping firm CMA CGM was hit by ransomware.

Sources: gCaptain, ZDNet


5. Chinese hacker group launches rare UEFI firmware attack against NGOs

A Chinese-speaking hacker group was discovered by Kaspersky to be involved in a large-scale UEFI firmware attack against diplomats and NGOs around Asia, Europe, and Africa, with its focus being to gather diplomatic and strategic information related to North Korea.

UEFI (Unified Extensible Firmware Interface) is embedded in the motherboard of all computers, allowing for hardware modifications and serving as the interface between the hardware and the OS (i.e. Windows, macOS). In simple words, an infection on the UEFI is an infection on the hardware, making it immune to factory resets. As scary as it sounds, compromising a UEFI is extremely rare and difficult because it either requires direct access to a machine, or demands sophisticated attacks on the supply chain where the UEFI firmware is modified to automatically inject malicious code.

According to Kaspersky, only two computers were infected directly. However, the modified UEFI installed a malicious application to the computer after every restart, and quickly spread the malware to a number of carefully selected devices that belonged to diplomats and NGO members that have connections to North Korea.

This is the second case of UEFI firmware attack discovered by Kaspersky. The first one was launched by state-sponsored Russian hackers back in 2018.

Sources: Cyberscoop, ZDNet


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security