Security News

Mounties bust alleged international hacker

Tuesday, July 19, 2011

A 24-year-old Montreal-area IT security manager was arrested by the Royal Canadian Mounted Police Tuesday and charged with hacking computers worldwide.

The Mounties allege evidence they found on computers belonging to Joseph Mercier suggests he wrote malicious software that took over home and business computers throughout Quebec, the United States, France, Russia and the United Arab Emirates, The (Montreal) Gazette reported.

The software, or virus, was designed to create an international network of slave computers known as a botnet, police said.

RCMP spokesman Cpl. Charles Vallee said it was too early to know how many computers have been infected and investigators are still looking for accomplices, as well as victims.

"It's very hard for a victim to realize [what's] happening in their computer -- most people don't know until they get a phone call from police," he said. "We want to remind people to install up-to-date anti-virus software on their computers."

Read more: http://www.upi.com/Top_News/World-News/2011/07/19/Mounties-bust-alleged-international-hacker/UPI-20241311101417/#ixzz1UZEGH6Bq

T & T Supermarket Website Hacked

Saturday, June 25, 2011

T&T Supermarket, Canada’s largest Asian grocery store chain, has shut down its website after a cyberattack that may have exposed the personal information of 58,000 people.

The company says “unauthorized users” hacked into their website on June 6, 7, 11 and on June 14 to 17.

Customers placing online orders or applying for jobs may also have been tricked into downloading malware onto their computers.

T&T, which is owned by Loblaws, says affected customers could have had their user names, passwords, email addresses, cellphone numbers, street addresses as well as their names compromised.

But the company says it does not collect credit card information, driver’s licenses, birth dates or social insurance numbers through its website.

T&T said it temporarily suspended its website and has brought in security experts to conduct an investigation.

Meanwhile, the company will be contacting affected customers and is advising those who may have been exposed to change their passwords and run an antivirus on their computers.

T&T, which is based in Richmond, B.C., has three locations in Toronto — two in Scarborough and one in the Port Lands — as well as several locations in the GTA, including Vaughan, Markham, Richmond Hill and Mississauga.

Affected customers can contact T&T at pr@tntsupermarket.com or 1-855-296-2342.

http://www.thestar.com/news/article/1014944--t-t-supermarket-website-hacked?bn=1


Roseman: Why is Staples keeping our private purchase data?

Wednesday, June 22, 2011

Jennifer Stoddart, Canada’s privacy commissioner, wants businesses to improve the way they store customers’ personal information – or face being named and shamed in her annual report.

In the 2010 report released this week, she scolds Staples Business Depot for its weak privacy protection practices, such as storing print and copy orders for a one-year period.

She had recommended keeping orders only long enough to let clients address any quality issues – and dismissed the argument that information was stored securely by a third party, requiring consent for disclosure.

“Although Staples says it will inform customers that online submissions will be stored for one year, it is our Office’s view that this information is being retained longer than necessary,” her report said.

The Staples audit, which uncovered 10 issues that required follow-up action, was triggered by customer complaints that personal information remained on computers returned to the store.

The data had not been erased adequately before the computers were resold. And while the retailer later adopted a wipe and restore process, it was not effective for all devices.

Stoddart’s position: If Staples is unable to remove all customer data from a particular manufacturer’s device, it is unacceptable to resell that device.

Online privacy is a big concern for the commissioner, who was reappointed late last year. The growing threats – and our ignorance of them – are described in vivid language that is a delight to read.

“Many people don’t know they’re leaving a trail of digital breadcrumbs when they click their way through websites and from website to website,” she says in the report.

“They don’t know that these crumbs are stored, analyzed and accessible. And they don’t understand that this information may be used in ways they never imagined.

“How many people actually read privacy policies? How knowledgeable are people about securing their home computers or networks?”

She talks about some people living their lives like reality TV stars, enthusiastically sharing even their most intimate thoughts and images online.

Others, who aren’t digital exhibitionists, may still give up plenty of information about themselves.

“By using loyalty cards, for instance, they’re actively trading personal data for retail discounts or other goodies. And that’s just what people do consciously.

“Beneath that lies a whole other layer that most people know little about, including the massive data collection that occurs when people browse Internet websites or make online purchases.”

Here’s a troubling statistic: While private-sector organizations are urged to report data breaches, only 44 incidents were reported last year. That’s down from 58 in 2009 and 65 in 2008.

Companies don’t have to report major data breaches to the privacy watchdog or to individuals affected by them. A bill to bring in mandatory reporting died on the order paper before the last election.

Consumers should have the right to know if personal information entrusted to an organization is disclosed without authorization – with possible harm to their finances, reputation, job opportunities or creditworthiness.

In a complaint resolved by her office, a man checked his credit report and noticed an inquiry from a credit card issuer he’d never dealt with before.

Someone had fraudulently applied for a card in his name. But the application was rejected because some personal information was incorrect.

The credit card company couldn’t remove the inquiry, but was able to have it considered a “soft” inquiry, which was only visible to the complainant and had no impact on his credit score.

In contrast, a “hard” inquiry would be included on that person’s credit report and viewed by other credit granting organizations for years to come.

I applaud Stoddart’s efforts to improve the privacy literacy of Canadians and warn companies about careless data handling.

In Saturday’s column, I’ll talk about a privacy breach by Canada’s biggest home services firm, Direct Energy, which was discovered by a reader and brought to my attention.

Ellen Roseman writes about personal finance and consumer issues. You can reach her at eroseman@thestar.ca.


Source: http://www.moneyville.ca/article/1012911--roseman-why-is-staples-keeping-our-private-purchase-data?bn=1

Facebook, PayPal accounts released by hackers

Friday, June 17, 2011

The hacker group LulzSec is claiming it released log-in information for 62,000 private internet accounts Thursday, including Facebook, PayPal, dating sites, Xbox Live and Twitter.

The list is mostly American accounts but includes hundreds of Canadians, including a CBC journalist from Prince Edward Island, a P.E.I. government worker in the Department of Justice and Safety, and several from the federal government.

Other countries whose citizens were hacked include the United Kingdom, Australia, New Zealand and Brazil.

On its Twitter account, LulzSec said it uploaded the file to a file-sharing site Thursday morning. The site took it down, but it was uploaded again Thursday evening and taken down once more. LulzSec reported thousands of downloads before it was removed.

The group's Twitter feed contains bragging from people who claim to have taken the information and logged on to people's personal sites: taking money from PayPal accounts, replacing dating site profile pictures with pornographic images, and engaging in chats on other people's Facebook.

"Envelope yourself in the sickening realization that you secretly love f--king someone's Facebook life beyond repair," says one tweet from LulzSec.

LulzSec was also in the news this week after claiming it took down the website of the CIA.

Source: http://news.ca.msn.com/top-stories/facebook-paypal-accounts-released-by-hackers


Hackers Target Bioware

Thursday, June 16, 2011

An Edmonton-based online video game company is the latest victim of hacking.

BioWare said hackers tapped into the server for the Neverwinter Nights forum and compromised the account names, passwords, email addresses and birth dates of about 18,000 users. No credit card data was taken.

In April, a massive security breach on the Sony Playstation Network affected over 100 million online accounts.

Technology expert Jesse Hirsh believes the BioWare breach was carried out by the same group of hackers.

"I mean these are the same people who hacked the federal Conservative party website around 10 days ago," Hirsh said.

"Just yesterday they hacked the Central Intelligence Agency. Really a huge range of targets, that for the most part, doesn't really have any political or even financial motivation. For the most part, they claim they're doing it just for kicks."

BioWare customers affected by the breach have either had their accounts disabled or their passwords reset.

Source: http://www.cbc.ca/news/canada/edmonton/story/2011/06/16/edmonton-bioware-hackers.html


Internet espionage on the rise, CSIS says

Tuesday, June 14, 2011

Cyberattacks waged via the Internet are the fastest growing form of espionage, Canada's spy agency says.

The Canadian Security Intelligence Service also warns that the energy, financial and telecommunications sectors are becoming increasingly vulnerable to attack.

In its annual public report, CSIS says it investigated threats against critical systems last year by foreign countries, terrorists and hackers.

Internet-based tools and techniques offer a secure and low-risk means of conducting espionage, the spy service says.

“Increasingly, cyber-related tools and techniques have been added to the methods utilized by hostile actors to attack public- and private-sector systems,” says the report tabled Monday in Parliament.

“CSIS focuses its investigations on politically motivated threats or incidents where the integrity, confidentiality or availability of the critical information infrastructure is affected.”

Internet access at the Treasury Board and Finance departments was cut off in January after what officials called “an unauthorized attempt” to break into their networks.

A routine assessment of both departments last year revealed they had not been following all of the government's information technology security requirements.

CSIS is aware that certain foreign agencies are conducting intelligence operations within Canada, the service's director, Dick Fadden, says in a foreword to the report released Monday.

The spy agency did not respond to a request to interview him.

In a speech last year, Mr. Fadden said state-sponsored espionage against Canada was being conducted at levels equal to or greater than during the Cold War.

Canada is attractive to foreign spies because it's an innovative leader in areas such as agriculture, biotechnology, communications, mining and the aerospace industry, he said.

“Certainly, China has often been cited in media reports as an example of a country that engages in such activity but it would not be exclusive to that country. Just as the Internet is global, so is the cyber threat,” Mr. Fadden said.

Attackers target computer systems to acquire technology, intellectual property, military strategy and commercial or weapons-related information, as well as details of national strategies on a variety of domestic and foreign issues, the CSIS annual report says.

It cites public information describing the use of botnets – networks of compromised machines that can be purchased or rented by potential attackers – as well as rogue e-mails, Twitter and other social networking services to launch attacks.

“CSIS is aware that this cyber-based variant is the fastest growing form of espionage, that the threat of cyberattacks is one of the most complicated issues affecting the public and private sectors and that attacks on the latter have grown substantially and are becoming more complex and difficult to detect.”

The report notes that terrorists and other extremists use online resources – including e-mail, chat rooms, instant messaging, blogs and video-sharing sites – to plan, co-ordinate and execute operations.

“The cyber-related capabilities of various extremist groups have been publicly described as limited at present, but their abilities are developing and evolving,” the report says.

“This was not a concern in the early days of CSIS as there was no broad, worldwide use of the Internet to speak of. Communication between individuals and groups that were targets or persons of interests was much more difficult than it is today and much easier for organizations such as ours to track.”

Terrorism, primarily Islamist extremist violence, remains the greatest threat to the safety and security of the West, including Canadians, adds the report.


Source: http://www.theglobeandmail.com/news/politics/internet-espionage-on-the-rise-csis-says/article2059676/


Hacker claims Conservative database breach

Wednesday, June 08, 2011

A Twitter account that claimed to have hacked the Conservative Party website this week suggested Wednesday it also hacked a party database, and posted names and emails online it said were from that database.

The account, LulzRaft, posted this message Wednesday morning:

"The conservatives said no contributor data was accessed..I wonder where this sample came from then!" and linked to a page on the public text-sharing website Pastebin that listed names and email addresses under the heading "Donation Contributors – A Small Sample."

The list contained more than 5,600 entries, with some names repeated with different email addresses. Donation amounts were not listed, and it is unclear where the names and addresses are from or whether all the names represent donors.

The list appeared to have been removed from the site by midday. Based on the way the information on the posted list was organized alphabetically, it appears the full database that was breached could contain the personal information of tens of thousands of people.

In an email message to the CBC, the anonymous LulzRaft said they deliberately released only a sample of what they obtained, and withheld other information such as addresses and passwords.

The emailer denied any malicious intent or political bias, insisting their objectives were to expose the weakness in the site, and perhaps advance the cause of "more freedom of speech/information online."

The message called the breach of the Conservative website "simply a hack of opportunity."

"We stumbled across the vulnerability. The other parties [sic] sites didn't appear vulnerable," the message said.

Data's source not clear

The information was posted online a day after Conservative Party spokesman Fred DeLorey said Tuesday’s hack was limited only to the party website and did not affect the party’s vast database with personal information about the party’s members.

One database maintained by the Conservative Party, referred to as CIMS, for Constituency Information Management Systems, is a key element of the party's ability to fundraise and campaign effectively across Canada.

It contains detailed personal information collected by the party from not only party members and donors, but also more casual party supporters, as well as voters who may not support the party.

It is unclear whether the information posted Wednesday comes from the database or from the hacked conservative.ca website, which is hosted by a third party.

An old email address belonging to former CBC technology columnist Tod Maffin is among those on the list.

Maffin told CBC News that five years ago he donated $5 to several different political parties while researching a feature for CBC Radio about the parties' online fundraising efforts. He believes this is the only reason this old email address could be on this list.

Party spokesman DeLorey did not respond Wednesday to requests for comment.

Political donations in Canada are not private. Anyone who donates to a political party in Canada has his or her name and the amount of the donation reported to Elections Canada, which in turn puts this information into a searchable database available at the Elections Canada website.

Wednesday's breach involves email addresses, which are not collected by Elections Canada.

The LulzRaft Twitter account also posted a message Wednesday morning saying "the funny thing is, we had more trouble using the conservative party CMS [content management system] then we did hacking the site…literally."

Husky also hacked

LulzRaft also tweeted a link Wednesday to Husky Energy's website, myhusky.ca, which displayed a message under the header "Conservative Appreciation Day," that referred to Tuesday's choking hoax.

"Due to yesterdays Harper hoax, we feel it is necessary to show conservatives that we care. So today, June 8, we will be providing free gas to all conservatives. Just use the coupon code 'hash-browns'," the message on myhusky.ca's front page said.

Graham White, a Husky spokesperson, was unaware of the apparent prank until contacted by CBC News, and confirmed it was a hack. "This is definitely not a Husky initiative," he said. The message was taken down minutes after he was alerted.

On Tuesday, a fake news release appeared on the website that said Prime Minister Stephen Harper had been rushed to hospital after choking on a hash brown at breakfast.

The story posted under the news release section of the website had Ottawa buzzing and people talking about it on Twitter. The Prime Minister’s Office quickly confirmed that it was a fake and that Harper was fine.

In addition to the fake "breakfast incident" report, a link at the bottom of the party's web page was altered to point to the LulzRaft Twitter account.

Messages on that Twitter page referred to the stunt. "Any bets on how long until anyone notices my 'special article'?" a tweet posted Tuesday morning said, with a link to the Conservative website.

Passwords that appeared to be related to the party website were posted under the LulzRaft account on a public text-sharing site in a post dated June 7.

The LulzRaft Twitter account bio makes reference to LulzSec, which in recent weeks has claimed responsibility for the hacking of sites and databases belonging to high-profile multinational corporations such as Honda and Sony, public broadcaster PBS and even the FBI.

It is unclear what relationship there is, if any, between LulzRaft and LulzSec.

Source: http://news.ca.msn.com/top-stories/hacker-claims-conservative-database-breach


Federal Conservatives’ website hacked, reports of Harper choking on hash brown false

Tuesday, June 07, 2011

Prime Minister Stephen Harper was the victim of a hoax Tuesday.

Erroneous information on the hacked Conservative Party website said Harper was rushed to the Toronto General Hospital after choking on a hash brown.

“He took his daughter Rachel to school (in Ottawa) this a.m., came into work and I’m currently sitting across from him,” Harper’s director of communications, Dimitri Soudas, told the Toronto Star Tuesday.

Soudas confirmed that there was “unauthorized access” to the party’s website.

The Prime Minister’s Office was quick to refute the story, but not before at least one Toronto radio station reported it as fact.

The phony posted bulletin said Harper was rushed to TGH by helicopter after his wife called 911.

“He was eating breakfast with his kids when a piece of hash brown lodged in his throat, blocking air reaching his lungs,” stated the bulletin, which suggested Harper would make a full recovery but miss important meetings during the interim.

The Conservative Party is reported to be investigating how the website was hacked.

Source: http://www.thestar.com/news/canada/politics/article/1003855--federal-conservatives-website-hacked-reports-of-harper-choking-on-hash-brown-false?bn=1


Violent extremists using slick web tools to recruit kids

Monday, June 06, 2011

Cyber-bullying, identity theft and online stalking aren't the only things parents need to be vigilant about when their children go on the Internet, authorities say.

A new RCMP report says extremist groups — from Muslim radicals to violent animal rights activists to white supremacists — are employing increasingly sophisticated multimedia tools to attract a young, computer-savvy generation of followers.

"Using bright colours and in some cases, illustrations stylized after children's cartoons that seem inspired by Disney and other leading companies, the websites are visually appealing and in contrast to the malicious content they contain," according to the report, Youth Online and at Risk: Radicalization Facilitated by the Internet.

The Internet allows groups' messages, which often contain distorted views of current events or false rumours, to be sent in near real-time to disaffected youth without filtering, the report says. Any alternative viewpoints are blocked out.

These interactive tools, such as chat rooms and message boards, help to create a sense of community and belonging, and can be used to pass along operational knowledge — such as how to make a pipe bomb — to "newly inspired youth," the report says.

Some sites with graphic images of suicide-bomb attacks have included comment boards to allow viewers to share thoughts and rate the images out of five stars.

The report says several groups have created interactive games online as another way to attract young people:

- A neo-Nazi group inserted racist clues and answers in simple crossword games aimed at children.
- A white-supremacist music label released an online game called "Ethnic Cleansing" where the goal is to kill "subhumans" while dressed as a member of the Ku Klux Klan or a skinhead.
- Other groups have created games where the objectives are to hunt down former U.S. President George Bush and other senior leaders and to kill U.S. soldiers or act as a member of Hezbollah attacking Israel.

"It comes down to knowing the target very well and playing those chords which resonate among that particular community," said security expert Martin Rudner, a professor emeritus at Carleton University in Ottawa.

Rudner cited the case of Said Namouh, a Moroccan-born man convicted in late 2009 in Quebec of several terrorism-related charges, including facilitating the activities of the Global Islamic Media Front.

A witness for the prosecution told the court that the GIMF is one of the most prominent online jihadist media organizations, using a wide array of propaganda, including movies, video games, flash presentations and videos styled as news broadcasts.

The group uploads propaganda materials in multiple languages to different file-sharing websites, constantly creating new links to ensure the videos are perpetually available, the court heard.

The RCMP report is careful to point out that "radical thinking — even when accompanied by disturbing ideologies — is not problematic. In fact radical thoughts have contributed to many great advancements."

"However," the report goes on to say, "when radical thoughts lead to violence and other criminal behaviour, society can be put at risk."

Sgt. Julie Gagnon, a spokeswoman for the RCMP, said Monday that some websites, such as YouTube, and Internet service providers have voluntarily removed violent or extreme content, but the material can be replicated very easily on other servers.

That's why "building community resilience against radicalization to violence" is key, she said.

The RCMP report encourages parents to have "open and frank" dialogue with their children about radical views that can be found online.

"Where it is deemed appropriate, the brutality of violence should be confronted to remove any imagined glory that is put forward by violent extremists," the report says.

Read more: http://www.canada.com/news/Violent+extremists+using+slick+tools+recruit+kids/4902271/story.html#ixzz1OcBqmatO


Scotiabank clients fear identity theft after personal data lost

Monday, June 06, 2011

Michael Binetti, a lawyer who specializes in commercial litigation and competition law with Affleck Greene McMurtry LLP, received a call telling him about the missing information on Saturday.

The 31-year-old was concerned when he heard the news that his personal information might no longer be confidential and could potentially be used by someone to get fraudulent credit cards or establish a fake identity.

“It’s disheartening to know that a company that big can’t keep track of a CD-ROM with confidential information on it,” he told the Star. “I don’t want to be in some situation where some rogue is applying for credit in my name . . . And then I have to prove he’s the imposter.”

“With big organizations there is a certain risk anyway. But it’s disappointing to hear that some courier somewhere has these CD-ROMs and they (the bank) can’t find them.”

Binetti said he was told by a Scotiabank representative the CD-ROMs were mislaid Wednesday and that the bank thought they had been lost internally.

However, the representative said the bank was warning clients just in case so they could monitor their accounts and make sure there was no fraudulent activity. Said Binetti: “What choice did they have? I’m not going to give them credit for being proactive.”

Binetti said he was also told to have a personal credit check done to see if there were any new credit cards listed that he hadn’t applied for.

Other bank clients also contacted the Star to express concern.

In an email to the Star, Scotiabank confirmed the CD-ROMs were missing, calling the incident an “extremely rare occurrence.”

“The parcel containing the three CDs has gone missing while in internal mail between two Scotiabank departments,” Joe Konecny, a media spokesman for the bank, said in the email.

“Based on our investigation, we believe that the CDs were misdirected in internal mail and we have no reason to believe that this incident puts our customers at risk.

“We are notifying customers as a precaution. The Canadian privacy commissioner has also been advised.”

Scotiabank also confirmed the discs contained the names, mailing address, social insurance numbers, registered account type and account numbers for clients. They, however, did not contain account balances or other financial or employment information, according to Scotiabank.

But how many people have been affected remains unclear. Scotiabank would only say a “small percentage” of clients had their confidential information on the CD-ROMs.

The discs were to be sent to the Canada Revenue Agency as part of the bank’s requirements to provide such information to the agency. The bank has strict processes and procedures in place to protect customer privacy and confidentiality, the statement added.

But that doesn’t ease Binetti’s mind. “The lesson for consumers is don’t assume because you’re dealing with a big organization that they have control over your information the whole time,” he said.

Source: http://www.healthzone.ca/health/article/1003204--scotiabank-clients-fear-identity-theft-after-personal-data-lost
