Meta fined $101.5M for 2019 breach that exposed hundreds of millions of Facebook passwords


Image Credits: Bryce Durbin / TechCrunch

Reset your clocks: Meta has been hit with yet another privacy penalty in Europe. On Friday, Ireland’s Data Protection Commission (DPC) announced a reprimand and a €91 million fine — around $101.5 million at current exchange rates — after concluding a multiyear investigation into a 2019 security breach by Facebook’s parent company.

The DPC opened a statutory inquiry into the incident in question in April 2019 under the bloc’s General Data Protection Regulation (GDPR) after Meta, or Facebook as the company was still called back then, notified it that “hundreds of millions” of users’ passwords had been stored in plaintext on its servers.

The security incident is a legal issue in the European Union because the GDPR requires that personal data is appropriately secured.

After investigating, the DPC concluded that Meta failed to meet the bloc’s legal standard because the passwords were not protected with encryption. This created a risk, as third parties could potentially have accessed the sensitive information people store in their social media accounts.

The regulator, which leads on oversight of Meta’s GDPR compliance, also found Meta broke the rules by failing to notify it of the breach within the required time frame (the regulation generally stipulates breach reporting should take place no later than 72 hours after becoming aware of it). Meta also failed to properly document the breach, per the DPC.

Commenting in a statement, deputy commissioner Graham Doyle wrote: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

Reached for a response to its latest GDPR sanction, Meta spokesperson Matthew Pollard emailed a statement in which the company sought to play down the finding by claiming it took “immediate action” over what had been an “error” in its password management processes.

“As part of a security review in 2019, we found that a subset of FB [Facebook] users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta wrote. “We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”
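The failure described here, passwords written to internal logs in readable form, is usually prevented at the logging layer rather than by developer discipline alone. The following Python is an added example, not Meta’s code or anything from the DPC’s findings: a redaction filter that scrubs credential fields from log records before any handler writes them, and a scanner that flags lines in an existing log that still carry a readable secret. The field names and log lines are constructed for illustration.

```python
import logging
import re

# Field names whose values must never appear in a log line in readable form.
# These names are assumptions for the example, not Meta's field names.
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "token", "session")

# Matches key=value, key: value and JSON-style "key": "value" pairs for the
# keys above (case-insensitive, allowing suffixes such as session_token).
# The value runs up to the next separator or closing quote.
_SECRET_RE = re.compile(
    r'(?P<key>"?(?:%s)[A-Za-z0-9_]*"?\s*[:=]\s*"?)(?P<val>[^,;&\s"}]+)'
    % "|".join(SECRET_KEYS),
    re.IGNORECASE,
)


def redact_credentials(text: str) -> str:
    """Replace every secret value in `text` with a fixed marker."""
    return _SECRET_RE.sub(lambda m: m.group("key") + "[REDACTED]", text)


class CredentialRedactingFilter(logging.Filter):
    """Scrub the rendered message of each record before a handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_credentials(record.getMessage())
        record.args = ()  # message is already rendered; drop the raw args
        return True


class _ListHandler(logging.Handler):
    """Collect formatted log lines in memory so the example can return them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_logging() -> list[str]:
    """Log two messages that carry credentials and return what was written."""
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.addFilter(CredentialRedactingFilter())  # attach to every handler
    logger.addHandler(handler)
    logger.info("login attempt user=%s password=%s", "alice", "hunter2")
    logger.info('api call body={"token": "eyJabc", "ok": true}')
    return handler.lines


# Constructed sample of an existing log file: lines 2 and 3 leak secrets,
# line 4 only mentions the word "password" and must not be flagged.
SAMPLE_LOG = [
    "2019-03-21T10:00:01Z INFO login ok user=alice",
    "2019-03-21T10:00:02Z DEBUG auth request user=bob password=hunter2",
    '2019-03-21T10:00:03Z DEBUG session created {"user": "carol", "session_token": "abc123"}',
    "2019-03-21T10:00:04Z INFO password reset requested user=dave",
]


def scan_log_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, redacted line) for each line still holding a readable secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        leaks = [m for m in _SECRET_RE.finditer(line) if m.group("val") != "[REDACTED]"]
        if leaks:
            findings.append((number, redact_credentials(line)))
    return findings


if __name__ == "__main__":
    for line in demo_logging():
        print(line)
    for number, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {number} leaked a credential: {line}")
```

The scanner reports the redacted form of each offending line so the finding itself can be filed without copying the secret a second time.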

Meta had already racked up a majority of the largest GDPR penalties handed out to tech giants, so the latest sanction merely underscores the scale of its problems with privacy compliance.

The penalty is notably stiffer than the €17 million fine the DPC handed to Meta in March 2022 over a 2018 security breach. The Irish regulator has had a change of senior management since then. However, the two incidents are also different: Meta’s earlier security lapses affected up to 30 million Facebook users, compared to the hundreds of millions whose passwords were said to have been exposed as a result of its failure to secure passwords in 2019.

The GDPR empowers data protection authorities to issue fines for breaches where the amount of any penalty is calculated based on factors such as the nature, gravity and duration of the infringement; the scope or purpose of the processing; and the number of data subjects affected and level of damage suffered, among other considerations.

The highest possible penalty under the GDPR is 4% of global annual turnover. So, in Meta’s case, a €91 million fine may sound like a significant chunk of change — but it remains a tiny fraction of the billions the company could theoretically face, given its annual revenue for 2023 was a staggering $134.90 billion.


Hacker claims data breach of India's eMigrate labor portal


Image Credits: Jagmeet Singh / TechCrunch

A hacker claims to be selling an extensive database associated with an Indian government portal meant for the blue-collar workforce emigrating from the country.

Launched by India’s ministry of external affairs, the eMigrate portal helps Indian labor legally emigrate overseas. The portal also provides emigration clearance tracking and insurance services to migrant workers.

According to a listing on a known cybercrime forum that TechCrunch has seen, the pseudonymous hacker published a small portion of the data containing full names, email addresses, phone numbers, dates of birth, mailing addresses and passport details of individuals who allegedly signed up to the portal.

TechCrunch verified that some of the data published by the hacker appears genuine. Similarly, TechCrunch validated the phone numbers found in the published data using a third-party app. One of the records pertained to an Indian government foreign ambassador, whose information in the sample matches public information. A message sent by TechCrunch to the ambassador via WhatsApp went unreturned.

It is unclear whether the data was obtained directly from the eMigrate servers or through a previous breach. The hacker did not share the exact details of when the breach allegedly occurred, but claims to have at least 200,000 internal and registered user entries.

At the time of publication, India’s eMigrate portal says about half a million people were granted emigration clearance in 2023.

When reached by email about the data breach, India’s computer emergency response team, known as CERT-In, told TechCrunch that it was “in [the] process of taking appropriate action with the concerned authority.” India’s ministry of external affairs did not respond to multiple requests for comment.

This is thought to be the latest cybersecurity incident affecting the Indian government in recent months. Earlier this year, TechCrunch exclusively reported on a data leak affecting the Indian government’s cloud service that spilled reams of sensitive information on its citizens. Soon after, it was discovered that scammers had planted online betting ads hidden on Indian government websites.


Newsletter writer covering Evolve Bank's data breach says the bank sent him a cease and desist letter


Image Credits: Karl Tapales / Getty Images

The situation around a data breach that’s affected an ever-growing number of fintech companies has gotten even weirder. Evolve Bank & Trust announced last week that it was hacked and confirmed the stolen data has been posted to the dark web. Now Evolve has sent a cease and desist letter to the writer of a newsletter who has been covering the ongoing situation.

Jason Mikula, author of respected industry publication Fintech Business Weekly, told TechCrunch that he received a cease and desist letter from the bank telling him not to share files from the dark web with any allegedly impacted fintech companies.

Mikula told TechCrunch that he wasn’t actually doing such sharing, but he was offering to do so and did see some of the files. Looking at hacked information is a common practice among journalists when reporting on security breaches, as a way to confirm that a breach happened and what was taken.

In this case, Mikula said he’s connected with four people who have access to some of the files that were stolen in the breach and posted on the dark web and has reviewed some of the data himself.

The crux of the problem is that not all the impacted fintechs have received details about what information was stolen in the breach, according to Mikula’s industry sources. 

“As I understand it, some fintechs hadn’t gotten ‘confirmation’ from Evolve about what had been breached and thus hadn’t acted to mitigate risk or inform users,” Mikula told TechCrunch.

Mikula believes that “seeing the files would let them (1) confirm the breach had happened and examples of what data fields were included and (2) allow them to identify specific customers that had been impacted,” he said.

Mikula was posting information on the fintechs confirmed to be involved on X and reporting on it in his newsletter. So much so that X users like Parrot Capital have heaped praise upon him. “Jason has been providing better customer service for those affected by the Evolve Bank breach than anyone else,” Parrot posted on X.

Mikula said yesterday he “woke up to the C&D.” He added that he was reporting on the situation responsibly and would continue to do so. TechCrunch has reached out to Evolve for comment.

Meanwhile, while Evolve was sending letters from lawyers to Mikula, on July 1, a group of senators publicly urged those involved with a fintech in trouble, Synapse, to act. They want Synapse’s owners, its fintech and bank partners — including Evolve — to “immediately restore customers’ access to their money.” Synapse was pressured to file for Chapter 7 bankruptcy in May, liquidating its business entirely. Customers have been frozen out ever since. 

The senators implicated both the partners and investors of the company as being responsible for any missing customer funds. The senators’ letter alleges that $65 million to $95 million worth of funds are missing, but Synapse and all other players, including Evolve, assert that if this is true, they are not the ones responsible. They are all pointing fingers at others. 

The letter was addressed to W. Scott Stafford, president and CEO of Evolve Bank & Trust, but was also sent to major investors in bankrupt banking-as-a-service startup Synapse, as well as to the company’s principal bank and fintech partners.


HealthEquity says data breach is an ‘isolated incident’


Image Credits: MirageC / Getty Images

On Tuesday, health tech services provider HealthEquity disclosed in a filing with federal regulators that it had suffered a data breach, in which hackers stole the “protected health information” of some customers. 

In an 8-K filing with the SEC, the company said it detected “anomalous behavior by a personal use device belonging to a business partner,” and concluded that the partner’s account had been compromised by someone who then used the account to access members’ information.

On Wednesday, HealthEquity disclosed more details of the incident with TechCrunch. HealthEquity spokesperson Amy Cerny said in an email that this was “an isolated incident” that is not connected to other recent breaches, such as that of Change Healthcare, owned by the healthcare giant UnitedHealth. In May, UnitedHealth CEO Andrew Witty said in a House hearing that the breach affected “maybe a third” of all Americans.

HealthEquity detected the breach on March 25, when it “took immediate action, resolved the issue, and began extensive data forensics, which were completed on June 10.” The company brought together “a team of outside and internal experts to investigate and prepare for response.” The investigations determined that the breach was due to the compromised third-party vendor account having access to “some of HealthEquity’s SharePoint data,” according to Cerny.


SharePoint is a set of Microsoft tools that allows companies to create websites, as well as store and share internal information — essentially an intranet.

Cerny also said that “transactional systems, where integrations occur, were not impacted,” and that the company is notifying partners, clients and members, and has been working with law enforcement as well as experts to work on preventing future incidents. 

TechCrunch asked Cerny to specify what personally identifiable and “protected health” information was stolen in this breach, how many people have been affected and what partner was involved. Cerny declined to answer all of these questions. 

Earlier this year, HealthEquity reported that the company and its subsidiaries “administer HSAs and other CDBs for our more than 15 million accounts in partnership with employers, benefits advisers, and health and retirement plan providers.”

HealthEquity data breach affects 4.3M people


Image Credits: MirageC / Getty Images

HealthEquity is notifying 4.3 million people following a March data breach that affects their personal and protected health information.

In its data breach notice, filed with Maine’s attorney general, the Utah-based healthcare benefits administrator said that although the compromised data varies by person, it largely consists of sign-up information for accounts and information about benefits that the company administers.

HealthEquity said the data may include customer names, addresses, phone numbers, their Social Security number, information about the person’s employer and the person’s dependent (if any), and some payment card information. 

HealthEquity provides employees at companies across the United States access to workplace benefits, like health savings accounts and commuter options for public transit and parking. At its February earnings, HealthEquity said it had more than 15 million total customer accounts.

In its data breach notice, HealthEquity said it discovered the data breach after finding unauthorized access in an “unstructured data repository” outside of its core network that contained customers’ personal and health information. Some of the stolen data also includes information about diagnoses and prescriptions, the company said.

The notice said that the breach occurred because a user account of one of HealthEquity’s vendors was compromised and their password stolen, which was used by the malicious hacker to access the data repository.

When reached for comment, HealthEquity would not name the third-party vendor. The company previously told TechCrunch that the compromised third-party vendor account had access to “some of HealthEquity’s SharePoint data,” referring to Microsoft SharePoint, which allows companies to create their own internal intranets. 

Several other companies in recent years, including Activision, Snowflake, and Worldcoin, have experienced security incidents because of employee password theft, often by way of password-stealing malware, which scrapes the passwords and credentials found on an employee’s computer. Some password-stealing malware can skirt multifactor authentication, a security feature that can block some password theft attacks, by stealing session tokens, which are stored on an employee’s computer to keep them persistently logged in. When stolen, session tokens can be used to gain access to the company’s network as if the hacker were that employee.

HealthEquity spokesperson Stacie Saltzgiver reiterated that the data breach was an “isolated incident” and confirmed that it was unrelated to the recent breaches of customer data held by cloud giant Snowflake.

HealthEquity has published a data breach notification on its website. When TechCrunch checked the website notice, HealthEquity had included a hidden “noindex” directive on the page that tells search engines to ignore the web page, effectively blocking affected individuals from finding HealthEquity’s data breach notice in search results. 

When asked by TechCrunch, the company’s spokesperson did not comment on the inclusion of the code.

