Security News Survey – April 12, 2019

A look at a security flaw among hotel booking websites, an update on Yahoo’s data breach settlement, and a second TRITON critical infrastructure attack.

The weather is starting to warm up here in the Northern Hemisphere, and it’s about time! With spring in full swing and summer ahead, many folks are starting to plan a beach getaway or a mountain escape. If you’re planning to be one of these travelers, you might want to think twice about booking your hotel online.

Most hotel booking sites leak guests’ personal data

New research has revealed that two-thirds of hotel booking websites are leaking guests’ personal information to third parties. The study investigated more than 1,500 hotels across 54 countries and found that 67 percent of the hotels were putting information like names, email addresses, home addresses, phone numbers, and even passport numbers at risk of compromise. According to the research, the emails sent to guests contain a direct link to the guest’s reservation page, which doesn’t require a login. And it seems the booking code attached to the link is often shared with different service providers, like social networks, analytics services, advertising services, and more. This “security flaw” is being addressed by most of the hotels, according to the researchers.

Yahoo data breach settlement

Yahoo has spent the better part of the last five years dealing with the fallout from data breaches the company suffered in 2013 and 2014. And, as we all recall, the former breach impacted every Yahoo user at the time—all three billion of them. Yahoo, now owned by Verizon, has been negotiating various legal battles resulting from these breaches, including a class action lawsuit that seems to be nearing a settlement. This week, Yahoo proposed a new settlement with victims of the 2013 data breach for a total sum of $117.5 million, after a judge rejected the company’s previously proposed $50 million offer. The settlement encompasses credit monitoring services, attorney’s fees, out-of-pocket expenses resulting from identity theft or fraud, and more. The proposed figure is still under review by the judge but, if accepted, the settlement will become the largest payment for a data breach to date, beating out last year’s Anthem settlement by $2.5 million.

TRITON strikes another critical infrastructure target

A second critical infrastructure facility has been hit by attackers leveraging TRITON (aka TRISIS), malware discovered in 2017 after an attempt to infiltrate and destroy a petrochemical plant in Saudi Arabia. The same security researchers who documented the 2017 attack now report that TRITON has again been seen in action, this time in an unidentified critical infrastructure target. Although we don’t know the type of facility or its location, the researchers did share that the facility shut down before severe damage could occur. We’ll have to wait to see if the researchers are able to share more details in the coming weeks.

Intrusions that focus on industrial control systems (ICS) can cause crippling, if not catastrophic, damage. In the 2017 attack, attackers leveraged TRITON not just to paralyze the petrochemical plant, but to trigger an explosion. The attackers were extremely sophisticated and, according to researchers, likely supported by a nation-state. Thankfully, it seems neither attack has been successful in its end goal, but the fact that TRITON has popped up again, and apparently in another critical infrastructure target, suggests that we haven’t seen the last of the hacking group behind these attacks.