Kristijonas Kaikaris, the company director, provided the latest information on the theft and sale of CityBee customer data on Tuesday.
CityBee said Monday that the company was doing everything it could to remove the posted data from the forum.
However, this has not been done so far, and early Tuesday morning the user haxor announced on the forum that he is selling all the stolen information for a thousand USD in bitcoins.
The seller added several screenshots of the supposedly available data. They show the first and last names of CityBee customers, email addresses, phone numbers, residential addresses of those who provided this information, driver’s license numbers, and personal identification numbers.
It seems that data related to the use of CityBee cars is also being sold: the history of reservations and car parking. In total, the personal data of 114,253 thousand people was stolen, including their encrypted passwords.
K. Kaikaris, who said that the stolen data belonged to customers registered before February 2018, explained on Monday that the security of CityBee customers would not be affected in any way: the passwords used had not been made public and were carefully protected.
Arno Strumila / 15min photo / Kristijonas Kaikaris, director of CityBee
He also told a special press conference on Tuesday that the system is much more secure than in 2018, and that passwords are now encrypted differently and are much more difficult to crack.
However, specialists who evaluated the stolen data now offered to potential buyers conclude that customer passwords are just as easy to crack.
CityBee stored customer passwords insecurely, using the SHA1 cryptographic algorithm, and many of the affected users’ passwords were allegedly recovered within seconds.
In other words, the password hash function was used without the so-called “salt” parameter. Storing the hash together with a salt generally prevents hackers from applying even the smartest password guessing techniques.
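The difference between the unsalted SHA-1 storage described above and salted, slow hashing, as an added example that is not CityBee's code. The account names, passwords, candidate list and PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); two users share one password.
ACCOUNTS = {"user_a": "sunshine1", "user_b": "sunshine1", "user_c": "Vilnius2018"}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def sha1_unsalted(password):
    """Scheme described in the article: bare SHA-1 with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_salted(password, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify(password, salt, expected_hex):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(pbkdf2_salted(password, salt)[1], expected_hex)


def accounts_sharing_a_digest(digests):
    """Number of accounts whose stored digest also appears on another account."""
    counts = Counter(digests.values())
    return sum(n for n in counts.values() if n > 1)


def hits_from_one_table(digests, candidates):
    """Accounts matched by a single table of unsalted SHA-1 values built once."""
    table = {sha1_unsalted(word) for word in candidates}
    return sum(1 for d in digests.values() if d in table)


def audit():
    weak = {user: sha1_unsalted(pw) for user, pw in ACCOUNTS.items()}
    records = {user: pbkdf2_salted(pw) for user, pw in ACCOUNTS.items()}
    strong = {user: digest for user, (_, digest) in records.items()}
    guesses = ["sunshine1", "password"]  # constructed candidate list
    return {
        "weak_shared": accounts_sharing_a_digest(weak),
        "weak_hits": hits_from_one_table(weak, guesses),
        "strong_shared": accounts_sharing_a_digest(strong),
        "strong_hits": hits_from_one_table(strong, guesses),
    }


if __name__ == "__main__":
    print(audit())
```

With bare SHA-1, the two accounts that share a password store the same digest and one table built once matches both; with a per-user salt and a slow key derivation function, neither happens.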
Artūras Orševskis, Director of Technology Consulting at KPMG Baltics, writes on Facebook: “A poor encryption algorithm was used, as a result of which the vast majority of passwords are cracked.
It took me a few hours to generate a Citybee Top 10 one-word password database.”
Reuters / Scanpix photo / Hackers
Both A. Orševskis and Marius Pareščius, the director of the public institution “Information Security”, recommend changing passwords in the applications and systems you use as soon as possible. Ideally, passwords should be different everywhere.
Request to change passwords
CityBee updated the incident information Tuesday. As new facts became clearer, CityBee asked its customers who signed up for the company’s system before February 22, 2018 to change their passwords both on CityBee and on other systems where the same or a similar password was used.
K. Kaikaris confirmed that the CityBee customer data released by hackers last night and offered for sale has been expanded: addresses and phone numbers have appeared.
“It is very important that there is no data on payment cards, because CityBee does not collect that data,” noted K. Kaikaris.
CityBee is also setting up a special hotline. All those who registered in the company’s system before February 22, 2018 can already ask questions by email at [email protected]. A hotline will also be established soon.
“We are very sorry. I personally suffered, as did my family and friends. For the moment, our priority is customers, so we have created a direct line.
We are cooperating with the police, cyber security experts and we are explaining the circumstances,” the director of the company, K. Kaikaris, confirmed on Tuesday.
All customers who signed up before February 22, 2018 must change their password. Changing passwords on other systems is also recommended, as they often overlap. Also, passwords must be more complex.
K. Kaikaris finds it strange that the data is being released now, even though it was stolen three years ago; however, many things are still being investigated.
“Criminals are monitoring public space and what is said shows that they are seeking profit,” Kaikaris said, adding that the hackers did not come to CityBee with, for example, ultimatums.
Investigations launched
A Citybee Victims Group has already been created, which states that its sole purpose is “to bring together people who have been affected by a personal data breach and bring a class action.”
Police have also launched a pre-trial investigation into the theft of customer data from the car-sharing service CityBee.
The pre-trial investigation concerns illegal interception of electronic data and illegal connection to an information system.
It is being carried out by the Criminal Police Office in cooperation with the company, the Police Department said Tuesday.
“We ask people not to be tempted by proposals to acquire hijacked data, but to report such proposals to the police through the portal www.epolicija.lt”, the Police Department report reads.
Police also warn against sharing or distributing stolen data and links to where it can be obtained.
The State Data Protection Inspectorate (VDAI) has also announced that it is launching an investigation into the theft of user data from CityBee. It urged victims to change their passwords and not give in to scammers’ provocations to pay ransoms.
Irmanto Gelūno / 15min photo / Citybee
“We are currently working with all the authorities involved in the incident to prevent as much as possible the further illegal processing of personal data, as well as to advise people to take the security measures on which they depend, in particular, to change passwords, not giving in to provocations, following us and the police information about this incident,” said Raimondas Andrijauskas, director of the Inspectorate.
According to the service, a meeting of representatives of the VDAI, the Ministry of Justice and other institutions on the incident is scheduled for Tuesday.
“There is no doubt that private personal data is an invaluable asset and its theft is very sensitive. The State Data Protection Inspectorate has to react with lightning speed in this situation, so we are in direct contact and we are looking forward to the outcome of the investigation, so that, if necessary, we can also adopt the legal data protection regulations. Gray areas cannot stay here,” says Justice Minister Evelina Dobrovolska.
Victims involved in this data security incident can contact the VDAI via its general email address, [email protected], specifying the keyword CityBee in the subject field. Since the VDAI will investigate data breaches at the company on its own initiative, there is no need for victims to file separate complaints.
Those contacting the VDAI should indicate that their data may have been leaked; everything else will be established by the VDAI during the investigation, and potential victims will be contacted personally. The decision will also be made public.
The VDAI points out that, according to the General Data Protection Regulation, an organization that has suffered a data security breach must immediately take all measures to remedy the situation. Among other things, it must notify the VDAI no later than within 72 hours and inform the people involved in this incident whose data may have been affected.