Welcome to This Week's [in]Security. This week: PCI telephony updates. A record-setting post-GDPR breach at Starwood/Marriott. Breaches at Dell, Atrium Health, Sky Brasil, Dunkin' Donuts, Sotheby's Home, Data & Leads, and an unidentified Elasticsearch server. Uber fined. Back-dooring Oz. Nosy CRA workers. Criminal volunteers on an open-source project and Trojaned code to steal crypto-wallets. And, faking DNA evidence.
Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI updates on telephony and VoIP:
Possibly the largest post-GDPR breach goes to the Starwood hotel chain (acquired by Marriott in 2016), which was breached for a third time. The prior breaches were limited to its POS systems. This breach of the guest reservation database went undetected for four years, affects 500M guests, and included contact information, dates of birth, travel information, passport numbers, and AES-encrypted payment card data. Reports are uncertain whether the encryption keys were also compromised. The breach was detected in September and reported to the SEC in November. There is no word whether any required GDPR filings were made. Based on Marriott's annual report, the fines under GDPR (up to 4% of global annual turnover) could approach $1B. Reports at:
NIST publications: