New survey sheds light on US password hygiene. Update on the Pegasus scandals in Spain. Data breach reported by IKEA Canada.

At a glance.

  • New survey sheds light on US password hygiene.
  • Update on the Pegasus scandals in Spain.
  • Data breach reported by IKEA Canada.

New survey sheds light on US password hygiene.

Just in time for World Password Day, a survey conducted by insights and analytics firm Ipsos on behalf of Google shows that 84% of Americans are very concerned about the security and privacy of their personal data on the Web. More than a third of respondents said they had been affected by a data breach. Ipsos reports that while 92% of those respondents changed their passwords after being exposed, many Americans in general still engage in behaviors that could put their online information at risk.

About two-thirds of respondents admit to reusing the same password for multiple online accounts, and one-third say they have shared a password with someone else. A fifth use passwords that are easy to guess, and more than half include personal information such as names or dates of birth in their passwords. On the positive side, 73% of respondents say they use multi-factor authentication and about 44% use a password manager. The pandemic and the resulting increase in online activity do not appear to have had much of an impact on password hygiene, as the majority of respondents say their behavior has not changed.

Update on the Pegasus scandals in Spain.

As noted earlier, digital rights group Citizen Lab recently discovered that the phones of dozens of pro-independence supporters in Spain’s Catalonia region were infected with Pegasus spyware. According to Gabriel Rufián, a leading member of a Catalan pro-independence party, senior Spanish intelligence official Paz Esteban admitted in a closed-door meeting that the Spanish National Intelligence Center (CNI) had hacked into the mobile phones of “some” targeted politicians, SecurityWeek reports. However, Esteban says the CNI had the required judicial authorization for the surveillance. Rufián said: “They (the CNI) admit the espionage, but say it was carried out against far fewer people than those cited by Citizen Lab.”

When the surveillance first came to light, Catalan separatists suggested the CNI was likely behind the hack. Spanish officials have insisted that the CNI is not allowed to tap phones without judicial authorization, but admitted that secrecy laws prevent the agency from confirming whether or not it uses Pegasus. Although the CNI and the Spanish ombudsman said they would investigate the hacks, Esteban Beltrán, Amnesty International’s director for Spain, said: “This committee, characterized by its secrecy and obscurantism, cannot be considered as the appropriate place to investigate allegations of human rights violations.”

To complicate matters further, earlier this week the Spanish government discovered that the mobile phones of Prime Minister Pedro Sánchez and Defense Minister Margarita Robles had also been infected with Pegasus last year. The revelations have Spaniards wondering just how widespread the espionage is and who might be behind it. Citizen Lab Principal Investigator John Scott-Railton said, “Being a victim doesn’t preclude you from being an aggressor when it comes to Pegasus.”

Report: IKEA Canada experiences a data exposure incident.

IKEA Canada has revealed that an employee improperly accessed customer records during an unspecified search and that the data of up to 95,000 customers may have been exposed. Global News reports that the company has submitted a data breach report to the Office of the Privacy Commissioner of Canada.

Erfan Shadabi, cybersecurity expert at comforte AG, believes the incident highlights the need for both exfiltration controls and, of course, encryption:

“The data breach incident that IKEA Canada disclosed, about an employee who ‘searched’ and accessed sensitive customer information, heightens the threat posed by the ‘inside job’. When we hear of careless handling of sensitive information, we begin to wonder how secure our own data is within the many different data ecosystems that house and process it. Employees are generally granted some level of trust with company data, even if they do not have access to all information within the organization. Working from the inside with an implicit level of trust means the insider has more time to develop and execute an effective exfiltration strategy.

“The answer to countering this threat is to recognize how vulnerable organizations are from within and to adopt security postures like Zero Trust, which deny implicit trust to users, devices and other entities, regardless of their location within the network.

“Also, protect all sensitive company data with more than just perimeter security, even if you think the impenetrable vault you’ve stored everything in is foolproof, and protect the sensitive information itself in case threat actors, internal or external, end up in your data ecosystem.”

Erich Kron, Security Awareness Advocate at KnowBe4, thinks IKEA Canada actually caught an incident that many organizations simply wouldn’t have noticed:

“Privacy is a difficult challenge for any organization, especially when dealing with internal employees who often need some of this information to perform their legitimate duties. In this case, it appears that the data was not stolen by cybercriminals, but accessed by an inside source. IKEA quickly gathered the facts, assessed the issue, and took steps to ensure the data remained under the organization’s control.

“To their credit, IKEA spotted the type of data access that many organizations would not have noticed, and by providing the information to the Office of the Privacy Commissioner of Canada, allowed potential victims to take the necessary measures to protect themselves. … store layout, tracking when and where data may have been accessed, especially by an internal employee, can lead down an ever-meandering path full of false flags and unnecessary distractions, often resulting in the discovery of nothing useful.

“Organizations should ensure that they periodically confirm the type of data employees can access and should limit it to the minimum necessary to perform their jobs. In addition, penetration testing should be performed to check for vulnerabilities within the network, and Data Loss Prevention (DLP) helps reduce the risk of sensitive data leaving the network.”