Security
Atos in Advanced Talks with Airbus for Sale of Big Data and Cybersecurity Division Amidst Financial Restructuring
Paris, January 3, 2024 – Atos, the French multinational information technology service and consulting company, has made a significant announcement regarding its ongoing financial restructuring efforts. The company is currently in advanced negotiations with Airbus concerning the sale of its Big Data and Cybersecurity (BDS) division, a move that could potentially alleviate some of the financial pressures it faces.
In a detailed press release, Atos outlined the challenges it has been grappling with, particularly highlighting the need to settle and refinance its substantial debt. The tech giant has been transparent about the financial difficulties that have led to the decision to divide its operations into two separate entities.
The first entity, named Tech Foundations, will inherit the traditional IT facilities management business, which has been operating at a loss. The second, Eviden, will encompass the group’s burgeoning advanced technology businesses, including the BDS division that is now the subject of sale discussions.
The split was first announced in the summer of 2023, when Atos revealed its plans to sell Tech Foundations to EPEI, a holding company owned by Czech billionaire Daniel Křetínský. However, the completion of this transaction has been delayed, and Atos has admitted that there is “no certainty” that the negotiations with EPEI will result in a finalized agreement.
With time-sensitive financing deadlines looming, Atos has been compelled to consider the divestiture of other assets. The sale of the BDS division to Airbus is seen as a “decisive component” that could enable the remaining businesses within the company to maintain their strategic interests and stability.
The press release by Atos further disclosed that two parties have expressed interest in acquiring stakes in the BDS division, which is a part of Eviden. One unnamed group is contemplating a minority stake, while Airbus has set its sights on a full acquisition.
Airbus’s interest in Atos’s BDS is not new. In early 2023, the aircraft manufacturing behemoth initiated discussions to acquire a 29.9% stake in Eviden. However, those talks were abandoned in March 2023. Now, Airbus is back at the table with a focus on the complete takeover of the BDS branch.
Atos has confirmed that it will enter a due diligence phase with Airbus, allowing for a comprehensive examination of the BDS division’s accounts. Airbus’s offer is based on an estimated valuation of the division of between 1.5 and 1.8 billion euros. This valuation encompasses the entirety of the BDS division, signaling Airbus’s commitment to a potential full-scale acquisition.
The proposed sale of Atos’s BDS division to Airbus marks a critical juncture for the IT company as it seeks to navigate through its financial constraints. The outcome of these negotiations could have far-reaching implications for Atos’s future operations and financial health. The tech industry and investors alike will be watching closely as Atos and Airbus proceed with their due diligence and potential transaction in the coming months.
Privacy
Massive Intelligence Database Leak in Bangladesh Exposes Sensitive Personal Data
In a startling breach of privacy and security, the National Telecommunication Monitoring Center (NTMC), a key intelligence agency in Bangladesh, has suffered a significant data leak. This incident has led to the exposure of a vast array of personal information belonging to countless individuals.
The leaked data is extensive and varied, encompassing names, professions, blood groups, parents’ names, phone numbers, call durations, vehicle registrations, passport details, and even fingerprint photos. Unlike common database leaks that occur frequently, this data is tied to an intelligence database, raising serious concerns about the implications for those affected.
For several months, the NTMC, which plays a pivotal role in monitoring cell phone and internet activity in Bangladesh, had inadvertently made this sensitive information accessible through an unsecured database. The situation escalated when anonymous hackers targeted the database, erasing details from the system and claiming to have absconded with the data trove.
WIRED conducted a verification of a sample of the data, confirming the authenticity of real-world names, phone numbers, email addresses, locations, and exam results. The intent behind the collection of such data remains unclear, with some records appearing to be tests or incomplete. The NTMC has not issued any comments in response to inquiries about the leak.
Security researcher Viktor Markopoulos from CloudDefense.AI was the one to uncover the unprotected database. He linked it back to the NTMC and discovered login pages for a national intelligence platform in Bangladesh. Markopoulos suspects a misconfiguration led to the exposure. Within the database, over 120 indexes of data were found, each storing different logs, including entries labeled “sat-phone,” “sms,” “birth registration,” and “Twitter.”
The majority of the exposed data consists of metadata, which reveals the “who, what, how, and when” of communications. While actual phone call audio was not disclosed, metadata could show calling patterns and contacts, which can be incredibly revealing.
Some of the logs, such as the “birth registration” index, contained detailed personal information including names in English and Bengali, birthdays, places of birth, and parents’ details. Another log, named “finance personal details,” included names, cell phone numbers, bank account details, and even account balances. National ID numbers and cell phone operators’ names were frequent in the data structures, along with lists of base transceiver stations and references to “cdr,” possibly indicating call detail records.
Jeremiah Fowler, a security consultant and co-founder of Security Discovery, reviewed the database and confirmed its connection to the NTMC. He highlighted the presence of IMEI numbers in the data, which could potentially be used to track or clone devices.
The NTMC has not acknowledged the leak, nor has it responded to WIRED’s questions regarding the purpose of the data collection and the extent of the information gathered. The Bangladesh government’s press office and the Bangladesh High Commission in London have also remained silent on the issue. Markopoulos reported the exposed data to Bangladesh’s Computer Incident Response Team (CIRT) on November 8, which acknowledged the report and thanked him for disclosing the “sensitive exposure.” The CIRT informed WIRED that they had notified the NTMC of the issue.
Before the publication of this article, the database was taken offline. However, Markopoulos noted that on November 12, the database was wiped clean, and a ransom note appeared, demanding 0.01 bitcoin (approximately $360) to prevent the public disclosure and deletion of the data. This type of ransom demand is not uncommon for exposed databases.
The NTMC, established in 2013 from a previous monitoring body, is described on its website as providing “lawful communication interception facilities” to other agencies in Bangladesh. Reports suggest that up to 30 agencies are linked to the NTMC through APIs, incorporating records from mobile operators, passport and immigration services, among others.
A telecoms expert with experience in Bangladesh, who chose to remain anonymous, alleged that the NTMC’s surveillance capabilities exceed those in many European countries, citing the absence of stringent data protection laws in Bangladesh.
The leak comes at a time when Bangladesh is experiencing political unrest, with the government cracking down on opposition ahead of the 2024 elections. A local researcher, who also requested anonymity, expressed concerns over increased surveillance and targeting of individuals in the lead-up to the elections.
This incident underscores the critical need for heightened awareness and education on digital rights and safety, especially for activists and those at risk of government surveillance. As the country grapples with fundamental rights issues, the protection of digital privacy remains a pressing concern.
Security
Millions of Medical Records Exposed in a Series of Data Breaches
In a disturbing revelation of privacy violations, Perry Johnson and Associates, a company providing transcription and dictation services to Northwell Health, has been the source of a significant data breach. The breach, which was first disclosed in a letter dated November 3, 2023, involved unauthorized access to files containing sensitive health information of patients, including the author of the letter. This breach is part of a larger pattern of cyberattacks targeting healthcare providers and their associates.
Personal Health Information Compromised
The compromised data includes a wide array of personal health information (PHI) such as names, birth dates, addresses, medical record numbers, and detailed medical conditions. The unauthorized party reportedly had access to the system between March and May of 2023, during which they engaged in a downloading spree of sensitive files. The breach affected almost 10 million people across multiple healthcare providers in various states.
Lack of Apology and Adequate Measures
The letter from Perry Johnson and Associates failed to include an apology but stated that the company takes the incident “very seriously” and promised to update their systems to prevent future breaches. This response raises questions about why more robust security measures were not in place beforehand.
In a similar incident, East River Medical Imaging informed patients of a breach between August 31 and September 20, where unauthorized access to documents could have exposed names, contact information, and even images from medical tests. Like Perry Johnson and Associates, East River Medical Imaging assured patients that they take privacy and security seriously but offered no concrete mitigation for the loss.
The Risks Beyond Financial
The theft of medical information carries risks that extend far beyond financial harm. According to Andrea Downing, co-founder of The Light Collective, a grassroots activist organization advocating for responsible medical data stewardship, “People can be targeted based on their health vulnerabilities and become easy fodder for medical fraud.” The medical information of nearly 10 million people would be a treasure trove for drug marketers, insurance companies, and manufacturers of illegitimate medical devices. Unlike financial information, medical history cannot be replaced or reset.
Regulatory Response and Penalties
The US Health and Human Services Office for Civil Rights is responsible for investigating incidents affecting more than 500 people. Currently, they are looking into more than 500 breaches reported last year. However, the penalties imposed on companies for such violations often amount to minimal fines, which are insignificant compared to the companies’ revenues and the potential damage caused by the breaches.
The Need for Stronger Laws and Community Approach
The article suggests that tougher laws are necessary to ensure that companies implement changes to protect sensitive data. Downing advocates for a community approach where patient representatives are involved in setting up the security infrastructure. The idea is that a collective effort might lead to more robust and effective data protection measures.
Who is Perry Johnson and Associates?
Perry Johnson and Associates, the company at the center of the breach, is part of a network of tech-related corporations founded by Michigan businessperson Perry Johnson. The current CEO, identified as Jeffrey Hubbard, describes himself as a “Chief Executive and Health Tech Care Innovator” on his LinkedIn profile. However, the company’s leadership has been circumspect about its operations, and inquiries about the breach have been met with limited responses.
A History of Data Security Negligence
The current situation echoes the author’s 2005 Newsweek story, “Grand Theft Identity,” which highlighted the cybersecurity problem that has only worsened over the years. Despite the transition to electronic medical records and assurances of enhanced security, the healthcare industry continues to grapple with significant data breaches.
In conclusion, the series of data breaches underscores the urgent need for improved cybersecurity measures in the healthcare industry. As millions of individuals face the consequences of exposed medical data, the call for stronger regulations and a community-based approach to data security becomes increasingly critical.
Privacy
23andMe Data Breach Exposes Millions of Users’ Genetic Information
23andMe, a leading genetic testing company, has been grappling with the aftermath of a data breach that was first reported in October. As the company continues to disclose more details, the situation has become increasingly complex, leaving users uncertain about the extent of the fallout.
In early October, 23andMe acknowledged that attackers had gained unauthorized access to some user accounts by exploiting the company’s DNA Relatives feature, an opt-in social sharing service. Initially, the extent of the breach was unclear, with the company not disclosing the number of affected users. However, it was later revealed that hackers were selling data on criminal forums, which appeared to originate from over a million 23andMe users.
A recent U.S. Securities and Exchange Commission (SEC) filing by the company clarified that the breach affected “a very small percentage (0.1%) of user accounts,” which translates to approximately 14,000 of their more than 14 million customers. This number, however, did not account for the additional users whose data was scraped via the DNA Relatives feature.
On Monday, 23andMe confirmed to TechCrunch that the attackers had harvested the personal data of about 5.5 million individuals who had opted into DNA Relatives. An additional 1.4 million users had their Family Tree profile information accessed.
The compromised data included display names, most recent logins, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. For some users, the breach was more severe, with ancestry reports, chromosomal match details, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, and links to self-created family trees also being exposed. The 1.4 million impacted DNA Relatives users had their Family Tree data specifically targeted, with display names, relationship labels, and in some cases, birth years and self-reported location data stolen.
Katie Watson, a spokesperson for 23andMe, explained that the company was “only elaborating on the information included in the SEC filing by providing more specific numbers.”
The company has attributed the account breaches to a technique known as credential stuffing, where attackers use leaked login credentials from other services that were reused on 23andMe. Following the incident, 23andMe enforced a password reset for all users and began requiring two-factor authentication. Other genetic services like Ancestry and MyHeritage have also started to promote or require two-factor authentication in the wake of 23andMe’s breach.
Despite the company’s explanation, some users, including Rob Joyce, the U.S. National Security Agency cybersecurity director, have expressed skepticism. Joyce, who uses unique email addresses for each account, noted on his personal X (formerly Twitter) account that his 23andMe credentials were unique and could not have been exposed in another leak. He later revealed that his unique 23andMe email address was compromised in a separate MyHeritage data breach in 2018, which may have been linked to the 23andMe breach due to a past partnership between the two companies.
The incident highlights the risks associated with user data sharing between companies and features that promote social sharing, especially when the data is deeply personal and tied to one’s identity.
Brett Callow, a threat analyst at the security firm Emsisoft, commented on the need for better policies, stating, “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It’s counterproductive and helps only the cybercriminals.”
In a separate development, 23andMe user Kendra Fee pointed out that the company is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company claims the changes will facilitate a quicker resolution of disputes and streamline arbitration proceedings. Users have the option to opt out of the new terms by notifying the company within 30 days of receiving notice of the change.