Hackers Get Hacked: Cyber Security Today for January 27, 2025

Opening Headlines:

  • “Volkswagen data breach exposes sensitive data of 800,000 electric cars.”
  • “Upper Canada School Board hit by a data breach compromising banking details.”
  • “Mastercard’s lack of transparency over a security flaw sparks criticism.”
  • “Hackers get hacked: A fake malware builder tricks 18,000 script kiddies.”


This is Cyber Security Today. I’m your host, Jim Love.

Volkswagen Data Breach and Mozilla Petition
A major data breach at Volkswagen has exposed the location data of 800,000 electric cars, raising serious concerns about privacy. The breach also tied this information to personal data, affecting Volkswagen, Audi, SEAT, and Škoda drivers.

The breach resulted from a misconfigured Amazon cloud database, leaving terabytes of sensitive data, including precise location histories and contact details, vulnerable online for several months. A whistleblower brought the issue to light, and while Volkswagen’s team fixed the problem in late 2024, the damage was already done.

This incident is part of a larger debate over privacy in the automotive industry. Mozilla has criticized carmakers for invasive data practices, calling them the worst product category for privacy. 

Mozilla says, “it underscores a far more troubling reality: car companies are brazenly collecting vast amounts of data about drivers — through a web of sensors, microphones, cameras, and the phones, apps, and other connected services in your car.”

Their advocacy has led to regulatory action, including an FTC warning to carmakers and new rights for drivers to delete their data. Mozilla is now urging consumers to demand stronger protections through a petition they are circulating. 

For listeners concerned about privacy, it’s a reminder to question what data your car collects and to support initiatives pushing for transparency in data practices.

There’s a link to Mozilla’s petition in the show notes. 

Upper Canada School Board Data Breach
A data breach at the Upper Canada District School Board (UCDSB) has exposed sensitive personal and financial information. The breach, discovered on January 18th, compromised names, addresses, and banking details.

The school board is still investigating the full extent of the breach, but officials have warned that the leaked information could lead to identity theft. Cybersecurity experts and law enforcement have been engaged to assess and address the situation, while affected individuals are receiving notifications.

Data breaches in public institutions like schools are becoming more common. They hold extremely sensitive data and often have outdated systems and a lack of resources in their small IT departments. That combination makes schools, healthcare and other civic infrastructure easy targets – and as a result, they are all facing more and more attacks.

In the case of schools, parents are probably still reeling from the earlier PowerSchool attack that exposed the records of school children throughout North America.

In these cases, parents need to push for transparency about the threats and demand assistance with monitoring, but must also take the time to educate their children about online risks now that their data is exposed. 

This is also a wakeup call to all levels of government that public institutions must do more to protect sensitive data as they remain prime targets for cybercriminals.

Mastercard Transparency Failure
Mastercard is under fire for its handling of a cybersecurity issue involving a Domain Name System (DNS) misconfiguration. The error, which went unnoticed for years, could have exposed sensitive company systems to unauthorized access. Essentially it allowed someone to use a foreign domain name to gain access to DNS routing and traffic from the sites.

The issue, first reported by Krebs on Security, stemmed from a DNS error that could have allowed unauthorized access to Mastercard’s systems. A security researcher discovered the vulnerability and responsibly disclosed it to the company. Instead of expressing gratitude and providing clear technical details, Mastercard’s official response minimized the incident, claiming no risk had been identified and omitting credit to the researcher.

Rather than let this exposure remain, he bought the domain name that was the source of the potential attack vector. It had been registered but abandoned by a Russian, presumed hacker. Because the domain was in a foreign country, it cost our researcher some of his own money and a lot of time.

Once the threat was neutralized, our researcher, having had no meaningful reaction from Mastercard, published his findings.

But, here’s the kicker, rather than crediting the researcher or providing detailed insights, Mastercard minimized the issue, claiming no significant risk was identified.

In fact, Mastercard wrote to him, asking him to take down his post, and seemed to imply that his posting was somehow unprofessional. While they made no threat in this case, an official letter from a large company is always something that any individual has to take seriously.

This isn’t how things should be done. Transparency is critical in cybersecurity. Companies like Google and Microsoft have set the standard with bug bounty programs and open collaboration with researchers. Mastercard’s response, which seems to be seeking to make the story disappear, is not only the wrong approach, but it risks alienating the cybersecurity community and eroding public trust.

This incident underscores the importance of transparency in addressing vulnerabilities. Companies should use such moments to showcase accountability and foster trust rather than downplaying the risks. Or as one person put it, it’s a good reason not to use marketing staff to do cyber security or breach communications. 

More info at the Krebs site. 

Script Kiddies Tricked by Fake Malware Builder
In an ironic twist, a hacker has turned the tables on 18,000 amateur cybercriminals, known in the industry as script kiddies, by distributing a fake malware builder to them. Instead of helping them launch ransomware attacks, the tool infected the users themselves, turning their own malicious intent into a field lesson in irony.

The tool was advertised as a simple solution for creating ransomware, promising inexperienced hackers the ability to deploy attacks with minimal effort. However, rather than generating malicious software, the builder delivered its own malware, infecting those who downloaded it. Cybersecurity researchers revealed that the hacker’s campaign effectively turned the tables on script kiddies, exploiting their eagerness to commit cybercrime without the skills to do so themselves.

Script kiddies and other relatively unsophisticated hackers often rely on pre-made tools to carry out cyberattacks. 

And more sophisticated hackers rely on this large pool of, I’ll say “talent” in quotes. That allows the more sophisticated hackers to develop the tools while others do the dirty work and take the risks. I’ve compared it to a franchise operation – only a criminal one. It’s very effective and it has fueled an explosion in phishing, ransomware and other attacks.

But in the case of script kiddies, it turns out it also makes them easy targets for experienced hackers. And who do you complain to when the software you downloaded to attack someone attacks you?

Maybe it’s the new 11th commandment: “Hack not, lest ye also be hacked.”


That’s our show for today. You can reach me with comments, questions, or tips at editorial@technewsday.ca. I’m your host, Jim Love. Thanks for listening.

 
