Database Security Digest – May 2018
Please take a look at the database security news in May 2108.
Major Breakthrough in Personal Data Protection – Introduction of GDPR
The General Data Protection Regulation was introduced on May 25th, 2018 in the European Union. Recent years have seen massive data breaches affecting hundreds of millions of people. So, it’s no wonder that legislators are making data protection requirements more stringent and introducing new regulations and requirements.
Most multinational companies, and, of course, companies in the EU should be GDPR compliant by the end of May 2018. But let’s say you’re a US-based company with no direct operations in the EU. Will this regulation apply to you? Think again if your answer is “no”. The meaning of “personal data” under the GDPR stretches further than we understand it in the US. Such things as name, IDs, location information, etc. are considered to be “personal information”. “Personal information” includes even IP addresses, cookie strings, social media posts, online contracts and mobile device IDs.
Now you might be thinking that Europe is far away, and you don’t have any direct operations there, right? Ok, if you’re a US company with an Internet presence and selling or shipping goods to an EU country or just accepting European money for your products or services the GDPR will apply to your company.
Now about non-compliance with the GDPR. The price is high. For non-compliance the penalty can reach up to 4% of the company’s global annual turnover of the preceding financial year or 20 million Euros (whichever is greater) and 2% or €10 million Euros (whichever is greater) for infringements of lesser importance. For example, if a company fails to report a breach to a data regulator within 72 hours (which is required by Article 33 of the GDPR) is might pay a fine of 2% of its global revenue or 10 million Euros (whichever is greater).
DataSunrise makes the process of GDPR compliance, which is sometimes a daunting process for companies, a matter of a few mouse clicks.
South Africa Leaked
Cybercrime knows no borders. Using the internet cybercriminals can hack into almost any database even the protected one if the database security is weak.
South African authorities have been warned many times that their country might be the next target for cyber attacks. Among the next possible victims of cybercrime are India and Latin American countries.
This data leak follows another one which happened less than a year ago resulting in around 60 million South African ID numbers being publicly posted online. This time we’re speaking about 1 million South Africans whose personal data have been leaked online. The database with this information has been found on a publicly accessible server. The South African company handling electronic traffic fine payments in the country may be responsible for this so far the largest data leak in the history of South Africa.
PumpUp Application Leaking 6 Million of its Users
In May 2018 a security researcher discovered a backend server with no password to protect it. This server is connected to the PumpUp fitness application and the server is giving free access to the user-entered health information as well as the photos and private messages sent between users. In some cases, the information contained unencrypted credit card data: card number, expiry dates and card verification numbers.
The researcher then reached out to the company informing about the findings. The company closed free access to its backend server.
It’s still unknown how long the server has been sitting without any protections and what information might have been stolen.
Databases’ security updates
Oracle
https://nvd.nist.gov/vuln/detail/CVE-2017-15533https://nvd.nist.gov/vuln/detail/CVE-2017-18268
MS SQL Server
https://nvd.nist.gov/vuln/detail/CVE-2018-6617https://nvd.nist.gov/vuln/detail/CVE-2016-10556
PostgreSQL
https://nvd.nist.gov/vuln/detail/CVE-2018-1115IBM DB2
https://nvd.nist.gov/vuln/detail/CVE-2018-1449https://nvd.nist.gov/vuln/detail/CVE-2016-10577
https://nvd.nist.gov/vuln/detail/CVE-2018-1565
https://nvd.nist.gov/vuln/detail/CVE-2018-1544
https://nvd.nist.gov/vuln/detail/CVE-2018-1515
https://nvd.nist.gov/vuln/detail/CVE-2018-1488
https://nvd.nist.gov/vuln/detail/CVE-2018-1459
https://nvd.nist.gov/vuln/detail/CVE-2018-1452
https://nvd.nist.gov/vuln/detail/CVE-2018-1451
https://nvd.nist.gov/vuln/detail/CVE-2018-1450
MongoDB
https://nvd.nist.gov/vuln/detail/CVE-2016-10572Greenplum Database
https://nvd.nist.gov/vuln/detail/CVE-2018-1280MariaDB
https://nvd.nist.gov/vuln/detail/CVE-2016-10554https://nvd.nist.gov/vuln/detail/CVE-2016-10553
https://nvd.nist.gov/vuln/detail/CVE-2016-10550
https://nvd.nist.gov/vuln/detail/CVE-2016-10556
