Every time I look at my LinkedIn feed, I see more and more posts about new data theft incidents. There are so many now that it kinda gets boring after a while.
Why are they happening, and why are there more now than before? Are hackers getting better, or are organisations getting worse at protecting our data?
What is even more worrying, is that I am now seeing reports of data thefts from services I use myself. Almost every service you can imagine is now a target, which brings me to today's post.
Yes indeed, Datasport has exposed my details along with those of around 1 million people, and they were recently made available on a hacker forum. According to this Swiss Times article, around 900,000 of those records belong to Swiss citizens.
What data was exposed?
According to Datasport, the personal data affected includes: myDS ID, first name and last name, gender, date of birth, nationality, language, postal code, address, telephone number and e-mail address.
Other specific data included in myDS may also have been affected, such as event names and finishing times.
How did it happen and what do we know so far?
Apparently, the breach happened on January 22nd 2024.
Datasport made a brief announcement on its website, explaining how the data loss happened, and they issued an apology.
They say that they were advised during the regular review of technical and organisational measures for data security, to backup their data to a second datacentre. During the execution of that backup process, the data was somehow exposed and left vulnerable.
At the time of writing Datasport host their public website using two domains https://datasport.com and https://datasport.ch. Visits to the Swiss .ch domain redirect to the .com address.
According to publicly available DNS, information they currently use two Swiss providers, Infomaniac and Quickline, so we are probably not looking at an unsecured Amazon S3 bucket this time.
We can only guess how the data was exposed, but one possible scenario is that a file share, FTP server or database service port was exposed to the Internet, and firewall rules allowed inbound access from any source IP address.
So what does Datasport advise its customers to do?
They advise customers that no special actions are necessary, but to be vigilant to phishing attempts.
It will be interesting to see how quickly scammers start to take advantage of this data, and how soon I will see 90% off offers for On Running in my inbox and SMS messages.
So for my part, I have changed the email address I use for Datasport and will create a filtering rule in my Outlook, to move any email from Datasport sent to my old email address into my phishing folder.
And of course, I changed my password.
What more could Datasport be doing?
I think they should be encouraging users to change their password, and Datasport themselves should enforce a password change policy on the site.
And their site is not protected by multi-factor authentication.
That's pretty bad.
It's not rocket science to implement, and I wonder if the experts who reviewed their TOMs did not recommend it.
And there is no identity federation or known identity provider (IdP).
Perhaps they should join the Bug Bounty Switzerland program too.
The new Swiss Federal Act on Data Protection (nFADP) came into force on 1 Sep 23 and two of its key principles are "Privacy by design" and "Privacy by default".
I wonder if these principles are respected now by organisations, does that mean there will be no more data theft incidents?
I don't think so.
And were all Swiss organisations ready on September 1st?
I doubt it.
We don't need even more regulations, we need top-level executives to take cybersecurity seriously, and not throw more good money after bad.
Just because you instructed the most expensive security consultants that wear the best suits, that does not mean you can sit back and relax.
The real question is, are you employing the right people in your IT security and IT operations functions, and are you training and developing the employees you already have?