Daily Digest (4/24)

SBA Data for 8,000 Loan Applicants Exposed in Breach; NY Start-Up Paay Exposes Millions of Credit-Card Numbers for 3 Weeks; Hong Kong Activists Sue Over Warrants to Search Phones, Facebook Office; EU Official Urges Apple to Work With Bloc Despite French Rift Over COVID-19 App.

SBA Data for 8,000 Loan Applicants Exposed in Breach

The personal information of as many as 8,000 small-business applicants for federal disaster loans was potentially exposed to other applicants in a breach at the U.S. Small Business Administration.

The hack was discovered March 25 and lasted for an unknown time, The Washington Post reports. Exposed personal information might have included names, Social Security numbers, addresses, birthdates and email addresses.

The applicants were seeking aid through the SBA’s Economic Injury Disaster Loan program (EIDL).

The agency said in a statement that it “immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal.”

The SBA did not immediately answer questions about how long the breach lasted or how it was discovered, the Post reports.

EIDL normally issues loans to small businesses recovering from tornadoes and wildfires. But the SBA last month expanded the program to include those affected by the COVID-19 pandemic.

The dollars are separate from the Paycheck Protection Program, which the White House and congressional leaders are working to replenish after its first round of funding ran out, the Post reports.

Source: Washington Post

NY Start-Up Paay Exposes Millions of Credit-Card Numbers for 3 Weeks

Millions of credit-card transactions stored in a huge database of the Paay card-payments processor were exposed on the internet for as long as three weeks.

The Manhattan-based Paay verifies payments on behalf of selling merchants, like online stores and other businesses, to prevent fraudulent transactions, TechCrunch reports. It is similar to other payment processors.

But the company’s server had no password, allowing anyone to access the data.

Security researcher Anurag Sen found the database, TechCrunch reports. He estimated that about 2.5 million card transaction records were on the server, some dating back to last September.

After the site notified the company, the database was taken offline.

“On April 3, we spun up a new instance on a service we are currently in the process of deprecating,” Paay co-founder Yitz Mendlowitz told TechCrunch. “An error was made that left that database exposed without a password.”

Source: TechCrunch

Hong Kong Activists Sue Over Warrants to Search Phones, Facebook Office

Two Hong Kong activists said four warrants granting police access to their cellphones and personal information at the city’s Facebook office were unlawful and could lead to more than 3,700 protesters’ phones being searched.

Joshua Wong and Agnes Chow asked China’s highest court to deem the warrants unlawful, the South China Morning Post reports. Police obtained the warrants after their arrests at a demonstration last August.

“The violation of privacy rights,” they said in court documents made public Thursday, is “pronounced.”

A Facebook spokesman denied offering personal data to authorities.

“To our knowledge, Hong Kong police have not attended Facebook offices in relation to this matter,” he told the Morning Post.

Source: SCMP

EU Official Urges Apple to Work With Bloc Despite French Rift Over COVID-19 App

EU industry chief Thierry Breton told Apple Inc. CEO Tim Cook to make sure that mobile apps to limit the spread of coronavirus worked on its iPhones and other devices, despite the company’s spat with France over its privacy safeguards.

Apple is also fighting a French government demand to change the privacy settings of its phones to make them compatible with France’s planned contact-tracing app, Reuters reports.

Paris wants the future app detectable via Bluetooth, even when it is not active. But Apple’s policy prevents apps that transfer data over Bluetooth from running in the background.

Breton Wednesday urged Apple to work constructively with national health authorities to ensure that contact-tracing apps developed by national governments work on its devices.

Source: Reuters

— By DPN Staff