Top infosec trends in the social media spotlight this week

Police in Shanghai are investigating an alleged massive data breach at NASDAQ-listed Chinese hotel chain, Huazhu Group.

News of a hack against the hotelier broke on Tuesday after numerous cybersecurity firms discovered that the personal data of more than 130 million hotel guests was purportedly for sale on a dark web forum for eight bitcoin (around $55,000).

Huazhu runs more than 3,000 hotels across 370 Chinese cities. The company operates more than a dozen brands such as French hotel group Accor’s Mercure and Ibis hotels in China, as well as Hanting and Crystal Orange.

“Those who commit illegal acts including theft, trading and exchange of residents’ personal data will be heavily punished,” the Shanghai police said in a statement. “We are resolute in protecting people’s interest and ensuring information security.”

As police continue their investigation, reports surfaced that the breach occurred after developers at Huazhu accidentally uploaded the group’s entire database to GitHub.


In the UK, data breach complaints have seen a huge annual rise following the implementation of the General Data Protection Regulation (GDPR), according to EMW Law.

Citing data from the Information Commissioner’s Office (ICO), EMW said there were 6,281 complaints between May 25, 2018, when GDPR came into force, and July 3, 2018, a 160% rise from just 2,417 complaints over the same period in 2017.

“A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed,” said James Geary, principal at EMW.

“There are some disgruntled individuals prepared to use the full extent of GDPR that will create a significant workload for businesses.”


Interestingly, the UK data comes amid separate reports that the anticipated rise in global spam levels has failed to take place following the implementation of GDPR.

Ahead of the implementation of the EU privacy regulation, some within the industry feared an increase in spam because security researchers would no longer be able to use WHOIS information to track new domain registrations and identify potentially bad domains.

However, new research from Recorded Future indicates the volume of spam and new registrations in spam-heavy generic top-level domains has been on the decline.

“Spam is still a big problem, but it has not become a bigger problem, counter to popular opinions among security researchers,” said Recorded Future’s Allan Liska.


In privacy news, instant messaging app Telegram said it would cooperate with authorities in terror probes when ordered to do so by courts.

Telegram, a cloud-based service launched in 2013 by Russian entrepreneur Pavel Durov, has long been the messaging app of choice for anonymity advocates.

In its updated privacy settings, the company said it would disclose its users’ data to “the relevant authorities” if it receives a court order to do so – although not in Russia, where Telegram remains embroiled in a battle with authorities.

“If Telegram receives a court order that confirms you’re a terror suspect, we may disclose your IP address and phone number to the relevant authorities,” the company’s privacy policy reads.

“So far, this has never happened. When it does, we will include it in a semiannual transparency report.”


Elsewhere, Bitfi, the cryptocurrency hardware wallet backed by John McAfee, appears to have crumbled under pressure from the security community by removing the controversial “unhackable” claim from its branding.

Bitfi hit the headlines for all the wrong reasons following its launch in July, as researchers gleefully rose to the challenge of finding flaws in the device.

The past few weeks have seen a slew of attacks against Bitfi, as security experts poked holes in the wallet’s hardware components and operating system.

The controversy seemingly came to a head yesterday, after researchers came forward with a video demonstrating a cold boot attack that enabled them to extract private keys from the device.

Within an hour of the video being posted, Bitfi responded with an announcement on its Twitter page that it would be removing the “unhackable” tagline from its marketing material.

“Next week, we will make [a] comprehensive announcement acknowledging and addressing these issues that have been identified,” the company said.

“Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers.”