It's relatively common for publications to lazily only reference an action that resulted in a legal outcome, rather than the justification provided for the outcome.
For instance, Bob imprisoned for car bomb rather than Bob imprisoned after judgement rules deaths unlawfully resulted from Bob's malicious car bombing.
Had Bob's car bomb been on a film set and no one hurt, Bob would hopefully be fine.
If you read coverage with this in mind, then what matters is more a case of how likely an action is to be unlawful and thus how lazy the publication is being.
If someone blows up a car, we'd assume it was unlawful. If a company stores passwords unlawfully we'd assume it was unlawful and hopefully for good reason...
From GDPR: "personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
A typical security policy for securing passwords is to never store them in plaintext.
It would be a rare situation for the storage to not be accessible (what would be the point of storing it).
Thus it would seem fair to assume that in most cases plain text storage of passwords would be a breach of security (internal controls breach) would implicitly also be a breach of personal data (legal definition) as it would at the very least be accidentally accessible to staff, contractors or third parties (whoever hosts the storage).
So, it will likely fit the definition of a breach.
But, it still needs to escalate to a point where it would be recognised as serious enough to warrant action (like reporting to data subjects or regulators).
There are situations where storing passwords in plaintext may not warrant reporting or fines, such as if upon realising the breach it was evident that nobody had accessed the data and it was destructed before harm could be realised; but I doubt anyone would ever know about these situations happening in companies so it's fair to assume they wouldn't reach major news sites.
Even by the broadest possible definition of a breach, this is still just a control failure rather than a breach. The control that failed might have made it possible for Meta employees to perpetrate a breach, but the article makes no mention of that happening, or provides any suggestion that there is evidence that it might have happened.
At at least one point in my career, I have also accidentally mishandled password data (I accidentally leaked them into a log one time - well one time that I know of at least). When I did that I caused a control to fail, and I caused a security incident that required follow up remediation work (including password resets and disclosure), which is exactly what happened here. But I did not cause a data breach to occur. I struggle to image a world where I could have caused my employer to be fined $102M for that incident, and for that to be deemed a data breach, when there is no evidence (presented or referenced in this article at least) that a breach ever occurred. If I leave the office and forget to lock the door, I've caused a control failure. But if nobody comes in to rob us, then I haven't caused a robbery or a breach or anything else like that to occur, even if a typical security policy might require me to lock the door before leaving.
The creativity required to come to this conclusion doesn't do anything to improve the credibility of the GDPR, which from an outside perspective really doesn't look like anything other than an import tariff on foreign tech in disguise.
I like to think of a breach as hole through into the hull... they don't mean the boat will sink or even ever will sink; just that the layers of security protections has been compromised.
In the case you mention it seems that happened too: internal actors could reach plaintext passwords and thus for safety the company responded by forcing password reset and disclosure (commendable as I know of companies that would not).
The term "personal data breach" is useful because it defines the range of breaches that the law focuses on (it's not interested in business data or incidents where the first layer of defence fell but the second kept it secure).
I feel it's a bit like having a determination for "road traffic incident". It helps the public, police, etc identify what is in scope... just because you have one doesn't mean you'll lose your licence or be fined - that depends on a range of factors regarding the lead up to the incident: what happened before, during and after. Similar with data breaches.
If a company has a breach it does not mean much in GDPR unless other factors are considered, so I wouldn't worry about being too focused on the term breach.
> i read it twice and i still don’t understand the article.
Any recommendations to improve are welcome
> is this site complaining about 3rd party analytics?
If a bank page includes a script tag that loads third party JavaScript from a non-bank server, then what is to stop that script from capturing data, submitting forms, spoofing page content?
The bank has effectively given these third parties unaudited remote access, via remote code execution, to consumers bank accounts.
A bank can safely use third party analytics if they adopt appropriate security measures, SRI is likely be one, but alone might not be enough.
In the cases found here, there is no SRI protection or similar to protect users from the third parties doing what they like on the page, acting as customers.
> there is also a table further down that shows various banks sharing data with… themselves?
This is oddity due to the test suite spotting JS from a a separate domain for the same bank ( https://gitlab.com/markalanrichards/access-test/-/blob/main/... ): thank you for highlighting this and when I get time I hope to improve this I hope to filter it out.
Even if you do switch accounts, which bank do you choose, as most have this nature of vulnerability; hopefully with delivery providers that may be more trusted, but ultimately the bank has no control of the security and cannot distinguish their actions from customers: https://news.ycombinator.com/item?id=40112545
If anyone wishes to help improve this test suite or fork it for other purposes, please go for it.
Some may trust Google, Microsoft and co, and I'm sure some used to trust Fujitsu.
However, I encourage you to look at the companies in the list against the banks and see how broadly some banks give remote access to various types of third party companies.
Barclay's bank aren't on the list because the test suite didn't find anything. I might have to look into how to move my accounts there.
The technical fix to this exact issue is remove or SRI and review third party code. None of these features are a must have requirement for online banking.
However, the breadth of this problem indicates the fix is bigger, else this will just pop up again without being noticed and should be tackled from two directions.
Technically: in the context of non-repudiation, web browsers are insecure for users. Significant user requests (make a payment, consent to terms, etc) are not stored client side, not signed and were a user to discover an audit log feature there is no distinction between what JS did and what a user did. This should and must change for the web to evolve to protect users.
Business: the failure across most of the banking sector suggests that all who should be holding the banks to account (share holders, creditors, regulators, customers, etc) are failing to monitor the banks and given there has been prior warning of this for some (regulators) failing to act. If a third party uses their remote access to hack customers, then I'm sure they will react but that may be too late. When we want security in our physical environment we have watchdogs whose responsibility is not just to react, but to proactively monitor the environment: spot the river has chemicals in it. Banking is significant enough that it probably needs a watchdog tasked with specific objectives regarding information security.
For our systems we run, we have supply chain breaches.
But, when our code runs client side and depends on software artefacts being pulled from elsewhere by the client device, I feel like a supply chain paints a picture of a flow of control for that artefact that doesn't really exist.
Therefore, I phrased this post in the context of a "delivery chain" breach instead of a "supply chain" breach and I am curious to see what discussion flows.
Of course, I'm also trying to raise awareness to this particular breach and the odd events around it.
> Metro Bank's web pages downloaded and ran software direct from Chinese systems on customer devices.
I'm not a web developer.
I don't understand how content pulled from another system (by a web page) is not supply side. Does it really make a difference that it is pulled in before the page is delivered or as it is rendered?
In a supply chain attack against a system that produces some artefact (a container image, an executable, a VM image, whatever) an attacker can't modify what was injected after the fact (without building in some kind of remote update/attack persistence into the injection). This means that it could be audited and found later, for example the various projects designed to scan for the xz backdoor in executables.
But with this not only could the "attacker" (the CDN owner) change what is injected at any future time, there's no record of what was done as the author points out. A clever attacker could even selectively adjust what is sent based on the requester. They could distribute the unmodified code 99.99% of the time, but distribute malware 0.01% of the time — making it extremely hard to detect with simple 'spot checks'. They could exclude IPs known to be associated with the bank or CI systems from the malware distribution, so in-house malware checks would never see it.
Combined with other forms of intelligence, you could even build a system to target specific users with malware for very targeted attacks.
From the customer's perspective everything has been supplied to them.
However, from the bank's perspective, of their supply chain, the component shown to a customer has not been handled by them: they never received it, to supply it.
At best they can order a copy of it for quality assurance purposes and hope it is identical to what the customer will receive.
Instead, their web page sends an order to the third party for delivery (script src tag refers to a foreign location) and crosses their finger that all will be good.
There are mechanisms to reduce delivery chain risks, such as SRI, but they were not used.
I guess it's harder to notice because only the victim gets the malware based on IP or time or whatever. Typical supply chain attacks leave malware specimens in everyone's hands and leaves the system operator the power to delete it.
IBM was founded in 1898 by German inventor Herman Hollerith as a census tabulating company.
(1) IBM was created in 1911 (initially as the Computing-Tabulating-Recording Company) as an amalgamation of four companies, one of which was Hollerith's.
(2) Hollerith himself was not a "German inventor" but rather U.S.-born of German immigrant parents.
But hey, what's bit of sloppy hyperbole if it drives your point across?
>hey, what's bit of sloppy hyperbole if it drives your point across?
The type of person who stopped their reading on totalitarianism with the fall of the Nazis rather than the fall of the Berlin Wall tend to be unreliable narrators.
I love this idea, but I didn't choose it when I kicked off because of my experiences of feature backlogs.
Too often seeing something along the lines of "we'd love to use your site, if only it worked in IE|Firefox|insert here" and the ticket forever being thrown further back... but it would sometimes work.
My initial complaint went down the road of, if you want to get something fixed in engineering real quick: then you get it into the incident board - so GDPR complaint to the DPO, cc the ICO, get your MP involved and make it clear they should respond within 72 hours, etc and that largely worked for their breaches of GDPR in the ad tracking they had on their site, but that aggressive approach makes it harder to try the other route, as the tone is already set.
I'd like to think that cost isn't the issue, that they aren't sacrificing their cause because of that.
I believe the charity has an income near £100m a year, so it could justify some cost (how much I don't know)
I would love to think that a respectable CDN would jump at the opportunity to support a cause like this at cost and could perhaps reach out and offer services.
Google presented pitches to customers and employees alike that it cares about things like sustainability https://sustainability.google/, along with a breadth of other commitments https://about.google/commitments/ and I'm sure you'll find more examples if you Google Google.
All employees, contractors and business partners who are working with or for Google have had those or similar pitches thrown at them. They are hopefully part of the reasons why they chose Google and each has a right to complain when they don't get what they signed up for.
If people apply their conscience anywhere then great, but surely one step at a time, maybe the author will run for president one day, fix homelessness and buy everyone SUVs, but we can only do one battle at a time and it seems like he's got some good domain knowledge about Google to tackle this one.
For instance, Bob imprisoned for car bomb rather than Bob imprisoned after judgement rules deaths unlawfully resulted from Bob's malicious car bombing. Had Bob's car bomb been on a film set and no one hurt, Bob would hopefully be fine.
If you read coverage with this in mind, then what matters is more a case of how likely an action is to be unlawful and thus how lazy the publication is being.
If someone blows up a car, we'd assume it was unlawful. If a company stores passwords unlawfully we'd assume it was unlawful and hopefully for good reason...
From GDPR: "personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
A typical security policy for securing passwords is to never store them in plaintext.
It would be a rare situation for the storage to not be accessible (what would be the point of storing it).
Thus it would seem fair to assume that in most cases plain text storage of passwords would be a breach of security (internal controls breach) would implicitly also be a breach of personal data (legal definition) as it would at the very least be accidentally accessible to staff, contractors or third parties (whoever hosts the storage).
So, it will likely fit the definition of a breach.
But, it still needs to escalate to a point where it would be recognised as serious enough to warrant action (like reporting to data subjects or regulators).
There are situations where storing passwords in plaintext may not warrant reporting or fines, such as if upon realising the breach it was evident that nobody had accessed the data and it was destructed before harm could be realised; but I doubt anyone would ever know about these situations happening in companies so it's fair to assume they wouldn't reach major news sites.