At a glance.

  • Coffee and a pastry.
  • Update on WordFly incident.
  • Update on the Shanghai National Police breach.
  • Arrest in stalkerware case.

Data exposure? Have a free coffee and a pastry.

Tim Hortons, the Canadian coffee chain, is offering a free coffee and a free baked good as restitution in class action lawsuits after it was revealed that the company had been tracking its app users' movements for more than a year, Vice reports. The Tim Hortons app was found to have tracked users' locations, recording each time a user entered a competitor's store, a sports venue, or their home or workplace. An email sent to affected users, and tweeted out by James McLeod on Friday, notifies impacted customers of the settlement and of their eligibility to pick up the free beverage, valued at $6.19 CAD, and the free pastry, valued at $2.39 CAD. Daniel Therrien, the Privacy Commissioner of Canada, said in a statement, “Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.” Tim Hortons said in its own statement that “It’s important to emphasize that the allegations raised in the class actions were not proven in court and the settlement is not an admission of any wrongdoing.”

Update on WordFly newsletter service hack.

The Globe and Mail reports that more Canadian arts and cultural organizations have been affected by the July 10 ransomware attack on the WordFly newsletter service, including the National Ballet of Canada and The Musical Stage Company. The National Ballet of Canada said in an email to The Globe and Mail that it is working with the other affected arts organizations “to create a unified response.” The Canadian Opera Company (COC) sent an email to patrons informing them that their names, email addresses, and COC IDs may have been compromised, but assured them that no financial information was exposed. Outside Canada, other potentially affected organizations include the Sydney Dance Company in Australia, the Smithsonian Institution in the US, and the British arts organizations Southbank Centre, Royal Shakespeare Company, Royal Opera House, The Old Vic, and the Courtauld Institute of Art.

Shanghai National Police data breach remains puzzling.

Questions remain following the June 30 breach of an unsecured Shanghai police database that exposed 23 terabytes of personally identifiable information (PII) belonging to approximately 1 billion Chinese citizens, Dark Reading reports. The database is still being offered for sale for 20 bitcoin, roughly $240,000 USD. The leak is believed to have resulted from poor security: a dashboard for managing the database was reachable from the internet and was not protected by so much as a password for an entire year. The breach is one of the largest exposures of PII on record. John Bambenek, principal threat hunter at Netenrich, asks how nobody noticed 23 terabytes of data being downloaded from the cloud; in his view, there is no legitimate reason to download that much data. The case is also unusual in that a domestic Chinese breach became known outside the country. Naomi Yusupov, Chinese intelligence analyst at Cybersixgill, told Dark Reading, “While China has historically been home to one of the world’s largest communities of cybercriminals, domestic Chinese breaches are rarely disclosed because the Chinese government censors media coverage.” The major Chinese social media platforms Weibo and WeChat, for example, censored coverage of the breach.
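The two failures described above (a management dashboard serving anonymous visitors, and a bulk export that nobody noticed) are both visible in ordinary access logs if anyone is looking. The following is an added example, not code from Dark Reading, the researchers quoted, or any real dashboard product: it runs two simple detections over a constructed access log. The log format, the `/dashboard/` path prefix, and the 2 GiB per-client egress threshold are assumptions chosen for the sample; a real deployment would read cloud flow logs or database audit logs and tune the threshold to the service's normal traffic.

```python
import re
from collections import defaultdict

# Constructed access log for a hypothetical database management dashboard.
# Fields: timestamp, client IP, authenticated user ("-" if none), request,
# HTTP status, bytes sent. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2022-06-28T09:00:01Z 203.0.113.7 - "GET /dashboard/" 200 5120
2022-06-28T09:00:05Z 203.0.113.7 - "GET /dashboard/export?table=records&page=1" 200 1073741824
2022-06-28T09:07:41Z 203.0.113.7 - "GET /dashboard/export?table=records&page=2" 200 1073741824
2022-06-28T09:15:12Z 203.0.113.7 - "GET /dashboard/export?table=records&page=3" 200 1073741824
2022-06-28T09:03:00Z 10.20.0.5 analyst01 "GET /dashboard/" 200 5120
2022-06-28T09:03:30Z 10.20.0.5 analyst01 "GET /dashboard/query?id=1234" 200 2048
2022-06-28T09:04:00Z 198.51.100.9 - "GET /dashboard/" 401 0
2022-06-28T09:05:00Z 198.51.100.9 - "GET /healthz" 200 16
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

ADMIN_PREFIX = "/dashboard/"          # assumed location of the management UI
EGRESS_THRESHOLD = 2 * 1024 ** 3      # assumed: more than 2 GiB to one client is abnormal here


def parse_log(text):
    """Parse the log into dicts; lines that do not match the expected shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            r = m.groupdict()
            r["status"] = int(r["status"])
            r["bytes"] = int(r["bytes"])
            records.append(r)
    return records


def unauthenticated_admin_hits(records, prefix=ADMIN_PREFIX):
    """Successful requests to the management UI with no authenticated principal.

    A 401 to an anonymous client is the dashboard working as intended; a 2xx
    means the interface is serving anonymous visitors, i.e. it has no password.
    """
    return [r for r in records
            if r["user"] == "-" and r["path"].startswith(prefix) and 200 <= r["status"] < 300]


def egress_by_source(records):
    """Total bytes served to each client IP over successful responses."""
    totals = defaultdict(int)
    for r in records:
        if 200 <= r["status"] < 300:
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def bulk_egress_sources(records, threshold=EGRESS_THRESHOLD):
    """Clients whose cumulative egress exceeds the threshold, largest first."""
    over = {src: n for src, n in egress_by_source(records).items() if n > threshold}
    return sorted(over.items(), key=lambda kv: kv[1], reverse=True)


def run_detections(text):
    """Run both checks over raw log text and return the findings."""
    records = parse_log(text)
    return {
        "anonymous_admin": unauthenticated_admin_hits(records),
        "bulk_egress": bulk_egress_sources(records),
    }


if __name__ == "__main__":
    findings = run_detections(SAMPLE_LOG)
    for r in findings["anonymous_admin"]:
        print(f"ANON ADMIN  {r['ts']} {r['src']} {r['method']} {r['path']} -> {r['status']}")
    for src, n in findings["bulk_egress"]:
        print(f"BULK EGRESS {src} received {n / 1024 ** 3:.1f} GiB")
```

On the sample, the anonymous client 203.0.113.7 trips both checks: it reaches the dashboard with no user and pulls three 1 GiB export pages, while the authenticated analyst and the anonymous client that was correctly refused with a 401 are not flagged. The egress check is deliberately per-source rather than per-request, since a bulk exfiltration is usually paginated into many individually unremarkable responses.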

Arrest in Imminent Monitor stalkerware case.

The Guardian reports that Jacob Wayne John Keen, 24, has been arrested after it was found that he created a spyware tool called Imminent Monitor as a teenager while living in Brisbane. The spyware, a remote access Trojan (RAT), let buyers remotely control victims' computers, access personal information, watch and listen through the camera and microphone, and log keystrokes. Keen sold the tool on a hacking forum for $35, earning between $300,000 and $400,000 from some 14,500 buyers in 128 countries. The tool was shut down in 2019, but evidence passed to the Australian Federal Police (AFP) by overseas law enforcement led to Keen's arrest. The AFP said in a statement that the buyers included domestic violence perpetrators and a person on the child sex offenders registry. Keen faces six charges and is due to appear in court next month; his 42-year-old mother has also been charged with alleged dealing in the proceeds of crime.