Database Security Digest - May 2018

Here is the database security news for May 2018.

Major Breakthrough in Personal Data Protection – Introduction of GDPR

The General Data Protection Regulation was introduced on May 25th, 2018 in the European Union. Recent years have seen massive data breaches affecting hundreds of millions of people, so it’s no wonder that legislators are making data protection requirements more stringent and introducing new regulations. Most multinational companies and, of course, companies in the EU should be GDPR compliant by the end of May 2018.

But let’s say you’re a US-based company with no direct operations in the EU. Will this regulation apply to you? Think again if your answer is “no”. The meaning of “personal data” under the GDPR stretches further than we understand it in the US. Such things as names, IDs, location information, etc. are considered to be “personal information”. “Personal information” even includes IP addresses, cookie strings, social media posts, online contracts and mobile device IDs. Now you might be thinking that Europe is far away and you don’t have any direct operations there, right? If you’re a US company with an Internet presence and you sell or ship goods to an EU country, or just accept European money for your products or services, the GDPR will apply to your company.

Now about non-compliance with the GDPR. The price is high. The penalty for non-compliance can reach up to 4% of the company’s global annual turnover of the preceding financial year or 20 million euros (whichever is greater), and 2% or 10 million euros (whichever is greater) for infringements of lesser importance. For example, if a company fails to report a breach to a data regulator within 72 hours (which is required by Article 33 of the GDPR), it might pay a fine of 2% of its global revenue or 10 million euros (whichever is greater).

DataSunrise makes the process of GDPR compliance, which is sometimes a daunting process for companies, a matter of a few mouse clicks.

South Africa Leaked

Cybercrime knows no borders. Using the internet, cybercriminals can hack into almost any database, even a protected one, if the database security is weak. South African authorities have been warned many times that their country might be the next target for cyber attacks. Among the next possible victims of cybercrime are India and Latin American countries.

This data leak follows another one that happened less than a year ago and resulted in around 60 million South African ID numbers being publicly posted online. This time we’re speaking about 1 million South Africans whose personal data has been leaked online. The database with this information was found on a publicly accessible server. The South African company handling electronic traffic fine payments in the country may be responsible for what is so far the largest data leak in the history of South Africa.

PumpUp Application Leaking Data of 6 Million of Its Users

In May 2018 a security researcher discovered a backend server with no password to protect it. The server is connected to the PumpUp fitness application and was giving free access to user-entered health information as well as photos and private messages sent between users. In some cases, the information contained unencrypted credit card data: card numbers, expiry dates and card verification numbers. The researcher then reached out to the company to report the findings, and the company closed free access to its backend server. It’s still unknown how long the server had been sitting without any protection and what information might have been stolen.

Databases’ security updates

Oracle

https://nvd.nist.gov/vuln/detail/CVE-2017-15533
https://nvd.nist.gov/vuln/detail/CVE-2017-18268

MS SQL Server

https://nvd.nist.gov/vuln/detail/CVE-2018-6617
https://nvd.nist.gov/vuln/detail/CVE-2016-10556

PostgreSQL

https://nvd.nist.gov/vuln/detail/CVE-2018-1115

IBM DB2

https://nvd.nist.gov/vuln/detail/CVE-2018-1449
https://nvd.nist.gov/vuln/detail/CVE-2016-10577
https://nvd.nist.gov/vuln/detail/CVE-2018-1565
https://nvd.nist.gov/vuln/detail/CVE-2018-1544
https://nvd.nist.gov/vuln/detail/CVE-2018-1515
https://nvd.nist.gov/vuln/detail/CVE-2018-1488
https://nvd.nist.gov/vuln/detail/CVE-2018-1459
https://nvd.nist.gov/vuln/detail/CVE-2018-1452
https://nvd.nist.gov/vuln/detail/CVE-2018-1451
https://nvd.nist.gov/vuln/detail/CVE-2018-1450

MongoDB

https://nvd.nist.gov/vuln/detail/CVE-2016-10572

Greenplum Database

https://nvd.nist.gov/vuln/detail/CVE-2018-1280

MariaDB

https://nvd.nist.gov/vuln/detail/CVE-2016-10554
https://nvd.nist.gov/vuln/detail/CVE-2016-10553
https://nvd.nist.gov/vuln/detail/CVE-2016-10550
https://nvd.nist.gov/vuln/detail/CVE-2016-10556