The Average Cost Of A Data Breach Is Highest In The U.S.

Globally, the impact of a data breach on an organization averages $3.86 million, though more serious "mega breaches" can cost hundreds of millions of dollars. IBM's 2018 Cost of a Data Breach study was compiled from interviews with more than 2,200 IT, data protection and compliance professionals from 477 companies, and it provides an interesting insight into one of the most serious problems facing companies today.


The potential cost of an incident depends on several factors, with the financial impact rising in line with the number of records stolen. On average, each record costs $148: a breach of 1 million records costs $40 million, while a breach of 50 million costs $350 million. The research also found that how efficiently an incident is identified and how quickly it is responded to has a huge impact on its overall cost. On average, it took companies 197 days to identify a data breach and 69 days to contain it.

Average total costs of a data breach also varied heavily between countries, with the United States the hardest hit. In 2018, an average incident cost U.S. firms $7.91 million, while in Canada and Germany the impact was lower at less than $5 million. Indian and Brazilian companies have the lowest average cost of a data breach, at $1.77 million and $1.24 million respectively.

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users


The Timehop social media app was hit by a major data breach on July 4th that compromised the personal data of more than 21 million users.

Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine, showing you what you were doing on this very day exactly a year ago.

The company revealed on Sunday that unknown attacker(s) managed to break into its cloud computing environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.

"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website.

Social Media OAuth2 Tokens Also Compromised

Moreover, the attackers also got their hands on authorization tokens (keys) provided by other social networking sites to Timehop for gaining access to your social media posts and images.

With access to these tokens, hackers could view some of your posts on Facebook and other social networks without your permission.

However, Timehop claims that all the compromised tokens were deauthorized and made invalid within a "short time window" after the company detected the breach on its network on July 4th at 4:23 PM Eastern Time.

Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment using compromised credentials.

Timehop has now taken some new security measures that include system-wide multifactor authentication to secure its authorization and access controls on all accounts.

Timehop logged out all users of the app immediately after invalidating all API credentials. This means that when you next log into your Timehop account, you will need to re-authenticate each of your social media accounts to the app so that a new token is generated.

The company is also working with security experts and incident response professionals, local and federal law enforcement officials, and its social media providers to minimize the impact of the breach on its users.

Ticketmaster Suffers Security Breach – Personal and Payment Data Stolen


Global entertainment ticketing service Ticketmaster has admitted that the company has suffered a security breach, warning customers that their personal and payment information may have been accessed by an unknown third-party.

The company has blamed a third-party customer support chat application for the data breach, which is believed to affect tens of thousands of its customers. The customer support chat application, made by Inbenta Technologies, a third-party artificial intelligence tech supplier, is used to help major websites interact with their customers.

In its statement, Ticketmaster said it discovered malicious software on the customer support application hosted on its UK website that allowed attackers to extract the personal and payment information from its customers buying tickets.

Ticketmaster said that it has emailed all affected customers, and is offering 12 months of free identity monitoring service for those who have been impacted.

Affected customers are also advised to keep a close eye on their bank account transactions for signs of any suspicious activity, and to notify their banks immediately if they find any.

Users are also advised to be cautious if they receive any suspicious or unrecognized phone call, text message, or email from anyone saying they must pay taxes or a debt immediately, even if the caller or sender can quote their personal information.

The Orlando Police Department Is Ending Its Test of Amazon Facial Recognition Tech—For Now

Orlando will not be renewing its contract with Amazon.

The city’s police department had been one of two in an Amazon pilot program to incorporate its facial recognition software, Rekognition, into law enforcement. But the program has come under fire from civil liberties groups and even some Amazon investors over concerns that the technology could be used for mass surveillance.

In a letter to Orlando’s mayor and city council on Monday, the legal director of the American Civil Liberties Union of Florida urged the police department to end its use of the technology.

In a joint statement, the city and the Police Department said the contract “remains expired” but left open the possibility of reinstating it or trying other types of software: “The City of Orlando is always looking for new solutions to further our ability to keep our residents and visitors safe. Partnering with innovative companies to test new technology—while also ensuring we uphold privacy laws and in no way violate the rights of others—is critical to us as we work to further keep our community safe.”

Amazon Rekognition is also being tested in Washington County, Oregon. The technology remains in use. In an email to The New York Times the Sheriff’s Office said, “The Sheriff’s Office has not, and will not, utilize this technology for mass or real-time surveillance. That use is prohibited by both Oregon state law and our own policy.”

Five Ways to Recognize and Dispose of Malicious Emails


We all get our share of spam. Some more than others. But how do we differentiate between simple commercial spam and the types of emails that want to get us in trouble?

The unsolicited commercial spam email is generally easy to recognize, report, and discard, but what about more dangerous types of spam? How can you determine if an email contains a malicious link or attachment, or is trying to scam you out of money or your personal information?

Five red flags for spotting malicious emails

Before we jump into determining what to do with a malicious email, there are a few general tricks users should learn to spot red flags for malicious activity. They are as follows:

1. The sender address isn’t correct.

Check whether this address matches the name of the sender and whether the company's domain is correct. To see this, you have to make sure your email client displays the sender's email address and not just their display name. Sometimes you need to look at the address with hawk eyes, since spammers have some convincing tricks up their sleeve. For example:

In this example sender’s address, the email domain does not match the actual bank’s domain, which is santander.co.uk.

2. The sender doesn’t seem to know the addressee.

Is the recipient name spelled out in the email, and are you being addressed as you would expect from this sender? Does the signature match how this sender would usually sign their emails to you? Your bank usually does not address you in generic ways like "Dear customer." If the email is legitimate and clearly intended for you, it will use your full name.

3. Embedded links have weird URLs.

Always hover first over the links in the email. Do not click immediately. Does the destination URL match the destination site you would expect? (Once again, train those eagle eyes.) Will it download a file? Are they using a link shortening service? When in doubt, if you have a shortcut to the site of the company sending you the email, use that method instead of clicking the link in the email.

When I hover over “Apply Now,” does that link look like something VISA would use?

4. The language, spelling, and grammar are “off.”

Is the email full of spelling errors, or does it look like someone used an online translation service to translate the mail to your language?


5. The content is bizarre or unbelievable.

If it is too good to be true, it probably isn’t true. People with lost relatives that leave you huge estates or suitcases full of dollars in some far-away country are not as common as these scammers would have us believe. You can recognize when email spam is trying to phish for money by its promises to deliver great gain in return for a small investment. For historical reasons, we call this type of spam “Nigerian prince” or “419” spam.