More stories

  • Pixel 6 vs. iPhone 12: Which phone is really more secure?


    There is great debate in the industry as to whether iOS or Android provides the most secure mobile device. In all my conversations with security pros, most, if not all, believe Apple’s iOS to be inherently more secure than the Google-built Android. This recent article spells out a number of strengths iOS has over Android in the area of privacy, such as Apple’s new feature in which users can stop apps from tracking them. In the article, the author states: “When it comes to privacy, Google and Apple are almost on extreme opposite ends.” However, a new study begs to differ; a report from research firm Omdia caught my attention. The key finding is that the Google Pixel 6 running Android 12 is significantly more secure than the Apple iPhone 12 Pro running iOS 15. There are comparisons to two other Android-based phones: the Samsung Galaxy S21 Ultra and the Xiaomi Mi 11 5G. The report scored each vendor on nine different factors and weighted them in order of importance. The Google Pixel 6 achieved a perfect score of 5.4, while Apple was fourth at 4.03. The weighting turned out to be irrelevant because of the Pixel 6’s perfect score.

    Since I had always believed Apple to have better security by a wide margin, I thought it was worth diving into this report and understanding the criteria. One interesting point is that I had always looked at iOS versus Android software; this report did its analysis at the device level, meaning a mix of hardware and software.

    After reading through the report, I found several questionable points that I felt were worth raising. They are:

    Sponsorship

    The most questionable fact about the report is that Google, the manufacturer of the Pixel phones, was the sponsor of a report in which it gained a perfect score. It’s essentially saying the Google Pixel 6 is a perfect device with respect to security, and that’s just not true because any device can be breached. Google has been issuing security patches for the phone, indicating there were at least a few issues. Not all sponsored research is bad, but it makes one wonder when coupled with a perfect ranking.

    Methodology

    The weighting of the security criteria is done by asking consumers to rank the importance of the nine features. While the report does not explicitly say this, I believe the 1,520 respondents were asked to pick their top three because the total percentage adds up to 300%. In my opinion, this is a questionable way to do it because the average end-user is not a security expert. This would be akin to asking a person on the street what safety features are most important in an airplane. I fly a lot, but I have no idea of the relative importance of each feature. The survey should have used a panel of security professionals.

    Scoring

    This was also flawed, as the scoring in each section was derived from counting the number of features rather than measuring how well the category’s objective was met. A good way to think about this is that it counted “tick boxes” rather than how well those boxes worked. It’s certainly not the most effective way to score, and I’ll elaborate below.

    Identity protection: This was the top-ranked feature by users, but the methodology was completely botched. Google scored highest because it had the most identity options, which makes sense because it’s tied to one’s Gmail account. Users can choose between one-time passwords, FIDO, push notifications, and others, where Apple only has two-factor, so Google got the highest score. What’s not told here is that Apple iCloud is the largest and one of the most — if not the most — successful deployments of two-factor security in the industry. With identity, more isn’t always better. Apple also does some interesting things when users have multiple devices; for example, it will inform you if you’re logging into your Mac in San Jose while your phone has just been authenticated in Russia.

    Security updates: The report takes a curious approach to security updates. One of the criteria is how long the vendor commits to providing security updates. It gives Google Pixel 6 a perfect score as it commits to what it calls “a solid five years’ security update period,” which is the longest of all vendors tested. It grades Apple more harshly because it does not document how long the support period is, but then states, “Apple devices tend to receive five to six years of support.” It also rewards Google for enabling upgrades via the Google Play store and refers to Apple’s methodology as “monolithic” but doesn’t define what that means. The fact is Apple does have a proven track record of providing updates to over a billion devices in less than a week when it is required to do so, and isn’t that the most important thing?

    Anti-malware: The fact that Apple has a lower score here than the three Android phones actually made me laugh. The report states: “While Samsung, Google, and Xiaomi have anti-malware solutions built into their devices to protect and detect malicious software, Apple is lacking here.” Apple does not have on-device anti-malware because it offers App Store and ecosystem protection, whereas Google does not. Also, to many users’ chagrin, Apple does not allow apps to be side-loaded, so there can be no “back-door” malware. This report from Panda Security stated that Android devices are responsible for 47% of all observed malware compared to less than 1% for iPhones. This becomes a vicious circle; threat actors will often target Android first because breaches are easier, adding to the Android problem.

    Lost devices: The report gives both Apple and Google Pixel top marks for having a web-based tool and mobile app to locate, trigger, lock, and wipe the device if it’s lost or stolen. What’s omitted is that iPhone supports the finding of offline (and even powered-off) devices, whereas Pixel must be powered on and connected to Wi-Fi or cellular.

    Physical access control: Here is another area where Apple and Google Pixel 6 each received full marks, but they would not have been ranked that highly if effectiveness had been looked at instead of simply having the feature. The iPhone 13 Face ID has a 1:1 million false acceptance rate (FAR), while Pixel 6 has a 1:50,000 FAR. Also, there have been many reports of the Pixel 6 having a slow fingerprint scanner.

    I can make similar arguments for secure backups, hardware security, and network security, where Apple is as good as or better than Google Pixel 6. The one section I did feel was accurate was anti-phishing, although the write-up was somewhat misleading. Safari uses Google Safe Browsing, but the report fails to mention that. The Pixel 6 does have an on-device anti-phishing warning system, which the iPhone does not have. Oddly enough, the one area where Google does have a clear win over Apple is ranked very low on the importance scale.

    The net result is that, after reading the report, I would have ranked Apple as good as or better than Google Pixel 6 if effectiveness had been used instead of counting sub-features. In this case, Apple is being penalized for having solid features. This is akin to ranking a car safer because it has a parachute to stop it when its brakes are known to fail, versus one that has brakes that never fail.

  • Cybersecurity: Why this beautiful city of spires could be the next tech innovation hub

    Some 4,000 ICT graduates are thought to enter the Czech Republic’s tech industry each year.

    Each year, around 4,000 ICT graduates in the Czech Republic enter its tech and IT industry. According to some estimates, the IT sector in the country employs more than 300,00 people, with the demand for talent growing every day. The mix of startups, well-established tech firms and global companies opening offices or branches in Prague makes the Czech capital a popular destination for the country’s tech workforce.

    Software developers themselves say they are mostly motivated by the opportunity to learn and to work on interesting projects, as well as the quality of life that Prague offers.

    Thirty-seven-year-old SQM developer Martin Bohm has been living in Prague for 10 years, having moved from neighboring Slovakia. For him, working in the Czech capital is the highlight of his career so far. “Opportunities in Prague are huge, skilled IT workers are needed and this is also visible on many job offer portals. This place has its spirit, cultural and historical; the difference with western EU countries is visible, but in a positive sense,” Bohm tells ZDNet. “The ratio between income and expenses is very well balanced, as the IT industry also offers high and above-average income.”

    Several tech companies are looking to capitalize on this talent, with US cybersecurity company SentinelOne among them. Last month, the company launched its new office and innovation center in Prague. The company plans to hire 300 staff and create product development functions in Prague that will augment its existing teams in the Americas, Asia, and elsewhere in Europe. Prague will become the heart of SentinelOne’s European operations with a planned $45 million investment over the next three years.

    SentinelOne’s total investment in the Czech Republic will exceed $45 million over the next three years. The company plans to hire across a number of engineering disciplines, such as kernel, frontend, backend, validation and data engineering, as well as in data science and detection.

    Innovation

    With this investment, Prague will become the heart of SentinelOne’s European operations and the center of its global product development. This makes it an important strategic investment for the company, says SentinelOne COO Nicholas Warner, and as such, access to talent will be crucial. “The Czech education system produces engineers of a particularly high caliber, so we see it as the ideal base to help us build our technology. We’re impressed with the math, science, critical thinking, and language skills of the talent pool,” Warner tells ZDNet.

    Martin Matula, the company’s VP of engineering, is the site lead for its operations in the Czech Republic. He joined SentinelOne from Avast, another successful cybersecurity company with its roots in the Czech Republic. The Czech Republic and Slovakia have created a number of successful cybersecurity companies, and Matula believes this is why the region has such an abundance of tech talent. “We have a solid base of a talent pool for backend engineers, Java and JVM-based technologies. There are many SaaS companies based here, so when it comes to the experience of working with public cloud, developing microservices, public cloud backend, frontend, [and] quality assurance, I feel that we are doing pretty well on that front,” he tells ZDNet.

    Old dogs, new tricks

    Prague is also home to some of the Czech Republic’s biggest names in tech. 2N Telekomunikace, a developer and manufacturer of IP intercoms and access control systems, is considered one of the country’s IT pioneers. Founded in 1991, the company has since become a leader in the global access control market and has experienced an average growth of 20% annually since being acquired by Swedish video surveillance giant Axis in 2016.

    The demand for contactless technology in the workplace — something 2N has also been working on in recent years — is helping to fuel further growth for the company. “The value of technology in managing access to buildings or floor levels is becoming more widely recognized now,” 2N chief executive Michal Kratochvil tells ZDNet.

    2N has ambitious plans to expand throughout Australia, Europe and the US, where the access control market size is expected to reach more than $15 billion by 2027. These regions are less price-sensitive than elsewhere and value innovation more highly, says Kratochvil — something that will prove crucial for the company’s ambitions to transition from analog intercom systems to ‘smart’ IP intercoms.

    Even so, being based in the Czech Republic has significantly influenced the company’s development, Kratochvil says. “2N’s heritage is in the Czech Republic and our products are still developed here. It has proved to be the perfect base from which to grow internationally because the cost base is lower than Western Europe or North America and there is an outstanding talent pool.”

    With companies like 2N and SentinelOne setting up shop in the Czech Republic and creating bountiful opportunities for the country’s software professionals, developers are less likely to move elsewhere. The success of Prague and Brno, another Czech city with a booming IT ecosystem, in attracting many of the world’s leading tech companies also means the sector is under less pressure to rely on overseas talent.

    Meanwhile, developers are able to work with companies that are serious about their workers’ career development. Organizational chart transformations — where employees are allowed to work for other parts of the business — and project relocations are becoming very common in the Czech Republic, says Bohm. “When it comes to personal growth, absolutely, companies I worked for are investing time for continuous employee development,” he says. “There is definitely big potential in the industry.”

    For Matula, nowhere is this potential bigger than in the Czech Republic’s budding cyber-ecosystem. “There are lots of opportunities in Prague for starting up other R&D centers for e-commerce and other different domains, but I think cybersecurity is the future. Even now, it influences relationships between countries, it influences even how wars are being conducted,” he says. “In this region, the Czech Republic and Slovakia, we have a history of building cybersecurity companies… So, when it comes to cybersecurity, there is really good talent here.”

  • Ransomware warning: Hackers see holidays and weekends as a great time to attack

    Ahead of Thanksgiving this Thursday, the US Cybersecurity and Infrastructure Agency (CISA) and the FBI have released a warning for critical infrastructure providers to stay vigilant on holidays and weekends, because hackers don’t plan on taking a holiday break. The agency issued a similar warning in August ahead of the Labor Day weekend, warning that ransomware attackers often choose to launch attacks on holidays and weekends, specifically when businesses are likely to be closed. 


    “Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” CISA and the FBI said.

    The agencies said they had not identified any specific threats. However, they noted that some of the worst ransomware attacks happened on holidays and weekends, including Independence Day and the Mother’s Day weekend.

    To prepare for potential attacks on the Thanksgiving weekend, the agencies have outlined several key steps organizations can take to minimize the risk of an attack. These include: identifying key IT security staff who could handle a surge in work after a ransomware attack; implementing multi-factor authentication for remote access and administrative accounts; enforcing strong passwords and avoiding password reuse; ensuring RDP is secure and monitored; and reminding employees not to click on suspicious links.

    Organizations also need to review incident response measures and procedures. “To reduce the risk of severe business/functional degradation should your organization fall victim to a ransomware attack—review and, if needed, update your incident response and communication plans. These plans should list actions to take—and contacts to reach out to—should your organization be impacted by a ransomware incident.” CISA and the FBI urge users and organizations to take these actions “immediately” to protect themselves against this potential threat.

    The agencies detailed several major ransomware attacks that aligned with US public holidays. In May 2021, leading into Mother’s Day weekend, a ransomware gang deployed DarkSide ransomware against Colonial Pipeline. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand. In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked Kaseya’s remote monitoring and management tool.

    While most of these attacks have been attributed to suspected Russian-based hackers, Microsoft last week warned that state-sponsored hackers from Iran are increasingly using ransomware to disrupt their targets. The US, UK and Australia called out Iranian attackers for exploiting known flaws in Fortinet’s VPN and Microsoft Exchange to deploy ransomware.

  • Ethical Hacking, book review: A hands-on guide for would-be security professionals

    Ethical Hacking: A Hands-on Introduction to Breaking In • By Daniel G Graham • No Starch Press • 376 pages • ISBN 9781718501874 • £41.99 / $49.99

    The parlous state of software and IT infrastructure security is also a career opportunity, with malware analysts, security researchers, penetration testers and red teams all in demand. Defenders need to know how attackers think, and what tools they use, so they can assess their own infrastructure for vulnerabilities and learn to detect malicious activity in the network.

    In Ethical Hacking: A Hands-on Introduction to Breaking In, Daniel G Graham sets out to deliver a practical guide for learning hacking techniques, and you jump straight into the hands-on guide by creating a set of Linux VMs to host the environment you’re going to break into (since you can’t ethically hack someone else’s environment). You then work through some known vulnerabilities, progressing to capturing traffic, building a botnet and a ransomware server, generating phishing emails and deepfakes. Although you’ll need to know how to write and run Python code, you don’t need a great deal of expertise to get started because the step-by-step instructions are clear and detailed. Along the way, complex concepts are explained well: if you want to execute ransomware or try to bypass TLS, you need to understand encryption first; you need to understand syscalls and the underpinnings of Linux for rootkits; and likewise hashing for cracking passwords.

    Graham steps through common hacking techniques: creating deepfake video and audio, exploring how publicly available information is interconnected with Maltego to reveal information about an organisation’s staff and infrastructure, downloading databases of cracked and breached passwords, looking for exposed vulnerable devices with Masscan, Shodan and Nessus, building Trojans and Linux rootkits (you’ll need to know C coding for this), using SQL injection to extract usernames and passwords from websites, cross-site scripting attacks and privilege escalation once you get into a network. You’re unlikely to discover your own zero days, but you will learn fuzzing, and how to exploit the OpenSSL Heartbleed vulnerability. Along the way, Graham introduces other hacking tools like King Phisher, the swaks SMTP auditing tool in Kali Linux, John the Ripper for password cracking, Hydra for automating brute force password attacks and many others.

    The chapter on attacking domain servers, Active Directory and Kerberos on large Windows networks could probably be expanded to fill a book of its own, but if you’re a Windows network admin and you don’t already know how to use Mimikatz, even this quick survey of the approaches hackers will take should be something of a wake-up call. (Microsoft has extensive guidance on remediating many of the issues covered here.) While this book will help even a relative beginner to become familiar with a wide range of tools that are useful to hackers, it is — as promised — a hands-on introduction. Readers will be in a position to explore further, and the final chapter talks you through hardening a hosted VM that you can use for actual ethical hacking. It also mentions some tantalising advanced targets like industrial systems and cellular infrastructure, although readers won’t immediately be in a position to go after those without doing quite a bit of extra work.

    Even if you don’t plan to do any active ethical hacking, it should be a salutary warning to anyone in IT that hacking tools are both sophisticated and widely available. There are plenty of tutorials aimed at using them maliciously, so the detail in this book doesn’t increase the risk to those with vulnerable systems. If you do want to pursue this as a career, Ethical Hacking will guide you through the first steps.

  • Suspect arrested in 'ransom your employer' criminal scheme

    A Nigerian man has been arrested in connection to a scheme attempting to lure insiders to deploy ransomware on employer systems.

    On November 22, security expert Brian Krebs reported that the man, Oluwaseun Medayedupin, was arrested by Nigerian authorities on Friday. The suspect is allegedly linked to a ‘ransom your employer’ scheme investigated by Abnormal Security in August. Customers of the cybersecurity firm were sent emails with the subject “Partnership affiliate offer,” requesting that the recipient consider becoming an accomplice in a cyberattack. The emails offered a 40% cut of an anticipated $2.5 million ransomware payment in Bitcoin (BTC), to be made after the recipients installed the DemonWare ransomware on their employer’s systems. A Microsoft Outlook email address and Telegram handle were provided for interested parties.

    Abnormal Security researchers reached out under the guise of a fictional person and confirmed they were sent a ransomware executable hosted on two file-sharing websites. However, the ransomware ‘cut’ on offer was reduced to between $120,000 and $250,000 once the team began communicating with the scheme’s operator.

    The team suspected the ransomware initiative may be of Nigerian origin. When queried, the threat actor said he was attempting to build a social network for Africa called Sociogram and shared his LinkedIn profile containing his full name. “According to the actor, he collects his targeting information from LinkedIn, which, in addition to other commercial services that sell access to similar data, is a common method scammers use to obtain contact information for employees,” Abnormal Security said. “[…] he had originally intended to send his targets — all senior-level executives — phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext.”

    Medayedupin then reached out to Krebs following his report, asking that the name Sociogram be removed, but at the same time neither confirming nor denying Abnormal Security’s investigation. Another message followed via a domain registrar, calling “Mr. Krebson” a “clout chasing monger.” Charges are expected to be brought against Medayedupin, reportedly 23 years of age, this week.

  • Code execution bug patched in Imunify360 Linux server security suite

    A severe PHP deserialization vulnerability leading to code execution has been patched in Imunify360. 

    Discovered by Cisco Talos researcher Marcin ‘Icewall’ Noga, the vulnerability “could cause a deserialization condition with controllable data and then execute arbitrary code,” leaving web servers open to hijacking. Tracked as CVE-2021-21956 and issued a CVSSv3 score of 8.2, the security flaw is present in CloudLinux’s Imunify360 versions 5.8 and 5.9. Imunify360 is a security suite for Linux web servers including patch management, domain blacklisting, and firewall features.

    In a security advisory published on Monday, Cisco Talos said the flaw was found in the Ai-Bolit malware scanner functionality of the software. The Ai-Bolit component is used to scan and check website-related files, such as .php, .js, or .html content, and is installed natively as a service with root privileges. Within a deobfuscation class of the module, a failure to sanitize submitted data means that arbitrary code can be executed during unserialization. If the software is configured for real-time file system scanning, attackers could trigger an attack by creating a malicious file on the target server, or by duping a user into performing a scan on a crafted payload file on the threat actor’s behalf.

    Cisco reported its findings to the vendor on October 1 and coordinated public disclosure was agreed upon. Administrators of Linux web servers running Imunify360 should upgrade to the latest release, which at the time of writing is version 6.1.

    ZDNet has reached out to the vendor and we will update when we hear back.
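    The bug class behind this advisory, as an added illustration that is not Imunify360 or Ai-Bolit code and assumes nothing about their internals: a hypothetical class whose magic method runs whenever PHP rebuilds it from a serialized string, the unsafe call that lets untrusted bytes instantiate it, and the hardened alternatives a defender would use instead.

```php
<?php
// Added illustration of the PHP deserialization bug class described above.
// Not Imunify360 / Ai-Bolit code: TempFileCleaner is a hypothetical stand-in
// for any loaded class that has side effects in a magic method.

class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // PHP invokes __wakeup() automatically when it rebuilds an object of this
    // class from a serialized string. If that string came from an untrusted
    // source, the caller of unserialize() never chose $path; whoever wrote
    // the bytes did. Here the side effect is only a log line.
    public function __wakeup(): void
    {
        error_log('TempFileCleaner::__wakeup for ' . $this->path);
    }
}

// Vulnerable pattern: plain unserialize() on untrusted bytes. Any class the
// application has loaded (or can autoload) may be instantiated, and its magic
// methods run with the privileges of the process doing the parsing.
function parseUntrustedVulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern 1: refuse object instantiation. Serialized objects come back
// as __PHP_Incomplete_Class, carrying their data but no behaviour, so no magic
// method executes.
function parseUntrustedHardened(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened pattern 2, preferable when the format is yours to choose: keep
// untrusted input away from native serialization entirely. JSON carries data
// only and cannot name a class to instantiate.
function parseUntrustedJson(string $blob): mixed
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

// Returns true only when the hardened call neutralised the object while the
// plain call revived it, i.e. the guard made the difference it is meant to.
function hardeningMakesADifference(string $blob): bool
{
    $revived = parseUntrustedVulnerable($blob);   // __wakeup() runs here
    $inert   = parseUntrustedHardened($blob);     // nothing runs here
    return $revived instanceof TempFileCleaner
        && $inert instanceof __PHP_Incomplete_Class;
}

// Constructed sample input: the serialized form of a TempFileCleaner, the kind
// of byte string a file under the parser's control could carry.
$sample = serialize(new TempFileCleaner('/tmp/example'));

var_dump(hardeningMakesADifference($sample));
```

    The `allowed_classes` option exists since PHP 7.0; on older runtimes the only safe option is the second one, not using `unserialize()` on untrusted input at all.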

  • OAIC finds big four banks are handling consumer data with good privacy practices

    An audit of Australia’s big four banks by the Office of the Australian Information Commissioner (OAIC) has found that they have been handling consumer data under the Consumer Data Right (CDR) in an open and transparent way, and have demonstrated good privacy practices, as the audit did not find any areas of high privacy risk.

    As part of the first CDR privacy assessment, the OAIC, which is a co-regulator of the CDR, examined ANZ, Commonwealth Bank, National Australia Bank, and Westpac as they were the initial CDR data holders. Each bank was evaluated according to its compliance with privacy safeguard 1, which requires providers to have a CDR policy describing how they manage consumer data and to implement internal practices, procedures, and systems to ensure compliance. There are 13 legally binding privacy safeguards under the CDR that set out consumers’ privacy rights and providers’ obligations when collecting and handling their data. Privacy safeguard 1 is considered, as the OAIC puts it, the bedrock privacy safeguard that underpins compliance with all the other privacy safeguards.

    “Our privacy assessment found the big four banks are generally complying with the bedrock Consumer Data Right privacy safeguard,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said. According to the assessment, all banks have good privacy practices in place, as they each developed a CDR policy that outlined how they managed CDR data and their consumer complaint handling process. It also found the banks were taking steps to establish and promote a culture that respects privacy and good information handling practices when managing CDR data.

    “All banks had appointed senior staff responsible for strategic leadership of the CDR regime and officers responsible for day-to-day management of CDR data,” the OAIC audit said. “Three banks demonstrated good privacy practice in limiting access to CDR systems and data to staff with an operational requirement to have access. The banks generally demonstrated good practice by setting practices, procedures and systems to review their CDR policies on a scheduled basis, as well as following legislative and operational changes. They used existing document control frameworks and specific staff were responsible for reviewing their CDR policy.”

    At the same time, the audit uncovered areas for improvement. For each bank, the OAIC identified at least one medium privacy risk. One bank had four medium privacy risks, two banks had three, and one bank had one. The majority of medium privacy risks were related to the way the banks have implemented internal practices, procedures, and systems to ensure compliance with their CDR obligations. Off the back of these findings, the OAIC recommended what each bank could do to address the medium privacy risks, such as developing internal practices, procedures, and systems that specifically address compliance with privacy safeguards that diverge from, or are additional obligations to, the Australian Privacy Principles. All banks accepted the OAIC’s recommendations.

    “Our recommendations and suggestions will assist these data holders and other providers in the system to further embed, review and enhance their privacy practices, so that consumers can continue to use the Consumer Data Right with confidence,” Falk said. On finalising the assessment, the OAIC wrote to the banks outlining its expectation that they respond with a plan for implementing the recommendations. The OAIC will revisit each bank in six months to ensure all the recommendations are fully implemented. “The Consumer Data Right has a strong regulatory framework to protect consumers’ privacy and build confidence in the system,” Falk said. “We are proactively auditing and monitoring providers in the system to ensure these strict privacy safeguards are being upheld, so that consumers can feel confident their data is protected.”

    Australia’s CDR was officially launched on July 1, with the first tranche, an open-banking regime, requiring financial services providers to share customers’ data when requested by the customer. Under CDR, individual customers of the big four banks can request that their bank share their “live” data for deposit and transaction accounts and credit and debit cards with accredited data recipients.

    Earlier this month, amendments to the CDR were made so it could be expanded to the energy sector. Under the amendments, from October 2022, energy product information will be shared so consumers can better compare energy plans, and from November 2022, energy consumers will be able to give consent to share their data about their own energy use and connection with a comparison service or fintech app. “With increased consumer mobility, energy retailers will be encouraged to improve tailoring of services and create better consumer experiences to retain their customers. I’m excited to see this expansion of the CDR across the economy, with telecommunications as the next sector under consideration,” Minister for Superannuation, Financial Services and the Digital Economy Jane Hume said.

  • Data from millions of Brazilians exposed in Wi-Fi management software firm leak

    A Brazilian Wi-Fi management software firm exposed data of various high profile companies and millions of their customers.

    The data was leaked by WSpot, which provides software that enables businesses to secure their on-premise Wi-Fi networks and allow password-free online access to their customers. The leak was discovered by security research firm SafetyDetectives. The researchers found WSpot’s misconfigured Amazon Web Services (AWS) S3 bucket, which was left open and exposed 10GB worth of data to the public. After discovering the sensitive data on September 2, the researchers contacted the software firm on September 7. WSpot closed the exposure the following day.

    Some 226,000 files were exposed in the leak, the researchers noted, including personal information from approximately 2.5 million individuals who connected to the public Wi-Fi networks provided by WSpot clients. The company’s client portfolio includes Pizza Hut, financial services provider Sicredi, and healthcare firm Unimed. According to SafetyDetectives, the set of information exposed included details supplied by individuals in order to access the Wi-Fi service provided by the companies. This includes full name, email address, full address, and taxpayer registration numbers — in addition to the login credentials created in the registration process.

    WSpot confirmed the leak to ZDNet, saying the issue was caused by a “lack of standardization in the management of information [stored] in a specific folder.” The Brazilian company reiterated that it had been working to address the issue from the time it was contacted until the conclusion of technical procedures on November 18. WSpot states that its servers remain intact and were not invaded by malicious actors, saying there’s no evidence that the exposed data has been accessed by cybercriminals. However, the software firm also stated that it has hired a security company to fully investigate any repercussions in relation to the data leaked in the incident.

    WSpot says the issue impacted 5% of its total customer base, and that none of its clients had business and/or sensitive information compromised. Additionally, it reiterated that it does not capture financial information such as credit card details or access credentials to other services. It’s unclear whether the company will inform the individuals exposed about the incident. According to a WSpot spokesperson, the National Data Protection Authority has not yet been contacted about the incident; however, “all legal issues surrounding the case are being addressed by WSpot as thoroughly as possible, especially in order to ascertain the next steps.”