380° <g380@biscuolo.net> writes:

Good morning,

"J.C. DE MARTIN" <juancarlos.demartin@polito.it> writes:

*The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics*
/Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data./
Jordan Pearson May 2, 2024 11:24 AM
https://www.wired.com/story/outabox-facial-recognition-breach/

--8<---------------cut here---------------start------------->8---
[...]
According to the Have I Been Outaboxed website, the data includes “facial recognition biometric, driver licence [sic] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage.” It claims Outabox exported the “entire membership data” of [IGT], a supplier of gambling machines.
--8<---------------cut here---------------end--------------->8---

Let's see what they say directly at the source: «Who are Outabox»
https://haveibeenoutaboxed.com/outabox

--8<---------------cut here---------------start------------->8---
In the fast-paced world of technology, companies often promise innovation and efficiency. However, the recent revelations surrounding Outabox, a software solutions provider, shed light on the darker side of the industry. Outabox's reckless and deceitful business practices have not only jeopardized their own reputation but also endangered the security and privacy of consumers' sensitive data.

[...]

Outabox contracted an offshore team of developers from the Philippines to build their software systems. While this outsourcing strategy is common in the industry, what followed was far from standard practice. The developers were granted unrestricted access to the back-end systems of gaming venues, including access to raw data containing facial recognition biometrics, driver's license scans, club membership details, and more. The developers were directed to back up all the data off site, possibly against the knowledge of the operating venue. Shockingly, Outabox provided little to no oversight, allowing these developers free rein over sensitive consumer information.

What makes Outabox's behavior even more egregious is their abrupt decision to sever ties with the offshore team without fulfilling their contractual obligations. Despite the developers' year and a half of work, Outabox callously refused to compensate them, leaving a trail of unpaid invoices and shattered trust in their wake. Outabox has set up a new team in Vietnam and is possibly following the same questionable practices.

[…]

What data was collected?
────────────────────────

If you visited a venue using these devices from Outabox, your visit was logged and your facial scan was saved. If you had your driver's licence scanned, the scan was saved. If you signed in, your signature was saved.

Outabox had special access to IGT gaming databases and exported the entire membership data. This included members' addresses, birthdays, phone numbers and slot machine usage. In total, over 500GB of data was shared.

Share this page to warn others.
--8<---------------cut here---------------end--------------->8---

Again from the same site: https://haveibeenoutaboxed.com/press

--8<---------------cut here---------------start------------->8---
Outabox shared a press release on their website and made some untrue statements to the media. Below are the truths regarding Outabox's data management practices and potential breaches.

Unauthorized Access vs. Authorized Access
─────────────────────────────────────────

Outabox claimed in their press release that there was potential unauthorized access by a third party; however, access to the data was authorized by senior executives from Outabox who gave clear instruction to the developers in the Philippines to schedule regular backups onto external clouds. Hence, access was fully authorized.

Data Security Procedures
────────────────────────

Outabox's data security procedures are severely lacking. Outabox storing sensitive information like passwords in an unsecured spreadsheet, which was accessible by all employees and contractors, is a clear example of this. Additionally, exporting entire club membership databases, including slot machine data, without proper consent or knowledge of the clubs, is a serious breach of trust and potentially of regulatory compliance. This is how Outabox handled each venue's sensitive data.

[…]

Remote Access
─────────────

In the event that remote support is needed by the club, in an ideal secure club, a dedicated remote session is set up and closely monitored. Every keystroke and mouse movement is closely watched and recorded. Outabox has a shortcut to bypass that scrutiny by installing remote desktop software on the venue's server.

Outabox's shortcut to bypass secure remote access procedures is extremely risky. This gives them unrestricted access to sensitive data, compromising the security and privacy of the clubs' information. Even though the developers in the Philippines no longer have access to the remote desktops, it can't be ruled out that the developers in Vietnam still have access.

Cloud Backup
────────────

Outabox was regularly backing up club membership data, including slot machine data, onto the cloud, possibly without the clubs' knowledge or consent; this raises serious concerns about data privacy and compliance with regulations regarding the handling of sensitive information. We have evidence that the scheduled backups are still continuing.

Supplier Permissions
────────────────────

While access to the membership data may have been granted by International Gaming Technology (IGT), it's unclear if the clubs were fully aware of the extent of the data being accessed and backed up by Outabox. This lack of transparency further undermines trust between Outabox and the clubs.

Overall, the practices outlined suggest significant negligence and disregard for proper data management and security protocols by Outabox. Yet, they are not accepting blame. They want to blame the people they cheated. We are exposing them on their poor lack of security and data protection protocol!
--8<---------------cut here---------------end--------------->8---

[...]

--
380° (Giovanni Biscuolo public alter ego)

«We, incompetent as we are, have no standing to suggest anything»

Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>.