"The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics"
*The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics*
/Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data./
Jordan Pearson May 2, 2024 11:24 AM
https://www.wired.com/story/outabox-facial-recognition-breach/
Good morning,
"J.C. DE MARTIN" <juancarlos.demartin@polito.it> writes:
*The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics*
/Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data./
Jordan Pearson May 2, 2024 11:24 AM
https://www.wired.com/story/outabox-facial-recognition-breach/
--8<---------------cut here---------------start------------->8---
Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data.

Police and federal agencies are responding to a massive breach of personal data linked to a facial recognition scheme that was implemented in bars and clubs across Australia. The incident highlights emerging privacy concerns as AI-powered facial recognition becomes more widely used everywhere from shopping malls to sporting events.

The affected company is Australia-based Outabox, which also has offices in the United States and the Philippines. In response to the Covid-19 pandemic, Outabox [debuted a facial recognition kiosk] that scans visitors and checks their temperature. The kiosks can also be used to identify problem gamblers who enrolled in a self-exclusion initiative.

This week, a website called “Have I Been Outaboxed” emerged, claiming to be set up by former Outabox developers in the Philippines. The website asks visitors to enter their name to check whether their information had been included in a database of Outabox data, which the site alleges had lax internal controls and was shared in an unsecured spreadsheet. It claims to have more than 1 million records.

The incident has rankled privacy experts who have [long set off alarm bells] over the creep of facial recognition systems in public spaces such as clubs and casinos. “Sadly, this is a horrible example of what can happen as a result of implementing privacy-invasive facial recognition systems,” Samantha Floreani, head of policy for Australia-based privacy and security nonprofit Digital Rights Watch, tells WIRED. “When privacy advocates warn of the risks associated with surveillance-based systems like this, data breaches are one of them.”

According to the Have I Been Outaboxed website, the data includes “facial recognition biometric, driver licence [sic] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage.” It claims Outabox exported the “entire membership data” of [IGT], a supplier of gambling machines.

IGT vice president of global communications Phil O'Shaughnessy tells WIRED that “the data affected by this incident has not been obtained from IGT,” and that the firm would work with Outabox and law enforcement.

[...]

“Outabox is aware and responding to a cyber incident potentially involving some personal information,” an Outabox spokesperson tells WIRED. “We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”

The New South Wales police force confirmed to WIRED that it was investigating a data breach on Wednesday, but a spokesperson declined to share further details. On Thursday, [the force announced that it], working alongside federal and state agencies, had arrested an unnamed 46-year-old man in a Sydney suburb. He is expected to be charged with blackmail.

Clubs that used Outabox's technology posted announcements about the incident and notified clients this week. One person who [posted a breach notification] from a club they visited recounted their experience with the facial recognition system. “My fondest memory of this system is visiting a club and having it confidently match my face to a member that was clearly 20+ years older than me, and looked nothing like me,” [they wrote in a post on X]. The club did not respond to a request for comment.

[...]

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff,” the Outabox spokesperson says. “We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.” Outabox declined to specify which statements are false, citing the police investigation.

It's unclear how much of the story told on the website is true, or whether the perpetrators even have the claimed biometric data. Australian cybersecurity expert Troy Hunt, founder of the breach notification website [Have I Been Pwned], tells WIRED that there is little reason to doubt it at this time. “I haven't seen any reason not to take this at face value, which means they have exactly what they say they have,” he says.

[In posts on X], Hunt speculated that the website's posting may have been preceded by demands that were not met, and that the perpetrators' actions now “clearly land” in the realm of criminality. “Offshoring is a messy discussion between the legalities of data sovereignty, perceived shortcomings of foreign labor, and frankly, a big dose of xenophobia,” Hunt says. “It's not like Aussie developers doing exactly the same thing would have made this OK.”

Floreani of Digital Rights Watch says that the incident illustrates the “significant negative consequences” that can arise from collecting sensitive biometric data. “We need bold privacy reform and strict limitations on facial recognition technology,” she says. “As always, surveillance isn't safety.”

[Jordan Pearson] </author/jordan-pearson/>
[debuted a facial recognition kiosk] <https://www.outabox.io/products/triagementrymgmt/index.html>
[long set off alarm bells] <https://www.vice.com/en/article/dy75px/facial-recognition-will-be-used-to-st...>
[IGT] <https://www.igt.com/>
[the force announced that it] <https://www.police.nsw.gov.au/news/news?sq_content_src=%2BdXJsPWh0dHBzJTNBJT...>
[posted a breach notification] <https://x.com/athompson10/status/1785649167114862786>
[they wrote in a post on X] <https://x.com/athompson10/status/1785647123687682373>
[including in the Philippines] <https://www.washingtonpost.com/world/2023/08/28/scale-ai-remotasks-philippin...>
[according to online records] <https://whois.domaintools.com/haveibeenoutaboxed.com>
[Have I Been Pwned] <https://haveibeenpwned.com/>
[In posts on X] <https://x.com/troyhunt/status/1785784980209377758>
--8<---------------cut here---------------end--------------->8---

--
380° (Giovanni Biscuolo public alter ego)
«We, incompetent as we are, have no standing to suggest anything»
Disinformation flourishes because many people care deeply about injustice but very few check the facts.
Ask me about <https://stallmansupport.org>.
380° <g380@biscuolo.net> writes:
Good morning,
"J.C. DE MARTIN" <juancarlos.demartin@polito.it> writes:
*The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics*
/Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data./
Jordan Pearson May 2, 2024 11:24 AM
https://www.wired.com/story/outabox-facial-recognition-breach/
--8<---------------cut here---------------start------------->8---
[...]
According to the Have I Been Outaboxed website, the data includes “facial recognition biometric, driver licence [sic] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage.” It claims Outabox exported the “entire membership data” of [IGT], a supplier of gambling machines.
Let's see what they say directly at the source: «Who are Outabox» https://haveibeenoutaboxed.com/outabox

--8<---------------cut here---------------start------------->8---
In the fast-paced world of technology, companies often promise innovation and efficiency. However, the recent revelations surrounding Outabox, a software solutions provider, shed light on the darker side of the industry. Outabox's reckless and deceitful business practices have not only jeopardized their own reputation but also endangered the security and privacy of consumers' sensitive data.

[...]

Outabox contracted an offshore team of developers from the Philippines to build their software systems. While this outsourcing strategy is common in the industry, what followed was far from standard practice. The developers were granted unrestricted access to the back-end systems of gaming venues, including access to raw data containing facial recognition biometrics, driver's license scans, club membership details, and more. The developers were directed to back up all the data off site, possibly against the knowledge of the operating venue. Shockingly, Outabox provided little to no oversight, allowing these developers free rein over sensitive consumer information.

What makes Outabox's behavior even more egregious is their abrupt decision to sever ties with the offshore team without fulfilling their contractual obligations. Despite the developers' year and a half of work, Outabox callously refused to compensate them, leaving a trail of unpaid invoices and shattered trust in their wake. Outabox has set up a new team in Vietnam and is possibly following the same questionable practices.

[…]

What data was collected?
────────────────────────

If you visited a venue using these devices from Outabox, your visit was logged and your facial scan was saved. If you had your driver's licence scanned, the scan was saved. If you signed in, your signature was saved.

Outabox had special access to IGT gaming databases and exported the entire membership data. This included members' addresses, birthdays, phone numbers and slot machine usage. In total, over 500GB of data was shared.

Share this page to warn others.
--8<---------------cut here---------------end--------------->8---

From the same site again: https://haveibeenoutaboxed.com/press

--8<---------------cut here---------------start------------->8---
Outabox shared a press release on their website and made some untrue statements to the media. Below are the truths regarding Outabox's data management practices and potential breaches.

Unauthorized Access vs. Authorized Access
─────────────────────────────────────────

Outabox claimed in their press release that there was potential unauthorized access by a third party; however, access to the data was authorized by senior executives from Outabox who gave clear instruction to the developers in the Philippines to schedule regular backup onto external clouds. Hence, access was fully authorized.

Data Security Procedures
─────────────────────────

Outabox's data security procedures are severely lacking. That Outabox stored sensitive information like passwords in an unsecured spreadsheet, which was accessible by all employees and contractors, is a clear example of this. Additionally, exporting entire club membership databases, including slot machine data, without proper consent or knowledge of the clubs, is a serious breach of trust and potentially regulatory compliance. This is how Outabox handled each venue's sensitive data.

[…]

Remote Access
─────────────

In the event that remote support is needed by the club, in an ideal secure club, a dedicated remote session is set up and closely monitored. Every keystroke and mouse movement is closely watched and recorded. Outabox has a shortcut to bypass that scrutiny by installing remote desktop software on the venue's server.

Outabox's shortcut to bypass secure remote access procedures is extremely risky. This gives them unrestricted access to sensitive data, compromising the security and privacy of the clubs' information. Even though the developers in the Philippines no longer have access to the remote desktops, it can't be ruled out that the developers in Vietnam still have access.

Cloud Backup
────────────

Outabox was regularly backing up club membership data, including slot machine data, onto the cloud, possibly without the clubs' knowledge or consent. This raises serious concerns about data privacy and compliance with regulations regarding the handling of sensitive information. We have evidence that the scheduled backups are still continuing.

Supplier Permissions
────────────────────

While access to the membership data may have been granted by International Gaming Technology (IGT), it's unclear if the clubs were fully aware of the extent of the data being accessed and backed up by Outabox. This lack of transparency further undermines trust between Outabox and the clubs.

Overall, the practices outlined suggest significant negligence and disregard for proper data management and security protocols by Outabox. Yet, they are not accepting blame. They want to blame the people they cheated. We are exposing them on their poor lack of security and data protection protocol!
--8<---------------cut here---------------end--------------->8---

[...]
380° <g380@biscuolo.net> writes:
[...]
[the force announced that it] <https://www.police.nsw.gov.au/news/news?sq_content_src=%2BdXJsPWh0dHBzJTNBJT...>
«Cybercrime Squad detectives arrest man over alleged data breach under Strike Force Division» Thursday, 02 May 2024 05:15:53 PM

--8<---------------cut here---------------start------------->8---
[…]

Cybercrime Squad detectives investigating an alleged data breach threatening to share the personal details of over one million people have arrested a man in Fairfield West.

Yesterday (Wednesday 1 May 2024), officers attached to State Crime Command's Cybercrime Squad were alerted to a website which had published the personal information of patrons who signed-in using their drivers' licences at specific premises across NSW.

Cybercrime Squad detectives worked closely with Federal and State agencies to contain the breach and commenced an investigation under Strike Force Division.

Following extensive inquiries, about 4.20pm today (Thursday 2 May 2024), strike force detectives executed a search warrant in Fairfield West. At the address, police arrested a 46-year-old man. He will be taken to Fairfield Police Station where he is expected to be charged with blackmail.

Commander of the Cybercrime Squad, Detective Acting Superintendent Gillian Lister, said this breach should act as a reminder for people to check their personal cyber security.

“Now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible,” Det A/Supt Lister said.

“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link.

“Always make sure to report incidents of cybercrime through the Australian Cyber Security Centre or Scamwatch.”
--8<---------------cut here---------------end--------------->8---

[...]
380° <g380@biscuolo.net> writes:
[...]
Jordan Pearson May 2, 2024 11:24 AM
https://www.wired.com/story/outabox-facial-recognition-breach/
--8<---------------cut here---------------start------------->8---
Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data. [...] The incident highlights emerging privacy concerns as AI-powered facial recognition [...] The incident has rankled privacy experts who have [long set off alarm bells] over the creep of facial recognition systems [...] Floreani of Digital Rights Watch says that the incident illustrates the “significant negative consequences” that can arise from collecting sensitive biometric data. “We need bold privacy reform and strict limitations on facial recognition technology,” [...]
[the force announced that it] <https://www.police.nsw.gov.au/news/news?sq_content_src=%2BdXJsPWh0dHBzJTNBJT...>
The piece's insistence, starting from the title, that this story is about facial recognition and biometrics - what's more, combined with AI, the new /nuclear experiment/ - and not about the _whole_ system of collecting and processing personal data in general, combined with the fact that the official police statement literally /insinuates/ that this is a matter of _personal_ "cyber hygiene" and that /the naive/ would do well to use "strong passwords" and "two-factor authentication", makes this media operation reek of gaslighting (psychological manipulation) from a kilometre away.

The man arrested (apparently) in connection with this "data breach" is accused of blackmail, even though details on _what_ blackmail was actually carried out are conspicuously missing: the publication of the website? Is what the authors of https://haveibeenoutaboxed.com/ did whistleblowing or blackmail?!?

Meanwhile, several days after the news *and* with an arrest in between, the OAIC (Office of the Australian Information Commissioner) has not issued any statement on the matter; who knows whether they are at least investigating https://www.oaic.gov.au/newsroom ...or is all the anger and the apparent gaslighting because "dirty laundry must be washed at home" (and hung out so as not to spoil the decorum of the façade)?!?

Regards, 380°
participants (2): 380°, J.C. DE MARTIN