Data Privacy Weekly: Your Industry News Series 

01. AWS Unveils DSSE-KMS, A Dual-Layer Encryption for Enhanced Data Security!

AWS has introduced Amazon S3 dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS). This new encryption option provides two layers of encryption to objects uploaded to an Amazon S3 bucket, ensuring compliance with regulatory requirements. DSSE-KMS meets FIPS and CNSA encryption standards and offers four server-side encryption options, including DSSE-KMS.

Users can enable DSSE-KMS through various methods, such as the AWS CLI, AWS Management Console, or Amazon S3 REST API. With its enhanced security features, DSSE-KMS is available in all AWS Regions. Pricing details are on the Amazon S3 and AWS KMS pricing pages.

AWS Unveils DSSE-KMS, A Dual-Layer Encryption for Enhanced Data Security
Streamlined Payment Security: AWS Introduces Payment Cryptography for Effortless Transactions

02. Streamlined Payment Security: AWS Introduces Payment Cryptography for Effortless Transactions!

At the re:Inforce conference, AWS unveiled Payment Cryptography, a new service streamlining payment cryptography operations. Designed to meet PCI security requirements, this flexible solution replaces on-premises payment hardware security modules (HSMs) by providing encryption and decryption functions for payment-related data.

With support for symmetric and asymmetric keys like TDES, AES, and RSA, Payment Cryptography ensures key separation, identification, and access control. By leveraging AWS’s compliant HSMs, this service enables payment facilitators, processors, and banks to minimize dependencies on external data centers. The pricing model includes charges per API call and the number of active keys, making it attractive for early-stage Fintechs. Currently available in the US East and US West regions.

03. iOttie Site Hacked: Customer Credit Cards Stolen in Major Data Breach!

Popular mobile accessory maker, iOttie, has revealed a major data breach lasting nearly two months, resulting in the theft of online shoppers’ credit card details and personal information. The breach was caused by malicious scripts injected into the iOttie website between April 12th and June 2nd. While the company has removed the malicious code, customers who purchased during that period should remain vigilant for potentially fraudulent activities. The attack, MageCart, highlights the importance of monitoring credit card statements and bank accounts for unauthorized transactions.

iOttie Site Hacked: Customer Credit Cards Stolen in Major Data Breach
UPS Data Breach Exposes Customers to SMS Phishing Attacks

04. UPS Data Breach Exposes Customers to SMS Phishing Attacks

UPS has disclosed a data breach affecting Canadian customers, revealing that personal information obtained through its online package look-up tools was used in SMS phishing attacks. The breach occurred between February 2022 and April 2023, with threat actors accessing recipients’ contact details. UPS has taken measures to restrict access and is notifying affected individuals.

Phishing attempts impersonating companies like LEGO and Apple have been reported. Customers are advised to exercise caution, avoid clicking suspicious links, and refrain from sharing sensitive information in response to such messages. UPS is actively working with law enforcement and experts to halt the scheme.

05. Microsoft Addresses Azure AD Authentication Vulnerability

Microsoft has fixed a security flaw in Azure Active Directory (Azure AD) that could have enabled threat actors to gain control over targeted accounts. The flaw, named nOAuth, allowed attackers to exploit misconfigurations in Azure AD OAuth applications using the email claim from access tokens.

Attackers could fully control the target’s account by changing the email on their Azure AD admin account to the victim’s email address and using the “Log in with Microsoft” feature. Microsoft has deployed mitigations to address the issue and advises developers to review their app’s authorization logic for protection against unauthorized access.

Microsoft Addresses Azure AD Authentication Vulnerability

Let's talk