Technology

Amazon, Best Buy Sold Bugged Smartphones as Data Breaches Rise 25% in 2016

Paul Ausick

Published: November 17, 2016 10:45 am

Last Updated: January 12, 2020 5:41 pm

Earlier this week, a cybersecurity firm called Kryptowire revealed that it had identified several models of Android-based mobile phones that included firmware to collect sensitive personal data about the devices’ users and then to transmit this data to third-party servers with no disclosure to or consent from the users.

Consumers could purchase the devices at online retailers, including Amazon.com Inc. (NASDAQ: AMZN) and Best Buy Co. Inc. (NYSE: BBY), and they included popular devices such as the BLU R1 HD. The phones are no longer available at either Amazon or Best Buy.

According to Kryptowire:

These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

For more details and information see the Kryptowire press release.

The latest data breach count from the Identity Theft Resource Center (ITRC) reports that there have been 873 data breaches recorded this year through November 15, 2016, and that nearly 30 million records have been exposed since the beginning of the year. The total number of reported breaches increased by 15 since ITRC’s last report on November 9.

The number of breaches in 2015 totaled 781, just two shy of the record 783 breaches that ITRC tracked in 2014. The 873 data breaches reported so far for 2016 are nearly 25% above the number reported (700) for the same period last year. A total of more than 169 million records were exposed in 2015.

Here’s a rundown of the latest ITRC report:

• The medical/health care sector leads all others in the number of records compromised to date in 2016. The sector has posted 36% (314) of all data breaches to date this year. The number of records exposed in these breaches totaled is nearly 14.5 million, or about 48.5% of the total so far in 2016.
• The government/military sector has suffered 59 data breaches this year, representing about 41.2% of the total number of records exposed and 6.8% of the incidents. More than 12 million records have been compromised in the government/military sector to date.
• The business sector accounts for more than 2.5 million exposed records in 389 incidents. That represents 44.6% of the incidents, and 8.6% of the exposed records.
• The number of banking/credit/financial breaches totals 37 for the year to date and involves more than 26,000 records, some 4.2% of the total number of breaches and about 0.1% of the records exposed.
• The educational sector has seen 74 data breaches in 2016. That accounts for 8.5% of all breaches for the year and nearly 500,000 exposed records, about 1.6% of the total so far.

Since beginning to track data breaches in 2005, ITRC had counted 6,683 breaches through November 15, 2016, involving more than 881 million records.