News round-up February 2021 — Downplaying data breaches, escalating ransomware tactics and “there’s something in the water”

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

We start this edition of the round-up with a stern warning from the privacy regulator, telling organisations to stop downplaying data breaches. We saw a general trend of regulators and law enforcement stepping up this month, with historic decisions by the OAIC, the FTC and the Norwegian Data Protection Agency, and a crackdown on the notorious Emotet botnet.

Key articles

OAIC finds ‘multiple’ Australian companies downplaying data breaches 

Summary: The Office of the Australian Privacy Commissioner (OAIC) isn’t happy about delays in the assessment and notification of data breaches by a growing number of organisations.

Key risk takeaway: This stands as something of a warning from the Australian privacy regulator that it expects to see more timely assessment and notification of data breaches. Perhaps the regulator is sensing some complacency: as we prepare this month to mark the 3rd birthday of the Notifiable Data Breaches scheme, the attention and activity that characterised the scheme’s first year has arguably died off. In issuing its warning, the OAIC acknowledges “some data breaches are complex”, meaning organisations can find it challenging to quickly identify affected individuals. With complexity increasing as all entities increase their data holdings, we anticipate privacy automation and data mapping technologies will play a key role in helping organisations bridge the gap between current manual privacy processes and their desire to more promptly and efficiently manage privacy impacts.

Meanwhile, for the first time, the OAIC has ordered that compensation be paid for non-economic loss suffered by participants in a representative complaint against the Department of Home Affairs. Home Affairs must pay almost 1,300 asylum seekers for wrongfully publishing their personal information in 2014. Compensation will range from $500 to $20,000 per applicant, meaning Home Affairs could potentially be up for nearly $26 million. This ground-breaking decision could herald the dawn of a new cost for failing to secure personal information.

Tags: #privacy #ndb #compliance #privacyops #regulation 

 

Grindr faces fine of nearly $12 million in Norway for alleged privacy violations 

Summary: Norway’s data protection agency is proposing a fine of US $11.7 million against Grindr for the alleged improper sharing of users’ data with third-party companies for marketing purposes.

Key risk takeaway: This would be the biggest fine of its kind to date and indicates how seriously the GDPR takes the handling of sensitive personal information. The Norwegian Data Protection Authority said that Grindr had shared, without full consent, users’ GPS locations, profile data and other information with other companies. It also contends that the fact that a user is on Grindr is in itself information about sexual orientation, which is a specific class of sensitive information. Grindr may argue against the decision, but GDPR regulators are not pulling any punches in this area.  

This fine comes as the Muslim prayer app Salaat First, also an app that by default collects sensitive information, is exposed as selling granular location data of its Android users in the UK, Germany, France and Italy. The app, which doesn’t provide an in-app link to its privacy policy, sells a range of device and operation data including the user’s unique advertising ID, which allowed the media company to whom the data was leaked to filter the cache down to specific users and then follow that person’s movements through time. As the data was that of EU citizens, the GDPR may also kick in on this one.

Tags: #privacy #datasharing #sensitiveinformation #privacypolicy #regulation #GDPR

 

Privacy pilfering project punished by FTC purge penalty: AI upstart told to delete data and algorithms  

Summary: Everalbum, a California-based facial recognition business, has been directed by the US Federal Trade Commission to delete the AI models and algorithms that it developed by harvesting people’s photos and videos without permission. 

Key risk takeaway: This ruling is a significant disruptor of the old ‘it’s better to ask forgiveness than permission’ approach, and indicates that regulators may now be looking beyond just fines and penalties. Apparently, Everalbum told people that it would not employ facial recognition on users’ content without consent, but in fact automatically activated the feature for people outside the EU and certain US states, and then used the data collected to build facial detection software. Facial detection software and algorithms are a hotly contested topic in the privacy world, and this ruling provides some indication that regulators are aware of the risks and are willing to take action to ensure violators aren’t allowed to profit from misuse.

Tags: #privacy #datahandling #regulation

 

Some ransomware gangs are going after top execs to pressure companies into paying 

Summary: Ransomware gangs are reportedly prioritising stealing sensitive data from executives that can be used to extort businesses into approving large ransom payouts. 

Key risk takeaway: The slow-but-steady evolution of ransomware tactics continues in 2021, further ramping up pressure on businesses and their leaders. Despite the clear “never pay ransom” edicts from governments, this canny and increasingly aggressive targeting of a business’ reputation will only increase agitation levels among boards and senior execs who are unsure what to do when their turn comes. This reality is made clear by another recent story, which reveals even those organisations who have been able to restore their systems from backups after a ransomware attack are still paying ransoms to ward off reputational damage. Simulation exercises remain a valuable way to practice how your organisation would handle a ransomware attack and how leaders might contemplate ransom demands. In brighter news, US authorities have charged an attacker reportedly responsible for the ransomware attacks on Toll Group and Law In Order. 

Tags: #ransomware 

 

Intel drops 9% after a reported hack forced the chipmaker to release its 4th-quarter earnings early 

Summary: Shares fell after a hacker gained unauthorised access to financially sensitive information from Intel’s website.

Key risk takeaway: We could barely imagine a neater demonstration of the adverse financial impacts of a data breach. After a positive quarterly earnings result drove up Intel’s share price, the gains were wiped out just as quickly after an infographic of those very same positive results was released earlier than intended because of a hack. Little has been revealed about the hack, other than that the graphic was accessed by an unauthorised party from Intel’s public relations news website. If it’s of any comfort to Intel, even hackers don’t always take steps to protect sensitive data. Having stolen more than a thousand credentials, a group of hackers reportedly accidentally exposed them on the internet, making them freely accessible on Google (undercutting the typical goal of selling the data on the dark web).

Tags: #databreaches #cyberattack 

 

US, European police say they’ve disrupted the notorious Emotet botnet 

Summary: U.S. and European law enforcement agencies said Wednesday they had seized control of the computing infrastructure used by Emotet, a botnet of infected machines that has been one of the most pervasive cybercrime threats over the last six years. 

Key risk takeaway: This is a significant law enforcement action against a serious and pervasive cyber threat that has been used to run everything from political phishing to ransomware to banking trojans. While authorities are cautiously optimistic about the impact of the takedown, it’s nonetheless a big achievement and, at worst, one that will take cyber criminals some time to recover from.  

Tags: #cybersecurity

 

The Scammer Who Wanted to Save His Country 

Summary: A massive political corruption story in Brazil, involving the President and senior members of the legislature, was broken due to troves of hacked data. But what was initially thought to be a complicated hack, possibly by the Russians, turned out to be a simple exploit of poor security in the Telegram app, executed many times by a scammer.  

Key risk takeaway: While the key risk takeaway from this story could be ‘don’t be a corrupt politician’, the reminder not to overlook ‘the simple’ in security processes is certainly not far behind. In this case, the vulnerability came about due to a combination of the Brazilian VoIP system allowing people to spoof any phone number onto their account (thus allowing the hacker to access voicemail systems), and the Telegram app sending verification codes for adding a new device to voicemail, without also sending a notification to the app. This then gave the hacker access to download the targets’ entire chat history from the cloud.

While the outcome of this particular hack was the exposure of serious corruption, it nonetheless highlights how quickly the exploitation of a small hole in security protocols can snowball, especially when those protocols fail to take into account the kind of innovative and imaginative thinking that only humans can apply.

Tags: #privacy #cybersecurity #hack #government

 

Remote hacker tries to poison water supply, exposing holes in OT security  

Summary: Hackers have accessed a water plant in Florida via remote access tools, altering the chemical levels in the water supply.   

Key risk takeaway: This is another timely reminder that not all hacks use sophisticated technology or approaches, and failing to consider all points of entry can leave essential systems vulnerable. In this instance, there is a suggestion that the utilities industry is using outdated or not fit-for-purpose security systems, which significantly increases its risk profile when third-party software or services are being used. The impact of cyber on critical infrastructure is a growing issue, with governments and regulators concerned about both hacking and ransomware, as seen recently with a US regulator asking energy companies to report their exposure to SolarWinds. The relationship between infrastructure and cyber security is further highlighted when operational technology is linked to other internet-enabled systems. Finding a vulnerable point of entry and then hopping across internal systems to gain access to critical functions is a hack methodology that organisations can’t afford to ignore.

Tags: #cybersecurity #hack #supplierrisk #cyberattack

News round-up Jan 2021 — SolarWinds hack, the need for robust external security assurance, and a community demand for privacy


The round-up

While the far-reaching consequences of the SolarWinds-FireEye-US Government hack are only just starting to be understood, a few stand-out lessons are emerging. In this round-up, we also observe oversight bodies in Australia starting to demand external assurance that organisations’ cyber security is robust. The rising swell from consumers demanding improvements in privacy protection also continues, with responses in kind by Apple, Microsoft, and the Australian Competition & Consumer Commission (ACCC).

The five trends driving ransomware tactics

Ransomware attacks continued to increase in 2020, and 2021 looks set to follow the trend. Unfortunately, the past 12 months has seen substantial evolution in ransomware tactics, as attackers look to improve their results.

In this post we look at 5 key ways this critical cyber threat is evolving.

News round-up Nov 2020 – Privacy Act review, ICO fines British Airways £20m over data breach and more


The round-up

Privacy is well and truly in the frame this month – not least because of the Government’s review of the Privacy Act. It’s a big deal and we’ll have a bit to say about it – starting with our summary below. As the number of COVID-19 cases ease, attention is now also shifting towards the privacy provisions of COVID-19 check-in services. And turning to cyber, if you felt ransomware wasn’t nasty enough, attackers have dug deep and found more evil to draw on.   

News round-up Sept 2020 — Thousands of licence details exposed online, HealthEngine to pay $2.9mil, and more


 

The round-up

It’s a veritable smorgasbord – our latest roundup includes incidents traversing cloud security, phishing, extortion, distributed denial of service attacks and insider threat. We also look at a particularly egregious breach of trust by a healthcare website.

Key articles:

Data breach exposes tens of thousands of NSW driver’s licences online

Summary: A cache containing about 54,000 NSW driver’s licences was found online by a Ukrainian security consultant. The data was linked to an unnamed private business that apparently failed to configure privacy settings appropriately on cloud storage.

Key risk takeaway: As we reported in May, misconfiguration of cloud services is one of the rising reasons behind data breaches – and so it has come to pass that tens of thousands of NSW drivers have been outed. The story here is a little more complex though, as it’s the NSW Government that has come under scrutiny for a lack of disclosure and notification to impacted residents – even though it was an unaffiliated third-party commercial operator that made the security bungle. It illustrates the complexity of responding to a data breach in the era of third-party data sharing, and the complex expectations that define what is trustworthy behaviour. Scenario planning can go a long way towards being prepared for these contingencies and having well-thought-out responses.

Tags: #cloudsecurity #notification

 

HealthEngine to pay $2.9 million for misleading reviews and patient referrals

Summary: Health directory and online booking site HealthEngine has been ordered to pay $2.9m in penalties after admitting that it disclosed personal information of over 135,000 patients to third party private health insurance brokers without adequately disclosing this to customers.

Key risk takeaway: Privacy Officers now need to consider consumer law risks when reviewing or drafting any communications or notices about how customer information will be handled. Failure to clearly communicate how personal information will be used and disclosed may amount to misleading and deceptive conduct (whether or not it also breaches the Australian Privacy Principles). The Australian Competition and Consumer Commission (ACCC) has become increasingly active in the privacy space since the conclusion of its Digital Platforms Inquiry in June 2019. HealthEngine may be the first casualty of this new focus on consumer privacy harms, but it’s unlikely to be the last. The Commission currently has two separate cases pending against Google alleging misleading and deceptive conduct in relation to privacy, and ACCC Chairman Rod Sims says there are plenty more in the works.

Tags: #ACCC #ACL #Privacy #Penalties

 

New Zealand Stock Exchange suffers day four disruption following DDoS attacks

Summary: A distributed denial of service (DDoS) that hit the exchange halted trading and prevented the publishing of market updates.

Key risk takeaway: So-called “DDoS extortions” have been around for a few years, but the recent attacks are being seen as among the most dangerous and targeted. The attack on NZX was one of many reported DDoS attacks against global financial service providers, with the criminal gang responsible demanding Bitcoin payments as extortion fees to stop their attacks. Where DDoS in the past has targeted public websites, a particular characteristic of recent attacks is the targeting of back-end infrastructure, which can be potentially more disruptive. DDoS mitigation services should be considered for any business, particularly those with a high profile (where a website outage would be particularly damaging) or those that operate critical online services (where even a short outage would have substantial impact).

Tags: #ddos #cybercrime

 

SANS shares details on attack that led to their data breach

Summary: SANS Institute suffered a data breach after an employee fell for a phishing attack, resulting in more than 500 emails containing approximately 28,000 records of personal information being forwarded to attackers.

Key risk takeaway: SANS is a leading provider of cyber security training for organisations around the world, so perhaps the lesson from its breach is, rather humbly, “there but for the grace of god, go I.” The attack draws on a rising phishing attack method – OAuth phishing – where targeted users receive what looks like a legitimate shared document. Upon clicking the email request, they are typically asked to provide their credentials (e.g. to O365) and grant various permissions to a third-party app. This grants access to the app’s developer/owner – which is an attacker. Read more about OAuth app examples here, ironically on a SANS discussion forum. Options to defend against this form of attack include preventing employees from being able to install unverified OAuth apps and, of course, testing staff’s ability to detect this form of phishing via phishing simulations.

Tags: #phishing #oauth
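The defensive option above, restricting which third-party apps staff can consent to, also has a detection side: reviewing the consent grants that have already happened. The script below is an added example (not from the round-up or from SANS) that triages consent-to-application audit events. The log records are constructed for illustration and their field names are an assumption, not any vendor’s schema; the scope names follow Microsoft Graph delegated-permission naming (Mail.Read, Files.Read.All, offline_access and so on), since the scenario involves O365. A grant from an unverified publisher that asks for mailbox or file access plus a refresh token is exactly the pattern an OAuth phishing app produces, and is marked for revocation.

```python
"""Triage OAuth consent grants for consent-phishing risk (added example).

The audit records below are constructed for illustration; the field names
loosely follow the shape of a directory audit event but are an assumption,
not a real vendor schema.
"""
import json
from dataclasses import dataclass

# Delegated permissions that give an app standing access to mailbox or file
# content, or a refresh token (offline_access) that keeps that access alive.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access",
}

# Constructed sample: one JSON event per line.
SAMPLE_AUDIT_LOG = """
{"time":"2020-08-03T09:12:41Z","event":"Consent to application","user":"a.smith@example.org","app":"Contoso Expense Sync","publisher_verified":true,"scopes":["User.Read","offline_access"]}
{"time":"2020-08-03T09:15:02Z","event":"Consent to application","user":"j.doe@example.org","app":"SharedDoc Viewer","publisher_verified":false,"scopes":["User.Read","Mail.Read","Mail.Send","Files.Read.All","offline_access"]}
{"time":"2020-08-03T09:16:30Z","event":"Sign-in","user":"j.doe@example.org","app":"Office 365"}
{"time":"2020-08-03T10:01:11Z","event":"Consent to application","user":"k.lee@example.org","app":"Calendar Helper","publisher_verified":false,"scopes":["User.Read"]}
"""


@dataclass
class Finding:
    user: str
    app: str
    risky_scopes: list
    verdict: str  # "allow", "review" or "block"


def classify_grant(record):
    """Return a Finding for a consent event, or None for any other event."""
    if record.get("event") != "Consent to application":
        return None
    risky = sorted(set(record.get("scopes", [])) & HIGH_RISK_SCOPES)
    verified = record.get("publisher_verified", False)
    if not verified and risky:
        verdict = "block"   # unverified publisher holding mailbox/file access
    elif risky or not verified:
        verdict = "review"  # broad access from a known publisher, or low-privilege unknown
    else:
        verdict = "allow"
    return Finding(record["user"], record["app"], risky, verdict)


def triage_log(text):
    """Parse newline-delimited JSON events and classify every consent grant."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify_grant(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


def users_needing_revocation(findings):
    """Users whose consent should be revoked and whose tokens should be reset."""
    return sorted({f.user for f in findings if f.verdict == "block"})


if __name__ == "__main__":
    results = triage_log(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f"{f.verdict:6} {f.user:22} {f.app:20} {','.join(f.risky_scopes)}")
    print("revoke consent for:", users_needing_revocation(results))
```

The "review" bucket is deliberate: a verified publisher asking for `offline_access` is not an incident, but it is the kind of standing access an app owner should justify, and the list of such grants is what an admin consent policy is meant to keep short.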

 

Former Uber Security Chief Charged With Concealing Hack

Summary: Uber’s former head of security has been charged with attempting to conceal a hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.

Key risk takeaway: CISOs around the world may be sleeping a little less comfortably, with the action brought by US prosecutors underscoring how much personal accountability is carried by those running security functions. At the heart of the criminal complaint is that former Uber CSO Joe Sullivan failed to disclose a major breach to regulators in 2016, even as the company was being investigated for an earlier breach. A particularly notable callout by the prosecution team was that the “cover-up” prevented law enforcement learning about the hackers and being in a position to disrupt their activities – which included going on to “hack other companies in a way similar to what they had done to Uber”. This suggests that authorities view a company’s responsibility to disclose breaches not only in terms of its duty to its own customers, but also in terms of its importance to protecting the broader economy.

Tags: #CISO #crisisplanning #cybercrime

 

A Tesla Employee Thwarted an Alleged Ransomware Plot

Summary: A Tesla employee rejected a US$1m offer to install malware on Tesla’s network, reporting the bribe to Tesla instead.

Key risk takeaway: Insider threat is perhaps one of the less covered threats to organisations’ systems and data – perhaps this story might lift it in prominence given the hype and attention usually associated with Elon’s electric enterprise. The story affirms the willingness of cybercriminals to get into a network in any way possible – whether through sophisticated technical or cyber means or more old-fashioned coaxing and cajoling. Insider threats of the malicious (versus accidental) kind are challenging to defend against. Technical measures include strong access controls and monitoring (especially for critical systems) and data loss prevention tools. Equally important are human measures such as background checks, and creating a culture in which employees feel comfortable reporting anomalous behaviour.

Tags: #insiderthreat
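Of the technical measures listed above, monitoring of critical systems is the one most often left as a log nobody reads. The script below is an added example (not Tesla’s, and not from the round-up) of the simplest useful check over access logs for a critical system: it baselines each user’s daily record volume and flags a day that is far above that user’s own history, and separately flags access outside business hours. The log lines, the business-hours window and the spike factor are all constructed assumptions for illustration.

```python
"""Flag anomalous access to a critical system from access logs (added example).

Sample log lines, the business-hours window and the spike threshold are
constructed for illustration and are not taken from any product or incident.
Each line: <ISO-8601 timestamp> <user> <action> <record_count>
"""
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2020-08-10T09:05:00Z m.jones export 120
2020-08-11T09:10:00Z m.jones export 110
2020-08-12T09:02:00Z m.jones export 130
2020-08-13T09:08:00Z m.jones export 125
2020-08-14T02:40:00Z m.jones export 9000
2020-08-10T10:00:00Z r.chen view 5
2020-08-11T10:15:00Z r.chen view 6
2020-08-14T11:00:00Z r.chen view 7
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC; assumed for this example
SPIKE_FACTOR = 5.0             # flag a day > 5x the user's own median daily volume


def parse(text):
    """Return a list of (timestamp, user, action, record_count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       user, action, int(count)))
    return events


def daily_volumes(events):
    """Sum record counts per user per calendar day."""
    volumes = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, count in events:
        volumes[user][ts.date()] += count
    return volumes


def detect(events):
    """Return alerts as (user, when, kind, record_count) tuples."""
    alerts = []
    # Volume spike: compare each day only against that user's earlier days,
    # so a single abnormal day cannot inflate its own baseline.
    for user, per_day in daily_volumes(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if history and per_day[day] > SPIKE_FACTOR * statistics.median(history):
                alerts.append((user, day.isoformat(), "volume_spike", per_day[day]))
    # Out-of-hours access to the critical system is reported on its own,
    # whatever the volume.
    for ts, user, _action, count in events:
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((user, ts.isoformat(), "outside_hours", count))
    return alerts


if __name__ == "__main__":
    for user, when, kind, count in detect(parse(SAMPLE_LOG)):
        print(f"{kind:14} {user:10} {when} records={count}")
```

Two alerts come out of the sample: one for the 9,000-record export being roughly 70 times m.jones’s median, and one for it happening at 02:40. A real deployment would feed these to whoever owns the system rather than print them, and would pair the volume check with the access-control side (should an export of that size be possible for that role at all?).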

News round-up June 2020 — PM’s cyber strategy announcement, ransomware attacks and email scammers


 

The round-up

“Imagine if we could get the Prime Minister to yell ‘cyber’?”
Security leaders preparing to go cap-in-hand for FY21 budgets could only have dreamed of the platform their portfolios would get this month. In this month’s round-up we take a look at the PM’s announcement, and watch as ransomware and business email compromise jostle for the mantle of most damaging cyber threat.