News round-up February 2021 — Downplaying data breaches, escalating ransomware tactics and “there’s something in the water”

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

We start this edition round-up with a stern warning from the privacy regulator, telling organisations to stop downplaying data breaches. We saw a general trend of regulators and law enforcement stepping up this month, with historic decisions by the OAIC, the FTC and the Norwegian Data Protection Agency, and a crackdown on the notorious Emotet botnet.   

Key articles

OAIC finds ‘multiple’ Australian companies downplaying data breaches 

Summary: The Office of the Australian Privacy Commissioner (OAIC) isn’t happy about delays in the assessment of and notification of data breaches by a growing number of organisations. 

Key risk takeaway: This stands as something of a warning from the Australian privacy regulator that it expects to see more timely assessment and notification of data breaches. Perhaps the regulator is sensing some complacency  as we prepare this month to mark the 3rd birthday of the Notifiable Data Breaches scheme, the attention and activity that characterised the scheme’s first year has arguably died off. In issuing its warning, the OAIC acknowledges “some data breaches are complex”, meaning organisations can find it challenging to quickly identify affected individuals. With complexity increasing as all entities increase their data holdings, wanticipate privacy automation and data mapping technologies will play a key role in helping organisations bridge the gap between current manual privacy processes and their desire to more promptly and efficiently manage privacy impacts. 

Meanwhile, for the first time, the OAIC has ordered that compensation be paid for non-economic loss suffered by participants of representative complaint against the Department of Home AffairsHome Affairs must pay almost 1,300 asylum seekers for wrongfully publishing their personal information in 2014. Compensation will range from $500 to $20,000 per applicant, meaning Home Affairs could potentially be up for nearly $26 million.  This ground-breaking decision could herald the dawn of a new cost for failing to secure personal information.  

Tags: #privacy #ndb #compliance #privacyops #regulation 

 

Grindr faces fine of nearly $12 million in Norway for alleged privacy violations 

Summary: Norway’s data protection agency is proposing a fine of US $11.7 million against Grindr for the alleged improper sharing of users’ data to third-party companies for marketing purposes. 

Key risk takeaway: This would be the biggest fine of its kind to date and indicates how seriously the GDPR takes the handling of sensitive personal information. The Norwegian Data Protection Authority said that Grindr had shared, without full consent, users’ GPS locations, profile data and other information with other companies. It also contends that the fact that a user is on Grindr is in itself information about sexual orientation, which is a specific class of sensitive information. Grindr may argue against the decision, but GDPR regulators are not pulling any punches in this area.  

This fine comes as the Muslim Prayer app Salaat First, also an app that by default collects sensitive information, is exposed as selling granular location data of its android users in the UK, Germany, France and Italy. The app, which doesn’t provide an in-app link to the privacy policy, sells a range of device and operation data including the user’s unique advertising ID, which allowed the media company to whom the data was leaked to filter the cache to specific users and then follow that person’s movements through time. As the data was of EU citizens, the GDPR may also kick in on this one.  

#privacy #datasharing #sensitiveinformation #privacypolicy #regulation #GDPR 

 

Privacy pilfering project punished by FTC purge penalty: AI upstart told to delete data and algorithms  

Summary: Everalbum, a California-based facial recognition business, has been directed by the US Federal Trade Commission to delete the AI models and algorithms that it developed by harvesting people’s photos and videos without permission. 

Key risk takeaway: This ruling is a significant disruptor of the old ‘it’s better to ask forgiveness than permission’, and indicates that regulators may now be looking beyond just fines and penalties. Apparently, Everalbum told people that it would not employ facial recognition on users’ content without consent, but in fact automatically activated the feature for people outside the EU and certain US states, and then used the data collected to build facial detection software. Facial detection software and algorithms are a hotly contested topic in the privacy world, and this ruling provides some indication that regulators are aware of the risks and are willing to take action to ensure violators aren’t allowed to profit from misuse 

#privacy #datahandling #regulation  

 

Some ransomware gangs are going after top execs to pressure companies into paying 

Summary: Ransomware gangs are reportedly prioritising stealing sensitive data from executives that can be used to extort businesses into approving large ransom payouts. 

Key risk takeaway: The slow-but-steady evolution of ransomware tactics continues in 2021, further ramping up pressure on businesses and their leaders. Despite the clear “never pay ransom” edicts from governments, this canny and increasingly aggressive targeting of a business’ reputation will only increase agitation levels among boards and senior execs who are unsure what to do when their turn comes. This reality is made clear by another recent story, which reveals even those organisations who have been able to restore their systems from backups after a ransomware attack are still paying ransoms to ward off reputational damage. Simulation exercises remain a valuable way to practice how your organisation would handle a ransomware attack and how leaders might contemplate ransom demands. In brighter news, US authorities have charged an attacker reportedly responsible for the ransomware attacks on Toll Group and Law In Order. 

Tags: #ransomware 

 

Intel drops 9% after a reported hack forced the chipmaker to release its 4th-quarter earnings early 

Summary: Shares fell after hacker gained unauthorised access to financially-sensitive information from Intel’s website. 

Key risk takeaway: We could barely imagine a neater demonstration of the adverse financial impacts of a data breach. After a positive quarterly earnings result drove up Intel’s share price, the gains were wiped out just as quickly after an infographic of those very same positive results was released earlier than intended because of a hack. Little has been revealed about the hack, other than that the graphic was accessed by an unauthorised party from Intel’s public relations news website. If it’s of any comfort to Intel, even hackers don’t always take steps to protect sensitive data. Having stolen more than a thousand credentials, a group of hackers reportedly accidently exposed them on the internet, making them freely accessible on Google (undercutting the typical goal of selling the data on the dark web).  

Tags: #databreaches #cyberattack 

 

US, European police say they’ve disrupted the notorious Emotet botnet 

Summary: U.S. and European law enforcement agencies said Wednesday they had seized control of the computing infrastructure used by Emotet, a botnet of infected machines that has been one of the most pervasive cybercrime threats over the last six years. 

Key risk takeaway: This is a significant law enforcement action against a serious and pervasive cyber threat that has been used to run everything from political phishing to ransomware to banking trojans. While authorities are cautiously optimistic about the impact of the takedown, it’s nonetheless a big achievement and, at worst, one that will take cyber criminals some time to recover from.  

#cybersecurity 

 

The Scammer Who Wanted to Save His Country 

Summary: A massive political corruption story in Brazil, involving the President and senior members of the legislature, was broken due to troves of hacked data. But what was initially thought to be a complicated hack, possibly by the Russians, turned out to be a simple exploit of poor security in the Telegram app, executed many times by a scammer.  

Key risk takeaway: While the key risk takeaway from this story could be ‘don’t be a corrupt politician’, the reminder not to overlook ‘the simple’ in security processes is certainly not far behind. In this case, the vulnerability came about due to a combination of the Brazilian VoIP system allowing people to spoof any phone number onto their account (thus allowing the hacker to access voicemail systems), and the Telegram app sending verification codes for adding a new device to a voicemail, without also sending a notification to the app. This then gave the hacker access to download the targets’ entire chat history from the cloud. 

While the outcome of this particular hack was the exposure of serious corruption, it nonetheless highlights how quickly the exploitation of a small hole in security protocols can snowball. Especially when security protocols fail to take into account the kind of innovative and imaginative thinking that only humans can apply. 

#privacy #cybersecurity #hack #government 

 

Remote hacker tries to poison water supply, exposing holes in OT security  

Summary: Hackers have accessed a water plant in Florida via remote access tools, altering the chemical levels in the water supply.   

Key risk takeaway: This is another timely reminder that not all hacks use sophisticated technology or approaches, and failing to consider all points of entry can leave essential systems vulnerable. In this instance, there is suggestion that the utilities industry is using outdated or not fit-for-purpose security systems, which significantly increases their risk profile when third party software or services are being used. The impact of cyber on critical infrastructure is a growing issue, with Governments and regulators concerned about both hacking and ransomware, as seen recently, with a US regulator asking energy companies to report their exposure to SolarWinds. The relationship between infrastructure and cyber security is further highlighted when operational technology is linked to other internet-enabled systems. Finding a vulnerable point of entry and then hopping across internal systems to gain access to critical functions is a hack methodology that organisations can’t afford to ignore 

#cybersecurity #hack #supplierrisk #cyberattack 

The five trends driving ransomware tactics

Ransomware attacks continued to increase in 2020, and 2021 looks set to follow the trend. Unfortunately, the past 12 months has seen substantial evolution in ransomware tactics, as attackers look to improve their results.

In this post we look at 5 key ways this critical cyber threat is evolving.

News round-up Nov 2020 – Privacy Act review, ICO fines British Airways £20m over data breach and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

Privacy is well and truly in the frame this month – not least because of the Government’s review of the Privacy Act. It’s a big deal and we’ll have a bit to say about it – starting with our summary below. As the number of COVID-19 cases ease, attention is now also shifting towards the privacy provisions of COVID-19 check-in services. And turning to cyber, if you felt ransomware wasn’t nasty enough, attackers have dug deep and found more evil to draw on.   

News round-up Oct 2020 — Update on ServiceNSW databreach, Twitter upping its security game, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

It’s in the nature of this game that there’ll always breaches and bungles, so increasingly it matters how you respond. And in our eyes, some recent response actions are worth commending. The NSW Government opened up on how it might have prevented the Service NSW breach, while Twitter laid out how it is upping its internal security game after a hack in July. We also explore if NAB’s step into the world of bug bounties sets a new bar for security maturity.

Key articles:

Australians want more control over privacy, survey shows

Summary: Privacy is a major concern for 70% of Australians while 87% want more control and choice over the collection and use of their personal information, a new study shows.

Key risk takeaway: As businesses roll out services that are increasingly data-driven, one of the more salient findings of the survey was that privacy is now the leading consideration when individuals choose an app or program to download, ahead of quality, convenience and price. Concerns around collection practices – particularly around the purpose for which data was collected – was another prominent finding. These views reinforce the importance of approaches such as privacy-by-design and practices such as Privacy Impact Assessments (PIA), which seek to “bake in” good privacy practices early into the development of new projects or initiatives. The Office of the Australian Information Commissioner this month also issued guidance for agencies on how to screen for potentially ‘high privacy risk’ projects to determine whether a PIA is required under the agencies’ privacy code.

Tags: #privacy #communityattitudes #privacyimpactassessments  

Service NSW hack could have been prevented with simple security measures

Summary: The personal data of 186,000 customers and staff were leaked after a cyber-attack on Service NSW in April that compromised the email accounts of 47 employees.

Key risk takeaway: We covered the news of this attack in our May roundup – our focus here is on Service NSW’s response. Transparency, responsiveness and empathy for affected customers are core principles of a trust-building response. Service NSW has attracted criticism for taking four months to notify affected customers, illuminating a key challenge in translating these principles into reality. In the wake of a breach many organisations lack the capabilities to quickly identify and assess the data types involved and, more pertinently, the extent of likely harm for affected customers – resulting in lengthy delays to notification. That appears to have been the case here, with Service NSW describing that much of the breached data was in unstructured form (eg. in emails, handwritten notes, forms and scans). Encouragingly, head of Cyber Security NSW Tony Chapman demonstrated commendable transparency in his responses around root causes, citing the preventative roles multi-factor authentication and reduced email-based data sharing could have played. Some may argue these concessions are like shutting the gate after the horse has bolted – another perspective is that these disclosures demonstrate an understanding of what is required to prevent recurrence of similar incidents in the future.

Tags: #databreachresponse

Woman dies during a ransomware attack on a German hospital

Summary: In what is being described as the first possible death directly linked to a cyber-attack, a woman has died after a German hospital couldn’t accept emergency patients due to a ransomware attack.

Key risk takeaway: In seeking to illuminate why cyber security matters, we often describe the potential impacts of cyber incidents. Large financial, reputational and operational impacts are serious enough, but for organisations in the health sector, impacts to the wellbeing of individuals (to the point of death) are sadly also very much on the cards. Do incidents like this – where human life is at stake – complicate advice to “never pay ransoms”? It’s hard to say, but seems fair to observe that there’s mixed views in some quarters, with some organisations reserving the right to make a risk-based judgement. In this scenario, even the attackers tweaked the ‘conventional’ rules of extortion – when told they had impacted a hospital treating emergency patients, they withdrew the ransom demand and provided a decryption key. Sadly, it was too late for the impacted woman. This incident follows ransomware attacks on a Thai hospital and on one of Chile’s biggest banks, resulting in the shutdown of all its branches, with disruptions lasting over a week.

Tags: #ransomware

NAB crowdsources cyber security with bug bounty program

Summary: NAB is the first of the Big Four banks to include a bug bounty program in its security strategy

Key risk takeaway: We’ve previously written that bug bounties are increasingly seen as a sign of a mature approach to security. The foray of a major Australian bank (traditionally more conservative) into the world of “crowdsourced security assurance” is arguably further evidence of the mainstreaming of these approaches, and a step we wager took some hearty advocacy by the security team to get sign-offs from legal-types and executives. Given the global cyber security skills shortage, bug bounties can offer organisations access to a broader and internationally-based pool of security talent to test and assure key systems. A key consideration is to see bug bounties not as a replacement but a complement to existing capabilities within a layered security strategy.

Tags: #bugbounty #layereddefence

Twitter prepares for US election with new security training, penetration tests

Summary: Ahead of the US election Twitter has been bolstering its internal security and privacy controls, including by requiring staff to complete additional training, deploying hardware security keys to employees, and engaging in penetration tests and privacy impact assessments.

Key risk takeaway: Here’s something of a blueprint for hardening systems in the wake of a phishing-based breach. After suffering such a breach in July, Twitter has stepped up a range of protections – most notably around employees – by increasing training requirements, enhancing checks on employees with key systems access and rolling out “phishing-resistant security keys”. A mix of baseline security/privacy training for all staff coupled with more targeted and dynamic learning content for specific role types (as Twitter appears to be pursuing) also reflects the strategies that we are increasingly seeing being pursued in the local market. Also of note is Twitter’s push to ensure appropriate privacy measures are implemented before projects launch: in the first six months of 2020 Twitter completed more than 300 privacy impact assessments compared with 100 PIAs in 2018.

Tags: #securityawareness

News round-up July 2020 — European court decision on international data transfers, software vulnerabilities, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

 

The round-up

This month saw some big plays in the world of privacy – most notably the striking down by a European Court of a mechanism for international data transfers. We look at the implications for Australia organisations coming out of the judgement. This month we’re also reminded of the inherent vulnerability of software via stories about backdoors in Chinese tax software, a flood of critical patches released for popular enterprise software products and, of course, more yarns about ransomware.

Key articles:

Chinese bank requires foreign firm to install app with covert backdoor

Summary: Tax software required to be used by organisations that conduct business in China has been found to have been infected with malware.

Key risk takeaway: This discovery by security researchers is a cautionary tale for any business with operations in China. Dubbed “GoldenSpy”, the backdoor in the tax software reportedly allowed the remote execution of commands on infected computers. A similar backdoor was later discovered in the other of the two Chinese-government authorised tax software products. Concerns have long been raised about the invasive security provisions levelled at western businesses by China, though the covert nature of this incursion is rather more sinister. The FBI warns that companies in healthcare, chemical and finance sectors are in particular danger. Echoing the FBI’s advice, businesses should ensure they patch critical vulnerabilities on their systems, monitor applications for unauthorised access and protect accounts through multi-factor authentication.

Tags: #cyberhygiene #cyberespionage

 

Europe’s top court strikes down flagship EU-US data transfer mechanism

Summary: The EU-US Privacy Shield, a key framework for regulating transatlantic data transfers, has been declared invalid by the Court of Justice of the European Union with immediate effect. Alternative international data transfer mechanisms remain valid subject to additional obligations imposed upon companies.

Key risk takeaway: Though primarily focused on transatlantic transfers, the Court’s judgement will also give pause to Australian organisations that use Standard Contractual Clauses (SCCs), a key tool for Australia-EU data transfers. Whilst confirming that SCCs remain a valid means for international data transfers under the GDPR, the Court’s judgement imposes an onus on companies relying on SCCs to undertake case-by-case determinations on whether foreign protections are adequate under EU standards and whether additional safeguards are required.

Tags: #privacy #GDPR

 

Apple Just Crippled IDFA, Sending An $80 Billion Industry Into Upheaval

Summary: Apple’s shift to requiring opt-in consent for IDFAs, a unique identifier which enables advertisers to track user behaviour across apps for targeting and attribution purposes, threatens to upend the mobile advertising ecosystem.

Key risk takeaway: Apple continues to brandish its privacy-centric approach as a key competitive asset and brand differentiator. This latest move was announced alongside a series of privacy-conscious updates and has been celebrated by privacy advocates as a fundamental step towards greater user transparency and control over use of their data. The change involves users now receiving explicit prompts requiring opt-in consent, as opposed to these controls being buried within Apple’s settings. The update has particular implications for both Facebook and Google, whose ad-tech services depend on aggregating large troves of data with IDFAs. Meanwhile, in another fillip for privacy advocates this month, the public broadcaster in the Netherlands has published data showing that it grew ad revenue after ditching ad trackers and moving to contextual ads.

Tags: #privacy #trust

 

Twitter partially shut down as hackers compromise 45 high profile accounts

Summary: In a coordinated attack, hackers gained control of dozens of high-profile Twitter accounts, including former US President Barack Obama, US presidential candidate Joe Biden, Amazon CEO Jeff Bezos, Elon Musk, Apple and many others.

Key risk takeaway: While the hackers’ motivations here appear to have been rather benign (to propagate a bitcoin scam message), their unprecedented access could have had much more serious consequences. Imagine a nation state with full control of these compromised accounts, intent on derailing an election. It should raise the question for any organisation – what damage could a hacker do with access to your internal tools? The methods behind the attack were also relatively standard: social engineering to gain access to an internal customer support tool, which they used to reset account passwords. No zero-day cyber-gymnastics here. The obvious lesson here is ‘back to basics’ – training and awareness and restricted privileges. The deeper concern is how Twitter and other social media have become so central to our democracies – failures of this kind cannot be allowed to happen.

Tags: #socialengineering #databreaches #geopolitics

 

2020 is on track to hit a new data breach record

Summary: Troy Hunt’s ‘Have I been Pwned’ database reaches 10 billion records, while a new report estimates that 8.4 billion records were exposed in the first quarter of 2020 alone.

Key risk takeaway: The internet is now awash with compromised credentials, making password re-use a greater threat than ever. If you’ve already used a given password before, the likelihood is it’s now out there somewhere and can be used to compromise your account. This threat to account security is compounded by the continued rise of phishing and social engineering attacks, particularly in the new COVID-19 normal. The rapid switch to remote working combined with the uncertainty of the pandemic have given rise to effective new phishing lures such as fake pandemic updates or notifications from popular remote working applications. And so, the parade of data breaches continues. From dating apps, to hotel chainsairlinestelcos and many others, news of data breaches have become part of the background hum of our industry.

Tags: #databreaches

 

Garmin confirms ransomware attack, keeps quiet on possible Evil Corp. involvement

Summary: Garmin said while there was no indication attackers accessed customer data, the attack did interrupt website functionality, customer support services, user apps and corporate communications. This was again one of many ransomware attacks this month.

Key risk takeaway: This particular attack draws attention to the incredibly precarious position ransomware victims find themselves in regarding ransoms. Enduring widespread disruption to services due to WastedLocker ransomware, Garmin reportedly was faced with a US$10 million ransom to decrypt its files. Reports also claim that Russian gang Evil Corp was behind the attack. The gang’s members have been sanctioned by the US government, making any dealings with them illegal. Services are now back online and Garmin has not confirmed whether it paid the ransom. We also learned this month that ransomware gangs are a patient bunch – spending long periods of time within the networks they have breached in order to gather as much information as possible to maximise leverage in ransom demands.

Tags: #ransomware

 

US cyber officials urge patching of bug affecting up to 40K SAP customers

Summary: A critical vulnerability in SAP applications could affect up to 40,000 customers.

Key risk takeaway: Patch your critical systems! The last month has seen a rash of patches released for serious vulnerabilities in widely used systems. In addition to the SAP bug, software company Citrix announced yet more bugs (but with fixes), as did Microsoft, Palo Alto Networks and F5 Networks products. Respected guidance such as the Australian Government’s Essential Eight strategies recommends timely patching as a foundational security practice. In practice, many organisations struggle to prioritise the many, many security fixes that increasingly require acting on. The last month will only have further compounded the headaches of systems administrators (and likely intensified their pleas for more attention to secure coding practices).

Tags: #vulnerabilitymanagement

News round-up June 2020 — PM’s cyber strategy announcement, ransomware attacks and email scammers

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

 

The round-up

“Imagine if we could get the Prime Minister to yell ‘cyber’?”
Security leaders preparing to go cap-in-hand for FY21 budgets could only have dreamed of the platform their portfolios would get this month. In this month’s round-up we take a look at the PM’s announcement, and watch as ransomware and business email compromise jostle for the mantle of most damaging cyber threat.