Latest Instagram Hack Exposes 49 Million Accounts
In the most recent attack, the Facebook subsidiary exposed telephone numbers and email addresses. Combined with recent research by cyber security firms to demonstrate potential weaknesses, there are reports that privacy concerns may be driving lower usage statistics and recruitment practices.
Spyware Targets WhatsApp Users
The messaging app WhatsApp discovered a vulnerability that could expose users to malware. A bad actor could transfer the malware to a users phone simply by calling it, without even requiring the user to answer. The spyware was allegedly developed by Israeli company NSO Group. WhatsApp alerted US law enforcement agencies, issued a CVE notice to the cyber community, and notified and its users. WhatsApp is used by approximately 1.5B people worldwide.
Source: The Guardian
Data Breach Targets Australian National University
The Australian National University (ANU) has been hit by data breach exposing personal data going back 19 years. Credit card details, medical records and research work were all unaffected.
Attack on Graphic Design Platform Canva
Australian based graphic design platform Canva has confirmed that it detected and stopped a malicious attack on its systems in May. 139 million users’ personal information, including partial credit card data, was exposed on the company’s profile database.
"Smart" Cities More Susceptible to Ransomware
With more city governments incorporating technology into their daily operations, opportunities for hackers to breach local databases are increasing. The most common method is ransomware, which encrypts stolen data and keeps it locked until a ransom is paid. San Francisco, Albany, New York, and a city in Maine (Ed. Note: add to this list three towns in Florida, as discussed elsewhere in this issue) have all been affected by data breaches of this nature. For instance, the city of San Francisco lost millions when the Municipal Transportation Agency was unable to accept money from passengers due to a cyber-attack. In 2018 Atlanta had to pay $50,000 in ransom along with millions of dollars to recover from a breach.
Source: AV Club
Ransomware Attacks Airplane Parts Maker ASCO
A ransomware attack occurred on June 7th against Belgium-based airplane parts maker ASCO Industries. AT&T Alien Labs believes the same ransomware used in the Norsk Hydro event - dubbed LockerGaga – may have been used here as well, however, the event is still under investigation. There has already been cases of manufacturing companies being attacked by ransomware, and it is believed that many more will come. Co-founder of Nozomi Networks, Andrea Carcano, said that paying the ransom is not ideal and organizations should have contingency plans in place to minimize damages.
Source: SC Media
Washington and New Jersey Pass Breach Notification Legislation
Washington and New Jersey recently passed laws expanding and refining their rules for breach notification. Although both states had existing rules on the books on the issue, the new rules reflect the growing regulatory attention being paid nationwide, the increased governmental understanding of what the meaningful issues are, and a rising threshold of what an adequate response to a breach is.
Source: Saul Ewing Arnstein & Lehr
California Data Privacy Law Update
California’s upcoming Consumer Protection Act (CCPA) will be one of the farthest-reaching in the country when it takes effect on January 1, 2020 – but its final form remains uncertain, as a number of bills seeking to alter the law in a wide variety of ways. Although the two most-talked-about amendments - which would expand the private right of action under the upcoming law - appear to have stalled, a number of other amendments are likely to move forward, including among others:
- The definition of “de-identified” information is clarified, “reidentification” is prohibited, and the definition of personal information is narrowed.
- Job applicants, employees, contractors, and agents are excluded from the definition of “consumer.”
- Business required to provide “clear and conspicuous” notice that they are using facial recognition technology.
Source: Lewis Brisbois
Nevada Adds State Privacy Law to Growing List
Nevada has already passed their own data privacy law, currently referred to as SB220, styled after the CCPA. The Nevada law was signed by the governor on May 29, 2019, and while it is not as broad as California’s proposed Consumer Protection Act, it goes into effect more quickly, in October 2019.
ICO Levies Large Fine Under Old Data Protection Act
Pregnancy and parenting support group, Bounty (UK) Limited has been fined £400,000 by the ICO for sharing in excess of 34 million records comprising personal data of 14 million individuals to third party companies. Data subjects included potentially vulnerable new mothers but also young children.
Touchstone Medical Imaging Agrees to $3M Fine
Touchstone suffered a breach affecting over 300,000 patient records in 2014 and has now agreed to pay a $3M fine. In what was likely a key factor in the size of their settlement, they initially claimed that no patient PHI was exposed. OCR investigated and found that Touchstone had not timely look into the breach, their investigation was inadequate, and their notifications were untimely. The HHS OCR “Wall of Shame” continues to keep a running tally of healthcare breaches in the U.S.
Hiscox Reports Jump in UK Cyber Attacks
Insurer Hiscox surveyed 5,400 business across seven European countries, finding 55% had been targeted by a cyber attack in the last year – a significant increase over the 40% who had the year before. In addition to the increase in number of attacks, the cost of those attacks also jumped roughly 61% year-over-year. (Ed. Note: for additional detail see the full report linked below.)
No Honor Among Cyber-Thieves: Dark Web Targeted
Three of the largest crime-focused marketplaces on the dark web were targeted by significant DDoS attacks earlier this year. Dream Market, Empire Market, and Nightmare Market – all known for selling drugs, guns, malware, and hacked data – were targeted, with Dream Market actually planning on shutting down after being cripple by 7 weeks of sustained attacks. The alleged source of those attacks demanded a $400k ransom to stop them.
Bug Bounty Program Reveals Unique Insight Into Hacking
HackerOne is a program that pays rewards (bounties) to hackers who find exploits in corporate systems and report them so they can be fixed. Programs like this – referred to as “bug bounties” – have proven to be great successes over the years, but the newly released data is a rare look into what types of bugs are most commonly found, in what industry, etc. Many large corporations like Apple and Google run their own independent bug bounty programs.
Kronos Pays $1.6M for Violating Privacy Law
Smith’s Senior Home, Kronos located in Chicago violated the Biometric Information Privacy Law (BIPA) on May 10th. Kronos uses a biometric timekeeping device which scanning employees fingerprints. The employees never gave informed consent, therefore, violating BIPA regulation. Smith’s employee Cynthia Dixon claimed that the employee's fingerprints were also shared with Massachusetts bases Kronos. Kronos is now paying $1.55 million to settle this claim. Employees who were employed on September 28, 2015 to when U.S District Judge Matthew Kennelly approved will be receiving $1,000.
This is but one example of a large and increasing number of lawsuits filed under BIPA, particularly since the Rosenbach v. Six Flags Illinois Supreme Court decision discussed in the last newsletter.
CJEU to Hear Facebook Case
Facebook has failed in an appeal to the Irish Supreme Court to prevent the High Court from referring a number of key questions pertaining to transfer of personal data directly to the Court of Justice for the European Union (CJEU). Concerns relate to the adequacy protections afforded to data transferred outside the EU and an adverse ruling by the CJEU could have significant implications for businesses doing so.
Morrisons Given Permission to Appeal
UK Supermarket chain Morrisons has been granted leave to appeal to a ruling that it was vicariously liable for the acts of a disgruntled employee who released the personal data of 100,000 employees online.
Source: Financial Times
Marriott Data Breach Litigation Update
Litigation resulting from the late-2018 Marriott breach affecting approximately 383 million customers is currently under way. U.S District Judge, Paul Grimm, ordered the case to be processed quickly and closed by the end of the year. There are over 100 class action law suits being overseen by Judge Grimm, including those filed by consumers, financial institutions, and municipalities like the City of Chicago. Investigations into the exact nature and extent of the breach and its consequences remain ongoing.
Source: Cohen Milstein
FedEx Not Petya lawsuit
A securities class action has been filed against global logistics company FedEx for allegedly not fully disclosing the extent of the disruption to the company following the 2017 Not Petya cyberattack.
India Proposes Jail Time for Cryptocurrency Users
India has proposed a law that would prohibit holding, selling, or dealing in cryptocurrency with penalties of up to 10 years in prison. The rationale for the law refers to the “high chances” that cryptocurrency will be used for money laundering, etc. The chances of the bill becoming law are unknown, as are the realistic effects as tracking and attributing bitcoin transactions is notoriously difficult.
Source: India Today
Crypto Pricing Remains Volatile
Bitcoin and several other leading cryptocurrencies have rebounded in value since their 12/2018 lows (1 BTC = $7,792; 1 ETH = $239). Pricing remains incredibly volatile compared to both traditional currencies and mainstream investments. Warren Buffett recently commented on Bitcoin, referring to it as a “gambling device” and “not an investment.”